[问题求助]请帮忙看一下这个iptables [复制链接]

echo 1 > /p.roc/s.ys/net/ipv4/ip_forward[成人用品]
e.cho 1 > /proc/sys/net./ipv4/tcp_syncookies服务器
echo 1 > /pro.c/s.ys/net/ipv4/icmp_echo_ignore_broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_.ignore_bogus_error_response.s[成人用品]
#/sbin/ifcon.fig. eth0:0 192.168.10.50.
#/s.bin/ifconfig e.th1:1 192.168.100.2虚拟主机
su squid .-c "/usr/local/squi.d/sbin/squid -s"           鲜花
/u.sr/local/apache2/bin./apachectl -k start.
/sbin/modprobe ip_c.onntrack_ftp.           女人
/sb.in/modprobe ip_nat_ftp<性病>
iptables -F
iptables -X
i.ptables -F -t nat.
iptables -X -t na.t[成人用品]
iptables. -F -t mangle.
iptables .-X -t mangle.

iptables -P. FORWARD DROP--- 印刷
iptable.s -.t nat -P PREROUTING  ACCEPT            杀毒
iptables -t nat -P POSTROUT.ING A.CCEPT.
iptables -t nat. .-P OUTPUT ACCEPT    美容
#dns
iptables -A F.ORWARD -p udp .--dport 53 -j ACCEPT.


#ftp,telnet
iptables -t nat -A PREROUTIN.G -d 202.96.186.240 -p tcp --dport 21 -.j DNAT --to 192.1.68.100.4.
iptables -A FORWARD -o eth0 -d 192.168.100.4. -p tcp --dport 21 -j A.CCEPT投资
ipt.ables -A FORW.ARD -i eth0 -s 192.168.100.4 -p tcp --sport. 21 -m state --state ESTABLISHED -j ACCEPT           女人
iptables -A FORWARD. -i .eth0 -s 192.168.100.4 -p tcp --sport 20 -m state --state. ESTABLISHED,RELATED -j ACCEPT--------------彩票
i.ptables .-A FORWAR.D -o eth0 -d 192.168.100.4 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT.
iptables -t nat -A PREROUTING -d 202.96.186.240 -p.. tcp --dport 23 -.j DNAT --to 192.168.100.4.
ip.tables -A FORWARD -o eth0 -d .192.168.100.4 -p tcp --dport 23 -j ACCEPT.
ip.tables -A FORWARD -i e.th0 -s 192.168.100.4 -p tcp --sport 23 -m state --st.ate ESTABLISHED -j ACCEPT             电子
iptables -t nat -A POSTRO.UTING -d 192.168.100.4 .-p tcp --dport 23. -j SNAT --to 192.168.100.1              乙肝
iptables -t nat -A POSTROUTING -d 19.2.168.1.00.4 -p tcp --dport 21 -j SNAT --to 192.1.68.100.1外贸

iptables -A FORWARD -m state --stat.e E.STABLISHED,RELATED -j ACCEPT(广告)
iptables .-A POSTROUTING -t nat -s 192.168.100.0/24. -j MASQUERADE          婚庆

iptables .-A PREROUTING -t nat -p tcp -s 192.168.100.0/24 -d 202.96.186.240 --dport .80 -j REDIRECT --to-port.s 3128健康
#FIRE
#iptables -I. FORWARD -m string --string "??.?繞" -j DROP.
#iptabl.es -I FORWARD -s 1.92.168.100.0/24 -m string --str.ing "qq.com" -j DROP            杀毒
#iptables. -I FORWARD -d 192.168.100.0/24 -m string --s.tring "聶穩?繕?簞?繙" -#iptables -I FORWARD -s 192.1.68.1.00.0/24 -m string --string "?竄?矇" -j DROP电影
#iptables .-I FORWA.RD -p tcp --sport 80 -m string --string "繒瓊繡疆" -j DROP             汽车
#iptables -I FORWARD -s 192.168.100.0/24 -p tcp --dport 80 -j DROP .-m com.ment --comment "the bad gu.y can not online"             电子
#iptables -I FORWAR.D -s 192.168.100.0/24 -m string --string "qq.com" -j DROP -m commen.t --comment "d.enny go to qq.com"           建材
#ipt.ables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --conn.limit-mask .24 -j DROP.
#iptables -A INPUT -s 192.186.100.0/24 -p. tcp. --syn -m connl.imit --connlimit-above 15 -j DROP域名
iptable.s -A INPU.T -s 192.186.100.0/24 -p tcp -m state --state ESTABLISHED,.RELATED -j ACCEPT           女人

