接下来去配置防火墙: 安装squid [root@localhost Server]# rpm -ivh squid-2.6.STABLE21-3.el5.i386.rpm 查看规则 [root@localhost ~]# iptables -L Chain INPUT (policy ACCEPT) targetprot opt sourcedestination Chain FORWARD (policy ACCEPT) targetprot opt sourcedestination Chain OUTPUT (policy ACCEPT) targetprot opt sourcedestination 保证自己能够正常连接到防火墙 [root@localhost ~]# iptables -t filter -A INPUT -s 192.168.20.129 -p tcp --dport 22 -j ACCEPT [root@localhost ~]# iptables -t filter -A OUTPUT -d 192.168.20.129 -p tcp --sport 22 -j ACCEPT 拒绝所有过防火墙的流量 [root@localhost ~]# iptables -P INPUT DROP [root@localhost ~]# iptables -P OUTPUT DROP [root@localhost ~]# iptables -P FORWARD DROP 允许内网用户流量通过POSTROUTING从eth2网卡出去 [root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth2 -j MASQUERADE 允许工程部的人员在上班时间能够访问ftp [root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 192.168.20.10-192.168.20.20 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p tcp --dport 21 -j ACCEPT 接收进入内网的所有流量 [root@localhost ~]# iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 只允许工程部人员在上班时间访问192.168.102.10的ftp [root@localhost ~]# iptables -t filter -R FORWARD 1 -m iprange --src-range 192.168.20.10-192.168.20.20 -m time --timestart 08:00 --timestop 20:00 -d 192.168.102.10 -o eth2 --weekdays Mon,Tue,Wed,Thu,Fri -p tcp --dport 21 -j ACCEPT 验证 [root@localhost ~]# date Thu May 16 10:00:04 CST 2013 不允许工程部人员在上班时间登录qq [root@localhost ~]# iptables -t filter -A FORWARD-m iprange --src-range 192.168.20.10-192.168.20.20 -m time --timestart 08:00 --timestop 20:00-o eth2 --weekdays Mon,Tue,Wed,Thu,Fri -m layer7 --l7proto qq-j DROP [root@localhost ~]# date Thu May 16 10:06:47 CST 2013 下班时间无限制 [root@localhost ~]# iptables -t filter -A FORWARD -s 192.168.20.0/24 -m time --timestart 20:01 --timestop 07:59 -o eth2 -j ACCEPT [root@localhost ~]# date -s 21:00:00 Thu May 16 21:00:00 CST 2013
|
|