Linux

Do I have any unneeded iptables rules?

  • October 24, 2011

Can someone tell me whether I have any rules that I don't need?

I am especially unsure whether

   $IPT -t nat -P PREROUTING ACCEPT                # is this required?
   $IPT -t nat -P INPUT ACCEPT                     # is this required?
   $IPT -t nat -P OUTPUT ACCEPT                    # is this required?

are needed.

   #!/bin/sh

   IPT='/sbin/iptables'

   LAN_IP_NET="192.168.0.1/24"
   WAN_IP="x.x.x.x"

   LAN_NET="192.168.245.0/24"

   CLIENT_NET1="192.168.245.128/25"  # 192.168.245.128 - 192.168.245.255
   CLIENT_NET2="192.168.245.64/26"   # 192.168.245.64  - 192.168.245.127
   CLIENT_NET3="192.168.245.32/27"   # 192.168.245.32  - 192.168.245.63
   CLIENT_NET4="192.168.245.16/28"   # 192.168.245.16  - 192.168.245.31
   CLIENT_NET5="192.168.245.8/29"    # 192.168.245.8   - 192.168.245.15

   LAN_NIC="eth1"
   WAN_NIC="eth0"

   # Flush everything (note: -F/-X remove rules and user chains, not chain policies)
   $IPT -F
   $IPT -F -t nat
   $IPT -X
   $IPT -X -t nat

   # Enable packet forwarding
   echo 1 > /proc/sys/net/ipv4/ip_forward

   # Allow all outgoing
   $IPT -P OUTPUT ACCEPT
   $IPT -A OUTPUT -o lo -j ACCEPT

   # Filter rules
   $IPT -A INPUT -i lo -j ACCEPT
   $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   # Allow all traffic from LAN_NET on LAN_NIC
   $IPT -A INPUT -i $LAN_NIC -s $LAN_NET -j ACCEPT

   # Allow some services from the outside
   $IPT -A INPUT -i $WAN_NIC -p icmp --icmp-type echo-request -j ACCEPT
   $IPT -A INPUT -i $WAN_NIC -p tcp --dport ssh -j ACCEPT
   $IPT -A INPUT -i $WAN_NIC -p tcp --dport www -j ACCEPT

   # Catch-all: anything not accepted above is rejected
   $IPT -A INPUT -j REJECT

   # Masquerade 192.168.245.8 - 192.168.245.255
   $IPT -t nat -P PREROUTING ACCEPT                # is this required?
   $IPT -t nat -P INPUT ACCEPT                     # is this required?
   $IPT -t nat -P OUTPUT ACCEPT                    # is this required?

   $IPT -t nat -A POSTROUTING -s $CLIENT_NET1 -o $WAN_NIC -j MASQUERADE
   $IPT -t nat -A POSTROUTING -s $CLIENT_NET2 -o $WAN_NIC -j MASQUERADE
   $IPT -t nat -A POSTROUTING -s $CLIENT_NET3 -o $WAN_NIC -j MASQUERADE
   $IPT -t nat -A POSTROUTING -s $CLIENT_NET4 -o $WAN_NIC -j MASQUERADE
   $IPT -t nat -A POSTROUTING -s $CLIENT_NET5 -o $WAN_NIC -j MASQUERADE

   $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

   # Forward 192.168.245.8 - 192.168.245.255. The first 7 IPs are reserved for failover etc
   $IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET1 -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET2 -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET3 -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET4 -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET5 -m state --state NEW -j ACCEPT
   # Catch-all: any other forwarded traffic is rejected
   $IPT -A FORWARD -j REJECT

Policy rules are different from other rules: every built-in chain has a policy. It is an implicit part of the chain and specifies what to do when no rule in the chain matches the packet. Setting the policy to a known value is good practice.

You could try removing the rules and see whether the default policy is still ACCEPT after a reboot. As long as the default policy stays ACCEPT, these commands are redundant. However, if someone changes the policy, or the default policy changes, your firewall script will no longer do what you want. Keep these rules even though you don't seem to need them.

Your best choice for the policy is to set it to whatever you want to happen to unmatched packets. For the default chains, DROP or REJECT is probably a better policy than ACCEPT. For the NAT chains, ACCEPT tends to be a good policy.
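Because `iptables -F` leaves chain policies untouched, a script like the one in the question only knows its real defaults if it checks them: the following added example (not from the post or the answer) parses an `iptables-save` dump and reports, for each built-in filter chain, whether unmatched traffic is closed by a DROP policy, closed by a trailing catch-all DROP/REJECT rule as in the question's script, or left open by an ACCEPT policy. It runs over a constructed sample dump; note that a built-in chain's policy can only be ACCEPT or DROP, so a REJECT default has to be the chain's last rule rather than its policy.

```shell
#!/bin/sh
# Constructed iptables-save dump (not from the post), shaped like the script in
# the question: filter policies left at ACCEPT, INPUT/FORWARD closed by a
# trailing catch-all REJECT, OUTPUT relying on its ACCEPT policy.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.245.8/29 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# Read a dump on stdin; print "CHAIN POLICY STATUS" per built-in filter chain.
# STATUS: closed-by-policy (policy DROP), closed-by-rule (policy ACCEPT but the
# last rule is an unconditional DROP/REJECT), open-by-policy (leftovers accepted).
filter_chain_status() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        table != "filter" { next }
        /^:/ { c = substr($1, 2); policy[c] = $2; order[++n] = c; next }
        $1 == "-A" {
            # unconditional terminal rule: "-A CHAIN -j DROP" or
            # "-A CHAIN -j REJECT --reject-with X"; only the last rule counts
            catchall[$2] = ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT") &&
                            (NF == 4 || (NF == 6 && $5 == "--reject-with")))
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (policy[c] != "ACCEPT") s = "closed-by-policy"
                else if (catchall[c]) s = "closed-by-rule"
                else s = "open-by-policy"
                print c, policy[c], s
            }
        }'
}

# Audit the constructed dump; on a real host: iptables-save | filter_chain_status
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | filter_chain_status
}
```

Running `audit_sample` on the sample reports INPUT and FORWARD as closed-by-rule and OUTPUT as open-by-policy, which is exactly the state the question's script leaves the box in if nothing else ever sets the filter policies.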

Source: https://serverfault.com/questions/324304