Using iptables to restrict intranet access to certain websites

Published 2023-07-23 (author: )

Description: The RHEL5 Server (10.200.2.216) has IP routing/forwarding enabled in the kernel and its default gateway points to 10.200.49.254. PC-A (10.200.51.202) uses 10.200.2.216 as its default gateway. On the RHEL5 Server, iptables is used to restrict intranet users from reaching certain websites.

The iptables script is as follows:

[root@RHEL5 iptables]# cat
#!/bin/bash
###################################
# Flush the filter table, then insert a DROP rule for each blocked destination (-d)
# at the top of the FORWARD chain, which is the chain routed traffic passes through
iptables -t filter -F
iptables -I FORWARD -d -j DROP
iptables -I FORWARD -d -j DROP
iptables -P FORWARD ACCEPT
# Load the netfilter modules for connection tracking, NAT, logging and rate limiting
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
###################################
iptables -t nat -F
# Enable IP forwarding so the server routes PC-A's traffic
echo "1" > /proc/sys/net/ipv4/ip_forward

Before running the iptables script above, the rule set and the tcpdump capture look like this:

[root@RHEL5 iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@RHEL5 iptables]# tcpdump host 10.200.51.202 and
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:39:33.924695 IP bogon.2499 > : R 1891908261:1891908261(0) win 0
11:39:39.899241 IP bogon.2499 > : R 1891908261:1891908261(0) win 0
11:39:33.926437 IP > : . ack 837160346 win 65535
11:39:33.926455 IP > : . ack 1 win 65535
11:39:33.927586 IP > : . ack 365 win 65172
11:39:33.927599 IP > : . ack 365 win 65172
11:39:33.928334 IP -ntp > : . ack 827826287 win 65535
11:39:33.928347 IP -ntp > : . ack 1 win 65535
11:39:33.929230 IP tore > : . ack 836651119 win 65535
11:39:33.929243 IP tore > : . ack 1 win 65535
11:39:33.931603 IP tore > : . ack 363 win 65174
11:39:33.931615 IP tore > : . ack 363 win 65174

After running the iptables script above, the rule set and the tcpdump capture look like this (note that the single blocked site has been expanded into one DROP rule per resolved address, and PC-A's SYNs are now retransmitted without ever being answered):

[root@RHEL5 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere
DROP all -- anywhere 61.135.150.104
DROP all -- anywhere 61.135.150.101
DROP all -- anywhere 61.135.150.98
DROP all -- anywhere 61.135.150.93
DROP all -- anywhere 61.135.150.145
DROP all -- anywhere 61.135.150.126
DROP all -- anywhere 61.135.150.113
DROP all -- anywhere 61.135.150.108

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@RHEL5 ~]# tcpdump host 10.200.51.202 and
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:50:30.810243 IP 7 > : S 298939320:298939320(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:33.721198 IP 7 > : S 298939320:298939320(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:39.756776 IP 7 > : S 298939320:298939320(0) win 65535 <mss 1360,nop,nop,sackOK>
11:50:51.733564 IP -isdn-dcp > : S 2663940900:2663940900(0) win 65535
11:50:54.745177 IP -isdn-dcp > : S 2663940900:2663940900(0) win 65535
11:51:00.780780 IP -isdn-dcp > : S 2663940900:2663940900(0) win 65535
11:51:12.757521 IP l > : S 2746173429:2746173429(0) win 65535
11:51:15.769177 IP l > : S 2746173429:2746173429(0) win 65535
11:51:21.804783 IP l > : S 2746173429:2746173429(0) win 65535
11:51:33.782256 IP > : S 557986306:557986306(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:36.793181 IP > : S 557986306:557986306(0) win 65535 <mss 1360,nop,nop,sackOK>
11:51:42.728186 IP > : S 557986306:557986306(0) win 65535 <mss 1360,nop,nop,sackOK>

Note: If the iptables script names the website by its domain name (e.g. ), the system must have working DNS resolution configured (/etc/), because iptables resolves the name only once, at the moment the rule is inserted.
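Because the name is resolved only at insertion time (which is why the iptables -L output above shows eight DROP rules for one site), a gateway operator usually keeps the block list as addresses, scopes the rules to the LAN subnet, and logs what is dropped so blocked attempts are visible in syslog. The following is an added example, not the post's own script: it generates such a rule set for the FORWARD chain without executing anything, using the same ipt_LOG and ipt_limit modules the script above loads; the subnet 10.200.51.0/24, the chain name BLOCKSITES and the sample destinations are assumptions, not from the page.

```shell
#!/bin/sh
# Generate iptables commands that block LAN clients from a list of destination
# addresses. Output is text only, so it can be reviewed before being piped to sh.
LAN_NET="10.200.51.0/24"      # assumed intranet subnet behind the RHEL5 gateway
CHAIN="BLOCKSITES"            # assumed name of a dedicated user chain

# Accept only dotted-quad IPv4 (optionally with /prefix); hostnames are refused
# so the rule set never depends on DNS at load time. Octet ranges are not checked.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# build_block_rules DEST... : print the commands for the given destinations.
build_block_rules() {
    # Create the chain if it does not exist, otherwise empty it (works on old iptables
    # that lacks -C, so the script can be re-run safely).
    printf 'iptables -t filter -N %s 2>/dev/null || iptables -t filter -F %s\n' "$CHAIN" "$CHAIN"
    for dst in "$@"; do
        if ! is_ipv4 "$dst"; then
            printf '# skipped non-IP destination: %s\n' "$dst"
            continue
        fi
        # Rate-limited LOG first so drops show up in syslog, then the DROP itself.
        printf 'iptables -A %s -d %s -m limit --limit 5/min -j LOG --log-prefix "BLOCKSITE "\n' "$CHAIN" "$dst"
        printf 'iptables -A %s -d %s -j DROP\n' "$CHAIN" "$dst"
    done
    # Remove any stale jump, then hook the chain at the top of FORWARD for LAN traffic only.
    printf 'iptables -D FORWARD -s %s -j %s 2>/dev/null\n' "$LAN_NET" "$CHAIN"
    printf 'iptables -I FORWARD -s %s -j %s\n' "$LAN_NET" "$CHAIN"
}

# Sample run with constructed input: two addresses from the -L output above plus a
# hostname, which is rejected rather than resolved.
build_block_rules 61.135.150.104 61.135.150.101 www.example.invalid
```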

Posted by: admin. Please credit the source when reposting: http://www.yc00.com/xiaochengxu/1690103695a306157.html
