Doing this is far too much trouble; I accidentally locked myself out.
----------------------------------------------
I. Preface
II. Environment
III. Syntax
IV. Configuration and testing
1. SNAT case
2. DNAT case
3. SSH case
4. SSH in depth (custom rules)
5. Web and FTP (custom rules)
6. Web and FTP (system default rules)
V. Saving
----------------------------------------------
I. Preface
iptables is the userspace front end to the IP packet filtering system integrated in the Linux kernel (netfilter). It gives fine-grained control over packet filtering and firewall configuration whether the Linux machine is a host connected to the Internet or a LAN, a server, or a gateway/proxy joining a LAN to the Internet.
netfilter/iptables is a packet filter: it decides on network-layer fields (source address, destination address, IP protocol such as ICMP; ARP is not an IP protocol and is handled by the separate arptables tool) and transport-layer fields (TCP/UDP, source and destination port, TCP flags SYN/ACK/FIN/RST, and the connection-tracking state NEW, ESTABLISHED, RELATED, INVALID). Application-layer (L7) matching was the job of the l7-filter project, which is no longer maintained.
II. Environment
CentOS6.4 32-bit
III. Syntax
netfilter framework:
1. filter table: the firewall policy proper
INPUT: traffic addressed to the firewall itself (e.g. intranet or extranet hosts reaching a web or MySQL service running on it)
OUTPUT: traffic originating from the firewall itself (e.g. the firewall reaching resources on the intranet or extranet)
FORWARD: traffic passing through the firewall from one interface to another
2. nat table: address translation
POSTROUTING: SNAT, source address translation (internal hosts reaching the outside)
PREROUTING: DNAT, destination address translation (outside hosts reaching internal servers)
OUTPUT: DNAT for packets generated by the firewall itself
3. mangle table: packet modification such as TOS/QoS marking, rarely used; it has all five chains
INPUT
OUTPUT
FORWARD
POSTROUTING
PREROUTING
Basic syntax:
iptables -t <table> <command> <chain> [match options] -j <target>
Tables (-t):
filter: INPUT, OUTPUT, FORWARD (the default when -t is omitted)
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Commands:
-L --list  list the rules of a table (or of one chain)
-A --append  append one rule at the end of a chain
-D --delete <chain> <number>  delete the rule with that number from the chain
-I --insert <chain> <number>  insert one rule at the given position (1 is the top)
-R --replace <chain> <number>  replace the rule with that number
-P --policy <chain> <target>  set the chain's default policy, i.e. what happens when no rule matches
-N --new-chain <name>  create a user-defined chain
-X --delete-chain [chain]  delete one (or every empty) user-defined chain in the table; the built-in chains cannot be deleted
-F --flush [chain]  delete all rules in the table (or in one chain), on built-in and user-defined chains alike; the default policies are left unchanged
-n --numeric  show addresses and ports as numbers instead of resolving them to names
-v --verbose  more detail (packet and byte counters, interfaces)
--line-numbers  number the rules in the listing
Match options:
-s --source  source address/subnet
-d --destination  destination address/subnet
-i --in-interface  the interface the packet arrived on, e.g. ppp0, eth0, eth1 (only valid in the INPUT, FORWARD and PREROUTING chains)
-o --out-interface  the interface the packet leaves on, e.g. ppp0, eth0, eth1 (only valid in the OUTPUT, FORWARD and POSTROUTING chains)
-p --protocol  tcp/udp/icmp; with tcp or udp, --sport (source port) and --dport (destination port); with icmp, --icmp-type
Modules:
-m <module> <parameters>, e.g. -m state --state NEW,ESTABLISHED,RELATED,INVALID for connection-tracking state
Targets (-j):
ACCEPT  let the packet through
DROP  discard the packet silently
REJECT  discard the packet and send an error back to the sender (ICMP port-unreachable by default; --reject-with selects another, e.g. icmp-host-prohibited or tcp-reset)
SNAT  source address translation (nat table, POSTROUTING)
DNAT  destination address translation (nat table, PREROUTING and OUTPUT)
MASQUERADE  like SNAT, but uses whatever address the outgoing interface currently has (for dynamic WAN addresses)
REDIRECT  redirect the packet to a port on the firewall itself
Rule order: a chain is evaluated top to bottom, the first rule that matches with a terminating target decides, and if no rule matches the chain's default policy applies.
IV. Configuration and testing
1. SNAT case
[Figure: network topology (Tuopu.png). As used in the commands below: the LAN 192.168.2.0/24 with PC1 sits behind the firewall, whose WAN interface eth2 has the address 192.168.1.105; the external gateway is 192.168.1.1.]
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1   // enable IP forwarding between interfaces
# sysctl -p
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j SNAT --to 192.168.1.105
# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT)
num   pkts bytes target  prot opt in   out   source          destination
Chain POSTROUTING (policy ACCEPT)
num   pkts bytes target  prot opt in   out   source          destination
1        0     0 SNAT    all  --  *    eth1  192.168.2.0/24  0.0.0.0/0    to:192.168.1.105
Chain OUTPUT (policy ACCEPT)
num   pkts bytes target  prot opt in   out   source          destination
(The out interface in this listing reads eth1 in the original capture, while the commands throughout this article use eth2 as the WAN interface.)
At this point PC1 pings 192.168.1.1 (the external gateway) and may get "Destination Host Prohibited".
The reason is that CentOS ships a REJECT rule at the end of the FORWARD chain of the filter table (traffic passing through the firewall), and forwarding has to be allowed there; the quick way is to flush the chain.
# iptables -t filter -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited
# iptables -t filter -F FORWARD
PC1 can now reach the external network. Note that flushing leaves FORWARD with its ACCEPT policy and no rules at all, so the firewall now forwards everything in both directions; the tighter choice is to insert ACCEPT rules above the REJECT for the LAN subnet going out and for RELATED,ESTABLISHED replies coming back, and keep the REJECT.
If there is an FTP server on the external network, access through a browser works (browsers use passive mode, so the client itself opens the data connection), but a command-line client in active mode gets no directory listing or data: the server tries to connect back to the private address the client announced in its PORT command. The FTP NAT helper rewrites that command and tracks the resulting data connection, so it has to be loaded:
# modprobe ip_nat_ftp
(On CentOS 6 this name is an alias for nf_nat_ftp, which pulls in nf_conntrack_ftp.)
If eth2 gets its address dynamically, use address masquerading instead of a fixed SNAT address (here replacing rule 1 of POSTROUTING):
# iptables -t nat -R POSTROUTING 1 -s 192.168.2.0/24 -o eth2 -j MASQUERADE   // address masquerading
SNAT summary
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j SNAT --to 192.168.1.105   (static WAN address)
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE   (dynamic WAN address)
2. DNAT case (mostly used for publishing servers)
# iptables -t nat -A PREROUTING -d 192.168.1.105 -p tcp --dport 3389 -j DNAT --to 192.168.2.100
# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT)
pkts bytes target  prot opt in   out  source    destination
   4   204 DNAT    tcp  --  any  any  anywhere  192.168.1.105  tcp dpt:ms-wbt-server to:192.168.2.100
Hosts on the external network can now open a Remote Desktop session to PC1 on the intranet by connecting to 192.168.1.105 (ms-wbt-server is the service name for port 3389). The translated packets still traverse the filter table's FORWARD chain, so that chain must let them through (it was flushed in the SNAT case); nothing is needed for the reply direction, because connection tracking reverses the translation on the way back.
[Screenshots 105.jpg and admin.jpg: Remote Desktop connection from the external network to 192.168.1.105, landing on PC1.]
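The SNAT and DNAT cases above are built one rule at a time; the added example below (not code from the original article) generates the same router policy as a single iptables-restore file, so the whole thing can be reviewed as text before it is loaded. It assumes a LAN interface name of eth1 (the article never names it) and, instead of flushing FORWARD, gives that chain a DROP policy with explicit ACCEPT rules for LAN-originated traffic, replies, and the published ports.

```bash
#!/bin/bash
# Added example (not from the original article): build the SNAT/DNAT router
# of sections 1 and 2 as one iptables-restore file.
#
# Assumptions (not stated in the article): the LAN side is eth1, and the
# FORWARD chain gets a DROP policy with explicit ACCEPTs instead of being
# flushed, so only the LAN's outbound traffic, its replies, and the published
# ports are forwarded.
#
# Usage: gen_router_rules WAN_IF LAN_IF LAN_NET WAN_IP [PORT:INTERNAL_IP ...]
#   WAN_IP   static WAN address used for SNAT --to-source, or the word
#            "dynamic" to use MASQUERADE instead (DHCP/PPPoE uplinks)
#   PORT:IP  TCP port to publish with DNAT, e.g. 3389:192.168.2.100
gen_router_rules() {
    local wan_if=$1 lan_if=$2 lan_net=$3 wan_ip=$4
    shift 4
    local pub port ip snat_target

    if [ "$wan_ip" = "dynamic" ]; then
        snat_target="MASQUERADE"
    else
        snat_target="SNAT --to-source $wan_ip"
    fi

    # --- nat table: address translation only, no filtering decisions here ---
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for pub in "$@"; do
        port=${pub%%:*}
        ip=${pub#*:}
        if [ "$wan_ip" = "dynamic" ]; then
            # no fixed address to match on, so match the inbound interface
            echo "-A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $ip:$port"
        else
            echo "-A PREROUTING -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $ip:$port"
        fi
    done
    echo "-A POSTROUTING -s $lan_net -o $wan_if -j $snat_target"
    echo "COMMIT"

    # --- filter table: what may pass *through* the firewall (FORWARD) ---
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # replies to anything already allowed; once nf_nat_ftp is loaded this also
    # carries active-mode FTP data connections via the RELATED state
    echo "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # LAN hosts may open new connections to the outside
    echo "-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT"
    # published services: DNAT has already rewritten the destination by the
    # time the packet reaches FORWARD, so match on the internal address
    for pub in "$@"; do
        port=${pub%%:*}
        ip=${pub#*:}
        echo "-A FORWARD -i $wan_if -o $lan_if -d $ip -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Stand-alone run: the article's static-address setup, publishing RDP to PC1.
gen_router_rules eth2 eth1 192.168.2.0/24 192.168.1.105 3389:192.168.2.100
```

Redirect the output to a file, enable forwarding with `sysctl -w net.ipv4.ip_forward=1`, load it with `iptables-restore < file`, check it with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`, then `service iptables save`. Loading via iptables-restore replaces the tables atomically, so there is no window in which the old REJECT and the new rules are half applied.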
3. Firewall settings for the SSH service
For INPUT:
--dport and -d refer to the firewall's own port and address
--sport and -s refer to the port and address of the peer that initiated the connection
For OUTPUT:
--sport and -s refer to the firewall's own port and address
--dport and -d refer to the port and address of the peer that initiated the connection
(1) As SSH server
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(2) As SSH client
# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --sport 22 -j ACCEPT
Note: ssh to the machine's own IP address is a special case in which the server is both client and server of the connection, so both rule sets apply to it.
The client rules in (2) are a hole: INPUT accepts any TCP packet whose source port is 22, no matter which local port it is aimed at or whether any connection exists. An attacker who binds source port 22 on their own host can send packets to every port on the server and get past the firewall, including completing a handshake with any listening service. The fix is to have iptables check the connection-tracking state of the incoming packet: only packets that belong to a connection the server itself set up (ESTABLISHED) are accepted, everything else is dropped.
4. SSH in depth (custom rules)
(1) As SSH server, with the default policy of every chain set to DROP
# iptables -t filter -A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -d 192.168.2.0/24 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source           destination
ACCEPT     tcp  --  192.168.2.0/24   0.0.0.0/0        tcp dpt:22 state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target     prot opt source           destination
Chain OUTPUT (policy DROP)
target     prot opt source           destination
ACCEPT     tcp  --  0.0.0.0/0        192.168.2.0/24   tcp spt:22 state ESTABLISHED
Add the ACCEPT rules before switching the policies to DROP; doing it the other way round over an SSH session is exactly how one gets locked out.
(2) As a client (SSH, DNS)
# iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Only the inbound half is shown here; with an OUTPUT policy of DROP, a matching OUTPUT rule for destination port 22 in state NEW,ESTABLISHED is needed as well, and DNS (UDP port 53) follows the same pattern.
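Two of the mistakes discussed so far can be caught by reading the saved rule set instead of waiting for an incident: the source-port-only ACCEPT of section 3, and a rule that sits below a catch-all REJECT and therefore never matches (rules are evaluated top to bottom, as noted in the syntax section). The added example below is not code from the original article; it is a small audit over iptables-save/iptables-restore formatted text, run here against a constructed sample rather than a capture from the article's machine.

```bash
#!/bin/bash
# Added example (not from the original article): audit an iptables-save dump
# for two classic mistakes. The sample input at the bottom is constructed.
#   1. "source-port-only accept": an INPUT ACCEPT keyed on --sport with no
#      connection-state check, the hole in the SSH client rules of section 3.
#      An attacker who binds that source port on their own host reaches every
#      local port through it.
#   2. "unreachable": a rule placed after a catch-all REJECT/DROP in the same
#      chain. Rules are evaluated top to bottom, so it can never match; this
#      is what -A does when it appends below the CentOS default REJECT.
# Usage: audit_rules < /etc/sysconfig/iptables   (or: iptables-save | audit_rules)
# Prints one "WARN <reason>: <rule>" line per finding; prints nothing if clean.
audit_rules() {
    awk '
        # a new table starts: forget per-chain catch-all state
        /^\*/            { split("", blocked); next }
        $1 != "-A"       { next }   # only rule lines matter
        {
            chain = $2
            rule  = $0
            if (chain in blocked) {
                print "WARN unreachable (after catch-all " blocked[chain] " in " chain "): " rule
                next
            }
            has_sport = (rule ~ /--sport /)
            has_state = (rule ~ /--state / || rule ~ /--ctstate /)
            if (chain == "INPUT" && rule ~ /-j ACCEPT/ && has_sport && !has_state)
                print "WARN source-port-only accept: " rule
            # a catch-all is a terminating target with no match at all:
            # "-A CHAIN -j REJECT ..." or "-A CHAIN -j DROP". Catch-alls that
            # carry only a -m comment are not recognised by this simple check.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP"))
                blocked[chain] = $4
        }
    '
}

# Constructed sample: a CentOS 6 style INPUT chain with both mistakes added
# (the bare --sport 22 accept, and a port 80 rule appended below the REJECT).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Stand-alone run over the sample: two WARN lines are expected.
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

The stateful variant of the same --sport 22 rule (the line with --state ESTABLISHED) passes the first check, which is the point of section 4; the port 80 rule below the REJECT is the case that `service iptables save` will happily preserve without ever letting a web connection in.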
5. Web and FTP (custom rules)
# setup   // turn off the system default firewall rules
[Screenshot Setup1.png: the setup tool's Firewall configuration screen with the firewall disabled.]
# iptables -L   // the system default rules are all gone
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
(1) Web server (port 80)
# iptables -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
(2) FTP server
# iptables -t filter -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
# modprobe ip_nat_ftp
Port 21 is the control connection. Port 20 is the server's side of an active-mode data connection, which the server opens itself, hence NEW is allowed on OUTPUT from source port 20 while INPUT to port 20 only accepts ESTABLISHED. Passive-mode clients instead connect to a random high port the server announces; those data connections are not covered by the rules above unless the FTP connection-tracking helper is loaded (on a server that does no NAT, nf_conntrack_ftp is the module that matters) and INPUT also accepts packets in state RELATED.
6. Web and FTP (system default rules)
# setup   // turn the system default firewall rules back on
[Screenshot Setup2.png: the setup tool's Firewall configuration screen with the firewall enabled.]
# iptables -L   // the system default rules
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
(The third INPUT rule is the loopback rule, -i lo; -L without -v does not display the interface.)
Rules for opening FTP:
[Screenshot Ftp.png: the setup tool's Customize screen with FTP selected as a trusted service.]
Rules for opening the web:
[Screenshot Www.png: the setup tool's Customize screen with WWW (HTTP) selected as a trusted service.]
# iptables -L -n --line-numbers   // the overall default rules with FTP and web opened
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:21
7    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target     prot opt source       destination
1    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source       destination
The tool places the new ACCEPT rules (5 and 6) above the final REJECT. A rule appended by hand with -A lands below that REJECT and never matches, so when adding to a chain that ends in a catch-all REJECT use -I with a position instead. Passive-mode FTP data connections are covered by rule 1 only if the nf_conntrack_ftp helper is loaded, which makes them RELATED.
V. Saving
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
All rules are saved in /etc/sysconfig/iptables, from which the iptables service reloads them at boot. Rules added with the iptables command alone live only in the kernel and are lost at the next reboot unless saved this way.
This article is from the "Promise" blog; please keep this source: http://yinuoqianjin.blog.51cto.com/8360868/1413060