1、service iptables status可以查看到iptables服务的当前状态
[root@sxhy ~]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 209.126.73.180 0.0.0.0/0
2 DROP all -- 209.126.73.180 0.0.0.0/0
3 DROP all -- 198.204.228.34 0.0.0.0/0
4 DROP all -- 62.210.146.182 0.0.0.0/0
5 DROP all -- 62.210.188.165 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
2、停止、启动防火墙
/etc/init.d/iptables stop
/etc/init.d/iptables start
永久关闭防火墙
chkconfig iptables off
3、屏蔽IP
单个IP的命令是
iptables -I INPUT -s 209.126.73.180 -j DROP
封IP段的命令是
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
封整个段的命令是
iptables -I INPUT -s 211.0.0.0/8 -j DROP
封几个段的命令是
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
3、添加到服务器启动自运行
有三个方法:
1、把它加到/etc/rc.local中
2、iptables-save >;/etc/sysconfig/iptables可以把你当前的iptables规则放到/etc/sysconfig/iptables中,系统启动iptables时自动执行。
后两种更好此,一般iptables服务会在network服务之前启来,更安全
4、解封:
iptables -L INPUT
iptables -L --line-numbers 然后iptables -D INPUT 序号
----------------------------------------------------
5、防火墙端口操作
开启端口:
#/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
#/sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
然后保存:
#/etc/rc.d/init.d/iptables save
关闭端口:
#/sbin/iptables -I INPUT -p tcp --dport 80 -j DROP
#/sbin/iptables -I INPUT -p tcp --dport 22 -j DROP
然后保存:
#/etc/rc.d/init.d/iptables save
-------------------------
iptables -F /* 清除所有规则 */
iptables -A INPUT -p tcp --dport 22 -j ACCEPT /*允许包从22端口进入*/
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT /*允许从22端口进入的包返回*/
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -p udp --sport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT /*允许本机访问本机*/
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT /*允许所有IP访问80端口*/
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables /*保存配置*/
iptables -L /* 显示iptables列表 */
iptables -F /* 清除所有规则 */
iptables -A INPUT -p tcp --dport 22 -j ACCEPT /*允许包从22端口进入*/
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT /*允许从22端口进入的包返回*/
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -p udp --sport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT /*允许本机访问本机*/
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT /*允许所有IP访问80端口*/
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables /*保存配置*/
iptables -L /* 显示iptables列表 */
6、防火墙脚本squid_proxy_firewall(参考实例)
[root@sxhy ~]# cat /etc/rc.d/init.d/squid_proxy_firewall
# !/bin/sh
echo "Starting squid proxy iptables rules..."
#开启IP包转发功能
echo 1 > /proc/sys/net/ipv4/ip_forward
#开启动态IP支持
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#关闭 Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
#开启SYN泛洪攻击保护(SYN Cook Flood)
#SYN攻击利用TCP协议缺陷,发送大量伪造的TCP连接请求,使被攻击方资源耗尽,导致拒绝服务
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Inore any brodcast icmp echo requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#装载内核支持模块
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#清除链的规则
/sbin/iptables -F
/sbin/iptables -t nat -F
#清除封包计数器
/sbin/iptables -Z
/sbin/iptables -t nat -Z
#设置默认策略
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
#允许本地连接
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#开放所需端口
#允许内网samba,smtp,pop3,连接
#/sbin/iptables -A INPUT -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -s 60.223.150.181/255.255.255.224 --dport 21 -j DNAT --to-destination 10.236.22.1:21
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 10.236.22.1 --sport 21 -j SNAT --to-source 60.223.150.181:40000-50000
#/sbin/iptables -A INPUT -i eth0 -p tcp --dport 177 -j ACCEPT
#开启177和6000-6010端口供xmangager连接linux 图形界面
/sbin/iptables -A INPUT -p udp --dport 177 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 6000:6010 -j ACCEPT
#开放80端口
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#开放ssh 22端口
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
#/sbin/iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 177 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 177 -j ACCEPT
#oracle需开放端口
/sbin/iptables -A INPUT -p tcp --dport 1521 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 10.236.23.8 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5060 -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 7000 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 7000 -j ACCEPT
#/sbin/iptables -A FORWARD -p udp --dport 53 -j ACCEPT
#/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 25 --syn -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 110 --syn -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 10.236.22.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 10.236.22.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
