Today I got a new server to use as a stepping stone (jump host) and copied my earlier configuration onto it. The result was that it would not forward traffic, and the cause was not obvious, so it took a while to find. I checked the network first: there were no network problems, the intranet and the Internet were both reachable, and the dual-NIC gateway was fine. So I had to search Baidu for the problem, and found an article there that was useful to me. I am posting it here so the problem can be solved quickly in future.
Configure iptables firewall in CentOS
Linux NAT (iptables) Configuration
Configure iptables in CentOS
1. vim /etc/sysconfig/network sets the host name (and the default gateway):
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=BGI-TJ.localdomain
GATEWAY=192.168.11.1    (the supercomputing gateway)
2. vim /etc/sysconfig/network-scripts/ifcfg-eth0 is the first NIC (the public side):
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth0
BOOTPROTO=static
HWADDR=A4:BA:DB:43:XX    (MAC address, partly redacted)
IPADDR=192.168.11.2    (public address)
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.11.1    (optional here; it is already set in /etc/sysconfig/network)
3. vim /etc/sysconfig/network-scripts/ifcfg-eth1 is the second NIC (the intranet side):
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth1
BOOTPROTO=static
HWADDR=A4:BA:DB:43:XX    (MAC address, partly redacted)
IPADDR=192.168.136.1    (intranet address)
NETMASK=255.255.255.0
ONBOOT=yes
4. vim /etc/sysctl.conf enables IP forwarding, which is what turns the box into a router. Change
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
to
# Controls IP packet forwarding
net.ipv4.ip_forward = 1    (lets the kernel route packets between the two NICs)
5. sysctl -p applies the sysctl change.
6. service network restart brings the NICs up with the new configuration.
7. If the second network card is not detected, you can load its driver; see
http://www.cngr.cn/article/63/390/2006/2006071812486.shtml
On systems that use /etc/network/interfaces (the Debian/Ubuntu layout) the two NICs are configured there instead:
auto eth0
iface eth0 inet static
    address 192.168.18.2
    netmask 255.255.255.0
    network 192.168.18.0
    gateway 192.168.18.1
auto eth1
iface eth1 inet static
    address 172.17.94.93
    netmask 255.255.255.0
    broadcast 172.17.94.255
    gateway 172.17.94.254
With two gateway lines the first NIC's gateway becomes the default route; both interfaces can be enabled.
8. iptables -F    (flush the existing rules)
9. iptables -t nat -A POSTROUTING -s 192.168.136.0/24 -o eth0 -j SNAT --to-source 192.168.11.2
   Traffic from the 192.168.136.0/24 intranet is source-NATed to the public address and forwarded into the 192.168.11.0/24 segment.
10. /etc/rc.d/init.d/iptables save, or service iptables save
11. service iptables restart
12. If you find that DNS cannot be resolved, enter the following commands to rule out firewall issues (you can also change the configuration files first):
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
/etc/rc.d/init.d/iptables save
service iptables restart
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -p udp --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -p udp --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p udp --dport 995 -j ACCEPT
service iptables save
service iptables restart
Or, less selectively, forward all TCP and UDP:
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT
iptables -A FORWARD -p udp -j ACCEPT
iptables -A FORWARD -p tcp --dport 1:65534 -j ACCEPT
service iptables save
service iptables restart
The whole sequence, from applying sysctl to the final restart, is then:
sysctl -p
service network restart
iptables -F
iptables -t nat -A POSTROUTING -s 192.168.x.0/24 -o eth0 -j SNAT --to-source <public IP>    (use your intranet segment and public address)
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
service iptables save
service iptables restart
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --dport 1:65534 -j ACCEPT
iptables -A FORWARD -p udp --dport 1:65534 -j ACCEPT
service iptables save
service iptables restart
Default policy:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
With these defaults many things stop working until the matching rules are added.
The machine is a stepping stone by IP address: you can map a port on the public IP to the internal machine you want to use (and block the ports you do not want exposed):
iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 2200 -j DNAT --to-destination 192.168.3.202:22
(x.x.x.x is the public IP, 2200 the external port number, and 192.168.3.202:22 the intranet IP and port.)
NAT default route:
ip route add 192.168.6.0/24 via 192.168.11.2
or add a gateway for the segment with the older syntax:
route add -net 192.168.6.0/24 gw 192.168.11.1 dev eth0
(The NIC must be able to reach the network you want to jump to, for example 192.168.11.0/24 and 192.168.6.0/24.)
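The same stepping-stone setup, written as a script that generates all the rules in one place and defaults the FORWARD chain to DROP instead of ACCEPT, is shown below as an added example (not code from the original article). It keeps the article's addresses (192.168.136.0/24 behind 192.168.11.2, public port 2200 mapped to 192.168.3.202:22) and assumes eth0 is the public NIC and eth1 the intranet NIC; the management port, the DRY_RUN switch and the run() helper are this example's own. With DRY_RUN=1 (the default) it only prints the iptables commands, so the ruleset can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original article: the stepping-stone NAT ruleset
# with connection tracking and a default-DROP FORWARD chain. Addresses follow
# the article; MGMT_PORT, DRY_RUN and run() are this example's assumptions.

WAN_IF="eth0"                      # public-side NIC (article step 2)
LAN_IF="eth1"                      # intranet NIC (article step 3)
LAN_NET="192.168.136.0/24"         # intranet segment behind the gateway
PUBLIC_IP="192.168.11.2"           # public-side address used for SNAT (step 9)
JUMP_PORT="2200"                   # external port of the stepping-stone mapping
JUMP_HOST="192.168.3.202"          # intranet host reached through that port
JUMP_HOST_PORT="22"
MGMT_PORT="22"                     # SSH port kept open on the gateway itself (assumed)
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The complete ruleset, emitted in application order through run().
nat_gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # The gateway itself accepts loopback, replies, and the management port only.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$MGMT_PORT" -m state --state NEW -j ACCEPT
    # Step 9: intranet hosts leave through the public address.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    # Stepping-stone mapping: public IP port 2200 -> intranet host port 22.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$JUMP_PORT" \
        -j DNAT --to-destination "$JUMP_HOST:$JUMP_HOST_PORT"
    # FORWARD: replies, intranet -> outside, and new connections to the mapped port only.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$JUMP_HOST" -p tcp --dport "$JUMP_HOST_PORT" \
        -m state --state NEW -j ACCEPT
}

# Number of commands in the ruleset (a quick sanity check before saving it).
rule_count() {
    (DRY_RUN=1; nat_gateway_rules) | wc -l | tr -d ' '
}

# True if the ruleset never falls back to "accept everything" in FORWARD.
forward_is_restricted() {
    if (DRY_RUN=1; nat_gateway_rules) | grep -q -E -- '-P FORWARD ACCEPT|-A FORWARD -j ACCEPT'; then
        return 1
    fi
    return 0
}

nat_gateway_rules
```

Because the DNAT rule is matched in PREROUTING before the FORWARD chain sees the packet, the last FORWARD rule has to accept the translated destination (192.168.3.202:22), not the public port 2200; that is the detail most often missed when the "accept everything" policies of step 12 are tightened.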
Many new users find this confusing, so let's walk through it.
1. Preparations
1.1 After CentOS (Final) is installed, stop unnecessary services.
1.2 Modify the host name:
1.2.1 /etc/sysconfig/network
1.2.2 /etc/hosts
1.3 NIC settings
1.3.1 Single IP: /etc/sysconfig/network-scripts/ifcfg-eth0
1.3.2 IP range
# cd /etc/sysconfig/network-scripts/
# cp -a ifcfg-eth0 ifcfg-eth0-range0
# vi ifcfg-eth0-range0
DEVICE=eth0-range0
IPADDR_START=192.168.136.2    # first IP address of the range
IPADDR_END=192.168.136.100    # last IP address of the range
GATEWAY=192.168.136.1
NETMASK=255.255.255.0
CLONENUM_START="20"    # number of the first virtual (clone) interface; here the aliases start at eth0:20, eth0:21, ...
NO_ALIASROUTING=yes    # may also be set in the master file (ifcfg-eth0), from which the virtual interfaces inherit it; it avoids the slow route lookups caused by adding a routing entry for every virtual interface
1.3.3 Command method
ip addr add 192.168.136.0/24 dev $OUTGOING
1.4 Route settings
1.4.1 Static routes
# vi /etc/sysconfig/static-routes
eth0 net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
(device name, network address, subnet mask, gateway address)
Or, alternatively, in /etc/sysconfig/network-scripts/route-eth0:
10.0.2.0/24 via 192.168.0.144
10.0.3.0/24 via 192.168.0.144
10.0.4.0/24 via 192.168.0.144
1.4.2 Set a default gateway in the system's main route table; this gateway is on the China Telecom line:
ip route add 0/0 via 22.22.22.1
1.4.3 Add the China Netcom default gateway to the route table numbered 11, and rules that send all traffic for the Netcom address ranges to that table:
ip route add 0/0 via 11.11.11.1 table 11
ip rule add to 60.0.0.0/13 table 11
ip rule add to 60.8.0.0/15 table 11
ip rule add to 60.10.0.0/16 table 11
Note: when configuring the network card, do not set the gateway there, and do not use the old ifconfig command for the gateway; use iproute2 instead, otherwise a conflict can occur. Alternatively, use ip route replace in place of ip route add.
1.5 Forwarding settings
/etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.netfilter.ip_conntrack_max = 1048576
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300
1.6 resolv.conf
nameserver 10.0.0.1
2. iptables configuration
2.1 iptables initialization
iptables -t nat -F
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -N NEWCONN
2.2 NAT translation
2.2.1 First, masquerade the source address of packets leaving the two WAN ports, mainly so the other side cannot tell where you came from:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
2.2.2 SNAT for the internal network:
iptables -t nat -A POSTROUTING -s <internal IP/subnet> -o $OUTGOING -j SNAT --to-source $IPPOOL
2.2.3 Automatic China Telecom / China Netcom selection for one subnet:
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d <Telecom IP range> -j SNAT --to-source 222.161.3
...    (one such rule per Telecom destination range)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 218.62.3.3
2.2.4 Reach 222.222.5.0/15 and 222.240.0.0/13 through China Telecom:
# echo "200 DIANXIN" >> /etc/iproute2/rt_tables    (appended to the file; run this only once)
# ip route replace default via 222.161.2 table DIANXIN
# ip rule add fwmark 1 table DIANXIN    (watch the rule order here; check it with ip rule)
# iptables -t nat -F
# iptables -t mangle -F
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.222.5.0/15 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.240.0.0/13 -j MARK --set-mark 1
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.222.5.0/15 -j SNAT --to-source $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.240.0.0/13 -j SNAT --to-source $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source <IP of the NIC on the China Netcom line>
# ip route flush cache
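To show how the marking, table and rule pieces of 2.2.4 fit together, here is an added example script (not the article's own code). It keeps the article's table name DIANXIN, table number 200, fwmark 1 and the two Telecom prefixes, while the Telecom gateway and the SNAT addresses (which the article leaves incomplete) are placeholders from the TEST-NET-3 range; ensure_rt_table(), run() and DRY_RUN are this example's assumptions. The rt_tables entry is added only if it is not already present, since appending it on every run would duplicate the line and a single-'>' redirection would overwrite the whole table list.

```shell
#!/bin/sh
# Added example, not from the original article: policy routing for the
# "reach these ranges through China Telecom" case. Table/mark/prefixes are the
# article's; gateway and SNAT addresses are placeholders; DRY_RUN, run() and
# ensure_rt_table() are assumptions of this example.

TABLE_ID="200"
TABLE_NAME="DIANXIN"
FWMARK="1"
LAN_IF="eth0"
LAN_NET="192.168.0.0/24"
TELECOM_PREFIXES="222.222.5.0/15 222.240.0.0/13"
TELECOM_GW="${TELECOM_GW:-203.0.113.1}"      # placeholder for the Telecom gateway
TELECOM_SNAT="${DIANXIN:-203.0.113.2}"       # placeholder for $DIANXIN
NETCOM_SNAT="${NETCOM_SNAT:-203.0.113.3}"    # placeholder for the Netcom NIC address
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Append "<id> <name>" to the rt_tables file only if that entry is missing,
# so the script can be re-run without truncating or duplicating the table list.
ensure_rt_table() {
    id="$1"; name="$2"; file="$3"
    if ! grep -q -E "^[[:space:]]*$id[[:space:]]+$name[[:space:]]*\$" "$file" 2>/dev/null; then
        echo "$id $name" >> "$file"
    fi
}

# Route marked packets through the Telecom table (route replace, so re-running
# does not conflict), mark traffic to the Telecom prefixes, SNAT it to the
# Telecom address, and SNAT everything else to the Netcom address.
telecom_policy_rules() {
    run ip route replace default via "$TELECOM_GW" table "$TABLE_NAME"
    run ip rule add fwmark "$FWMARK" table "$TABLE_NAME"
    run iptables -t nat -F
    run iptables -t mangle -F
    for net in $TELECOM_PREFIXES; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$net" -j MARK --set-mark "$FWMARK"
    done
    for net in $TELECOM_PREFIXES; do
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$net" -j SNAT --to-source "$TELECOM_SNAT"
    done
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -j SNAT --to-source "$NETCOM_SNAT"
    run ip route flush cache
}

# Number of MARK rules generated: one per Telecom prefix.
mark_rule_count() {
    (DRY_RUN=1; telecom_policy_rules) | grep -c -- '-j MARK'
}

if [ "$DRY_RUN" = "1" ]; then
    echo "# would ensure '$TABLE_ID $TABLE_NAME' is listed in $RT_TABLES"
else
    ensure_rt_table "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
fi
telecom_policy_rules
```

The order matters for the reason the article hints at: the ip rule for fwmark 1 must exist before marked packets arrive, and the prefix-specific SNAT rules must precede the catch-all SNAT in POSTROUTING, otherwise the catch-all matches first and Telecom-bound traffic leaves with the Netcom address.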
2.2.5 Add similar forwarding rules for each permitted client. The ports in $PORT are a comma-separated list, so the multiport options --dports/--sports are used rather than the single-port --dport/--sport:
if [ "$ALLOW_ACCESS_CLIENT" != "" ]; then
    for LAN in ${ALLOW_ACCESS_CLIENT}; do
        iptables -A FORWARD -p tcp -m multiport -s ${LAN} -o $ETH_WAN --dports $PORT -j ACCEPT
        iptables -A FORWARD -p udp -m multiport -s ${LAN} -o $ETH_WAN --dports $PORT -j ACCEPT
        iptables -A FORWARD -p tcp -m multiport -i $ETH_WAN --sports $PORT -j ACCEPT
        iptables -A FORWARD -p udp -m multiport -i $ETH_WAN --sports $PORT -j ACCEPT
    done
fi
2.3 Save
iptables-save -c > /etc/sysconfig/iptables
It is necessary to configure the iptables firewall in CentOS. Let's learn how to configure it!
I mentioned in my blog that firewall configuration is never recommended.
Set up the firewall on Linux. Taking CentOS as the example, open the iptables configuration file:
vi /etc/sysconfig/iptables
Run /etc/init.d/iptables status to check whether port 80 is open. If it is not, use either of the following methods:
1. Edit the file with vi /etc/sysconfig/iptables and add a rule that opens port 80 in the firewall:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
2. Stop, start or restart the firewall:
/etc/init.d/iptables stop
/etc/init.d/iptables start
/etc/init.d/iptables restart
3. Permanently disable the firewall:
chkconfig --level 35 iptables off
/etc/init.d/iptables stop
iptables -P INPUT DROP
4. Open port 21 for FTP in active mode:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
5. Open ports 49152 to 65534 for FTP in passive mode:
iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Note:
Be sure to leave yourself a way in: keep a VNC management port and an SSH management port open.
You must adapt the file to your own server.
After all the modifications, restart iptables:
service iptables restart
You can verify that all the rules have taken effect with:
iptables -L
Through this article we have a clear picture of how to configure the iptables firewall on CentOS. I hope everyone can master it! Study hard.
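As an added example (not from the article), the host-firewall steps above can be combined into one INPUT ruleset that enforces the note about leaving yourself a path in: the rules are generated first, and a check refuses to apply them unless every management port has an ACCEPT rule, so an empty or mistyped management-port list cannot lock you out of the server. The management ports (SSH 22, VNC 5901), the DRY_RUN switch and the helper names are this example's assumptions; the FTP ports are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: an INPUT ruleset for the FTP
# server case that refuses to apply itself unless the management ports stay
# open. MGMT_PORTS, DRY_RUN and the helper functions are assumptions here.

MGMT_PORTS="${MGMT_PORTS:-22 5901}"    # SSH and VNC management ports (assumed values)
FTP_PASV_RANGE="49152:65534"           # passive-mode range from the article
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# The ruleset: default DROP, loopback, replies, management ports, then FTP.
host_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $MGMT_PORTS; do
        run iptables -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    run iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$FTP_PASV_RANGE" -j ACCEPT
}

# Return 0 only if MGMT_PORTS is non-empty and every port in it has an ACCEPT
# line in the ruleset text passed as $1.
mgmt_path_kept() {
    rules="$1"
    [ -n "$MGMT_PORTS" ] || return 1
    for p in $MGMT_PORTS; do
        printf '%s\n' "$rules" | grep -q -- "--dport $p .*-j ACCEPT" || return 1
    done
    return 0
}

# Check the would-be ruleset first; apply (or print) it only if the check
# passes, otherwise return 2 without touching anything.
apply_rules() {
    if ! mgmt_path_kept "$( (DRY_RUN=1; host_rules) )"; then
        echo "refusing to apply: no ACCEPT rule for a management port" >&2
        return 2
    fi
    host_rules
}

apply_rules
```

Running it with MGMT_PORTS="" reproduces the lock-out case the note warns about (INPUT DROP with no management rule) and gets the refusal instead of a ruleset; with the defaults it prints the eight commands in the order they would be applied.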