NATtingSOHOfirewall

# Model NATting SOHO firewall for SP article

　　# by Jay Beale (jay@bastille-linux.org)

　　#

　　# Warning: you're going to have to hack this for your own purposes.

　　#

　　# Assumptions:

　　# your internal network is 192.168.1.0/24 on eth1

　　# your internet IP is 10.0.0.1 on eth0

　　# your internal network IP on eth1 is 192.168.1.1

　　#

　　# Additonally:

　　# you have another internal network, a DMZ: 192.168.2.0/24 on eth2

　　$INTERNAL_IP = 192.168.1.1

　　$INTERNAL_NET = 192.168.1.0/24

　　$INTERNET = 10.0.0.1

　　$DMZ = 192.168.2.0/24

　　# Insert the required kernel modules

　　modprobe iptable_nat

　　modprobe ip_conntrack

　　modprobe ip_conntrack_ftp

　　# Set default policies for packets going through this firewall box

　　iptables -t nat -P PREROUTING DROP

　　iptables -t nat -P POSTROUTING DROP

　　iptables -P FORWARD DROP

　　# Set default policies for packet entering this box

　　iptables -P OUTPUT ALLOW

　　iptables -P INPUT ALLOW

　　# Kill spoofed packets

　　for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

　　echo 1 > $f

　　done

　　# Anything coming from our internal network should have only our addresses!

　　iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP

　　# Anything coming from the Internet should have a real Internet address

　　iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP

　　iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP

　　iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP

　　# Note:There are more "reserved" networks, but these are the classical ones.

　　# Block outgoing network filesharing protocols that aren't designed

　　# to leave the LAN

　　# SMB / Windows filesharing

　　iptables -A FORWARD -p tcp --sport 137:139 -j DROP

　　iptables -A FORWARD -p udp --sport 137:139 -j DROP

　　# NFS Mount Service (TCP/UDP 635)

　　iptables -A FORWARD -p tcp --sport 635 -j DROP

　　iptables -A FORWARD -p udp --sport 635 -j DROP

　　# NFS (TCP/UDP 2049)

　　iptables -A FORWARD -p tcp --sport 2049 -j DROP

　　iptables -A FORWARD -p udp --sport 2049 -j DROP

　　# Portmapper (TCP/UDP 111)

　　iptables -A FORWARD -p tcp --sport 111 -j DROP

　　iptables -A FORWARD -p udp --sport 111 -j DROP

　　# Block incoming syslog, lpr, rsh, rexec...

　　iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP

　　iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP

　　iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP

　　iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

　　###

　　# Transparently proxy all web-surfing through Squid box

　　$SQUID = 192.168.1.2:8080

　　$SQUIDSSL = 192.168.1.2:443

　　iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID

　　iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

　　# Transparently forward all outgoing mail to a relay host

　　$SMTP = 192.168.1.3

　　iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

　　# Transparently redirect web connections from outside to the DMZ web

　　# server

　　$DMZ_WEB = 192.168.2.2

　　iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT --to $DMZ_WEB

　　# Source NAT to get Internet traffic through

　　iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET

　　# Activate the forwarding!

　　echo 1 >/proc/sys/net/ipv4/ip_forward本文来自：http://www.xiaoyaxiao.com/2603.html
发表您的高见！