Two classic applications of iptables in the Network

I. port forwarding:
Before describing port forwarding, let's talk about one thing I encountered recently. I am engaged in testing. A manufacturer calls me to test a server software. Based on win2k, the port number is 881. The server is directly connected to the external network, and the client is accessed through the Server ip address. However, they do not have linux-based server software, as they mean, the server must be switched to windows. As a linux enthusiast, I want everyone to understand this pain. I flipped through the information and found that the port forwarding function of iptables can be solved. After one afternoon, I finally completed the task. The following describes my method: Thought: using port forwarding, when the server receives a 881 port request, it forwards it to 10.10.2.200: 881, and 10.10.2.200 then returns the data to the request connection.
Eth0: connect to ADSL, that is, the ppp0 Interface
Eth1: connects to the internal network. The ip address is 10.10.1.1.
10.10.2.200 is a win2k server with port 881 providing network services.
Iptbles script:
Iptables-t nat-a prerouting-p tcp-m tcp -- dport 881-j DNAT -- to-destination 10.10.2.200: 881; send 881 requests to port 10.10.2.00: 881
Iptables-t nat-a postrouting-s 10.10.0.0/16-d 10.10.2.200-p tcp-m tcp -- dport 881-j SNAT -- to-source 10.10.1.1; return. b. b. d. When the data source comes from the same subnet, change the source address to 10.10.1.1, issue the data source from eth0, and find a in the connection tracking table. b. c. d. The data is sent from ppp0 by ppp0.
Of course, do not forget to add a statement to allow access to port 881. Iptables-a input-p tcp-dport 881-I ppp0-j ACCEPT
Can I place the server in a local area and use port forwarding? The answer is of course yes. Since port 881 can be forwarded, ports and 80 will not be used, and many server software can customize ports, as long as there is an appropriate port, even if you open an ftp server for each user in the LAN. All services you want to implement can be implemented, of course, based on port forwarding.
In the LAN, 10.10.2.101 is win2k and provides the www Service. The port number is 800.
Access through server http: // serverip: 800.
Iptables-t nat-a prerouting-p tcp-m tcp -- dport 800-j DNAT -- to-destination 10.10.2.101: 800
Iptables-t nat-a postrouting-s 10.10.0.0/16-d 10.10.2.101-p tcp-m tcp -- dport 800-j SNAT -- to-source 10.10.1.1
Iptables-a input-p tcp-dport 800-I ppp0-j ACCEPT
Because port forwarding is implemented, you only need to install iptables on the server to forward data. All services are done by the internal server. In this case, my linux server is actually a firewall.
Ii. Experience in using IPTABLES Firewall
Recently, a small LINUX server was set up to use LINUX machines as soft routers.
Iptables features are very powerful, such as IP Forwarding and disguised defense against DoS, scanning and sniffing attacks.
My system environment: redhat 7.2, adsl 2 m, 8139 fast Nic
1: How to Use soft routing in linux:
Speaking of this, you may think that if you are in/etc/rc. d/rc. add cat 1>/proc/sys/net/ipv4/ip_forward in local to enable ip_forward for linux, but you will find that even if you set other computers in your LAN to be unable to share why is it because when you only have one public ip address, you must use the iptables IP address camouflage function to disguise the IP address as your public IP address? How can you achieve this? iptables-t nat-a postrouting-o ppp0-j MASQUERADE can disguise your outgoing IP address as the IP address of ppp0 (because my ADSL can be changed if it is different)
2: I don't want to open my port, but I want to enable http service on my computer and provide external services:
Because you don't want to open ports other than 80, you can use iptables-p input-j DROP to intercept all communication.
Which ports can be used in the request? You can write as follows:
Iptables-a input-p tcp-dport 80-j ACCEPT
You can add the port you want to open in this format as appropriate. Of course, if you think this is not a good management, you can create an iptables table.

Iptables-N test creates A test table) iptables-A test DROPiptables-A test-p tcp-dport 80-j ACCEPT (port 80 is allowed to be accessed) iptables-a input-j testiptables-a output-j testiptables-a forward-j test

These three values indicate that all input output forward values are set according to test)
3. What should I do if I want to set up an ftp service on my Intranet computer:
This requires another powerful function port ing of iptables.
Iptables-t nat-a prerouting-p tcp-m tcp -- dport 25-j DNAT -- to-destination 192.168.0.6: 21
Iptables-t nat-a postrouting-s 192.168.0.0/24-d 192.168.0.6-p tcp-m tcp -- dport 25-j SNAT -- to-source 192.168.0.1
The above two sentences mean to map port 25 of the server to 192.168.0.6.
4: I don't want people to PING me.
This is probably the most commonly used method in the firewall. You can write this sentence in iptables-a input-p icmp -- icmp-type echo-request-I ppp0-j DROP if you have created A new test table. You can also write iptables-A test-p icmp -- icmp-type echo-request-I ppp0-j DROP.
In this case, PING is not allowed because the icmp protocol is used for ping. Because icmp does not have a port, you do not need to specify a port. This is the basic usage of iptables.
Here are some common commands for iptbales.
Iptables-F clear all iptables rule settings
/Sbin/iptables-save> iptables-save saves your rules because all the rules you set will not be saved after being restarted. Therefore, you must write a script to make it you can use this command to save your rules and enable them to run automatically upon startup.