Configuring a NAT Service with Webmin on Red Hat Linux (Part 2)

Part 2 covers publishing an internal service to the outside world, using a web server as the example. The environment and the method are the same as in Part 1.
For example, to publish the website on an internal server with IP address 192.168.0.126 (default port 80) to Internet users through port 8080 on the NAT server, configure it as follows:
Go back to the NAT configuration screen in Webmin's firewall module. This time the rule goes into "Packets before routing (PREROUTING)". Click "Add Rule" to open the rule editor and set: "Action to take" to "Destination NAT"; "IPs and ports for DNAT" to 192.168.0.126 and 80; "Destination address or network" to Equals 10.0.0.118, i.e. the IP address of the external interface; "Network protocol" to Equals TCP; "Destination TCP or UDP port" to Equals 8080; leave the remaining options at their defaults. Save, then click "Apply Configuration" so the rule takes effect.
Once again: if you open a browser on the outside, enter http://10.0.0.118:8080 and still cannot see the published site, configure the firewall's outside-to-inside forwarding rule (Forwarded packets (FORWARD)). The problem is usually here (the firewall causes big trouble for hackers and a little trouble for us too). Note the direction of the traffic: it flows from interface eth0 to interface eth1, so the rule is:
Accept - If input interface is eth0 and output interface is eth1
With everything configured, /etc/sysconfig/iptables contains the following:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:My-test-Chain - [0:0]
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A My-test-Chain -p icmp -d 10.0.0.118 -i eth0 -j DROP
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
# Not ping 10.0.0.118
-A INPUT -p icmp -d 10.0.0.118 -i eth0
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j RH-Lokkit-0-50-INPUT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
-A PREROUTING -p tcp -m tcp -d 10.0.0.118 --dport 8080 -j DNAT --to-destination 192.168.0.126:80
COMMIT
# Completed
Note the key line for publishing the service through NAT:
-A PREROUTING -p tcp -m tcp -d 10.0.0.118 --dport 8080 -j DNAT --to-destination 192.168.0.126:80
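The same publishing setup as plain iptables commands, plus a check for the "DNAT present but no FORWARD rule" symptom described above. This is an added example, not the article's or Webmin's own output; the addresses, ports and interface names are the article's, and the narrow per-service FORWARD rule (instead of the blanket eth0 to eth1 ACCEPT Webmin writes) is this example's suggestion.

```shell
#!/bin/sh
# Added example, not from the original article or from Webmin. Builds the
# iptables commands equivalent to the Webmin rules above and checks a saved
# ruleset for the two rules that publishing needs. Addresses and ports are
# the article's; the narrow FORWARD rule is this example's own suggestion.
EXT_IF=eth0;  INT_IF=eth1
EXT_IP=10.0.0.118;  EXT_PORT=8080
WEB_IP=192.168.0.126;  WEB_PORT=80

# Print the iptables commands that publish WEB_IP:WEB_PORT on EXT_IP:EXT_PORT.
# Review the output, then pipe it to sh on the NAT box to apply it.
dnat_rules() {
    # 1. rewrite the destination before routing (the article's key rule)
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $EXT_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT"
    # 2. forward only traffic for that one service, instead of the blanket
    #    eth0 -> eth1 ACCEPT that exposes every internal host to forwarding
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_IP --dport $WEB_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    # 3. let the web server's replies travel back out
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Check an iptables-save dump ($1) for both rules. Exit status:
#   0 = DNAT and eth0->eth1 FORWARD accept both present
#   1 = DNAT present but no FORWARD accept (the "site not visible" symptom)
#   2 = DNAT rule missing
check_dump() {
    grep -q -- "^-A PREROUTING .*-d $EXT_IP .*--dport $EXT_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT" "$1" || return 2
    grep -q -- "^-A FORWARD -i $EXT_IF -o $INT_IF .*-j ACCEPT" "$1" || return 1
    return 0
}

# Constructed sample dumps (abridged from the article's file) for a self-test.
WITH_FWD=$(mktemp); NO_FWD=$(mktemp)
cat > "$WITH_FWD" <<EOF
*filter
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
-A PREROUTING -p tcp -m tcp -d 10.0.0.118 --dport 8080 -j DNAT --to-destination 192.168.0.126:80
COMMIT
EOF
grep -v -- '-i eth0 -o eth1' "$WITH_FWD" > "$NO_FWD"

check_dump "$WITH_FWD" && echo "complete: DNAT + FORWARD present"
check_dump "$NO_FWD" || echo "incomplete (status $?): add the FORWARD eth0->eth1 rule"
```

Run `check_dump` against `iptables-save` output on the NAT server to confirm that applying the Webmin configuration produced both rules, not only the DNAT line.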

This article comes from the "十万个为什么" (why100000) computer learning site: http://www.why100000.com
http://www.why100000.com/_Linux/doc/RHLinux_Webmin_Nat.swf

Author: Zhang Qing (网眼), 2008-1-21