#过滤相应的mac地址和ip地址
/sbin/iptables -A FORWARD -s 10.236.22.66 -m mac --mac-source 00:E0:4C:6A:F9:7B -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.247 -m mac --mac-source 00:e0:4c:77:33:e9 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.111 -m mac --mac-source 00:1f:16:19:eb:8e -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.10 -m mac --mac-source 00:19:d1:4b:ca:d7 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.250 -m mac --mac-source 00:e0:4c:19:17:d8 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.248 -m mac --mac-source 00:e0:4c:6a:e0:dd -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.230 -m mac --mac-source 00:e0:4c:6c:39:e8 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.115 -m mac --mac-source 00:e0:4c:6c:31:24 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.117 -m mac --mac-source 00:e0:4c:77:36:96 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.63 -m mac --mac-source 00:e0:4c:6c:31:f7 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.115 -m mac --mac-source 00:16:d4:2d:94:a5 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.114 -m mac --mac-source 70:5a:b6:2e:d8:89 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.113 -m mac --mac-source 00:22:fa:94:ba:10 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.20 -m mac --mac-source 00:e0:4c:6c:33:4e -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.244 -m mac --mac-source 00:e0:4c:6c:0f:cc -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.198 -m mac --mac-source 00:e0:4c:69:04:6a -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.60 -m mac --mac-source 00:E0:4C:6D:FA:00 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.239 -m mac --mac-source 00:26:2d:ff:55:3a -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.188 -m mac --mac-source 00:e0:4c:6a:0b:07 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.102 -m mac --mac-source 00:e0:4c:6a:0f:fd -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.160 -m mac --mac-source 00:E0:4C:6C:0D:3E -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.245 -m mac --mac-source 00:e0:4c:77:34:0f -j ACCEPT
#/sbin/iptables -A FORWARD -s 10.236.22.227 -m mac --mac-source 00:90:27:90:0e:74 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.61 -m mac --mac-source 00:e0:4c:6c:0a:7a -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.70 -m mac --mac-source 00:e0:4c:68:71:d3 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.249 -m mac --mac-source 00:26:2d:ff:15:04 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.92 -m mac --mac-source 00:e0:4c:69:04:7d -j ACCEPT
#ftp
#/sbin/iptables -A FORWARD -s 10.236.22.10 -m mac --mac-source 00:19:d1:48:ca:d7 -j ACCEPT
#对由内向外发起的连接,先进行必要的过滤,防止局域网内病毒的泛红连接
/sbin/iptables -A INPUT -p udp --dport 177 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 6000:6010 -j ACCEPT
#允许内网samba
/sbin/iptables -A FORWARD -p tcp -m multiport --dport 135,445 -j ACCEPT
#/sbin/iptables -A INPUT -s 60.223.150.181/255.255.255.224 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
#/sbin/iptables -A INPUT -s 60.223.150.181/255.255.255.224 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 137:139 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --dport 80 -m multiport -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#/sbin/iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
#允许ping
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
#允许代理服务器PING其他主机
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#允许对已经建立的连接的回应,允许建立在已建立连接基础上的新连接,如ftp_data
/sbin/iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A FORWARD -p tcp -i eth0 --syn -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.66 -j ACCEPT
#/sbin/iptables -A FORWARD -d 10.236.23.242 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.30 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.248 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.5 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 21 -j DNAT --to-destination 10.236.22.30:21
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 21 -j SNAT --to-source 60.223.150.181:21
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 20 -j DNAT --to-destination 10.236.22.30:20
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 20 -j SNAT --to-source 60.223.150.181:20
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 8520 -j DNAT --to-destination 10.236.22.5:8520
