RHEL5.4 iptables configuration (figure)

Source: Internet
Author: User

This section focuses on configuring iptables, a tool for securing the network. iptables is a kernel-based firewall with three built-in tables: filter, nat and mangle. The filter table is responsible for filtering packets, the nat table handles network address translation, and the mangle table is mainly used to modify packet contents and is rarely used. The default rule chains are input, output, nat, postrouting and prerouting. The following two pictures illustrate the working mechanism of the iptables firewall well; for detailed usage and an introduction, refer to the man page.


One: Server and client network settings
[root@server ~]# ifconfig | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1   // view the server's IP addresses
10.0.0.200
192.168.100.254
127.0.0.1
[root@server ~]# ifconfig eth1 | grep HWaddr   // view the MAC address of eth1
eth1      Link encap:Ethernet  HWaddr 00:0C:29:0C:7C:4E

[root@server ~]# grep 'ip_forward' /etc/sysctl.conf   // turn on routing (packet forwarding) on the server and make it effective
net.ipv4.ip_forward = 1
[root@server ~]# sysctl -p
[root@server ~]# ping www.baidu.com -c 2   // test the connection to the public network
PING www.a.shifen.com (119.75.213.51) bytes of data.
bytes from 119.75.213.51: icmp_seq=1 ttl=53 time=71.6 ms
bytes from 119.75.213.51: icmp_seq=2 ttl=53 time=67.2 ms

[root@client ~]# ifconfig | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1   // client IP and routing settings
192.168.100.20
127.0.0.1
[root@client ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0


[root@server ~]# ping 192.168.100.20 -c 2   // test the connection to the client from the server side
PING 192.168.100.20 (192.168.100.20) bytes of data.
bytes from 192.168.100.20: icmp_seq=1 ttl=64 time=5.92 ms
bytes from 192.168.100.20: icmp_seq=2 ttl=64 time=1.12 ms

Two: Deny SSH from the server to the client
[root@client ~]# iptables -L -n   // view the client's default firewall policy; the -n option disables name resolution. The default system policy is very strict: a custom RH-Firewall-1-INPUT chain is defined and then referenced from the INPUT chain, which is less efficient and easier to maintain.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

[root@client ~]# service iptables stop   // stop the firewall; this flushes the rules of the chains in all tables and resets each chain's default policy to ACCEPT. iptables -F can also be used to clear the rules.
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
[root@client ~]# iptables -A INPUT -s 192.168.100.254 -p tcp --dport 22 -j REJECT   // deny SSH from the server; -A appends the rule at the end of the chain
[root@client ~]# iptables -L INPUT -n   // view the policy just set
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.100.254      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable

[root@client ~]# service iptables save   // save the rules with the save command; the rule file is /etc/sysconfig/iptables
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

[root@server ~]# ssh 192.168.100.20   // server-side test
ssh: connect to host 192.168.100.20 port 22: Connection refused
Three: Allow SSH from the server to the client, but require the server's IP and MAC address to be legitimate
[root@client ~]# iptables -I INPUT -i eth0 -m mac --mac-source 00:0c:29:0c:7c:4e -s 192.168.100.254 -p tcp -m multiport --dports 22,21,20 -j ACCEPT   // -I inserts the rule at the top of the chain. iptables matches from top to bottom, and the first matching rule decides the packet's fate, so the order is important.
[root@client ~]# iptables -L -n   // view the rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.254      0.0.0.0/0           MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
REJECT     tcp  --  192.168.100.254      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable

[root@server ~]# ssh 192.168.100.20   // server-side test
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
RSA key fingerprint is 3a:5d:33:3c:c5:04:8f:31:19:38:1b:9a:b4:75:4c:51.
Are you sure you want to continue connecting (yes/no)?

[root@server ~]# ftp 192.168.100.20
Connected to 192.168.100.20.
(vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.100.20:root): ftp
331 Please specify the password.
Password:
230 Login successful.

Four: Defining the default policy and deleting rules
[root@client ~]# iptables -P INPUT DROP   // set the default policy of the INPUT chain to DROP and view it
[root@client ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.254      0.0.0.0/0           MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
REJECT     tcp  --  192.168.100.254      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable

[root@client ~]# iptables -D INPUT 2   // delete the second rule of the INPUT chain and view
[root@client ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.254      0.0.0.0/0           MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
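To make the first-match behaviour of sections Two to Four checkable offline, here is an added example (not from the original page) that models an iptables chain in Python: rules are evaluated top to bottom, the first match decides, and the chain policy applies only when nothing matches. Rule, Chain and ssh_verdict are names constructed for this model; the addresses and MAC are the ones used on this page, and the packets are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                      # -j ACCEPT / REJECT / DROP
    src: str = None                  # -s
    mac: str = None                  # -m mac --mac-source
    proto: str = None                # -p
    dports: tuple = ()               # --dport or -m multiport --dports

    def matches(self, pkt: dict) -> bool:
        return all([
            self.src is None or pkt.get("src") == self.src,
            self.mac is None or pkt.get("mac", "").lower() == self.mac.lower(),
            self.proto is None or pkt.get("proto") == self.proto,
            not self.dports or pkt.get("dport") in self.dports,
        ])

@dataclass
class Chain:
    policy: str = "ACCEPT"           # iptables -P INPUT <policy>
    rules: list = field(default_factory=list)

    def append(self, rule: Rule):            # iptables -A INPUT ...
        self.rules.append(rule)
    def insert(self, rule: Rule, pos=1):    # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, rule)
    def delete(self, pos: int):             # iptables -D INPUT <pos>, 1-based as in -L
        del self.rules[pos - 1]

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:             # top to bottom, the first match decides
            if rule.matches(pkt):
                return rule.target
        return self.policy                  # nothing matched: the chain policy applies

SERVER_IP, SERVER_MAC = "192.168.100.254", "00:0c:29:0c:7c:4e"   # from section One

def build_client_input_chain() -> Chain:   # replay the client commands of sections Two to Four
    chain = Chain()
    chain.append(Rule("REJECT", src=SERVER_IP, proto="tcp", dports=(22,)))    # section Two: -A
    chain.insert(Rule("ACCEPT", src=SERVER_IP, mac=SERVER_MAC,                 # section Three: -I
                      proto="tcp", dports=(22, 21, 20)))
    chain.policy = "DROP"                                                      # section Four: -P
    chain.delete(2)                                                            # section Four: -D 2
    return chain

def ssh_verdict(src: str, mac: str, chain: Chain = None) -> str:
    # verdict for a TCP packet to port 22 from the given source address and MAC
    chain = chain if chain is not None else build_client_input_chain()
    return chain.verdict({"src": src, "mac": mac, "proto": "tcp", "dport": 22})
```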

Five: Using iptables to implement SNAT
[root@server ~]# iptables -L -t nat -n -v   // view the nat table policy; the -v option displays details
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

By default the client cannot reach the public network, so SNAT needs to be configured on the server side, and the client's gateway must point to the server's internal NIC eth1.

[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.200
[root@server ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
[root@server ~]# iptables -A FORWARD -o eth0 -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

In FORWARD, these two rules mainly concern the SYN of TCP's three-way handshake (state NEW) and the packets of connections already established; they can also improve forwarding efficiency.

[root@server ~]# iptables -L FORWARD -n -v   // view the configuration
Chain FORWARD (policy ACCEPT 237 packets, 181 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

[root@client ~]# ping www.g.cn -c 2   // client test
PING www.g.cn (203.208.39.99) bytes of data.
bytes from bi-in-f99.1e100.net (203.208.39.99): icmp_seq=1 ttl=242 time=78.7 ms
bytes from bi-in-f99.1e100.net (203.208.39.99): icmp_seq=2 ttl=243 time=81.3 ms
[root@client ~]# traceroute www.g.cn
traceroute to www.g.cn (203.208.39.104), hops max, byte packets
 1  bogon (192.168.100.254)  1.243 ms  1.217 ms  1.064 ms
 2  bogon (10.0.0.1)  4.884 ms  4.738 ms  5.800 ms
 3  122.90.176.1 (122.90.176.1)  68.062 ms  67.964 ms  67.821 ms
 4  122.90.10.237 (122.90.10.237)  35.287 ms  64.357 ms  78.671 ms

// In a real production environment where the server reaches the Internet over ADSL, the MASQUERADE target can also be used to achieve the same result
[root@server ~]# iptables -t nat -D POSTROUTING 1
[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@server ~]# iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 2 packets, 194 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Six: Using iptables to implement DNAT
[root@client ~]# service httpd restart   // configure the Apache server on the client side
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@client ~]# echo "Just one Test" > /var/www/html/index.html

[root@server ~]# service httpd status   // verify that the Apache service is not installed on the server side
httpd: unrecognized service


Configure DNAT
[root@server ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.20
[root@server ~]# iptables -t nat -L PREROUTING -v
Chain PREROUTING (policy ACCEPT packets, 13431 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:http to:192.168.100.20


[root@server ~]# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.100.200:3128   // the iptables rule used for a transparent proxy
[root@server ~]# iptables -t nat -L OUTPUT -v   // view the configuration
Chain OUTPUT (policy ACCEPT 1 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:http to:192.168.100.200:3128
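As an added example that is not part of the original page, the following Python models the nat table built in sections Five and Six, including the connection-tracking entry that lets replies be translated back without consulting the rules again. NatGateway, in_subnet, forward and the external client 198.51.100.7 are constructed for the model; the interface addresses are those from section One and the packets are constructed samples.

```python
IFACE_ADDR = {"eth0": "10.0.0.200", "eth1": "192.168.100.254"}  # server NICs from section One
LAN = "192.168.100.0/24"                                         # -s 192.168.100.0/24
WEB_SERVER = "192.168.100.20"           # the client running Apache in section Six

def in_subnet(ip: str, cidr: str) -> bool:
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    to_int = lambda a: int.from_bytes(bytes(map(int, a.split("."))), "big")
    return to_int(ip) & mask == to_int(net) & mask

class NatGateway:
    """Model of the server's nat table: PREROUTING DNAT and POSTROUTING SNAT/MASQUERADE."""

    def __init__(self, masquerade: bool = False):
        self.masquerade = masquerade    # section Five: SNAT --to-source vs MASQUERADE
        self.conntrack = {}             # reply flow (proto, src, sport, dst, dport) -> fields to restore

    def _tracked(self, p: dict) -> bool:
        """Packets of a known flow are translated from conntrack and never consult the nat rules."""
        fix = self.conntrack.get((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
        if fix is not None:
            p.update(fix)
            p["tracked"] = True
        return p.get("tracked", False)

    def prerouting(self, pkt: dict) -> dict:
        """-t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.20"""
        p = dict(pkt)
        if not self._tracked(p) and p["proto"] == "tcp" and p["dport"] == 80:
            # the web server's reply must leave with the address the requester originally used
            self.conntrack[("tcp", WEB_SERVER, 80, p["src"], p["sport"])] = {"src": p["dst"]}
            p["dst"] = WEB_SERVER
        return p

    def postrouting(self, pkt: dict) -> dict:
        """-t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.200,
        or with masquerade=True: -t nat -A POSTROUTING -o eth0 -j MASQUERADE"""
        p = dict(pkt)
        if not self._tracked(p) and p["out"] == "eth0" and \
                (self.masquerade or in_subnet(p["src"], LAN)):
            new_src = IFACE_ADDR["eth0"]  # MASQUERADE always takes the outgoing NIC's address
            self.conntrack[(p["proto"], p["dst"], p["dport"], new_src, p["sport"])] = {"dst": p["src"]}
            p["src"] = new_src
        return p

def forward(gw: NatGateway, pkt: dict) -> dict:
    """A forwarded packet passes PREROUTING, then routing, then POSTROUTING."""
    return gw.postrouting(gw.prerouting(pkt))
```

Because the page's PREROUTING rule carries no -i or -d match, the model also rewrites port-80 traffic that arrives from the LAN; restricting the rule with -i eth0 -d 10.0.0.200 confines it to the server's public address.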


[root@server ~]# lsmod | grep ip   // view the modules loaded by iptables; the module configuration file is /etc/sysconfig/iptables-config
ipt_MASQUERADE          7617  1
iptable_nat            11077  1
ip_nat                 21101  2 ipt_MASQUERADE,iptable_nat
ip_conntrack           53281  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
nfnetlink              10713  2 ip_nat,ip_conntrack
iptable_filter          7105  1
ip_tables              17029  2 iptable_nat,iptable_filter
ipt_REJECT              9665  0
ip6t_REJECT             9409  1
ip6table_filter         6849  1
ip6_tables             18053  1 ip6table_filter
...

Http://www.linux.gov.cn/netweb/iptables.htm

Reposted from: http://zhumeng8337797.blog.163.com/blog/static/1007689142010112211587735/
