防火墙配置请教

由 jsqyy 在 09-26-2004 13:32 发表:

防火墙配置请教

用iptables配置了个包过滤防火墙,用的fedora3 test2,现在出现了这样的问题:所有的ftp服务器不能拿浏览器登陆,用命令行登陆正常,请大家诊断下!

由 jsqyy 在 09-26-2004 13:35 发表:

脚本代码

#!/bin/bash

GATEWAY="192.168.1.2"

FTP_IP="192.168.1.3"

WWW_IP="192.168.1.3"

BT_IP="192.168.1.8"

WAN_IF=eth1

LAN_IF=eth0

LAN_IP_RANCE="192.168.0.0/16"

STATIC_IP="202.105.37.69"

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "0" >/proc/sys/net/ipv4/tcp_ecn

echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#depmod -a

modprobe ip_tables

modprobe ip_conntrack

modprobe ip_conntrack_ftp

modprobe iptable_nat

modprobe ipt_state

modprobe ipt_limit

modprobe iptable_filter

modprobe ip_nat_ftp

iptables -F

iptables -X

iptables -F -t mangle

iptables -X -t mangle

iptables -F -t nat

iptables -X -t nat

iptables -Z -t nat

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -i $LAN_IF -s $LAN_IP_RANCE -p tcp --syn -m limit --limit 1/s -j ACCEPT

iptables -A INPUT -i $LAN_IF -s $LAN_IP_RANCE -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -i $LAN_IF -s $LAN_IP_RANCE -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT

iptables -A INPUT -i $LAN_IF -s $LAN_IP_RANCE -p icmp --icmp-type echo-reply -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s $LAN_IP_RANCE -o $WAN_IF -j SNAT --to $STATIC_IP

iptables -A FORWARD -i $LAN_IF -s $LAN_IP_RANCE -j ACCEPT

iptables -A FORWARD -i $WAN_IF -d $LAN_IP_RANCE -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p udp -d $LAN_IP_RANCE -i $WAN_IF -j ACCEPT

#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT

iptables -t nat -A INPUT -s 255.255.255.255 -i $LAN_IF -j DROP

iptables -t nat -A INPUT -s 224.0.0.0/224.0.0.0 -i $LAN_IF -j DROP

iptables -t nat -A INPUT -d 0.0.0.0 -i $LAN_IF -j DROP

iptables -t nat -A PREROUTING -i $WAN_IF -s 192.168.0.0/16 -j DROP

iptables -t nat -A PREROUTING -i $WAN_IF -s 10.0.0.0/8 -j DROP

iptables -t nat -A PREROUTING -i $WAN_IF -s 172.16.0.0/12 -j DROP

#FTP mapping (192.168.1.3)

#iptables -t nat -A PREROUTING -d $STATIC_IP -p tcp --dport 20:21 -j DNAT --to-destination $FTP_IP

#iptables -A FORWARD -d $FTP_IP -p tcp --dport 20:21 -j ACCEPT

#iptables -t nat -I POSTROUTING -s $LAN_IP_RANCE -p tcp -d $FTP_IP --dport 20:21 -j SNAT --to $GATEWAY

#WWW mapping (192.168.1.3)

iptables -t nat -A PREROUTING -d $STATIC_IP -p tcp --dport 80 -j DNAT --to-destination $WWW_IP:80

iptables -A FORWARD -d $WWW_IP -p tcp --dport 80 -j ACCEPT

iptables -t nat -I POSTROUTING -s $LAN_IP_RANCE -p tcp -d $WWW_IP --dport 80 -j SNAT --to $GATEWAY:80

#BT mapping (192.168.1.8)

iptables -t nat -A PREROUTING -d $STATIC_IP -p tcp --dport 6881:6999 -j DNAT --to-destination $BT_IP

iptables -A FORWARD -d $BT_IP -p tcp --dport 6881:6999 -j ACCEPT

iptables -t nat -I POSTROUTING -s $LAN_IP_RANCE -p tcp -d $BT_IP --dport 80 -j SNAT --to $GATEWAY

ptables -t nat -A PREROUTING -d $STATIC_IP -p tcp --dport 20:21 -j DNAT --to-destination $FTP_IP

iptables -A FORWARD -d $FTP_IP -p tcp --dport 20:21 -j ACCEPT

iptables -t nat -I POSTROUTING -s $LAN_IP_RANCE -p tcp -d $FTP_IP --dport 20:21 -j SNAT --to $GATEWAY

由 jsqyy 在 09-26-2004 13:37 发表:

lsmod

[root@linux ~]# lsmod

Module Size Used by

ip_conntrack_irc 70641 0

ip_nat_ftp 4785 0

iptable_mangle 2113 0

iptable_filter 2113 1

ipt_limit 2369 3

ipt_state 1473 1

iptable_nat 17897 2 ip_nat_ftp

ip_conntrack_ftp 71153 1 ip_nat_ftp<br

Published At
Categories with 服务器类
Tagged with
comments powered by Disqus