#MAIL
ipt.ables -A FORWARD -s 192.168.10.0.0/24 -p udp .-m multiport --dport 53,1800,1810,8000,8080 -j ACCEPT    健康
iptables -A FORWARD -p tcp -s 19.2.168.100.0/24 -m multiport --dport .110,25 -j ACCEP.T    健康
#SUPUSER
iptab.les -I FORWARD -m iprange --src-range 192.168.100.2-192.168.100.50 -j .ACCE.PT.
#MSNUSER
iptables -I FORWARD -p tcp -m iprange --src-range 192.168...100.103-192.168.100.119 -m multiport --dport 443,.80,.8081,3389 -j ACCEPT.
iptables -I FORWARD. -p. tcp -.s 192.168.100.60 -m multiport --dport 443,80 -j ACCEPT电脑
ipta.bles -I FORWARD .-p tcp -s 192.168.100.221 -m multiport --dport 443,8.0 -j ACCEPT.
iptables -I FORWARD -p TCP -s 19.2.168.100.220 -m. multiport --dpor.t 443,80 -j ACCEPT.
#USER
iptables -I FORWARD -p tcp -m iprange --src-range 192.168.10.0.61-1.92.168..100.70 --dport 80 -j ACCEPT域名
iptables -I FORWARD -.p tcp -s 192.168.100.67 -j ACCEP.T    外汇
iptables. -I FORWARD -p tcp -s 192.168.100.70 --dport 400.0 -j ACCEPT服务器
iptables -I F.ORWARD -p .tcp -s 192.168.100.65 -j DROP.


iptables -I FORWARD -p tcp -s 192.168.10.0.66 -.j DROP[成人用品]
i.ptables -I FORWARD -p tcp -s 192.168.100.68 -j D.ROP投资
iptables -I FO.R.WARD -p tcp -s 192.168.100.151 --dport 80 -j ACCEPT服务器
iptables -I FORWARD -p tcp -s 192.168..100.156 --dport. 80 -j ACCEPT             电子
iptables -I .FORWARD -p tcp -s 19.2.168.100.157 --dport 80 -j ACCEPT[成人用品]
iptables -I FORWA.RD -p tcp -s 192.168.100.159 --dport 80 -j ACCEP.T教育
iptables -I FORWARD -p tcp -s 192.168..10.0.163 --dport 80 -j ACCEPT[成人用品]
iptables -I FORWARD -p tcp -s 192.168.100.164 -.-dp.ort 80 -j ACCEPT             电子
iptables -I FORWARD -p tcp -s 192.168.100.170 --.dport 8.0 -j ACCEPT--------------彩票
iptables .-I FOR.WARD -p tcp -s 192.168.100.173 --dport 80 -j ACCEPT.
iptables -I FORWARD -p tc.p .-s 192.168.100.158 --dport 80 -j ACCEPT.
iptab.les -I FORWARD -p tcp -s 192.168.100.18.1 --dport 80 -j ACCEPT.
iptables -I FORWARD -p tcp -s 192.168.10.0..188 --dport 80 -j ACCEPT.
iptables -I FORWA.RD -p tcp -s 192.168.100.212 --dport 80. -j ACCEPT<性病>
iptables -I FORWARD -p tcp -s 192.168.100.214 --dport. 80 -j ACCE.PT<性病>
iptables -I FORWARD -p tcp -s 192..168.100.211 --dport 80 -j ACC.EPT.
iptables -.I FORWARD -p tcp -s 192.168.100.215 --dport 80 -j ACCE.PT虚拟主机
#CWUSER
iptables -I FORWARD. -p tcp -m iprange --src-range 1.92.168.100.71-192.168.100.79 -m multi.port --dport 80,8080,7002,7001,443,3333 -j. ACCEPT.



以上，我设在开机启动执行rc.local,.像以上这种写法是不是每次开机执行的效果都不一样？？这一句iptables -A PRE.ROUTING .-..t nat -p tcp -s 192.1.68.100.0/24 -d 202.96.186.240 --dport 80 -j REDIRECT --to-ports 3128，我发现没有转发到squid去处理，然后我去掉-d 202.96.186.240 ，透明代理正常．现在有点糊涂了，请指出应该怎样改．外贸

