iptables on Linux
Rule: a packet-filtering condition defined in advance by the network administrator.
Chain: the path a packet travels through. Each chain can hold several rules, which are checked in order starting from the first.
Table: there are three built-in tables:
filter: used for packet filtering. It can only accept or discard packets; it cannot modify them.
nat: used for network address translation.
mangle: modifies fields of the matched packet.
How iptables processes packets
Command syntax: iptables [-t table] command [match] [-j target/jump]
[-t table]
Specifies the rule table; the default is filter.
Common commands:
-A: append a rule to a chain; by default it is added at the end of the chain.
-D: delete a rule; you can give either the complete rule or its number.
-R: replace the rule at a given position; the order of the other rules does not change.
-I: insert a rule; the rule previously at that position moves one place down.
-L: list all rules in a chain.
iptables -t nat -L lists all rules in the nat table.
-F: flush (delete) all rules in a chain.
iptables -F INPUT deletes all rules in the INPUT chain of the filter table.
[match]
Common packet-matching parameters:
-p: match the protocol type. Prefix the value with ! to negate the match; all matches every protocol.
-s: match the packet's source IP address; -s 192.168.1.0/24 matches a whole subnet.
-d: match the packet's destination IP address.
-o: match the outbound network interface of the packet.
--sport: match the source port; a range can be given as 20:80.
--dport: match the destination port, same syntax.
--tcp-flags: match the flags in the TCP header.
[-j target/jump]
Common actions:
-j: specifies the action to take on a matching packet.
ACCEPT: allow the packet through.
REJECT: refuse the packet and send an error reply back to the sender.
DROP: silently discard the packet; no reply is sent.
Example: LAN: 1.1.1.1, WAN: 192.168.2.159
Intranet host: 1.1.1.2
Map port 22 of intranet host 1.1.1.2 to port 88 of the public IP address 192.168.2.159.
1. Add the DNAT rule:
iptables -t nat -A PREROUTING -d 192.168.2.159 -p tcp --dport 88 -j DNAT --to 1.1.1.2:22
If host 1.1.1.2 does not use the iptables server as its gateway, its replies would not come back through the NAT box, so:
2. You also need to add a rule in the POSTROUTING chain:
iptables -t nat -A POSTROUTING -d 1.1.1.2 -p tcp --dport 22 -j SNAT --to 1.1.1.1
SNAT is generally used to let internal hosts reach the Internet.
SNAT rewrites the source address and is applied in the POSTROUTING chain: it acts after the routing decision, on the outbound interface rather than the inbound one.
DNAT is used for traffic coming in from outside.
Destination NAT can be done with DNAT or REDIRECT. REDIRECT is a special form of destination translation that redirects packets to the inbound interface or the loopback interface of the NAT device itself. Destination NAT is applied in the PREROUTING and OUTPUT chains of the nat table, so the destination address is modified before the routing decision. In PREROUTING, DNAT and REDIRECT rules are tied to the inbound interface and handle packets that are forwarded by the local routing table or addressed to the host's own inbound interface. In OUTPUT, they handle outbound packets generated by the NAT host itself.
SNAT example:
iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -j SNAT --to-source 192.168.0.5
Maps the internal 10.1.0.0/24 network to 192.168.0.5.
You can also do this:
iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -j SNAT --to-source 192.168.0.5-192.168.0.245
Maps the internal addresses onto a pool of public IP addresses.
The same effect can be had with NETMAP, which maps the subnet 1:1: iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -j NETMAP --to 192.168.0.0/24
DNAT example:
iptables -t nat -A PREROUTING -d ROUTEIP -p tcp --dport 80 -j DNAT --to-destination WEBIP
ROUTEIP is the public IP address of the firewall (router).
WEBIP is the IP address of the intranet web server.
This rule means that when the Internet accesses HTTP port 80 on the local host, the connection is automatically forwarded to the intranet web server; in effect the web server is published to the Internet.
This is sufficient when the intranet server only needs to be reached from the Internet.
However, if an intranet host wants to reach the web server through its Internet IP address, you also need an SNAT rule:
iptables -t nat -A POSTROUTING -p tcp -d WEBIP --dport 80 -j SNAT --to ROUTEIP
This changes the source IP address of packets going to the web server to the gateway's IP address; otherwise the access fails.
Brief analysis of the reason:
Assume 192.168.0.10 -> an intranet host that needs to reach the web server through the external IP address
192.168.0.254 -> the intranet IP address of the web server
192.168.0.1 -> the gateway (external IP address: 202.96.22.22)
When 192.168.0.10 accesses the web service at 202.96.22.22,
the DNAT rule on the gateway changes the packet's destination from 202.96.22.22 to 192.168.0.254. When .254 receives the packet, it sees that it came from .10,
so it sends the reply directly to 192.168.0.10 (they are on the same LAN). When .10 receives that reply, it sees that the source is 192.168.0.254 rather than the 202.96.22.22 it was talking to,
and discards the packet.
The solution is to make .254 send its replies to the gateway instead of directly to .10, so that the gateway reverses the translation on the way back to .10. This is done by changing the source IP address of requests sent to the web service on .254 to the gateway's IP address 192.168.0.1, that is:
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.254 --dport 80 -j SNAT --to 192.168.0.1
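As an added illustration of the reply-path problem described above (this model is not from the original post), the following Python script simulates the gateway's DNAT rule, the optional hairpin SNAT rule, and the conntrack reversal on the reply path, using the post's addresses. The external client 198.51.100.7 and the LAN-only SNAT variant (equivalent to adding -s 192.168.0.0/24 to the SNAT rule) are assumptions added here.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario using the post's addresses; "LAN-only SNAT" models adding "-s 192.168.0.0/24".
LAN = ip_network("192.168.0.0/24")
CLIENT, SERVER, GW_LAN, GW_WAN = "192.168.0.10", "192.168.0.254", "192.168.0.1", "202.96.22.22"


class Gateway:
    """Toy nat table: one PREROUTING DNAT rule, an optional POSTROUTING SNAT rule, and conntrack."""

    def __init__(self, hairpin_snat, snat_lan_only=False):
        self.hairpin_snat = hairpin_snat
        self.snat_lan_only = snat_lan_only
        self.conntrack = {}  # (server, translated src) -> original (src, dst), used to untranslate replies

    def forward_request(self, src, dst, dport):
        """Apply DNAT and then SNAT; return the (src, dst) pair the server actually sees."""
        orig = (src, dst)
        if dst == GW_WAN and dport == 80:            # -A PREROUTING -d 202.96.22.22 --dport 80 -j DNAT --to .254
            dst = SERVER
        if (self.hairpin_snat and dst == SERVER and dport == 80
                and (not self.snat_lan_only or ip_address(src) in LAN)):
            src = GW_LAN                             # -A POSTROUTING -d .254 --dport 80 -j SNAT --to .1
        self.conntrack[(dst, src)] = orig
        return src, dst

    def forward_reply(self, src, dst):
        """Reverse the translation of a reply that is routed through the gateway (None if untracked)."""
        orig = self.conntrack.get((src, dst))
        return None if orig is None else (orig[1], orig[0])


def access_published_web(client, hairpin_snat, snat_lan_only=False):
    """client connects to 202.96.22.22:80. Returns (reply accepted by client?, source the server saw)."""
    gw = Gateway(hairpin_snat, snat_lan_only)
    seen_src, seen_dst = gw.forward_request(client, GW_WAN, 80)
    reply = (seen_dst, seen_src)                     # the server answers whatever source it saw
    if ip_address(reply[1]) in LAN and reply[1] != GW_LAN:
        delivered = reply                            # same subnet: delivered directly, bypassing the gateway
    else:
        delivered = gw.forward_reply(*reply)         # addressed to the gateway or off-subnet: via the NAT box
    accepted = delivered is not None and delivered == (GW_WAN, client)
    return accepted, seen_src


if __name__ == "__main__":
    for who, hp, lan_only in [(CLIENT, False, False), (CLIENT, True, False),
                              ("198.51.100.7", True, False), ("198.51.100.7", True, True)]:
        print(who, "hairpin SNAT" if hp else "no SNAT", "LAN-only" if lan_only else "", access_published_web(who, hp, lan_only))
```

With the post's unrestricted SNAT rule the web server records every visitor, including Internet clients, as 192.168.0.1; restricting the SNAT rule to LAN sources keeps the real client addresses in the server's logs for Internet visitors.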
1. LAN 192.168.1.0/24,
web server: 192.168.1.10
FTP server: 192.168.1.11
Linux gateway:
intranet interface eth0, IP address 192.168.1.1
Internet interface eth1, IP address a.b.c.d
How should NAT be configured so that both intranet and Internet hosts can reach the company's servers?
A: # web
# Use DNAT for port mapping
iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.1.10
# Use SNAT for source address translation (the key step) so that the reply packets come back the right way
iptables -t nat -A POSTROUTING -d 192.168.1.10 -p tcp --dport 80 -j SNAT --to 192.168.1.1
# People often forget to open the relevant ports in the FORWARD chain.
iptables -A FORWARD -o eth0 -d 192.168.1.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.10 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# FTP
modprobe ip_nat_ftp ### load the ip_nat_ftp module (if it is not compiled into the kernel) so that FTP is NATed correctly
modprobe ip_conntrack_ftp ### load the ip_conntrack_ftp module
# Use DNAT for port mapping
iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 21 -j DNAT --to 192.168.1.11
iptables -A FORWARD -o eth0 -d 192.168.1.11 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.11 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.11 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.168.1.11 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.168.1.11 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.11 -p tcp --sport 1024: -m state --state ESTABLISHED -j ACCEPT
# Use SNAT for source address translation (the key step) so that the reply packets come back the right way
# (-i cannot be used in the POSTROUTING chain; the outbound interface -o eth0 is matched instead)
iptables -t nat -A POSTROUTING -d 192.168.1.11 -p tcp --dport 21 -o eth0 -j SNAT --to 192.168.1.1
For details, see:
http://blog.csdn.net/huguohu2006/article/details/6453522