Configuring the iptables firewall and NAT forwarding under CentOS
Linux NAT (iptables) configuration
Configuring iptables under CentOS
1. vim /etc/sysconfig/network (the host name can be changed here)
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=bgi-tj.localdomain
GATEWAY=192.168.11.1 (upstream gateway)
2. vim /etc/sysconfig/network-scripts/ifcfg-eth0 (the first network card)
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth0
BOOTPROTO=static
HWADDR=a4:ba:db:43:xx:xx
IPADDR=192.168.11.2 (public network address)
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.11.1 (can be left unset here, since it was set above)
3. vim /etc/sysconfig/network-scripts/ifcfg-eth1 (the second network card, facing the intranet)
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth1
BOOTPROTO=static
HWADDR=a4:ba:db:43:xx:xx
IPADDR=192.168.136.1 (intranet address)
NETMASK=255.255.255.0
ONBOOT=yes
4. vim /etc/sysctl.conf. This is the key step: route forwarding, routing and so on all depend on it.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
Change this to
# Controls IP packet forwarding
net.ipv4.ip_forward = 1 (enables the kernel's built-in routing)
5. sysctl -p (reload the settings)
6. service network restart
7. If the second network card cannot be found, it can be loaded manually; see:
http://www.cngr.cn/article/63/390/2006/2006071812486.shtml
The two network cards can also be edited in /etc/network/interfaces (the Debian-style configuration file):
auto eth0
iface eth0 inet static
    address 192.168.18.2
    netmask 255.255.255.0
    network 192.168.18.0
    gateway 192.168.18.1
auto eth1
iface eth1 inet static
    address 172.17.94.93
    netmask 255.255.255.0
    broadcast 172.17.94.255
    gateway 172.17.94.254
The first network card is the default; both can be brought up at the same time.
8. iptables -F
9. iptables -t nat -A POSTROUTING -s 192.168.136.0/24 -o eth0 -j SNAT --to 192.168.11.2 (forwards the intranet segment out through the 192.168.11 segment)
10. /etc/rc.d/init.d/iptables save, or service iptables save
11. service iptables restart
12. If you find that DNS cannot be resolved, this is a firewall problem; enter the following commands. Change the default policies first:
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
/etc/rc.d/init.d/iptables save
service iptables restart
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -p udp --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -p udp --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p udp --dport 995 -j ACCEPT
service iptables save
service iptables restart
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT
iptables -A FORWARD -p udp -j ACCEPT
iptables -A FORWARD -p tcp --dport 1:65534 -j ACCEPT
service iptables save
service iptables restart
Putting it together:
sysctl -p
service network restart
iptables -F
iptables -t nat -A POSTROUTING -s 192.168.x.x/24 -o eth0 -j SNAT --to <public IP address>
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
service iptables save
service iptables restart
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --dport 1:65534 -j ACCEPT
iptables -A FORWARD -p udp --dport 1:65534 -j ACCEPT
service iptables save
service iptables restart
The defaults are:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
which can interfere with the use of many functions.
IP jump host (port forwarding): reach a machine from one IP through another, and block directly the ports you do not want to use:
iptables -t nat -A PREROUTING -d x.x.x.x (public IP) -p tcp --dport 2200 (port number) -j DNAT --to 192.168.3.202:22 (intranet IP:intranet port)
NAT default route:
ip route add 192.168.6.0/24 via 192.168.11.2
Or add a default gateway for the IP segment you want to reach:
route add -net 192.168.6.0/24 gw 192.168.11.1 dev eth0 (the NIC must be able to reach the network you want to jump to, for example 192.168.11.0/24 and 192.168.6.0/24)
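The steps above append rules one at a time on top of an ACCEPT policy for INPUT and FORWARD, which leaves the gateway relaying anything while the rules are being edited. The script below is an added example, not code from the original article: it generates the same SNAT gateway and the jump-host DNAT rule as a single iptables-restore ruleset with DROP policies, a conntrack rule for return traffic and the management port kept open. The interface names and addresses are the article's; the management port (22), the DNAT target and the list of forwarded TCP ports are assumptions.

```shell
#!/bin/sh
# Added example: build a complete, stateful NAT gateway ruleset in
# iptables-restore format.  Addresses and interfaces follow the article;
# MGMT_PORT, the DNAT target and the forwarded port list are assumptions.

LAN_NET="192.168.136.0/24"      # intranet behind eth1 (article)
LAN_IF="eth1"
WAN_IF="eth0"
WAN_IP="192.168.11.2"           # public-side address of eth0 (article)
MGMT_PORT="22"                  # assumption: SSH management port left open on INPUT
DNAT_PORT="2200"                # article's jump-host example: public :2200 -> intranet :22
DNAT_TARGET="192.168.3.202:22"
FWD_TCP_PORTS="22,25,53,80,110,143,993,995"   # the TCP services the article forwards

# Print the ruleset.  INPUT and FORWARD default to DROP; only replies to
# established flows, the management port and the listed services pass.
# args: lan_net lan_if wan_if wan_ip mgmt_port dnat_port dnat_target tcp_ports
build_nat_rules() {
    lan_net=$1; lan_if=$2; wan_if=$3; wan_ip=$4
    mgmt=$5; dport=$6; target=$7; tcp_ports=$8
    target_ip=${target%:*}; target_port=${target#*:}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan_if -p tcp --dport $dport -j DNAT --to-destination $target
-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $mgmt -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan_net -i $lan_if -o $wan_if -p tcp -m multiport --dports $tcp_ports -j ACCEPT
-A FORWARD -s $lan_net -i $lan_if -o $wan_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $target_ip -p tcp --dport $target_port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Emit the ruleset; as root, pipe it into `iptables-restore` to load it atomically.
build_nat_rules "$LAN_NET" "$LAN_IF" "$WAN_IF" "$WAN_IP" \
                "$MGMT_PORT" "$DNAT_PORT" "$DNAT_TARGET" "$FWD_TCP_PORTS"
```

Loading the whole set through iptables-restore replaces the rules in one step, so there is no window in which the policy is ACCEPT and the port rules are half written. The ESTABLISHED,RELATED rule makes the separate UDP rules for ports 110, 143, 993 and 995 in the article unnecessary: those are TCP services, and replies to the forwarded TCP flows are already matched by conntrack.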
So much theory leaves a novice quite confused. Let's look at it in practice.
1. Preparatory work
1.1 After the CentOS installation completes, stop the services you do not need
1.2 Modify the host name:
1.2.1 /etc/sysconfig/network
1.2.2 /etc/hosts
1.3 Network card settings
1.3.1 Single IP: /etc/sysconfig/network-scripts/ifcfg-eth0
1.3.2 IP segment
# cd /etc/sysconfig/network-scripts/
# cp -a ifcfg-eth0 ifcfg-eth0-range0
# vi ifcfg-eth0-range0
DEVICE=eth0-range0
IPADDR_START=192.168.136.2 # first IP of the address range
IPADDR_END=192.168.136.100 # last IP of the address range
GATEWAY=192.168.136.1
NETMASK=255.255.255.0
CLONENUM_START=20 # starting number of the virtual (clone) interfaces; in this example eth0:20, eth0:21, eth0:22, eth0:23 ...
NO_ALIASROUTING=yes # this option can also be set in the main config file (ifcfg-eth0)
# The virtual interfaces inherit the settings of the main config file; this option avoids defining new routing entries for every virtual interface, which would otherwise slow down routing lookups.
1.2.3 Command-line method
ip addr add 192.168.136.0/24 dev $OUTGOING
1.4 Routing settings
1.4.1
# vi /etc/sysconfig/static-routes
eth0 (device name) net 192.168.0.0 (network address) netmask 255.255.255.0 (subnet mask) gw 192.168.0.1 (gateway address)
A. /etc/sysconfig/network-scripts/route-eth0
10.0.2.0/24 via 192.168.0.144
10.0.3.0/24 via 192.168.0.144
10.0.4.0/24 via 192.168.0.144
1.4.2 Configure the gateway of the system's main routing table; this is the Telecom gateway:
ip route add 0/0 via 22.22.22.1
1.4.3 Add routing rules so that all traffic bound for Netcom is looked up in routing table 11, which gets a default gateway provided by Netcom:
ip route add 0/0 via 11.11.11.1 table 11
ip rule add to 60.0.0.0/13 table 11
ip rule add to 60.8.0.0/15 table 11
ip rule add to 60.10.0.0/16 table 11
Note: when configuring the network cards, do not configure the gateway there, and do not use the old ifconfig/route commands to configure the gateway; use iproute2 for it, otherwise the two will conflict. Alternatively, use the ip route replace command in place of ip route add.
1.5 Forwarding settings
/etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.netfilter.ip_conntrack_max = 1048576
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300
1.6 resolv.conf
nameserver 10.0.0.1
2. iptables configuration
2.1 iptables initialization
iptables -t nat -F
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -N newconn
2.2 NAT conversion
2.2.1 First, masquerade the packets leaving through the two WAN port IPs (MASQUERADE), mainly so that the far end cannot see where you come from.
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
2.1.2 SNAT conversion for the network:
iptables -t nat -A POSTROUTING -s <internal IP address/subnet> -o $OUTGOING -j SNAT --to $IPPOOL
2.1.3 Automatic switching between Telecom and Netcom for one network segment
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d $TELECOM_IP -j SNAT --to 222.168.1.3
...
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 218.62.3.3
2.1.4 Access to 222.222.5.0/15 and 222.240.0.0/13 goes via Telecom; everything else defaults to Netcom
# echo "200 dianxin" >> /etc/iproute2/rt_tables (this is appended to the file and only needs to be run once; the file maps a table number to a name, and 200 is an example number)
# ip route replace default via 222.168.1.2 table dianxin
# ip rule add fwmark 1 table dianxin (note the order here; it can be checked with ip rule)
# iptables -t nat -F
# iptables -t mangle -F
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.222.5.0/15 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.240.0.0/13 -j MARK --set-mark 1
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.222.5.0/15 -j SNAT --to $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.240.0.0/13 -j SNAT --to $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to <address of the network card on the Netcom line>
# ip route flush cache
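Section 2.1.4 spreads the table name, the mark and the destination prefixes across several hand-typed commands, and a second run appends a duplicate line to rt_tables. The script below is an added example, not the article's own: it registers the table in /etc/iproute2/rt_tables only once, checks that each destination prefix is network-aligned (222.222.5.0/15 in the article is not, so iptables applies the mask and matches the containing network 222.222.0.0/15), and prints the ip/iptables commands for review before they are run as root. The table number 200 and the SNAT address on the Telecom side are assumptions; the gateway, mark and prefixes are the article's.

```shell
#!/bin/sh
# Added example: helpers for the Telecom/Netcom policy routing of 2.1.4.
# TABLE_NUM and TELECOM_SNAT are assumptions; the rest follows the article.

RT_TABLES="/etc/iproute2/rt_tables"   # the file the article calls rt_table
TABLE_NAME="dianxin"
TABLE_NUM="200"                       # assumption: any unused number below 253
FWMARK="1"
TELECOM_GW="222.168.1.2"              # Telecom uplink gateway (article)
TELECOM_SNAT="222.168.1.3"            # assumption: address on the Telecom-side NIC
LAN_IF="eth0"
LAN_NET="192.168.0.0/24"

# Append "number name" to rt_tables unless the name is already registered.
# args: file number name
ensure_rt_table() {
    if ! grep -q -E "^[[:space:]]*[0-9]+[[:space:]]+$3([[:space:]]|\$)" "$1" 2>/dev/null; then
        printf '%s\t%s\n' "$2" "$3" >> "$1"
    fi
}

# Number of rt_tables entries carrying the given name (should be exactly 1).
# args: file name
rt_table_count() {
    grep -c -E "[[:space:]]$2([[:space:]]|\$)" "$1" 2>/dev/null || true
}

# Exit 0 when the host bits of a.b.c.d/n are all zero, 1 otherwise.
cidr_is_aligned() {
    addr=${1%/*}; len=${1#*/}
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( n & mask )) -eq "$n" ]
}

# Print the commands for one uplink: the table's default route, the fwmark
# rule, one MARK + SNAT pair per destination prefix, then a cache flush.
# args: table gw snat_ip lan_if lan_net prefix...
policy_routing_cmds() {
    table=$1; gw=$2; snat=$3; lan_if=$4; lan_net=$5; shift 5
    echo "ip route replace default via $gw table $table"
    echo "ip rule add fwmark $FWMARK table $table"
    for dst in "$@"; do
        if ! cidr_is_aligned "$dst"; then
            echo "# WARNING: $dst has host bits set; iptables will match the containing network"
        fi
        echo "iptables -t mangle -A PREROUTING -i $lan_if -s $lan_net -d $dst -j MARK --set-mark $FWMARK"
        echo "iptables -t nat -A POSTROUTING -s $lan_net -d $dst -j SNAT --to-source $snat"
    done
    echo "ip route flush cache"
}

# Stand-alone use: print the commands for review.  As root, first run
#   ensure_rt_table "$RT_TABLES" "$TABLE_NUM" "$TABLE_NAME"
policy_routing_cmds "$TABLE_NAME" "$TELECOM_GW" "$TELECOM_SNAT" "$LAN_IF" "$LAN_NET" \
                    222.222.5.0/15 222.240.0.0/13
```

The alignment check matters for policy routing in particular: a mis-written prefix marks far more (or less) traffic than intended, and because the SNAT rule uses the same prefix, the mismatch is silent until connections from the wrong uplink start failing.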
2.1.6 Adding rules of the same kind for permitted clients
if [ "$ALLOW_ACCESS_CLIENT" != "" ]; then
    for LAN in ${ALLOW_ACCESS_CLIENT}; do
        # outbound: allow the listed ports from each permitted client
        # (with -m multiport the options are --dports/--sports and take a comma-separated list)
        iptables -A FORWARD -p tcp -m multiport -s ${LAN} -o $ETH_WAN --dports $PORT -j ACCEPT
        iptables -A FORWARD -p udp -m multiport -s ${LAN} -o $ETH_WAN --dports $PORT -j ACCEPT
        # return traffic, matched by source port; a conntrack ESTABLISHED,RELATED rule would be tighter
        iptables -A FORWARD -p tcp -m multiport -i $ETH_WAN --sports $PORT -j ACCEPT
        iptables -A FORWARD -p udp -m multiport -i $ETH_WAN --sports $PORT -j ACCEPT
    done
fi
2.3 Save
iptables-save -c > /etc/sysconfig/iptables
#--+--+--+--+--+--+--+--+--+--+--+--+--+--
It is very necessary to configure the iptables firewall under CentOS; come and learn how to configure it!
My blog has mentioned firewall configuration before.
To set up a firewall in Linux, CentOS for example, open the iptables configuration file:
vi /etc/sysconfig/iptables
The /etc/init.d/iptables status command shows whether port 80 is open; if it is not, there are two ways to handle it:
1. Edit the file with vi /etc/sysconfig/iptables and add a rule that opens port 80 in the firewall:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
2. Stop/start/restart the firewall:
/etc/init.d/iptables stop (use start to open it, restart to restart it)
3. Permanently disable the firewall
chkconfig iptables off
/etc/init.d/iptables stop
iptables -P INPUT DROP
4. Open port 21 for active-mode FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
5. Open the passive-mode port range 49152~65534
iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Attention:
Be sure to leave yourself a way back in: a management port, the SSH management port.
Note that you must adapt this file to the circumstances of your own server.
Restart iptables after all modifications are complete:
service iptables restart
You can verify that the rules are in effect:
iptables -L
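The "Attention" note above is the classic lockout risk: a DROP policy saved without an ACCEPT for the management port, discovered only after service iptables restart cuts the SSH session. The script below is an added example, not part of the original article: it walks a saved ruleset in iptables-save format and reports whether a new TCP connection to the management port would still be accepted, so it can be run against /etc/sysconfig/iptables before the restart. Port 22 and the two sample rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a saved ruleset (iptables-save format, e.g.
# /etc/sysconfig/iptables) before restarting the firewall, so that a NEW
# TCP connection to the management port is still accepted afterwards.
# The sample rulesets below are constructed; port 22 is an assumption.

# Reads a ruleset on stdin and prints "accept" or "drop" for new TCP
# connections to the given port.  The walk is deliberately conservative:
# only a "--dport N ... -j ACCEPT" rule counts as an opening, and any
# port-less, state-less DROP/REJECT in INPUT that precedes it counts as a
# lockout (a multiport --dports list is not recognised).
# args: port
mgmt_port_reachable() {
    awk -v port="$1" '
        /^\*/             { table = substr($0, 2); next }
        table != "filter" { next }
        /^:INPUT /        { policy = $2; next }
        /^-A INPUT / && !done {
            if ($0 ~ /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)")) { verdict = "accept"; done = 1 }
            else if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /--dport/ && $0 !~ /--state/) { verdict = "drop"; done = 1 }
        }
        END { if (!done) verdict = (policy == "ACCEPT") ? "accept" : "drop"; print verdict }
    '
}

# Constructed sample: policy DROP with the management port opened (safe).
sample_safe_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: iptables -P INPUT DROP applied with only port 80
# opened and the SSH rule forgotten (lockout).
sample_lockout_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Stand-alone use against the real file, before `service iptables restart`:
#   mgmt_port_reachable 22 < /etc/sysconfig/iptables
echo "safe sample:    $(sample_safe_rules | mgmt_port_reachable 22)"
echo "lockout sample: $(sample_lockout_rules | mgmt_port_reachable 22)"
```

Because the check is conservative, a "drop" verdict is a prompt to read the INPUT chain by hand rather than proof of a lockout; an "accept" verdict means a plain --dport rule for the port precedes any blanket DROP, which is the condition the article's note asks for.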