Book: Linux Network Administrator Guide, Second Edition

Our Naïve Example Revisited, Yet Again

To implement our naïve example using netfilter, you could simply load the ipchains.o module and pretend it is the ipchains version. Instead, we'll reimplement it using iptables to illustrate how similar it is.

Yet again, let's suppose that we have a network in our organization and that we are using a Linux-based firewall machine to allow our users to be able to access WWW servers on the Internet, but to allow no other traffic to be passed.

If our network has a 24-bit network mask (class C) and has an address of 172.16.1.0, then we'd use the following iptables rules:

# modprobe ip_tables
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 \
    --syn -j DROP
# iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --dport \
    80 -d 0/0 -j ACCEPT
# iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --sport 80 -s 0/0 -j \
    ACCEPT

In this example the iptables commands are interpreted exactly as the equivalent ipchains commands. The major exception is that the ip_tables.o module must be loaded first. Note that iptables doesn't support the -b option, so we must supply a rule for each direction.
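To make the first-match semantics of that FORWARD chain concrete, here is a small stateless rule evaluator written for this page (it is an added example, not code from the book). It models the three rules in the order the iptables -A commands append them: new connections arriving from source port 80 are dropped, our clients' traffic to destination port 80 is accepted, and replies from source port 80 back to 172.16.1.0/24 are accepted, with DROP as the chain policy. The addresses 198.51.100.7 and 203.0.113.5 and the client port numbers are constructed sample values; the evaluator is an assumption about how to model the chain, not netfilter itself.

```python
"""Stateless first-match model of the FORWARD chain from the text (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN = ip_network("172.16.1.0/24")   # the organization's class C network from the text
ANY = ip_network("0.0.0.0/0")       # iptables' 0/0


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool  # SYN set and ACK clear, i.e. what iptables --syn matches


@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int]   # None means "any source port"
    dport: Optional[int]   # None means "any destination port"
    syn: bool              # True if the rule carries --syn
    target: str

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in self.src
            and ip_address(p.dst) in self.dst
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
            and (not self.syn or p.syn_only)
        )


# The chain in the order iptables -A appends the rules in the text.
FORWARD: List[Rule] = [
    Rule(ANY, LAN, 80, None, True, "DROP"),     # -s 0/0 --sport 80 -d LAN --syn -j DROP
    Rule(LAN, ANY, None, 80, False, "ACCEPT"),  # -s LAN --dport 80 -d 0/0 -j ACCEPT
    Rule(ANY, LAN, 80, None, False, "ACCEPT"),  # -d LAN --sport 80 -s 0/0 -j ACCEPT
]
POLICY = "DROP"  # iptables -P FORWARD DROP


def forward_verdict(p: Packet, chain: List[Rule] = FORWARD, policy: str = POLICY) -> str:
    """Return the target of the first matching rule, or the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Constructed sample packets (198.51.100.7 and 203.0.113.5 are documentation addresses).
CLIENT_SYN = Packet("172.16.1.10", "198.51.100.7", 33000, 80, True)   # browser opens a connection
SERVER_REPLY = Packet("198.51.100.7", "172.16.1.10", 80, 33000, False)  # web server answers
INBOUND_FROM_80 = Packet("203.0.113.5", "172.16.1.10", 80, 22, True)  # new connection using sport 80
CLIENT_SSH = Packet("172.16.1.10", "203.0.113.5", 4000, 22, True)     # anything but WWW


def without_syn_rule(p: Packet) -> str:
    """Verdict if the --syn DROP rule were left out; shows why rule order matters."""
    return forward_verdict(p, FORWARD[1:])


if __name__ == "__main__":
    for name, pkt in [("client SYN", CLIENT_SYN), ("server reply", SERVER_REPLY),
                      ("inbound from port 80", INBOUND_FROM_80), ("client SSH", CLIENT_SSH)]:
        print(f"{name:22s} -> {forward_verdict(pkt)}")
    print(f"inbound from port 80 without the --syn rule -> {without_syn_rule(INBOUND_FROM_80)}")
```

The point the model makes visible is the one the text's first rule exists for: because the stateless third rule accepts anything from source port 80 towards the internal network, the --syn DROP rule has to come before it so that only replies, not new connection attempts, get through; dropping the first rule changes the verdict for the inbound packet from DROP to ACCEPT.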
