1、linux下使用iptables NAT上网
linux# vi /root/iptables_nat.sh
#echo "Starting kerryhu-iptables rules..."
#!/bin/bash
# BY kerryhu
# QQ:263205768
# MAIL:king_819@163.com
# BLOG:http://kerry.blog.51cto.com
#this is a common firewall created by 2010-3-22
#!/bin/bash
# BY kerryhu
# QQ:263205768
# MAIL:king_819@163.com
# BLOG:http://kerry.blog.51cto.com
#this is a common firewall created by 2010-3-22
#启用内核ip转发
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
#加载需要的模块
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#define some variable
IPT=/sbin/iptables
LAN="192.168.0.0/24"
WAN="222.118.115.55"
DNS="61.177.7.1:53"
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#define some variable
IPT=/sbin/iptables
LAN="192.168.0.0/24"
WAN="222.118.115.55"
DNS="61.177.7.1:53"
#Remove any existing rules
$IPT -F
$IPT -t nat -F
$IPT -F
$IPT -t nat -F
#setting default firewall policy
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
#外面53端口的UDP数据进来
$IPT -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
#允许局域网设置DNS为eth1(网关内网IP)
iptables -A PREROUTING -t nat -p udp -s $LAN -d 192.168.0.1 --dport 53 -j DNAT --to-destination $DNS
#允许局域网设置DNS为eth0(网磁外网IP)
iptables -A PREROUTING -t nat -p udp -s $LAN -d $WAN --dport 53 -j DNAT --to-destination $DNS
$IPT -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
#允许局域网设置DNS为eth1(网关内网IP)
iptables -A PREROUTING -t nat -p udp -s $LAN -d 192.168.0.1 --dport 53 -j DNAT --to-destination $DNS
#允许局域网设置DNS为eth0(网磁外网IP)
iptables -A PREROUTING -t nat -p udp -s $LAN -d $WAN --dport 53 -j DNAT --to-destination $DNS
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#允许外网访问里面
$IPT -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许外网访问本机
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#允许外网访问里面
$IPT -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许外网访问本机
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许内网访问本机
$IPT -A INPUT -i eth1 -p tcp -s $LAN --dport 22 -j ACCEPT
#$IPT -A INPUT -i eth1 -p tcp -s 192.168.0.23 -m mac --mac-source 00:00:F0:71:23:60 --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许本机访问内网
$IPT -A OUTPUT -o eth1 -d $LAN -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -s $LAN --dport 22 -j ACCEPT
#$IPT -A INPUT -i eth1 -p tcp -s 192.168.0.23 -m mac --mac-source 00:00:F0:71:23:60 --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许本机访问内网
$IPT -A OUTPUT -o eth1 -d $LAN -j ACCEPT
#允许外面的UDP数据进来
#$IPT -A INPUT -i eth0 -p udp -j ACCEPT
#$IPT -A INPUT -i eth0 -p udp -j ACCEPT
#允许本机上网(如果专作服务器就可以不要)
#时钟同步
$IPT -A OUTPUT -o eth0 -d 192.43.244.18 -j ACCEPT
#允许ping出
$IPT -A OUTPUT -o eth0 -p icmp -j ACCEPT
$IPT -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#时钟同步
$IPT -A OUTPUT -o eth0 -d 192.43.244.18 -j ACCEPT
#允许ping出
$IPT -A OUTPUT -o eth0 -p icmp -j ACCEPT
$IPT -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许内网外出
#$IPT -A FORWARD -p tcp -s $LAN -j ACCEPT
#允许内网外出(只允许访问外网的80、53端口)
$IPT -A FORWARD -p tcp -s $LAN --dport 80 -j ACCEPT
$IPT -A FORWARD -p udp -s $LAN --dport 53 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#内网外出实现IP+MAC绑定
#$IPT -A FORWARD -s 192.168.0.23 -m mac --mac-source 00:00:F0:71:23:60 -j ACCEPT
#实现NAT多电脑上网
$IPT -t nat -A POSTROUTING -o eth0 -s $LAN -j SNAT --to $WAN
#$IPT -A FORWARD -p tcp -s $LAN -j ACCEPT
#允许内网外出(只允许访问外网的80、53端口)
$IPT -A FORWARD -p tcp -s $LAN --dport 80 -j ACCEPT
$IPT -A FORWARD -p udp -s $LAN --dport 53 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#内网外出实现IP+MAC绑定
#$IPT -A FORWARD -s 192.168.0.23 -m mac --mac-source 00:00:F0:71:23:60 -j ACCEPT
#实现NAT多电脑上网
$IPT -t nat -A POSTROUTING -o eth0 -s $LAN -j SNAT --to $WAN
# 将 对于 80、443、21端口的访问 重定向到内网服务器上
#$IPT -t nat -A PREROUTING -i eth0 -d $WAN -p tcp --dport 80 -j DNAT --to 192.168.0.23:80
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.23:80
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.23:443
