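#!/bin/sh
#
# iptables gateway configuration for a small office router.
#
# Network layout (as described with the accompanying figure):
#   eth0  192.168.0.1/24   intranet
#   eth1  192.168.20.1/24  Internet uplink (ppp0 is the dial-up session on eth1)
#   eth2  192.168.50.1/24  meeting-room network
# DHCP:  192.168.0.1/24  hands out 192.168.0.100  - 192.168.0.200
#        192.168.50.1/24 hands out 192.168.50.100 - 192.168.50.200
# VPN:   localip 192.168.10.1, remoteip 192.168.10.100 - 192.168.10.150
#
# Listed on the gateway as:  [root@yujiagw ~]# cat firewall
#
# Notes on this reconstruction: the published listing had all line breaks
# removed and option spelling mangled ("-- dport", "-I ppp0", spaced MAC
# addresses).  It is restored here one rule per line.  Twelve destination
# addresses in the "Block Xunlei" section are unreadable in the listing;
# they are kept as commented placeholders in their original positions.

# --- Reset ------------------------------------------------------------------
iptables -F
iptables -t nat -F
# Policy is set to DROP *before* the chain is rebuilt so there is no window
# during reload in which forwarding is unfiltered.  This does not affect
# administrative access to the gateway itself (that is the INPUT chain).
iptables -P FORWARD DROP
iptables -X poweruser
iptables -X httpuser
# (the original listing also shows a garbled "-X route" token here; no chain
#  named "route" is created anywhere below)

# --- Stateful rules first ----------------------------------------------------
# Evaluated before any per-port or per-host rule: packets of established
# flows are accepted without walking the whole chain, and INVALID packets are
# dropped instead of being accepted by the broad port rules further down.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- NAT ---------------------------------------------------------------------
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
# ACCEPT in nat/PREROUTING only stops nat-chain traversal for that packet; it
# grants nothing by itself (the filter FORWARD chain still decides).
iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 443
# iptables -t nat -A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 443

# --- Port forwarding (disabled in the published config) ----------------------
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3389 -j DNAT --to 192.168.0.4:3389
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80   -j DNAT --to 192.168.0.4:80
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to 192.168.50.2:8080
# iptables -A FORWARD -d 192.168.50.2 -p tcp --dport 8080 -j ACCEPT
# (the SNAT option name was lost in the listing; --to-source is the SNAT target's option)
# iptables -t nat -A POSTROUTING -d 192.168.50.2 -p tcp --dport 8080 -j SNAT --to-source 192.168.0.1

# --- Basic port open ---------------------------------------------------------
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

# --- VPN <-> intranet --------------------------------------------------------
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT

# --- Conference room <-> intranet --------------------------------------------
iptables -A FORWARD -s 192.168.50.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.50.0/24 -j ACCEPT

# --- Set Connect WAN ---------------------------------------------------------
iptables -A FORWARD -d 192.168.50.0/24 -j ACCEPT

# HeQuanXin (unrestricted variants, disabled)
# iptables -A FORWARD -m mac --mac-source 00:1A:6B:35:A5:66 -j ACCEPT
# iptables -A FORWARD -m mac --mac-source 44:D8:84:0A:9F:5D -j ACCEPT

# --- User chains -------------------------------------------------------------
# poweruser: everything allowed.
iptables -N poweruser
iptables -A poweruser -j ACCEPT

# httpuser: DNS, web, mail only; everything else dropped at the end of the chain.
iptables -N httpuser
iptables -A httpuser -p tcp --dport 53 -j ACCEPT
iptables -A httpuser -p udp --dport 53 -j ACCEPT
# Reject QQZone.  A hostname here is resolved once, when the rule is loaded:
# one rule per returned address, and if resolution fails at boot the command
# errors and the script simply continues (there is no "set -e").
iptables -A httpuser -d user.qzone.qq.com -j REJECT
iptables -A httpuser -p tcp --dport 80 -j ACCEPT
iptables -A httpuser -p udp --dport 80 -j ACCEPT
iptables -A httpuser -p tcp --dport 25 -j ACCEPT
iptables -A httpuser -p tcp --dport 110 -j ACCEPT
iptables -A httpuser -p tcp --dport 443 -j ACCEPT
iptables -A httpuser -p udp --dport 443 -j ACCEPT
iptables -A httpuser -j DROP

# --- Per-host assignment (start) ---------------------------------------------
# A MAC match identifies a network interface, not a person; treat this as a
# convenience grouping for LAN hosts rather than as authentication.
# HeQuanXin
iptables -A FORWARD -m mac --mac-source 00:1A:6B:35:A5:66 -j httpuser
# xiangshude
iptables -A FORWARD -m mac --mac-source 00:E0:4C:41:49:c4 -j httpuser
# shiyayun
iptables -A FORWARD -m mac --mac-source C8:9C:DC:D2:55:7A -j poweruser
# chenmingxiang
iptables -A FORWARD -m mac --mac-source 54:04:A6:58:A3:EE -j poweruser
# wangxiaoping
iptables -A FORWARD -m mac --mac-source 00:B0:C4:04:A1:7E -j httpuser
# chengmeirong
iptables -A FORWARD -m mac --mac-source 90:2B:34:2D:E6:5B -j httpuser
# zhangyinbo
iptables -A FORWARD -m mac --mac-source 14:DA:E9:D2:3F:DF -j httpuser
# luxiaoxiong
iptables -A FORWARD -m mac --mac-source 90:2B:34:CB:31:EE -j httpuser
# --- Per-host assignment (end) -----------------------------------------------

# --- Blocks ------------------------------------------------------------------
# These are appended after the per-host jumps, so they only apply to traffic
# that no MAC rule above has already handled.
# Block Xunlei
iptables -A FORWARD -d 58.61.39.0/24 -j REJECT
iptables -A FORWARD -d 121.9.209.6 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
iptables -A FORWARD -d 121.9.209.3 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
iptables -A FORWARD -d 121.11.69.108 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING>/24 -j REJECT
iptables -A FORWARD -d 219.133.49.0/24 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING>/24 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING>/24 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
iptables -A FORWARD -d 210.21.118.149 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
iptables -A FORWARD -d 221.238.252.155 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
iptables -A FORWARD -d 222.208.156.0/24 -j REJECT
# iptables -A FORWARD -d <DEST-LOST-IN-LISTING> -j REJECT
# Block BT
iptables -A FORWARD -p tcp --dport 6880:6881 -j REJECT
iptables -A FORWARD -p udp --dport 6880:6881 -j REJECT

# Anything not matched above falls through to the FORWARD policy (DROP),
# which was set at the top of this script.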