iptables/netfilter as a network firewall
The network firewall function is simply forwarding: a packet arrives on this machine, the local routing decision finds that the destination address is not a local address, and the host passes it on toward another network (or back toward the network it came from). That is the scenario we call the forwarding function;
A forwarded packet traverses three chains (PREROUTING, FORWARD, POSTROUTING), but filtering of forwarded traffic can only be done in FORWARD;
Please note: policy defined on the FORWARD chain applies only to packets that this host forwards; it has no effect on packets addressed to, or originating from, the host itself. The rest is not repeated here, but you must be able to read the test statements for the rules below;
When adding rules to the FORWARD chain, pay attention to several issues:
(1) Both the request and the response packets pass through the FORWARD chain, so pay attention to the direction each rule matches;
for example: iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
(2) If the conntrack mechanism is enabled, make sure the maximum number of connections the gateway host can track (net.netfilter.nf_conntrack_max) is large enough for the expected load;
How to build a network firewall environment with iptables
1. Build the environment and test the corresponding services
Host 1, CentOS 7.2, modelling the gateway:
NIC 01: 172.16.5.40/16, the external-network address;
NIC 02: 192.168.22.1/24, the internal-network address;
~]# cat /proc/sys/net/ipv4/ip_forward (forwarding is not yet turned on at this point; enable it with echo 1 > /proc/sys/net/ipv4/ip_forward before the forwarding tests below);
Host 2, CentOS 7.2, modelling an intranet client:
IP: 192.168.22.2/24;
gateway: 192.168.22.1;
Host 3, CentOS 7.2, modelling an extranet client:
IP: 172.16.5.50/16;
Install the test services on the intranet client:
~]# yum install -y vsftpd httpd telnet-server samba
From the intranet client, ping 172.16.5.40 succeeds even without forwarding, because an IP address belongs to the kernel rather than to the interface it is configured on: a packet for the gateway's external address is delivered locally, not forwarded;
Capture packets to watch the address resolution:
~]# tcpdump -i eno16777736 -nn icmp
If, after forwarding is enabled, replies still do not come back, the simplest fix is to point the extranet client's default gateway at the firewall (or add a route for 192.168.22.0/24 on that host):
~]# route del default gw 172.16.5.1
~]# route add default gw 172.16.5.40
Add an application service and test from the extranet client that the intranet client can be reached:
~]# systemctl start httpd
~]# echo 192.168.22.2 > /var/www/html/index.html
Test from the extranet client:
~]# curl http://192.168.22.2 (proves that communication between the two networks works)
Likewise install a service on the extranet client and test from the intranet host that the two networks reach each other normally;
2. Add policy on the gateway
Start with a default-deny baseline: append a DROP at the end of FORWARD so that only traffic explicitly accepted above it passes (the post calls this a blacklist; since everything not listed is dropped, it is in effect a whitelist).
~]# iptables -A FORWARD -j DROP
Test again from the extranet client; the request is now dropped:
~]# curl http://192.168.22.2
Examples follow.
Allow the request packets out: intranet hosts may reach any external HTTP service;
~]# iptables -I FORWARD -s 192.168.22.0/24 -p tcp --dport 80 -j ACCEPT
Allow the response packets back in;
~]# iptables -I FORWARD 2 -d 192.168.22.0/24 -p tcp --sport 80 -j ACCEPT
Note: since the default is to drop, any response to a request that was allowed out is safe to accept. To keep the rule count from growing with every new service, use the state tracking mechanism instead of a per-port response rule;
~]# iptables -D FORWARD 2
Add one rule that lets response packets through in both directions, inside-out and outside-in;
~]# iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
From now on only the request policy has to be written;
For example, intranet hosts may open SSH (and the other listed services) to the external network;
~]# iptables -R FORWARD 2 -s 192.168.22.0/24 -p tcp -m multiport --dports 80,22,23,21,139,445 -m state --state NEW -j ACCEPT
Allow intranet hosts to reach the FTP service on the extranet client;
Load the FTP connection-tracking helper on the gateway host so that the FTP data connection is recognised as RELATED;
~]# modprobe nf_conntrack_ftp; lsmod | grep nf_conntrack_ftp
~]# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: be careful not to lock yourself out of a remote gateway while writing rules; schedule a job (for example with at) that runs iptables -F after 20 minutes, and cancel it once the policy is verified;
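The whole FORWARD-chain procedure above (default deny, the ESTABLISHED,RELATED rule first, NEW requests from the intranet, the FTP helper, the conntrack capacity check and the lock-out guard from the note) as one script. This is an added example, not code from the original post; the addresses and service list are the post's lab values, while the variable names (LAN_NET, LAN_OUT_TCP, APPLY) and the dry-run behaviour are this example's own assumptions. By default it only prints the commands it would run; set APPLY=1 on the gateway to execute them.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the FORWARD-chain
# whitelist from the lab: default deny, state tracking first, then NEW requests.
# Dry-run by default (commands are printed); APPLY=1 executes them on the gateway.
# Assumed: LAN_NET/LAN_OUT_TCP defaults (values from the post) and the APPLY switch.

LAN_NET="${LAN_NET:-192.168.22.0/24}"
LAN_OUT_TCP="${LAN_OUT_TCP:-21,22,23,80,139,445}"   # services intranet hosts may reach

if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"; RUN=""
else
    IPT="echo iptables"; RUN="echo"
fi

ipt() { $IPT "$@"; }          # print or run one iptables command
run() { $RUN "$@"; }          # same for non-iptables commands (sysctl, modprobe)

# Lock-out guard from the note: flush the filter table after N minutes unless the
# job is cancelled with atrm once the policy is verified. Run this FIRST.
schedule_flush() {
    mins="${1:-20}"
    if [ "${APPLY:-0}" = "1" ]; then
        echo "iptables -P FORWARD ACCEPT; iptables -F" | at now + "$mins" minutes
    else
        echo "echo 'iptables -P FORWARD ACCEPT; iptables -F' | at now + $mins minutes"
    fi
}

# The lab had ip_forward switched off; nothing below matters until it is on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Default-deny FORWARD policy. Rule order matters: the state rule goes first so
# that replies (and RELATED data connections) never reach the per-service rules.
forward_policy() {
    enable_forwarding
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Both directions: replies to connections that were allowed either way.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inside-out NEW connections to the listed services only.
    ipt -A FORWARD -s "$LAN_NET" -p tcp -m multiport --dports "$LAN_OUT_TCP" \
        -m state --state NEW -j ACCEPT
    # Everything else, including unsolicited inbound NEW, falls to the DROP policy.
}

# FTP data connections are only classified RELATED once the helper is loaded.
ftp_helper() {
    run modprobe nf_conntrack_ftp
}

# Conntrack headroom: percentage of nf_conntrack_max in use.
# Prints the percentage; returns 1 when usage is above 80%.
conntrack_usage() {
    max="$1"; count="$2"
    [ "$max" -gt 0 ] || max=1
    pct=$(( count * 100 / max ))
    echo "$pct"
    [ "$pct" -le 80 ]
}

# Read the live counters on a real gateway (harmless fallbacks elsewhere).
conntrack_check() {
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 65536)
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)
    conntrack_usage "$max" "$count"
}

schedule_flush 20
forward_policy
ftp_helper
conntrack_check
```

Running the script without APPLY on a workstation prints the exact command sequence, which is a convenient way to review rule order before touching the gateway; on the gateway itself, schedule_flush is deliberately the first call so that a mistake in forward_policy undoes itself.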
NAT feature
What NAT is: its full name is Network Address Translation;
It slows down, and for many networks avoids, the exhaustion of the IPv4 address space;
A more detailed description is given in RFC 1631 (The IP Network Address Translator);
Functions:
Source address translation: SNAT, applied only in the POSTROUTING (or INPUT) chain of the nat table; only the first packet of a connection is examined, the rest follow the conntrack entry;
Static translation: the translated address is fixed;
Dynamic translation: the translated address is not fixed but chosen from a range;
Destination address translation: DNAT, applied only in the PREROUTING (or OUTPUT) chain of the nat table;
Translation based on IP + port: the address is rewritten and the port is matched;
MASQUERADE: address masquerading (SNAT to whatever address the outgoing interface currently has);
REDIRECT: port mapping to the local host;
RETURN: return from a chain;
custom chain function;
address-pool-based definitions;
 
For organisations that use private addresses internally and need Internet access, a NAT gateway is deployed at the organisation's exit. When a packet leaves the private network for the Internet, its source IP is replaced with a public address, usually the address of the egress interface. To the target server the request appears to come from the organisation's egress device, so the reply is sent from the Internet back to that gateway. The gateway then replaces the destination address with the original private source address and delivers the packet inside. Neither end of the communication notices the translation. With this model a large number of intranet hosts no longer need public IP addresses of their own;
DNAT: destination IP address translation
1. Publishing an internal server, so that outside Internet users can reach a server on the intranet;
2. Network redirection;
(description adapted from online sources)
Functional testing of NAT
The experiment uses the same environment as before;
Several examples follow:
All requests from intranet hosts are forwarded to the extranet (added on the gateway);
~]# iptables -t nat -A POSTROUTING -s 192.168.22.0/24 -j SNAT --to-source 172.16.5.40
~]# iptables -t nat -vnL
Capture packets on the extranet client to see the translated source address;
~]# tcpdump -i eno16777736 -nn icmp (the reverse translation of the reply's destination address is done automatically by conntrack);
All requests from the external network to one port of the public address are forwarded to one server on the intranet;
~]# iptables -t nat -A PREROUTING -d 172.16.5.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.22.2
~]# iptables -t nat -vnL
Test from the extranet client: curl http://172.16.5.40;
To forward every port of the public address to the internal host, drop the protocol and port match (a port in --to-destination is only accepted together with -p tcp or -p udp):
~]# iptables -t nat -A PREROUTING -d 172.16.5.40 -j DNAT --to-destination 192.168.22.2
Port mapping, with httpd listening on 8080:
~]# iptables -t nat -A PREROUTING -d 172.16.5.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.22.2:8080
~]# iptables -t nat -I PREROUTING 2 -d 172.16.5.40 -p tcp --dport 22022 -j DNAT --to-destination 192.168.22.3:22
Test from the extranet client;
~]# ssh -p 22022 [email protected]
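The SNAT and DNAT rules above, as an added example that is not part of the original post: each rule is wrapped in a shell function, dnat_rule refuses the combination iptables itself would reject (a port in --to-destination without -p tcp/udp), and each DNAT is paired with the FORWARD rule the translated packet still needs under a default-deny FORWARD chain. PUB_IP, LAN_NET, WAN_IF and the APPLY dry-run switch are this example's assumptions; the addresses and eno16777736 are the post's lab values.

```shell
#!/bin/sh
# Added example, not code from the original post: the lab's SNAT/DNAT rules as
# shell functions with the argument check iptables would otherwise reject, each
# DNAT paired with the FORWARD rule the translated packet still needs.
# Assumed: PUB_IP/LAN_NET/WAN_IF defaults (values from the post) and the APPLY
# dry-run switch. By default commands are printed; APPLY=1 executes them.

PUB_IP="${PUB_IP:-172.16.5.40}"
LAN_NET="${LAN_NET:-192.168.22.0/24}"
WAN_IF="${WAN_IF:-eno16777736}"

if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi
ipt() { $IPT "$@"; }

# Outbound: rewrite the source of intranet traffic to the gateway's public IP.
# Matching the outgoing interface keeps LAN-to-gateway traffic untranslated.
snat_rule() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUB_IP"
}

# Same role when the public address is dynamic (DHCP/PPPoE): MASQUERADE uses the
# interface's current address, so no --to-source has to be kept in sync.
masquerade_rule() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Inbound: publish an internal server.
#   dnat_rule <tcp|udp|any> <public_port|any> <internal_ip> [internal_port]
# A port in --to-destination is only legal with -p tcp/udp (iptables: "Need TCP,
# UDP, SCTP or DCCP with port specification"), so refuse that combination here.
dnat_rule() {
    proto="$1"; pub_port="$2"; int_ip="$3"; int_port="$4"
    if [ "$proto" = "any" ]; then
        if [ "$pub_port" != "any" ] || [ -n "$int_port" ]; then
            echo "dnat_rule: port mapping needs -p tcp or -p udp" >&2
            return 1
        fi
        ipt -t nat -A PREROUTING -d "$PUB_IP" -j DNAT --to-destination "$int_ip"
        return 0
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "dnat_rule: unsupported protocol $proto" >&2; return 1 ;;
    esac
    dest="$int_ip"
    [ -n "$int_port" ] && dest="$int_ip:$int_port"
    set -- -t nat -A PREROUTING -d "$PUB_IP" -p "$proto"
    [ "$pub_port" != "any" ] && set -- "$@" --dport "$pub_port"
    ipt "$@" -j DNAT --to-destination "$dest"
}

# DNAT only rewrites the address; with a default-deny FORWARD chain the
# translated packet is still a NEW connection that must be accepted explicitly.
#   forward_allow <proto> <internal_ip> <internal_port>
forward_allow() {
    ipt -A FORWARD -d "$2" -p "$1" --dport "$3" -m state --state NEW -j ACCEPT
}

nat_lab() {
    ipt -t nat -F
    snat_rule
    dnat_rule tcp 80 192.168.22.2 8080      # public :80 -> httpd on 8080
    forward_allow tcp 192.168.22.2 8080
    dnat_rule tcp 22022 192.168.22.3 22     # public :22022 -> ssh on host .3
    forward_allow tcp 192.168.22.3 22
    ipt -t nat -vnL
}

nat_lab
```

The -o "$WAN_IF" match on the SNAT rule is the one deliberate addition over the post's command: without it, traffic from the LAN to the gateway's own internal address would also be rewritten, which makes the gateway unreachable from inside for anything that relies on the source address.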
Custom chains and RETURN
A custom chain must be created, and then referenced from a built-in chain, before it has any effect;
~]# iptables -N web_in
~]# iptables -A web_in -d 192.168.22.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT
~]# iptables -A FORWARD -j REJECT
Call the custom chain before the default REJECT rule;
~]# iptables -I FORWARD 2 -d 192.168.22.0/24 -p tcp --dport 80 -j web_in
~]# iptables -A web_in -j RETURN
Note: a custom chain cannot be deleted while it still contains rules or is still referenced from another chain; remove the jump from FORWARD first, then flush the chain, then delete it;
~]# iptables -D FORWARD 2
~]# iptables -F web_in
~]# iptables -X web_in
Other features not covered here can be looked up by the reader.
Done
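The create, reference and teardown order for a custom chain, as an added example (not the post's own commands). The chain name web_in and the LAN range are the post's values; the APPLY dry-run switch and the chain_refs helper, which filters iptables -S output for jumps into a chain, are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: create, populate, reference and
# tear down a custom chain in the order iptables requires. Chain name and LAN
# range are from the post; the APPLY switch and chain_refs are assumptions.
# Dry-run by default (commands are printed); APPLY=1 executes them.

LAN_NET="${LAN_NET:-192.168.22.0/24}"
CHAIN="${CHAIN:-web_in}"

if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi
ipt() { $IPT "$@"; }

# 1. Create the chain before appending to it (-A on a missing chain fails).
chain_create() {
    ipt -N "$CHAIN"
    ipt -A "$CHAIN" -d "$LAN_NET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Explicit RETURN: anything not matched above goes back to the calling chain
    # and continues with the rule after the jump (the REJECT below).
    ipt -A "$CHAIN" -j RETURN
}

# 2. Reference it from FORWARD ahead of the catch-all REJECT; until a built-in
#    chain jumps to it, the custom chain sees no traffic at all.
chain_reference() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -d "$LAN_NET" -p tcp --dport 80 -j "$CHAIN"
    ipt -A FORWARD -j REJECT
}

# 3. Teardown in reverse: drop every jump, flush, then delete. -X fails while
#    the chain still holds rules or is still referenced from another chain.
chain_teardown() {
    ipt -D FORWARD -d "$LAN_NET" -p tcp --dport 80 -j "$CHAIN"
    ipt -F "$CHAIN"
    ipt -X "$CHAIN"
}

# Before -X on a live box, list what still jumps to the chain:
#   iptables -S | chain_refs web_in
chain_refs() {
    grep -- "-j $1\$"
}

chain_create
chain_reference
chain_teardown
```

Deleting the jump by its full specification (-D with the rule text) rather than by number is deliberate: rule numbers shift whenever another rule is inserted above, and a stale number silently deletes the wrong rule.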
This article is from the "51eA" blog; please keep this source: http://51eat.blog.51cto.com/11892702/1896545
Linux firewall (iptables) features explained in detail, part two