1. iptables filter table case
Requirement: open ports 80, 20 and 21; allow port 22 only from a specific network.
Here is how to do it:
vim /usr/local/sbin/iptables.sh  // add the following:
#!/bin/bash
ipt="/usr/sbin/iptables"   # define a variable holding the absolute path of iptables
$ipt -F                    # flush the existing rules
$ipt -P INPUT DROP         # set the default INPUT policy
$ipt -P OUTPUT ACCEPT      # set the default OUTPUT policy
$ipt -P FORWARD ACCEPT     # set the default FORWARD policy
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # allow related and established traffic; adding this avoids some small problems, so later rule changes only need to touch the part below
$ipt -A INPUT -s 192.168.127.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
ICMP example
iptables -I INPUT -p icmp --icmp-type 8 -j DROP  // we can still ping others, but others cannot ping us; in short, it forbids others from pinging this host
2. iptables NAT table application
Machine A has two NICs: ens33 (192.168.127.133), which can reach the external network, and ens37 (192.168.100.1), which is only on the internal network. Machine B has only ens37 (192.168.100.100), which can communicate with A's ens37.
Requirement 1: allow machine B to reach the external network
Enable route forwarding on A: echo "1" > /proc/sys/net/ipv4/ip_forward
On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
On B, set the gateway to 192.168.100.1
Requirement 2: machine C can only communicate with A; make it possible for C to connect directly to port 22 of machine B
Enable route forwarding on A: echo "1" > /proc/sys/net/ipv4/ip_forward
On A, run: iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
On B, set the gateway to 192.168.100.1
The following are the specific steps for the two requirements above.
First, add a NIC to each of the two machines, attach both to a LAN segment, and then disable the original NIC on one of the machines.
I added a LAN segment of my own, which I call "China" here. At this point machine A has two NICs, one that can reach the external network and the newly added one on the China segment (intranet), while machine B has only the China-segment NIC.
At this point A's ens37 has no IP:
ifconfig ens37 192.168.100.1/24  // quick way to set an IP
Because the NIC that could reach the network was disabled, B can no longer be logged into remotely and must be operated from the host console; set the IP on its ens37 in the same way:
ifconfig ens37 192.168.100.100/24
After setting up, test that the two machines can ping each other.
On machine A (it is best to run iptables -F and iptables -t nat -F on both A and B first; I ran into a case where host B could ping both of host A's NIC IPs but could not ping the external network or 192.168.127.1, and running iptables -F and then re-adding the rules below solved it):
echo "1" > /proc/sys/net/ipv4/ip_forward  // this file defaults to 0; changing it to 1 turns on route forwarding
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE  // let 192.168.100.0/24 reach the outside through ens33
Set the gateway on machine B:
route -n  // view the gateway
route add default gw 192.168.100.1  // set the gateway to 192.168.100.1
ping 192.168.127.133  // ping A's external IP; the test should get through
At this point the external network still cannot be reached; DNS needs to be set up:
vi /etc/resolv.conf
Add:
nameserver 119.29.29.29
Test again whether the external network can be pinged.
Requirement 2:
First, clear the NAT rules on machine A:
iptables -t nat -F
iptables -t nat -A PREROUTING -d 192.168.127.133 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22  // forward traffic arriving at port 1122 of 192.168.127.133 to 192.168.100.100:22
iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.127.133  // rewrite the source of data returned by 192.168.100.100 to 192.168.127.133
Add the gateway on machine B (already done above, omitted here):
route add default gw 192.168.100.1  // set the gateway to 192.168.100.1
Now logging in with Xshell to port 1122 of 192.168.127.133 lands on host B successfully.
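As an added example (not code from the original notes), the filter policy of section 1 and the NAT setup of section 2 combined into one parameterized script. All interface names and addresses are the notes' values taken as assumptions and can be overridden from the environment; an ACCEPT rule for the loopback interface is added beyond the notes, and a dry-run mode prints the rules instead of applying them so the rule set can be reviewed without root.

```shell
#!/bin/bash
# Added example, not from the original notes: applies the section 1 filter
# policy and the section 2 NAT rules from one script. Values are assumptions
# taken from the notes; override them via the environment, e.g. WAN_IF=eth0.
# "./iptables.sh dry-run" prints the rules (no root needed); "./iptables.sh apply" applies them.
IPT="${IPT:-/usr/sbin/iptables}"
WAN_IF="${WAN_IF:-ens33}"                      # A's NIC that reaches the external network
WAN_IP="${WAN_IP:-192.168.127.133}"            # A's external address
LAN_NET="${LAN_NET:-192.168.100.0/24}"         # internal segment behind A
ADMIN_NET="${ADMIN_NET:-192.168.127.0/24}"     # only this segment may reach port 22
FWD_PORT="${FWD_PORT:-1122}"                   # port on A that is forwarded to B
INNER_HOST="${INNER_HOST:-192.168.100.100}"    # machine B
INNER_PORT="${INNER_PORT:-22}"

filter_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT   # forwarded (NAT) traffic is allowed through
    # Replies to our own connections pass; new inbound traffic needs a rule below.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT   # not in the notes: keeps local services working under policy DROP
    $IPT -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
}

nat_rules() {
    $IPT -t nat -F
    # Requirement 1: LAN_NET leaves through WAN_IF with A's address as source.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Requirement 2: WAN_IP:FWD_PORT is rewritten to INNER_HOST:INNER_PORT, and
    # B's replies get WAN_IP as source so the client sees one consistent peer.
    $IPT -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport "$FWD_PORT" -j DNAT --to "$INNER_HOST:$INNER_PORT"
    $IPT -t nat -A POSTROUTING -s "$INNER_HOST" -j SNAT --to "$WAN_IP"
}

enable_forwarding() {
    # Writes the kernel switch the notes set by hand; skipped in dry-run mode.
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_all() { enable_forwarding; filter_rules; nat_rules; }

case "${1:-}" in
    apply)   apply_all ;;
    dry-run) IPT=echo; apply_all ;;
esac
```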
Extended:
Blocking a whole network segment:
iptables -I INPUT -m iprange --src-range 61.4.176.0-61.4.191.255 -j DROP
Limiting the rate of SYN packets with iptables:
- iptables -A INPUT ! -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name httpuser --rsource
- iptables -A INPUT -m recent --update --seconds 5 --hitcount 20 --name httpuser --rsource -j DROP
Principle: more than 20 TCP three-way handshakes from one source within 5 seconds is not normal access.
Here 192.168.0.0/255.255.255.0 is the unrestricted network segment and 192.168.0.101 is the local machine's IP.
This iptables policy can effectively mitigate SYN floods and also effectively stops bots from spamming.
Linux Learning Notes (32) iptables filter table case, iptables NAT table application