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 8520 -j SNAT --to-source 60.223.150.181:8520
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7001 -j DNAT --to-destination 10.236.22.5:7001
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7001 -j SNAT --to-source 60.223.150.181:7001
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7002 -j DNAT --to-destination 10.236.22.5:7002
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7002 -j SNAT --to-source 60.223.150.181:7002
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7003 -j DNAT --to-destination 10.236.22.5:7003
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7003 -j SNAT --to-source 60.223.150.181:7003
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7004 -j DNAT --to-destination 10.236.22.5:7004
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7004 -j SNAT --to-source 60.223.150.181:7004
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7005 -j DNAT --to-destination 10.236.22.5:7005
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7005 -j SNAT --to-source 60.223.150.181:7005
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7006 -j DNAT --to-destination 10.236.22.5:7006
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7006 -j SNAT --to-source 60.223.150.181:7006
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7007 -j DNAT --to-destination 10.236.22.5:7007
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7007 -j SNAT --to-source 60.223.150.181:7007
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 2000 -j DNAT --to-destination 10.236.22.66:2000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.66 --sport 2000 -j SNAT --to-source 60.223.150.181:2000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 4000 -j DNAT --to-destination 10.236.22.245:4000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.245 --sport 4000 -j SNAT --to-source 60.223.150.181:4000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 3000 -j DNAT --to-destination 10.236.22.248:3000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.248 --sport 3000 -j SNAT --to-source 60.223.150.181:3000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 5000 -j DNAT --to-destination 10.236.22.30:5000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 5000 -j SNAT --to-source 60.223.150.181:5000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 443 -j DNAT --to-destination 10.236.22.248:443
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.248 --sport 443 -j SNAT --to-source 60.223.150.181:443
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 5000 -j DNAT --to-destination 10.236.22.20:5000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.20 --sport 5000 -j SNAT --to-source 60.223.150.181:5000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 80 -j DNAT --to-destination 10.236.22.20:80
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.20 --sport 80 -j SNAT --to-source 60.223.150.181:80
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 21 -j DNAT --to-destination 10.236.22.30:21
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 21 -j SNAT --to-source 60.223.150.181:21
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 20 -j DNAT --to-destination 10.236.22.30:20
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 20 -j SNAT --to-source 60.223.150.181:20
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 8000 -j DNAT --to-destination 10.236.23.8:8000
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.23.8 --sport 8000 -j SNAT --to-source 60.223.150.181:8000
#/sbin/iptables -t nat -A PREROUTING -d 60.223.150.181 -p tcp --dport 80 -j DNAT --to 10.236.22.30:6000
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 10.236.22.30 --sport 6000 -j SNAT --to-source 60.223.150.181:20000-30000
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 124.89.103.100/29 --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 123.138.163.129/29 --dport 80 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 10.236.22.0/24 -j SNAT --to-source 60.223.150.181
#端口重定向,实现透明代理的重点步骤一,有了这一步,客户端就不必设置代理了,服务器根据用户请求目标端口为80,则自动重定向到3128,交由squid处理,由此实现了http代理;同理,根据Squid的协议支持情况,也可设置ftp代理等。
#/sbin/iptables -t nat -A PREROUTING -i eth0 -s 10.236.22.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
#端口重定向,本句起到智能DNS的作用
/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 202.99.192.68:53
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 202.99.192.68:53
#进行IP伪装,这是实现透明代理上网的关键
