在配置防火墙时,最重要的就是要把已经连接上的连接加入到规则中,前期配置就是因为没有加这一项,导致防火墙总是失败的。因为连接是双向的,必须2个方向都允许了才可以通信,而我在配置的时候一般只写单方向的。
我们先在网关上做一个最简单的防火墙配置,开放网关的ssh(22),dns(53)和dhcp(67)服务的端口,并且允许内网所有网段间的相互转发。
修改文件/etc/sysconfig/iptables
# eth0: internet connection with ip: 1.1.1.1
# eth1: local connection with ip 192.168.1.254
# eth2: local connection with ip 192.168.2.254
# eth10: local connection with ip 10.10.10.254
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INTERNET - [0:0]
# forward a public port on internet to local address.
-A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.1:80
# internet
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# enable all established connections.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# http enables on all interface.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# loopback
-A INPUT -i lo -j ACCEPT
# input from internet
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
-A INPUT -i eth0 -j REJECT
# allowed input
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
# disable all other inputs
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# forward is allowed
-A FORWARD -j ACCEPT
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT- 本文固定链接: http://www.wy182000.com/2013/11/07/防火墙配置/
- 转载请注明: wy182000 于 Studio 发表
这个作者貌似有点懒,什么都没有留下。