Configure the iptables firewall in RHEL5.7 (Part 2)


In the previous article I covered using the iptables firewall on a single host. Now I want to learn how to use iptables as a gateway firewall. In this role the firewall protects not just one host but the whole network behind it, and it also acts as the gateway, so its responsibility is greater and the requirements are correspondingly higher.

NAT Function of the Linux Firewall

I will not explain NAT (address translation) itself here. It is usually implemented on a router, but a Linux host can implement it as well. The iptables firewall has three built-in tables: filter, nat, and mangle. The nat table provides address translation and contains three chains: PREROUTING, OUTPUT, and POSTROUTING. The rules in this table specify how packet addresses are rewritten.

1. SNAT

Source NAT rules are defined in the POSTROUTING chain and are processed after routing is complete. The "-j SNAT" target rewrites the source address of the matched packet. To rewrite the source IP address of packets leaving the intranet 10.10.1.0/24 to the fixed public IP address 218.75.26.35 of the Internet interface eth0, add a rule to the POSTROUTING chain with the following iptables command:

iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o eth0 -j SNAT --to-source 218.75.26.35

In the preceding command, "-t nat" selects the nat table, "-A POSTROUTING" appends the rule to the POSTROUTING chain, and "--to-source 218.75.26.35" rewrites the packet's source IP address to 218.75.26.35. The "-s" option requires the source IP address of the matched packet to belong to the 10.10.1.0/24 subnet, and "-o eth0" restricts source NAT to packets leaving through the eth0 interface. The translated public IP address is the public IP address of eth0.


Besides the public address of eth0 you can also use other addresses, such as 218.75.26.34. Create a sub-interface of eth0 and assign it the IP address 218.75.26.34 with the following command:

ifconfig eth0:1 218.75.26.34 netmask 255.255.255.240

The preceding command gives the eth0 interface two public IP addresses. You can also use a range of IP addresses as the translated public addresses; in that case create one sub-interface per public IP address, and give the "--to-source" option a range of the form "a.b.c.x-a.b.c.y".

The previous section covers a fixed public IP address. If the public IP address is obtained dynamically from the ISP through ADSL dial-up, the address differs on every dial-up, and the network interface only exists after the connection is established, so the "--to-source" option in the preceding command cannot be used. For this case iptables provides another form of source NAT called IP masquerading, implemented with the "-j MASQUERADE" target. The command is as follows.

iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o ppp0 -j MASQUERADE

In the preceding command, MASQUERADE means masquerading. ppp0 is the virtual interface created after a successful dial-up, and its IP address is the public address obtained from the ISP. "-j MASQUERADE" rewrites the source IP address of the packet to whatever IP address the ppp0 interface currently has.

2. DNAT

Destination NAT changes the destination IP address of a packet. When a packet from the Internet arrives at the public IP address of the NAT server's network interface, the NAT server rewrites its destination address to the appropriate intranet IP address and then routes it to the intranet computer. In this way servers with intranet IP addresses can also provide network services to computers on the Internet. If you know hardware firewalls, you will know the DMZ area, where internal and external servers are mapped to each other; the iptables firewall can implement the same function. "-j DNAT" selects the DNAT target, which modifies the destination IP address of the packet, and its sub-option "--to 10.10.2.3" sets the new destination to 10.10.2.3. After the destination is modified, the routing module routes the packet to the 10.10.2.3 server. Suppose a computer with the IP address 10.10.2.3 needs to provide network services to the Internet: you assign a public IP address, establish a mapping between it and 10.10.2.3, and add the rule to the PREROUTING chain. If the public IP address is 218.75.26.34, the destination NAT command is as follows:

iptables -t nat -A PREROUTING -i eth0 -d 218.75.26.34/32 -j DNAT --to 10.10.2.3

The preceding rule is added to the PREROUTING chain, which sits in front of the routing module, so the destination IP address is changed before routing and therefore affects the routing decision. Because the network interface eth0 is connected to the Internet, "-i eth0" ensures the packets come from the Internet. "-d 218.75.26.34/32" matches packets addressed to the host 218.75.26.34; this IP address should belong to a sub-interface of eth0 so that the NAT server actually receives the packets. Otherwise the packets are never received by the NAT server and are discarded.

The above maps a public IP address entirely onto one intranet IP address. In that case the host 10.10.2.3 is effectively on the Internet directly, and there is no difference from using the 218.75.26.34 address itself. So although this achieves address translation, it brings little benefit, because the main purpose of NAT is to share public IP addresses and conserve the increasingly scarce address space. To share addresses you can use port mapping, which maps a port of a public IP address to a port of an intranet IP address. It is very flexible: the two mapped ports may have different port numbers, and different ports of the same public IP can be mapped to different intranet IP addresses. For example, the host 10.10.2.3 only provides web services to the Internet, so only port 80 needs to be opened, while the host 10.10.2.9 provides FTP services to the Internet, so port 21 needs to be opened. In this case ports 80 and 21 of the public IP address 218.75.26.34 can be mapped to port 80 of 10.10.2.3 and port 21 of 10.10.2.9 respectively, so that the two intranet servers share one public IP address. The commands are as follows.

iptables -t nat -A PREROUTING -i eth0 -d 218.75.26.34/32 -p tcp --dport 80 -j DNAT --to 10.10.2.3:80

iptables -t nat -A PREROUTING -i eth0 -d 218.75.26.34/32 -p tcp --dport 21 -j DNAT --to 10.10.2.9:21

In the preceding commands, TCP packets addressed to 218.75.26.34 are forwarded to port 80 of host 10.10.2.3 when the destination port is 80, and to port 21 of host 10.10.2.9 when the destination port is 21. Of course, the two mapped ports can be entirely different. For example, if a host 10.10.2.8 also provides web services on port 80 and the mapped public address is again 218.75.26.34, you need to map another port of 218.75.26.34, such as 8080, to port 80 of 10.10.2.8. The command is as follows:

iptables -t nat -A PREROUTING -i eth0 -d 218.75.26.34/32 -p tcp --dport 8080 -j DNAT --to 10.10.2.8:80

Note: The above only describes the DNAT configuration in iptables. In a real deployment some other configuration must work together with it for the setup to actually succeed. For example, the three chains of the filter table must allow the corresponding packets through, and a sub-interface of eth0 must be created for each Internet IP address.

In addition, for the FTP service, port 21 is only used for the control connection; data transfers use other ports. In passive mode the port on the FTP server that the client connects to is random, so no fixed port can be opened to satisfy it. To solve this, load the following two modules on Linux: "modprobe ip_conntrack_ftp" and "modprobe ip_nat_ftp". The two modules monitor the FTP control stream, learn in advance which port the upcoming FTP data connection will use, and let the corresponding packets pass even though the firewall does not open that port.

Lab Case

RHEL-A is a server on the enterprise intranet, RHEL-B is a host on the Internet, RHEL-C is the enterprise egress gateway, and Router represents the carrier's router. Private addresses are used inside the enterprise, so NAT translation is required at the gateway for Internet access. The eth0 interface of RHEL-C has only one public IP address. Requirements: RHEL-A must be able to reach RHEL-B on the Internet, and entering the public IP of RHEL-C in a browser on RHEL-B must reach port 80 of RHEL-A directly (provided the HTTP service on RHEL-A is enabled).

First, enable routing on RHEL-C:

echo 1 > /proc/sys/net/ipv4/ip_forward

1. SNAT on RHEL-C for source address translation

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 198.2.3.2

2. Configure the default route on RHEL-C

route add -net 0.0.0.0 netmask 0.0.0.0 gw 198.2.3.1

3. Configure the default route on RHEL-B

route add -net 0.0.0.0 netmask 0.0.0.0 gw 203.2.3.1

View the nat rule table on RHEL-C:

At this point, if there is no other problem, RHEL-A can ping the Internet and RHEL-B. Now start the vsftpd service on RHEL-B and access it from RHEL-A.

Access works normally. View the connections on RHEL-B:

netstat -na | more

We can find the following record:

RHEL-A reaches port 21 of RHEL-B through the public IP 198.2.3.2 of the gateway RHEL-C. The SNAT configuration is successful!

4. DNAT on RHEL-C: map port 80 of RHEL-A to the outside

iptables -t nat -A PREROUTING -i eth1 -d 198.2.3.2/32 -p tcp --dport 80 -j DNAT --to 192.168.10.1:80

Now open http://198.2.3.2 in the Firefox browser on RHEL-B. If the RHEL-A web page is displayed, the internal server has been mapped to the Internet and the DNAT configuration is successful!
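As an added example (not part of the original article), the following script ties the lab's gateway steps together and also covers the SNAT and DNAT port-mapping rules from the earlier sections, adding the FORWARD rules and FTP helper modules that the note above says a working deployment needs. It assumes eth1 is the Internet side and eth0 the LAN side of RHEL-C; the function names and the IPT dry-run variable are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the lab gateway setup
# (SNAT for the LAN, DNAT for the published web server) together with the
# filter-table rules and FTP helper modules the article's note says are needed.
# Assumed interface roles on RHEL-C: eth1 = Internet side, eth0 = LAN side.
set -eu

IPT=${IPT:-iptables}          # point at a shell function to dry-run the rules
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.10.0/24}
PUBLIC_IP=${PUBLIC_IP:-198.2.3.2}

# Source NAT: rewrite the LAN source address to the single public IP on the way out.
snat_rule() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Publish one TCP port of an internal host. The PREROUTING DNAT rewrites the
# destination before routing; the FORWARD rule lets the rewritten packet through,
# which a DNAT rule alone does not do when FORWARD defaults to DROP.
# Usage: publish_tcp <public_port> <internal_ip> <internal_port>
publish_tcp() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP/32" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$2" -p tcp --dport "$3" \
        -m state --state NEW -j ACCEPT
}

# Least-privilege forwarding: only LAN-initiated traffic, replies to tracked
# connections, and explicitly published ports may cross the gateway.
base_forward_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

apply_gateway() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # FTP helpers (RHEL5 module names from the article): track the control channel
    # so passive-mode data connections are accepted as RELATED.
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    $IPT -t nat -F
    $IPT -F FORWARD
    base_forward_policy
    snat_rule
    publish_tcp 80 192.168.10.1 80   # RHEL-A web server, as in the lab
}

case "${1:-}" in apply) apply_gateway ;; esac
```

Run it as root on the gateway with the argument `apply`; without the argument it only defines the functions, so you can source it and print the rules through a stand-in for `iptables` before touching a live box.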

From http://power1990.blog.51cto.com/2673141/714292
