Iptables firewall and NAT service settings

Source: Internet
Author: User
Iptables firewall and NAT service 1. overview 1. introduction (1) a combination of components set between different networks or network security domains, which enhances the security of the internal network of the organization (2) each packet passes review, determine whether a matching filtering rule exists. compare the rules one by one until one rule is satisfied.

IptablesFirewall and NAT service
1. Overview of firewall
1. Introduction
(1) set a combination of components between different networks or network security domains to enhance the security of the internal network of the organization.
(2) check whether each data packet has matched filtering rules and compare them one by one based on the rule order until one of the rules is met, then, the corresponding action is performed based on the control mechanism. if none of the actions are met, the data packets are discarded to protect network security.
(3) it can be either a router or a group of hosts, which are usually placed at the entrance of the public network. all internal and external network communication packets must go through the firewall, only data that meets the security rules can pass the inspection.
(4) implement functions using the firewall
A. It can protect vulnerable services
B. control access to network systems between internal and external networks
C. centrally manage intranet security and reduce management costs
D. improve network confidentiality and privacy
E. record the network usage status to provide a basis for security planning and network maintenance (as shown in the figure below)

2. firewall classification
(1) packet filtering firewall
Advantage: Fast speed;
Disadvantage: once cracked, it is easy to forge the source/target addresses and IP ports of data packets.
"IP address spoofing ".
(2) proxy service firewall
Advantage: When a user requests to access a site, the proxy server will retrieve the site
Information is required and then forwarded to the user, which is much safer than the previous firewall.
Disadvantage: slow speed

II. Introduction to iptables
It is a free software that can replace high-price firewall solutions to complete packet filtering, Packet redirection, and network address translation NAT functions.
III. iptables basics
1. rule (rules): pre-defined condition of the network management, which is generally defined as "if the packet header meets this condition, the packet is processed in this way". these rules specify the source address and target address respectively, transmission protocols (such as tcpudp icmp) and service types (such as http ftpsmtp). when a packet matches the rule, IPTABLES processes the packet according to the method defined by the rule, such as ACCEPT, REJECT, and DROP. to configure a firewall, you can add, modify, and delete these rules.
2. chain: a packet transmission path. each chain is actually a check list among many rules.

, Each chain can have one or more rules. when a packet arrives at a chain
The first rule starts to check.
3. table (tables): provides specific functions. iptables has three built-in tables.
(Filter/nat/mangle) for packet filtering, network address translation, and packet reconstruction respectively
Function.
(1) filter table: used to filter data packets.
Group rules are used to filter packets that meet the conditions.
Sets a series of rules to filter data packets. This table is also the default IPTABLES
Table, IPTABLES also uses this table to execute all the commands, This table contains the INPUT chain (
Packet), FORWARD chain (processing forwarded packets) and OUTPUT chain (processing locally generated
Packets). in this table, only accept and discard data packets.
Change the data package.
(2) nat table: it is mainly used for network address translation and can implement one-to-one, one-to-many, and multiple-to-many
Multi-Level Conversion. IPTABLES uses this table to implement the Internet sharing function. The nat table contains
PREROUTING chain (modifying incoming packets) and OUTPUT chain (before route
And the POSTROUTING chain (modify the data packet to be sent out ).

(3) mangle table: it is mainly used to modify the specified package, because some special applications may
Some transmission features of data packets need to be rewritten, such as TTL.
4. iptables data packet transmission process

Incoming packet output packet
PREROUTING chain FORWORD chain POSTROUTING chain
Forwarding
Enter Local
INPUT chain internal processing process OUTPUT chain

4. disable the system firewall
1. iptables command format
Iptables [-t table]? Command matching operation
(1) table options
Used to specify the iptables built-in table to which the command is applied. There are a total of filter/nat/mangle tables.
(2) command options: Used to specify the iptables execution method, including insert/delete/add rules.

Command description
-P or -- policy <链名> Define default policy
-L or -- list <链名> View the IPTABLES rule list
-A or -- append <链名> Add one rule to the last row of the rule list.
-I or -- insert <链名> Insert 1 rule at the specified position
-D or -- delete <链名> Delete a rule from the rule list
-R or -- replace <链名> Replace a rule in the rule list
-F or -- flush <链名> Delete all rules in the table
-Z or -- zero <链名> Returns the data of the data packet counter/flow meter in the table to zero.

(3) matching options: specify the characteristics of data packets matching rules, including the source address, destination address, transmission protocol, and port number.


