我想对外发布3台服务器,前方用iptables 做防火墙,请问是不是要在和internet连接的网卡上绑3个IP呀!谢谢!
好好先生 回复于:2003-08-20 16:11:52 |
不用.你看一下精华区的"网络安全"相关贴子.只用一个IP,可以用iptables来映射. |
nu9i 回复于:2003-08-20 16:42:01 |
没找到! |
cilient 回复于:2003-08-20 17:05:57 |
give me your IP , I will you a example for iptables nat! |
nu9i 回复于:2003-08-20 17:18:39 |
比如我的3个机器是10.10.10.10 10.10.10.11 10.10.10.12 连接internet 的网卡地址是202.10.10.10 |
cilient 回复于:2003-08-20 17:33:23 |
一般情况,如果是用(只有)一个地址做NAT,那么如下: #载入相关模块 modprobe ip_tables modprobe ip_nat_ftp #进行ip伪装 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 这里eth0一定要是你的广域网的那个口,如果你有多个广域网IP,那么给出来,我给你具体的作NAT的方法和配置、或者是基于端口映射的方法! |
nu9i 回复于:2003-08-20 17:38:16 |
我有3台机器,现在用着3个IP,202.xxx.xxx.2 202.xxx.xxx.3 202.xxx.xxx.4 。前一段被人攻击了,我现在想用linux做个防火墙,让服务器都使用假IP,怎么做呢? |
cilient 回复于:2003-08-20 18:42:52 |
给你一个例子: #!/bin/bash # Do iptables based masquerading and firewalling. # ~spot, 09/01/2002 # Set default PATH export PATH=/sbin:/usr/sbin:/bin:/usr/bin # Load NAT modules modprobe iptable_nat modprobe ip_nat_ftp modprobe ip_nat_irc # Load connection-tracking modules modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_conntrack_irc # Disable response to broadcasts. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Don't accept source routed packets. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Disable ICMP redirect acceptance. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Log spoofed packets, source routed packets, redirect packets echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Clean old iptables iptables -F iptables -X iptables -Z # Allow forwarding through the internal interface iptables -A FORWARD -i eth1 -j ACCEPT iptables -A FORWARD -o eth1 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Default forward policy to DROP iptables -P FORWARD DROP # Do masquerading through eth0 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Port Forwarding iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.100.2:22 # Firewall Rules # Loopback - Allow unlimited traffic iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # SYN-Flooding Protection iptables -N syn-flood iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A syn-flood -j DROP # Make sure that new TCP connections are SYN packets iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP # Fragments : Don't trust the little buggers. Send 'em to hell. iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: " iptables -A INPUT -i eth0 -f -j DROP # Refuse spoofed packets claiming to be the loopback iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP # Allow BootP/DHCP UDP requests iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT # DNS # Allow UDP packets in for DNS client from nameservers iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT # SSH # allow all sshd incoming connections (including the port fw) iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT # HTTP # allow all http/https incoming/return connections iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT # FTP # allow all ftpd incoming connections iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT # Enable active ftp transfers iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable passive ftp transfers iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable ident probes (IRC) iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT # Allow ICMP in if it is related to other connections iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow bot traffic through iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT # enable dcc iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT # LOGGING: # UDP, log & drop iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: " iptables -A INPUT -i eth0 -p udp -j DROP # ICMP, log & drop iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: " iptables -A INPUT -i eth0 -p icmp -j DROP # Windows NetBIOS noise, log & drop iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: " iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP # IGMP noise, log & drop iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: " iptables -A INPUT -i eth0 -p 2 -j DROP # TCP, log & drop iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: " iptables -A INPUT -i eth0 -p tcp -j DROP # Anything else not allowed, log & drop iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: " iptables -A INPUT -i eth0 -j DROP 这个例子是做masqurede的,你的情况是做NAT,如果是静态NAT,可以如下: 然后我们将分配给A、B、C主机的公网ip绑定到iptables防火墙的外网接口,执行以下命令: ifconfig eth0 add 202.xxx.xxx.2netmask 255.255.255.0 ifconfig eth0 add 202.xxx.xxx.3 netmask 255.255.255.0 ifconfig eth0 add 202.xxx.xxx.3 netmask 255.255.255.0 首先,对防火墙接收到的目的ip为202.xxx.xxx.1和202.xxx.xxx.2的所有数据包进行目的NAT(DNAT), 只写两个了: iptables -A PREROUTING -i eth0 -d 202.xxx.xxx.1 -j DNAT --to 10.10.10.1 iptables -A PREROUTING -i eth0 -d 202.xxx.xxx.2 -j DNAT --to 10.10.10.2 其次,对iptables防火墙接收到的源ip地址为10.10.10.1和10.10.10.2的数据包进行源NAT(SNAT): iptables -A POSTROUTING -o eth0 -s 10.10.10.1 -j SNAT --to 202.xxx.xxx.1 iptables -A POSTROUTING -o eth0 -s 10.10.10.2 -j SNAT --to 202.xxx.xxx.2 这样就实现了静态一一映射。 如果要基于端口:那么就要这样: #映射端口,以UDP5000为例子 iptables -t nat -A PREROUTING -i eth0 -d 202.xxx.xxx.1 -p udp --dport 5000 -j DNAT --to 10.10.10.1 iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.1 -p udp --sport 5000 -j SNAT --to 202.xxx.xxx.1 #映射协议,以ICMP协议为例子 iptables -t nat -A PREROUTING -i eth0 -d 202.xxx.xxx.1 -p icmp -j DNAT --to 10.10.10.1 iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.1 -p icmp -j SNAT --to 202.xxx.xxx.1 基本的方法就是这样了,要防火墙规则做得好,就去网上参考一些别人的规则样例吧。 祝你顺利! |
herogl 回复于:2003-08-20 19:13:33 |
http://chinaunix.net/forum/viewtopic.php?t=73421&highlight=%B7%C0%BB%F0%C7%BD |
nu9i 回复于:2003-08-21 10:43:36 |
谢谢!cilient |
延伸阅读
文章来源于领测软件测试网 https://www.ltesting.net/