Prepare a PC running RHEL5 with two network interfaces:
eth0 connected to the external network (the Internet side)
eth1 connected to the intranet
1. Turn on packet forwarding in the running kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
2. Edit /etc/sysctl.conf so that forwarding stays on across reboots:
net.ipv4.ip_forward = 1
3. Enable NAT (masquerading) in iptables for traffic leaving through eth0:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The configuration is complete at this point.
The remaining commands are for troubleshooting and verification.
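The three steps above as one script, added here as an example (it is not part of the original post): it turns forwarding on, persists it in sysctl.conf without duplicating lines, and builds the NAT rules, adding a default-deny FORWARD policy so the box only relays intranet traffic and the replies to it. eth0 and eth1 follow the post; the LAN prefix 192.168.1.0/24, the PROC_ROOT and IPT overrides, the function names and the `apply` argument are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original post: the three configuration steps
# of the post as one idempotent script with a default-deny FORWARD policy.
# Assumptions: eth0 faces the Internet, eth1 the intranet; 192.168.1.0/24
# is a constructed placeholder for the LAN prefix; run as root with "apply".
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # constructed placeholder
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
PROC_ROOT="${PROC_ROOT:-/proc}"             # overridable for testing
IPT="${IPT:-iptables}"                      # overridable for testing

# Step 1: turn on forwarding in the running kernel.
enable_forwarding() {
    echo 1 > "$PROC_ROOT/sys/net/ipv4/ip_forward"
}

# Step 2: make "key = value" persistent in a sysctl.conf-style file.
# An existing line for the key (even a commented-out one) is rewritten;
# otherwise the setting is appended, so repeated runs leave one line.
persist_sysctl() {
    key="$1"; value="$2"; file="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Step 3: NAT. The chains this script owns are flushed and rebuilt, which
# avoids duplicate rules when the script is re-run. Only traffic from the
# LAN prefix is masqueraded, and FORWARD defaults to DROP so the box does
# not relay arbitrary packets between its interfaces.
apply_nat_rules() {
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Only touch the live system when explicitly asked (e.g. "./nat.sh apply").
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    persist_sysctl net.ipv4.ip_forward 1 "$SYSCTL_CONF"
    apply_nat_rules
    "$IPT" -t nat -L -n -v      # show the result, as the post suggests
fi
```

Run it as root with `./nat.sh apply`. Flushing and rebuilding the POSTROUTING and FORWARD chains is deliberate: appending with `-A` on every run, as the post's one-liner does, leaves a duplicate rule each time. On RHEL5 the rules are kept across reboots with `/etc/init.d/iptables save` (which writes /etc/sysconfig/iptables) and `chkconfig iptables on`.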
View the routing table:
netstat -rn or route -n
View the NAT table:
iptables -t nat -L
If iptables reports "can't initialize iptables table `nat': Table does not exist", the iptables kernel modules are not loaded. Load them:
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe ipt_state
If the modules are not available at all, enable them in the kernel configuration under:
Networking --->
  Networking options --->
    Network packet filtering framework (Netfilter) --->
      Core Netfilter Configuration --->
Now just select the modules you need for your netfilter box. That's it, I hope it works for you now.
If running iptables -L prints the following message, the kernel needs to be reconfigured and recompiled:
iptables v1.4.2: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Configuration options:
Networking -->
  Networking options -->
    [*] Network packet filtering (replaces ipchains)
      Core Netfilter Configuration -->
        <*> Netfilter Xtables support (required for ip_tables)
      IP: Netfilter Configuration -->
        <*> Connection tracking (required for masq/NAT)
        <*> IP tables support (required for filtering/masq/NAT)
        <*> IP range match support
        <*> Packet filtering
        <*> REJECT target support
        <*> Full NAT
ip_forward
In addition, IP forwarding must be turned on on the host so that connections can be relayed between the two interfaces.
To check whether IP forwarding is on (1 means on):
cat /proc/sys/net/ipv4/ip_forward
If it is not on, turn it on with:
echo 1 > /proc/sys/net/ipv4/ip_forward
Saving the settings
The iptables rules and the ip_forward setting above are lost when the system reboots, so save them if they are needed permanently.
Save the iptables rules:
/etc/init.d/iptables save
Make the iptables service load the saved rules at boot (Gentoo, for example):
rc-update add iptables default
Save the ip_forward setting (in /etc/sysctl.conf):
net.ipv4.ip_forward = 1
Security risks
When ip_forward is turned on, rp_filter (reverse path filtering) is usually turned on as well, so that the kernel checks the source address of each packet against its routing table.
Without it, the router can be abused by IP spoofing from the intranet.
Turn on rp_filter:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
Save the setting (in /etc/sysctl.conf):
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
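A read-only audit of the conditions this post asks a forwarding box to meet (ip_forward on, rp_filter on every interface, the netfilter modules from the modprobe list loaded), added here as an example and not taken from the original post. The PROC_ROOT override, the function names and the `run` argument are assumptions of the example; the /proc paths are the ones the post uses.

```bash
#!/bin/bash
# Added example, not from the original post: audit ip_forward, rp_filter per
# interface and the loaded netfilter modules without changing anything.
# PROC_ROOT is overridable so the checks can run against a copied tree.
set -u

PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the current ip_forward value (the post: 1 means on).
forwarding_state() {
    cat "$PROC_ROOT/sys/net/ipv4/ip_forward"
}

# Print every interface whose rp_filter is 0; return 1 if there is any.
# Any non-zero value counts as enabled.
weak_rp_filter_ifaces() {
    found=0
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "0" ]; then
            basename "$(dirname "$f")"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Print the modules from a space-separated list that are absent from
# /proc/modules; return 1 if any is missing.
missing_modules() {
    wanted="$1"
    modfile="$PROC_ROOT/modules"
    missing=0
    for m in $wanted; do
        if ! grep -q "^$m " "$modfile" 2>/dev/null; then
            echo "$m"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run all three checks; print each finding and return 1 if any failed.
audit() {
    rc=0
    if [ "$(forwarding_state)" != "1" ]; then
        echo "ip_forward is off"; rc=1
    fi
    weak=$(weak_rp_filter_ifaces) ||
        { echo "rp_filter disabled on: $weak"; rc=1; }
    miss=$(missing_modules "ip_tables ip_conntrack iptable_filter ipt_state") ||
        { echo "modules not loaded: $miss"; rc=1; }
    return $rc
}

# Only run against the live system when asked (e.g. "./audit.sh run").
if [ "${1:-}" = "run" ]; then
    if audit; then echo "audit OK"; fi
fi
```

Two caveats when reading the report: netfilter code compiled into the kernel rather than as a module never appears in /proc/modules, so a "not loaded" finding only means the module form is absent; and the nat table itself is provided by iptable_nat, which the post's modprobe list does not include, so load that too if the nat table error persists after the four modules above are in place.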
iptables acting as a LAN router (RHEL5 and above)