Building a gateway firewall with iptables on CentOS 6.3

Source: Internet
Author: User
System environment: CentOS 6.3 x64
IPTABLES: the version that ships with the system

I. Deployment environment:
1. Disable SELinux (the original procedure does this; iptables itself does not depend on SELinux)
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
2. Flush the existing rules and restart iptables (-F removes the rules in the nat and filter tables but does not change chain policies; "service iptables save" then persists the empty rule set to /etc/sysconfig/iptables)
# iptables -t nat -F
# iptables -F
# service iptables save
# service iptables restart
3. Enable IP forwarding on the gateway
# vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
# sysctl -p
In this example we simulate a web site: only SSH (TCP 22) and HTTP (TCP 80) are opened on the firewall, and those two ports are mapped (DNAT) from the firewall's public address to the intranet server. If other services are to be exposed, adjust the rules accordingly. Throughout, eth0 is the public interface holding 1.2.3.4, eth1 is the intranet interface holding 192.168.100.1, and the intranet server is 192.168.100.10.
[Figure: iptables.jpg, the network topology diagram]
II. Gateway firewall iptables configuration:
1. Always allow traffic on the loopback interface:
# iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
2. Port mapping with DNAT:
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 22 -j DNAT --to 192.168.100.10
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.100.10
Then SNAT the mapped connections to the gateway's intranet address so that the server's replies come back through the firewall (the key point). This is only required when the server's default route does not point at the firewall; it also hides the real client address from the server's logs.
# iptables -t nat -A POSTROUTING -d 192.168.100.10 -p tcp --dport 22 -j SNAT --to 192.168.100.1
# iptables -t nat -A POSTROUTING -d 192.168.100.10 -p tcp --dport 80 -j SNAT --to 192.168.100.1
3. Open the mapped ports in the FORWARD chain (routed traffic):
# iptables -A FORWARD -o eth1 -d 192.168.100.10 -p tcp --dport 22 -j ACCEPT
# iptables -A FORWARD -i eth1 -s 192.168.100.10 -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -o eth1 -d 192.168.100.10 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth1 -s 192.168.100.10 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
4. Allow any other TCP traffic from the subnet out to the Internet:
# iptables -A FORWARD -p tcp -i eth1 -o eth0 -j ACCEPT
Note that the replies to these connections arrive on eth0 and leave on eth1; no rule in this set accepts them, so a FORWARD rule for that direction matching state ESTABLISHED,RELATED must be added ahead of the catch-all reject in step 7, or outbound TCP from the subnet will not work.
5. Allow the subnet to use UDP services on the Internet (DNS, for example). The original listed -i eth0/-o eth1 and 192.168.0.0/24 here, which contradicts the interfaces and subnet used in every other rule; corrected:
# iptables -A FORWARD -p udp -i eth1 -s 192.168.100.0/24 -o eth0 -j ACCEPT
# iptables -A FORWARD -p udp -i eth0 -d 192.168.100.0/24 -o eth1 -m state --state ESTABLISHED -j ACCEPT
6. Masquerade the subnet behind the gateway's public address so that intranet hosts can reach the Internet:
# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
7. Reject everything else. REJECT is not a valid chain policy (iptables -P accepts only ACCEPT or DROP), so the policy is set to DROP and a final REJECT rule is appended where the original wanted an ICMP error returned to the sender:
# iptables -P FORWARD DROP
# iptables -A FORWARD -j REJECT
# iptables -A INPUT -j REJECT
# iptables -P OUTPUT DROP
With these in place the gateway host itself accepts nothing but loopback, cannot originate connections (no DNS lookups, no yum) and cannot be reached over SSH; manage it from the console, or add explicit INPUT/OUTPUT rules for that before the catch-all.
8. Save and restart the service:
# service iptables save
# service iptables restart
---------- Configuration completed -----------
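As an added example, not code from the original article, the whole procedure above is collected into one script that emits the rule set in iptables-restore format, which is what "service iptables save" writes to /etc/sysconfig/iptables on CentOS 6. The interfaces and addresses are the article's (eth0 public with 1.2.3.4, eth1 intranet with 192.168.100.1/24, server 192.168.100.10); the variable names, the `check_ruleset` helper, the single stateful reply rule for FORWARD, the REJECT-as-final-rule replacement for the invalid REJECT policy, and the management-SSH and ESTABLISHED rules for the gateway host itself are my assumptions, added where the article's rule set would otherwise block replies or lock the operator out.

```shell
#!/bin/sh
# Added example (not from the original article): emit the gateway ruleset in
# iptables-restore format, i.e. what "service iptables save" writes to
# /etc/sysconfig/iptables on CentOS 6. Load with:  sh thisfile.sh | iptables-restore
# Topology assumed from the article: eth0 = public side holding 1.2.3.4,
# eth1 = LAN side holding 192.168.100.1/24, web server at 192.168.100.10.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUBLIC_IP=${PUBLIC_IP:-1.2.3.4}
LAN_NET=${LAN_NET:-192.168.100.0/24}
GW_LAN_IP=${GW_LAN_IP:-192.168.100.1}
SERVER_IP=${SERVER_IP:-192.168.100.10}
PUBLISHED_PORTS=${PUBLISHED_PORTS:-"22 80"}   # TCP ports mapped to the server

# printf '%s' so that rules beginning with "-A" are never parsed as options
rule() { printf '%s\n' "$*"; }

gen_ruleset() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    for p in $PUBLISHED_PORTS; do
        # Port mapping (DNAT) from the public address to the intranet server
        rule "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $p -j DNAT --to-destination $SERVER_IP"
        # SNAT as in the article: only needed when the server's default route does
        # not point at this gateway; it hides the real client address from the server
        rule "-A POSTROUTING -o $LAN_IF -d $SERVER_IP -p tcp --dport $p -j SNAT --to-source $GW_LAN_IP"
    done
    # LAN clients leave through the public interface with the gateway's address
    rule "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    rule 'COMMIT'

    rule '*filter'
    # REJECT is not a valid chain policy; DROP is. A final REJECT rule gives the
    # article's intended behaviour (senders get an ICMP error, not a timeout).
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A OUTPUT -o lo -j ACCEPT'
    # Assumption (not in the article): let the gateway itself answer existing
    # connections and accept SSH management from the LAN only
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    rule '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One stateful reply rule replaces the article's per-port ESTABLISHED rules and
    # also covers replies to the LAN clients' own outbound connections
    rule "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLISHED_PORTS; do
        rule "-A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # LAN to Internet: any TCP, any UDP (article steps 4 and 5)
    rule "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -j ACCEPT"
    rule "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp -j ACCEPT"
    rule '-A INPUT -j REJECT'
    rule '-A FORWARD -j REJECT'
    rule 'COMMIT'
}

# Sanity checks before loading: no chain may carry a REJECT policy, and every
# published port must have both a DNAT rule and a matching FORWARD accept.
check_ruleset() {
    rs=$(gen_ruleset)
    printf '%s\n' "$rs" | grep -q '^:[A-Z]* REJECT' && return 1
    for p in $PUBLISHED_PORTS; do
        printf '%s\n' "$rs" | grep -q -- "--dport $p -j DNAT --to-destination $SERVER_IP" || return 1
        printf '%s\n' "$rs" | grep -q -- "-A FORWARD .* --dport $p .* -j ACCEPT" || return 1
    done
    return 0
}

# Number of rules (lines starting with -A) in the generated set
rule_count() { gen_ruleset | grep -c '^-A'; }

if [ "${1:-}" = "--check" ]; then
    check_ruleset && echo "ruleset OK ($(rule_count) rules)"
else
    gen_ruleset
fi
```

Run it with `--check` first; once it reports OK, pipe the plain output into `iptables-restore` and then `service iptables save`. Setting PUBLISHED_PORTS="22 80 443" in the environment adds the DNAT, SNAT and FORWARD rules for a third port without editing the script, which is the adjustment the article asks for when other services are exposed.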
