eth0连接ADSL Modem,设成DHCP,同时要让ADSL自动启动,所以eth0就不要自动启动了。eth1做内网连接网卡,IP地址是192.168.3.1,将网关设成0.0.0.0,DNS不要设置。因为ADSL拨号成功之后,会自动获取网关和DNS的设置,所以eth1不能设置网关和DNS。
设置iptables,如下:
# Generated by iptables-save v1.4.4 on Wed Nov 3 22:07:11 2010
*nat
:PREROUTING ACCEPT [89:5389]
:OUTPUT ACCEPT [99:6218]
:POSTROUTING ACCEPT [99:6218]
-A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 3 22:07:11 2010
# Generated by iptables-save v1.4.4 on Wed Nov 3 22:07:11 2010
*filter
:INPUT ACCEPT [2965:1911992]
:FORWARD ACCEPT [614:192167]
:OUTPUT ACCEPT [5625:1000183]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
# Completed on Wed Nov 3 22:07:11 2010
*nat
:PREROUTING ACCEPT [89:5389]
:OUTPUT ACCEPT [99:6218]
:POSTROUTING ACCEPT [99:6218]
-A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 3 22:07:11 2010
# Generated by iptables-save v1.4.4 on Wed Nov 3 22:07:11 2010
*filter
:INPUT ACCEPT [2965:1911992]
:FORWARD ACCEPT [614:192167]
:OUTPUT ACCEPT [5625:1000183]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
# Completed on Wed Nov 3 22:07:11 2010
以上设置开通了ssh和https两项服务,其他来自ppp0的连接都将被drop。
以上设置是输入了iptables命令之后,使用iptables-save生成的,保存以上内容为:/etc/iptables-config,然后修改/etc/rc.local,加入:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables-restore < /etc/iptables-config
iptables-restore < /etc/iptables-config
完成。