【導(dǎo)讀】，你可以在你的/etc/。是的，最初這篇文章。是偽裝成HOWTO文檔的形式書寫的,因?yàn)樵S多人只接受HOWTO文檔,。我已經(jīng)向MarcBoucher及filter團(tuán)隊(duì)的其他核心成員提出了問題。對(duì)他們的工作以及對(duì)。我在為書寫這個(gè)指南時(shí)的幫助表示極大的謝意。這個(gè)文檔將一步一步教你。setup過程，讓你對(duì)iptables包有更多的了解。這大部分的東西都基于例子文件，因?yàn)槲野l(fā)現(xiàn)這是學(xué)習(xí)iptables的一個(gè)好方法。我不太確定如何組織這篇文章，但我最后決定。我是這樣一個(gè)人，在我的局域網(wǎng)上有很多舊機(jī)器，等待連接到Inter上并保證安全。在IRC中流出DCCs的問題，你得服務(wù)器分配端口，并告知客戶端，然后再讓客戶連接。的產(chǎn)品發(fā)布做好準(zhǔn)備，但我仍然建議那些使用ipchains或更老的ipfwadm的人進(jìn)行升級(jí)，除非他們對(duì)正在使用的代碼滿意，或則它們足以滿足他們的需要。了內(nèi)核空間包，在配置時(shí)可以加入內(nèi)核，有用的部分我們將在下文討論。動(dòng)的FTP客戶通過一個(gè)其他方面是完全關(guān)閉的服務(wù)器，下載文件，列表目錄等。當(dāng)然，安裝這個(gè)包也是個(gè)好主意。

　　

【正文】 ially load modules /sbin/depmod a Adds some iptables targets like LOG, REJECT and MASQUARADE. /sbin/modprobe ipt_LOG /sbin/modprobe ipt_MASQUERADE Support for connection tracking of FTP and IRC. /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_conntrack_irc CRITICAL: Enable IP forwarding since it is disabled by default. echo 1 /proc/sys//ipv4/ip_forward 18 Dynamic IP users: echo 1 /proc/sys//ipv4/ip_dynaddr Chain Policies gets set up before any bad packets gets through $IPTABLES P INPUT DROP $IPTABLES P OUTPUT DROP $IPTABLES P FORWARD DROP the allowed chain for TCP connections, utilized in the FORWARD chain $IPTABLES N allowed $IPTABLES A allowed p TCP syn j ACCEPT $IPTABLES A allowed p TCP m state state ESTABLISHED,RELATED j ACCEPT $IPTABLES A allowed p TCP j DROP ICMP rules, utilized in the FORWARD chain $IPTABLES N icmp_packets $IPTABLES A icmp_packets p ICMP s 0/0 icmptype 0 j ACCEPT $IPTABLES A icmp_packets p ICMP s 0/0 icmptype 3 j ACCEPT $IPTABLES A icmp_packets p ICMP s 0/0 icmptype 5 j ACCEPT $IPTABLES A icmp_packets p ICMP s 0/0 icmptype 11 j ACCEPT POSTROUTING chain in the nat table Enable IP SNAT for all internal works trying to get out on the Inter $IPTABLES t nat A POSTROUTING o $INET_IFACE j SNAT tosource $INET_IP 19 PREROUTING chain in the nat table Do some checks for obviously spoofed IP39。s $IPTABLES t nat A PREROUTING i $INET_IFACE s $IPTABLES t nat A PREROUTING i $INET_IFACE s $IPTABLES t nat A PREROUTING i $INET_IFACE s $IPTABLES t nat A PREROUTING i $INET_IFACE s $INET_IP j DROP Enable IP Destination NAT for DMZ zone $IPTABLES t nat A PREROUTING p TCP i $INET_IFACE d $HTTP_IP dport 80 j DNAT todestination $DMZ_HTTP_IP $IPTABLES t nat A PREROUTING p TCP i $INET_IFACE d $DNS_IP dport 53 j DNAT todestination $DMZ_DNS_IP $IPTABLES t nat A PREROUTING p UDP i $INET_IFACE d $DNS_IP dport 53 j DNAT todestination $DMZ_DNS_IP FORWARD chain Get rid of bad TCP packets $IPTABLES A FORWARD p tcp ! syn m state state NEW j LOG logprefix New not syn: $IPTABLES A FORWARD p tcp ! syn m state state NEW j DROP