Our company uses a Linux box as the gateway and web proxy so the other machines can get online.
But only going online through the proxy works; going out through it as the gateway fails. Could the experts please take a look at what the problem is?
The iptables rules are as follows:
eth0 210.1.2.3 is the external interface; eth1 10.10.1.2 is the internal IP.
net.ipv4.ip_forward=1
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -d 210.1.2.3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.1.2:8080
-A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 210.1.2.3
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A INPUT -i eth0
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7010 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 6000:6009 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 7100 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
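To help narrow down the failure, here is a small linter, added here and not part of the original post, that parses the posted nat/filter rules and flags what the dump as posted shows: a rule with no -j target (-A INPUT -i eth0), jumps to a chain (RH-Lokkit-0-50-INPUT) whose declaration is missing from the dump, and whether any MASQUERADE/SNAT rule exists on eth0. Everything in SAMPLE_RULES is copied from the post above; no other assumptions are made.

```python
# Constructed excerpt of the rules posted above (nat and filter tables, counters omitted).
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 210.1.2.3
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A INPUT -i eth0
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
COMMIT
"""
# Built-in targets never need a ':CHAIN' declaration line.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE", "SNAT", "DNAT"}

def parse_dump(text):
    """Split an iptables-save style dump into {table: (declared_chains, [(chain, args)])}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
            tables[table] = (set(), [])
        elif line.startswith(":") and table:          # chain declaration, e.g. :INPUT ACCEPT
            tables[table][0].add(line[1:].split()[0])
        elif line.startswith("-A ") and table:        # rule: -A CHAIN args...
            _, chain, *args = line.split()
            tables[table][1].append((chain, args))
    return tables

def lint_gateway(text, wan_if="eth0"):
    """Return findings that would stop LAN hosts from routing out through this box."""
    tables = parse_dump(text)
    findings = []
    # Forwarded LAN traffic must be source-NATed on the WAN interface.
    if not any(c == "POSTROUTING" and "-o" in a and a[a.index("-o") + 1] == wan_if
               and "-j" in a and a[a.index("-j") + 1] in ("MASQUERADE", "SNAT")
               for c, a in tables.get("nat", (set(), []))[1]):
        findings.append("no MASQUERADE/SNAT out of " + wan_if)
    chains, rules = tables.get("filter", (set(), []))
    for chain, args in rules:
        if "-j" not in args:                          # matches packets but does nothing
            findings.append("no-op rule (no -j): -A %s %s" % (chain, " ".join(args)))
        elif args[args.index("-j") + 1] not in chains | BUILTIN_TARGETS:
            findings.append("%s jumps to undeclared chain %s" % (chain, args[args.index("-j") + 1]))
    return findings
```

Run it over the full dump (iptables-save output) rather than the excerpt to see whether the RH-Lokkit-0-50-INPUT chain is really declared; if it is, the FORWARD traffic is being filtered by rules that are not visible in the post.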