NAT使用实例 - - 网络安全 - 防火墙

防火墙

本类阅读TOP10

·ARP欺骗技术
·防火墙软件Netfilter之包过滤技术
·用iptales实现包过滤型防火墙(一)
·防火墙软件Netfilter之NAT技术
·使用iptable实现动态防火墙
·企业网中用Linux作为路由器
·基于Linux的路由器和防火墙配置
·用ipchains构建防火墙和IP伪装
·一个实用的防火墙配置范例
·构建基于ipchains的Linux防火墙

站内搜索

NAT使用实例

#!/bin/sh

#####################################
# Example NAT usage for 2.4 kernels #
# Stephanie Lockwood-Childs 1/17/01 #
#####################################

#----------------------#
# Variable Definitions #
#----------------------#

EXT=eth0
INT=eth1

# "Masquerading" Example
PRIV_NETS="128.111.1.1 128.111.185.0/255.255.255.0"
MASQ_NET=192.168.1.0/255.255.255.0

# "General SNAT" Example
MAP_FROM=192.168.1.0/255.255.255.0
MAP_TO=128.111.185.30-128.111.185.42

# "Redirection" Example
INTERNAL_IP=10.10.1.1

# "Port Forwarding" Example
EXTERNAL_IP=128.111.1.200
NEWS_SERVER=10.10.1.38
MAIL_SERVER=10.10.1.69

# "Load Balancing" Example
VIRTUAL_SERVER=news.sblug.com
SERVER_RANGE=10.10.1.9-10.10.1.15

#-------------#
# NAT Section #
#-------------#

#
# Flush previous rules
#

iptables -t nat -F

#
# Masquerading
#

# Masquerading for outgoing connections, except privileged nets are exempt
for NET in $PRIV_NETS ; do
iptables -t nat -A POSTROUTING -d $NET -o $EXT -j ACCEPT
done
iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE

#
# General SNAT
#

# Internal computers w/ private ips "borrow" public ips of other internal computers to ssh out
iptables -t nat -A POSTROUTING -s $MAP_FROM -o $EXT -p tcp --dport ssh -j SNAT --to-source $MAP_TO
iptables -t nat -A POSTROUTING -s $MAP_FROM -o $EXT -p udp --dport ssh -j SNAT --to-source $MAP_TO

#
# Redirection
#

# Redirect internal net http traffic through squid proxy, but allow direct access to local web server
iptables -t nat -A PREROUTING -i $INT -d ! $INTERNAL_IP -p tcp --dport www -j REDIRECT --to-port 8080

#
# Port Forwarding
#

# Forward gateway port 7000 to news server and gateway port 8000 to pop mail server
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 7000 -j DNAT --to-dest $NEWS_SERVER:nntp
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 8000 -j DNAT --to-dest $MAIL_SERVER:pop3

#
# Load Balancing
#

# Basic load balancing by redirecting nntp requests to any of several local news servers
iptables -t nat -A PREROUTING -d $VIRTUAL_SERVER -p tcp --dport nntp -j DNAT --to-dest $SERVER_RANGE

相关文章：