Build a firewall instance using Linux + Iptables (1)

Source: Internet
Author: User

Preface
Using Linux + iptables as a firewall gives high flexibility and stability (my firewall has not been restarted once since it was built), but installing and configuring it is troublesome and error-prone. This article uses the firewall I built for our company as an example to give you a general understanding of how a Linux + iptables firewall is installed and configured, in the hope that it serves as a starting point for others.
System Environment and Network Planning
First, let's look at the company's environment. The company connects to the Internet over a 2M ADSL leased line. China Telecom has allocated the public address block 218.4.62.12/29, with 218.4.62.13 as the gateway. The company has more than 50 computers, which obtain addresses in 192.168.2.xxx by DHCP; the DHCP server runs on the iptables server. The company also has a computer training center whose PCs use fixed addresses in 192.168.20.xxx. To speed up web browsing there is a Squid server, and all computers browse the web through it. The company also has a combined web, mail and FTP server at 218.4.62.18. All of these computers and servers must sit behind the firewall. The plan is as follows:
The iptables server has three NICs. eth0 carries two IP addresses, 218.4.62.14 and 218.4.62.18: 218.4.62.14 is used for shared Internet access and 218.4.62.18 is dedicated to the web server. The IP address of eth1 is 192.168.2.9. So that the training-center PCs and the company PCs cannot reach each other, the training-center server is connected directly to Switch-B, while eth2 is connected to Switch-A, to which the training-center PCs, the Squid server and the web server are attached.
Once the network is planned, the server is installed. The iptables server runs Red Hat Linux 7.3; when installing it, make sure the firewall (iptables) package is selected.
IPTABLES Basics

iptables syntax:

    iptables [-t TABLE] ACTION [PATTERN] [-j TARGET]

TABLE:
The available tables are filter, nat and mangle. If no table is specified, the filter table is used.

ACTION (command):

  Action      Description
  -L Chain    List all rules in the Chain
  -A Chain    Append a rule to the Chain
  -D Chain    Delete a rule from the Chain
  -I Chain    Insert a rule into the Chain
  -R Chain    Replace a rule in the Chain
  -P Chain    Set the default policy of the Chain
  -F Chain    Flush all rules from the Chain
  -N Chain    Create a user-defined Chain
  -X          Delete all user-defined chains

CHAINS:
iptables has five built-in chains (rule chains), traversed at the points shown in the following table:

  Chain        When it is traversed
  PREROUTING   After the packet enters the local machine, before it reaches the routing table
  INPUT        After the routing table, for packets addressed to the local machine
  OUTPUT       For packets generated by the local machine, before they enter the routing table
  FORWARD      After the routing table, when the destination is not the local machine
  POSTROUTING  After the routing table, before the packet is handed to the network adapter

PATTERN (match conditions):

  Parameter      Description
  -p Protocol    Protocol, such as tcp, udp, icmp or all
  -s Address     Source address is Address
  -d Address     Destination address is Address
  -i Interface   NIC on which the packet arrives
  -o Interface   NIC on which the packet leaves
  -m Match       Extended match modules, such as mac, state, multiport, etc.

TARGET (common actions):

  Target       Description
  ACCEPT       Accept the packet
  DROP         Drop the packet
  RETURN       Return to the calling chain without further matching
  QUEUE        Pass the packet to a user-space application for processing
  SNAT         nat table only: translate the source address
  DNAT         nat table only: translate the destination address
  MASQUERADE   nat table only: translate the source address to that of the outgoing NIC
  REDIRECT     nat table only: redirect the packet to a port on the local machine
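To tie the syntax tables above to the network plan from the earlier section, here is an added example (written for this page; it is not the article's own configuration) that generates the rule set implied by that topology: default DROP policies, stateful INPUT and FORWARD rules, isolation of the training-center segment from the company LAN, SNAT of both segments to 218.4.62.14, and DNAT of 218.4.62.18 to the internal web/mail host. The internal address of the web server (192.168.20.5), the Squid server's address (192.168.20.10) and port (3128), and the SSH rule are assumptions, since the page gives none of them. FTP is deliberately left out: it needs the ip_conntrack_ftp helper on top of these rules. IPT defaults to "echo iptables", so the script only prints the commands it would run; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not the article's own configuration. Dry-run by default:
# IPT expands to "echo iptables", so the commands are printed, not executed.
# Run as  IPT=iptables sh firewall.sh  (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

WAN_IF=eth0;   WAN_IP=218.4.62.14;   WEB_IP=218.4.62.18
LAN_IF=eth1;   LAN_NET=192.168.2.0/24
TRAIN_IF=eth2; TRAIN_NET=192.168.20.0/24
WEB_INT=192.168.20.5      # assumed internal address of the web/mail server
SQUID_IP=192.168.20.10    # assumed address of the Squid server
SQUID_PORT=3128           # Squid's default port (assumed unchanged)

# Flush every table, delete user-defined chains (-X) and set default policies (-P).
reset_firewall() {
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Traffic addressed to the firewall host itself: INPUT chain, filter table.
host_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the host opened, via the state match (-m state).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP clients on the company LAN talk to UDP port 67 on this host.
    $IPT -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
    # Administration over SSH from the company LAN only (assumption).
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
}

# Traffic routed between the segments: FORWARD chain, filter table.
forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Company PCs may reach the Squid server on eth2 but nothing else there;
    # the training-center segment may not reach the company LAN at all.
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $TRAIN_IF -d $SQUID_IP -p tcp --dport $SQUID_PORT -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $TRAIN_IF -j DROP
    $IPT -A FORWARD -i $TRAIN_IF -o $LAN_IF -j DROP
    # Both segments may go out to the Internet (-i/-o select the NICs).
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
    $IPT -A FORWARD -i $TRAIN_IF -s $TRAIN_NET -o $WAN_IF -j ACCEPT
    # Inbound connections to the published server, seen here after DNAT.
    $IPT -A FORWARD -i $WAN_IF -o $TRAIN_IF -d $WEB_INT -p tcp -m multiport --dports 25,80,110,443 -j ACCEPT
}

# Address translation: nat table, PREROUTING (DNAT) and POSTROUTING (SNAT).
nat_rules() {
    # Connections the web/mail server opens itself leave as 218.4.62.18,
    # so outgoing mail originates from the published address.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $WEB_INT -j SNAT --to-source $WEB_IP
    # Shared Internet access: everything else leaves as 218.4.62.14.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $TRAIN_NET -j SNAT --to-source $WAN_IP
    # Publish the web/mail server: 218.4.62.18 on eth0 is forwarded to the internal host.
    $IPT -t nat -A PREROUTING -i $WAN_IF -d $WEB_IP -p tcp -m multiport --dports 25,80,110,443 -j DNAT --to-destination $WEB_INT
}

# Order matters: -A appends, so the ESTABLISHED rule and the Squid exception
# are placed before the DROP rules they must take precedence over.
apply_all() {
    reset_firewall
    host_rules
    forward_rules
    nat_rules
    # Forwarding between NICs must also be switched on in the kernel.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_all
```

Run it once without IPT set and read the printed commands against the tables above before applying: each line is a table selection (-t), a chain action (-A/-P), match conditions (-i, -o, -s, -d, -p, -m) and a target (-j). Because NAT rules are consulted only for the first packet of a connection, replies to the DNAT'd web traffic are translated back to 218.4.62.18 automatically and are not caught by the SNAT rules.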