iptables NAT on CentOS

I tried to set up NAT on CentOS 5.3 and could not get it working no matter how I configured it.

I thought there was something wrong with the OS, so I switched to another system running 6.6, which has a graphical configuration wizard, to make it easier to sort out.

Later I found the answer on an English web page:

echo 1 > /proc/sys/net/ipv4/ip_forward

That made it work. After searching countless pages I finally understood what this does: it forces forwarding on, because by default the OS does not forward traffic between its interfaces.

Writing to /proc only changes the running kernel and is lost at reboot. The normal way to enable forwarding permanently is to edit the configuration file

/etc/sysctl.conf

and set

net.ipv4.ip_forward = 1

The default value is 0, which means disabled; 1 means enabled. Then apply the file with

sysctl -p

Of course, a reboot also picks it up.
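The post distinguishes two states that are easy to mix up: the value the running kernel has under /proc, and the value /etc/sysctl.conf will restore at boot. As an added example (my code, not from the original post) here is a small shell script that checks both and fixes the file the way the post describes, leaving `sysctl -p` to the operator. The sysctl.conf it builds is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether IPv4 forwarding is
# enabled now and whether a sysctl.conf will re-enable it after a reboot, then
# fix the file the way the post describes (edit, then `sysctl -p`).

# Effective value of net.ipv4.ip_forward in a sysctl.conf-style file.
# `sysctl -p` applies the file top to bottom, so the LAST uncommented
# assignment wins; a missing key means the kernel default, 0.
ip_forward_conf_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "net.ipv4.ip_forward") {
                val = $2; gsub(/[ \t]/, "", val); last = val
            }
        }
        END { print (last == "" ? "0" : last) }
    ' "$1"
}

# Current kernel setting (what `echo 1 > /proc/sys/net/ipv4/ip_forward` changes).
# Prints "unknown" where the proc file does not exist, e.g. a non-Linux shell.
ip_forward_runtime() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# Make the file enable forwarding: rewrite every existing assignment to 1, or
# append one if the key is absent. Does not touch the running kernel; the
# caller runs `sysctl -p` afterwards, exactly as in the post.
enable_ip_forward_persistent() {
    f=$1
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        sed 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$f" \
            > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s\n' 'net.ipv4.ip_forward = 1' >> "$f"
    fi
}

# Report both states for a given sysctl.conf; succeed only if both are enabled.
check_ip_forward() {
    conf=$1
    now=$(ip_forward_runtime)
    boot=$(ip_forward_conf_value "$conf")
    echo "running kernel: ip_forward=$now   $conf: ip_forward=$boot"
    [ "$now" = 1 ] && [ "$boot" = 1 ]
}

# Constructed sample file (not a real host's sysctl.conf): the common mistake of
# leaving a later "= 0" line in place, which silently undoes an earlier "= 1".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0
EOF

check_ip_forward "$sample" || echo "forwarding is not fully enabled; fixing $sample"
enable_ip_forward_persistent "$sample"
echo "after fix: $sample says ip_forward=$(ip_forward_conf_value "$sample")"
# On the real box: enable_ip_forward_persistent /etc/sysctl.conf && sysctl -p
rm -f "$sample"
```

On a real host run check_ip_forward against /etc/sysctl.conf; a kernel value of 1 with a file value of 0 is exactly the "works until the next reboot" situation the post ran into.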

chkconfig iptables on

This makes the firewall start as a normal service at boot.

Then configure the /etc/sysconfig/iptables file, or add rules with iptables -A commands as below (rules added that way live only in the kernel until you save them; see the end of this post). In what follows eth0 is the external NIC and eth1 the internal one.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This masquerades everything leaving eth0 with whatever address eth0 currently has, with no restriction on source, so it works when the external NIC gets its address via DHCP.

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 172.26.1.79

This is for the intranet 192.168.1.0/24: packets going out have their source address rewritten to the fixed address 172.26.1.79. SNAT only makes sense when the external address is static (with a dynamic address use MASQUERADE); adding -o eth0 keeps the rule from touching traffic that leaves through other interfaces.

Allowing external access to an internal server, for example Remote Desktop:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.2

-i eth0 (lowercase i) matches the incoming NIC; do not confuse it with uppercase -I, which inserts a rule at the top of a chain. -p tcp matches TCP, --dport 3389 matches destination port 3389, and --to-destination gives the IP address of the internal server the packet is redirected to.

This alone is not enough. The rules above live in the nat table (-t selects the table); the filter table must allow the forwarded traffic as well:

iptables -t filter -A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT

Without this the forwarded packets are not accepted in the FORWARD chain. Note that -d here is 192.168.1.2, not the external address: PREROUTING in the nat table has already rewritten the destination by the time the packet reaches FORWARD, so the destination address has changed from the external NIC's IP to 192.168.1.2, and the only way to match it is by the intranet address.

Some further forwarding permits are needed too:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT

One thing to check: the stock CentOS 6 ruleset ends the FORWARD chain with -A FORWARD -j REJECT --reject-with icmp-host-prohibited, and iptables -A appends after it, where the new rules are never reached. Either insert with -I instead, delete the REJECT rule first, or put the rules into /etc/sysconfig/iptables above it. The -o eth0 -j ACCEPT rule is the "LAN may reach the Internet" rule; the ESTABLISHED,RELATED rule is what lets the replies come back.
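The rules above are spread over several commands, and the post never shows what the resulting /etc/sysconfig/iptables looks like. As an added example (my code, not the post's) here is a script that writes the whole thing out in iptables-save format for the post's topology (eth0 outside, eth1 inside, 192.168.1.0/24, RDP forwarded to 192.168.1.2) and checks the FORWARD-chain ordering pitfall before installing it. It tightens two things the post leaves open: the LAN-to-Internet rule also matches -i eth1, and the filter rule for RDP matches -o eth1. The SSH allow rule on the internal NIC, the variable names and the --install flag are my assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): emit a complete
# /etc/sysconfig/iptables in iptables-save format for the post's topology
# and check the FORWARD chain ordering before installing it.
# Interface names, networks and the SSH allow rule are assumptions; adjust them.

EXT_IF=${EXT_IF:-eth0}          # external NIC
INT_IF=${INT_IF:-eth1}          # internal NIC
LAN=${LAN:-192.168.1.0/24}      # internal network
RDP_HOST=${RDP_HOST:-192.168.1.2}
EXT_IP=${EXT_IP:-}              # set to a static address to use SNAT instead of MASQUERADE

gen_iptables_config() {
    if [ -n "$EXT_IP" ]; then
        snat="-A POSTROUTING -s $LAN -o $EXT_IF -j SNAT --to-source $EXT_IP"
    else
        # MASQUERADE reads the interface address per packet, so it follows DHCP changes
        snat="-A POSTROUTING -s $LAN -o $EXT_IF -j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT happens in PREROUTING, before the FORWARD chain sees the packet
-A PREROUTING -i $EXT_IF -p tcp -m tcp --dport 3389 -j DNAT --to-destination $RDP_HOST
$snat
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INT_IF -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
# LAN -> Internet: anything new from the inside may leave via the outside NIC
-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
# Internet -> RDP host: match the already-translated destination, not the $EXT_IF address
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state NEW -m tcp -p tcp -d $RDP_HOST --dport 3389 -j ACCEPT
# Everything else in FORWARD is refused; every ACCEPT above must stay above this line
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Succeed only if no FORWARD ACCEPT rule sits below a FORWARD REJECT/DROP.
# Appending with `iptables -A` to the stock CentOS 6 ruleset fails this check,
# because that ruleset already ends the chain with a REJECT.
forward_order_ok() {
    awk '
        /^-A FORWARD / && /-j (REJECT|DROP)/ { blocked = 1; next }
        /^-A FORWARD / && /-j ACCEPT/ && blocked { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

if [ "${1:-}" = "--install" ]; then
    gen_iptables_config | forward_order_ok \
        || { echo "refusing: ACCEPT after REJECT in FORWARD" >&2; exit 1; }
    gen_iptables_config > /etc/sysconfig/iptables
    service iptables restart
else
    gen_iptables_config       # dry run: print the file that would be installed
fi
```

Run it without arguments to see the file, with --install as root to write it and restart the service; pipe any hand-edited /etc/sysconfig/iptables through forward_order_ok to catch rules that landed below the REJECT.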

Do not use the system's graphical firewall configuration tool; it sets up its own RH-Firewall-1-INPUT chain and makes a mess of your rules.

Also, 5.3 was very slow: Remote Desktop connected, but the screen would not move. Having read about 5.3, I think there is a reason it disables forwarding by default.

With 6.6 there was no problem, and the speed is acceptable.

Below are some network configuration commands.

If the machine started with one NIC and a second was added later, there is only

/etc/sysconfig/network-scripts/ifcfg-eth0

and no ifcfg-eth1. Copy ifcfg-eth0 to ifcfg-eth1 and edit the contents.

To find the new NIC's hardware address, look at

/etc/udev/rules.d/70-persistent-net.rules

check that the new NIC is listed and note its MAC address, then write something like:

DEVICE=eth1
NAME="System eth1"
HWADDR=00:50:56:A0:40:18
IPADDR=192.168.1.1
PREFIX=24
GATEWAY=
DNS1=
DOMAIN=

The items to change are the IP address, the mask, and HWADDR, which is the MAC address. On newer versions the file also carries a UUID line; make sure eth1's differs from eth0's rather than keeping the copied one.

The internal NIC gets no gateway. PREFIX is the prefix length, which is not the same thing as the netmask: CentOS 5 uses NETMASK=255.255.255.0, CentOS 6 uses PREFIX=24.
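Copying ifcfg-eth0 by hand and editing it is where the HWADDR/NETMASK/PREFIX mistakes happen, so as an added example (my code, not the post's) here is a script that reads the new NIC's MAC out of 70-persistent-net.rules and writes the ifcfg file, picking NETMASK or PREFIX by CentOS release. The udev rules file it builds is a constructed sample (the eth1 MAC is the one from the post, the eth0 one is made up), and the BOOTPROTO/ONBOOT lines are my usual static-address settings rather than anything the post shows.

```shell
#!/bin/sh
# Added example (not from the original post): pull the new NIC's MAC out of
# /etc/udev/rules.d/70-persistent-net.rules and write the matching ifcfg-eth1,
# using NETMASK on CentOS 5 and PREFIX on CentOS 6 for the mask.

# Print the MAC recorded for an interface name in a persistent-net rules file.
# Lines there look like:
#   SUBSYSTEM=="net", ..., ATTR{address}=="00:50:56:a0:40:18", ..., NAME="eth1"
mac_for_iface() {
    rules=$1; iface=$2
    awk -v want="NAME=\"$iface\"" '
        index($0, want) {
            p = index($0, "ATTR{address}==\"")      # 16 characters long
            if (p) { s = substr($0, p + 16); sub(/".*/, "", s); print s; exit }
        }
    ' "$rules"
}

# Dotted-quad netmask for a prefix length, for CentOS 5 style files.
prefix_to_netmask() {
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$(( 256 - (1 << (8 - bits)) )); bits=0
        fi
        mask="$mask${mask:+.}$octet"
    done
    echo "$mask"
}

# Emit an ifcfg file for the internal NIC: gen_ifcfg IFACE MAC ADDR/PREFIX RELEASE
# No GATEWAY/DNS lines: the default route stays on the external NIC.
gen_ifcfg() {
    iface=$1; mac=$2; cidr=$3; release=$4
    ip=${cidr%/*}; bits=${cidr#*/}
    printf 'DEVICE=%s\n' "$iface"
    printf 'NAME="System %s"\n' "$iface"
    printf 'HWADDR=%s\n' "$mac"
    printf 'BOOTPROTO=none\nONBOOT=yes\n'          # assumed static-address settings
    printf 'IPADDR=%s\n' "$ip"
    if [ "$release" -ge 6 ]; then
        printf 'PREFIX=%s\n' "$bits"
    else
        printf 'NETMASK=%s\n' "$(prefix_to_netmask "$bits")"
    fi
}

# Constructed sample rules file (not from a real host); eth0's MAC is invented.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# constructed sample of 70-persistent-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:a0:40:17", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:a0:40:18", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF

mac=$(mac_for_iface "$rules" eth1)
echo "eth1 MAC from udev: $mac"
gen_ifcfg eth1 "$mac" 192.168.1.1/24 6
# Real use: gen_ifcfg eth1 "$(mac_for_iface /etc/udev/rules.d/70-persistent-net.rules eth1)" \
#              192.168.1.1/24 6 > /etc/sysconfig/network-scripts/ifcfg-eth1
rm -f "$rules"
```

Pass 5 as the release argument on CentOS 5 to get a NETMASK line instead of PREFIX; an empty result from mac_for_iface means the kernel has not yet recorded the new NIC in the rules file.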

iptables -F

Flushes all rules in every chain of the default table (filter).

iptables -X

Deletes the user-defined chains in the default table (filter); a chain must be empty and unreferenced before it can be deleted.

/etc/rc.d/init.d/iptables save   or   service iptables save

Saves the rules entered on the command line to /etc/sysconfig/iptables; without this they are gone after a restart.

service iptables restart

Restarts the service.

This article is from the blog "Genius without that 1% is never done"; please keep this source: http://xushen.blog.51cto.com/1673219/1669784
