Posted by hhl00 on 06-22-2004 11:21:
Proxy and IP NAT compatibility problem
Our organisation wants to achieve the following:
1) Internet access goes through a proxy; the proxy must authenticate users and must not be a transparent proxy;
2) IP NAT maps the servers in the internal DMZ to public IPs; the public IP is bound to eth0 on the proxy server, the DMZ is on eth1 and LAN1 on eth2.
The current situation is that the proxy already works: if the iptables rules are not loaded, Internet access is fine, but as soon as the rules below are loaded, clients can no longer connect to the proxy server, although the DMZ servers can still be reached from outside.
I'm new to iptables and haven't been able to get this working; could someone help me see whether it is possible to have both the proxy and the IP NAT function?
Here are the iptables rules I use:
#!/bin/sh
# DMZ firewall configuration under Linux

# Internet configuration
INET_IP="202.111.111.1"
HTTP_IP="202.111.111.21"
DNS_IP="202.111.111.1"
MAIL_IP="202.111.111.3"
INET_IFACE="eth0"

# Local area network configuration
LAN_IP="192.168.200.1"
LAN_IFACE="eth2"

# DMZ configuration
DMZ_HTTP_IP="192.168.0.6"
DMZ_FTP_IP="192.168.0.2"
DMZ_MAIL_IP="192.168.0.13"
DMZ_IP="192.168.0.1"
DMZ_IFACE="eth1"

# Localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"

# iptables configuration
IPTABLES="/sbin/iptables"

# Module loading
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# Required proc configuration: the box routes between its three interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set policies: everything not explicitly accepted below is dropped
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Create chain for bad TCP packets
$IPTABLES -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets

# bad_tcp_packets chain: reset a NEW connection that starts with SYN/ACK,
# log and drop any other NEW TCP packet that is not a plain SYN
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain: accept the SYN and the rest of a tracked connection
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# TCP rules (chain is defined but not referenced from INPUT below)
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed

# UDP rules (chain is defined but not referenced from INPUT below)
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# ICMP rules: echo request and time exceeded
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain
# Bad TCP packets we don't want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from the Internet to this box
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# From the DMZ interface to the firewall's DMZ IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
# From the LAN interface to the firewall's LAN IP
# (the only rule that admits traffic from the LAN to the box itself)
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
# From the loopback interface to the local addresses
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# Replies to connections the firewall itself opened via its public IP
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
# Log weird packets that don't match the above
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# FORWARD chain
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
# DMZ general rules: DMZ -> Internet and LAN -> DMZ may open connections,
# the reverse directions only carry replies
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
# HTTP server (destination already rewritten by the DNAT rules below)
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
  --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
  -j icmp_packets
# Mail server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_MAIL_IP \
  --dport 80 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_MAIL_IP \
  --dport 25 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_MAIL_IP \
  --dport 110 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_MAIL_IP \
  -j icmp_packets
# LAN section: anything arriving on the LAN interface may be forwarded
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log weird packets that don't match the above
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# OUTPUT chain
# Bad TCP packets we don't want
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
# Special OUTPUT rules to decide which source IPs to allow
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# Log weird packets that don't match the above
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# PREROUTING chain: map the published public addresses onto the DMZ hosts
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
  -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $MAIL_IP --dport 80 \
  -j DNAT --to-destination $DMZ_MAIL_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $MAIL_IP --dport 25 \
  -j DNAT --to-destination $DMZ_MAIL_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $MAIL_IP --dport 110 \
  -j DNAT --to-destination $DMZ_MAIL_IP

# POSTROUTING chain: everything leaving on the Internet interface gets the public IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
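The following is an added illustration, not code from the post above or from any project it mentions: a small model of netfilter traversal that hard-codes the posted PREROUTING, INPUT and FORWARD rules and walks constructed packets through them, so the effect of each rule on a LAN-to-proxy request or an Internet-to-DMZ request can be checked without a root shell. Only the matches the posted rules actually use are modelled (interfaces, protocol, destination address and port, conntrack state, SYN flag); the ICMP rules, the OUTPUT chain and SNAT are left out. The addresses and interface names are the ones from the post; PROXY_PORT (3128, Squid's default), the sample client packets and the external address 198.51.100.7 are assumptions made for the example.

```python
"""Trace constructed packets through a model of the rule set posted above.

Added illustration, not code from the original post. It hard-codes the posted
PREROUTING (nat), INPUT and FORWARD rules using only the matches they rely on
(interfaces, protocol, destination address/port, conntrack state, SYN flag);
ICMP, the OUTPUT chain and SNAT are omitted. PROXY_PORT (Squid's default 3128)
and the sample packets are assumptions made for this example.
"""
from dataclasses import dataclass

INET_IP, HTTP_IP, MAIL_IP = "202.111.111.1", "202.111.111.21", "202.111.111.3"
LAN_IP, DMZ_IP = "192.168.200.1", "192.168.0.1"
DMZ_HTTP_IP, DMZ_MAIL_IP = "192.168.0.6", "192.168.0.13"
LOCAL_IPS = {INET_IP, LAN_IP, DMZ_IP, "127.0.0.1"}  # addresses owned by the firewall itself
PROXY_PORT = 3128                                   # assumed Squid listening port
EST = frozenset({"ESTABLISHED", "RELATED"})

@dataclass
class Packet:
    in_iface: str
    proto: str            # "tcp" or "udp"
    dst: str
    dport: int = 0
    state: str = "NEW"    # conntrack state as seen by "-m state"
    syn: bool = True      # TCP SYN flag
    out_iface: str = ""   # set by trace(); "" means delivered to the firewall itself

def route(dst):
    """Egress interface for the post's three subnets; None means local delivery."""
    if dst in LOCAL_IPS:
        return None
    return "eth1" if dst.startswith("192.168.0.") else "eth2" if dst.startswith("192.168.200.") else "eth0"

# A match is a dict of Packet fields: a missing key means "any", a frozenset means "any of these".
PREROUTING = [  # nat table: (match, DNAT destination), in the posted order
    ({"in_iface": "eth0", "proto": "tcp", "dst": HTTP_IP, "dport": 80}, DMZ_HTTP_IP),
    ({"in_iface": "eth0", "proto": "tcp", "dst": MAIL_IP, "dport": 80}, DMZ_MAIL_IP),
    ({"in_iface": "eth0", "proto": "tcp", "dst": MAIL_IP, "dport": 25}, DMZ_MAIL_IP),
    ({"in_iface": "eth0", "proto": "tcp", "dst": MAIL_IP, "dport": 110}, DMZ_MAIL_IP),
]
INET_TO_DMZ = {"proto": "tcp", "in_iface": "eth0", "out_iface": "eth1"}
CHAINS = {  # filter table: chain -> [(match, target)], in the posted order
    "bad_tcp_packets": [
        ({"proto": "tcp", "state": "NEW", "syn": False}, "LOG"),
        ({"proto": "tcp", "state": "NEW", "syn": False}, "DROP"),
    ],
    "allowed": [
        ({"proto": "tcp", "syn": True}, "ACCEPT"),
        ({"proto": "tcp", "state": EST}, "ACCEPT"),
        ({"proto": "tcp"}, "DROP"),
    ],
    "INPUT": [
        ({"proto": "tcp"}, "bad_tcp_packets"),
        ({"in_iface": "eth1", "dst": DMZ_IP}, "ACCEPT"),
        ({"in_iface": "eth2", "dst": LAN_IP}, "ACCEPT"),  # the only rule admitting LAN -> firewall
        ({"in_iface": "lo"}, "ACCEPT"),
        ({"dst": INET_IP, "state": EST}, "ACCEPT"),
        ({}, "LOG"),
    ],
    "FORWARD": [
        ({"proto": "tcp"}, "bad_tcp_packets"),
        ({"in_iface": "eth1", "out_iface": "eth0"}, "ACCEPT"),  # DMZ egress: any port, any state
        ({"in_iface": "eth0", "out_iface": "eth1", "state": EST}, "ACCEPT"),
        ({"in_iface": "eth2", "out_iface": "eth1"}, "ACCEPT"),
        ({"in_iface": "eth1", "out_iface": "eth2", "state": EST}, "ACCEPT"),
        ({**INET_TO_DMZ, "dst": DMZ_HTTP_IP, "dport": 80}, "allowed"),
        ({**INET_TO_DMZ, "dst": DMZ_MAIL_IP, "dport": 80}, "allowed"),
        ({**INET_TO_DMZ, "dst": DMZ_MAIL_IP, "dport": 25}, "allowed"),
        ({**INET_TO_DMZ, "dst": DMZ_MAIL_IP, "dport": 110}, "allowed"),
        ({"in_iface": "eth2"}, "ACCEPT"),
        ({"state": EST}, "ACCEPT"),
        ({}, "LOG"),
    ],
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}  # built-in chains only; user chains fall through

def matches(match, p):
    return all(getattr(p, k) in v if isinstance(v, frozenset) else getattr(p, k) == v
               for k, v in match.items())

def run_chain(name, p):
    """Return ACCEPT/DROP, or None when a user-defined chain runs off its end."""
    for match, target in CHAINS[name]:
        if not matches(match, p) or target == "LOG":  # LOG is non-terminating
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = run_chain(target, p)                 # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return POLICY.get(name)

def trace(p):
    """DNAT in PREROUTING, then route, then INPUT or FORWARD; returns (final dst, chain, verdict)."""
    p.dst = next((new_dst for match, new_dst in PREROUTING if matches(match, p)), p.dst)
    p.out_iface = route(p.dst) or ""
    chain = "INPUT" if p.out_iface == "" else "FORWARD"
    return p.dst, chain, run_chain(chain, p)

if __name__ == "__main__":
    for pkt in (Packet("eth2", "tcp", LAN_IP, PROXY_PORT), Packet("eth2", "tcp", INET_IP, PROXY_PORT)):
        print(pkt.in_iface, pkt.dst, pkt.dport, "=>", trace(pkt))
```

Run stand-alone it traces two LAN requests to the proxy port. A request addressed to the firewall's LAN address ends in ACCEPT via the `-i $LAN_IFACE -d $LAN_IP` rule; the same request addressed to the public address ends in DROP, because the only INPUT rule that matches `-d $INET_IP` requires ESTABLISHED or RELATED state. Tracing an Internet packet to HTTP_IP:80 shows the DNAT rewriting the destination before FORWARD, which is why the FORWARD rules have to match the DMZ address rather than the public one. The model also makes visible that `-i $DMZ_IFACE -o $INET_IFACE -j ACCEPT` lets any DMZ host open any outbound connection, which is worth tightening on a real DMZ.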
Posted by hhl00 on 06-22-2004 11:43:
Bump.
Posted by smile787 on 06-22-2004 18:42:
The post above is really messy...
Do you want to set up a DMZ? If you need to open www, ftp and so on, just open them directly...
Do you really need a DMZ?
This syntax also has compatibility problems...
There are also a lot of redundant statements; -s 0/0 can be included or left out...
It makes my head spin...
Posted by smile787 on 06-22-2004 18:45:
What do you mean by "Internet access works normally when iptables is not loaded"?
Going out through Squid's default port?
Posted by szkingrose on 06-23-2004 07:58:
> quote:
> Originally posted by smile787
> The post above is really messy...
> Do you want to set up a DMZ? If you need to open www, ftp and so on, just open them directly...
> Do you really need a DMZ?
> This syntax also has compatibility problems...