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#------------为流量控制做基于fw过滤器的标记
iptables -I PREROUTING -t mangle -p tcp -s 10.236.22.243/24 -j MARK --set-mark 1
iptables -I PREROUTING -t mangle -p tcp -s 10.236.22.88/24 -j MARK --set-mark 1
#------------为上传速率做流量控制
#tc 要求内核2.4.18以上,所以不够的要升级
#tc 只能控制网卡发送包的速率,所以上传速率的限制要在eth0上做
#----删除旧有队列
tc qdisc del dev eth1 root
#----加一个根队列,速率用网卡的速率10Mbit,也可用上传的速率
tc qdisc add dev eth1 root handle 100: cbq bandwidth 10Mbit avpkt 1000
#----加一个根类
tc class add dev eth1 parent 100:0 classid 100:1 cbq bandwidth 10Mbit rate 10Mbit allot 1514 weight 1Mbit prio 8 maxburst 8 avpkt 1000 bounded
#----加一个子类用于内网1速率限制为300Kbit
tc class add dev eth1 parent 100:1 classid 100:2 cbq bandwidth 10Mbit rate 300Kbit allot 1513 weight 30Kbit prio 5 maxburst 8 avpkt 1000 bounded
#----加一个子类用于内网2速率限制为320Kbit
tc class add dev eth1 parent 100:1 classid 100:3 cbq bandwidth 10Mbit rate 320Kbit allot 1513 weight 32Kbit prio 6 maxburst 8 avpkt 1000 bounded
#----设置队列规则
tc qdisc add dev eth1 parent 100:2 sfq quantum 1514b perturb 15
tc qdisc add dev eth1 parent 100:3 sfq quantum 1514b perturb 15
#------将队列和fw过滤器映射起来 其中hand 1 的1是开始用iptables 做的标记,hand 2 的2也是开始用iptables 做的标记
tc filter add dev eth1 parent 100:0 protocol ip prio 1 handle 1 fw classid 100:2
tc filter add dev eth1 parent 100:0 protocol ip prio 2 handle 2 fw classid 100:3
#-----------------------限制下载速率,过滤器是用u32
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 200: cbq bandwidth 10Mbit avpkt 1000
tc class add dev eth0 parent 200:0 classid 200:1 cbq bandwidth 10Mbit rate 10Mbit allot 1514 weight 2Kbit prio 8 maxburst 8 avpkt 1000 bounded
tc class add dev eth0 parent 200:1 classid 200:2 cbq bandwidth 10Mbit rate 100Kbit allot 1513 weight 1Mbit prio 5 maxburst 8 avpkt 1000 bounded
tc qdisc add dev eth0 parent 200:2 sfq quantum 1514b perturb 15
tc filter add dev eth0 parent 200:0 protocol ip prio 25 u32 match ip dst 10.236.22.195 flowid 200:2
tc filter add dev eth0 parent 200:0 protocol ip prio 25 u32 match ip dst 10.236.22.187 flowid 200:2
[root@sxhy ~]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 209.126.73.180 0.0.0.0/0
2 DROP all -- 209.126.73.180 0.0.0.0/0
3 DROP all -- 198.204.228.34 0.0.0.0/0
4 DROP all -- 62.210.146.182 0.0.0.0/0
5 DROP all -- 62.210.188.165 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
2、停止、启动防火墙
/etc/init.d/iptables stop
/etc/init.d/iptables start
永久关闭防火墙
chkconfig iptables off
3、屏蔽IP
单个IP的命令是
iptables -I INPUT -s 209.126.73.180 -j DROP
封IP段的命令是
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
封整个段的命令是
iptables -I INPUT -s 211.0.0.0/8 -j DROP
封几个段的命令是
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
3、添加到服务器启动自运行
有三个方法:
1、把它加到/etc/rc.local中
2、iptables-save >;/etc/sysconfig/iptables可以把你当前的iptables规则放到/etc/sysconfig/iptables中,系统启动iptables时自动执行。
3、service iptables save 也可以把你当前的iptables规则放/etc/sysconfig/iptables中,系统启动iptables时自动执行。
/etc/rc.d/init.d/iptables save
4、解封:
iptables -L INPUT
iptables -L --line-numbers 然后iptables -D INPUT 序号
----------------------------------------------------
5、防火墙端口操作
开启端口:
#/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
#/sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
然后保存:
#/etc/rc.d/init.d/iptables save
关闭端口:
#/sbin/iptables -I INPUT -p tcp --dport 80 -j DROP
#/sbin/iptables -I INPUT -p tcp --dport 22 -j DROP
然后保存:
#/etc/rc.d/init.d/iptables save
-------------------------
iptables -F /* 清除所有规则 */
iptables -A INPUT -p tcp --dport 22 -j ACCEPT /*允许包从22端口进入*/
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT /*允许从22端口进入的包返回*/
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -p udp --sport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT /*允许本机访问本机*/
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT /*允许所有IP访问80端口*/
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables /*保存配置*/
iptables -L /* 显示iptables列表 */
iptables -F /* 清除所有规则 */
iptables -A INPUT -p tcp --dport 22 -j ACCEPT /*允许包从22端口进入*/
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT /*允许从22端口进入的包返回*/
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -p udp --sport 53 -j ACCEPT /* 域名解析端口,一般不开 */
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT /*允许本机访问本机*/
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT /*允许所有IP访问80端口*/
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables /*保存配置*/
iptables -L /* 显示iptables列表 */
6、防火墙脚本squid_proxy_firewall(参考实例)
[root@sxhy ~]# cat /etc/rc.d/init.d/squid_proxy_firewall
# !/bin/sh
echo "Starting squid proxy iptables rules..."