DMZ section General rules $IPTABLES A FORWARD i $DMZ_IFACE o $INET_IFACE j ACCEPT $IPTABLES A FORWARD i $INET_IFACE o $DMZ_IFACE m state state ESTABLISHED,RELATED j ACCEPTED 20 HTTP server $IPTABLES A FORWARD p TCP i $INET_IFACE o $DMZ_IFACE d $DMZ_HTTP_IP dport 80 j allowed $IPTABLES A FORWARD p ICMP i $INET_IFACE o $DMZ_IFACE d DMZ_HTTP_IP j icmp_packets DNS server $IPTABLES A FORWARD p TCP i $INET_IFACE o $DMZ_IFACE d $DMZ_DNS_IP dport 53 j allowed $IPTABLES A FORWARD p UDP i $INET_IFACE o $DMZ_IFACE d $DMZ_DNS_IP dport 53 j ACCEPT $IPTABLES A FORWARD p ICMP i $INET_IFACE o $DMZ_IFACE d $DMZ_DNS_IP j icmp_packets LAN section $IPTABLES A FORWARD i $LAN_IFACE j ACCEPT $IPTABLES A FORWARD m state state ESTABLISHED,RELATED j ACCEPT LOG all packets reaching here $IPTABLES A FORWARD m limit limit 3/minute limitburst 3 j LOG loglevel DEBUG logprefix IPT FORWARD packet died: Firewall rules Rules applying to the firewall box INPUT chain Get rid of bad packets 21 $IPTABLES A FORWARD p tcp ! syn m state state NEW j LOG logprefix New not syn: $IPTABLES A FORWARD p tcp ! syn m state state NEW j DROP Packets from the Inter to this box $IPTABLES A INPUT p ICMP i $INET_IFACE j icmp_packets Packets from LAN, DMZ or LOCALHOST From DMZ Interface to DMZ firewall IP $IPTABLES A INPUT p ALL i $DMZ_IFACE d $DMZ_IP j ACCEPT From LAN Interface to LAN firewall IP $IPTABLES A INPUT p ALL i $LAN_IFACE d $LAN_IP j ACCEPT $IPTABLES A INPUT p ALL i $LAN_IFACE d $LAN_BCAST_ADRESS j ACCEPT From Localhost interface to Localhost IP $IPTABLES A INPUT p ALL i $LO_IFACE d $LO_IP j ACCEPT All established and related packets ining from the inter to the firewall $IPTABLES A INPUT p ALL d $INET_IP m state state ESTABLISHED,RELATED j ACCEPT Logging rule $IPTABLES A INPUT m limit limit 3/minute limitburst 3 j LOG loglevel DEB OUTPUT chain Get rid of bad TCP packets $IPTABLES A FORWARD p tcp ! syn m state state NEW j LOG logprefix New not syn: 22 $IPTABLES A FORWARD p tcp ! syn m state state NEW j DROP Allow ourself to send packets not spoofed everywhere $IPTABLES A OUTPUT p ALL d $LO_IFACE s $LO_IP j ACCEPT $IPTABLES A OUTPUT p ALL d $LAN_IPs $LAN_IP j ACCEPT $IPTABLES A OUTPUT p ALL d $INET_IFACE s $INET_IP j ACCEPT Logging rule $IPTABLES A OUTPUT m limit limit 3/minute limitburst 3 j LOG loglevel DEBUG logprefix IPT OUTPUT packet died: 刷新規(guī)則 !/bin/sh Resets the iptables to default values, in case you screw something up while setting your up as I did quite a few times。) Author: Oskar Andreasson (c) of , use at your own risk, do whatever you please with it as long as you don39。t distribute this with due credits to reset the default policies in the filter table. /usr/local/sbin/iptables P INPUT ACCEP