Classic firewall setup

#!/bin/bash

Set the iptables path:

IPT="/sbin/iptables"

Set the external (WAN) IP:

FW_INET="202.96.???.???"   # no space after '=' or the shell treats the address as a command

Set the LAN, WAN and VPN interfaces:

IF_INET="eth0"
IF_LOCAL="eth1"
IF_OVPN="tun+"

Set the internal VLANs:

LAN_1="192.168.1.0/24"
LAN_2="192.168.2.0/24"
LAN_3="192.168.3.0/24"

Set the external VPN IPs of headquarters and the branch office:

OVPN_HEADER="202.96.???.???"       # external IP of this firewall
OVPN_SUBCOMPANY="202.128.???.???"  # external IP of the branch-office firewall

Set the server IPs:

DNS_DHCP="192.168.1.???"           # '/' is not valid in a shell variable name
EMAIL_LOCAL="192.168.1.???"
DOMAIN_SERVER="192.168.1.???"
ANTIVIRUS_SERVER="192.168.1.???"
FILE_SERVER="192.168.1.???"
DATABASE_SERVER="192.168.1.???"

Set the VLAN address ranges allowed to reach the Internet:

INTERNET1_FULL_ACCESS="192.168.1.100-192.168.1.160"
INTERNET2_FULL_ACCESS="192.168.2.50-192.168.2.70"
INTERNET3_FULL_ACCESS="192.168.3.40-192.168.3.99"
USERS_FULL_ACCESS=""
SKYPE_USERS="192.168.1.200 192.168.2.200 192.168.3.200"
BLOCKED_HOSTS=""

Load the iptables modules:

modprobe nf_nat_ftp

Flush all existing firewall rules:

$IPT -F INPUT
$IPT -F FORWARD
$IPT -F FORWARD -t mangle
$IPT -F OUTPUT
$IPT -t nat -F OUTPUT
$IPT -t nat -F POSTROUTING
$IPT -t nat -F PREROUTING

Default policy: drop all input and forwarded packets

$IPT -P INPUT DROP
$IPT -P FORWARD DROP

Allow all traffic arriving on the loopback, LAN and OpenVPN interfaces:

$IPT -A INPUT -i lo        -j ACCEPT
$IPT -A INPUT -i $IF_LOCAL -j ACCEPT
$IPT -A INPUT -i $IF_OVPN  -j ACCEPT

Open the SSH port:

$IPT -A INPUT -p tcp --dport  22 -j ACCEPT

Allow the branch-office OpenVPN endpoint to connect:

$IPT -A INPUT -p tcp -s $OVPN_SUBCOMPANY -d $OVPN_HEADER --dport 55001 -j ACCEPT

Blocked IPs:

for h in $BLOCKED_HOSTS; do   # loop: an empty list emits no rule instead of a malformed '-s'
  $IPT -I INPUT   -s "$h" -j DROP
  $IPT -I FORWARD -s "$h" -j DROP
done

Mail server port forwarding:

$IPT -A FORWARD -s $EMAIL_LOCAL -j ACCEPT
$IPT -A FORWARD -d $EMAIL_LOCAL -j ACCEPT
$IPT -t nat -A POSTROUTING -s $EMAIL_LOCAL -j MASQUERADE
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport   25 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport   80 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport  110 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport  143 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport  587 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport  993 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport  995 -j DNAT --to $EMAIL_LOCAL
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp -d $FW_INET --dport 1925 -j DNAT --to-destination $EMAIL_LOCAL:25

DNS server:

$IPT -A FORWARD            -p tcp --sport 1024: -s $DNS_DHCP --dport 53 -j ACCEPT
$IPT -t nat -A POSTROUTING -p tcp --sport 1024: -s $DNS_DHCP --dport 53 -j MASQUERADE
$IPT -A FORWARD            -p udp --sport 1024: -s $DNS_DHCP --dport 53 -j ACCEPT
$IPT -t nat -A POSTROUTING -p udp --sport 1024: -s $DNS_DHCP --dport 53 -j MASQUERADE
$IPT -A FORWARD            -p tcp --sport 1024: -s $DNS_DHCP --dport 80 -j ACCEPT      # allow the server to fetch updates
$IPT -t nat -A POSTROUTING -p tcp --sport 1024: -s $DNS_DHCP --dport 80 -j MASQUERADE

Domain server: forwarding in and out

$IPT -A FORWARD -s $DOMAIN_SERVER -j ACCEPT
$IPT -t nat -A POSTROUTING -s $DOMAIN_SERVER -j MASQUERADE

Antivirus server: forwarding in and out

$IPT -A FORWARD -s $ANTIVIRUS_SERVER -j ACCEPT
$IPT -t nat -A POSTROUTING -s $ANTIVIRUS_SERVER -j MASQUERADE

Internal/external isolation: VLAN address ranges allowed to access the Internet

$IPT -A FORWARD -m iprange --src-range $INTERNET1_FULL_ACCESS -j ACCEPT
$IPT -t nat -A POSTROUTING -m iprange --src-range $INTERNET1_FULL_ACCESS ! -d 192.168.0.0/16 -j MASQUERADE
$IPT -A FORWARD -m iprange --src-range $INTERNET2_FULL_ACCESS  -j ACCEPT
$IPT -t nat -A POSTROUTING -m iprange --src-range $INTERNET2_FULL_ACCESS  ! -d 192.168.0.0/16 -j MASQUERADE
$IPT -A FORWARD -m iprange --src-range $INTERNET3_FULL_ACCESS  -j ACCEPT
$IPT -t nat -A POSTROUTING -m iprange --src-range $INTERNET3_FULL_ACCESS  ! -d 192.168.0.0/16 -j MASQUERADE

External proxy port (HTTPS from every LAN):

$IPT -A FORWARD            -p tcp -s $LAN_1 --dport 443 -j ACCEPT
$IPT -t nat -A POSTROUTING -p tcp -s $LAN_1 --dport 443 -j MASQUERADE
$IPT -A FORWARD            -p tcp -s $LAN_2 --dport 443 -j ACCEPT
$IPT -t nat -A POSTROUTING -p tcp -s $LAN_2 --dport 443 -j MASQUERADE
$IPT -A FORWARD            -p tcp -s $LAN_3 --dport 443 -j ACCEPT
$IPT -t nat -A POSTROUTING -p tcp -s $LAN_3 --dport 443 -j MASQUERADE
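The script above repeats one near-identical line per mail port and per VLAN range, and with both chain policies set to DROP it has no rule admitting reply packets of the connections it allows. The following added example (not the original script) rebuilds the mail DNAT, VLAN and block-list sections as list-driven shell functions, adds that stateful baseline, and prints the rules instead of applying them when `IPT=echo`; the addresses and function names are constructed for the example.

```bash
#!/bin/bash
# Added example, not the original script: the page's mail DNAT, VLAN and
# block-list sections rebuilt as list-driven functions. Run with IPT=echo to
# print the rules instead of applying them (applying needs root).
set -u
IPT="${IPT:-/sbin/iptables}"
IF_INET="eth0"
FW_INET="203.0.113.10"        # constructed (TEST-NET-3), stands in for 202.96.???.???
EMAIL_LOCAL="192.168.1.25"    # constructed mail server address
MAIL_PORTS="25 80 110 143 587 993 995"
VLAN_RANGES="192.168.1.100-192.168.1.160 192.168.2.50-192.168.2.70 192.168.3.40-192.168.3.99"
BLOCKED_HOSTS="192.0.2.7"     # constructed; an empty list must emit no rule

# Stateful baseline the page's ruleset lacks: with INPUT/FORWARD policy DROP,
# replies to the connections allowed below are otherwise dropped.
state_rules() {
  $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# One PREROUTING DNAT per mail port, plus the page's 1925 -> 25 redirect.
dnat_mail_rules() {
  local p
  for p in $MAIL_PORTS; do
    $IPT -t nat -A PREROUTING -i "$IF_INET" -p tcp -d "$FW_INET" --dport "$p" \
      -j DNAT --to-destination "$EMAIL_LOCAL"
  done
  $IPT -t nat -A PREROUTING -i "$IF_INET" -p tcp -d "$FW_INET" --dport 1925 \
    -j DNAT --to-destination "$EMAIL_LOCAL:25"
}

# Each VLAN range may go out; masquerade only for destinations outside 192.168/16
# so inter-VLAN traffic keeps its real source address.
vlan_rules() {
  local r
  for r in $VLAN_RANGES; do
    $IPT -A FORWARD -m iprange --src-range "$r" -j ACCEPT
    $IPT -t nat -A POSTROUTING -m iprange --src-range "$r" ! -d 192.168.0.0/16 -j MASQUERADE
  done
}

# Block list: the loop guarantees no malformed '-s' rule when the list is empty.
block_rules() {
  local h
  for h in $BLOCKED_HOSTS; do
    $IPT -I INPUT   -s "$h" -j DROP
    $IPT -I FORWARD -s "$h" -j DROP
  done
}
```

Call `block_rules`, then `state_rules`, then the allow functions, so the block list is evaluated before any ACCEPT rule.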

Example

1: A Linux firewall allows an intranet workstation (Windows 8) to access the Internet.
2: The workstation (Windows 8) gets its IP from a Linux DHCP server.

Requirements

1: A computer with Internet access
2: VMware Workstation 9.0
3: CentOS 6.4 (firewall server)
4: CentOS 6.4 (DHCP server)
5: Windows 8 (workstation)

Solution

Virtual machines

1: Install the OS in VMware.

2: OS network settings.

Firewall:

1: WAN network (NAT)
2: LAN network (Host-only)

DHCP

1: LAN network.

Windows 8

1: LAN network.

VM Host-only network

Firewall

WAN (eth0) and LAN (eth1) settings.
vi /etc/sysconfig/network-scripts/ifcfg-eth0

vi /etc/sysconfig/network-scripts/ifcfg-eth1

service network restart

Check the firewall IPs. WAN: ifconfig eth0, LAN: ifconfig eth1

Check Internet access: ping www.google.com

Check the Internet DNS: vi /etc/resolv.conf

vi /etc/rc.local, sh /etc/rc.local

Check the routes: route -n

Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward

IPTABLES

1: Firewall server: iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.99 
2: Firewall server: iptables -t nat -A POSTROUTING -s 192.168.1.99 -o eth0 -j SNAT --to-source 192.168.60.130
3: Firewall server: iptables -t nat -L

DHCP server

vi /etc/sysconfig/network-scripts/ifcfg-eth0

vi /etc/dhcp/dhcpd.conf

service dhcpd restart

Windows client

IP settings

Check whether the Win8 machine got an IP from the DHCP server: ipconfig /all

Client Internet test

4: Win8 workstation: check whether it can access the Internet.

5: service iptables stop: reload the web page; the workstation can no longer reach the Internet.