Matching Description
-I or -- in-interface <网络接口号> Network interface from which the package enters
-O or -- out-interface <网络接口号> Network interface from which the package is output
-P or -- proto protocol type specifies the Protocol for Packet matching
-S or -- source <源地址或子网> SOURCE address of the specified data packet matching
-- Sport <源端口号> Specifies the source port number for data packet Matching. you can use "start Port: End
The format of the bundle Port specifies a range
-D or -- destination <目标地址或子网> Specify the target address for packet matching
-- Dport <目标端口号> Specify the target port number for data packet Matching. the "start Port:
End port format specifies a range


(4) action option: specifies what operations should be performed when the data packet matches the rule.

Action description
ACCEPT data packets
DROP dropped data packets
REDIRECT redirects the package back to a port on the local machine or another host, which is usually used
Transparent Proxy or some internal network services
SNAT source address conversion can change the source address of a data packet
DNAT destination address conversion, which can change the destination address of a data packet
The masquerade ip is disguised and can only be used for NAT of ADSL.
LOG function, troubleshooting

2. use iptables

(1) define the default policy
When a packet does not comply with any rule in the chain, iptables will use the predefined default
The default policy is as follows:
Format: iptables [-t table name] <-p> <链名> <动作>
Description: A. The filter table is used by default and can be specified in nat or mangle.
B. <-p> define the default policy
C. <链名> The chain to which the default policy applies.
INPUT/OUTPUT/FORWARD
D. <动作> Handle the package
Example 1: define the default policy of the INPUT chain of the filter table to accept data packets.
Iptables? P INPUT ACCEPT
Example 2: define the nat table OUTPUT chain default policy as discard data packets
Iptables? T nat? P OUTPUT DROP


Tips: for users who do not have rules configured, reject all data packets first, and then, as needed
Release some packages.
Method: iptables? P INPUT DROP
Iptables? P FORWARD DROP
Iptables? P OUTPUT ACCEPT


(2) view iptables rules
Format: iptables [-t table name] <-L> [chain name]

For example, view all the chain rules in the nat table.
Iptables? T nat? L
(3) Add/insert/delete/replace rules
Format: iptables [-t table name] <-A | I | D | R> chain name [rule number] [-I | o Nic
Name] [-p protocol type] [-s source IP address | source subnet] [-- sport source port number
] [-D destination IP address | destination subnet] [-- dport destination port number] <-j action>
Example 1: add a rule for the INPUT chain of the filter table.
For 192.168.1.200, all data packets on this host are discarded, and then the INPUT chain of the filter table is viewed.
Rule list.
Iptables? T filter? A input? S 192.168.1.200? JDROP
Iptables? T filter? L INPUT
Supplement: If the rule content is to ACCEPT the package of this host, you only need to change DROP to ACCEPT

Example 2: insert a rule before the first rule in the INPUT chain rule list of the filter table.
Allow all hosts in the subnet 192.168.2.0 to access port 80 of the TCP protocol.
Iptables? T filter? I INPUT 2? S 192.168.2.0/24? P tcp? Dport
80? J DROP
Iptables? T filter? L INPUT
Example 3: delete the 3rd rules in the INPUT chain rule list of the filter table and view
Iptables? T filter? D input 3
Iptables? T filter? L INPUT
Example 4: replace the first rule in the INPUT chain rule list of the filter table, which is disabled.
192.168.3.0 this subnet host accesses TCP port 80, and then view
Iptables? T filter? R input 2? S 192.168.3.0/24? P tcp? Dport
80? J DROP
Iptables? T filter? L INPUT
(4) clear rules and counters
Format: iptables [-t table name] <-F | Z>
Example: A. delete all rules in the filter table
Iptables-F

B. return the data packet counters and traffic counters in the table to zero.
Iptables? Z
C. delete all rules in the nat table
Iptables? T nat? F
5. NAT service
1. what is a private IP address?
10.0.0.0-10.20.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
2. what is NAT
Is to map an address domain (such as: private network) to another address domain (such as: INTERNET)
Quasi-method.
3. how NAT works
(1) Static network address translation
A. Definition: Address translation must be executed based on A manually created internal and external address ing table.
B. Principles

192.168.16.10

Internet nat server 192.168.16.11
NAT ing table
Private IP address inside the public IP address 192.168.16.12
202.96.2.8 192.168.16.10
202.96.2.9 192.168.16.11
202.96.2.10192.168.16.12
One-to-one conversion

(2) dynamic network address translation
A. Definition: Address translation is done by the NAT server.

