The script below is the firewall script for my department of the company. The LAN can access the outside network by NAT, and the outside can visit the web and FTP server located in the LAN. It works very well, but it needs the outside to have a route entry that takes this firewall as the gateway to enter this LAN. Actually I hope the web and FTP server can show themselves at the firewall to the outside. If so, there is no need for the route entry I mentioned above. I did think much about how to do it and failed to work it out. Can somebody help me or remind me of the method? Thanks in advance!

Bill Zhao

#!/bin/sh

# Disable forwarding while the rules are being rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.63.0/24'
LAN_NIC='eth1'
WAN_IP='10.161.24.220'
WAN_NIC='eth0'
PS_IP='192.168.63.198'

# load some modules (if needed); conntrack helper first, then the NAT helper
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_NIC -s $LAN_IP_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Maintaining router from LAN
iptables -A INPUT -i $LAN_NIC -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
# (the FORWARD rules are limited to the server address so that only the
# DNATed connections are accepted, not every forwarded packet to that port)
iptables -A FORWARD -d $PS_IP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_NIC -p tcp --dport 80 -j DNAT --to-destination $PS_IP:80
iptables -A FORWARD -d $PS_IP -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_NIC -p tcp --dport 21 -j DNAT --to-destination $PS_IP:21

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
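An added example, not part of Bill's script, showing one way to publish the LAN servers on the firewall's own WAN address: the DNAT rule matches only traffic addressed to $WAN_IP arriving on the WAN interface, and the paired FORWARD rule accepts only new connections to the published server and port, so outside hosts connect to 10.161.24.220 and need no route into 192.168.63.0/24. The addresses and interface names are the ones from the post; the ipt wrapper, DRY_RUN switch and function names are assumptions made for this example. With DRY_RUN=1 (the default) the script only prints the iptables commands, so it can be reviewed without root before being applied.

```shell
#!/bin/sh
# Added example: emit (or apply) the iptables rules that publish a LAN server
# at the firewall's WAN address. DRY_RUN=1 prints the commands instead of
# running them; the addresses below are the ones from the original post.

LAN_IP_NET='192.168.63.0/24'
LAN_NIC='eth1'
WAN_IP='10.161.24.220'
WAN_NIC='eth0'
PS_IP='192.168.63.198'
: "${DRY_RUN:=1}"

# ipt: run iptables, or print the command line when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# publish_tcp PORT: DNAT connections that arrive on the WAN interface for
# $WAN_IP:PORT to the LAN server, and forward only those connections.
publish_tcp() {
    port="$1"
    ipt -t nat -A PREROUTING -i "$WAN_NIC" -d "$WAN_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$PS_IP:$port"
    ipt -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -d "$PS_IP" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# build_rules: NAT for the LAN plus the two published services (web and FTP)
build_rules() {
    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -t nat -A POSTROUTING -o "$WAN_NIC" -s "$LAN_IP_NET" -j MASQUERADE
    ipt -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    publish_tcp 80
    publish_tcp 21
}

# count_published: number of DNAT rules in the generated ruleset (always dry-run)
count_published() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '-j DNAT'
}

build_rules
```

Run it once as-is to read the generated commands, then with DRY_RUN=0 as root to apply them; the FTP helper modules from the original script are still needed for active/passive FTP data connections to be tracked.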