實驗主題：主要功能是將公有地址 216.94.87.37:2121 映射到內網的 192.168.100.125:21，用於構建該 FTP 服務器；並將內網 192.168.100.0/24、192.168.1.0/24 和 192.168.0.0/24 的私有地址映射成 216.94.87.31，以實現上網瀏覽（使用 NAT）。
以下配置僅供參考:
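#!/bin/sh
# Reference iptables configuration for a two-interface NAT gateway:
#   - publishes the internal FTP control port 192.168.100.125:21 on the
#     public address 216.94.87.37:2121 (DNAT), and
#   - masquerades the 192.168.100.0/24, 192.168.1.0/24 and 192.168.0.0/24
#     private networks behind eth0 for outbound browsing.
# Must run as root; needs the iptables binary plus NAT/conntrack support.
#
# Interfaces (from the original header; adjust to the real deployment):
#   out eth0 216.94.87.37
#   in  eth1 192.168.1.254
set -e

echo "Starting iptables rules..."

# Flush both tables. The original flushed only the filter table, so every
# re-run appended a second copy of each nat rule.
iptables -F
iptables -t nat -F

# Install the deny-by-default policy BEFORE the accept rules so that a
# failure part-way through (set -e) leaves the gateway closed, not open.
# Target names are case-sensitive: "Drop" is rejected by iptables.
iptables -P FORWARD DROP

# Enable routing between eth0 and eth1.
echo "1" >/proc/sys/net/ipv4/ip_forward

########################### Define nat #######################
# Inbound: public 216.94.87.37:2121 -> FTP control channel on 192.168.100.125:21.
# The FTP control channel is TCP; the former UDP 2121 -> 21 rules matched
# nothing the FTP server answers, so they are dropped here.
iptables -t nat -A PREROUTING -p tcp -d 216.94.87.37 --dport 2121 \
  -j DNAT --to-destination 192.168.100.125:21

# Outbound from the FTP server's own port 21. Replies to DNATed sessions are
# reverse-translated by conntrack automatically; this rule only affects
# connections that 192.168.100.125 itself opens from source port 21.
iptables -t nat -A POSTROUTING -p tcp -s 192.168.100.125 --sport 21 \
  -j SNAT --to-source 216.94.87.37:2121

# Outbound browsing for the private networks. MASQUERADE uses whatever
# address eth0 currently holds; if a fixed public address is required (the
# accompanying text mentions 216.94.87.31), use SNAT --to-source instead.
for net in 192.168.100.0/24 192.168.1.0/24 192.168.0.0/24; do
  iptables -t nat -A POSTROUTING -s "$net" -o eth0 -j MASQUERADE
done

########################### Define packets #################
# Replies, and helper-related traffic (e.g. FTP data channels when the FTP
# conntrack helper is loaded), for sessions admitted by the rules below.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# From the Internet, allow NEW connections only to the published FTP service.
# FORWARD sees the post-DNAT destination, hence 192.168.100.125:21 here.
# (The original accepted every TCP and UDP packet arriving on eth0.)
iptables -A FORWARD -i eth0 -p tcp -d 192.168.100.125 --dport 21 \
  -m state --state NEW -j ACCEPT

# From the LAN side, allow new TCP/UDP connections to be forwarded.
iptables -A FORWARD -i eth1 -p tcp -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -j ACCEPT

################################# Define fragment rule ########
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

################################# Define icmp rule #######
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT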