Linux

iptables NAT/forwarding with an external ADSL router; PCs on the network cannot access the Internet

  • February 11, 2013

I'm setting up a firewall/gateway (Ubuntu Server 8.04.1).

The firewall has three NICs: eth0 192.168.0.2, eth1 192.168.1.2, eth2 192.168.2.2

eth1 is connected directly to the ADSL router (which also does NAT). The ADSL router's IP is 192.168.1.1.

The PCs on 192.168.0.x need to access the Internet through the router (each has its gateway set to 192.168.0.2).

The servers on 192.168.2.x receive traffic from the Internet.

This is the firewall script I currently have **(updated)**:

#!/bin/bash

# Local - eth0 - 192.168.0.*
# Comms - eth1 - 192.168.1.*
# Servr - eth2 - 192.168.2.*

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


# Loopback

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# SSH

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# DNS

iptables -A OUTPUT -p udp -o eth1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth2 --sport 53 -j ACCEPT


# Firewall outgoing (access 80,443,53 from the firewall itself; don't open up for unrelated incoming connections)

iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT


# NAT

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -A FORWARD -o eth2 -j ACCEPT

echo 1 >/proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -m multiport --dports 80,443 -j ACCEPT

iptables -A FORWARD -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp -m multiport --dports 53 -j ACCEPT

iptables -A FORWARD -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Allow responses

iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT


# Load balance

# PREROUTING only exists in the nat table, so -t nat is required here
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.2.81
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.2.82
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.2.83


# ICMP

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -N icmp_accept
iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp -j icmp_accept


# Anti DoS

#iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


# Logging

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "IPTABLES-DROP " --log-level 4
iptables -A LOGGING -j DROP

The firewall's gateway is set to 192.168.1.1.

cat /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   address 192.168.0.2
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255

auto eth1
iface eth1 inet static
   address 192.168.1.2
   netmask 255.255.255.0
   network 192.168.1.0
   broadcast 192.168.1.255
   gateway 192.168.1.1
   dns-nameservers 192.168.1.1

auto eth2
iface eth2 inet static
   address 192.168.2.2
   netmask 255.255.255.0
   network 192.168.2.0
   broadcast 192.168.2.255

ip route list

192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
default via 192.168.1.1 dev eth1 metric 100

Firewall:

  • can ping IPs on the Internet
  • cannot reach IPs on the Internet over HTTP

PC:

  • can ping the firewall
  • cannot reach IPs on the Internet over HTTP or ping them

Already ran: sysctl -w net.ipv4.ip_forward=1

This is more or less the recommended configuration I've gathered from various sites. Any suggestions on how to get the PCs to reach sites on the Internet through the firewall?

Thanks

I would replace

iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT

with

iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, apart from icmp (input and output), I don't see any gateway traffic rules.

You're missing the basic FORWARD table rules - your packets are forwarded on their way out to the Internet, but the responses are dropped because you haven't defined any rules to accept them and your default FORWARD policy is set to DROP. I would add

# ACCEPT reverse path packets for outbound TCP connections
iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT
# ACCEPT reverse path packets for outbound UDP "connections"
iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT

# create and fill icmp_accept chain with rules for desired ICMP messages
iptables -N icmp_accept
iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT

# allow necessary ICMP
iptables -A FORWARD -p icmp -j icmp_accept

YMMV depending on what level of security and logging you need, but this should get you started.
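A check for the condition the second answer describes, added here as an example and not code from the thread: it reads an iptables-save dump (a constructed sample modelled on the posted script is embedded) and reports whether the FORWARD chain accepts reply traffic arriving on the WAN interface, what the FORWARD default policy is, and whether outbound traffic is masqueraded. Treating eth1 as the WAN side is an assumption taken from the question's layout.

```shell
#!/bin/sh
# forward_check.sh: audit an iptables-save dump for the FORWARD-chain problem
# discussed in this thread. Added example, not from the thread; treating eth1
# as the WAN side is an assumption taken from the question's network layout.

# Print "ok" if the FORWARD chain accepts ESTABLISHED (reply) traffic arriving
# on the WAN interface, else "missing".  $1 = dump file, $2 = WAN interface.
check_return_rule() {
  if grep -Eq "^-A FORWARD -i $2 .*-m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT" "$1"
  then echo ok; else echo missing; fi
}

# Print the FORWARD chain's default policy (DROP or ACCEPT).
forward_policy() {
  sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p' "$1"
}

# Print "ok" if outbound traffic on the WAN interface is masqueraded.
check_masquerade() {
  if grep -q "^-A POSTROUTING -o $2 -j MASQUERADE" "$1"
  then echo ok; else echo missing; fi
}

# Constructed sample in iptables-save format: the relevant lines of the
# posted script *without* the reply-accepting rule the answers recommend.
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
COMMIT
EOF

# Same dump with the rule from the first answer inserted at the top of FORWARD.
AFTER=$(mktemp)
awk '{print} /^:FORWARD DROP/{print "-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT"}' "$BEFORE" > "$AFTER"

for f in "$BEFORE" "$AFTER"; do
  echo "policy=$(forward_policy "$f") reply_rule=$(check_return_rule "$f" eth1) masquerade=$(check_masquerade "$f" eth1)"
done
```

Run the three functions against `iptables-save` output taken on the gateway itself to see which of the three pieces the live ruleset lacks.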

Source: https://serverfault.com/questions/476592