B. Principles

192.168.16.10

Internet nat server 192.168.16.11
NAT ing table
Private IP address inside the public IP address 192.168.16.12
202.96.2.8: 2320 192.168.16.10: 2320
202.96.2.8: 2879 192.168.16.11: 2879
202.96.2.8: 3012 192.168.16.12: 3012
One-to-multiple conversions (Port consistency)


(3) network address and port conversion (NAPT)
A. Definition: Not only does the IP datagram IP address of the NAT device change, but also the IP data
TCP/UDP port
B. principle 192.168.16.10


Internet napt server 192.168.16.11
NAT ing table
Private IP address inside the public IP address 192.168.16.12
202.96.2.8: 3200 192.168.16.10: 2320
202.96.2.8: 1784 192.168.16.11: 2879
202.96.2.8: 1579 192.168.16.12: 3012
One-to-multiple conversions (random ports)
6. use iptables to implement NAT services
1. configure two NICs
(1) eth0 is a public IP address
(2) eth1 is a private IP address
(3) configure DNS and Gateway
(4) restart the network service

2. enter the command in the command line
(1) echo 1>/proc/sys/net/ipv4/ip_forward
Indicates to enable the routing function of the kernel. if you disable the routing function, you can change 1 to 0.
(2) iptables? T nat? A postrouting? O eth0? J SNAT --
218.104.71.45
Note: You can write the script to the file and then put it into/etc/rc. d/rc. local, so that it can be started with the system, you have to clear the nat/filter table rules and counters (F | Z)
3. client configuration
(1) IP address (2) Gateway (3) DNS
VII. IPTABLES tips
1. prohibit customers from accessing unhealthy websites
Example 1: add a rule to prohibit users from accessing the website with the domain name www.sohu.com
Iptables? I FORWARD? D www.sohu.com-j DROP

Example 2: prohibit users from accessing websites with the IP address 202.17.61.4
Iptables? I FORWARD? D 202.17.61.4-j DROP

2. prohibit some clients from accessing the Internet.
Example 1: add a rule to prohibit clients with IP address 192.168.1.200 from accessing the Internet.
Iptables? I FORWARD? S 192.168.1.200? J DROP
Example 2: add a rule to prohibit clients with subnets 192.168.1.0/24 from accessing the Internet.
Iptables? I FORWARD? S 192.168.1.0/24? JDROP
3. prohibit clients from accessing some services
Example 1: prohibit all clients in the 192.168.1.0 subnet from downloading through FTP
Iptables? I FORWARD? S 192.168.1.0/24? P tcp -- dport 21? J DROP
Example 2: disable all clients in the 192.168.1.0 subnet from using the TELNET protocol.
Iptables? I FORWARD? S 192.168.1.0/24? P tcp -- dport 23? J DROP
4. prohibit the use of ICMP protocol
Example 1: Prohibit Internet users from pinging your NAT server's internet interface through ICMP
Iptables? I INPUT? I eth0 icmp? J DROP
5. prohibit clients from using QQ (many QQ servers)
Iptables? I FORWARD? P tcp -- dport 8000? J DROP
Iptables? I FORWARD? D tcpconn.tencent.com? J DROP

6. publish internal network servers to the public network (Port ing technology)
For example, publish the WEB service of the intranet host 192.168.16.200 to the INTERNET. The INTERNET user accesses the network interface of the NAT server through TCP port 80.
Iptables? T nat? I PREROUTING? I eth0? P tcp -- dport 80? J DNAT
To-destination192.168.16.200: 80

7. disable Internet access to my NAT server through IPTABLES, except for the TCP port 80.
Iptables? A input? I eth0? S 0.0.0.0/0? P icmp? J DROP
Iptables? A input? I eth0? S 0.0.0.0/0? P tcp -- dport! 80? JDROP

8. only intranet users are allowed to access TCP/UDP ports 53 and 80.
Iptables? T nat? A postrouting? P tcp? M multiport -- port 53,80
-S 192.168.168.0/24? O eth0? J SNAT -- to218.104.71.43


Supplement: A practical NAT configuration solution under R9:


Echo 1>/proc/sys/net/ipv4/ip_forward
Modprobe ip_tables
Modprobe ip_nat_ftp/ip_nat_irc/ip_conntrack
Modprobe ip_conntrack_ftp/ip_conntrack_irc
Iptables? F
Iptables? X
Iptables? Z
Iptables? F? T nat
Iptables? X? T nat
Iptables? Z? T nat
Iptables? P INPUT ACCEPT
Iptables? P OUTPUT ACCEPT
Iptables? P FORWARD ACCEPT
Iptables? T nat? P PREROUTING ACCEPT
Iptables? T nat? P POSTROUTING ACCEPT
Iptables? T nat? P OUTPUT ACCEPT
Iptables? T nat? A postrouting? O eth0? S 192.168.186.0/24? JSNAT
-- To 218.104.71.45
Important: if it is an ADSL environment, change eth0 to ppp0; SNAT... Change to MASQUERADE

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.