不要贴脚本，贴 iptables-save 的结果

QUOTE:原帖由 platinum 于 2007-11-23 10:56 发表
不要贴脚本，贴 iptables-save 的结果


支持，脚本看得晕。

iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -j MASQUERADE

既然是MASQUERDE,想必是动态IP了，你那个 -d 202.96.186.240 根本就是多余的

是静态的，我没用ＳＮＡＴ．

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.186.100.0/24     anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            source IP range 192.168.100.71-192.168.100.79 multiport dports http,webcache,afs3-prserver,afs3-callback,https,3333
ACCEPT     tcp  --  192.168.100.215      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.211      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.214      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.212      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.188      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.181      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.158      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.173      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.170      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.164      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.163      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.159      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.157      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.156      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.151      anywhere            tcp dpt:http
DROP       tcp  --  192.168.100.68       anywhere
DROP       tcp  --  192.168.100.66       anywhere
DROP       tcp  --  192.168.100.65       anywhere
ACCEPT     tcp  --  192.168.100.70       anywhere            tcp dpt:4000
ACCEPT     tcp  --  192.168.100.67       anywhere
ACCEPT     tcp  --  anywhere             anywhere            source IP range 192.168.100.61-192.168.100.70 tcp dpt:http
ACCEPT     tcp  --  192.168.100.220      anywhere            multiport dports https,http
ACCEPT     tcp  --  192.168.100.221      anywhere            multiport dports https,http
ACCEPT     tcp  --  192.168.100.60       anywhere            multiport dports https,http
ACCEPT     tcp  --  anywhere             anywhere            source IP range 192.168.100.103-192.168.100.119 multiport dports https,http,tproxy,3389
ACCEPT     all  --  anywhere             anywhere            source IP range 192.168.100.2-192.168.100.50
ACCEPT     tcp  --  192.168.100.0/24     anywhere            multiport dports pop3,smtp
ACCEPT     udp  --  192.168.100.0/24     anywhere            multiport dports domain,1800,1810,8000,webcache
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

QUOTE:原帖由 platinum 于 2007-11-23 10:56 发表
不要贴脚本，贴 iptables-save 的结果


# Generated by iptables-save v1.2.11 on Fri Nov 23 11:20:28 2007
*mangle
REROUTING ACCEPT [38155:17645793]
:INPUT ACCEPT [4674:452380]
:FORWARD ACCEPT [26548:15478267]
:OUTPUT ACCEPT [4861:992438]
OSTROUTING ACCEPT [31381:16468544]
COMMIT
# Completed on Fri Nov 23 11:20:28 2007
# Generated by iptables-save v1.2.11 on Fri Nov 23 11:20:28 2007
*filter
:INPUT ACCEPT [4674:452380]
:FORWARD DROP [28:2161]
:OUTPUT ACCEPT [4862:992594]
-A INPUT -s 192.186.100.0/255.255.255.0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m iprange --src-range 192.168.100.71-192.168.100.79 -m multiport --dports 80,8080,7002,7001,443,3333 -j ACCEPT
-A FORWARD -s 192.168.100.215 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.211 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.214 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.212 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.188 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.181 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.158 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.173 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.170 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.164 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.163 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.159 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.157 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.156 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.151 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.68 -p tcp -j DROP
-A FORWARD -s 192.168.100.66 -p tcp -j DROP
-A FORWARD -s 192.168.100.65 -p tcp -j DROP
-A FORWARD -s 192.168.100.70 -p tcp -m tcp --dport 4000 -j ACCEPT
-A FORWARD -s 192.168.100.67 -p tcp -j ACCEPT
-A FORWARD -p tcp -m iprange --src-range 192.168.100.61-192.168.100.70 -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.220 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A FORWARD -s 192.168.100.221 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A FORWARD -s 192.168.100.60 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A FORWARD -p tcp -m iprange --src-range 192.168.100.103-192.168.100.119 -m multiport --dports 443,80,8081,3389 -j ACCEPT
-A FORWARD -m iprange --src-range 192.168.100.2-192.168.100.50 -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -p tcp -m multiport --dports 110,25 -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -p udp -m multiport --dports 53,1800,1810,8000,8080 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Fri Nov 23 11:20:28 2007
# Generated by iptables-save v1.2.11 on Fri Nov 23 11:20:28 2007
*nat
REROUTING ACCEPT [8594:1826625]
OSTROUTING ACCEPT [14:892]
:OUTPUT ACCEPT [23:1648]
-A PREROUTING -s 192.168.100.0/255.255.255.0 -d 202.96.186.240 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.100.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 23 11:20:28 2007

”然后我去掉-d 202.96.186.240 ，透明代理正常“
加的目的是什么？
你又是如何测试的？

之前也有的，透明代理正常，-d 202.96.186.240 是我的对外公网ip。这两天发现squid的透明代理没有起作用（在浏览器设定代理时，正常），于时早上将-d 202.96.186.240 去掉，透明代理起作用。可是iptables还是有问题，表现为iptables -I FORWARD -p tcp -s 192.168.100.65 -j DROP这个，居然可以登陆qq.我在想会不会是顺序问题？