Problem description
I have a home network with Linux PCs, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a PC (with Fedora, no GUI) between my router and LAN and configured iptables. No problem here, INPUT only allows DNS and HTTP (and some local stuff), forwarding works fine: LAN connects to the internet.
But my question is: does FORWARD allow all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate?
This is my iptables:
*nat
:PREROUTING ACCEPT [16:1336]
:INPUT ACCEPT [14:840]
:OUTPUT ACCEPT [30:2116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 16 09:55:31 2012
# Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9888]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -p TCP --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
-A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j LOG --log-prefix "denied out: "
COMMIT
p1p1 (.1.x) is my external NIC, p3p1 (.2.x) is internal.
Recommended answer
RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.
Here is the chapter about FORWARD and NAT Rules. As it states:
~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
This is what happens:
- Your Linux gateway receives a packet from your router. The packet header has:
  - source: x.x.x.x:y (sender IP from the internet and the source port used for packet transmission)
  - destination: 192.168.1.1:80 (assuming your Linux gateway IP on the external NIC, i.e. p1p1)
- Your Linux gateway asks itself: is it for me (192.168.1.1:80)? No, so I won't send it to the INPUT chain.
- => I'll send it to the FORWARD chain.
Hope it'll help to understand a little bit more how internal routing works with iptables.
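The answer's point is that the routing decision, not the INPUT rules, decides which chain a packet visits: a packet addressed to one of the gateway's own IPs is handed to INPUT, anything routed through the box is handed to FORWARD, and the two chains never consult each other (in the DNAT command quoted above the destination has already been rewritten to 172.31.0.23 in nat PREROUTING before that decision is made, which is why it is not "for me"). The following Python model, an added example that is neither the asker's configuration nor Red Hat's code, replays that decision over a few constructed packets against an excerpt of the asker's filter table and against a suggested stateful FORWARD chain. It assumes the gateway is 192.168.1.1 on p1p1 and 192.168.2.1 on p3p1, that 192.168.2.0/24 is reached through p3p1, and it does not model the nat table, so packets are shown as the filter table sees them (i.e. after any de-NAT); the outside and remote addresses are constructed documentation-range values.

```python
"""Model of how netfilter hands a packet to INPUT or FORWARD and then applies
that chain's rules.  Added example; nat is not modelled (filter-table view)."""
import ipaddress
import shlex
from dataclasses import dataclass

# Assumed (not on the page): gateway is 192.168.1.1 on p1p1, 192.168.2.1 on p3p1.
LOCAL_ADDRS = {"192.168.1.1", "192.168.2.1", "127.0.0.1"}
LAN_NET = ipaddress.ip_network("192.168.2.0/24")   # reached through p3p1

@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    in_iface: str   # "p1p1" (external) or "p3p1" (internal)
    state: str      # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

def parse_rules(text):
    """Parse the iptables-save subset used below into (policies, rules)."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        if line.startswith(":"):                        # ":CHAIN POLICY"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks, r = shlex.split(line), {}
        for t, v in zip(toks[::2], toks[1::2]):         # options come in pairs
            if t in ("-A", "-j", "-i", "-o"):
                r[{"-A": "chain", "-j": "target", "-i": "in", "-o": "out"}[t]] = v
            elif t in ("-s", "-d"):
                r[t] = ipaddress.ip_network(v, strict=False)
            elif t == "-p":
                r["proto"] = v.lower()
            elif t == "--dport":
                lo, _, hi = v.partition(":")
                r["dport"] = (int(lo), int(hi or lo))
            elif t == "--state":
                r["state"] = set(v.split(","))
            elif t != "-m":                             # "-m state" only loads a module
                raise ValueError(f"unsupported option {t!r}")
        rules.append(r)
    return policies, rules

def matches(r, pkt, out_iface):
    """True when every criterion present on the rule holds for the packet."""
    return all([
        "in" not in r or r["in"] == pkt.in_iface,
        "out" not in r or r["out"] == out_iface,
        "-s" not in r or ipaddress.ip_address(pkt.src) in r["-s"],
        "-d" not in r or ipaddress.ip_address(pkt.dst) in r["-d"],
        "proto" not in r or r["proto"] == pkt.proto,
        "dport" not in r or r["dport"][0] <= pkt.dport <= r["dport"][1],
        "state" not in r or pkt.state in r["state"],
    ])

def filter_packet(ruleset_text, pkt):
    """Return (chain, verdict): the routing decision picks INPUT for the gateway's
    own IPs and FORWARD otherwise; first matching rule wins, else the policy."""
    policies, rules = parse_rules(ruleset_text)
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"
    out_iface = None if chain == "INPUT" else (
        "p3p1" if ipaddress.ip_address(pkt.dst) in LAN_NET else "p1p1")
    for r in rules:
        if r["chain"] == chain and matches(r, pkt, out_iface):
            return chain, r["target"]
    return chain, policies.get(chain, "ACCEPT")

# Excerpt of the asker's filter table: INPUT is locked down, but FORWARD accepts
# anything to or from the LAN with no state or interface check.
ASKER_RULES = """
:INPUT DROP
:FORWARD DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
"""

# Suggested stateful FORWARD chain (not from the page): replies are matched by
# conntrack, and new connections are forwarded only from the LAN outwards.
STATEFUL_RULES = """
:INPUT DROP
:FORWARD DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i p3p1 -o p1p1 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
"""

# Constructed packets: an outside host probing SSH on the gateway and on a LAN
# host, a LAN host opening HTTPS outwards, and the reply to that connection.
INTERNET_TO_GW = Packet("203.0.113.5", "192.168.1.1", "tcp", 22, "p1p1", "NEW")
INTERNET_TO_LAN = Packet("203.0.113.5", "192.168.2.10", "tcp", 22, "p1p1", "NEW")
LAN_TO_INTERNET = Packet("192.168.2.10", "198.51.100.7", "tcp", 443, "p3p1", "NEW")
REPLY_TO_LAN = Packet("198.51.100.7", "192.168.2.10", "tcp", 51234, "p1p1", "ESTABLISHED")

if __name__ == "__main__":
    for name, rs in (("asker", ASKER_RULES), ("stateful", STATEFUL_RULES)):
        for p in (INTERNET_TO_GW, INTERNET_TO_LAN, LAN_TO_INTERNET, REPLY_TO_LAN):
            print(f"{name:8} {p.src} -> {p.dst}:{p.dport} {p.state:11} {filter_packet(rs, p)}")
```

Running it shows the answer to the question directly: the SSH probe aimed at the gateway itself lands in INPUT and is dropped, while the same probe aimed at a LAN host never sees INPUT at all and is accepted by the asker's `-A FORWARD -d 192.168.2.0/24 -j ACCEPT`. Under the stateful chain that probe is dropped, while the LAN-initiated connection and its reply are still forwarded. Whether such a packet ever reaches FORWARD depends on the upstream router having a route to 192.168.2.0/24, but the filter rule should not rely on that; `iptables -L FORWARD -v -n` on the gateway shows which rule is actually counting the traffic.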