zai

Изменения Автор: zai Дата: 18-10-2015

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING ! -d 192.168.0.0/24 -i lan -p tcp -m multiport --dports 80,8080 -j DNAT --to-destination 192.168.0.1:3128
[0:0] -A POSTROUTING -s 192.168.0.0/24 -o wan -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i lan -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i wan -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT

При настройке:
*filter
:INPUT DROP [0:0]
Перестает работать интернет (NAT, Squid), т.е. проблемы с DNS (BIND9), что нужно прописать в iptables?



Решение:
[0:0] -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT