I have been using iptables for a long time; here are some iptables NAT notes for your reference.
1. Java environment setup
Use /etc/profile for global configuration whenever possible.
2. When importing iptables rules on the front-end server, pay attention to the iptables version.
After the rules are imported, use service iptables save so the configuration is saved and restored automatically.
Modify /etc/sysctl.conf to enable ip_forward automatically at boot.
After the preceding settings, use chkconfig to enable the iptables service so that iptables starts automatically at the default runlevel.
3. Use the ifup version from Red Hat 8 (that is, the ifrouteup in the server cutover script) so that the default route is modified automatically when the NIC is adjusted.
4. Simulate the MAC address whenever possible during server cutover in the IDC.
Command: ifconfig eth0 hw ether aa:bb:cc:dd:ee:ff
5. Static route adding method
/etc/sysconfig/network-scripts/routes-eth0
192.168.0.0/16 via 10.10.0.22
/etc/sysconfig/static-routes
eth0 net 192.168.0.0 netmask 255.255.0.0 gw 10.10.0.22
6. When iptables is used for port mapping, if the default gateway of the mapped server is not the front-end server itself, the SNAT in POSTROUTING must be set to the front-end server's intranet address.
Take the telecom data center as an example. Firewall: eth0 10.10.0.1, eth1 218.78.212.84
Client A: 10.10.0.33, default route: 10.10.0.1
-A PREROUTING -d 218.78.212.84 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.0.33
Result: ssh works except for 10.10.0.33, which cannot connect. The log records the correct source IP address.
-A PREROUTING -d 218.78.212.84 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.0.33
-A POSTROUTING -d 10.10.0.33 -p tcp -m tcp --dport 22 -j SNAT --to-source 218.78.212.84
Result: ssh works for both 10.10.0.33 and 10.0.33, but the log records the firewall's Internet IP address 218.78.212.84.
-A PREROUTING -d 218.78.212.84 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.0.33
-A POSTROUTING -s 10.10.0.33 -p tcp -m tcp --dport 22 -j SNAT --to-source 218.78.212.84
Result: ssh works for both 10.10.0.33 and 10.10.0.33, and the log records the correct source IP address.
Client B: 10.10.0.138, default route: 10.10.0.241
-A PREROUTING -d 218.78.212.84 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.0.33
-A POSTROUTING -d 10.10.0.33 -p tcp -m tcp --dport 22 -j SNAT --to-source 10.10.0.1
Result: ssh works only for 10.10.0.138, and the log records the firewall's intranet IP address 10.10.0.1.
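As an added illustration (not part of the original notes), the following Python model traces the SYN/SYN-ACK path for the rule variants above and reports whether the handshake completes and which source address the mapped server logs. It assumes a flat 10.10.0.0/24 intranet, a constructed external client 1.2.3.4, and that a reply leaving through a gateway other than the firewall never re-enters the firewall's connection table.

```python
import ipaddress

# Addresses from the telecom data center example above
FW_LAN, FW_WAN = "10.10.0.1", "218.78.212.84"      # firewall eth0 / eth1
SERVER = "10.10.0.33"                               # DNAT target
INTRANET = ipaddress.ip_network("10.10.0.0/24")     # assumed flat intranet


def postrouting(snat_rules, src):
    """Apply the first matching POSTROUTING rule; each rule is (match_src, to_source).
    match_src None stands for the '-d 10.10.0.33' variant, which matches any source."""
    for match_src, to_source in snat_rules:
        if match_src is None or match_src == src:
            return to_source
    return src


def connect(client_ip, server_gw, snat_rules=()):
    """Trace a SYN to 218.78.212.84:22 after the PREROUTING DNAT to 10.10.0.33.
    Returns (handshake_ok, source_ip_logged_by_server)."""
    src_seen = postrouting(snat_rules, client_ip)    # what sshd on the server logs
    reply_dst = src_seen                             # server answers the address it saw
    if reply_dst == SERVER:
        via_firewall = False    # hairpin: the reply never leaves the server
    elif reply_dst == FW_LAN:
        via_firewall = True     # addressed to the firewall's intranet interface
    elif ipaddress.ip_address(reply_dst) in INTRANET:
        via_firewall = False    # delivered directly on the LAN, firewall bypassed
    else:
        # Off-LAN destination follows the server's default route. Assumption: a reply
        # sent through another gateway never re-enters the firewall's connection
        # table, so it is never translated back.
        via_firewall = server_gw == FW_LAN
    # Only a reply that crosses the firewall is rewritten back to 218.78.212.84,
    # the address the client is waiting for its SYN-ACK from.
    return via_firewall, src_seen


if __name__ == "__main__":
    cases = [  # 1.2.3.4 is a constructed external client address
        ("external client, server gw = firewall, DNAT only", "1.2.3.4", FW_LAN, ()),
        ("server connecting to its own mapped port, DNAT only", SERVER, FW_LAN, ()),
        ("same, SNAT -s 10.10.0.33 to 218.78.212.84", SERVER, FW_LAN, ((SERVER, FW_WAN),)),
        ("external client, server gw = 10.10.0.241, DNAT only", "1.2.3.4", "10.10.0.241", ()),
        ("same, SNAT to intranet address 10.10.0.1", "1.2.3.4", "10.10.0.241", ((None, FW_LAN),)),
    ]
    for label, client, gw, rules in cases:
        ok, logged = connect(client, gw, rules)
        print(f"{label}: {'ssh works' if ok else 'ssh fails'}, server logs {logged}")
```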
7. Modify /etc/inittab to disable the Ctrl+Alt+Del key combination, which prevents misoperation and removes a security risk.
8. SSH uses key authentication only.
9. Use /etc/hosts.allow and /etc/hosts.deny for IP address access filtering.
The following script reads the log and blacklists, in /etc/hosts.deny, the IP addresses that have made illegal connection attempts.
#!/bin/bash
# To keep an IP address from ever being blacklisted, add it to /etc/hosts.allow first.
# Extract the source IP addresses from the last 20 log lines that record illegal or failed connection attempts
tail -20 /var/log/secure | awk '$0 ~ /Illegal|Failed/' | awk -Ffrom '{print $2}' | awk '{print $1}' > /tmp/badip
# Read the sshd client list already defined in /etc/hosts.deny (the script assumes this is the file's only line)
list=`grep sshd /etc/hosts.deny`
# Start a new sshd entry if the file has none yet
[ -z "$list" ] && list="sshd:"
# Blacklist when more than 5 of the logged attempts all come from the same IP address
if [ "`wc -l < /tmp/badip`" -gt 5 -a "`sort -u /tmp/badip | wc -l`" -eq 1 ]
then
    blockip=`head -1 /tmp/badip`
    # Only write the address if it is not already in the list
    if [ "`grep -c "$blockip" /etc/hosts.deny`" -ne 1 ]
    then
        echo "$list $blockip" > /etc/hosts.deny
    fi
fi