下面是设置网络时的基本状况: 主机3个网卡: eth0 192.168.0.1/24 内网 eth1 192.168.20.1/24 外网 eth2 192.168.50.1/24 会议室网络 ppp0 ( 设置为 eth1 上拨号上网) DHCP设置: 192.168.0.1/24 { 192.168.0.100----192.168.0.200 } 192.168.50.1/24 {192
主机3个网卡:
eth0 192.168.0.1/24 内网
eth1 192.168.20.1/24 外网
eth2 192.168.50.1/24 会议室网络
ppp0 ( 设置为 eth1 上拨号上网)
DHCP设置:
192.168.0.1/24 { 192.168.0.100----192.168.0.200 }
192.168.50.1/24 {192.168.50.100---192.168.50.200 }
VPN设置:
localip: 192.168.10.1
remoteip: 192.168.10. 100 192.168.10.150
下面是firewall的具体设置:
[root@yujiagw ~]# cat firewall
#!/bin/sh
iptables -F
iptables -t nat -F
iptables -P FORWARD ACCEPT
iptables -X poweruser
iptables -X qquser
iptables -X httpuser
# NAT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 443
#iptables -t nat -A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 443
# Port Forwarding
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3389 -j DNAT --to 192.168.0.4:3389
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.4:80
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to 192.168.50.2:8080
#iptables -A FORWARD -d 192.168.50.2 -p tcp --dport 8080 -j ACCEPT
#iptables -t nat -A POSTROUTING -d 192.168.50.2 -p tcp --dport 8080 -j SNAT --to 192.168.0.1
# Basic Port Open
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
# VPN
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
# Conference Room
iptables -A FORWARD -s 192.168.50.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.50.0/24 -j ACCEPT
# Set Connect WAN
iptables -A FORWARD -d 192.168.50.0/24 -j ACCEPT
# HeQuanXin
#iptables -A FORWARD -m mac --mac-source 00:1A:6B:35:A5:66 -j ACCEPT
#iptables -A FORWARD -m mac --mac-source 44:D8:84:0A:9F:5D -j ACCEPT
#-----------------------------------PowerUser-------define------------------------
iptables -N poweruser
iptables -A poweruser -j ACCEPT
#---------------------------------httpuser define-----------------
# Set Http User
iptables -N httpuser
iptables -A httpuser -p tcp --dport 53 -j ACCEPT
iptables -A httpuser -p udp --dport 53 -j ACCEPT
# Reject QQZone
iptables -A httpuser -d user.qzone.qq.com -j REJECT
iptables -A httpuser -p tcp --dport 80 -j ACCEPT
iptables -A httpuser -p udp --dport 80 -j ACCEPT
iptables -A httpuser -p tcp --dport 25 -j ACCEPT
iptables -A httpuser -p tcp --dport 110 -j ACCEPT
iptables -A httpuser -p tcp --dport 443 -j ACCEPT
iptables -A httpuser -p udp --dport 443 -j ACCEPT