#开启IP包转发功能
echo 1 > /proc/sys/net/ipv4/ip_forward
#开启动态IP支持
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#关闭 Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
#开启SYN泛洪攻击保护(SYN Cook Flood)
#SYN攻击利用TCP协议缺陷,发送大量伪造的TCP连接请求,使被攻击方资源耗尽,导致拒绝服务
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Inore any brodcast icmp echo requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#装载内核支持模块
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#清除链的规则
/sbin/iptables -F
/sbin/iptables -t nat -F
#清除封包计数器
/sbin/iptables -Z
/sbin/iptables -t nat -Z
#设置默认策略
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
#允许本地连接
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#开放所需端口
#允许内网samba,smtp,pop3,连接
#/sbin/iptables -A INPUT -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -s 60.223.150.181/255.255.255.224 --dport 21 -j DNAT --to-destination 10.236.22.1:21
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 10.236.22.1 --sport 21 -j SNAT --to-source 60.223.150.181:40000-50000
#/sbin/iptables -A INPUT -i eth0 -p tcp --dport 177 -j ACCEPT
#开启177和6000-6010端口供xmangager连接linux 图形界面
/sbin/iptables -A INPUT -p udp --dport 177 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 6000:6010 -j ACCEPT
#开放80端口
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#开放ssh 22端口
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
#/sbin/iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 177 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 177 -j ACCEPT
#oracle需开放端口
/sbin/iptables -A INPUT -p tcp --dport 1521 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 10.236.23.8 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5060 -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 7000 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 7000 -j ACCEPT
#/sbin/iptables -A FORWARD -p udp --dport 53 -j ACCEPT
#/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 25 --syn -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 110 --syn -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 10.236.22.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 10.236.22.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
#过滤相应的mac地址和ip地址
/sbin/iptables -A FORWARD -s 10.236.22.66 -m mac --mac-source 00:E0:4C:6A:F9:7B -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.247 -m mac --mac-source 00:e0:4c:77:33:e9 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.111 -m mac --mac-source 00:1f:16:19:eb:8e -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.10 -m mac --mac-source 00:19:d1:4b:ca:d7 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.250 -m mac --mac-source 00:e0:4c:19:17:d8 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.248 -m mac --mac-source 00:e0:4c:6a:e0:dd -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.230 -m mac --mac-source 00:e0:4c:6c:39:e8 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.115 -m mac --mac-source 00:e0:4c:6c:31:24 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.117 -m mac --mac-source 00:e0:4c:77:36:96 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.63 -m mac --mac-source 00:e0:4c:6c:31:f7 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.115 -m mac --mac-source 00:16:d4:2d:94:a5 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.114 -m mac --mac-source 70:5a:b6:2e:d8:89 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.113 -m mac --mac-source 00:22:fa:94:ba:10 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.20 -m mac --mac-source 00:e0:4c:6c:33:4e -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.244 -m mac --mac-source 00:e0:4c:6c:0f:cc -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.198 -m mac --mac-source 00:e0:4c:69:04:6a -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.60 -m mac --mac-source 00:E0:4C:6D:FA:00 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.239 -m mac --mac-source 00:26:2d:ff:55:3a -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.188 -m mac --mac-source 00:e0:4c:6a:0b:07 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.102 -m mac --mac-source 00:e0:4c:6a:0f:fd -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.160 -m mac --mac-source 00:E0:4C:6C:0D:3E -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.245 -m mac --mac-source 00:e0:4c:77:34:0f -j ACCEPT
