Brief Introduction to iptables Firewall

Generally, LINUX Firewall (iptalbes) uses nat tables (PREROUTING, OUTPUT, and POSTROUTING) and filter tables (FORWARD, INPUT, and OUTPUT ). We can correctly configure the firewall only when we know the data flow. A relatively intuitive graph is used to explain the data trend.

(Here, we will only describe the most basic iptables data stream trend .)
It's your home, and the blue circle is your yard. There are two doors (①), and there are two rooms in your house, eth0 and eth1 respectively, each room has two doors for access ② ③ ④ ⑤. Next to the home of Zhang San and Li Si, the travel between Zhang San and Li Si must pass through your yard.
Assume that the IP address of the eth0 Nic is 192.168.5.1 and the IP address of the eth1 Nic is 218.100.100.111.
Let us assume that "Three Zhangjia" is a LAN, and "four li" is an Internet connection. PREROUTING is used in the yard of my house, FORWARD is used in the yard of my house, INPUT is used in the portal of my house, and OUTPUT is used in the portal of my house. (When our operation is for the server itself, such as the SSH operation, PREROUTING, INPUT, and OUTPUT will certainly be used at this time, PREROUTING and FORWARD are used when data is only accessed by the server .)
It is assumed that the six doors are closed by default. Generate the following code.
######################################## ###################################
* Nat
################################
: Prerouting drop [0: 0]
: Output drop [0: 0]
: Postrouting drop [0: 0]
################################
-F
-Z
-X
### Add statements in the future.
-L-v
COMMIT
######################################## ########
* Filter
##############################
: Input drop [0: 0]
: Forward drop [0: 0]
: Output drop [0: 0]
##############################
-F
-Z
-X
### Add statements in the future.
-L-v
COMMIT
######################################## ##################################
1. LAN users access the Internet through server sharing
(That is, from three Zhang to four Li)
1) first enter gate ① and then exit gate 6th.
-A prerouting-p tcp -- dport 80-j ACCEPT # Allow TCP port 80 to pass through the server
-A forward-p tcp -- dport 80-j ACCEPT # Allow TCP80 port forwarding
-A forward-p tcp -- sport 80-j ACCEPT # Allow the recipient to receive information reversed by the TCP80 Port
2) because we are playing a domain name on the Internet, there is a public network DNS server serving us. Of course, we must also allow data forwarding between Intranet machines and DNS servers. DNS uses UDP 53 or TCP 53 ports. You can use either of them.
-A prerouting-p udp -- dport 53-j ACCEPT
-A forward-p udp -- dport 53-j ACCEPT
-A forward-p udp -- sport 53-j ACCEPT
3) once again, because the LAN address is not allowed on the Internet, the address should be converted into a server address for disguise before going out of the Internet.
-A postrouting-s 192.168.5.0/24-j SNAT-to 218.100.100.111
2. Allow LAN and public network access to the server's SSH
Assume that SSH uses the default port TCP 22. This requirement is equivalent to entering the TCP gate 22 of my house. Therefore, we should first enter the courtyard of my house, then enter the door of my house, and finally exit the door of my house. This operation is an operation on the server itself.
-A prerouting-p tcp -- dport 22-j ACCEPT
-A input-p tcp -- dport 22-j ACCEPT
-A output-p tcp -- sport 22-j ACCEPT
3. Allow Intranet machines to log on to MSN and QQ.
(MSN and QQ are not allowed to log on by default) QQ can generally log on from TCP 80, 8000, 443, UDP 8000, 4000, while MSN can log on from TCP 1863, 443. The process of logging on to MSN and QQ is like accessing the Internet. It is also a designated port for accessing the remote server. Therefore, we only need to use data forwarding.
-A prerouting-p tcp -- dport 1863-j ACCEPT
-A prerouting-p tcp -- dport 443-j ACCEPT
-A prerouting-p tcp -- dport 8000-j ACCEPT
-A prerouting-p udp -- dport 8000-j ACCEPT
-A prerouting-p udp -- dport 4000-j ACCEPT
-A forward-p tcp -- dport 1863-j ACCEPT
-A forward-p tcp -- sport 1863-j ACCEPT
-A forward-p tcp -- dport 443-j ACCEPT
-A forward-p tcp -- sport 443-j ACCEPT
-A forward-p tcp -- dport 8000-j ACCEPT
-A forward-p tcp -- sport 8000-j ACCEPT
-A forward-p udp -- dport 8000-j ACCEPT
-A forward-p udp -- sport 8000-j ACCEPT
-A forward-p udp -- dport 4000-j ACCEPT
-A forward-p udp -- sport 4000-j ACCEPT
4. Enable Intranet machines to send and receive emails.
Receiving mail is the TCP port 110 accessing the remote server, and sending mail is the access to the TCP25 port. Use data forwarding.
-A prerouting-p tcp -- dport 110-j ACCEPT
-A prerouting-p tcp -- dport 25-j ACCEPT
-A forward-p tcp -- dport 110-j ACCEPT
-A forward-p tcp -- sport 110-j ACCEPT
-A forward-p tcp -- dport 25-j ACCEPT
-A forward-p tcp -- sport 25-j ACCEPT
5. The internal machine releases the WEB.
To publish the WEB of the Intranet host 192.168.5.179, it is equivalent to accessing the Intranet from the Internet. It is the same as the LAN shared Internet access in step 1, but the access direction has changed. Instead of accessing the Internet from the Intranet, you can access the Intranet from the Internet.
When the public network access server 218.100.100.111, the firewall maps it to the TCP80 of 192.168.5.179 on the Intranet. When an intranet machine accesses the server 218.100.100.111, the firewall maps it to the TCP80 of 192.168.5.179 on the Intranet.
-A prerouting-I eth0-p tcp-d 218.100.100.111 -- dport 80-j DNAT -- to-destination 192.168.5.179: 80
-A prerouting-I eth1-p tcp-d 218.100.100.111-dport 80-j DNAT-to-destination 192.168.5.179: 80
(The preceding two sentences must be written before-a prerouting-p tcp -- dport 80-j ACCEPT .)
The forwarding of TCP port 80 has been done in step 1, so you do not need to repeat it here. In addition
-A postrouting-s 192.168.5.0/24-j SNAT-to 218.100.100.111:
-A postrouting-p tcp -- dport 80-j ACCEPT
I understand why I want to add this sentence,
Public Network Access http: // 218.100.100.111: (assume that the public network user's IP address is 199.199.199.199, and port 12345 is randomly generated .)
Data source: ip: 199.199.199.199 sport: 12345
Data target: ip Address: 218.100.100.111 dport 80
In this case, call-a prerouting-I eth0-p tcp-d 218.100.100.111 -- dport 80-j DNAT -- to-destination 192.168.5.179: 80 to tell 199.199.199.199, the actual address you want to access should be 192.168.5.179: 80, and then we disguise it as 192.168.5.179: 80 through-a postrouting-p tcp -- dport 80-j ACCEPT Destination Address 218.100.100.111: 80.
Data source: ip: 199.199.199.199 sport: 12345
Data target: ip: 192.168.5.179 dport 80
 
