In the previous blog post we introduced the tables, the chain structure and the rule settings of iptables, the Linux firewall. So how can LAN users access the Internet when the Linux firewall also serves as the enterprise's gateway server? How can users on the Internet reach the network servers inside the LAN? Can iptables do this? The answer is yes.
This article addresses those questions by introducing two typical applications of the nat table: the SNAT and DNAT policies, which are used to share Internet access and to publish intranet application servers on the Internet.
Previous blog address: http://lansgg.blog.51cto.com/5675165/1220438
1. SNAT policies and applications
>>> SNAT policy overview
With the rapid growth of the Internet worldwide, the IPv4 address space has gradually become exhausted. This shortage makes it hard for many enterprises to obtain more public IP addresses; they can only pay for one or a few. At the same time, most enterprises need to connect their LAN hosts to the Internet. The SNAT policy of iptables solves this problem.
Case 1:
In a small enterprise network, the Linux gateway server has two NICs, one connected to the internal LAN and one to the Internet, for example:
[Figure 4.jpg: network topology]
When the Linux gateway server only enables route forwarding (without SNAT), the source IP address of packets from the LAN to the Internet remains unchanged after the gateway forwards them (still 192.168.1.100). When a host on the Internet receives such a request, it cannot return a response, because the source is a private IP address that cannot be routed on the Internet.
With an SNAT policy applied on the Linux gateway server, forwarding behaves differently. When a packet sent from the LAN to the Internet reaches the gateway, the gateway selects a route; if the packet is to be forwarded out of the Internet interface (eth0), its source IP address (192.168.1.100) is changed to the address of the gateway's Internet interface (218.29.30.31) before it is sent on to the Internet and finally to the target host (www.google.com). This is equivalent to submitting the request under the gateway's own public identity, so a normal response naturally comes back. The gateway then returns the response packet to the originating host in the LAN based on the SNAT mapping it recorded. Once the first packet of a connection has been processed by SNAT, all subsequent packets of that data stream are handled by SNAT automatically.
>>> Applying the SNAT policy to solve the above problem
From these requirements we see that SNAT is typically used for shared LAN Internet access, and that the translation takes place in POSTROUTING, after route selection. The key of SNAT is to change the private source IP address of packets leaving the LAN to the public IP address of the gateway's Internet interface.
SNAT can only be used in the POSTROUTING chain of the nat table. When setting an SNAT policy with the iptables command, the "--to-source IP address" option specifies the new source address, for example "-j SNAT --to-source 218.29.30.31".
The following instance configuration shows how to use the SNAT policy. The scenario and requirements (topology as shown above) are:
- The company's gateway server runs the Linux operating system.
- The gateway has two NICs: eth0 connects to the Internet with the fixed IP address 218.29.30.31/30; eth1 connects to the LAN with the fixed IP address 192.168.1.1/24.
- The default gateway of every host in the LAN is set to 192.168.1.1, and a correct DNS server has been configured.
- The Linux gateway host must now be configured so that LAN users in the 192.168.1.0/24 network can share Internet access.
The recommended procedure on the Linux gateway is as follows.
(1) Make sure route forwarding is enabled on the gateway server.
[root@node1 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@node1 ~]# sysctl -p
(2) Apply the SNAT policy so that packets from the LAN to the Internet have their source address changed to the server's public IP address.
[root@node1 ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 218.29.30.31
Use a client in the LAN to access a website on the Internet, such as www.baidu.com. After the test succeeds, add the above SNAT rule to the firewall script file and set it to run automatically at boot.
PS: the applications described above assume the gateway server has a fixed, static public IP address. In some cases an enterprise will have a non-fixed, dynamic public IP address, for example one obtained through ADSL broadband access. How should the SNAT policy be set in such a network environment? iptables provides a packet-processing target called MASQUERADE. MASQUERADE is a special case of SNAT: it also rewrites the source IP address of the packet, but it takes the address of the Internet interface automatically, without the "--to-source" option.
To set a MASQUERADE policy with the iptables command, simply drop the "--to-source IP address" part of the SNAT rule and use "-j MASQUERADE" as the target. ADSL usually uses PPPoE; in Linux the corresponding connection names are ppp0, ppp1 and so on. If the connection number cannot be determined, ppp+ can be used instead.
Eg: set a MASQUERADE policy so that the 192.168.1.0/24 network can reach the Internet through the gateway's ppp0 connection.
[root@node1 ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Of course, even if the gateway server has a static IP address, MASQUERADE can be used instead of SNAT. However, MASQUERADE has more overhead than SNAT, so with a fixed IP address the SNAT policy is the better choice.
2. DNAT policies and applications
>>> DNAT policy overview
The DNAT policy is very similar to the SNAT policy, but works in the opposite direction: SNAT modifies the source IP address, while DNAT modifies the destination IP address. SNAT can only be used in the POSTROUTING chain of the nat table; DNAT can only be used in the PREROUTING and OUTPUT chains of the nat table, or in chains called from them.
For example, for the security and stability of its application services a company places its public Web server in the internal network, while it still has only one public IP address, yet clients on the Internet must be able to reach the company's website. In this case the DNAT policy makes communication between the clients on the Internet and the website server on the intranet possible.
[Figure 5.jpg: DNAT topology]
Because the enterprise's Internet domain name must resolve to a valid public IP address (218.29.30.31), an HTTP request submitted by a client on the Internet arrives at the enterprise's gateway host. The gateway first inspects the destination address and destination port of the packet; if it finds that the packet is addressed to port 80 of the local machine, it changes the destination IP address (218.29.30.31) to the IP address of the real website server in the intranet (192.168.1.6), then selects a route and sends the packet to the internal website server (192.168.1.6). Afterwards, based on the DNAT mapping it recorded, the gateway server rewrites the source IP address of the returned HTTP response packet and sends it back to the client on the Internet.
In this DNAT address translation, the client on the Internet never needs to know the real LAN address of the enterprise website server; the translation in between is done entirely by the gateway host. Through the DNAT policy, an application server located inside the enterprise can provide services to the Internet.
>>> Applying the DNAT policy
When setting a DNAT policy with the iptables command, the "--to-destination IP address" option specifies the real IP address of the enterprise's intranet server, for example "-j DNAT --to-destination 218.29.30.31". The following two instances show how the DNAT policy is used.
Case 1. See the topology:
- The company registered the domain name www.lansgg.com with its ISP; it corresponds to the address of the Linux gateway's Internet interface (eth0): 218.29.30.31.
- The company's website server is located in the LAN, with IP address 192.168.1.6.
- Internet users should be able to access www.lansgg.com to view the company's website content.
For this environment, the recommended steps on the Linux gateway are as follows:
1) Make sure route forwarding is enabled on the gateway server.
[root@node1 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@node1 ~]# sysctl -p
2) Add a DNAT mapping on the gateway: for packets accessing port 80 of the gateway, change the destination address to the intranet IP address of the website server.
[root@node1 ~]# iptables -t nat -A PREROUTING -i eth0 -d 218.29.30.31 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6
Use a client on the Internet to access http://www.lansgg.com for testing. After the test succeeds, add the above DNAT rule to the gateway's firewall script file and set it to run automatically at boot.
PS: even with the SNAT Internet-sharing policy in place, an intranet client cannot reach the internal website server through the public IP address 218.29.30.31, because the DNAT rule above only matches packets arriving on eth0. If this is required, add a matching DNAT rule for the LAN interface, together with an SNAT rule so that the web server's replies return through the gateway, as in the following commands:
[root@node1 ~]# iptables -t nat -A PREROUTING -i eth1 -d 218.29.30.31 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6
[root@node1 ~]# iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.6 -p tcp --dport 80 -j SNAT --to-source 192.168.1.1
Case 2. If a service published from the intranet by DNAT clashes with a service the gateway host itself provides, the two kinds of access must be distinguished. For example, the Linux gateway itself runs an SSH service, and the database server in the internal network also runs SSH; both hosts need to be managed remotely from the Internet. Since only one public IP address is available, the gateway and the database server have to be distinguished by the access port. The default port number of the SSH server is 22.
[Figure 6.jpg: topology for case 2]
- The Internet IP address of the company's Linux gateway server (eth0) is 218.29.30.31; the IP address of the database server located in the LAN is 192.168.1.5.
- According to the company's arrangement, the administrator should be able to manage the database server remotely from a home host at any time; the login destination address is 218.29.30.31:2222.
- The IP address of the administrator's home host may change at random within the 63.34.45.0/24 network segment.
For this environment, the idea behind applying the DNAT policy is as follows.
> Access to 218.29.30.31:22 is left unprocessed (the default) and reaches the SSH service of the gateway host itself.
> Both hosts keep the default SSH port 22.
> On the gateway host, DNAT handles packets addressed to local port 2222; the target port on the database server in the internal network must be specified at the same time.
The recommended procedure is as follows:
1) Enable the SSH service on the database server. Note that a route or default gateway entry must be set, so that replies to the administrator's network go back via the gateway:
service sshd start
route add -net 63.34.45.0/24 gw 192.168.1.1
2) Make sure route forwarding is enabled on the gateway server.
[root@node1 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@node1 ~]# sysctl -p
3) Add a DNAT mapping on the gateway: for packets accessing port 2222 of the gateway, change the destination address to the intranet IP address of the database server host.
[root@node1 ~]# iptables -t nat -A PREROUTING -i eth0 -s 63.34.45.0/24 -d 218.29.30.31 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
After the test succeeds, add the above DNAT rule to the firewall script file and set it to run automatically at boot.
The following applies to firewall scripts. We have learned the syntax and basic rule settings of the iptables command. When adding firewall rules, you must fully understand the packet-matching process, especially the matching order within a rule chain. Only then can the rule order be optimised and the efficiency and accuracy of the packet-filtering mechanism improved.
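The SNAT case (with its MASQUERADE variant for a dynamic address) and the two DNAT cases above, collected into one nat table as an added example that is not part of the original post. It assumes the article's interfaces and addresses as defaults and adds hairpin rules so that LAN clients can also use the public address; the emit/nat_rules names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: print the gateway's complete
# nat table in iptables-save format, so the SNAT case (and its MASQUERADE
# variant) and the two DNAT cases above can be reviewed as one unit, written to
# /etc/sysconfig/iptables and loaded with "iptables-restore < file".
# Defaults are the article's addresses; override any of them through the
# environment. WAN_IP=dynamic selects the ADSL/PPPoE variant.
WAN_IF=${WAN_IF:-eth0};  WAN_IP=${WAN_IP:-218.29.30.31}
LAN_IF=${LAN_IF:-eth1};  LAN_GW=${LAN_GW:-192.168.1.1};  LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_IP=${WEB_IP:-192.168.1.6};  DB_IP=${DB_IP:-192.168.1.5};  ADMIN_NET=${ADMIN_NET:-63.34.45.0/24}

emit() { printf '%s\n' "$@"; }

nat_rules() {
    if [ "$WAN_IP" = dynamic ]; then
        snat="-j MASQUERADE"                  # public address looked up per packet
        to_me="-m addrtype --dst-type LOCAL"  # "addressed to this box", whatever its IP
    else
        snat="-j SNAT --to-source $WAN_IP"    # cheaper than MASQUERADE for a fixed IP
        to_me="-d $WAN_IP"
    fi
    emit '*nat' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # SNAT case: only the LAN network may share the Internet link (the -s match
    # keeps the gateway from translating anything else routed through it)
    emit "-A POSTROUTING -s $LAN_NET -o $WAN_IF $snat"
    # DNAT case 1: publish the intranet web server, port 80 only
    emit "-A PREROUTING -i $WAN_IF $to_me -p tcp --dport 80 -j DNAT --to-destination $WEB_IP"
    # DNAT case 2: port 2222 reaches the database server's SSH, admin network only
    emit "-A PREROUTING -i $WAN_IF -s $ADMIN_NET $to_me -p tcp --dport 2222 -j DNAT --to-destination $DB_IP:22"
    if [ "$WAN_IP" != dynamic ]; then
        # Hairpin: LAN clients that use the public address need the same DNAT, plus
        # SNAT to the gateway's LAN address so the server's replies return via the gateway
        emit "-A PREROUTING -i $LAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP"
        emit "-A POSTROUTING -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $LAN_GW"
    fi
    emit COMMIT
}

# Install: nat_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```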
3. Exporting and importing firewall rules
The iptables package provides two commands, iptables-save and iptables-restore, for saving and restoring firewall rules respectively. With these two commands, rules can be conveniently exported and imported.
>>> iptables-save
Running the iptables-save command directly prints the currently configured firewall rules to the terminal.
[Figure: output of iptables-save]
In general, redirection is used to save this output to a specified configuration file. Combined with the iptables service script the system provides by default, the rules in the /etc/sysconfig/iptables file can then be loaded automatically.
Eg: save the currently debugged iptables rules to the configuration file and have the iptables service script load them automatically.
[root@node1 ~]# iptables-save > /etc/sysconfig/iptables
[root@node1 ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: raw mangle nat filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@node1 ~]# chkconfig --level 35 iptables on
>>> iptables-restore
The iptables-restore command imports iptables rules from a saved configuration file. The file must contain configuration data exported with the iptables-save command.
Eg: import iptables rules from the saved rule configuration file.
[root@node1 ~]# iptables-restore </etc/sysconfig/iptables
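A sanity check for a saved rules file, as an added example that is not part of the original post: it parses the iptables-save format before iptables-restore is run, rejects a file with an unterminated table, and flags nat rules broader than the ones in this article. The check_saved_rules and write_sample_rules names, and the sample file's contents, are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original post): lint a file written by
# iptables-save before feeding it to iptables-restore. Two checks:
#  1. every "*table" section is closed by COMMIT, otherwise iptables-restore
#     rejects the whole file;
#  2. nat rules are no wider than the cases in this article: SNAT/MASQUERADE
#     must carry "-s" (or the gateway translates anything routed through it),
#     and DNAT must be pinned to a gateway address and a destination port.
# Usage: check_saved_rules FILE   (exit 0 = clean, 1 = problems listed, 2 = unreadable)
check_saved_rules() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    awk '
        function fail(msg) { print msg; bad = 1 }
        BEGIN { bad = 0; open = "" }
        /^\*/ { if (open != "") fail("missing COMMIT for " open); open = $0; next }
        /^COMMIT$/ { open = ""; next }
        /^-A / && open == "*nat" {
            if ($0 ~ /-j (SNAT|MASQUERADE)/ && $0 !~ /(^| )-s /) fail("source NAT without -s: " $0)
            if ($0 ~ /-j DNAT/ && ($0 !~ /--dport / || ($0 !~ /(^| )-d / && $0 !~ /--dst-type LOCAL/))) fail("DNAT not pinned to a gateway address and port: " $0)
        }
        END { if (open != "") fail("missing COMMIT for " open); exit bad }
    ' "$1"
}

# Constructed sample in iptables-save format, equivalent to the rules of this
# article (iptables-save writes "-d x/32" and "-p tcp -m tcp --dport N").
write_sample_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
      '-A PREROUTING -i eth0 -d 218.29.30.31/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.6' \
      '-A PREROUTING -i eth0 -s 63.34.45.0/24 -d 218.29.30.31/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22' \
      '-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 218.29.30.31' \
      'COMMIT' > "$1"
}
```

Run the check on the file you are about to load (for example check_saved_rules /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables) so a truncated or over-broad ruleset is caught before it is applied.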
That's it for this article; exhausted ~~
This article is from the Coffee _ Blue Mountains blog, please be sure to keep this source http://lansgg.blog.51cto.com/5675165/1220807