Configure the gateway using iptables in Linux

Source: Internet
Author: User
For security reasons, machines holding important content such as web servers, databases and billing systems are often hidden behind a firewall, sometimes without any Internet address at all. This article assumes that we need to set up a Linux gateway in front of a web server that has only an intranet address, so that the web service is reachable from the Internet while access to every other port is blocked. The tool for this is iptables, which is provided by the Linux kernel.

Iptables is the firewall built into Linux kernels from 2.4 onwards. It can be used to block unwanted port and IP access, or to turn a machine into a gateway device that performs NAT and firewalling and implements port forwarding.
Iptables is organised into tables, chains and rules, which act on the packet headers. When the system receives a packet, the kernel's routing decision is made according to the destination address. If the destination is the local machine, the packet enters the INPUT chain; after the local machine has processed it, the reply leaves through the OUTPUT chain. If the destination is not the local machine, the packet enters the FORWARD chain and is forwarded if it matches the rules there.

Device settings:
Web server IP and port: 192.168.12.50:80 (Windows IIS server or Linux Apache)
Gateway public IP (eth0): 210.211.22.20, private IP (eth1): 192.168.12.10 (CentOS 5.2)
Goal: accessing http://210.211.22.20 from the Internet should reach http://192.168.12.50:80.
1. Configure the gateway to allow IP forwarding:
vi /etc/sysctl.conf
Set:
net.ipv4.ip_forward = 1
Then run
sysctl -p
and the output should include
net.ipv4.ip_forward = 1
2. Set iptables on the gateway
# nat table, PREROUTING chain: TCP packets arriving on eth0 for destination port 80 are DNATed to 192.168.12.50:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.12.50:80
# filter table: allow packets received on eth0 to be forwarded out of eth1 to 192.168.12.50:80
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.12.50 --dport 80 -j ACCEPT
# We also need source NAT so that the kernel maintains a mapping table: data sent out of eth1 carries the intranet address, and the Internet address is restored when the reply comes back. Otherwise the Internet client never receives a reply.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

After the settings are complete, run service iptables save so that they persist.
Access http://210.211.22.20 from the Internet and you should see the intranet web page.
3. In the same way you can forward port 1433 for the database, or ports such as 25 and 110 for FTP, SMTP and POP as needed; the protocol and forwarding rules need small adjustments and some testing.
For example, to set up an MSSQL database proxy:
#1. nat table, PREROUTING chain; the -o option cannot be used here because the output interface is not yet known.
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1433 -j DNAT --to 192.168.12.123:1433
#2. filter table
iptables -A FORWARD -p tcp -i eth0 -o eth1 --dport 1433 -d 192.168.12.123 -j ACCEPT
#3. NAT translation; if this rule is already present from step 2 above, it does not need to be added again.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

4. Set iptables to deny all access that is not explicitly allowed.
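The steps above combined into one script, as an added example (not the article's own commands): it generates the DNAT, FORWARD and MASQUERADE rules for a list of forwarded services and adds the default-deny FORWARD policy of step 4, together with conntrack rules for reply traffic that the article does not show. Interface names and addresses are the article's; the PORTMAP list is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original article: builds the complete
# gateway rule set described above (DNAT + FORWARD + MASQUERADE) for a list of
# forwarded services, and adds the default-deny FORWARD policy of step 4.
# Interfaces and addresses are the article's; PORTMAP is a constructed sample.
set -eu

WAN_IF=eth0
LAN_IF=eth1
# Entries are "external_port:internal_ip:internal_port" (constructed values)
PORTMAP="80:192.168.12.50:80 1433:192.168.12.123:1433"

# Print the two rules needed to forward one TCP service through the gateway.
forward_rules() {
    ext_port=$1; int_ip=$2; int_port=$3
    # nat/PREROUTING: rewrite the destination of packets arriving on eth0
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    # filter/FORWARD sees the rewritten destination; allow only that host and port
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Print the whole rule set in order: forwarding on, flush, default deny,
# stateful replies, one rule pair per service, masquerade towards the LAN.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    # Step 4 of the article: anything not explicitly allowed is dropped
    echo "iptables -P FORWARD DROP"
    # Replies to accepted connections must pass in both directions
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for entry in $PORTMAP; do
        ext=${entry%%:*}; rest=${entry#*:}
        ip=${rest%%:*}; port=${rest#*:}
        forward_rules "$ext" "$ip" "$port"
    done
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE"
}

# Number of DNAT rules generated; handy for checking the rule set before applying it.
dnat_count() { gen_rules | grep -c -- '-j DNAT'; }

# APPLY=1 (run as root on the gateway) executes the commands; by default they are only printed for review.
if [ "${APPLY:-0}" = 1 ]; then gen_rules | sh -e; else gen_rules; fi
```

Masquerading on eth1, as the article does, makes every forwarded connection appear to the web server to come from the gateway's LAN address, so the server's logs lose the real client IP; it is only needed when the server's default route does not already point back through the gateway.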