【 tulaoshi.com - Linux 】
最近,为公司配置了一个PC 网关,用IPtables的nat功能实现的。配置如下:
# Generated by iptables-save v1.2.7a on Tue May 17 11:06:04 2005*filter:INPUT DROP [17432:1689389]:FORWARD ACCEPT [562461:457136263]:OUTPUT DROP [343:26108]-A INPUT -s 10.4.20.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT -A FORWARD -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 20:23 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 20:23 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT -A FORWARD -p udp -m udp --dport 53 -j ACCEPT -A FORWARD -p udp -m udp --sport 53 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 1433 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 1433 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 1521 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 1521 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 1863 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 3389 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 5631:5632 -j ACCEPT -A FORWARD -p tcp -m tcp --sport 5631:5632 -j ACCEPT -A OUTPUT -d 10.4.20.0/255.255.255.0 -p tcp -m tcp --sport 22 -j ACCEPT COMMIT# Completed on Tue May 17 11:06:04 2005# Generated by iptables-save v1.2.7a on Tue May 17 11:06:04 2005*nat:PREROUTING ACCEPT [1634525:107748168]:POSTROUTING ACCEPT [227:30861]:OUTPUT ACCEPT [6879:487361]-A POSTROUTING -o eth0 -j MASQUERADE COMMIT# Completed on Tue May 17 11:06:04 2005
可是有些FTP站点可以访问,但有些却不可以,不知为何?
不能访问的FTP Server 是Windows 2000 server 自带的FTP Server(5.0)。后来从网上搜了一些资料,说要打开30000以上的端口。于是,我在防火墙上打开了30000的端口。居然成功了,但为什么要打开30000以上的端口呢?
