Linux security iptables Firewall detailed 2

Source: Internet
Author: User

In the previous article we introduced the INPUT chain of iptables. This time we mainly cover the PREROUTING and POSTROUTING chains, which are used to implement NAT.


NAT: anyone who works with networks should be familiar with this. Network Address Translation is commonly used to share one Internet connection across a LAN, or to publish a service on a specific port.

PREROUTING: rules applied as soon as a packet arrives at the firewall, before the routing decision; they change the packet's destination address or destination port.

POSTROUTING: rules applied after the routing decision, just before the packet leaves the firewall; they change the packet's source address or source port.


1. Deploying an enterprise Internet gateway in practice. The lab environment is as follows; first make sure that the iptables firewall host itself can reach the external network.



First enable IP forwarding on the gateway by setting net.ipv4.ip_forward = 1 in the sysctl configuration and loading it:

    # sysctl -p
    net.ipv4.ip_forward = 1

Open the FORWARD chain:

    # iptables -P FORWARD ACCEPT

Method 1 (fixed external address): rewrite the source address of the 172.16.10.0/24 segment to 172.16.80.125, which is the address of the iptables host's external network card:

    # iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j SNAT --to-source 172.16.80.125

Method 2 (suitable when there is no fixed external IP):

    # iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE

Then test access to the external network from the intranet server.




You can see that the intranet server can now reach the external network.


2. Server Mapping

Before the mapping is configured:




Configure the mapping rule and capture packets at the same time:

    # tcpdump -i any port 80 -s0 -n -vvv -w httpd.cap
    # iptables -t nat -A PREROUTING -d 172.16.80.125 -p tcp --dport 80 -j DNAT --to-destination 172.16.10.102:80

This maps port 80 on the external address to the intranet server 172.16.10.102; now run an access test.





Look closely at this packet: it matches the forwarding rule we set exactly.
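The SNAT/MASQUERADE gateway from section 1 and the DNAT mapping above, combined into one script as an added example (not the original post's commands). It replaces the permissive "-P FORWARD ACCEPT" with a state-tracked FORWARD chain, and by default only prints the iptables commands instead of applying them; the interface name and addresses are the post's lab values, everything else is an assumption.

```shell
#!/bin/sh
# Added example, not the original post's commands. Default is a dry run that
# only prints the iptables commands; run as root with DRY_RUN=0 to apply them.
# Lab values (LAN 172.16.10.0/24, WAN eth0 / 172.16.80.125, web server
# 172.16.10.102) are taken from the post; everything else is an assumption.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Source NAT for the LAN segment leaving via the WAN interface.
# $1 = LAN network, $2 = WAN interface, $3 = fixed WAN IP (omit -> MASQUERADE)
snat_rules() {
    if [ -n "${3:-}" ]; then
        run iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j SNAT --to-source "$3"
    else
        run iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
    fi
}

# Replaces the post's "-P FORWARD ACCEPT": only LAN-initiated connections and
# their replies are forwarded; anything else hitting FORWARD is dropped.
# $1 = LAN network, $2 = WAN interface
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$1" -o "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Port mapping: DNAT in PREROUTING plus the FORWARD accept the mapped service
# needs once the FORWARD policy is DROP.
# $1 = WAN IP, $2 = public port, $3 = internal IP, $4 = internal port
dnat_rules() {
    run iptables -t nat -A PREROUTING -d "$1" -p tcp --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    run iptables -A FORWARD -d "$3" -p tcp --dport "$4" -m conntrack --ctstate NEW -j ACCEPT
}

# Full gateway: forwarding on, FORWARD locked down, SNAT out, port 80 mapped in.
gateway() {
    run sysctl -w net.ipv4.ip_forward=1
    forward_rules 172.16.10.0/24 eth0
    snat_rules 172.16.10.0/24 eth0 172.16.80.125   # omit the IP to use MASQUERADE
    dnat_rules 172.16.80.125 80 172.16.10.102 80
}

gateway
```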




Next time we will explain the actual process and considerations for deploying iptables firewalls in the enterprise.


This article is from the "Thick tak" blog; reprinting is declined.
