# iptables -X wangkai
2. Saving the rules
Method 1: write the rules into the iptables startup script: # vi /etc/rc.d/init.d/iptables, adding the rules to be saved inside the start() function.
Method 2: write the rules into a custom script and add that script to rc.local; note that the script must call iptables by its absolute path, /sbin/iptables.
Method 3: # service iptables save (saves the rules currently in memory to /etc/sysconfig/iptables; at system startup the iptables init script uses iptables-restore to reload the rules from that file)
Method 4: # iptables-save > /etc/sysconfig/iptables (equivalent to the previous command)
· Configure the firewall host to perform SNAT so that hosts on the internal network can reach the Internet
· Configure the firewall host to reject ICMP packets
· Configure the firewall host to publish the Web server and FTP server on the internal network
· Configure the firewall host to block internal hosts from accessing www.163.com
Configuration procedure:
⑵ # vi /etc/dhcpd.conf
ddns-update-style none;
ignore client-updates;
default-lease-time 3600;
max-lease-time 7200;
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option domain-name-servers 202.162.38.254;
    range 192.168.0.4 192.168.0.254;
}
⑶ # vi /etc/sysconfig/dhcpd
DHCPDARGS=eth0
⑷ # service dhcpd start
# echo 1 > /proc/sys/net/ipv4/ip_forward
⑵ # service iptables start
⑶ # iptables -F
# iptables -t nat -F
# iptables -t mangle -F
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 202.162.39.1
# iptables -A FORWARD -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A PREROUTING -d 202.162.39.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
# iptables -t nat -A PREROUTING -d 202.162.39.1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.3
# iptables -I FORWARD -s 192.168.0.0/24 -d www.163.com -j DROP
⑷ # service iptables save
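The same ruleset generated as an iptables-restore file, which is what saving method 4 above writes to /etc/sysconfig/iptables; this is an added example, not part of the original page. The script resolves www.163.com to a list of addresses passed in as arguments (the 203.0.113.x values below are constructed placeholders), and it adds two FORWARD rules the page's command list lacks, marked in the comments.

```shell
# Emits the lab's ruleset in iptables-restore format, ready to be written to
# /etc/sysconfig/iptables and loaded with iptables-restore (ip_forward must
# still be enabled separately, as in the echo command above).
# Arguments: WAN address, LAN network, web server, FTP server, then the
# addresses www.163.com currently resolves to. Resolve them at generation time
# (for example with: getent ahosts www.163.com); "-d www.163.com" is looked up
# only once, when the rule is installed, so a later DNS change bypasses the block.
gen_ruleset() {
    wan=$1; lan=$2; web=$3; ftp=$4; shift 4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # SNAT for the internal network, DNAT to publish the web and FTP servers
    printf '%s\n' "-A POSTROUTING -s $lan -j SNAT --to-source $wan"
    printf '%s\n' "-A PREROUTING -d $wan -p tcp --dport 80 -j DNAT --to-destination $web"
    printf '%s\n' "-A PREROUTING -d $wan -p tcp --dport 21 -j DNAT --to-destination $ftp"
    printf '%s\n' 'COMMIT' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # The DROP policy on INPUT is what discards ICMP aimed at the firewall itself.
    # The block rules come first, where "iptables -I FORWARD" placed them.
    for ip in "$@"; do
        printf '%s\n' "-A FORWARD -s $lan -d $ip -j DROP"
    done
    printf '%s\n' "-A FORWARD -s $lan -m state --state NEW -j ACCEPT"
    # Not in the page's command list: without these two rules, connections
    # DNAT'd to the published servers hit the FORWARD DROP policy and are lost.
    printf '%s\n' "-A FORWARD -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    printf '%s\n' "-A FORWARD -d $ftp -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Number of "-A" rule lines on stdin; a quick sanity check before iptables-restore.
rule_count() {
    grep -c '^-A '
}

# Constructed sample run: the lab's addresses plus two placeholder IPs standing
# in for whatever www.163.com resolved to. Redirect to /etc/sysconfig/iptables to save.
gen_ruleset 202.162.39.1 192.168.0.0/24 192.168.0.2 192.168.0.3 203.0.113.10 203.0.113.11
```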