Getting started with firewall configuration on Debian
2014-04-13 20:09:09 阿炯
Since lenny, a default Debian installation leaves the firewall (iptables) switched off: no rules are loaded, so it has to be configured by hand. This post records, in outline, how a Debian machine was set up as a gateway doing SNAT.
eth0: internal network (LAN); eth1: connected to the external network (WAN). Hosts on the LAN reach the outside world through eth1.
Firewall policy:
Block connections initiated from the external network towards the internal network
Allow the internal network to connect out to the external network
The script that sets this up:
#!/bin/sh
### BEGIN INIT INFO
# Provides: myiptables
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules (filter, nat and mangle tables, then user chains).
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and new connections that do NOT arrive on the
# external interface (the "!" negates the interface match; without it this rule
# would accept every new connection from the outside, the opposite of the policy).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
# Note: this script never sets chain policies, so INPUT keeps its default ACCEPT
# policy and a new connection from eth1 that falls through the rule above is still
# accepted by the gateway itself. Set a DROP policy on INPUT if the host must not
# be reachable from the external side.
# Allow replies coming back from the external side for flows the LAN opened.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Masquerade: SNAT to whatever address eth1 currently holds.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward new connections from the outside to the inside
# (replies were already allowed by the ESTABLISHED,RELATED rule above).
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Save the script as /etc/init.d/myiptables (the name the LSB header above announces), make it executable and register it for the default runlevels:
chmod +x /etc/init.d/myiptables
update-rc.d myiptables defaults
or use the 'insserv' command. The script ignores the start/stop argument the init system passes, so it simply reloads the rules whenever it is invoked.
Once the script has run, the other machines can reach the Internet through this host. Save the commands above as a script file and call it from '/etc/rc.local' so it runs at boot, or place it in the '/etc/network/if-up.d/' directory; alternatively, tie it to the interface in /etc/network/interfaces with pre-up and post-down hooks, for example:
allow-hotplug eth0
iface eth0 inet dhcp
pre-up /bin/sh /etc/firewall/enable.sh
post-down /bin/sh /etc/firewall/disable.sh
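The script below is an added example, not the original post's script and not the Debian wiki's: it builds the same eth0 (LAN) to eth1 (WAN) SNAT gateway, but with default-deny chain policies, an INVALID-state drop, rate-limited logging of what FORWARD discards, and an explicit "disable" path, so one file can serve as both the /etc/firewall/enable.sh and /etc/firewall/disable.sh hooks referenced above. The interface names, the hook paths and the ability to override IPT and SYSCTL (for example IPT="echo iptables") to print the rules instead of loading them are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): hardened SNAT gateway rules
# with an enable/disable entry point for ifupdown hooks.
# Assumed: eth0 = LAN, eth1 = WAN as in the post; IPT/SYSCTL overridable
# for a dry run (IPT="echo iptables" prints rules instead of loading them).
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

flush_all() {
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -X
}

# Open everything and stop routing: used on post-down and as the fallback
# when a rule set has to be backed out.
disable_firewall() {
    flush_all
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $SYSCTL -w net.ipv4.ip_forward=0
}

enable_firewall() {
    flush_all
    # Default-deny on INPUT and FORWARD. Without this, a rule that accepts
    # NEW "from anything but the WAN" blocks nothing, because a WAN packet
    # that matches no rule is still accepted by the chain policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic to the gateway itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New connections (SSH, DNS/DHCP for dnsmasq, ...) only from the LAN side.
    $IPT -A INPUT -i "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    # To keep SSH reachable from the WAN, add a narrow, rate-limited rule, e.g.:
    #   $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW \
    #        -m limit --limit 3/min --limit-burst 3 -j ACCEPT

    # Routed traffic: LAN -> WAN freely, WAN -> LAN only replies to LAN flows.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # Everything else hits the DROP policy; log a sample of it so a broken
    # rule shows up in the kernel log instead of as a silent outage.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "

    # SNAT: MASQUERADE uses the current address of the WAN interface,
    # which is what a DHCP or PPPoE uplink needs.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    $SYSCTL -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    enable)  enable_firewall ;;
    disable) disable_firewall ;;
    "")      ;;   # no argument: only define the functions
    *)       echo "usage: $0 enable|disable" >&2; exit 1 ;;
esac
```

Install it as, say, /etc/firewall/fw.sh and point the pre-up hook at 'fw.sh enable' and the post-down hook at 'fw.sh disable'. The chain policies are set right after the flush and before any -A rule, so there is no window in which the gateway forwards with an empty rule set. '-m conntrack --ctstate' is the current form of the '-m state --state' match used in the post's script and has the same semantics. After loading, check what is actually in the kernel with 'iptables -L -v -n' and 'iptables -t nat -L -v -n' (the packet counters show which rules traffic is hitting), confirm from a LAN host that outbound connections work, and from the WAN side that a new connection to the gateway times out rather than being answered.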
For the hosts on the LAN to actually get online, DNS resolution and DHCP address assignment are indispensable as well; dnsmasq is recommended for both.
Reference source:
DebianFirewall (Debian wiki)