Linux 7.2 分享ADSL 的一個問題 [Site Map]

aday

2001-12-29, 04:14 PM

Iptables rules for a simple masquerading gateway (no server services)
• Bootstrapping Iptables
o Insert connection-tracking modules (only needed if not built into the kernel).

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp (needed only if you plan on using FTP)
o Set the default policies - sets the default actions of the built-in chains.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
• Blocks all new connections unless initiated from the "protected" network.

iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -j DROP
• Jump to the state_chk chain from INPUT and FORWARD chains.

iptables -A INPUT -j state_chk
iptables -A FORWARD -j state_chk
• Masquerade connections - only needed on the firewall box if you have an internal network that you wish to route traffic to and from the Internet.
o Enable IP forwarding between the interfaces - remember to disable this if you're going to unload the Iptables rules.

echo "1" > /proc/sys/net/ipv4/ip_forward
o Load the NAT modules - needed only if you compiled as modules

modprobe iptable_nat
modprobe ip_nat_ftp (needed only if you plan on using FTP)
o Enable IP masquerading - Use if your eth0 has a dynamic IP address. For static IP, it's recommended that you use source NAT instead.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
o Enable source NAT - Use if your eth0 has a static IP address.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address_of_eth0
Port Forwarding
Port Forwarding in Netfilter is done with Iptables. You do not need another tool (such as ipmasqadmin w/ Ipchains). This is only needed if you need to forward traffic from one machine to another. Note that this is different from redirecting traffic.
Port forwarding under Netfilter is done via a two step process.
• Destination NAT the packets (changes the destination IP address in the IP header and port number in the TCP/UDP header)

iptables -t nat -A PREROUTING -i eth0 -p protocol -d ip_address_of_eth0 --dport original_port_number -j DNAT --to destination_ip_address:destination_port_number
• Forward the natted packets (allow the natted packet to be forwarded)

iptables -A FORWARD -i eth0 -o eth1 -p protocol -d destination_ip_address --dport destination_port_number -j ACCEPT
Note that port forwarding also requires IP forwarding and masq'ing or source NAT (the return packets need their source IP addresses to be modified as well).
Putting it together (rc files and such)
Now that you have your first working firewall, you'll probably want to keep these rules in effect between boots. There are basically two options. The first is to include all of the rules and syntax in a custom rc shell script. The second is to use the iptables-save and iptables-restore commands (currently experimental and only recommended for brave souls).
To use the rc script approach, start your firewall rc file immediately after your network initiation. Actually, the exact time that you start your firewall rc script isn't that crucial because you can setup rules for interfaces that don't exist.