Packet filter firewall configuration example

xiaoxiao, 2021-03-06


1. Network description: To isolate the internal network segment 192.168.0.0/24 from the Internet, a firewall is placed between the internal network and the Internet. The firewall's internal interface is eth1 (192.168.0.254) and its external interface (eth0 in the script below) is 192.168.1.254. The intranet has 3 servers:

WWW server: IP address is 192.168.0.251

FTP server: IP address is 192.168.0.252

E-mail server: IP address is 192.168.0.253

2. Create the packet filter firewall script

// First, create an empty script file under the /etc/rc.d/ directory and make it executable:

# touch /etc/rc.d/filter-firewall

# chmod u+x /etc/rc.d/filter-firewall

// Edit the /etc/rc.d/rc.local file so that the script runs automatically when the system starts:

# echo "/etc/rc.d/filter-firewall" >> /etc/rc.d/rc.local

Edit filter-firewall and insert the following:

#!/bin/bash

# Display information on the screen
echo "Starting iptables rules ...."

# Enable kernel IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Define variables (shell variable names may not contain "-", so "_" is used)
IPT=/sbin/iptables
WWW_SERVER=192.168.0.251
FTP_SERVER=192.168.0.252
EMAIL_SERVER=192.168.0.253
IP_RANGE=192.168.0.0/24

# Flush the rules of all chains
$IPT -F

# First forbid all forwarded packets, then explicitly allow the wanted ones:
# set the default policy of the FORWARD chain to DROP
$IPT -P FORWARD DROP

# Set server rules

# 1. Filtering rules for packets coming from the Internet
# WWW service, port 80 (HTTP runs over TCP, so the rule matches TCP)
$IPT -A FORWARD -p tcp -d $WWW_SERVER --dport www -i eth0 -j ACCEPT

# FTP service, command port 21 (data port 20 is covered by the ftp-data rule below)
$IPT -A FORWARD -p tcp -d $FTP_SERVER --dport ftp -i eth0 -j ACCEPT

# E-mail service (SMTP, port 25)
$IPT -A FORWARD -p tcp -d $EMAIL_SERVER --dport smtp -i eth0 -j ACCEPT

# 2. Rules for the intranet
# Allow intranet clients to access FTP servers on the Internet (described on the
# original page as passive mode; what the rule actually matches is a data
# connection arriving from the server's source port ftp-data, 20)
$IPT -A FORWARD -p tcp -s 0/0 --sport ftp-data -d $IP_RANGE -i eth0 -j ACCEPT

# Accept TCP packets from the Internet that are not connection requests (SYN not set)
$IPT -A FORWARD -p tcp -d $IP_RANGE ! --syn -i eth0 -j ACCEPT

# Accept all UDP packets
$IPT -A FORWARD -p udp -d $IP_RANGE -i eth0 -j ACCEPT

# 3. Accept all packets coming from the intranet
$IPT -A FORWARD -s $IP_RANGE -i eth1 -j ACCEPT

# Handle IP fragments, rate-limited to 100 per second with a burst of 100
$IPT -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# Set ICMP packet filter
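As an added example (not from the original post), the same hosts and interfaces expressed as a stateful rule set: connection tracking replaces the page's non-SYN TCP and all-UDP rules, which also admit unsolicited non-SYN TCP and UDP packets from the Internet to any intranet host. It assumes the interface names above and, for FTP data channels, that the nf_conntrack_ftp helper is loaded; with DRY_RUN=1 the commands are printed instead of run.

```shell
#!/bin/bash
# Added example, not from the original post: a stateful variant of the
# page's FORWARD rules. eth0 = Internet side, eth1 = intranet side (as above).
IPT=${IPT:-/sbin/iptables}
WWW_SERVER=192.168.0.251
FTP_SERVER=192.168.0.252
EMAIL_SERVER=192.168.0.253
IP_RANGE=192.168.0.0/24

# Print the rule set, one iptables command per line, so it can be reviewed
# before being applied.
stateful_rules() {
    cat <<EOF
$IPT -F FORWARD
$IPT -P FORWARD DROP
# Packets belonging to connections the firewall already saw; this replaces the
# page's non-SYN TCP and all-UDP rules, which also admit unsolicited packets.
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
# New connections from the Internet only to the three published services.
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d $WWW_SERVER --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d $FTP_SERVER --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d $EMAIL_SERVER --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# Intranet hosts may open connections outward. FTP data channels (both modes)
# are matched as RELATED, assuming the nf_conntrack_ftp helper is loaded.
$IPT -A FORWARD -i eth1 -o eth0 -s $IP_RANGE -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Number of ACCEPT rules in the generated set (quick self-check).
accept_rule_count() {
    stateful_rules | grep -c -- '-j ACCEPT'
}

# Apply the rule set; with DRY_RUN=1 only print it.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        stateful_rules
    else
        stateful_rules | sh -e
    fi
}
```

Review the printed set with DRY_RUN=1 before applying it, since a mistake in the FORWARD policy cuts off the whole intranet.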

Please cite the original source when reposting: https://www.9cbs.com/read-52643.html
