12 月 22, 2015
 
[root@backup data]# cat firewall.sh
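#!/bin/bash
#
# Run everyday 04:00 for rsync by harveymei @201511251116
# Open TCP Port 873 (rsync) for a fixed window, then close it again.
#
# The INPUT chain of the filter table is expected to already hold exactly
# one rule matching "tcp dpt:873".  Its line number is looked up and the
# rule is replaced in place (iptables -R) with ACCEPT at the start of the
# window and DROP at the end, so the rule keeps its position relative to
# the other rules.  Progress is written to /data/firewall; failures go to
# stderr (cron mails them to MAILTO).

set -u

readonly STATUS_FILE=/data/firewall
readonly RSYNC_PORT=873
# Length of the window the port stays open (matches the original 30m).
readonly OPEN_DURATION=30m

#######################################
# Print the line number of the INPUT rule matching dpt:873.
# Listing "iptables -L INPUT --line-numbers" instead of grepping
# "service iptables status" keeps the search inside the filter/INPUT
# chain, so a nat-table DNAT rule for the same port cannot be picked up.
# Outputs: the rule number on stdout
# Returns: 0 when exactly one matching rule exists, 1 otherwise
#######################################
find_rule_num() {
  local nums
  nums=$(iptables -L INPUT -n --line-numbers \
    | awk -v p="$RSYNC_PORT" '$0 ~ ("dpt:" p "([^0-9]|$)") {print $1}') || return 1
  # Exactly one numeric line: empty (no rule) or multi-line (several rules)
  # would otherwise be word-split into bogus iptables arguments.
  [[ "$nums" =~ ^[0-9]+$ ]] || return 1
  printf '%s\n' "$nums"
}

#######################################
# Replace the dpt:873 INPUT rule with the given target and persist it.
# Arguments: $1 - iptables target (ACCEPT or DROP)
# Returns:   0 on success, non-zero if the rule was not found or a step failed
#######################################
set_rsync_rule() {
  local target=$1 rule_num
  rule_num=$(find_rule_num) || return 1
  iptables -R INPUT "$rule_num" -p tcp --dport "$RSYNC_PORT" -j "$target" || return 1
  # -R already changed the live ruleset; save so it survives a reboot.
  # The restart is kept from the original script (reloads everything from
  # the saved file) -- drop it if connection tracking resets are a problem.
  service iptables save && service iptables restart
}

rc=0
if set_rsync_rule ACCEPT; then
  printf '%s OK\n' "$(date +%Y%m%d_%H:%M)" > "$STATUS_FILE"
  # Keep the port open for the rsync transfer window.
  sleep "$OPEN_DURATION"
else
  printf 'firewall.sh: failed to open tcp/%s, closing again\n' "$RSYNC_PORT" >&2
  rc=1
fi

# Always attempt the close step so a half-applied change is not left open.
if ! set_rsync_rule DROP; then
  printf 'firewall.sh: failed to close tcp/%s -- check the INPUT chain by hand\n' "$RSYNC_PORT" >&2
  exit 1
fi

printf '%s FINISHED\n' "$(date +%Y%m%d_%H:%M)" >> "$STATUS_FILE"

exit "$rc"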

加入定时任务

[root@backup data]# cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed

0 4 * * * root /data/firewall.sh
[root@backup data]#
5 月 19, 2014
 

dual-nic-iptables
主机A
外网IP地址:182.92.78.105
内网IP地址:10.162.220.104
主机B
内网iP地址:10.162.221.118
查看接口信息
[root@AY1405161625122035baZ ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:37:B6
inet addr:10.162.220.104 Bcast:10.162.223.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27730 errors:0 dropped:0 overruns:0 frame:0
TX packets:4894 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1722333 (1.6 MiB) TX bytes:356206 (347.8 KiB)
Interrupt:165

eth1 Link encap:Ethernet HWaddr 00:16:3E:00:37:B7
inet addr:182.92.78.105 Bcast:182.92.79.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4147415 errors:0 dropped:0 overruns:0 frame:0
TX packets:15476 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:206913746 (197.3 MiB) TX bytes:1928149 (1.8 MiB)
Interrupt:164

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root@AY1405161625122035baZ ~]#

修改IP包转发
[root@AY1405161625122035baZ ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@AY1405161625122035baZ ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@AY1405161625122035baZ ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@AY1405161625122035baZ ~]#
[root@AY1405161625122035baZ ~]# vi /etc/rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward

修改配置文件
[root@AY1405161625122035baZ ~]# vi /etc/sysctl.conf
# Controls IP packet forwarding
#net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
将iptables加入服务启动
[root@AY1405161625122035baZ ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@AY1405161625122035baZ ~]# chkconfig --level 35 iptables on

无法启动
[root@AY1405161625122035baZ ~]# service iptables status
iptables: Firewall is not running.
[root@AY1405161625122035baZ ~]# service iptables start
[root@AY1405161625122035baZ ~]# service iptables status
iptables: Firewall is not running.
[root@AY1405161625122035baZ ~]#
添加规则后启动
[root@AY1405161625122035baZ ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@AY1405161625122035baZ ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@AY1405161625122035baZ ~]# iptables -t nat -A PREROUTING -p tcp --dport 41022 -j DNAT --to-destination 10.162.221.118:22
[root@AY1405161625122035baZ ~]# iptables -t nat -A POSTROUTING -d 10.162.221.118 -p tcp --dport 22 -j SNAT --to 10.162.220.104

源地址发送数据->{PREROUTING->路由规则->POSTROUTING}->目的地址接收到数据

--table -t table   table to manipulate (default: `filter')
--append -A chain  Append to chain
-d, --destination address[/mask][,...]

[root@AY1405161625122035baZ ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@AY1405161625122035baZ ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@AY1405161625122035baZ ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:41022 to:10.162.221.118:22

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT tcp -- 0.0.0.0/0 10.162.221.118 tcp dpt:22 to:10.162.220.104

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@AY1405161625122035baZ ~]#
在内网主机上查看网络连接状态
[root@AY140518164554406132Z ~]# netstat -tun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 232 10.162.221.118:22 10.162.220.104:53408 ESTABLISHED
tcp 0 1 10.162.221.118:44338 110.75.102.62:80 SYN_SENT
[root@AY140518164554406132Z ~]#