Using the Linux system firewall for IP address mapping

Source: Internet
Author: User

First, the environment

Server IP address: 192.168.1.2

Linux host IP addresses: 192.168.1.3 (eth0); 192.168.10.20 (eth1)

Client IP address: 192.168.10.30

The topology diagram is as follows:

[Figure: topology diagram, "Linux does IP address mapping.png"]

Second, the configuration

1. Turn on the firewall data forwarding function

Configuration file: /proc/sys/net/ipv4/ip_forward

The default value in this file is 0; change it to 1.

Note: 0 means forwarding is turned off; 1 means forwarding is turned on.

2. iptables in the Linux operating system

The commands to use:

(1) View the current firewall rules on this machine: iptables -L -n

Parameters:

-L: Lists the rules in the current table

-n: Do not resolve IP addresses and hostnames; the listing is displayed much faster.

(2) Empty the existing firewall rules: iptables [-FXZ]

Parameters:

-F: Flushes all rules that have been added to the chains

-X: Deletes all user-defined chains

-Z: Zeroes the packet and byte counters of all chains

(3) Configure the firewall forwarding function with commands

A. First, when the client initiates a connection request to the server: the packet is sent by the client (192.168.10.30) and arrives at the Linux host (192.168.10.20). The firewall rewrites the packet header with a new source address (192.168.1.3). In simple terms, as the packet passes through the Linux host's firewall, its header is translated: the old source address (the client address, 192.168.10.30) is replaced by the new source address (the Linux host's eth0 address, 192.168.1.3).

Command:

iptables -t nat -A POSTROUTING -s 192.168.10.30 -o eth0 -j SNAT --to-source 192.168.1.3

Parameters:

-t: followed by a table name, such as nat or filter; if omitted, the filter table is used by default

-A chain name: Appends a rule after the existing rules in the chain. For example, if the chain already has two rules, a rule added with -A becomes the third.

-i / -o network interface: specifies the interface on which the packet enters or leaves

-o: The network interface through which the packet leaves. Used with POSTROUTING (modifying the source IP).

-i: The network interface through which the packet enters. Used with PREROUTING (modifying the destination IP).

-s source IP/network: the source of the packets this rule applies to; -d destination IP/network: same as -s, but for the destination IP/network

-j: the action to take; SNAT modifies the source address in the packet header, DNAT modifies the destination address in the packet header

B. Once the packet from the client has arrived on eth1, it is translated again:

Command:

iptables -t nat -A PREROUTING -d 192.168.10.20 -i eth1 -j DNAT --to-destination 192.168.1.2   # packets for 192.168.10.20 arrive on eth1, so the rule must match -i eth1

Similarly, when the server returns a packet in reply to the client request:

iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -j SNAT --to-source 192.168.10.20

iptables -t nat -A PREROUTING -d 192.168.1.3 -i eth0 -j DNAT --to-destination 192.168.10.30   # the server's reply to 192.168.1.3 arrives on eth0, so the rule must match -i eth0

The firewall configuration is complete.
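The whole procedure above (forwarding switch, flush, NAT rules, listing) as an added example script; this is not code from the original post. It uses the post's own addresses and interface names; the APPLY and DRYRUN variables and the run helper are introduced here, and with DRYRUN set the script only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not code from the original post: the same address mapping as a
# re-runnable script with a dry-run mode. Names/addresses are the ones in the post.
#   APPLY=1 sh nat-map.sh            -> applies the rules (root required)
#   APPLY=1 DRYRUN=1 sh nat-map.sh   -> only prints the commands it would run
set -e

WAN_IF=eth0; WAN_IP=192.168.1.3     # side facing the server
LAN_IF=eth1; LAN_IP=192.168.10.20   # side facing the client
SERVER=192.168.1.2
CLIENT=192.168.10.30

# Run a command, or echo it when DRYRUN is set.
run() { if [ -n "${DRYRUN:-}" ]; then echo "$@"; else "$@"; fi; }

enable_forwarding() {
  # /proc/sys/net/ipv4/ip_forward: 0 = no forwarding (default), 1 = forward
  run sysctl -w net.ipv4.ip_forward=1
}

apply_nat() {
  # Empty the nat table first so re-running does not stack duplicate rules.
  run iptables -t nat -F
  # Client -> server. A packet for 192.168.10.20 enters on eth1 (the post writes
  # -i eth0 here, which never matches), gets its destination rewritten to the
  # server, then leaves on eth0 with its source rewritten to 192.168.1.3.
  run iptables -t nat -A PREROUTING  -i "$LAN_IF" -s "$CLIENT" -d "$LAN_IP" \
      -j DNAT --to-destination "$SERVER"
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$CLIENT" -d "$SERVER" \
      -j SNAT --to-source "$WAN_IP"
  # Server -> client replies need no rules: the nat table is consulted only for
  # the first packet of a connection and conntrack reverses both translations
  # for the replies. The post's two "return" rules would instead apply to NEW
  # connections the server itself opens towards 192.168.1.3, which is unlikely
  # to be intended, so they are left out here.
}

show_nat() { run iptables -t nat -L -n -v --line-numbers; }

if [ -n "${APPLY:-}" ]; then
  enable_forwarding
  apply_nat
  show_nat
fi
```

After applying, the listing from show_nat should show the DNAT rule in PREROUTING and the SNAT rule in POSTROUTING with non-zero packet counters once the client has connected.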


Please correct me if there are deficiencies or errors in this area.

This article is from the "12203305" blog, please be sure to keep this source http://12213305.blog.51cto.com/12203305/1869266
