Using iptables as a simple NAT gateway

Source: Internet
Author: User

Bkjia.com exclusive: the basic syntax of iptables (this makes the gateway NAT script further down easier to follow):

iptables [-t table] <-A|-I|-D|-R> chain [rulenum] [-i|-o interface] [-p protocol] [-s source-ip|source-subnet] [--sport source-port] [-d dest-ip|dest-subnet] [--dport dest-port] <-j target>

INPUT chain (filter table): a packet that the kernel's routing decision determines is destined for the local Linux system passes through the INPUT chain.

OUTPUT chain (filter table): packets generated by the local system itself.

FORWARD chain (filter table): packets routed through the Linux system to another host (when the iptables box joins two networks, all traffic between them has to pass through FORWARD).

PREROUTING chain (nat table): traversed before the routing decision; used to rewrite the destination address (DNAT).

POSTROUTING chain (nat table): traversed after the routing decision, just before the packet leaves; used to rewrite the source address (SNAT/MASQUERADE).

◆ Forwarding and NAT are independent in iptables. Forwarding is a routing function: it requires net.ipv4.ip_forward to be enabled and is filtered by the FORWARD chain of the filter table. NAT is address translation, performed by the PREROUTING and POSTROUTING chains of the nat table. Confusing the two does not stop either from working, but keep the difference in mind: a packet can be forwarded without being translated, and nat rules alone achieve nothing if forwarding is disabled or the FORWARD chain drops the packet.

iptables acts as the gateway NAT router with source-address translation (SNAT/MASQUERADE) enabled. For details, see the company's NAT routing script /root/firewall.sh:

This script provides the following:

① Internet access is tied to a MAC address, so binding IP/MAC pairs on the gateway also helps defend the LAN against ARP-spoofing viruses;

② Internet access from LAN machines is strictly controlled: whenever a workstation is added, the IP/MAC list on the NAT server must be refreshed, and machines from outside the company (some employees like to bring their own laptop when working overtime at weekends) are kept off the Internet entirely, heading off security problems before they happen;

③ With NTOP and iptraf running on the NAT gateway, the traffic of each host can be monitored in real time, and any anomaly can be reported promptly to the network administrator;

④ In practice, with this script acting as the NAT gateway the company's 10 Mbit Telecom fibre link can be driven to saturation: a single employee running Thunder (a download tool) is enough to stop everyone else in the company from opening web pages.

⑤ The gateway NAT server also doubles as the LAN file server, running vsftpd and samba;

⑥ I have read some scripts written by other Linux enthusiasts, and I don't feel they are as simple and convenient as this script. I would like to thank Teacher Tang, Technical Director of 3158.com, for his technical guidance.

#!/bin/bash
# Firewall rules are kept in a script so they can be edited and re-run while debugging.

# Interface layout as described for this gateway: eth0 carries the public Internet
# address, eth1 (and eth2, ...) the local network. Adjust these if your NICs differ.
EXT_IF=eth0
EXT_IP=59.195.233.234
LAN_NET=192.168.1.0/24

# Enable IPv4 routing between the interfaces; without it nothing is forwarded, so no NAT happens either.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Replace the ARP cache with the static host IP / MAC pairs defined in mac.txt.
# Re-run this script whenever a workstation is added.
arp -f /root/mac.txt

# iptable_nat is loaded automatically the first time the nat table is touched; this line is optional.
modprobe iptable_nat

# Connection tracking is required by the state module below. On modern kernels the modules
# are called nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, so fall back to those names.
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack

# FTP helpers: track and translate FTP's secondary data connections. Only needed if FTP
# passes through or is served by the gateway; this box runs vsftpd, so both are loaded.
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp

# Flush the INPUT and FORWARD chains of the filter table and POSTROUTING of the nat table,
# so re-running the script does not accumulate duplicate rules.
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING

# Default FORWARD policy: drop everything that is not explicitly allowed.
iptables -P FORWARD DROP

# A client is forwarded only when both its IP and its MAC match a line in mac.txt, and only for
# packets that did not arrive on the Internet interface (MAC matching is meaningful only on the
# directly attached segment). This keeps unregistered machines off the Internet; it does not
# stop a user who spoofs a registered IP/MAC pair.
while read -r ipad macd; do
    [ -n "$ipad" ] && [ -n "$macd" ] || continue   # skip blank or incomplete lines
    iptables -A FORWARD ! -i "$EXT_IF" -s "$ipad" -m mac --mac-source "$macd" -j ACCEPT
done < /root/mac.txt

# Allow replies to connections the LAN initiated back in from the Internet interface.
iptables -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Source NAT: rewrite the LAN source address to the public address on the way out.
# The rented China Telecom fibre has a fixed public IP, so SNAT is used rather than
# MASQUERADE (which suits a dynamic ADSL address).
iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"

The content of /root/mac.txt is as follows (one IP address and one MAC address per line, the format that arp -f reads):

192.168.1.50 00:16:D3:F6:BD:F5

192.168.1.57 00:16:36:B4:6C:5D

192.168.1.58 00:13:D3:20:04:12

192.168.1.59 00:1E:37:15:18:59

192.168.1.60 00:16:D3:5F:23:B7

192.168.1.65 00:E0:4C:01:1B:85

192.168.1.66 00:1E:37:15:18:59

192.168.1.67 00:E0:B1:B2:58:18

192.168.1.68 00:15:58:20:47:18

192.168.1.80 00:17:31:67:98:DA

192.168.1.88 00:E0:4C:01:1B:85

192.168.1.93 00:21:85:30:7F:DE

192.168.1.94 00:E2:1C:D1:60:41

192.168.1.97 00:13:D3:5E:2F:12

192.168.1.98 00:1D:0F:0F:CC:A2

192.168.1.99 00:19:DB:64:13:5A

......
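The per-host loop in firewall.sh trusts whatever is in mac.txt: a malformed line or a MAC bound to two IPs is turned into a rule without complaint (in the list above, 00:1E:37:15:18:59 appears for both .59 and .66, and 00:E0:4C:01:1B:85 for both .65 and .88, so either IP is accepted from that NIC). The shell functions below are an added example and not part of the original script: they validate the file, report MACs bound to more than one IP, and print the FORWARD and nat rules that would be loaded instead of applying them, so the result can be reviewed before anything touches the kernel. The interface and address names (eth1, eth0, 59.195.233.234, 192.168.1.0/24) are taken from the article; the sample file is constructed from the list above plus two deliberately bad lines.

```shell
#!/bin/sh
# Added example (not from the original firewall.sh): check mac.txt before loading it.

# Write the constructed sample to the file named in $1: five pairs copied from the
# article's mac.txt (two MACs appear twice) plus an out-of-range IP and a short MAC.
make_sample_file() {
    cat > "$1" <<'EOF'
192.168.1.50 00:16:D3:F6:BD:F5
192.168.1.59 00:1E:37:15:18:59
192.168.1.66 00:1E:37:15:18:59
192.168.1.65 00:E0:4C:01:1B:85
192.168.1.88 00:E0:4C:01:1B:85
192.168.1.300 00:16:36:B4:6C:5D
192.168.1.57 00:16:36:B4:6C
EOF
}

# Print only well-formed "ip mac" pairs (MAC upper-cased). Bad lines go to stderr and
# make the function return non-zero, so a caller can refuse to load a broken file
# instead of silently leaving some hosts without a rule.
valid_pairs() {
    awk '
        function ip_ok(ip,   p, n, i) {
            n = split(ip, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        NF == 2 {
            m = toupper($2)
            if (ip_ok($1) && length(m) == 17 && m ~ /^([0-9A-F][0-9A-F]:)*[0-9A-F][0-9A-F]$/) {
                print $1, m
                next
            }
        }
        NF > 0 { bad++; print "bad line " NR ": " $0 > "/dev/stderr" }
        END { exit (bad > 0) }
    ' "$1"
}

# List MACs that are bound to more than one IP, with the IPs involved. With
# "-s ip -m mac --mac-source mac" such a NIC is accepted under either IP, so the
# binding is no longer one host, one address.
duplicate_macs() {
    valid_pairs "$1" 2>/dev/null |
        awk '{ n[$2]++; ips[$2] = ips[$2] " " $1 }
             END { for (m in n) if (n[m] > 1) print m ":" ips[m] }' | sort
}

# Print the rules firewall.sh would load for file $1, with LAN interface $2,
# Internet interface $3, public address $4 and LAN network $5. Printing instead of
# executing lets the list be reviewed (or piped to sh) once it looks right.
gen_rules() {
    file=$1; lan_if=$2; ext_if=$3; ext_ip=$4; lan_net=$5
    valid_pairs "$file" 2>/dev/null | while read -r ip mac; do
        echo "iptables -A FORWARD -i $lan_if -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $ext_if -s $lan_net -j SNAT --to-source $ext_ip"
}

# Stand-alone demo on the constructed sample.
SAMPLE=$(mktemp)
make_sample_file "$SAMPLE"
echo "== MACs bound to more than one IP =="
duplicate_macs "$SAMPLE"
echo "== rules that would be loaded =="
gen_rules "$SAMPLE" eth1 eth0 59.195.233.234 192.168.1.0/24
valid_pairs "$SAMPLE" >/dev/null || echo "mac.txt has bad lines; refusing to load" >&2
rm -f "$SAMPLE"
```

In firewall.sh the natural place for this is a `valid_pairs /root/mac.txt >/dev/null || exit 1` before the flush, so a typo in mac.txt leaves the old rules in place rather than producing a gateway with half the hosts missing.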
