DMZ host implementation

[Topology]
1. Linux server (the firewall)
   eth0: 212.75.218.2
   eth1: 192.168.1.253/24
   eth2: 192.168.1.254/24
2. Internet host
   eth0: 212.74.218.1
3. Intranet client (there can be many; test with one)
   eth0: 192.168.1.51/24
4. Intranet server (one is enough for testing)
   eth0: 192.168.1.1/24

[Configuration]

[Linux server]
1. The Linux server is used as a firewall: stop all services on it and set the default iptables policy of every chain to DROP.
   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -P FORWARD DROP
2. Enable IP forwarding in the Linux kernel.
   echo 1 > /proc/sys/net/ipv4/ip_forward
3. Add host routes (not needed by default).
   route add -host 192.168.1.51 dev eth2
   route add -host 192.168.1.1 dev eth1
4. Add destination address translation (so that the Internet can reach the intranet server).
   iptables -t nat -A PREROUTING -d 212.75.218.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
   // the destination address is rewritten to the intranet server
   iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
   // inbound packets to 192.168.1.1 are accepted
   iptables -A FORWARD -s 192.168.1.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
   // outbound packets from 192.168.1.1 are accepted
   // At this point the Internet can reach 212.75.218.2, and access to the intranet server 192.168.1.1 is limited to TCP (port 80 only).
5. Let the intranet client reach the Internet.
   iptables -t nat -A POSTROUTING -s 192.168.1.51 -p tcp -m state --state NEW,ESTABLISHED -j SNAT --to-source 212.75.218.2
   // the client goes out through the Internet address
   iptables -A FORWARD -s 192.168.1.51 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
   // packets from the intranet client are accepted
   iptables -A FORWARD -d 192.168.1.51 -p tcp -m state --state ESTABLISHED -j ACCEPT
   // reply packets to the intranet client's requests are accepted
   // At this point the intranet client segment can reach the Internet, TCP only.

[Intranet client]
1. Set the IP address.
   ifconfig eth0 192.168.1.51/24 up
2. Add the default gateway.
   route add default gw 192.168.1.254

[Intranet server]
1. Set the IP address.
   ifconfig eth0 192.168.1.1/24 up
2. Add the default gateway.
   route add default gw 192.168.1.253
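The firewall ruleset above as one re-runnable script, added here as an example rather than the post's own commands; the variable names (IPT, WAN_IP, DMZ_SERVER, LAN_NET) are assumptions, and it generalises the client step from the single host 192.168.1.51 to the whole 192.168.1.0/24 segment. Setting IPT=echo prints the commands instead of applying them, which is how the rules can be reviewed on a machine that is not the firewall.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumed variables:
IPT="${IPT:-iptables}"                 # set IPT=echo for a dry run
WAN_IP="${WAN_IP:-212.75.218.2}"       # public address of the firewall (eth0)
DMZ_SERVER="${DMZ_SERVER:-192.168.1.1}"  # published intranet web server
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # whole client segment instead of one host

enable_forwarding() {
    # Same as "echo 1 > /proc/sys/net/ipv4/ip_forward" in the post, but only
    # attempted when the file is writable (i.e. we really are root on Linux).
    if [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_dmz_rules() {
    # Flush first so that re-running the script does not append duplicate rules.
    $IPT -F
    $IPT -t nat -F
    # Default deny on every chain, as in the post.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Publish the DMZ web server: only TCP/80 arriving for WAN_IP is translated,
    # and only that traffic (plus its replies) may be forwarded to the server.
    $IPT -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 80 \
         -j DNAT --to-destination "$DMZ_SERVER:80"
    $IPT -A FORWARD -d "$DMZ_SERVER" -p tcp --dport 80 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$DMZ_SERVER" -p tcp --sport 80 \
         -m state --state ESTABLISHED -j ACCEPT

    # Masquerade the LAN segment behind WAN_IP for outbound TCP; replies are
    # allowed back in only when conntrack already knows the connection.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -p tcp \
         -m state --state NEW,ESTABLISHED -j SNAT --to-source "$WAN_IP"
    $IPT -A FORWARD -s "$LAN_NET" -p tcp \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -d "$LAN_NET" -p tcp \
         -m state --state ESTABLISHED -j ACCEPT
}

# Usage: run as root on the firewall, or IPT=echo ./dmz.sh to print the rules.
enable_forwarding
apply_dmz_rules
```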