#/sbin/iptables -A FORWARD -s 10.236.22.227 -m mac --mac-source 00:90:27:90:0e:74 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.61 -m mac --mac-source 00:e0:4c:6c:0a:7a -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.70 -m mac --mac-source 00:e0:4c:68:71:d3 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.249 -m mac --mac-source 00:26:2d:ff:15:04 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.236.22.92 -m mac --mac-source 00:e0:4c:69:04:7d -j ACCEPT
#ftp
#/sbin/iptables -A FORWARD -s 10.236.22.10 -m mac --mac-source 00:19:d1:48:ca:d7 -j ACCEPT
#对由内向外发起的连接,先进行必要的过滤,防止局域网内病毒的泛红连接
/sbin/iptables -A INPUT -p udp --dport 177 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 6000:6010 -j ACCEPT
#允许内网samba
/sbin/iptables -A FORWARD -p tcp -m multiport --dport 135,445 -j ACCEPT
#/sbin/iptables -A INPUT -s 60.223.150.181/255.255.255.224 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
#/sbin/iptables -A INPUT -s 60.223.150.181/255.255.255.224 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 137:139 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --dport 80 -m multiport -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#/sbin/iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
#允许ping
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
#允许代理服务器PING其他主机
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#允许对已经建立的连接的回应,允许建立在已建立连接基础上的新连接,如ftp_data
/sbin/iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A FORWARD -p tcp -i eth0 --syn -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.66 -j ACCEPT
#/sbin/iptables -A FORWARD -d 10.236.23.242 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.30 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.248 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.236.22.5 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 21 -j DNAT --to-destination 10.236.22.30:21
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 21 -j SNAT --to-source 60.223.150.181:21
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 20 -j DNAT --to-destination 10.236.22.30:20
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 20 -j SNAT --to-source 60.223.150.181:20
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 8520 -j DNAT --to-destination 10.236.22.5:8520
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 8520 -j SNAT --to-source 60.223.150.181:8520
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7001 -j DNAT --to-destination 10.236.22.5:7001
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7001 -j SNAT --to-source 60.223.150.181:7001
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7002 -j DNAT --to-destination 10.236.22.5:7002
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7002 -j SNAT --to-source 60.223.150.181:7002
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7003 -j DNAT --to-destination 10.236.22.5:7003
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7003 -j SNAT --to-source 60.223.150.181:7003
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7004 -j DNAT --to-destination 10.236.22.5:7004
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7004 -j SNAT --to-source 60.223.150.181:7004
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7005 -j DNAT --to-destination 10.236.22.5:7005
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7005 -j SNAT --to-source 60.223.150.181:7005
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7006 -j DNAT --to-destination 10.236.22.5:7006
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7006 -j SNAT --to-source 60.223.150.181:7006
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 7007 -j DNAT --to-destination 10.236.22.5:7007
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.5 --sport 7007 -j SNAT --to-source 60.223.150.181:7007
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 2000 -j DNAT --to-destination 10.236.22.66:2000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.66 --sport 2000 -j SNAT --to-source 60.223.150.181:2000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 4000 -j DNAT --to-destination 10.236.22.245:4000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.245 --sport 4000 -j SNAT --to-source 60.223.150.181:4000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 3000 -j DNAT --to-destination 10.236.22.248:3000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.248 --sport 3000 -j SNAT --to-source 60.223.150.181:3000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 5000 -j DNAT --to-destination 10.236.22.30:5000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 5000 -j SNAT --to-source 60.223.150.181:5000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 443 -j DNAT --to-destination 10.236.22.248:443
