Book: Linux Network Administrator Guide, Second Edition
Our Naïve Example Revisited, Yet Again
To implement our naïve example using netfilter, you could simply load the ipchains.o module and pretend it is the ipchains version. Instead, we'll reimplement it using iptables to illustrate how similar it is.
Yet again, let's suppose that we have a network in our organization and that we are using a Linux-based firewall machine to allow our users to access WWW servers on the Internet, but to pass no other traffic.
If our network has a 24-bit network mask (class C) and has an address of 172.16.1.0, then we'd use the following iptables rules:
# modprobe ip_tables
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 \
    --syn -j DROP
# iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --dport \
    80 -d 0/0 -j ACCEPT
# iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --sport 80 -s 0/0 -j \
    ACCEPT
In this example the iptables commands are interpreted exactly as the equivalent ipchains commands. The major exception is that the ip_tables.o module must be loaded first. Note that iptables doesn't support the -b option, so we must supply a rule for each direction: one for the requests leaving our network and one for the replies coming back.
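To make the first-match semantics of the FORWARD chain concrete, here is a small simulator of the rule set above. It is an added example, not code from the book: it models only the fields the rules use (addresses, ports and the SYN flag), treats the 0/0 of the text as 0.0.0.0/0, and evaluates packets statelessly in rule order with the chain policy as the fallback, exactly as the kernel does for these rules. The addresses in the sample packets are constructed (203.0.113.5 is a documentation-range address standing in for a web server on the Internet, 172.16.1.10 a client on our network), and the rules are oriented so that local clients open connections to remote port 80. Two extra evaluations show why the --syn DROP rule must come first and why, without -b, the reply direction needs its own ACCEPT rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"          # what the text writes as 0/0
LOCAL = "172.16.1.0/24"    # the organisation's network from the text


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # SYN set and ACK clear, i.e. the first packet of a connection


@dataclass(frozen=True)
class Rule:
    """One -A FORWARD rule, keeping only the matches the example uses."""
    target: str                  # ACCEPT or DROP
    src: str = ANY
    dst: str = ANY
    sport: Optional[int] = None  # --sport, or None when absent
    dport: Optional[int] = None  # --dport, or None when absent
    syn: bool = False            # True when the rule carries --syn

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.syn and not p.syn:
            return False
        return True


# The three rules from the text, in the order they are appended, oriented so
# that local clients open connections to remote port 80 and the replies return.
FORWARD: List[Rule] = [
    Rule("DROP", src=ANY, sport=80, dst=LOCAL, syn=True),   # no new connections from a remote port 80
    Rule("ACCEPT", src=LOCAL, dst=ANY, dport=80),            # local client -> remote web server
    Rule("ACCEPT", src=ANY, sport=80, dst=LOCAL),            # web server's replies -> local client
]
POLICY = "DROP"   # iptables -P FORWARD DROP


def forward_verdict(p: Packet, rules: List[Rule] = FORWARD, policy: str = POLICY) -> str:
    """First matching rule decides; the chain policy applies when none match."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


# Constructed traffic (documentation-range addresses, not real hosts).
CLIENT_SYN = Packet("172.16.1.10", "203.0.113.5", 40000, 80, syn=True)      # browser opens a connection
SERVER_REPLY = Packet("203.0.113.5", "172.16.1.10", 80, 40000, syn=False)   # server answers
REMOTE_SYN_FROM_80 = Packet("203.0.113.5", "172.16.1.10", 80, 22, syn=True)  # outsider connects *from* port 80
CLIENT_SSH = Packet("172.16.1.10", "203.0.113.5", 40001, 22, syn=True)       # anything but WWW


def verdicts() -> dict:
    """Verdicts under the full rule set, plus two variants that leave one rule out."""
    return {
        "client_syn": forward_verdict(CLIENT_SYN),
        "server_reply": forward_verdict(SERVER_REPLY),
        "remote_syn_from_80": forward_verdict(REMOTE_SYN_FROM_80),
        "client_ssh": forward_verdict(CLIENT_SSH),
        # Without the leading --syn DROP, the reply rule would let the outsider in.
        "remote_syn_without_syn_rule": forward_verdict(REMOTE_SYN_FROM_80, FORWARD[1:]),
        # Without the third rule (the direction -b used to cover), replies are dropped.
        "reply_without_return_rule": forward_verdict(SERVER_REPLY, FORWARD[:2]),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:30} {verdict}")
```

Running it shows the client's request and the server's reply accepted, the SSH attempt and the outsider's connection from port 80 dropped, and the two reduced rule sets failing in the ways the text warns about: drop the --syn rule and the reply-direction ACCEPT admits an inbound connection from port 80; drop the reply rule and the web server's answers never get back to the client.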