When 192.168.5.179 returns data:
Data source: ip: 192.168.5.179 sport: 80
Data target: ip: 199.199.199.199 dport 12345
After the data passes through-a postrouting-s 192.168.5.0/24-j SNAT-to 218.100.100.111,
Data source: ip: 218.100.100.111 sport: 80
Data target: ip: 199.199.199.199 dport 12345
 
6. Complete iptables configuration
######################################## ###################################
* Nat
################################
: Prerouting drop [0: 0]
: Output drop [0: 0]
: Postrouting drop [0: 0]
################################
-F
-Z
-X
-A prerouting-I eth0-p tcp-d 218.100.100.111 -- dport 80-j DNAT -- to-destination 192.168.5.179: 80
-A prerouting-I eth1-p tcp-d 218.100.100.111 -- dport 80-j DNAT-to-destination 192.168.5.179: 80
-A prerouting-p tcp -- dport 80-j ACCEPT
-A prerouting-p udp -- dport 53-j ACCEPT
-A prerouting-p tcp -- dport 22-j ACCEPT
-A prerouting-p tcp -- dport 1863-j ACCEPT
-A prerouting-p tcp -- dport 443-j ACCEPT
-A prerouting-p tcp -- dport 8000-j ACCEPT
-A prerouting-p udp -- dport 8000-j ACCEPT
-A prerouting-p udp -- dport 4000-j ACCEPT
-A prerouting-p tcp -- dport 110-j ACCEPT
-A prerouting-p tcp -- dport 25-j ACCEPT
-A postrouting-s 192.168.5.0/24-j SNAT-to 218.100.100.111
-A postrouting-p tcp -- dport 80-j ACCEPT
-L-v
COMMIT
######################################## ########
* Filter
##############################
: Input drop [0: 0]
: Forward drop [0: 0]
: Output drop [0: 0]
##############################
-F
-Z
-X
-A input-p tcp -- dport 22-j ACCEPT
-A output-p tcp -- sport 22-j ACCEPT
-A forward-p tcp -- dport 80-j ACCEPT
-A forward-p tcp -- sport 80-j ACCEPT
-A forward-p udp -- dport 53-j ACCEPT
-A forward-p udp -- sport 53-j ACCEPT
-A forward-p tcp -- dport 1863-j ACCEPT
-A forward-p tcp -- sport 1863-j ACCEPT
-A forward-p tcp -- dport 443-j ACCEPT
-A forward-p tcp -- sport 443-j ACCEPT
-A forward-p tcp -- dport 8000-j ACCEPT
-A forward-p tcp -- sport 8000-j ACCEPT
-A forward-p udp -- dport 8000-j ACCEPT
-A forward-p udp -- sport 8000-j ACCEPT
-A forward-p udp -- dport 4000-j ACCEPT
-A forward-p udp -- sport 4000-j ACCEPT
-A forward-p tcp -- dport 110-j ACCEPT
-A forward-p tcp -- sport 110-j ACCEPT
-A forward-p tcp -- dport 25-j ACCEPT
-A forward-p tcp -- sport 25-j ACCEPT
-L-v
COMMIT
######################################## ##################################
7. Other Precautions
1) You must enable the IP forwarding function before using the iptables firewall.
# Echo "1">/proc/sys/net/ipv4/ip_forward
2) The above content (the content generated in step 1) is saved to the/etc/sysconfig/iptables file.
3) Restart iptalbes every time you modify the iptables file.
# Service iptables restart