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.248 --sport 443 -j SNAT --to-source 60.223.150.181:443
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 5000 -j DNAT --to-destination 10.236.22.20:5000
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.20 --sport 5000 -j SNAT --to-source 60.223.150.181:5000
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 80 -j DNAT --to-destination 10.236.22.20:80
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.20 --sport 80 -j SNAT --to-source 60.223.150.181:80
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 21 -j DNAT --to-destination 10.236.22.30:21
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 21 -j SNAT --to-source 60.223.150.181:21
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 20 -j DNAT --to-destination 10.236.22.30:20
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.22.30 --sport 20 -j SNAT --to-source 60.223.150.181:20
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 60.223.150.181 --dport 8000 -j DNAT --to-destination 10.236.23.8:8000
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.236.23.8 --sport 8000 -j SNAT --to-source 60.223.150.181:8000
#/sbin/iptables -t nat -A PREROUTING -d 60.223.150.181 -p tcp --dport 80 -j DNAT --to 10.236.22.30:6000
#/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 10.236.22.30 --sport 6000 -j SNAT --to-source 60.223.150.181:20000-30000
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 124.89.103.100/29 --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 123.138.163.129/29 --dport 80 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 10.236.22.0/24 -j SNAT --to-source 60.223.150.181
#端口重定向,实现透明代理的重点步骤一,有了这一步,客户端就不必设置代理了,服务器根据用户请求目标端口为80,则自动重定向到3128,交由squid处理,由此实现了http代理;同理,根据Squid的协议支持情况,也可设置ftp代理等。
#/sbin/iptables -t nat -A PREROUTING -i eth0 -s 10.236.22.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
#端口重定向,本句起到智能DNS的作用
/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 202.99.192.68:53
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 202.99.192.68:53
#进行IP伪装,这是实现透明代理上网的关键
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#------------为流量控制做基于fw过滤器的标记
iptables -I PREROUTING -t mangle -p tcp -s 10.236.22.243/24 -j MARK --set-mark 1
iptables -I PREROUTING -t mangle -p tcp -s 10.236.22.88/24 -j MARK --set-mark 1
#------------为上传速率做流量控制
#tc 要求内核2.4.18以上,所以不够的要升级
#tc 只能控制网卡发送包的速率,所以上传速率的限制要在eth0上做
#----删除旧有队列
tc qdisc del dev eth1 root
#----加一个根队列,速率用网卡的速率10Mbit,也可用上传的速率
tc qdisc add dev eth1 root handle 100: cbq bandwidth 10Mbit avpkt 1000
#----加一个根类
tc class add dev eth1 parent 100:0 classid 100:1 cbq bandwidth 10Mbit rate 10Mbit allot 1514 weight 1Mbit prio 8 maxburst 8 avpkt 1000 bounded
#----加一个子类用于内网1速率限制为300Kbit
tc class add dev eth1 parent 100:1 classid 100:2 cbq bandwidth 10Mbit rate 300Kbit allot 1513 weight 30Kbit prio 5 maxburst 8 avpkt 1000 bounded
#----加一个子类用于内网2速率限制为320Kbit
tc class add dev eth1 parent 100:1 classid 100:3 cbq bandwidth 10Mbit rate 320Kbit allot 1513 weight 32Kbit prio 6 maxburst 8 avpkt 1000 bounded
#----设置队列规则
tc qdisc add dev eth1 parent 100:2 sfq quantum 1514b perturb 15
tc qdisc add dev eth1 parent 100:3 sfq quantum 1514b perturb 15
#------将队列和fw过滤器映射起来 其中hand 1 的1是开始用iptables 做的标记,hand 2 的2也是开始用iptables 做的标记
tc filter add dev eth1 parent 100:0 protocol ip prio 1 handle 1 fw classid 100:2
tc filter add dev eth1 parent 100:0 protocol ip prio 2 handle 2 fw classid 100:3
#-----------------------限制下载速率,过滤器是用u32
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 200: cbq bandwidth 10Mbit avpkt 1000
tc class add dev eth0 parent 200:0 classid 200:1 cbq bandwidth 10Mbit rate 10Mbit allot 1514 weight 2Kbit prio 8 maxburst 8 avpkt 1000 bounded
tc class add dev eth0 parent 200:1 classid 200:2 cbq bandwidth 10Mbit rate 100Kbit allot 1513 weight 1Mbit prio 5 maxburst 8 avpkt 1000 bounded
tc qdisc add dev eth0 parent 200:2 sfq quantum 1514b perturb 15
tc filter add dev eth0 parent 200:0 protocol ip prio 25 u32 match ip dst 10.236.22.195 flowid 200:2
tc filter add dev eth0 parent 200:0 protocol ip prio 25 u32 match ip dst 10.236.22.187 flowid 200:2