

Using iptables to restrict intranet access to certain websites

Description: the RHEL5 Server (10.200.2.216) has IP forwarding enabled in the kernel and its default gateway points to 10.200.49.254; PC-A (10.200.51.202) uses 10.200.2.216 as its default gateway. On the RHEL5 Server, iptables is used to restrict intranet users from accessing certain websites.

The iptables script is as follows:

[root@RHEL5 iptables]# cat iptables.sh
#!/bin/bash
###################################
# Flush the filter table, then drop forwarded traffic to the blocked sites.
# A hostname given to -d is resolved when the rule is inserted, so one rule
# is created per address the name resolves to at that moment.
iptables -t filter -F
iptables -I FORWARD -d www.sohu.com -j DROP
iptables -I FORWARD -d www.114dy.net -j DROP
iptables -P FORWARD ACCEPT
# Load the netfilter modules this gateway relies on.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
###################################
iptables -t nat -F
# Enable kernel IP forwarding so this host routes for the intranet.
echo "1" > /proc/sys/net/ipv4/ip_forward

The rule set and the tcpdump capture before executing the above iptables script are as follows:

[root@RHEL5 iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@RHEL5 iptables]# tcpdump host 10.200.51.202 and www.sohu.com
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:39:33.924695 IP bogon.2499 > 61.135.150.101.http: R 1891908261:1891908261(0) win 0
11:39:39.899241 IP bogon.2499 > 61.135.150.101.http: R 1891908261:1891908261(0) win 0
11:39:33.926437 IP bogon.spock > 61.135.150.101.http: . ack 837160346 win 65535
11:39:33.926455 IP bogon.spock > 61.135.150.101.http: . ack 1 win 65535
11:39:33.927586 IP bogon.spock > 61.135.150.101.http: . ack 365 win 65172
11:39:33.927599 IP bogon.spock > 61.135.150.101.http: . ack 365 win 65172
11:39:33.928334 IP bogon.facsys-ntp > 61.135.150.101.http: . ack 827826287 win 65535
11:39:33.928347 IP bogon.facsys-ntp > 61.135.150.101.http: . ack 1 win 65535
11:39:33.929230 IP bogon.jdatastore > 61.135.150.101.http: . ack 836651119 win 65535
11:39:33.929243 IP bogon.jdatastore > 61.135.150.101.http: . ack 1 win 65535
11:39:33.931603 IP bogon.jdatastore > 61.135.150.101.http: . ack 363 win 65174
11:39:33.931615 IP bogon.jdatastore > 61.135.150.101.http: . ack 363 win 65174

The rule set and the tcpdump capture after executing the above iptables script are as follows:

[root@RHEL5 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 178.223.71.218.broad.nb.zj.dynamic.163data.com.cn
DROP all -- anywhere 61.135.150.104
DROP all -- anywhere 61.135.150.101
DROP all -- anywhere 61.135.150.98
DROP all -- anywhere 61.135.150.93
DROP all -- anywhere 61.135.150.145
DROP all -- anywhere 61.135.150.126
DROP all -- anywhere 61.135.150.113
DROP all -- anywhere 61.135.150.108

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@RHEL5 ~]# tcpdump host 10.200.51.202 and www.sohu.com
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:50:30.810243 IP bogon.hl7 > 61.135.150.104.http: S 298939320:298939320(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:33.721198 IP bogon.hl7 > 61.135.150.104.http: S 298939320:298939320(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:39.756776 IP bogon.hl7 > 61.135.150.104.http: S 298939320:298939320(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:51.733564 IP bogon.rvs-isdn-dcp > 61.135.150.108.http: S 2663940900:2663940900(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:54.745177 IP bogon.rvs-isdn-dcp > 61.135.150.108.http: S 2663940900:2663940900(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:00.780780 IP bogon.rvs-isdn-dcp > 61.135.150.108.http: S 2663940900:2663940900(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:12.757521 IP bogon.mpfoncl > 61.135.150.113.http: S 2746173429:2746173429(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:15.769177 IP bogon.mpfoncl > 61.135.150.113.http: S 2746173429:2746173429(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:21.804783 IP bogon.mpfoncl > 61.135.150.113.http: S 2746173429:2746173429(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:33.782256 IP bogon.mon > 61.135.150.126.http: S 557986306:557986306(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:36.793181 IP bogon.mon > 61.135.150.126.http: S 557986306:557986306(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:42.728186 IP bogon.mon > 61.135.150.126.http: S 557986306:557986306(0) win 65535 <mss 1360,nop,nop,sackOK>

Note: if the iptables script refers to a website by its domain name (e.g. www.sohu.com), the system must have correct DNS resolution configured (/etc/resolv.conf), because iptables resolves the name at the moment the rule is inserted; as the listing above shows, one name expands into a separate DROP rule for each address it resolved to at that time.
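Because the rules are a snapshot of the A records at insertion time, a name that later resolves to new addresses is no longer fully blocked. The following POSIX shell script is an added example, not the post's own iptables.sh: it resolves a blocked hostname, compares the result with the DROP rules already in the FORWARD chain, and inserts rules only for addresses that are missing, so it can be rerun from cron. It assumes getent(1) is available and that the installed iptables supports the comment match (-m comment); the functions resolve_a, current_drops, missing_drops and refresh_host and the variables IPT and RESOLVE are this example's own names, and any addresses used in tests are constructed.

```shell
#!/bin/sh
# Added example (not the original post's script): keep FORWARD DROP rules for a
# blocked hostname in step with the addresses the name currently resolves to.
# iptables expands "-d www.sohu.com" into one rule per A record at insertion
# time, so a name that later resolves to new addresses slips past the old rules.
# Assumptions: getent(1) exists and iptables supports "-m comment".

IPT=${IPT:-iptables}          # set IPT=echo to print the rules instead of installing them
RESOLVE=${RESOLVE:-resolve_a} # name of the function that maps a hostname to A records

# Print the IPv4 addresses for a hostname, one per line, through the same
# system resolver (/etc/resolv.conf) that iptables uses for "-d <name>".
resolve_a() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Read "iptables -n -L FORWARD" output on stdin and print the destination of
# every DROP rule. -n matters: without it the listing shows reverse-DNS names
# (as in the post's own listing), which cannot be compared with resolver output.
current_drops() {
    awk '$1 == "DROP" { print $5 }'
}

# Print the addresses HOST resolves to that have no DROP rule yet.
# Usage: iptables -n -L FORWARD | missing_drops www.example.invalid
missing_drops() {
    host=$1
    have=" $(current_drops | tr '\n' ' ') "
    "$RESOLVE" "$host" | while read -r ip; do
        [ -n "$ip" ] || continue
        case "$have" in
            *" $ip "*) ;;                 # already covered by a rule
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Install a DROP rule for each missing address, tagged with the hostname so
# "iptables -n -L FORWARD" shows why that address is blocked.
# Usage: iptables -n -L FORWARD | refresh_host www.example.invalid
refresh_host() {
    host=$1
    missing_drops "$host" | while read -r ip; do
        "$IPT" -I FORWARD -d "$ip" -m comment --comment "blocked:$host" -j DROP
    done
}

# Run as: ./block-hosts.sh www.sohu.com www.114dy.net
# Schedule it from cron so the rules follow DNS changes; reruns are idempotent.
for h in "$@"; do
    iptables -n -L FORWARD | refresh_host "$h"
done
```

A dry run (IPT=echo ./block-hosts.sh www.sohu.com) prints the rules that would be added without touching the table, which is a convenient way to see how many addresses a name currently expands to before committing to a name-based block.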