$IPT -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.23 -j ACCEPT
$IPT -A FORWARD -i eth0 -p tcp --dport 443 -d 192.168.0.23 -j ACCEPT
#将本机的10010端口映射到内网服务器上的3389端口上
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 10010 -j DNAT --to 192.168.0.23:3389
$IPT -A FORWARD -i eth0 -p tcp --dport 3389 -d 192.168.0.23 -j ACCEPT
#$IPT -t nat -A PREROUTING -i eth0 -d $WAN -p tcp --dport 80 -j DNAT --to 192.168.0.23:80
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.23:80
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.23:443
$IPT -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.23 -j ACCEPT
$IPT -A FORWARD -i eth0 -p tcp --dport 443 -d 192.168.0.23 -j ACCEPT
#将本机的10010端口映射到内网服务器上的3389端口上
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 10010 -j DNAT --to 192.168.0.23:3389
$IPT -A FORWARD -i eth0 -p tcp --dport 3389 -d 192.168.0.23 -j ACCEPT
#ftp转发
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.0.24:21
$IPT -A FORWARD -i eth0 -p tcp --dport 21 -d 192.168.0.24 -j ACCEPT
$IPT -A FORWARD -i eth0 -s 192.168.0.24 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i eth0 -s 192.168.0.24 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -o eth0 -d 192.168.0.24 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.0.24:21
$IPT -A FORWARD -i eth0 -p tcp --dport 21 -d 192.168.0.24 -j ACCEPT
$IPT -A FORWARD -i eth0 -s 192.168.0.24 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i eth0 -s 192.168.0.24 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -o eth0 -d 192.168.0.24 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
chmod +x /root/iptables_nat.sh
echo "/root/iptables_nat.sh" >> /etc/rc.local
2、iptables批量绑定IP-MAC地址的脚本
通过LanHelper等软件或ARP命令得到 ip_mac.txt 文件格式如下:
172.20.0.3 00:00:F0:71:23:60
172.20.0.6 00:16:76:09:0F:23
172.20.0.10 00:13:8F:26:F9:A6
172.20.0.11 00:16:EC:9A:FF:A9
172.20.0.13 00:14:85:93:26:5A
172.20.0.14 00:13:8F:30:40:7F
172.20.0.16 00:16:EC:26:B6:F4
……
172.20.0.6 00:16:76:09:0F:23
172.20.0.10 00:13:8F:26:F9:A6
172.20.0.11 00:16:EC:9A:FF:A9
172.20.0.13 00:14:85:93:26:5A
172.20.0.14 00:13:8F:30:40:7F
172.20.0.16 00:16:EC:26:B6:F4
……
IP地址和MAC地址之间只有一个空格
预设转发包为禁止通过
iptables -P FORWARD DROP
iptables -P FORWARD DROP
然后再根据绑定MAC机器让他通过转发包
iptables -A FORWARD -s 172.20.0.3 -m mac --mac-source 00:00:F0:71:23:60 -j ACCEPT
iptables -A FORWARD -s 172.20.0.3 -m mac --mac-source 00:00:F0:71:23:60 -j ACCEPT
写个脚本批量绑定MAC机器,以后有新机器加入的时候只需要在ethers.txt文件中增加就行了。
以下内容为程序代码:
cat /root/ip_mac.txt | while read line
do
iptables -A FORWARD -s ${line% *} -m mac --mac-source ${line#* } -j ACCEPT
done
或
以下内容为程序代码:
while read sip mac
do
iptables -A FORWARD -s $sip -m mac --mac-source $mac -j ACCEPT
done < /root/ip_mac.txt
或
以下内容为程序代码:
tail -f /root/ip_mac.txt | while read sip mac
do
iptables -A FORWARD -s $sip -m mac --mac-source $mac -j ACCEPT
done &
以下内容为程序代码:
tail -f /root/ip_mac.txt | while read sip mac
do
iptables -A FORWARD -s $sip -m mac --mac-source $mac -j ACCEPT
done &
或
以下内容为程序代码:
#!/bin/sh
arp | while read ip type mac flags iface
do
echo $ip $mac >> /root/ip_mac.txt
done
ethers.txt只是做限制iptables转发的例子文件名而已,vi手动添加,只需要添加一次就行了,不要重复。
如果只是简单在网关上面绑定IP和MAC地址防止局域网ARP欺骗,只需要拷贝ip_mac.txt到/root/ ,执行arp -f /root/ip_mac.txt 绑定命令,并把此命令加入到/etc/rc.d/rc.local 中。
3、内网实现NAT代理上网,使用外网地址池
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 222.33.44.50-222.33.44.60
Linux下单网卡绑定多IP(外网接口eth0上绑定多IP)
在/etc/sysconfig/network-scripts目录里面创建一个名为ifcfg-eth0:0的文件,添加内容如下:
DEVICE=eth0:0
IPADDR=222.33.44.51
BROADCAST=222.33.44.255
IPADDR=222.33.44.51
BROADCAST=222.33.44.255
NETMASK=255.255.255.0
ONBOOT=yes
ONBOOT=yes
ifcfg-eth0:1
DEVICE=eth0:1
IPADDR=222.33.44.52
BROADCAST=222.33.44.255
IPADDR=222.33.44.52
BROADCAST=222.33.44.255
NETMASK=255.255.255.0
ONBOOT=yes
ONBOOT=yes
本文转自king_819 51CTO博客,原文链接:http://blog.51cto.com/kerry/289443,如需转载请自行联系原作者
