According to RFC 1918, the following IP networks can be used for private networks that will never be connected to the Internet:

Class A  10.0.0.0    - 10.255.255.255   255.0.0.0
Class B  172.16.0.0  - 172.31.255.255   255.255.0.0
Class C  192.168.0.0 - 192.168.255.255  255.255.255.0
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
config GENERIC
cd ../../compile/GENERIC
make depend all install
# The first network card's own settings:
ifconfig_vr0="inet 211.75.215.107 media 100baseTX netmask 255.255.255.0"
# When using only one network card, give the first card a second, virtual IP (if you use two cards, do not set this line, or leave it commented out).
# If you have a second network card, configure it as follows (of course, the comment on that line must then be removed for the second card to take effect).
# Declare that this host may act as a gateway.
# Declare the firewall (IP-FIREWALL).
# Define the network interface natd uses; it should be the device name of the card configured with the public IP.
After booting, if you want to change the NAT settings:
kill -KILL `cat /var/run/natd.pid`
natd -redirect_port tcp 192.168.1.220:80 211.75.215.107:80 -interface vr0
natd    8668/divert
#!/bin/sh
# ================
# Clear all firewall filter rules (reset to zero); for detailed ipfw syntax see: man ipfw
/sbin/ipfw -f flush
# ================
# Define the deny rules first; the firewall filter rules start here.
# I am a bit harsher: if I block someone, I block everything, watertight.
# ================
# The "all" here refers to every service name recorded in the /etc/services file.
# With the firewall rules set this way, they can't even ping my host.
# The following IPs or Class C networks have either attempted intrusions or sent spam; I do not welcome such people, so I refuse them any service.
# ----- spam -----
#
/sbin/ipfw add deny all from 211.22.166.45 to any
/sbin/ipfw add deny all from 216.153.141.44 to any
/sbin/ipfw add deny all from 192.72.80.7 to any
/sbin/ipfw add deny all from 61.220.214.251 to any
/sbin/ipfw add deny all from 61.154.244.0/24 to any
/sbin/ipfw add deny all from 140.113.75.248 to any
/sbin/ipfw add deny all from 61.16.11.0/24 to any
/sbin/ipfw add deny all from 61.217.135.209 to any
/sbin/ipfw add deny all from 61.225.169.0/24 to any
/sbin/ipfw add deny all from 61.227.50.0/24 to any
/sbin/ipfw add deny all from 61.228.0.0/24 to any
/sbin/ipfw add deny all from 63.119.26.216 to any
/sbin/ipfw add deny all from 64.94.217.0/24 to any
/sbin/ipfw add deny all from 64.114.31.2 to any
/sbin/ipfw add deny all from 65.30.9.44 to any
/sbin/ipfw add deny all from 65.32.169.173 to any
/sbin/ipfw add deny all from 139.175.252.20 to any
/sbin/ipfw add deny all from 163.29.255.0/24 to any
/sbin/ipfw add deny all from 192.72.81.0/24 to any
/sbin/ipfw add deny all from 193.126.14.83 to any
/sbin/ipfw add deny all from 195.190.94.200 to any
/sbin/ipfw add deny all from 203.79.166.137 to any
/sbin/ipfw add deny all from 203.198.160.118 to any
/sbin/ipfw add deny all from 203.146.235.0/24 to any
/sbin/ipfw add deny all from 203.204.139.129 to any
/sbin/ipfw add deny all from 206.154.48.203 to any
/sbin/ipfw add deny all from 207.254.20.124 to any
/sbin/ipfw add deny all from 210.85.75.0/24 to any
/sbin/ipfw add deny all from 210.208.48.108 to any
/sbin/ipfw add deny all from 211.20.175.110 to any
/sbin/ipfw add deny all from 211.21.140.133 to any
/sbin/ipfw add deny all from 211.21.191.123 to any
/sbin/ipfw add deny all from 211.75.204.163 to any
/sbin/ipfw add deny all from 211.75.220.228 to any
/sbin/ipfw add deny all from 211.78.1.3 to any
/sbin/ipfw add deny all from 211.114.30.1 to any
/sbin/ipfw add deny all from 212.67.193.231 to any
/sbin/ipfw add deny all from 216.4.172.254 to any
/sbin/ipfw add deny all from 217.11.131.182 to any
/sbin/ipfw add deny all from 217.115.144.0/24 to any
# ================
# This line defines the NAT passage; if you are only setting up a firewall, this line is not needed.
/sbin/ipfw add divert natd all from any to any via vr0
# ================
# Everything else (all) is let through; both NAT and the firewall need this line.
/sbin/ipfw add pass all from any to any
Flushed all rules.
00100 deny ip from 140.113.75.248 to any
00200 deny ip from 211.78.1.3 to any
00300 deny ip from 211.21.191.123 to any
00400 deny ip from 64.114.30.2 to any
00500 divert 8668 ip from any to any via vr0
00600 allow ip from any to any
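An added check, not part of the original page: this Python script parses an ipfw listing like the one above and verifies the layout the firewall script relies on (every deny rule numbered before the divert to natd, so blocked hosts never reach NAT, and a divert rule present on the public interface), notes that a trailing pass-all makes the policy default-accept, and confirms that a natd redirect target such as 192.168.1.220 lies inside an RFC 1918 block. The sample listing and the vr0 interface name come from the page; ipfw prints the script's `deny all` as `deny ip` and `pass` as `allow`, so both spellings are accepted.

```python
import ipaddress
import re

# Constructed sample: the "ipfw list" output shown on this page.
SAMPLE_RULES = """\
00100 deny ip from 140.113.75.248 to any
00200 deny ip from 211.78.1.3 to any
00300 deny ip from 211.21.191.123 to any
00400 deny ip from 64.114.31.2 to any
00500 divert 8668 ip from any to any via vr0
00600 allow ip from any to any
"""

# ipfw prints "deny all" as "deny ip" and "pass" as "allow"; accept both forms.
RULE_RE = re.compile(r"^(\d+)\s+(deny|allow|pass|divert)\s+(?:(\d+)\s+)?(.*)$")

# The three RFC 1918 blocks from the table at the top of the page.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rules(text):
    """Return (number, action, divert_port, body) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, port, body = m.groups()
            rules.append((int(num), action, int(port) if port else None, body))
    return rules

def check_ordering(rules, nat_if="vr0"):
    """Return a list of findings; deny rules must precede the divert to natd."""
    findings = []
    if not rules:
        return ["empty ruleset"]
    diverts = [r for r in rules if r[1] == "divert" and f"via {nat_if}" in r[3]]
    if not diverts:
        return [f"no divert rule via {nat_if}: natd never sees traffic"]
    divert_num = diverts[0][0]
    for num, action, _, body in rules:
        if action == "deny" and num > divert_num:
            findings.append(f"rule {num:05d} denies after divert: host still hits natd")
    last = rules[-1]
    if last[1] in ("allow", "pass") and "from any to any" in last[3]:
        findings.append("final rule passes everything: default-accept policy")
    return findings

def in_rfc1918(addr):
    """True if addr (e.g. the natd -redirect_port target, 'ip:port' allowed) is RFC 1918."""
    ip = ipaddress.ip_address(addr.split(":")[0])
    return any(ip in net for net in RFC1918)
```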
Jul 9 23:54:18 www sendmail[4378]: f69FsHY04378: from=