Linux iptables 设置实践
下面是设置网络时的基本状况:
主机3个网卡:
eth0 192.168.0.1/24 内网
 
eth1 192.168.20.1/24 外网
eth2 192.168.50.1/24 会议室网络
ppp0 (在 eth1 上拨号上网)
 
DHCP设置:  
 
192.168.0.1/24 { 192.168.0.100 - 192.168.0.200 }
192.168.50.1/24 { 192.168.50.100 - 192.168.50.200 }
 
VPN设置:
 
localip: 192.168.10.1
remoteip: 192.168.10.100-192.168.10.150
 
下面是firewall的具体设置:
[root@yujiagw ~]# cat firewall
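#!/bin/sh
# Firewall for the yujiagw gateway: masquerades the dial-up uplink (ppp0 on
# eth1) and applies a per-host FORWARD policy chosen by source MAC.
#
# Networks (from the description above the script):
#   eth0 192.168.0.0/24   internal LAN
#   eth2 192.168.50.0/24  conference room
#   VPN  192.168.10.0/24  PPTP clients
#
# Must run as root. Re-running is safe: every rule is rebuilt from scratch.

# Fail closed while the rule set is rebuilt. The default FORWARD policy is
# set to DROP *before* the flush, so the gateway never forwards unfiltered
# traffic in the window between the flush and the last -A below (the
# previous version opened FORWARD to ACCEPT here and only closed it at the
# very end).
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F

# User-defined chains are empty after -F, so they can be deleted. On the
# first run they do not exist yet and -X reports an error; that is harmless
# and silenced. qquser is no longer defined below; it is removed only in
# case an older version of this script left it behind.
for chain in poweruser qquser httpuser; do
  iptables -X "$chain" 2>/dev/null
done

# allow_port CHAIN PROTO PORT -- append an ACCEPT for one protocol/port.
allow_port() {
  iptables -A "$1" -p "$2" --dport "$3" -j ACCEPT
}

# classify NAME MAC CHAIN -- send forwarded frames from MAC into CHAIN.
# NAME is a label for readability only. A source MAC is whatever the sending
# NIC puts on the wire, so these rules express a per-device policy, not
# authentication of the person behind the device.
classify() {
  iptables -A FORWARD -m mac --mac-source "$2" -j "$3"
}

# NAT: masquerade everything leaving through the dial-up uplink.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# ACCEPT in the nat table only ends nat processing for the packet; it does
# not permit anything by itself. These exempt DNS, SMTP and POP3 from any
# REDIRECT/DNAT rule that may be enabled below.
allow_port "PREROUTING -t nat" tcp 53 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 443
#iptables -t nat -A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 443

# Port Forwarding (disabled)
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3389 -j DNAT --to 192.168.0.4:3389
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.4:80
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to 192.168.50.2:8080
#iptables -A FORWARD -d 192.168.50.2 -p tcp --dport 8080 -j ACCEPT
#iptables -t nat -A POSTROUTING -d 192.168.50.2 -p tcp --dport 8080 -j SNAT --to 192.168.0.1

# Basic ports every forwarded host may reach, whatever its MAC:
# DNS (tcp/udp 53), SMTP (25), POP3 (110).
allow_port FORWARD tcp 53
allow_port FORWARD udp 53
allow_port FORWARD tcp 25
allow_port FORWARD tcp 110

# VPN clients and the internal LAN may talk to each other freely.
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT

# Conference room and the internal LAN may talk to each other freely.
iptables -A FORWARD -s 192.168.50.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.50.0/24 -j ACCEPT
# "Set Connect WAN": any forwarded packet addressed to the conference room
# network is accepted, regardless of its source.
iptables -A FORWARD -d 192.168.50.0/24 -j ACCEPT

# HeQuanXin (old unrestricted rules, disabled)
#iptables -A FORWARD -m mac --mac-source 00:1A:6B:35:A5:66 -j ACCEPT
#iptables -A FORWARD -m mac --mac-source 44:D8:84:0A:9F:5D -j ACCEPT

#----------------------------------- poweruser chain -----------------------------
# Power users are accepted unconditionally. Because this jump ACCEPTs the
# packet, a power user never reaches the Xunlei/BT REJECT rules appended to
# FORWARD further down.
iptables -N poweruser
iptables -A poweruser -j ACCEPT

#----------------------------------- httpuser chain ------------------------------
# Restricted users: DNS, web, mail only; everything else is dropped.
iptables -N httpuser
allow_port httpuser tcp 53
allow_port httpuser udp 53

# Reject QQZone.
# NOTE: a hostname in -d is resolved once, when the rule is loaded. The rule
# covers only the address(es) returned at that moment, and loading fails
# outright if DNS is unreachable (e.g. before ppp0 is up) -- in which case
# this REJECT is simply missing from the chain.
iptables -A httpuser -d user.qzone.qq.com -j REJECT

allow_port httpuser tcp 80
allow_port httpuser udp 80
allow_port httpuser tcp 25
allow_port httpuser tcp 110
allow_port httpuser tcp 443
allow_port httpuser udp 443
iptables -A httpuser -j DROP

#----------------------------------- per-host policy ------------------------------
# Order matters: the first matching MAC decides the packet's fate.
classify HeQuanXin     00:1A:6B:35:A5:66 httpuser
classify xiangshude    00:E0:4C:41:49:C4 httpuser
classify shiyayun      C8:9C:DC:D2:55:7A poweruser
classify chenmingxiang 54:04:A6:58:A3:EE poweruser
classify wangxiaoping  00:B0:C4:04:A1:7E httpuser
classify chengmeirong  90:2B:34:2D:E6:5B httpuser
classify zhangyinbo    14:DA:E9:D2:3F:DF httpuser
classify luxiaoxiong   90:2B:34:CB:31:EE httpuser

#---------------------------------------------------------------------------------
# Block Xunlei.
# These rules sit *after* the per-MAC jumps, so they only affect hosts whose
# MAC is not listed above (power users were already accepted, and httpuser
# hosts were already accepted or dropped inside their chain).
# Whitespace-separated list; the unquoted expansion below splits on it on
# purpose. Order is preserved from the original rule list.
xunlei_hosts='
58.61.39.0/24
121.9.209.6
121.9.209.7
121.9.209.3
61.183.55.216
61.183.55.218
61.183.55.222
220.172.191.36
121.11.69.108
125.91.8.77
218.6.13.134
219.133.48.0/24
219.133.49.0/24
219.129.83.0/24
219.133.60.0/24
210.21.118.141
210.21.118.147
210.21.118.149
221.238.251.118
221.238.252.127
221.238.252.154
221.238.252.155
221.238.252.233
221.238.253.246
222.208.156.0/24
203.110.168.233
208.115.244.194
65.19.183.185
'
for dst in $xunlei_hosts; do
  iptables -A FORWARD -d "$dst" -j REJECT
done

# Block BT (same placement caveat as the Xunlei list above).
iptables -A FORWARD -p tcp --dport 6880:6881 -j REJECT
iptables -A FORWARD -p udp --dport 6880:6881 -j REJECT

# Drop packets that conntrack cannot associate with any connection.
iptables -A FORWARD -m state --state INVALID -j DROP

# Accept replies and related traffic of connections already admitted above.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# The FORWARD policy is already DROP (set at the top before the flush);
# anything not accepted above is denied.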
 
 
 
 
 
 
 
 
                     
                    
                 
                    
                
 
                
            
         
         浙公网安备 33010602011771号
浙公网安备 33010602011771号