Basic use of iptables/nat

Source: Internet
Author: User
Tags: network function, types of functions
Overview

Netfilter is the flexible packet-filtering firewall and advanced-routing framework introduced in the Linux 2.4 kernel; it lives in the kernel. iptables is the user-space tool used to modify Netfilter rules. Together they let you change the kernel's filtering and routing behaviour from user space: no kernel recompile, no reboot, and each change takes effect immediately. This is one of the signature features of the 2.4 kernel and far better than the ipchains of 2.2.

As a packet filter, Netfilter can accept or drop packets according to a series of conditions, or hand them to user space for processing. As an advanced router, it can rewrite IP header fields (mainly the source/destination address and port) based on characteristics of the packet, which is how IP masquerading, port forwarding, server load balancing and so on are implemented. This article is mainly about using those features.

Another major advantage of Netfilter is its extensibility: new match and target modules can be added by writing kernel modules. It has two built-in tables (filter and nat), and new functionality can be added to both kinds. Each table contains several chains, corresponding to different processing stages; a packet may pass through several chains of several tables on its way from entry to exit. Each chain holds a list of rules that are applied one by one to the packets entering it. The details follow (if you only care about operating it, this much is enough to understand):

iptables usage

2.1 Tables and chains

First, an iptables command needs to specify a table. If none is given, the filter table is assumed. For example:
iptables -L -v

lists the rules of the INPUT/FORWARD/OUTPUT chains of the filter table. To see the PREROUTING/POSTROUTING/OUTPUT chains of the nat table, the table must be named explicitly:
iptables -t nat -L -v

2.2 chain initialization

Before starting, you may want to clear (flush) all rules on a chain and begin from scratch:
iptables -t nat -F PREROUTING
Of course, do not do this if the existing rules must not be deleted.

Each chain has a default policy. For example, the INPUT chain handles all packets newly arriving for the local machine; it is common to set its default policy to DROP and then let only specific packets through, which is safer:
iptables -P INPUT DROP

2.3 rules and INPUT chains

Of course, rules are then needed to let some packets in, for example to allow tcp access to port 23:
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
The -A parameter appends a rule to a chain. The rule itself has two parts: the match conditions and the action to take. First, the match conditions:

-p tcp: the protocol is tcp
--dport 23: the destination port is 23

Other common match conditions are -s (source IP) and -d (destination IP); see the man page for more. This configuration also uses another kind of match:
-m state --state ESTABLISHED

The -m parameter loads a non-built-in match extension, here connection state matching. ESTABLISHED matches packets belonging to a connection whose socket is already established. It is typically used like this: forbid new connections from outside to inside, but let the incoming packets of connections established from inside to outside pass.

Then the action, that is, the target:
-j ACCEPT jumps to the target ACCEPT. The other target commonly used in INPUT is DROP, which discards the packet; use it for packets you do not want.
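The INPUT chain described in sections 2.2 and 2.3, put together as one script. This is an added example, not code from the original post; the IPTABLES variable is an assumption made here so the commands can be printed (IPTABLES=echo) instead of applied, and the ACCEPT rules are added before the DROP policy is set so that an administrator configuring the box over the network is not cut off in between.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal INPUT chain built the way
# sections 2.2 and 2.3 describe. IPTABLES is an assumption of this example:
# set IPTABLES=echo to print the commands instead of applying them.

setup_input_chain() {
    ipt="${IPTABLES:-iptables}"

    # 2.2: clear any existing INPUT rules so the result is predictable
    "$ipt" -F INPUT

    # 2.3: allow reply packets for connections this host opened itself
    "$ipt" -A INPUT -m state --state ESTABLISHED -j ACCEPT

    # 2.3: allow new connections only to the service we expose, telnet on tcp/23
    "$ipt" -A INPUT -p tcp --dport 23 -j ACCEPT

    # 2.2: deny everything else by default. Setting the policy after the ACCEPT
    # rules avoids a window in which an existing remote admin session is dropped.
    "$ipt" -P INPUT DROP
}

# Dry-run helper: how many ACCEPT rules the function would add.
count_accept_rules() {
    ( IPTABLES=echo; setup_input_chain ) | grep -c -- '-j ACCEPT'
}

# Apply for real only when invoked as "sh input-chain.sh apply" (needs root).
if [ "${1:-}" = apply ]; then
    setup_input_chain
fi
```

Run it with IPTABLES=echo first and read the printed commands; only then run it with the apply argument as root. Rule order matters: the ESTABLISHED rule is placed first because it matches the bulk of the traffic, and the policy is the last thing set.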

2.4 DNAT/port forwarding

NAT means network address translation: modifying the source or destination address/port of a packet as it is routed, to accomplish some advanced routing functions. For example, packets leaving the 192.168.1.1/24 network carry a source address that is not a valid public IP and must be rewritten; this is called SNAT. Usually the gateway's egress address is used as the replacement, and that special case is called IP masquerading (MASQUERADE). In the other case, packets sent to one computer are redirected to another computer/port. This is usually called port forwarding, or DNAT, where D stands for destination.

DNAT is generally done after the packet has entered and before the routing decision, so it happens in the PREROUTING chain:
iptables -t nat -A PREROUTING -p tcp --dport 23 -d dnat.server.ip.addr -j DNAT --to bupt.org.ip.addr:23
With this, a telnet connection to the public-facing host has its destination address changed to our server.

2.5 SNAT/IP masquerading

I thought that would be enough, but it turned out not to work well. After studying it, I think the specific reason is this: the source address of the packet that reaches the real server is still the visitor's address, so the real server's reply does not pass back through our DNAT server. From the visitor's point of view, the source address of that reply is not the destination it asked for, so naturally no TCP connection can be established.

So after scratching my head for half an hour I decided to add SNAT as well, again on the server in the middle:
iptables -t nat -A POSTROUTING -p tcp --dport 23 -d bupt.server.ip.addr -o eth0 -j MASQUERADE
Note the following two points:

The destination address matched here must be the final address and port, because DNAT has already changed the address by the time the packet reaches POSTROUTING.

You must specify the outbound interface (-o interface) for IP masquerading; otherwise who knows what the masqueraded address will be, 127.0.0.1 for example.

2.6 Allow packet forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

If IP packet forwarding is not enabled, all the configuration above is useless: the packets will simply not be routed.

2.7 Deleting a rule

iptables -D INPUT ...
Everything after -D is exactly the same as for iptables -A; the arguments must match the existing rule character for character for it to be deleted.


Making the configuration permanent

If nothing is done about it, the iptables configuration is lost on every reboot, so it should be made persistent.

On Red Hat an iptables service is already provided:
service iptables save
That should be about it, but here is a universal method for the brothers:

1. Create a script under /etc/init.d/ and give it execute permission.

2. Put the things given above into the script:

   Enable ip_forward with the echo.

   Add three rules to INPUT (telnet, www and the state match).

   Add two rules to PREROUTING (telnet, www).

   POSTROUTING also gets two.

3. In /etc/rc[2-5].d/ add a symbolic link to the script, for example S20buptnat.sh -> ../init.d/buptnat.sh (S20 should be fine; in theory the network is already up by then, having gone through rcS.d's S40, which is similar to Debian).

Summary

This has become a long post, and it is all about command usage; it is hard to get it really thorough, so I just hope it is of some reference value to everyone :)
