一、准备工作:
1.一台 Redhat linux主机(这是必备的),分别在redhat linux 7.1以后的任何一版本上都
测试没有问题
2.两块网卡:eth0 eth1
3.系统支持iptables:
[root@NetShare linux-2.4]# rpm -qa|grep iptables
iptables-1.2.5-3
iptables-ipv6-1.2.5-3
iptables的rpm包已经安装上了,不过还要看一下内核的支持情况,也决定了iptables所
能发挥的功效
4.内核情况如下:
[root@NetShare linux-2.4]# cd /usr/src/linux-2.4
[root@NetShare linux-2.4]# make menuconfig
在Networking options---> 这个选项里有
IP: Netfilter Configuration---> (以下是偶的选择,供参考)
<*> Connection tracking (required for masq/NAT)
<M> FTP protocol support
<M> IRC protocol support
<M> Userspace queueing via NETLINK (EXPERIMENTAL)
<*> IP tables support (required for filtering/masq/NAT)
网管网www_bitscn_com <M> limit match support
<M> MAC address match support
<M> netfilter MARK match support
<M> Multiple port match support
<M> TOS match support
<M> AH/ESP match support
<M> LENGTH match support
<M> TTL match support
<M> tcpmss match support
<M> Connection state match support
<M> Unclean match support (EXPERIMENTAL)
<M> Owner match support (EXPERIMENTAL)
<*> Packet filtering
<M> REJECT target support
<M> MIRROR target support (EXPERIMENTAL)
网管u家u.bitsCN.com <*> Full NAT
<M> MASQUERADE target support
<M> REDIRECT target support
<M> Basic SNMP-ALG support (EXPERIMENTAL)
<*> Packet mangling
<M> TOS target support
<M> MARK target support
<M> LOG target support
<M> ULOG target support
<M> TCPMSS target support
这是内核所支持的一些模块,相关模块都是作什么的,可以去参考内核的说明文档!
二、具体实施:
针对于此,我这几天写了一个简单的小脚本,大家可以利用他来作代理服务,如果有能力,可
以添加一些相关的规则...
程序如下:
#! /bin/sh
##### written by wind5212002/12/17 #####
##### mail: wbff0926@sina.com#####
网管u家u.bitscn@com
IPTABLES=/usr/sbin/iptables
EXTERNAL="eth1"---> 外网的接口
INTERNAL="eth0" ---> 内网的接口
IP=192.168.0.0/24 ---> 内网地址
#
### 重置三条链默认的规则
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
### 重置nat表
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
### 刷新nat与链的所有规则
#
$IPTABLES -F
$IPTABLES -t nat -F
#
### 删除非默认的链和nat表的规则
#
$IPTABLES -X
$IPTABLES -t nat -X
start() {
#
###打开ip转发
#
echo -n $"Starting firewall "
echo 1 > /proc/sys/net/ipv4/ip_forward
#
###加载必要的模块
#
echo -n "Staring modprobe the necessary mod for iptables"
网管联盟bitsCN_com
for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/*
do
t=`echo $i |sed 's/\.o$//g'`
module=`basename $t`
modprobe $module
done
#
###允许ICMP数据包(ping)
#
$IPTABLES -A INPUT -p icmp -j ACCEPT
#
###允许内部网之间的数据通讯
#
$IPTABLES -A INPUT -i $INTERNAL -s $PRINET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL -d $PRINET -j ACCEPT
#
###NAT转发的关键
#
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
echo_success
}
stop(){
echo -n $"Stopping Firewall"
flush
for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/*
do
t=`echo $i |sed 's/\.o$//g'`
网管u家u.bitscn@com module=`basename $t`
modprobe -r $module
done
# Disale IPV4 Packet Forwarding
echo "0" > /proc/sys/net/ipv4/ip_forward
echo_success
}
restart()
{
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
*)
echo $"Usage: $0 "
exit 1
esac
按照需要将你所对应的变量改动一下,应该没有问题的!
说明:这个基本上能保证代理上网的功能,其他的什么都没有作,包括SNAT,DNAT,都没有作,
如果有需要的可以自己去改动,如有问题,请与偶mail联系!
wind521
网管bitscn_com
评论加载中…
