NetFilter Filter Table case and NAT table application

Source: Internet
Author: User

First, filter table case

Requirements: for the filter table only, set the default policy of the INPUT chain to DROP and of the other two chains to ACCEPT; then open port 22 for 192.168.204.0/24, port 80 for all network segments, and port 21 for all network segments.
This requirement is not complicated, but because there are many rules it is best to write them as a script. The script reads as follows:

# cat /usr/local/sbin//iptables.sh
cat: /usr/local/sbin//iptables.sh: 没有那个文件或目录
# vim !$
vim /usr/local/sbin//iptables.sh
#! /bin/bash
ipt="/sbin/iptables"
$ipt -F                                                        # flush the existing rules
$ipt -P INPUT DROP                                             # default action of the INPUT chain: DROP
$ipt -P OUTPUT ACCEPT                                          # default action of the OUTPUT chain: ACCEPT
$ipt -P FORWARD ACCEPT                                         # default action of the FORWARD chain: ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # let packets of already established connections through
$ipt -A INPUT -s 192.168.204.0/24 -p tcp --dport 22 -j ACCEPT  # open port 22 for this IP range only
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # open port 80 for all network segments
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # open port 21 for all network segments


Then execute the script:

# sh /usr/local/sbin/iptables.sh


You can see that the packet counters are changing.
ICMP packets have a common application as well:

# iptables -I INPUT -p icmp --icmp-type 8 -j DROP

The --icmp-type option is used together with -p icmp and is followed by the type number. Type 8 is the ICMP echo request, so dropping it means this machine can still ping other machines (the echo replies coming back are type 0 and are not affected), while other machines cannot ping this machine. It's worth remembering.
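As an added example (not part of the original post), the following Python model walks the INPUT chain exactly as the script and the ICMP command above build it, with first-match semantics and the DROP policy, so the verdict for a packet can be checked without touching a live firewall. The packet addresses and the conntrack state field are constructed test data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Packet:
    src: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: str = "NEW"             # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                    # ACCEPT or DROP
    src: Optional[str] = None      # -s network
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    icmp_type: Optional[int] = None    # --icmp-type
    states: Optional[Set[str]] = None  # -m state --state

    def matches(self, p: Packet) -> bool:
        # every option given on the rule must match; an omitted option matches anything
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type)
                and (self.states is None or p.state in self.states))

class Chain:
    def __init__(self, policy: str):
        self.policy, self.rules = policy, []
    def append(self, rule: Rule):  # iptables -A: the rule goes to the end
        self.rules.append(rule)
    def insert(self, rule: Rule):  # iptables -I: the rule goes to position 1
        self.rules.insert(0, rule)
    def verdict(self, p: Packet) -> str:
        # rules are tried top to bottom; the first match decides, otherwise the policy
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy

def build_input_chain() -> Chain:
    ch = Chain("DROP")                                   # $ipt -P INPUT DROP
    ch.append(Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}))
    ch.append(Rule("ACCEPT", src="192.168.204.0/24", proto="tcp", dport=22))
    ch.append(Rule("ACCEPT", proto="tcp", dport=80))
    ch.append(Rule("ACCEPT", proto="tcp", dport=21))
    ch.insert(Rule("DROP", proto="icmp", icmp_type=8))  # -I INPUT -p icmp --icmp-type 8 -j DROP
    return ch
```

Running `build_input_chain().verdict(...)` over a few constructed packets shows the asymmetry described above: an inbound echo request hits the inserted DROP, while the echo reply to our own ping is ESTABLISHED and is accepted.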

Second, NAT table application

Linux iptables is very powerful; there is hardly anything it cannot do. Any network application you can think of, Linux can implement. In daily life you have surely used a router, whose job is to share an Internet connection: a single network cable comes in (in fact only one public IP), the router hands out a network segment of private IPs, and the PCs connected to the router can all reach the Internet while remote devices see your IP as the router's public IP. This router function is implemented in Linux with iptables, specifically with the NAT table. Let's illustrate directly:
Existing conditions:
Machine A has two NICs, ens33 (192.168.204.128) and ens37 (192.168.100.1). ens33 can reach the external network; ens37 is internal only. Machine B has only ens37 (192.168.100.100), which can communicate with machine A's ens37.
To set up the experimental conditions, two virtual machines are prepared first:
1. Clone the existing virtual machine (machine A) in VMware and name the clone ZHULINUX2 (machine B);
2. Add a network card to machine A and set its LAN segment to "Custom segment", which represents the internal network address;


3. Set machine B's network card to ens37 with IP address 192.168.100.100/24, and change its network adapter to the same LAN segment as on machine A, as shown in the screenshot:

4. Set the IP address of machine A's ens37;

5. Set the IP address of machine B's ens37; first disable the ens33 network card, since it can reach the external network:

Requirements:
1. Let machine B connect to the external network:
Operation on machine A:

# echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding
# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

Operation on machine B: set the default gateway; once it is set, the network can be reached:

Here Baidu is pinged successfully because DNS is configured.
2. Machine C can communicate only with machine A; make machine C reach port 22 of machine B directly:
Operation on machine A:

# iptables -t nat -A PREROUTING -d 192.168.204.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.204.128
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.204.128      tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   213 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.204.128


At this point, the connection is successful.
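Added example, not from the original post: a Python model of the nat PREROUTING and POSTROUTING chains configured above. It shows the DNAT rewrite that machine C's connection to port 1122 undergoes, and why the -nvL output counts 3 packets on MASQUERADE and 0 on SNAT: the MASQUERADE rule comes first and already matches B's traffic leaving ens33, so the SNAT rule never sees it. C's address 192.168.204.50 and the Internet host 203.0.113.9 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

A_EXT_IF, A_EXT_IP = "ens33", "192.168.204.128"   # machine A's external interface and address

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

class NatRule:
    def __init__(self, target, to=None, src=None, dst=None, proto=None, dport=None, out=None):
        self.target, self.to, self.pkts = target, to, 0      # pkts mirrors the -nvL counter
        self.src, self.dst, self.proto, self.dport, self.out = src, dst, proto, dport, out
    def matches(self, p, out_if):
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or p.dst == self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.out is None or out_if == self.out))

def run_chain(rules, p, out_if=None):
    # nat chains see only the first packet of a connection; the first matching
    # rule rewrites it and conntrack reverses the mapping for the replies
    for r in rules:
        if r.matches(p, out_if):
            r.pkts += 1
            if r.target == "DNAT":
                ip, port = r.to.rsplit(":", 1)
                p.dst, p.dport = ip, int(port)
            elif r.target == "SNAT":
                p.src = r.to
            elif r.target == "MASQUERADE":  # source becomes the address of the outgoing interface
                p.src = A_EXT_IP if out_if == A_EXT_IF else p.src
            return p
    return p                                # policy ACCEPT: packet left unchanged
PREROUTING = [NatRule("DNAT", to="192.168.100.100:22", dst=A_EXT_IP, proto="tcp", dport=1122)]
POSTROUTING = [NatRule("MASQUERADE", src="192.168.100.0/24", out=A_EXT_IF),
               NatRule("SNAT", to=A_EXT_IP, src="192.168.100.100")]

def c_to_b_ssh():
    # machine C connects to A:1122; returns where the packet is actually delivered
    p = run_chain(PREROUTING, Packet("192.168.204.50", A_EXT_IP, 1122))
    return (p.dst, p.dport)

def b_to_internet(n=3):
    # machine B opens n connections to an Internet host through ens33
    last = None
    for _ in range(n):
        last = run_chain(POSTROUTING, Packet("192.168.100.100", "203.0.113.9", 80), out_if=A_EXT_IF)
    return (last.src, POSTROUTING[0].pkts, POSTROUTING[1].pkts)
```

Note that forwarding between C and B also depends on ip_forward being enabled and on the FORWARD chain accepting the traffic, as set in the filter script earlier.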

