Introduction to Linux port redirection and iptables
By Guo shilong
Requirement:
The lab has set up an internal management information system (B/S architecture) that every lab member must log on to over the network, but the members who use it are no longer on the same network.
The information system is an IIS web server running on WinXP;
The lab uses SuSE Linux as the server that connects to the Internet;
The Linux server has two NICs: one serves as the LAN gateway and the other connects to the Internet;
Gateway IP: 192.68.0.1
Internet static IP: 202.11*.1*.72
LAN WinXP static IP: 192.168.0.228
Port: 8100
Solution
Forward traffic arriving from the Internet (or from the internal network) at port 8100 of the Linux server to the web server on the LAN: external IP --> 202.11*.1*.72:8100 (192.68.0.1:8100) --> 192.168.0.228:8100, and external IP <-- 202.11*.1*.72:8100 (192.68.0.1:8100) <-- 192.168.0.228:8100. Achieving this port redirection requires network address translation (NAT) and a firewall. Both are provided by the Linux kernel's netfilter subsystem, and iptables is the only tool for controlling netfilter. The following shows how to implement the port redirection with iptables (enter the commands at a terminal):
(1) iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
(2) iptables -t nat -A PREROUTING -d 202.11*.1*.72 -p tcp --dport 8100 -j DNAT --to 192.168.0.228:8100
(3) iptables -A FORWARD -d 192.168.0.228 -p tcp --dport 8100 -j ACCEPT
(4) iptables -t nat -A POSTROUTING -d 192.168.0.228 -p tcp --dport 8100 -j SNAT --to 192.168.0.1
Rule 1: packets in the ESTABLISHED or RELATED state are allowed to pass from any address to any address. netfilter tracks connections in several states: NEW, ESTABLISHED, RELATED, and INVALID. When a machine on the intranet accesses the Internet it sends a request packet; that packet is in the NEW state, and the rules allow it to pass. When the reply comes back from the Internet its state is ESTABLISHED: Linux knows the packet is a response to a request sent by an intranet machine, so it is allowed through. When the Internet tries to initiate a new connection to the intranet, the state is NEW, and unless a rule explicitly allows it, Linux blocks it.
Rule 2: in the PREROUTING chain of the nat table, a packet from the Internet whose destination address is 202.11*.1*.72, protocol TCP, destination port 8100, has its destination rewritten to 192.168.0.228 port 8100; this is destination address translation (DNAT).
Rule 3: in the FORWARD chain of the filter table, packets whose destination address is 192.168.0.228 and destination TCP port is 8100 are allowed through the filter table.
Rule 4: in the POSTROUTING chain of the nat table, the source address of packets whose destination is 192.168.0.228 TCP port 8100 is rewritten to 192.168.0.1; this is source address translation (SNAT).
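A script form of the four rules above, added here as an example and not part of the original article: it prints the rules for review and applies them only when run with the argument apply. It uses port 8100 in the SNAT rule as the explanation of rule 4 states, narrows rules 2 and 3 with -i on the Internet-facing interface (assumed to be eth0) and --state NEW so only fresh Internet connections are redirected, and substitutes the constructed placeholder 203.0.113.72 for the masked public address.

```shell
#!/bin/sh
# Added example, not from the original article: emit the article's four-rule
# port redirection as a reviewable list, applying it only on request.
WAN_IP="${WAN_IP:-203.0.113.72}"      # constructed placeholder for the masked public IP
WAN_IF="${WAN_IF:-eth0}"              # assumed name of the Internet-facing NIC
LAN_HOST="${LAN_HOST:-192.168.0.228}" # the IIS server from the article
GW_IP="${GW_IP:-192.168.0.1}"         # gateway LAN address used by the SNAT rule
PORT="${PORT:-8100}"                  # the web server port from the article

# Print the rules, one iptables invocation per line. The SNAT rule matches
# --dport $PORT (8100), as the article's explanation of rule 4 describes.
# -i $WAN_IF and --state NEW narrow rules 2 and 3 to fresh Internet connections.
port_forward_rules() {
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $LAN_HOST:$PORT
iptables -A FORWARD -i $WAN_IF -d $LAN_HOST -p tcp --dport $PORT -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -d $LAN_HOST -p tcp --dport $PORT -j SNAT --to-source $GW_IP
EOF
}

# Number of rules that would be applied; a quick sanity check before applying.
rule_count() {
    port_forward_rules | wc -l | tr -d ' '
}

# Apply the rules for real (needs root). Forwarding also requires
# net.ipv4.ip_forward=1, which the article does not mention.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    port_forward_rules | while IFS= read -r rule; do
        $rule   # word-split into the iptables command and its arguments
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    port_forward_rules
fi
```

Run it without arguments to review the generated rules, then with apply as root on the gateway.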
Automatic Loading
After adding the rules, back them up so that they are reloaded automatically when the machine restarts; otherwise the rules are lost after a power loss.
Method 1: run iptables-save > /etc/iptables, which stores the rules under /etc in a file named iptables. Some systems load this file automatically.
Method 2: run iptables-save > /root/iptables-script, storing the rules in a file named iptables-script.
Loading method: edit the startup file with vi /etc/rc.d/rc.local, add the line iptables-restore < /root/iptables-script, then save and exit with :wq.
Method 3: iptables-save > /etc/sysconfig/iptables
chkconfig iptables on
Method 4: service iptables save (writes the current rules to /etc/sysconfig/iptables)
chkconfig iptables on (makes the iptables service start automatically at boot)
Introduction to iptables commands
Main Components
To make the commands above easier to understand, here is a brief introduction to the iptables command. The iptables manual runs to 1824 lines of help text, and reading all of it in English is heavy going. iptables is used to set up, maintain, and inspect the IP packet filtering rules in the Linux kernel. Table: the kernel defines several tables, each containing built-in and user-defined chains. Chain: a list of rules that can match a set of packets. Rule: specifies what to do with a packet that matches; this action is called the target.
Chain
The built-in chains are PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.
Table
There are three independent tables: filter, nat, and mangle.
filter is the default table (used when no -t option is given). It contains the built-in chains INPUT (control point for packets destined for local sockets), FORWARD (control point for packets being routed through the box), and OUTPUT (control point for locally generated packets).
nat is consulted when a packet creates a new connection. It contains three built-in chains: PREROUTING (alters packets as soon as they arrive), OUTPUT (alters locally generated packets before routing), and POSTROUTING (alters packets as they are about to go out).
mangle is used for specialized packet alteration. It contains PREROUTING (alters packets as soon as they arrive), OUTPUT (alters locally generated packets before routing), POSTROUTING (alters packets as they are about to be sent out), INPUT (control point for packets destined for local sockets), and FORWARD (control point for packets being routed through the box).
Rules
The firewall specifies a packet matching rule and a target. If the packet does not match, the next rule in the chain is checked. If it matches, the target determines what happens next: it may be a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, RETURN.
ACCEPT lets the packet through.
DROP discards the packet.
QUEUE passes the packet to user space.
RETURN stops traversal of the current chain and resumes at the next rule in the calling chain.
Other common extension targets:
DNAT is valid only in the PREROUTING and OUTPUT chains of the nat table and specifies that the destination address of the packet should be modified. For example, if the network adapter connected to the Internet is eth0 and HTTP requests from the Internet (TCP packets with destination port 80) should be forwarded to the web server 192.168.1.80 on the internal network: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.80
MASQUERADE maps the packet to the address of the outgoing interface. It is valid only in the POSTROUTING chain of the nat table and should only be used on connections with dynamically assigned IP addresses; with a static IP, use SNAT.
NETMAP maps an entire network onto another network address: --to address[/mask].
REJECT rejects the packet by sending back an error packet; otherwise it is equivalent to DROP.
SNAT is valid only in the POSTROUTING chain of the nat table and specifies that the source address of the packet should be modified.
Common iptables command options
-A chain rule-specification: append rules at the end of the selected chain;
-I chain [rulenum] rule-specification: insert rules into the selected chain at the given rule number (rulenum starts at 1);
-L [chain]: list all rules. iptables -t nat -n -L is commonly used to list rules; -n disables name resolution and speeds up the command;
-D chain rulenum: delete the specified rule from the selected chain;
-R chain rulenum rule-specification: replace a rule;
-F [chain]: flush (delete) all rules;
-N chain: define a new chain;
-X [chain]: delete a user-defined chain; with no argument, deletes every non-built-in chain in the table;
-P chain target: set the default policy of the chain;
Rule parameters
-p [!] protocol (tcp, udp, icmp, or all): specify the protocol;
-s [!] address[/mask]: specify the source address. The mask is a subnet mask: /24 = /255.255.255.0;
-d [!] address[/mask]: specify the destination address;
-j target: if the packet matches, jump to the target.
Packet Flow
To use iptables well, you should know the path a packet takes through the tables and chains, so that rules can be placed at the corresponding control points (chains).
Forwarded packets
mangle (PREROUTING) -> nat (PREROUTING) -> mangle (FORWARD) -> filter (FORWARD) -> mangle (POSTROUTING) -> nat (POSTROUTING)
Packets from the network to a local process (input)
mangle (PREROUTING) -> nat (PREROUTING) -> mangle (INPUT) -> filter (INPUT)
Packets from a local process to the network (output)
mangle (OUTPUT) -> nat (OUTPUT) -> filter (OUTPUT) -> mangle (POSTROUTING) -> nat (POSTROUTING)
Local process to another local process (loopback)
mangle (OUTPUT) -> nat (OUTPUT) -> filter (INPUT) -> mangle (INPUT)
For more information, see www.netfilter.org.