A detailed approach to configuring iptables for routing functions under Linux

Source: Internet
Author: User

The company's Internet router has to provide NAT address translation, DHCP, DNS caching, traffic control and application control. NAT is done directly with iptables; DHCP requires installing dhcpd; the DNS cache uses BIND; traffic control uses tc; and application control (for example blocking QQ) is implemented with netfilter-layer7-v2.22 plus the l7-protocols-2009-05-28.tar.gz signature library.

1. Network planning

The operating system is CentOS 5.8.

2. Install DHCPD

yum install dhcp-3.0.5-31.el5
vim /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.0.1;     # the router itself runs the caching DNS set up below
    range dynamic-bootp 10.0.0.100 10.0.0.200;
    default-lease-time 21600;
    max-lease-time 43200;
}

3. Install BIND to implement DNS caching

yum install bind97.i386 bind97-libs.i386 bind97-utils.i386
vim /etc/named.conf
options {
    directory "/var/named";
    allow-recursion { 10.0.0.0/24; };    # only the LAN may recurse, so the cache is not an open resolver
    recursion yes;
    forward first;                       # forward all queries to the forwarders first
    forwarders { 114.114.114.114; };     # address of the forwarding server
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-transfer { none; };
};

Create the root hints file (default)

dig -t NS . > /var/named/named.ca
chown :named /var/named/named.ca

Create the local forward zone file (default)

vim /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
chown :named /var/named/named.localhost

Create the local reverse zone file (default)

vim /var/named/named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        PTR     localhost.
chown :named /var/named/named.loopback

Check the main configuration file

named-checkconf

Check the root hints file

named-checkzone "." /var/named/named.ca

Check the zone files

named-checkzone "localhost" /var/named/named.localhost

Start the service

service named start

4. Recompile the kernel and iptables to support application-layer filtering

Because the firewall function lives in the Netfilter kernel modules, the kernel has to be recompiled: download new kernel source, apply netfilter-layer7-v2.22 as a kernel patch and build them together. Netfilter is controlled by the iptables tool, so iptables must also be recompiled and reinstalled; finally install the application signature library l7-protocols-2009-05-28.tar.gz.

1. Patch the kernel and recompile it
2. Patch the iptables source and recompile iptables
3. Install l7-protocols

Back up the iptables init script and configuration file

cp /etc/rc.d/init.d/iptables /root/iptables.sysv
cp /etc/sysconfig/iptables-config /root/iptables-config

2.6 kernel

https://www.kernel.org/pub/linux/kernel/v2.6/

netfilter-layer7 patch

http://download.clearfoundation.com/l7-filter/

iptables source

http://www.netfilter.org/projects/iptables/downloads.html

Application signature library (l7-protocols)

http://download.clearfoundation.com/l7-filter/


xz -d linux-2.6.28.10.tar.xz
tar -xvf linux-2.6.28.10.tar -C /usr/src                # new kernel source for recompilation
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src     # kernel patch and iptables patch, supports kernels only up to 2.6.28
# enter the extracted directory and create a symlink
cd /usr/src
ln -sv linux-2.6.28.10 linux
# enter the kernel directory
cd /usr/src/linux
# patch the current kernel
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
# copy the running system's kernel config over to ease configuring the new kernel
cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config

Configure and compile the kernel

make menuconfig
Networking support -> Networking options -> Network packet filtering framework -> Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
Networking support -> Networking options -> Network packet filtering framework -> IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support

That is, under Networking support select Networking options, find Network packet filtering framework (Netfilter) -> Core Netfilter Configuration and enable Netfilter connection tracking support (NEW), "layer7" match support (NEW), "time" match support (NEW) and "iprange" match support.

Then find IP: Netfilter Configuration -> IPv4 connection tracking support and Full NAT (NEW).


make
make modules_install
make install

Reboot, select the new kernel at the boot menu and log in.

Uninstall the old iptables

rpm -e iptables-1.3.5-9.1.el5 iptables-ipv6-1.3.5-9.1.el5 iptstate-1.4-2.el5 --nodeps

Install the new iptables so it supports the new Netfilter module

tar -jxvf iptables-1.4.6.tar.bz2 -C /usr/src
cd /usr/src/netfilter-layer7-v2.22
cd iptables-1.4.3forward-for-kernel-2.6.20forward
cp * /usr/src/iptables-1.4.6/extensions/
cd /usr/src/iptables-1.4.6/
./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install

View the installed iptables files

ls /usr/sbin | grep iptables
ls /usr/libexec/xtables

Copy back the configuration file and init script backed up earlier

cp /root/iptables-config /etc/sysconfig/
cp /root/iptables.sysv /etc/rc.d/init.d/iptables

Change the iptables path in the init script (the new binary lives in /usr/sbin)

vim /etc/rc.d/init.d/iptables
:.,$s@/sbin/iptables@/usr/sbin/iptables@g

Make the iptables service start at boot

chkconfig --add iptables

Modify the iptables configuration file

In /etc/sysconfig/iptables-config, comment out the line IPTABLES_MODULES="ip_conntrack_netbios_ns" (the old ip_conntrack_* module names do not exist in the new kernel, so loading it would fail).

Install the protocol signatures

tar xvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28      # top-level directory of the tarball
make install

When this completes the files are generated under /etc/l7-protocols; the supported protocols are the pattern files in /etc/l7-protocols/protocols.

Add the iptables policy: let the internal network reach the Internet, block QQ and video

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.6.67
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto httpvideo -j DROP
iptables -A FORWARD -m layer7 --l7proto httpaudio -j DROP

No Internet access from 8:00 to 12:00

# the time match compares against UTC by default, so set the window accordingly
iptables -A FORWARD -m time --timestart 08:00 --timestop 12:00 -j DROP
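The layer7 rules above only load if a pattern file exists for each --l7proto name, and a rule that fails in a startup script leaves that protocol unfiltered. The added example below (not part of the original post) checks the names against a pattern directory before emitting the rules; the directory and the empty .pat files it creates are a constructed stand-in for /etc/l7-protocols/protocols.

```sh
#!/bin/sh
# Added example (not from the original post): emit the layer7 FORWARD rules
# only for protocol names that have a pattern file under the l7-protocols
# tree, because iptables rejects an --l7proto name with no matching .pat file
# and a failed rule in a startup script leaves that protocol unfiltered.
# l7_policy PATDIR PROTO...: print one DROP rule per known protocol, report
# unknown names on stderr, return the count of unknown names.
l7_policy() {
    patdir=$1
    shift
    missing=0
    for proto in "$@"; do
        if [ -f "$patdir/$proto.pat" ]; then
            printf 'iptables -A FORWARD -m layer7 --l7proto %s -j DROP\n' "$proto"
        else
            printf 'skip: no pattern file %s/%s.pat\n' "$patdir" "$proto" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed stand-in for /etc/l7-protocols/protocols: empty .pat files are
# enough for the existence check (the real files hold the protocol regexes).
demo_dir=$(mktemp -d)
for p in qq httpvideo httpaudio; do
    : > "$demo_dir/$p.pat"
done
# "bittorent" (misspelt on purpose) is reported instead of becoming a broken rule.
l7_policy "$demo_dir" qq httpvideo httpaudio bittorent || echo "unknown protocol names: $?"
rm -rf "$demo_dir"
```

Point PATDIR at /etc/l7-protocols/protocols on the router and pipe the output to sh once the list is clean.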

5. Using tc to control bandwidth

For example, the company's uplink is 10Mbps; user A is allowed at most 500KB/s of download bandwidth and user B at most 200KB/s.
User A: 10.0.0.100
User B: 10.0.0.101

# create a root qdisc on eth0 using the HTB algorithm; "default 2" names the class that
# traffic falls into when none of the filters below matches its IP
tc qdisc add dev eth0 root handle 1:0 htb default 2
# define a class on eth0: "parent 1:0" refers to the root qdisc handle 1:0, "classid 1:2" is this
# class's own id and is referenced by the filters below; rate 200kbps is 200 kilobytes/s (in tc,
# kbps is kilobytes and kbit is kilobits), ceil 200kbps caps the maximum at the same 200KB/s,
# prio 2 is the priority
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 200kbps ceil 200kbps prio 2
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 500kbps ceil 500kbps prio 2
# replace the default pfifo queue of both classes with sfq
tc qdisc add dev eth0 parent 1:2 sfq
tc qdisc add dev eth0 parent 1:3 sfq
# on node 1:0 of eth0 (the root qdisc handle) add a u32 filter with priority 1: every packet whose
# destination address is 10.0.0.100 goes to class 1:2 (the classid 1:2 defined above)
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.100 flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.101 flowid 1:3

If there are further users, say C and D with IPs 10.0.0.102 and 10.0.0.103 who also need 500KB/s of download bandwidth, add them to the 500KB/s class:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.102 flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.103 flowid 1:3
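Once more than a handful of hosts are shaped, it is easier to keep one table of host caps and generate the tc commands from it. The added example below (not from the original post) does that for the four hosts above: hosts with the same cap share one class, numbered by ascending rate so the 200kbps class is 1:2 and the 500kbps class 1:3 as on the page; unlike the page it gives unlisted hosts their own default class 1:1 with a cap passed as an argument. The host table and the 100kbps default are constructed values.

```sh
#!/bin/sh
# Added example (not from the original post): build the HTB class and u32
# filter commands from one table of "ip  download_cap_kbps" entries, so hosts
# C, D, ... are added by extending the table instead of retyping tc lines.
# Hosts that share a cap share one class; classes are numbered by ascending
# rate, so 200kbps becomes 1:2 and 500kbps 1:3 as in the page's rules.
# Constructed table for the page's four hosts (tc's kbps = kilobytes/s).
HOSTS='10.0.0.100 500
10.0.0.101 200
10.0.0.102 500
10.0.0.103 500'

# tc_plan DEV DEFAULT_KBPS: print the tc commands for DEV; nothing is executed,
# so the plan can be reviewed (or piped to sh) before touching the router.
tc_plan() {
    dev=$1
    def=$2
    # root qdisc; hosts not in the table land in class 1:1, capped at DEFAULT_KBPS
    printf 'tc qdisc add dev %s root handle 1:0 htb default 1\n' "$dev"
    printf 'tc class add dev %s parent 1:0 classid 1:1 htb rate %skbps ceil %skbps prio 2\n' \
        "$dev" "$def" "$def"
    n=1
    # one class (with an sfq leaf qdisc) per distinct cap, then one filter per host
    for rate in $(printf '%s\n' "$HOSTS" | awk '{ print $2 }' | sort -nu); do
        n=$((n + 1))
        printf 'tc class add dev %s parent 1:0 classid 1:%s htb rate %skbps ceil %skbps prio 2\n' \
            "$dev" "$n" "$rate" "$rate"
        printf 'tc qdisc add dev %s parent 1:%s sfq\n' "$dev" "$n"
        printf '%s\n' "$HOSTS" | awk -v r="$rate" '$2 == r { print $1 }' |
        while read -r ip; do
            printf 'tc filter add dev %s parent 1:0 protocol ip prio 1 u32 match ip dst %s flowid 1:%s\n' \
                "$dev" "$ip" "$n"
        done
    done
    return 0
}

# Review the plan for the LAN interface, with a 100kbps cap for unlisted hosts.
tc_plan eth0 100
```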

Clear the rules on eth0 (deleting the root qdisc removes all classes and filters under it)

tc qdisc del dev eth0 root 2>/dev/null
