Configuring Iptables Firewall Linux NAT (iptables) configuration under CentOS

Source: Internet
Author: User

Configuring the firewall and NAT forwarding service (iptables) under CentOS

Linux NAT (iptables) configuration

Configuring iptables under CentOS

1. vim /etc/sysconfig/network (the host name can also be changed here):

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=bgi-tj.localdomain
GATEWAY=192.168.11.1   # upstream (public-side) gateway

2. vim /etc/sysconfig/network-scripts/ifcfg-eth0 (the first network card, facing the public network):

# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth0
BOOTPROTO=static
HWADDR=a4:ba:db:43:xx:xx
IPADDR=192.168.11.2    # public network address
NETMASK=255.255.255.0
ONBOOT=yes

GATEWAY=192.168.11.1   # can be left out if it was already set in /etc/sysconfig/network above

3. vim /etc/sysconfig/network-scripts/ifcfg-eth1 (the second network card, facing the intranet):

# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth1
BOOTPROTO=static
HWADDR=a4:ba:db:43:xx:xx
IPADDR=192.168.136.1   # intranet address
NETMASK=255.255.255.0
ONBOOT=yes

4. vim /etc/sysctl.conf. This is the key step: route forwarding, routing and so on all depend on it. Change

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

to

# Controls IP packet forwarding
net.ipv4.ip_forward = 1   # enables the kernel's built-in routing between the two cards

5. sysctl -p (apply the change).

6. service network restart

7. If the second NIC cannot be found, its driver can be loaded; see http://www.cngr.cn/article/63/390/2006/2006071812486.shtml

On systems that use /etc/network/interfaces (Debian and its derivatives) the two cards are edited there instead:

auto eth0
iface eth0 inet static
    address 192.168.18.2
    netmask 255.255.255.0
    network 192.168.18.0
    gateway 192.168.18.1

auto eth1
iface eth1 inet static
    address 172.17.94.93
    netmask 255.255.255.0
    broadcast 172.17.94.255
    gateway 172.17.94.254

The first card is the default; both can be set to come up at the same time.

8. iptables -F

9. iptables -t nat -A POSTROUTING -s 192.168.136.0/24 -o eth0 -j SNAT --to 192.168.11.2
   (traffic from the 136 intranet segment is source-NATed out to the 11 segment)

10. /etc/rc.d/init.d/iptables save, or: service iptables save

11. service iptables restart

12. If DNS names can no longer be resolved, the firewall is blocking it. Run the following commands; they change the running rules first and then save them:

iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
/etc/rc.d/init.d/iptables save
service iptables restart

iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -p udp --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -p udp --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p udp --dport 995 -j ACCEPT
service iptables save
service iptables restart

iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT
iptables -A FORWARD -p udp -j ACCEPT
iptables -A FORWARD -p tcp --dport 1:65534 -j ACCEPT
service iptables save
service iptables restart

In short, the whole sequence is:

sysctl -p
service network restart
iptables -F
iptables -t nat -A POSTROUTING -s 192.168.*.*/24 -o eth0 -j SNAT --to <public IP address>   # 192.168.*.* = your intranet segment
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
service iptables save
service iptables restart

iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --dport 1:65534 -j ACCEPT
iptables -A FORWARD -p udp --dport 1:65534 -j ACCEPT
service iptables save
service iptables restart

The default policies are:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

which can stop many things from working.

IP forwarding (a "springboard"): a port on one IP is mapped to the machine you actually want to use, i.e. port mapping (ports you do not want exposed can simply be left blocked):

iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 2200 -j DNAT --to 192.168.3.202:22
(x.x.x.x = public IP, 2200 = external port number, 192.168.3.202:22 = intranet IP:intranet port)

NAT default route:

ip route add 192.168.6.0/24 via 192.168.11.2

or add a gateway for the segment you want to reach:

route add -net 192.168.6.0/24 gw 192.168.11.1 dev eth0

(the NIC given with dev must be able to reach the target network, e.g. 192.168.11.0/24 and 192.168.6.0/24).
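The steps above (forwarding, flush, policies, SNAT for the intranet segment, per-port FORWARD rules) and the DNAT port mapping just shown, gathered into one script as an added example that is not part of the original article. It defaults to FORWARD DROP with conntrack state instead of the article's "ACCEPT everything" fallback; all interface names, addresses and ports are the article's figures used as placeholders, and with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original article's code. DRY_RUN=1 prints each command
# so the rule set can be reviewed before it is applied as root to a live box.
# LAN_NET / WAN_IF / WAN_IP / ports and the DNAT target are placeholders.
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# nat_gateway_rules LAN_NET WAN_IF WAN_IP "tcp ports allowed out"
nat_gateway_rules() {
    lan_net=$1; wan_if=$2; wan_ip=$3; ports=$4
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F
    # Unlike step 12 above, FORWARD drops by default; only listed traffic passes.
    run iptables -P INPUT ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies to connections the LAN opened come back via conntrack state.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS for LAN clients (the step-12 "DNS cannot be resolved" problem).
    run iptables -A FORWARD -s "$lan_net" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -s "$lan_net" -p tcp --dport 53 -j ACCEPT
    for p in $ports; do
        run iptables -A FORWARD -s "$lan_net" -o "$wan_if" -p tcp --dport "$p" -j ACCEPT
    done
    # Step 9: source NAT for the intranet segment leaving via the public NIC.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j SNAT --to-source "$wan_ip"
}

# port_forward WAN_IP EXT_PORT INT_IP INT_PORT  -- the DNAT "springboard" rule
port_forward() {
    run iptables -t nat -A PREROUTING -d "$1" -p tcp --dport "$2" -j DNAT --to-destination "$3:$4"
    # DNAT only rewrites the destination; FORWARD must also admit the new flow.
    run iptables -A FORWARD -d "$3" -p tcp --dport "$4" -m state --state NEW -j ACCEPT
}

nat_gateway_rules 192.168.136.0/24 eth0 192.168.11.2 "22 25 80 110 143 993 995"
port_forward 192.168.11.2 2200 192.168.3.202 22
```

Run it with DRY_RUN=0 as root only after reading the printed rules, then persist them with service iptables save.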

After all that, a novice is probably quite confused. Let's look at a practical example.

1. Preparatory work

1.1 After the CentOS installation is complete, stop the services you do not need.

1.2 Modify the host name in:
1.2.1 /etc/sysconfig/network
1.2.2 /etc/hosts

1.3 Network card settings
1.3.1 Single IP: /etc/sysconfig/network-scripts/ifcfg-eth0
1.3.2 IP range:
# cd /etc/sysconfig/network-scripts/
# cp -a ifcfg-eth0 ifcfg-eth0-range0
# vi ifcfg-eth0-range0
DEVICE=eth0-range0
IPADDR_START=192.168.136.2    # first IP of the range
IPADDR_END=192.168.136.100    # last IP of the range
GATEWAY=192.168.136.1
NETMASK=255.255.255.0
CLONENUM_START=20     # starting number of the virtual (clone) interfaces; in this example eth0:20, eth0:21, eth0:22, eth0:23 ...
NO_ALIASROUTING=yes   # can also be set in the main file (ifcfg-eth0), from which the virtual interfaces inherit it; it stops each alias from defining its own routing information, which would slow down route lookups
1.3.3 Command-line alternative:
ip addr add 192.168.136.0/24 dev $OUTGOING

1.4 Routing settings
1.4.1 Static routes:
# vi /etc/sysconfig/static-routes
eth0 net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
(device name, network address, subnet mask, gateway address)
or, per interface, in /etc/sysconfig/network-scripts/route-eth0:
10.0.2.0/24 via 192.168.0.144
10.0.3.0/24 via 192.168.0.144
10.0.4.0/24 via 192.168.0.144
1.4.2 Configure the gateway of the system's main routing table, which is the Telecom gateway:
ip route add 0/0 via 22.22.22.1
1.4.3 Add routing rules that send all traffic destined for Netcom to routing table 11, and add the default gateway provided by Netcom to that table:
ip route add 0/0 via 11.11.11.1 table 11
ip rule add to 60.0.0.0/13 table 11
ip rule add to 60.8.0.0/15 table 11
ip rule add to 60.10.0.0/16 table 11
Note: when configuring the network card, do not configure a gateway there, and do not use the old ifconfig command to set the gateway; use iproute2 for it, otherwise the two conflict. Alternatively use "ip route replace" instead of the "ip route add" command.

1.5 Forwarding settings
/etc/sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.netfilter.ip_conntrack_max = 1048576
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300

1.6 resolv.conf
nameserver 10.0.0.1

2. iptables configuration
2.1 iptables initialization
iptables -t nat -F
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -N Newconn
2.2 NAT conversion
2.2.1 First, masquerade the packets leaving through the two WAN ports (MASQUERADE), mainly so that the other side cannot tell where you come from:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
2.2.2 SNAT for a whole network:
iptables -t nat -A POSTROUTING -s <internal IP address/subnet> -o $OUTGOING -j SNAT --to $IPPOOL
2.2.3 Automatic switching between Telecom and Netcom for one network segment:
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d <Telecom IP> -j SNAT --to 222.168.1.3
***
***
***
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 218.62.3.3
2.2.4 Access to 222.222.5.0/15 and 222.240.0.0/13 goes via Telecom; everything else defaults to Netcom:
# echo "200 dianxin" >> /etc/iproute2/rt_tables   (the file needs a table number before the name, 200 here being any unused one; append this line only once)
# ip route replace default via 222.168.1.2 table dianxin
# ip rule add fwmark 1 table dianxin   (mind the order of the rules; check it with "ip rule")
# iptables -t nat -F
# iptables -t mangle -F
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.222.5.0/15 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.240.0.0/13 -j MARK --set-mark 1
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.222.5.0/15 -j SNAT --to $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.240.0.0/13 -j SNAT --to $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to <address of the Netcom line's network card>
# ip route flush cache

2.2.6 Adding similar rules in a loop:
if [ "$ALLOW_ACCESS_CLIENT" != "" ]; then
    for LAN in ${ALLOW_ACCESS_CLIENT}; do
        iptables -A FORWARD -p tcp -m multiport -s ${LAN} -o $ETH_WAN --dports $PORT -j ACCEPT
        iptables -A FORWARD -p udp -m multiport -s ${LAN} -o $ETH_WAN --dports $PORT -j ACCEPT
        iptables -A FORWARD -p tcp -m multiport -i $ETH_WAN --sports $PORT -j ACCEPT
        iptables -A FORWARD -p udp -m multiport -i $ETH_WAN --sports $PORT -j ACCEPT
    done
fi

2.3 Save
iptables-save -c > /etc/sysconfig/iptables
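The dual-line policy routing of section 2.2.4 (mark the Telecom destinations, route marked packets through the Telecom table, SNAT them to the Telecom address, everything else to Netcom) as one function, an added example rather than the article's own script. It registers the routing table only if the name is not already present, since the article's "echo >> rt_tables" appends a duplicate line on every run; table number 200, the interface names and the addresses are assumptions in the article's style, and with DRY_RUN=1 (the default) the commands are printed, not executed. RT_TABLES defaults to a temporary file so the example never touches the real /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not the article's code. DRY_RUN=1 prints the commands; set
# DRY_RUN=0 and RT_TABLES=/etc/iproute2/rt_tables to apply them as root.
DRY_RUN=${DRY_RUN:-1}
RT_TABLES=${RT_TABLES:-$(mktemp)}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# add_rt_table NUMBER NAME -- append only when NAME is not registered yet,
# so repeated runs do not pile up duplicate "200 dianxin" lines.
add_rt_table() {
    grep -q "[[:space:]]$2\$" "$RT_TABLES" 2>/dev/null || echo "$1 $2" >> "$RT_TABLES"
}

# telecom_policy_routing LAN_IF LAN_NET TELECOM_GW TELECOM_IP NETCOM_IP "dest nets"
telecom_policy_routing() {
    lan_if=$1; lan_net=$2; tc_gw=$3; tc_ip=$4; nc_ip=$5; nets=$6
    add_rt_table 200 dianxin                 # 200 is an arbitrary unused table id
    run ip route replace default via "$tc_gw" table dianxin
    run ip rule add fwmark 1 table dianxin    # the rule must exist before marks have any effect
    run iptables -t mangle -F
    run iptables -t nat -F
    for n in $nets; do
        # mark LAN traffic for a Telecom destination, then SNAT it to the Telecom address
        run iptables -t mangle -A PREROUTING -i "$lan_if" -s "$lan_net" -d "$n" -j MARK --set-mark 1
        run iptables -t nat -A POSTROUTING -s "$lan_net" -d "$n" -j SNAT --to-source "$tc_ip"
    done
    # Everything else from the LAN leaves through the Netcom address (main table).
    run iptables -t nat -A POSTROUTING -s "$lan_net" -j SNAT --to-source "$nc_ip"
    run ip route flush cache
}

telecom_policy_routing eth0 192.168.0.0/24 222.168.1.2 222.168.1.3 218.62.3.3 "222.222.5.0/15 222.240.0.0/13"
```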

#--+--+--+--+--+--+--+--+--+--+--+--+--+--

Configuring the iptables firewall under CentOS is essential. Let's learn how to do it!

My blog has mentioned firewall configuration before.

To set up a firewall in Linux, CentOS for example, open the iptables configuration file:

vi /etc/sysconfig/iptables

The command /etc/init.d/iptables status shows whether port 80 is open. If it is not, there are two ways to handle it:

1. Edit the file with vi /etc/sysconfig/iptables and add a rule that opens port 80 in the firewall:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

2. Stop, start or restart the firewall:

/etc/init.d/iptables stop

# start   -- start it
# restart -- restart it

3. Permanently shut down the firewall:

chkconfig iptables off

/etc/init.d/iptables stop

iptables -P INPUT DROP

4. Open port 21 for active-mode FTP:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

5. Open the passive-mode port range 49152~65534:

iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

Attention:

Be sure to leave yourself a way back in: a management port, and the SSH port used for administration.

Note also that you must adapt this file to the circumstances of your own server.

Restart iptables after all modifications are complete:

service iptables restart

Then verify that the rules are in effect:

iptables -L
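A check for the "leave yourself a way back in" warning above, as an added example that is not from the original post: before restarting iptables with an INPUT DROP policy, confirm that the saved rule file still accepts the management port. It reads the iptables-save format that "service iptables save" writes, understands both single ports and "a:b" ranges, and is exercised here on a constructed sample file rather than the real /etc/sysconfig/iptables; the chain name RH-Firewall-1-INPUT is the one the article's rule uses.

```shell
#!/bin/sh
# Added example, not the article's code. port_allowed FILE PORT exits 0 when an
# ACCEPT rule for tcp PORT exists on INPUT or RH-Firewall-1-INPUT, counting both
# "--dport N" and "--dport A:B" ranges; check_mgmt_access refuses if tcp/22 is absent.
port_allowed() {
    awk -v want="$2" '
        /^-A (INPUT|RH-Firewall-1-INPUT) / && /-j ACCEPT/ && /-p tcp/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                split($(i+1), r, ":"); lo = r[1]; hi = (2 in r) ? r[2] : r[1]
                if (want+0 >= lo+0 && want+0 <= hi+0) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_mgmt_access FILE -> 0 only if SSH (tcp/22) would still get in
check_mgmt_access() {
    if port_allowed "$1" 22; then echo "ok: tcp/22 allowed in $1"; return 0; fi
    echo "refusing to restart: no ACCEPT rule for tcp/22 in $1" >&2
    return 1
}

# Constructed sample of what the article's edits leave in /etc/sysconfig/iptables:
# web and passive FTP are open, but nobody added an SSH rule.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 49152:65534 -j ACCEPT
COMMIT
EOF

port_allowed "$sample" 80 && echo "tcp/80 open"
port_allowed "$sample" 50000 && echo "tcp/50000 open (inside the passive range)"
check_mgmt_access "$sample" || true
```

Against a real box, run check_mgmt_access /etc/sysconfig/iptables before service iptables restart.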
