QQ登录

只需一步,快速开始

 找回密码
 注册

QQ登录

只需一步,快速开始

返回列表 发新帖
查看: 822|回复: 0

老大们帮忙看看我的透明代理+路由配置错在哪。。

[复制链接]
蓝青
发表于 2005-3-29 00:01:39 | 显示全部楼层 |阅读模式
服务器SQUID 启动正常。。。
但iptables启动报错。。但当初仍可使用,可最近网络总是掉线。。也很卡。。不知道是什么原因。。老大们帮小生看看哪。。。

/etc/rc.d/

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

#rtsp
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 554 -j DNAT --to 192.192.192.250
iptables -t nat -A POSTROUTING -d 192.192.192.250 -p tcp --dport 554 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.250 -p tcp --dport 554 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.250 -p tcp --sport 554 -m --state ESTABLISHED -j ACCEPT

#web
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 80 -j DNAT --to 192.192.192.250
#iptables -t nat -A POSTROUTING -d 192.192.192.250 -p tcp --dport 80 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.250 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.250 -p tcp --sport 80 -m --state ESTABLISHED -j ACCEPT
#ftp
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 21 -j DNAT --to 192.192.192.250
iptables -A FORWARD -o eth0 -d 192.192.192.250 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.250 -p tcp --sport 21 -m --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.250 -p tcp --sport 20 -m --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.192.192.250 -p tcp --dport 20 -m --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.192.192.250 -p tcp --dport 1024: -m --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.250 -p tcp --sport 1024: -m --state ESTABLISHED -j ACCEPT
#iptables -t nat -A POSTROUTING -d 192.192.192.250 -p tcp --dport 21 -i eth0 -j SNAT --to 192.192.192.200

#mir
#7000
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 7000 -j DNAT --to 192.192.192.254
iptables -t nat -A POSTROUTING -d 192.192.192.254 -p tcp --dport 7000 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.254 -p tcp --dport 7000 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.254 -p tcp --sport 7000 -m --state ESTABLISHED -j ACCEPT
#7100
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 7100 -j DNAT --to 192.192.192.254
iptables -t nat -A POSTROUTING -d 192.192.192.254 -p tcp --dport 7100 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.254 -p tcp --dport 7100 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.254 -p tcp --sport 7100 -m --state ESTABLISHED -j ACCEPT
#7200
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 7200 -j DNAT --to 192.192.192.254
iptables -t nat -A POSTROUTING -d 192.192.192.254 -p tcp --dport 7200 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.254 -p tcp --dport 7200 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.254 -p tcp --sport 7200 -m --state ESTABLISHED -j ACCEPT
#7210
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 7210 -j DNAT --to 192.192.192.254
iptables -t nat -A POSTROUTING -d 192.192.192.254 -p tcp --dport 7210 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.254 -p tcp --dport 7210 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.254 -p tcp --sport 7210 -m --state ESTABLISHED -j ACCEPT
#7220
iptables -t nat -A PREROUTING -d 外网IP -p tcp --dport 7220 -j DNAT --to 192.192.192.254
iptables -t nat -A POSTROUTING -d 192.192.192.254 -p tcp --dport 7220 -j SNAT --to 192.192.192.200
iptables -A FORWARD -o eth0 -d 192.192.192.254 -p tcp --dport 7220 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.192.192.254 -p tcp --sport 7220 -m --state ESTABLISHED -j ACCEPT
#squid
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.192.192.0/24 --dport 80 -j REDIRECT --to-ports 3128
#iptables -t nat -A POSTROUTING -s 192.192.192.0/24 -o eth1 -j MASQUERADE


------------------
/etc/sysconfig/iptables
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*mangle
REROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
COMMIT

*nat
REROUTING ACCEPT [0]
OSTROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
[0] -A PREROUTING -s 192.192.192.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[0] -A PREROUTING -s 192.192.192.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
[0] -A POSTROUTING -s 192.192.192.0/255.255.255.0 -j MASQUERADE
#[0] -A POSTROUTING -s 192.168.20.32/255.255.255.240 -j SNAT --to 211.148.130.133
COMMIT
#
*filter
:INPUT ACCEPT [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [0]
:RH-Firewall-1-INPUT - [0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#
[0] -A INPUT -s 207.46.0.0/255.255.0.0 -j DROP
[0] -A INPUT -d 207.46.0.0/255.255.0.0 -j DROP

[0] -A INPUT -s 255.255.255.255 -i eth0 -j DROP
[0] -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
[0] -A INPUT -d 0.0.0.0 -i eth0 -j DROP
[0] -A INPUT -p tcp -m tcp --sport 5000 -j DROP
[0] -A INPUT -p udp -m udp --sport 5000 -j DROP
[0] -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP
[0] -A OUTPUT -p udp -m udp --dport 5000 -j DROP

[0] -A INPUT -s 外网IP -i eth1 -p tcp -m tcp --dport 137:139 -j DROP
[0] -A INPUT -s 外网IP -i eth1 -p udp -m udp --dport 137:139 -j DROP
[0] -A INPUT -s 192.192.192.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
[0] -A INPUT -s 192.192.192..0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
[0] -A INPUT -s 外网IP/255.255.255.240 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
[0] -A INPUT -s 外网IP/255.255.255.240 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
[0] -A INPUT -p tcp -m tcp --dport 137:139 -j DROP
[0] -A INPUT -p udp -m udp --dport 137:139 -j DROP

[0] -A INPUT -s 192.192.192.0/255.255.255.0 -i eth0 -p tcp -j ACCEPT
[0] -A INPUT -s 192.192.192.0/255.255.255.0 -i eth0 -p udp -j ACCEPT

[0] -A INPUT -i eth1 -p udp -m udp --dport 3 -j DROP
[0] -A INPUT -i eth1 -p tcp -m tcp --dport 3 -j DROP
[0] -A INPUT -i eth1 -p tcp -m tcp --dport 111 -j DROP
[0] -A INPUT -i eth1 -p udp -m udp --dport 111 -j DROP
#
[0] -A INPUT -i eth1 -p udp -m udp --dport 587 -j DROP
[0] -A INPUT -i eth1 -p tcp -m tcp --dport 587 -j DROP

[0] -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3128 -j DROP
[0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
[0] -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
[0] -A INPUT -p tcp -m tcp --dport 3128 -j DROP
#
[0] -A INPUT -i eth1 -s 192.192.192.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0] -A INPUT -i eth1 -s 外网IP/28 -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0] -A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

GMT+8, 2024-11-6 05:04 , Processed in 0.063469 second(s), 15 queries .

© 2021 Powered by Discuz! X3.5.

快速回复 返回顶部 返回列表