Common iptables configuration rules

Source: Internet
Author: User
Tutorial environment: Linux RedFlag 6.0 is used as the NAT gateway and as the iptables firewall. One physical machine and two virtual machines running Windows Server 2003 simulate a private network in the range 192.168.1.0/24.
On Linux (in the following sections, "firewall" and "gateway" both refer to this host), the two NICs are set up as follows:
eth0 -- the external interface, used to communicate with the Internet:
IP 10.1.4.135
Netmask 255.255.252.0
Gateway 10.1.4.249
DNS1 10.1.4.15
DNS2 10.1.0.2
eth1 -- used to communicate with the intranet; its address is the intranet's gateway address:
IP 192.168.1.254
Netmask 255.255.255.0
Gateway (none)
DNS1 10.1.4.15
DNS2 10.1.0.2
I:
iptables -- used for NAT translation
# iptables -t nat -F POSTROUTING
Flushes the previous rules from the nat table's POSTROUTING chain.
Before performing NAT translation, you must enable IP forwarding on the Linux server; otherwise the IP packets that arrive at the server for forwarding are discarded.
Forwarding is enabled as follows:
Edit /etc/sysctl.conf and change the field net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1; this is a kernel-level setting and takes effect permanently. Alternatively, enter # echo 1 > /proc/sys/net/ipv4/ip_forward at the console to enable forwarding immediately, but that setting is lost after a restart. Note that some Linux systems ship with filtering policies in the filter table by default. Now you can configure NAT translation:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.1.4.135
This command translates the source address of packets from the intranet 192.168.1.0/24 that leave through eth0 to the public IP address 10.1.4.135.
II:
iptables -- used to implement port mapping
# iptables -t nat -A PREROUTING -i eth1 -p tcp -d 10.1.4.135 --dport 21 -j DNAT --to-destination 10.1.0.10
Port 21 on the gateway address 10.1.4.135 is mapped to the FTP server 10.1.0.10 (note that the gateway's own IP address is not required here; any IP address that does not belong to the 192.168.1.0/24 block can serve as the virtual IP address for the port mapping). In this way, users in the 192.168.1.0/24 block can reach the external FTP server through the mapping of this virtual IP address.
Note: if the FTP server is a cluster, such as 10.1.0.10, 10.1.0.11 and 10.1.0.12, server load balancing can be implemented through iptables. The command is as follows:
# iptables -t nat -A PREROUTING -i eth1 -p tcp -d 10.1.4.135 --dport 21 -j DNAT --to-destination 10.1.0.10-10.1.0.12
III:
iptables -- used to block Internet addresses, Internet IP ranges, outbound ports (such as port 80), and Internet access from specific intranet IP addresses
# iptables -t nat -A PREROUTING -d www.baidu.com -j DROP
This blocks the website; access is restricted for both intranet hosts and the gateway.
# iptables -t filter -A FORWARD -d www.baidu.com -j DROP
This also blocks the website, but only for the intranet; the gateway itself is not restricted. The following policies are configured in the same way as above; for the reason behind the difference, see the diagram of how packets flow through iptables:
# iptables -t nat -A PREROUTING -d 10.1.0.10 -j DROP
The fixed IP address 10.1.0.10 is blocked.
# iptables -t nat -A PREROUTING -d 10.1.4.0/24 -j DROP
The IP address range 10.1.4.0/24 is blocked.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DROP
Outbound access to the fixed port 80 is blocked.
# iptables -t nat -A PREROUTING -s 192.168.1.6 -j DROP
Communication between the intranet host 192.168.1.6 and the Internet is disabled.
# iptables -t nat -A PREROUTING -s 192.168.1.6 -p tcp --dport 80 -j DROP
Access to port 80 from the host 192.168.1.6 is disabled.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -d www.sina.com -j DNAT --to-destination 10.1.4.254
Access to www.sina.com is redirected to the company's internal BBS web page at 10.1.4.254.
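To see why a rule in nat PREROUTING and the same rule in filter FORWARD behave differently, the following toy model (added here, not code from the original tutorial) walks a packet through the gateway's chains in netfilter order and applies the DNAT/SNAT rewrites of sections I, II, III and V. It assumes the tutorial's addresses, leaves out the mangle/raw tables and connection tracking (every packet is treated as the first of a new connection), approximates the SNAT rule's "-o eth0" as "destination outside 192.168.1.0/24", and uses the constructed address 203.0.113.10 in place of a blocked site's resolved address.

```python
# Toy model of the order in which a packet crosses the gateway's nat and filter
# chains, applying DNAT/SNAT where the tutorial's rules put them. Added example,
# not code from the original page. Assumptions: mangle/raw and conntrack are
# omitted (each packet is the first of a new connection); the SNAT rule's
# "-o eth0" is approximated as "destination outside 192.168.1.0/24".
GATEWAY_IPS = {"10.1.4.135", "192.168.1.254", "127.0.0.1"}
SITE = "203.0.113.10"  # constructed stand-in for a blocked site's resolved address

def evaluate(rules, pkt):
    """First-match walk. rules: (table, chain, predicate, target, arg).
    Returns (verdict, packet after NAT, chain that dropped it or None)."""
    pkt = dict(pkt)
    if pkt["in_if"] is None:  # generated on the gateway: OUTPUT, never PREROUTING/FORWARD
        hops = [("nat", "OUTPUT"), ("filter", "OUTPUT"), ("nat", "POSTROUTING")]
    else:
        hops = [("nat", "PREROUTING")]
    while hops:
        table, chain = hops.pop(0)
        for r_table, r_chain, pred, target, arg in rules:
            if (r_table, r_chain) != (table, chain) or not pred(pkt):
                continue
            if target == "DROP":
                return ("DROP", pkt, f"{table}/{chain}")
            if target == "DNAT":
                pkt["dst"] = arg
            elif target == "SNAT":
                pkt["src"] = arg
            break  # a terminating target ends this chain
        if chain == "PREROUTING":  # routing is decided after PREROUTING, i.e. after DNAT
            if pkt["dst"] in GATEWAY_IPS:
                hops.append(("filter", "INPUT"))
            else:
                hops += [("filter", "FORWARD"), ("nat", "POSTROUTING")]
    return ("ACCEPT", pkt, None)

# The tutorial's rules from sections I, II, III and V, expressed as predicates.
RULES = [
    ("nat", "PREROUTING", lambda p: p["in_if"] == "eth1" and p["dst"] == "10.1.4.135"
     and p["dport"] == 21, "DNAT", "10.1.0.10"),
    ("nat", "PREROUTING", lambda p: p["dst"] == SITE, "DROP", None),
    ("filter", "INPUT", lambda p: p["src"] != "192.168.1.6" and p["dport"] == 22, "DROP", None),
    ("nat", "POSTROUTING", lambda p: p["src"].startswith("192.168.1.")
     and not p["dst"].startswith("192.168.1."), "SNAT", "10.1.4.135"),
]

def lan_packet(src, dst, dport):
    """Packet arriving from the intranet on eth1 (constructed test input)."""
    return {"src": src, "dst": dst, "dport": dport, "in_if": "eth1"}
```

A packet the gateway generates itself (in_if None) never passes PREROUTING or FORWARD, so a block that must also cover the gateway's own traffic has to sit in the OUTPUT chain as well.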
IV:
iptables -- used to block ICMP echo-request and echo-reply packets
# iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
All ICMP echo-request packets are dropped at the firewall (in this case the firewall can ping other machines, but other machines cannot ping the firewall, and the firewall cannot ping itself either, including the loopback address).
# iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
This prevents the firewall from sending any ICMP echo-reply packets (in this case the firewall can ping other hosts, but cannot ping itself, including the loopback address).
(Note: either of the two preceding rules, or both, can be used to block echo packets.
However, note that they disable ping from both the intranet and the Internet; to distinguish between the two, see the following two rules.)
# iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
(# iptables -t filter -A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -j DROP)
The two commands above drop ping only on the Internet side (eth0), so the firewall cannot be pinged from the Internet while ping from the intranet still works.
V:
iptables -- used to prohibit unauthorized IP addresses from accessing the gateway Linux system
# iptables -t filter -A INPUT ! -s 192.168.1.6 -p tcp --dport 22 -j DROP
This command authorizes only the IP address 192.168.1.6 as a valid user that may access the Linux host through SSH.
This access control can also be implemented by editing /etc/hosts.allow on Linux. The method is as follows:
Remove the # symbol in front of the line "# allowed to use the local INET services, as decided"
Add the following line:
sshd: 192.168.1.6
If telnet is to be allowed instead, you only need to change the iptables option --dport 22 to --dport 23.
(You can also authorize a whole block, such as 192.168.1.0/24. To add multiple authorized IP addresses, just add more lines.)
Appendix:
The rules set with iptables are lost after Linux is restarted. To save them, use the following method:
# service iptables save
This saves the iptables rules to the file /etc/sysconfig/iptables.
If you are not familiar with iptables, it is recommended to back up the original settings before changing them. The method is as follows:
Save:
# /sbin/iptables-save > ~/iptables-rules-backup
Saves the iptables settings to a file in the current user's home directory.
Restore:
# /sbin/iptables-restore < ~/iptables-rules-backup
Go to the directory holding the backup and use this command to restore the rules from it.
By default, iptables rules take effect as soon as they are entered. If a rule does not seem to take effect, save the existing settings (if you restart the service without saving, the unsaved rules are lost) and then restart the iptables service so that the saved rules apply immediately. The command is as follows:
# service iptables restart
This command restarts iptables and applies the saved rules.
By default, the iptables service starts automatically when Linux boots. If it is not loaded automatically, you can add it to the services started at boot manually after configuring the rules. The command is as follows:
# chkconfig iptables on
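Once rules live in /etc/sysconfig/iptables, the saved dump can be reviewed before it is loaded at boot. The following audit script is an added example, not part of the original tutorial: it parses the iptables-save format and flags two things a reviewer of this tutorial's ruleset would raise, DROP targets placed in the nat table (which only sees a connection's first packet, so filtering belongs in the filter table) and a FORWARD chain whose default policy is ACCEPT. SAMPLE_DUMP is a constructed dump resembling the tutorial's rules, with 203.0.113.10 standing in for a blocked site's resolved address.

```python
"""Audit a saved ruleset in iptables-save format (what /etc/sysconfig/iptables
holds). Added example, not from the original tutorial; SAMPLE_DUMP is a
constructed dump resembling the tutorial's rules, with 203.0.113.10 standing in
for a blocked site's resolved address."""
import shlex

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -d 10.1.4.135 -p tcp --dport 21 -j DNAT --to-destination 10.1.0.10
-A PREROUTING -d 203.0.113.10 -j DROP
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.1.4.135
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT ! -s 192.168.1.6 -p tcp --dport 22 -j DROP
COMMIT
"""

def parse_dump(text):
    """Return {table: {"policy": {chain: policy}, "rules": [argv, ...]}}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *nat, *filter, ...
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        else:                                         # -A CHAIN ... -j TARGET
            cur["rules"].append(shlex.split(line))
    return tables

def audit(text):
    """Return the findings a reviewer would raise about the saved ruleset."""
    findings, tables = [], parse_dump(text)
    for argv in tables.get("nat", {}).get("rules", []):
        if "-j" in argv and argv[argv.index("-j") + 1] in ("DROP", "REJECT"):
            findings.append("nat/%s filters traffic; the nat table sees only a connection's "
                            "first packet, so put the rule in the filter table" % argv[1])
    if tables.get("filter", {}).get("policy", {}).get("FORWARD") == "ACCEPT":
        findings.append("filter FORWARD policy is ACCEPT: anything not explicitly "
                        "dropped is forwarded between eth0 and eth1")
    return findings
```

Run audit() on the output of iptables-save (or on /etc/sysconfig/iptables) to review a gateway's saved rules the same way.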