Content from: http://iptables-tutorial.frozentux.net/cn/iptables-tutorial-cn-1.1.19.html#NATTABLE

Before the box can act as a NAT gateway at all, the kernel has to be allowed to route packets between its interfaces. IP forwarding is enabled with:

echo "1" > /proc/sys/net/ipv4/ip_forward

If you use SLIP, PPP or DHCP, i.e. your Internet-side address is assigned dynamically, also enable ip_dynaddr so that connections opened while the address is still changing are rewritten to the new address:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

Writes to /proc take effect immediately but do not survive a reboot; on current distributions put net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/ as well (or use sysctl -w net.ipv4.ip_forward=1), and keep forwarding off on any host that is not meant to be a router. The full rc.firewall script from the tutorial, which does the forwarding, filtering and SNAT set-up in one place, follows.
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# Note: the value below is actually /16 (192.168.0.0 - 192.168.255.255);
# tighten it to /24 if that is what your LAN really uses, because this
# range is what the INPUT chain trusts unconditionally.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#
# These are the 2.4-era module names. On current kernels the equivalents
# are nf_conntrack, xt_state, xt_limit and xt_LOG, and iptables loads them
# on demand, so a failed modprobe here is harmless on a modern system.
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#
# A packet that conntrack sees as NEW but that is not a bare SYN is either
# a stale connection from before the firewall came up or a probe (ACK/FIN
# scans); SYN,ACK as NEW is answered with a reset, the rest is logged and
# dropped.
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#
# SNAT --to-source assumes INET_IP is static. With a dynamically assigned
# address (the SLIP/PPP/DHCP case that needs ip_dynaddr above) use
# "-j MASQUERADE" instead, which always picks the interface's current
# address and drops its mappings when the interface goes down.
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
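The script ends by logging whatever falls off the end of INPUT, FORWARD and OUTPUT (prefixes "IPT ... packet died: "), and bad_tcp_packets logs out-of-state TCP with the prefix "New not syn:", but neither the tutorial nor this post says what to do with those lines. The following is an added example of my own, not code from the tutorial or its author: it parses the kernel's LOG-target lines into records and summarises them per source, so you can see which sources are hitting closed ports and which are sending TCP that conntrack has never seen a SYN for (ACK scans and stale connections look identical here). The log lines are constructed to match the LOG target's key=value format with this script's prefixes and use documentation addresses (203.0.113.0/24, 198.51.100.0/24); the three-distinct-ports threshold for calling something a scan is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of kernel log lines in netfilter LOG-target format,
# with the --log-prefix values from the rc.firewall script above. Note the
# "New not syn:" prefix has no trailing space, so it runs into "IN=".
SAMPLE_LOG = """\
Nov 21 16:08:01 gw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:66:77:88:99:aa:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 16:08:02 gw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:66:77:88:99:aa:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40113 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 16:08:05 gw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:66:77:88:99:bb:08:00 SRC=198.51.100.9 DST=194.236.50.155 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=1900 DPT=1900 LEN=58
Nov 21 16:08:09 gw kernel: New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:00:66:77:88:99:aa:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40114 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Nov 21 16:08:11 gw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40115 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 16:08:12 gw kernel: usb 1-1: new high-speed USB device number 2
"""

# Prefix is whatever sits between "kernel: " and the first "IN=" field.
# SPT/DPT are optional because ICMP lines carry TYPE=/CODE= instead.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# The LOG target prints set TCP flags as bare words after the key=value fields.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for a netfilter LOG line, or None for any other kernel line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarise(log_text):
    """Aggregate LOG records by prefix, source, (proto, dport) and per-source port set."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    ports_per_src = defaultdict(set)
    for r in records:
        if r["dpt"] is not None:
            ports_per_src[r["src"]].add(r["dpt"])
    return {
        "records": records,
        "by_prefix": Counter(r["prefix"] for r in records),
        "by_src": Counter(r["src"] for r in records),
        "by_service": Counter((r["proto"], r["dpt"]) for r in records),
        "ports_per_src": dict(ports_per_src),
        # Out-of-state TCP: NEW without SYN, as flagged by bad_tcp_packets.
        "out_of_state": Counter(r["src"] for r in records if r["prefix"] == "New not syn:"),
    }


def scan_suspects(summary, min_ports=3):
    """Sources whose dropped packets touched at least min_ports distinct ports.

    The script's LOG rules use -m limit (3/minute, burst 3), so the kernel
    records only a sample of the drops: treat these as lower bounds on
    breadth, not as packet counts.
    """
    return sorted(src for src, ports in summary["ports_per_src"].items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for prefix, n in s["by_prefix"].most_common():
        print(f"{n:4d}  {prefix}")
    for (proto, dpt), n in s["by_service"].most_common(5):
        print(f"{n:4d}  {proto} dport {dpt}")
    print("port-scan suspects:", scan_suspects(s))
    print("out-of-state TCP by source:", dict(s["out_of_state"]))
```

Feed it the output of `journalctl -k` or /var/log/kern.log (the script logs at level DEBUG, so make sure your syslog configuration keeps that level). Because the LOG rules are rate-limited, a source that appears once in the log may have sent hundreds of packets; the useful signal is which sources and which closed ports, not how many lines.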