2015
11-18


VMWare/CentOS7 iptables搭建简单路由环境

1、在CentOS7 上添加两张网卡并配置好IP,两张网卡均为桥接模式

外网:ifcfg-eno16777736

# WAN side (eno16777736): static IPv4 address with DEFROUTE=yes, so the
# default route and the DNS servers point at the upstream network.
# The concrete 192.168.x.x addresses are redacted as XX in the post.
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME="ifcfg-eno16777736"
UUID=84bb2509-5049-40bc-9248-40f70a52750b
ONBOOT=yes
HWADDR=00:50:56:31:41:0C
IPADDR=192.168.XX.XX
PREFIX=24
GATEWAY=192.168.XX.XX
DNS1=114.114.114.114
DNS2=114.114.115.115

内网:ifcfg-eno33554984

# LAN side (eno33554984): the router's own address on the private
# 10.1.1.0/24 segment; LAN clients use 10.1.1.254 as their gateway.
# NOTE(review): GATEWAY here equals this interface's own IPADDR, and
# DEFROUTE=yes is set on this NIC as well as on the WAN NIC, so two
# candidate default routes are declared - confirm the default route is
# taken from the WAN NIC only (DEFROUTE=no / no GATEWAY on the LAN side).
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME="eno33554984"
UUID=c0818f7c-b75a-48b3-b2b6-75bfddb50263
HWADDR=00:50:56:2F:EF:32
ONBOOT=yes
IPADDR=10.1.1.254
PREFIX=24
GATEWAY=10.1.1.254
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

 

2、安装iptables 服务,并设置开机启动

# yum install -y iptables-services
# systemctl enable iptables.service

 

3、使用脚本自动配置路由器

iptables_router.sh

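#!/bin/sh
#
# iptables_router.sh - turn a two-NIC CentOS 7 host into a simple NAT router.
#
# Interactive: lists the interfaces, then asks for the WAN and LAN NIC names.
# Must be run as root. Enables IPv4 forwarding, installs a DROP-by-default
# INPUT policy that trusts the LAN/VPN side, blocks unsolicited traffic from
# the WAN into the LAN, masquerades the LAN subnet behind the WAN address and
# saves the rule set with the iptables-services helper (`service iptables save`).
#
# Exit status: 0 on success; 1 when an interface name is empty, unknown or
# the same name was given for both NICs.

# LAN subnet that is masqueraded behind the WAN address (see ifcfg above).
lan_net="10.1.1.0/24"

# show the interfaces so the user can pick the right names
ip addr

echo "please input your wan nic :"
read -r wan_nic

echo "please input your lan nic :"
read -r lan_nic

# refuse to build rules around a typo: both names must be existing interfaces
for nic in "$wan_nic" "$lan_nic"; do
  if [ -z "$nic" ] || [ ! -d "/sys/class/net/$nic" ]; then
    echo "unknown network interface: '$nic'" >&2
    exit 1
  fi
done
if [ "$wan_nic" = "$lan_nic" ]; then
  echo "wan nic and lan nic must be different interfaces" >&2
  exit 1
fi

# enable ip forward - append only once so repeated runs do not pile up
# duplicate lines in /etc/sysctl.conf
if ! grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf; then
  echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
fi
sysctl -p

# connection-tracking and NAT helpers for FTP through the masquerade
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# start from empty chains; INPUT is deny-by-default, everything else ACCEPT
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# ALLOW ALL in PRIVATE NET: loopback, the LAN NIC and VPN interfaces are
# trusted; packets on the WAN NIC that claim a loopback, link-local or
# LAN-subnet source address are spoofed and dropped
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i "$lan_nic" -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/255.0.0.0 -i "$wan_nic" -j DROP
/sbin/iptables -A INPUT -s 169.254.0.0/255.255.0.0 -i "$wan_nic" -j DROP
/sbin/iptables -A INPUT -s "$lan_net" -i "$wan_nic" -j DROP
/sbin/iptables -A INPUT -i pptp+ -j ACCEPT
/sbin/iptables -A INPUT -i tun+ -j ACCEPT

# Make sure that new TCP connections are SYN packets
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# drop conntrack INVALID packets and malformed "new" TCP handshakes
# (SYN+ACK without a matching SYN is answered with a reset)
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

# ICMP from the WAN: echo-reply (0), destination-unreachable (3),
# echo-request (8) and time-exceeded (11). Type 8 means the router answers
# pings from the outside; delete that line if that is not wanted.
/sbin/iptables -A INPUT -i "$wan_nic" -p icmp -m icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -i "$wan_nic" -p icmp -m icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -i "$wan_nic" -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -i "$wan_nic" -p icmp -m icmp --icmp-type 11 -j ACCEPT

# replies to connections the router itself opened; anything not matched
# above falls through to the INPUT DROP policy
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# FORWARD: the policy stays ACCEPT so LAN- and VPN-originated traffic is
# routed as before, but connections that *start* on the WAN side must not be
# forwarded into the private network - only replies to LAN connections may
# come back in
/sbin/iptables -A FORWARD -i "$wan_nic" -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i "$wan_nic" -j DROP

# NAT: hide the LAN subnet behind the WAN address
/sbin/iptables -t nat -A POSTROUTING -s "$lan_net" -j MASQUERADE

# Save iptables so the rules are restored by iptables.service on boot
service iptables save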

脚本会提示你输入外网网卡和内网网卡的名称,输入后回车就可以了,如下图:

 

4、新启动一个WIN7 虚拟机,设置为 IP:10.1.1.88  网关:10.1.1.254 子网:255.0.0.0
