NetFilter Iptables Application Example
One filter table case
1 Requirements: For the filter table only, the default input chain drop, the other two links accept, and then for
The 192.169.188.0/24 opens 22 ports and opens 80 ports and 21 ports for all network segments.
We write a shell script implementation
vim /usr/local/sbin/iptalbes.sh#!/bin/bashipt="/usr/sbin/iptables"$ipt -F # 清空现有规则$ipt -P INPUT DROP # 预设INPUT 链规则$ipt -P OUTPUT ACCEPT # 预设 OUPUT 链规则$ipt -P FORWARD ACCEPT # 预设FORWARD链规则$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #疏通传输环境$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT #放行指定ip的22端口$ipt -A INPUT -p tcp --dport 80 -j ACCEPT #放行80端口$ipt -A INPUT -p tcp --dport 21 -j ACCEP #放行21端口
2. A small application of ICMP
For server security we usually do not want the unfamiliar host ping our network, so it is necessary to implement a non-ping operation through the firewall mechanism
iptables -I INPUT -p icmp --icmp-type 8 -j DROP
The above command can not let any machine ping our host, but usually we have to detect the intranet, so should be on this basis to release the LAN ping operation, you can continue to add the following rules
iptables -I INPUT -p icmp --icmp-type 8 -i eth0 -s 10.0.0.0/24 -j ACCEPT
Application of two NAT tables
The application of NAT tables largely implements the function of a router.
Case 1: Suppose your machine has two NICs, eth0 and eth1, where eth0 IP is 10.0.2.68,eth1 IP is 192.168.1.1. Eth0 links the Internet, but Eth1 has no links. Now another machine, IP for 192.168.1.2 and eth1 is interoperability, then how to set up to let IP for 192.168.1.2 this machine on the outside of the network?
We configure the rules for NAT tables to
1 turn on the route forwarding feature
echo "1" >/proc/sys/net/ipv4/ip_forward
2 Configuring routing Rules
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
3 Configuring the Gateway
Set Gateway to 192.168.100.1 on B
Remarks Set IP and mask
ifconfig eth0 192.168.5.40 netmask 255.255.255.0
Setting up the Gateway
route add default gw 192.168.5.1
route -n
View Gateway
Case 2: A machine can be connected to the Internet, the B machine can only communicate with C, so that a machine can directly connect to the B machine's 22 port.
Take my own environment for example, a machine for windos host, IP for 192.168.226.1
b Machine for VMware inside LINUX1, there are two network cards, ENS33 IP for 192.168.226.129
ENS37 to 192.168.100.1
C Machine for virtual machine linux2, IP for 192.168.100.100
Now how to configure can let the host SSH connection linux2?
1. Route forwarding is still turned on
echo "1" >/proc/sys/net/ipv4/ip_forward
2 Configuring routing Rules
A on the executioniptables -t nat -A PREROUTING -d 192.168.226.129 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
Create a map port before routing, indicating where to go and where to go
A on the executioniptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.226.129
After routing, add the source IP address, the destination IP address corresponding to the relationship, indicating where the
3 Configuring the Gateway
Set Gateway to 192.168.100.1 on B
Finally, SSH link 192.168.226.129 port 1122 can log on to the C machine
Linux Learning Summary (25) System Management 4