Linux Learning Notes (32) iptables filter table case, iptables NAT table application

Source: Internet
Author: User

1. iptables filter table case

Requirement: open ports 80, 20 and 21 to everyone, and open port 22 only to a specific source range.

Here is how to do it:

vim /usr/local/sbin/iptables.sh    # add the following content:

    #!/bin/bash
    ipt="/usr/sbin/iptables"    # define a variable holding the absolute path of iptables
    $ipt -F                     # flush existing rules
    $ipt -P INPUT DROP          # default INPUT policy: drop
    $ipt -P OUTPUT ACCEPT       # default OUTPUT policy: accept
    $ipt -P FORWARD ACCEPT      # default FORWARD policy: accept
    # accept packets belonging to related/established connections; with this rule in place,
    # later changes only need to touch the port-specific rules below
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -s 192.168.127.0/24 -p tcp --dport 22 -j ACCEPT    # SSH only from this subnet
    $ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    $ipt -A INPUT -p tcp --dport 21 -j ACCEPT

ICMP example

iptables -I INPUT -p icmp --icmp-type 8 -j DROP    # this host can still ping others, but others cannot ping it (echo requests are dropped)


2. iptables NAT table application

Machine A has two network cards: ens33 (192.168.127.133) and ens37 (192.168.100.1). ens33 can reach the external network; ens37 is on the internal network only. Machine B has only ens37 (192.168.100.100), which can communicate with A's ens37.

Requirement 1: allow machine B to reach the external network
  On A, enable route forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward
  On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
  On B, set the gateway to 192.168.100.1

Requirement 2: machine C can only communicate with A; make it possible for C to connect directly to port 22 on B
  On A, enable route forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward
  On A, run: iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
  On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
  On B, set the gateway to 192.168.100.1

The following are the concrete steps for the two requirements above.

First, add a network card to each of the two machines, connect both to a LAN segment, and then disable the original NIC on one of the machines.

I add a LAN segment of my own, which I name "China" here. At this point machine A has two network cards, one that can reach the external network and one on the newly added "China" segment (intranet); machine B has only the "China" segment network card.

At this point ens37 on machine A has no IP:

ifconfig ens37 192.168.100.1/24    # quick way to set an IP

Because the network card that could reach the network has been disabled on machine B, it can no longer be logged into remotely; operate on the host console and set an IP on ens37 in the same way:

ifconfig ens37 192.168.100.100/24

After setting the addresses, test: the two machines can ping each other.

On machine A (it is best to run iptables -F and iptables -t nat -F on both A and B first. I ran into a situation where host B could ping both of host A's network card IPs but could not ping the external network or 192.168.127.1; running iptables -F and then re-adding the rules below solved the problem):

echo "1" > /proc/sys/net/ipv4/ip_forward    # this file defaults to 0; writing 1 turns on route forwarding

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE    # let 192.168.100.0/24 go out through ens33

Set the gateway on machine B:

route -n                                # view the current gateway
route add default gw 192.168.100.1      # set the gateway to 192.168.100.1
ping 192.168.127.133                    # ping A's external IP; it should succeed

At this point the external network still cannot be reached by name; DNS needs to be set up:

vi /etc/resolv.conf

Add:

nameserver 119.29.29.29

Then test again whether the external network can be pinged.


Requirement 2:

First, clear machine A's NAT rules, then add the DNAT and SNAT rules:

iptables -t nat -F
# forward traffic arriving at port 1122 of 192.168.127.133 to 192.168.100.100:22
iptables -t nat -A PREROUTING -d 192.168.127.133 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
# rewrite the source of traffic coming back from 192.168.100.100 to 192.168.127.133
iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.127.133

Add a gateway on machine B (already done earlier; repeated here for completeness):

route add default gw 192.168.100.1      # set the gateway to 192.168.100.1

Now log in with Xshell to port 1122 of 192.168.127.133: the login lands on host B.
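The filter case from part 1 and both NAT requirements above, combined into one ruleset that is loaded atomically with iptables-restore instead of flushing and re-adding rules one at a time. This is an added example, not the script from the original notes: it uses MASQUERADE for the whole internal segment rather than a separate SNAT for B, sets the FORWARD policy to DROP (the notes leave it ACCEPT), so the forwarded paths are listed explicitly, and the function parameters are an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: emit one iptables-restore
# ruleset covering the filter case and the NAT cases, so it can be loaded
# atomically instead of flushing and re-adding rules one by one.
# Addresses below are the ones used in the notes; the parameters are assumptions.
build_ruleset() {
  admin_net="$1"    # subnet allowed to reach port 22 on A (192.168.127.0/24)
  ext_if="$2"       # A's external interface (ens33)
  ext_ip="$3"       # A's external address (192.168.127.133)
  lan_net="$4"      # internal segment behind A (192.168.100.0/24)
  inner_host="$5"   # B (192.168.100.100)
  fwd_port="$6"     # public port on A that maps to B:22 (1122)
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $ext_ip -p tcp --dport $fwd_port -j DNAT --to-destination $inner_host:22
-A POSTROUTING -s $lan_net -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $admin_net -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $ext_if -d $inner_host -p tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -s $lan_net -o $ext_if -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically; needs root. ip_forward is enabled first,
# because without routing the DNAT rule does nothing.
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  build_ruleset "$@" | iptables-restore
}
```

Run build_ruleset with the six values first and review the text, then call apply_ruleset with the same arguments on machine A.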

Extended:

Blocking a whole network range:

iptables -I INPUT -m iprange --src-range 61.4.176.0-61.4.191.255 -j DROP

Limiting the SYN rate with iptables:

    1. iptables -A INPUT ! -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name httpuser --rsource

    2. iptables -A INPUT -m recent --update --seconds 5 --hitcount 20 --name httpuser --rsource -j DROP

(Rule 1 records the source of every new connection to port 80 that does not come from the exempt segment in the "httpuser" list; rule 2 drops packets from any recorded source that has been seen 20 or more times in the last 5 seconds. The original note omitted the numeric argument to --hitcount; 20 is the threshold stated in the principle below. The negation is written as "! -s", the form current iptables accepts.)

Principle: more than 20 TCP three-way handshakes from one source in 5 seconds is not normal access.

Here 192.168.0.0/255.255.255.0 is the unrestricted network segment and 192.168.0.101 is the local IP.
This iptables policy can effectively mitigate SYN floods and also blocks bots that spam requests.
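Before deploying the pair of rules above, it helps to replay their sliding-window logic (--seconds 5 --hitcount 20) over a log of new connections to see which sources would have been dropped and whether the threshold fits the real traffic. This is an added example, not part of the original notes: the log format "<epoch> <src-ip>" and the sample data are constructed here, and the exempt segment handled by rule 1 is not replicated.

```shell
#!/bin/sh
# Added example, not from the original notes: replay the recent module's
# "--seconds N --hitcount M" window over a log of NEW connections.
# Input (constructed format, one connection per line): "<epoch-seconds> <src-ip>".
# Prints "<ip> <time>" for each source at the first connection that would be dropped.
flag_syn_floods() {
  window="$1"    # seconds, 5 in the rule above
  hits="$2"      # hitcount, 20 in the rule above
  awk -v win="$window" -v hits="$hits" '
  {
    t = $1; ip = $2
    n[ip]++
    ts[ip, n[ip]] = t
    # discard timestamps older than the window, oldest first
    while (start[ip] + 1 <= n[ip] && ts[ip, start[ip] + 1] < t - win) start[ip]++
    live = n[ip] - start[ip]            # hits still inside the window, this one included
    if (live >= hits && !(ip in flagged)) { flagged[ip] = t; print ip, t }
  }'
}

# Constructed sample: 203.0.113.7 opens 25 connections within 2 seconds
# (flood-like); 198.51.100.4 opens 30 connections, one every 2 seconds (normal).
sample_log() {
  awk 'BEGIN {
    for (i = 0; i < 25; i++) printf "%d %s\n", 1000 + int(i * 2 / 25), "203.0.113.7"
    for (i = 0; i < 30; i++) printf "%d %s\n", 1000 + i * 2, "198.51.100.4"
  }' | sort -n
}
```

Feed a real log in the same two-column format into flag_syn_floods 5 20 to check the threshold; a source that never appears in the output would not have been dropped by rule 2.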
