Iptables Intranet/Internet access rules for Enterprise web Servers

Source: Internet
Author: User

iptables -A INPUT -p tcp -s 10.1.2.187 -j ACCEPT
Add 10.1.2.187 to the permitted range (accept TCP traffic from that source).

iptables -t nat -A POSTROUTING -j SNAT --to-source 10.1.2.1
Parameters:

-A: append a rule to the end of a chain
-I: insert a rule at the start of a chain (or at a given position)
-p: protocol
-s: source IP address
-d: destination IP address
-j: target (the action to take on a match)
-t: table to operate on
--to-source: used with SNAT to specify the new source address
--to-destination: used with DNAT to specify the new destination address


iptables chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
For more information, see online.

View the current iptables rules:
iptables -L
iptables -t nat -L (list the contents of the nat table)
iptables -L -n: show IP addresses numerically, without resolving them to host names
iptables -L --line-numbers: show rule numbers
iptables -F: flush (delete) the contents of the filter table
iptables -F -t nat: flush the contents of the nat table

SNAT is generally used for outbound access to the Internet.
DNAT is used for inbound access from the outside.

SNAT example:
iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -j SNAT --to-source 192.168.0.5
Map the intranet 10.1.0.0/24 range to 192.168.0.5.
You can also do this:
iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -j SNAT --to-source 192.168.0.5-192.168.0.245
Map the intranet addresses onto a range of IP addresses.
The same function as the preceding example, using NETMAP (a static one-to-one mapping of the two ranges): iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -j NETMAP --to 192.168.0.0/24

DNAT example:
iptables -t nat -A PREROUTING -d ROUTEIP -p tcp --dport 80 -j DNAT --to-destination WEBIP
ROUTEIP is the public IP address of the firewall (router).
WEBIP is the IP address of the intranet web server.
This rule means that when a request from the Internet reaches port 80 (HTTP) on the firewall, it is automatically forwarded to the intranet web server, so the web server is effectively published on the Internet. This is sufficient when the server only needs to be reached from the Internet. If intranet machines must also reach the web server through its Internet (public) address, an additional SNAT rule is needed:

iptables -t nat -A POSTROUTING -p tcp -d WEBIP --dport 80 -j SNAT --to-source ROUTEIP

This rewrites the source IP address of packets going to the web server to the gateway's IP address; without it, the access fails. A brief analysis of the reason. Assume:

192.168.0.10 -> the intranet host that needs to reach the web server through its external address
192.168.0.254 -> the internal IP address of the web server
192.168.0.1 -> the gateway (external IP address 202.96.22.22)

When 192.168.0.10 accesses the web service at 202.96.22.22, the DNAT rule on the gateway changes the packet's destination address from 202.96.22.22 to 192.168.0.254. When .254 receives the packet, it sees that it came from .10 and returns the reply directly to 192.168.0.10. But when .10 receives that reply, it finds that its source is not the 202.96.22.22 it expected, so the packet is discarded. The solution is to make .254 send its replies to the gateway instead of directly to .10, so that the gateway returns them to .10 along the original path. This is done by changing the source address of requests sent to the web service at .254 to the gateway's address 192.168.0.1, that is:

iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.254 --dport 80 -j SNAT --to-source 192.168.0.1

A better solution is to put the servers on a separate network segment, i.e. a DMZ zone.
http://www.bkshanghai.com/index.aspx
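The hairpin problem described above, modelled as a small simulation (an added example, not code from the original post): a toy gateway applies the PREROUTING DNAT, optionally the POSTROUTING SNAT, and keeps a connection-tracking entry to un-translate replies. The addresses are the ones used in the text; the Packet and Gateway classes are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses, taken from the scenario in the text.
CLIENT = "192.168.0.10"   # intranet host using the public address
WEB = "192.168.0.254"     # intranet web server (WEBIP)
GW_INT = "192.168.0.1"    # gateway, internal side
GW_EXT = "202.96.22.22"   # gateway, public side (ROUTEIP)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class Gateway:
    """Minimal model of the nat table: PREROUTING DNAT, optional POSTROUTING
    SNAT, and the connection-tracking entry used to reverse both on replies."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # (reply src, reply dst) -> (original src, original dst)

    def forward_request(self, pkt: Packet) -> Packet:
        src, dst = pkt.src, pkt.dst
        # -A PREROUTING -d ROUTEIP -p tcp --dport 80 -j DNAT --to-destination WEBIP
        if dst == GW_EXT and pkt.dport == 80:
            dst = WEB
        # -A POSTROUTING -d WEBIP -p tcp --dport 80 -j SNAT --to-source 192.168.0.1
        if self.hairpin_snat and dst == WEB and pkt.dport == 80:
            src = GW_INT
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src, dst, pkt.dport)

    def forward_reply(self, pkt: Packet) -> Packet:
        # Undo both translations using the tracked connection.
        orig_src, orig_dst = self.conntrack[(pkt.src, pkt.dst)]
        return Packet(orig_dst, orig_src, pkt.dport)


def client_gets_valid_reply(hairpin_snat: bool) -> bool:
    gw = Gateway(hairpin_snat)
    delivered = gw.forward_request(Packet(CLIENT, GW_EXT, 80))
    reply = Packet(WEB, delivered.src, 80)  # the server answers the source it saw
    if reply.dst == GW_INT:
        reply = gw.forward_reply(reply)     # reply passes back through the gateway
    # otherwise .254 delivers the reply directly on the LAN, bypassing the gateway
    return reply.dst == CLIENT and reply.src == GW_EXT
```

Without the SNAT rule the reply reaches the client with source 192.168.0.254 instead of 202.96.22.22 and is rejected; with it, the gateway restores the expected addresses.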


Save the current rules to a file:
iptables-save > /usr/local/work/iptables
