Urgent question about iptables

Posted by zhangxin_tmx on 09-02-2004 15:32:


My system is RedHat 9.0, kernel version 2.4.20-8, iptables version v1.2.7a. I ported a script that runs perfectly well on another server, but on my machine the script always has problems when run.

I want to use this script to let the computers on my internal LAN connect to the Internet.

The script is as follows:

#!/bin/sh

# configuration options
LAN_IP_RANGE="10.44.0.0/16"
LAN_IP="10.44.0.1"
LAN_BCAST_ADRESS="10.44.255.255"
LAN_IFACE="eth1"
INET_IP="166.111.44.10"
INET_IFACE="eth0"
LO_IP="127.0.0.1"
LO_IFACE="127.0.0.1"
IPTABLES="/sbin/iptables"

#echo "Starting iptables rules..."

# Load all required IPTables modules
# Needed to initially load modules
/sbin/depmod -a

# Adds some iptables targets like LOG, REJECT and MASQUERADE.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# Delete old PREROUTING chain
$IPTABLES -t nat -F PREROUTING
#------------------------------------------------------------------------------
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -s 172.16.0.0/12 -j DROP
#------------------------------------------------------------------------------

# Delete old POSTROUTING chain
$IPTABLES -t nat -F POSTROUTING

# MASQ to INET_IFACE
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# set SNAT
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -j SNAT --to $INET_IP

# Delete old INPUT chain
$IPTABLES -F INPUT

# Drop ports in PREROUTING
#$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 10021 -j RETURN

# port:22
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -s 166.111.44.200/32 -d $INET_IP --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP

# disable port 1 to 1024
$IPTABLES -A INPUT -p tcp --dport 1:1024 -j RETURN
$IPTABLES -A INPUT -p udp --dport 1:1024 -j RETURN

# Delete old Forward chain
$IPTABLES -F FORWARD

# set natlog chain
$IPTABLES -F natlog
$IPTABLES -A natlog -p tcp --syn -j LOG --log-prefix "nat_tcp: " --log-ip-options
$IPTABLES -A natlog -p udp -j LOG --log-prefix "nat_udp: " --log-ip-options

# Log all forward
$IPTABLES -A FORWARD -j natlog

When the script runs, it prints the following:

[root@Test-Proxy root]# ./setip.sh

iptables: no chain/target/match by that name

iptables: no chain/target/match by that name

iptables: no chain/target/match by that name

iptables v1.2.7a: Couldn't load target 'natlog':/lib/iptables/libipt_natlog.so:cannot open shared object file: No such file or directory

I executed the script's statements manually one by one and found that the problem is with the following statements:

$IPTABLES -F natlog

$IPTABLES -A natlog -p tcp --syn -j LOG --log-prefix "nat_tcp: " --log-ip-options

$IPTABLES -A natlog -p udp -j LOG --log-prefix "nat_udp: " -
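The three messages the poster quotes all come from one cause: `natlog` is a user-defined chain, and the script flushes it and appends to it without ever creating it. `-F natlog` and `-A natlog` therefore fail with "No chain/target/match by that name", and `-A FORWARD -j natlog` makes iptables fall back to looking for a target extension called `libipt_natlog.so`, which does not exist. The missing step is `iptables -N natlog`, which must run before any rule references the chain. The script below is an added example and not code from the original post: it recreates the logging-chain part of the script with the chain created idempotently (so the script can be re-run after the chain already exists). `IPTABLES` defaults to `echo /sbin/iptables`, so the generated rule set can be reviewed without root; the `ensure_chain` and `chain_created_before_use` helpers and that dry-run default are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post): create the user-defined chain
# "natlog" before flushing it, appending to it, or jumping to it.
# By default the commands are only echoed; set IPTABLES=/sbin/iptables and run
# as root to apply them on a real system.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Create a user-defined chain if it does not exist yet, then empty it.
# "-N" exits non-zero with "Chain already exists" on a re-run; that is
# harmless, so ignore it and let "-F" reset the chain's rules.
ensure_chain() {
    chain="$1"
    $IPTABLES -N "$chain" 2>/dev/null || true
    $IPTABLES -F "$chain"
}

# The logging section of the original script, with the chain creation added.
setup_natlog() {
    ensure_chain natlog
    $IPTABLES -A natlog -p tcp --syn -j LOG --log-prefix "nat_tcp: " --log-ip-options
    $IPTABLES -A natlog -p udp -j LOG --log-prefix "nat_udp: " --log-ip-options

    # Rebuild FORWARD and send every forwarded packet through natlog; when the
    # chain ends without a verdict, processing returns to FORWARD as before.
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -j natlog
}

# Dry-run check that needs no root: succeeds (exit 0) only if "-N natlog"
# appears before the first rule that flushes, appends to, or jumps to natlog.
chain_created_before_use() {
    setup_natlog | awk '
        /-N natlog/ { created = 1 }
        /-F natlog|-A natlog|-j natlog/ { if (!created) bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Print (or, with IPTABLES=/sbin/iptables, apply) the rule set.
setup_natlog
```

In the original script the same fix is a single line, `$IPTABLES -N natlog`, inserted before `$IPTABLES -F natlog`; the `2>/dev/null || true` guard matters only if the script is run more than once without first deleting the chain with `iptables -X natlog`.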

Category: 服务器类 (servers)