In the previous article we introduced the INPUT chain, the main chain of the iptables filter table. This time we mainly introduce the PREROUTING and POSTROUTING chains, which are used to implement NAT.
NAT: anyone who works with networks should be very familiar with this. Network address translation is commonly used to share one Internet connection across a LAN, or to publish a service through a specific port translation.
PREROUTING: rules that run when a packet arrives at the firewall, before the routing decision; they change the packet's destination address and destination port.
POSTROUTING: rules that run after the routing decision, as the packet leaves the firewall; they change the packet's source address and source port.
1. Deploying an enterprise Internet gateway in practice. The experimental environment is shown below; first make sure the iptables firewall host itself can reach the external network.
[Screenshots 1.png, 2.png, 3.png: the experimental environment]
Turn on the kernel forwarding function by setting the following in /etc/sysctl.conf, then load it with sysctl -p, which prints the value back:

    net.ipv4.ip_forward = 1
    sysctl -p
    net.ipv4.ip_forward = 1

Open the FORWARD chain so the firewall forwards packets:

    iptables -P FORWARD ACCEPT

Method 1: change the source address of packets from the 172.16.10.0/24 segment to 172.16.80.125, which is the address of the firewall's external network card (eth0):

    iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j SNAT --to-source 172.16.80.125

Method 2 applies when the external interface has no fixed IP; MASQUERADE uses whatever address eth0 currently holds:

    iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE

Now test access to the external network from the intranet server above:
[Screenshot 1.png: the intranet server testing access to the external network]
You can see that the intranet server can now access the external network.
2. Server Mapping
Before the mapping is configured:
[Screenshots 1.png, 2.png: access attempts before the mapping]
Create the mapping rule and capture packets. Start the capture first, then add the DNAT rule that maps port 80 on the firewall's external address to the intranet web server 172.16.10.102:

    tcpdump -i any port 80 -s0 -n -vvv -w httpd.cap
    iptables -t nat -A PREROUTING -d 172.16.80.125 -p tcp --dport 80 -j DNAT --to-destination 172.16.10.102:80

With the mapping in place, run an access test:
[Screenshot 1.png: access test after the mapping]
Looking closely at the captured packet, the translation exactly matches the forwarding rule we set.
[Screenshot 3.png: the captured packet]
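To make the two hooks concrete, here is an added Python model (not code from the original article) of how the article's SNAT and DNAT rules rewrite a packet, and how the reply is translated back from the connection-tracking entry rather than by re-running the rules. The rule values are the article's; the client addresses 172.16.10.50 and 203.0.113.10, the ports, and the internal interface name eth1 are assumed for the demonstration.

```python
"""Model of PREROUTING/DNAT, POSTROUTING/SNAT and the reverse translation of replies."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Rule values as set on the article's gateway (eth0 = external NIC, 172.16.80.125).
SNAT_RULES = [("172.16.10.0/24", "eth0", "172.16.80.125")]        # -t nat -A POSTROUTING
DNAT_RULES = [("172.16.80.125", "tcp", 80, "172.16.10.102", 80)]  # -t nat -A PREROUTING


def prerouting(pkt: Packet) -> Packet:
    """DNAT: match the original destination/port, rewrite the destination before routing."""
    for dst, proto, dport, new_dst, new_dport in DNAT_RULES:
        if (pkt.dst, pkt.proto, pkt.dport) == (dst, proto, dport):
            return replace(pkt, dst=new_dst, dport=new_dport)
    return pkt


def postrouting(pkt: Packet, out_if: str) -> Packet:
    """SNAT: match source network and outgoing interface, rewrite the source.
    MASQUERADE behaves the same way using the interface's current address."""
    for net, iface, new_src in SNAT_RULES:
        if out_if == iface and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
            return replace(pkt, src=new_src)
    return pkt


def forward(pkt: Packet, out_if: str, conntrack: dict) -> Packet:
    """First packet of a connection: both hooks run once and the mapping is recorded
    under the reply tuple, so later packets of the flow never re-evaluate the rules."""
    translated = postrouting(prerouting(pkt), out_if)
    conntrack[(translated.dst, translated.dport, translated.src, translated.sport)] = pkt
    return translated


def reply(pkt: Packet, conntrack: dict) -> Packet:
    """Reply direction: undo the translation from the recorded entry. With no entry the
    packet is left untouched (on the real box it is then subject to the FORWARD policy)."""
    orig = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return pkt
    return Packet(orig.dst, orig.dport, orig.src, orig.sport, orig.proto)
```

The inbound case reproduces what the tcpdump capture above shows: the client's SYN to 172.16.80.125:80 leaves the firewall addressed to 172.16.10.102:80, and the server's reply is rewritten back so the client only ever sees the gateway address.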
Next time we will explain the actual process of, and considerations for, deploying iptables firewalls in the enterprise.
This article is from the "Thick tak" blog; reprinting is not permitted.
Linux security iptables Firewall detailed 2