|
|
小弟最近在配置一代理服务器,用iptables+squid已经实现了透明代理,现在要用iptables做访问控制,如内网用户默认禁止所有服务,再逐步开通相关服务.在iptables中的配置如下(/etc/rc.local):
===================================================================
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
# OUTER_PORT = eth1
# INTER_PORT = eth0
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
#
/sbin/iptables -N bad_tcp_packets
/sbin/iptables -N allowed
/sbin/iptables -N tcp_packetsfirewall
/sbin/iptables -N udp_packets
/sbin/iptables -N icmp_packets
#
/sbin/iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
/sbin/iptables -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A allowed -p TCP -j DROP
#
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 23 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 53 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j ACCEPT
#
/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 8000 -j ACCEPT
#
/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
/sbin/iptables -A INPUT -p tcp -j bad_tcp_packets
/sbin/iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i lo -s 192.168.100.253 -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i lo -s 10.0.0.15 -j ACCEPT
# Rules for incoming packets from anywhere
/sbin/iptables -A INPUT -p ALL -d 10.0.0.15 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p TCP -j tcp_packets
/sbin/iptables -A INPUT -p UDP -j udp_packets
/sbin/iptables -A INPUT -p ICMP -j icmp_packets
#
/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "
#
/sbin/iptables -A FORWARD -p tcp -j bad_tcp_packets
/sbin/iptables -A FORWARD -p tcp --dport 21 -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 80 -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 110 -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: "
#
/sbin/iptables -A OUTPUT -p tcp -j bad_tcp_packets
/sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s 192.168.100.253 -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s 10.0.0.15 -j ACCEPT
#
/sbin/iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: "
#
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j SNAT --to-source 10.0.0.15
==================================================================
然而如果用/etc/rc.d/init.d/iptables restart
/etc/rc.local运行使会提示错误如下:
==================================================================
[root@localhost root]# /etc/rc.local
: command not found 10:
modprobe: Can't locate module ip_tables
modprobe: Can't locate module ip_conntrack
modprobe: Can't locate module iptable_filter
modprobe: Can't locate module iptable_mangle
modprobe: Can't locate module iptable_nat
modprobe: Can't locate module ipt_LOG
modprobe: Can't locate module ipt_limit
modprobe: Can't locate module ipt_state
modprobe: Can't locate module ip_conntrack_ftp
modprobe: Can't locate module ip_nat_ftp
: command not found 25:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Table does not exist (do you need to insmod?)
iptables: Table does not exist (do you need to insmod?)
: command not found 31:
iptables: Bad policy name
iptables: Bad policy name
: command not found 36:
: command not found 43:
'ptables v1.2.8: unknown reject type `tcp-reset
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
'ptables v1.2.8: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
: command not found 48:
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
: command not found 53:
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found 63:
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found 70:
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found 74:
'ptables v1.2.8: Invalid target name `bad_tcp_packets
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found 80:
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `tcp_packets
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `udp_packets
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `icmp_packets
Try `iptables -h' or 'iptables --help' for more information.
: command not found 86:
: command not found 89:
'ptables v1.2.8: Invalid target name `bad_tcp_packets
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found 96:
: command not found 99:
'ptables v1.2.8: Invalid target name `bad_tcp_packets
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.8: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found 105:
====================================================================
可在root shell下直接敲入再用iptables-save一切正常情况,/var/log/iptables.log中的记录如下
=====================================================================
Nov 16 13:16:24 localhost kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:b0:00:27:e7:08:00 SRC=192.168.100.77 DST=192.168.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=119 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 13:16:24 localhost kernel: IPT INPUT packet died: ^MIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:b0:00:27:e7:08:00 SRC=192.168.100.77 DST=192.168.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=119 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 13:16:24 localhost last message repeated 2 times
Nov 16 13:16:30 localhost kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=192.168.100.77 DST=202.101.98.55 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=127 PROTO=UDP SPT=1029 DPT=53 LEN=41
Nov 16 13:16:30 localhost kernel: IPT FORWARD packet died: ^MIN=eth0 OUT=eth1 SRC=192.168.100.77 DST=202.101.98.55 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=127 PROTO=UDP SPT=1029 DPT=53 LEN=41
Nov 16 13:16:30 localhost last message repeated 2 times
Nov 16 13:16:31 localhost kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=192.168.100.77 DST=202.101.98.55 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=129 PROTO=UDP SPT=1029 DPT=53 LEN=41
Nov 16 13:16:31 localhost kernel: IPT FORWARD packet died: ^MIN=eth0 OUT=eth1 SRC=192.168.100.77 DST=202.101.98.55 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=129 PROTO=UDP SPT=1029 DPT=53 LEN=41
Nov 16 13:18:08 localhost kernel: IPT OUTPUT packet died: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=0 ID=57649 DF PROTO=TCP SPT=631 DPT=32773 WINDOW=32720 RES=0x00 ACK URGP=0
Nov 16 13:18:28 localhost kernel: IPT OUTPUT packet died: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=0 ID=58825 DF PROTO=TCP SPT=32773 DPT=631 WINDOW=32721 RES=0x00 ACK PSH URGP=0
===================================================================
请问以上的配置是否有误,错在哪里呢????是否是用这样的方式来控制????] |
|
IP卡
狗仔卡
发表于 2004-11-16 13:48:47
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
楼主