Iptables port forwarding

Source: Internet
Author: User

Finally, I have got iptables working. I copied the matching configuration at the beginning, but it was not correct. I searched N more articles on the Internet and finally found a more detailed one; after reading it twice, the configuration worked. Now I can use port forwarding to reach SSH and VNC on the intranet.

Iptables is an excellent NAT + firewall tool on Linux. I used it to build a flexible and powerful firewall + NAT system on a low-spec old PC. I have read many articles on the subject on the Internet, but most seem either one-sided or incomplete, and they are easy to be misled by. I have studied iptables for a while and have also used it for a long time, so I am writing down some of my experience for your reference; I will also reread it myself later.

The first thing to note is that iptables drives netfilter, the packet-filtering framework introduced in the 2.4 kernel; therefore Linux kernel 2.4 or later is required. Its functionality and security are far beyond those of its predecessors, ipfwadm and ipchains. iptables generally works on Layers 2, 3 and 4 of the OSI seven-layer model, whereas its predecessor ipchains could not independently match TCP/UDP ports and MAC addresses; that is why I think ipchains works only on Layer 3.

Let's first briefly introduce the general workflow of netfilter, that is, what happens to a packet when it arrives at a Linux network interface (NIC), and then introduce how iptables is used to change or control the handling of that packet. Netfilter is divided into three tables: filter, nat, and mangle (newer kernels also add raw and security, which are not needed here). Each table has its own operation chains. The filter table, which provides the firewall function, defines three chains: INPUT, FORWARD and OUTPUT, the three filters for inbound, forwarded and outbound packets respectively. Operating and controlling this filter table is the main means by which we implement the firewall function. The nat (Network Address Translation) table, which implements address translation and port forwarding, defines three chains: PREROUTING, POSTROUTING and OUTPUT; these are described in detail below. The mangle table is the table for custom packet modification: it contains all the chains found in the filter and nat tables, lets us perform custom operations on packets (such as altering header fields or marking them), and at each hook point its chain runs before the nat chain, i.e. at a higher priority in netfilter's packet processing order. The original article included a figure that clearly depicts the netfilter packet path (taken from the Internet, author unknown); it is not reproduced here, so the path is described in words below. Generally we do not need the mangle table, so it is not covered further.

In that packet path the PREROUTING chain comes first. When a packet arrives at a Linux network interface, it first passes through the PREROUTING chain of mangle, then the PREROUTING chain of nat. The chain name itself tells us that this chain runs before routing (pre-routing). Why must it run before routing? In the figure there is a diamond labelled ROUTING. This is the Linux routing box, the routing subsystem; it also has very advanced features, such as policy routing, which we will not explain here. What matters for PREROUTING is that in this chain we apply DNAT to the packet, i.e. we change the destination address and/or port, which is typically used for port forwarding or for NAT into a DMZ on the intranet. In other words, when a packet comes in, we need to change its destination address. Think about it: if the packet were thrown into the routing box before its destination address was changed, the system would choose a path and only then have the destination changed, so the chosen path could be wrong or meaningless. The PREROUTING chain must therefore run before routing. For example, our public IP address is 60.1.1.1/24 on eth0, and the intranet address is 10.1.1.1/24 on eth1. Our intranet has a web server at 10.1.1.2/24. How can we let Internet users reach this internal web server through the public IP address? We define a rule on the PREROUTING chain that changes the destination address of traffic to 60.1.1.1:80 to 10.1.1.2:80; in this way Internet users can reach the intranet server. Of course the port mapping is flexible: we can forward any port to any other port, not necessarily 80 --> 80. The specific commands are introduced in the examples that follow; here we are only talking about the process and the concepts.

Okay, let's go on. The packet has now passed through both PREROUTING chains. At this point there is a branch: the diamond labelled ROUTING in the figure, where the routing decision is made. It examines the destination address (which also shows why PREROUTING must come first: not only before the routing box, but before the destination-address check, because we may have written a rule that redirects traffic for some other IP address to our own, so PREROUTING is the first chain to process the packet). If the packet's destination is a local IP address, the packet goes up into the INPUT chain for processing and then on to the local process. If it is not local, it enters the FORWARD chain for filtering. Note that FORWARD sees the packet after DNAT, so a FORWARD rule must match the rewritten internal address and port, not the public ones. We will not cover INPUT and OUTPUT here, because they mainly concern the security of the local host itself; what we mainly discuss is the filtering of forwarded traffic and the implementation of NAT.
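The following script is an added example, not the original article's own configuration, and implements the port forwarding described in the two passages above in the topology the article uses: eth0 carries the public address 60.1.1.1/24, eth1 the intranet address 10.1.1.1/24, and the web server is 10.1.1.2. The SSH host 10.1.1.3, the VNC host 10.1.1.4, the public ports 2222 and 5901, the use of SNAT rather than MASQUERADE, and the `run`/`forward_port` helper names are assumptions made for the example. Invoked with `apply` as root it loads the rules; invoked any other way it only prints the iptables commands so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original article): DNAT port forwarding on a
# two-interface Linux gateway. eth0 = 60.1.1.1/24 (public), eth1 = 10.1.1.1/24
# (intranet), web server 10.1.1.2 as in the article; the SSH/VNC hosts and the
# public ports 2222/5901 are assumed values chosen for this example.

PUB_IF=eth0
LAN_IF=eth1
PUB_IP=60.1.1.1
MODE=${1:-print}   # "apply" executes the commands; anything else prints them

run() {
    if [ "$MODE" = apply ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Base gateway policy: forward nothing that is not explicitly allowed.
gateway_base() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    # Return traffic and related packets (e.g. ICMP errors) of accepted flows.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Intranet hosts may open outbound connections; hide them behind PUB_IP.
    run iptables -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -j SNAT --to-source "$PUB_IP"
}

# forward_port PROTO PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# The nat PREROUTING rule rewrites the destination before the routing
# decision; the filter FORWARD rule therefore matches the already-rewritten
# internal address and port, never the public ones.
forward_port() {
    proto=$1; pub_port=$2; int_ip=$3; int_port=$4
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p "$proto" -d "$PUB_IP" \
        --dport "$pub_port" -j DNAT --to-destination "$int_ip:$int_port"
    run iptables -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -p "$proto" -d "$int_ip" \
        --dport "$int_port" -m conntrack --ctstate NEW -j ACCEPT
}

gateway_base
forward_port tcp 80   10.1.1.2 80     # web server, 80 -> 80 as in the article
forward_port tcp 2222 10.1.1.3 22     # SSH, exposed on a non-default public port
forward_port tcp 5901 10.1.1.4 5901   # VNC display :1
```

Two points worth checking before relying on this: the FORWARD policy is DROP, so each forwarded service needs its own `forward_port` line, and the `-i eth0` match on the PREROUTING rule means intranet clients that use the public address will not be redirected (hairpin NAT needs an extra rule set that this example deliberately leaves out). On systems where `iptables` is the nftables-backed front end, the same commands still apply, but `iptables-save` output will differ from the legacy backend.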
