1. Add the following content to the /etc/rc.local file:
Note: eth0 carries the intranet IP address and eth1 carries the Internet IP address.
################
[root@rhnat01 root]# vi /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Default route out through the Internet interface; intranet segments go via eth0.
route add -net 0.0.0.0 gw <Internet gateway> netmask 0.0.0.0 dev eth1
route add -net <intranet segment A> gw <intranet gateway> netmask 255.255.240.0 dev eth0
# Netmask below reconstructed as 255.255.224.0; the source shows it garbled as "255.%224.0".
route add -net 220.114.128.0 gw 211.162.0.129 netmask 255.255.224.0 dev eth0
route add -net <intranet segment B> gw <intranet gateway> netmask 255.255.255.0 dev eth0
route add -net <intranet segment C> gw <intranet gateway> netmask 255.255.255.0 dev eth0
route add -net <intranet segment D> gw <intranet gateway> netmask 255.255.0.0 dev eth0
route add -net <intranet segment E> gw <intranet gateway> netmask 255.255.0.0 dev eth0
#### NAT #####
# Enlarge the connection tracking table and shorten the established-TCP timeout.
echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1800
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 268435456 > /proc/sys/kernel/shmall
echo 268435456 > /proc/sys/kernel/shmmax
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
#####
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/iptables --flush INPUT
/sbin/iptables --flush FORWARD
/sbin/iptables --flush POSTROUTING --table nat
# Default deny on FORWARD; only the rules below let traffic through.
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 --source <intranet segment A>/19 --jump MASQUERADE
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 --source <intranet segment B>/18 --jump MASQUERADE
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 --source <intranet segment C>/24 --jump MASQUERADE
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 --source <intranet segment D>/24 --jump MASQUERADE
# eth1 is the interface that holds the Internet IP address: only replies to existing connections come back in.
/sbin/iptables --append FORWARD --in-interface eth1 --match state --state ESTABLISHED,RELATED --jump ACCEPT
/sbin/iptables --append FORWARD --source <intranet segment A>/19 --jump ACCEPT
/sbin/iptables --append FORWARD --source <intranet segment B>/18 --jump ACCEPT
/sbin/iptables --append FORWARD --source <intranet segment C>/24 --jump ACCEPT
/sbin/iptables --append FORWARD --source <intranet segment D>/24 --jump ACCEPT
# Log every new forwarded connection at debug level; this feeds the kern.=debug syslog line in section II.
/sbin/iptables -I FORWARD -m state --state NEW -j LOG --log-level debug
# eth0 is the intranet interface; <Internet IP address> is the address to rewrite sources to.
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to <Internet IP address>
Configuration complete.
II. Log storage
vi /etc/syslog.conf
Add:
# Remote net receive setup
# <remote log host> is the address of the syslog server (the source shows it as "*.X").
# To keep the log in a local file instead, use: kern.=debug  -/var/log/iptables.log
kern.=debug    @<remote log host>
*.*    @<remote log host>
So far, the iptables NAT configuration and the remote log forwarding settings are complete. Note that *.* forwards every facility and priority to the remote host, and the LOG rule fires once for every new forwarded connection, so expect a high log volume on a busy gateway.
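The LOG rule on the FORWARD chain and the kern.=debug syslog line together produce one kernel log line per new forwarded connection. As an added example (not part of the original page), the following POSIX shell functions summarise such lines by source address and destination port; the sample log lines, hostname, addresses and ports are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: summarise the kernel LOG lines that the
# "-j LOG --log-level debug" FORWARD rule emits and the kern.=debug syslog line stores.
# The sample lines below are constructed (made-up host, addresses and ports) and
# abbreviated to the fields this script reads.
SAMPLE_LOG='Mar  3 10:12:01 rhnat01 kernel: IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  3 10:12:02 rhnat01 kernel: IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=203.0.113.6 LEN=60 TTL=63 PROTO=TCP SPT=40002 DPT=25 SYN
Mar  3 10:12:03 rhnat01 kernel: IN=eth0 OUT=eth1 SRC=10.1.2.7 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=40003 DPT=80 SYN
Mar  3 10:12:04 rhnat01 kernel: IN=eth0 OUT=eth1 SRC=10.1.2.7 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=40004 DPT=443 SYN
Mar  3 10:12:05 rhnat01 kernel: IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=40005 DPT=25 SYN'

# Count logged new connections from one source address to one destination port.
# Usage: count_new_to_port SRC DPT < /var/log/iptables.log
count_new_to_port() {
    awk -v src="$1" -v dpt="$2" '
        /kernel: .*IN=/ {
            s = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) s = substr($i, 5)   # strip the "SRC=" prefix
                if ($i ~ /^DPT=/) d = substr($i, 5)   # strip the "DPT=" prefix
            }
            if (s == src && d == dpt) n++
        }
        END { print n + 0 }'
}

# Print "count SRC DPT" for every source/port pair seen, busiest first.
# Usage: new_connection_summary < /var/log/iptables.log
new_connection_summary() {
    awk '
        /kernel: .*IN=/ {
            s = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) s = substr($i, 5)
                if ($i ~ /^DPT=/) d = substr($i, 5)
            }
            if (s != "" && d != "") c[s " " d]++
        }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Sources that opened more than THRESHOLD new connections to a single port, e.g. an
# internal host repeatedly opening outbound SMTP (port 25) behind the NAT.
# Usage: flag_sources THRESHOLD < /var/log/iptables.log
flag_sources() {
    new_connection_summary | awk -v t="$1" '$1 > t { print $2, $3 }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_sources 2
```

Point the functions at /var/log/iptables.log (or the remote server's copy) to run them on real data.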
Several commands
################
service syslog restart
service syslog reload
iptables -L
This command displays the rule set currently in use in the most readable form it can: it tries to replace port numbers with the corresponding names from /etc/services and IP addresses with their DNS names. The latter can cause problems. For example, it tries to resolve LAN addresses (such as 192.168.1.1) to names, but the 192.168.0.0/16 block is private, meaning it is only used on a LAN and never on the Internet, so no Internet DNS server will resolve it. While it waits on that lookup the command appears to hang. To avoid this, use the -n option:
iptables -L -n
To see simple traffic counters for each policy, rule and chain, add the verbose flag to the preceding command, as shown below:
iptables -L -n -v
Remember that iptables -L can also show the nat and mangle tables (the default table is filter); just add the -t option. For example, to view only the rules in the nat table, run:
iptables -L -t nat
Some files under /proc may also interest you. For example, you can view the connection tracking table, which holds all current connections and lets you see the state of each one. Note that this table cannot be edited, and you should not change it even if you could. To view it, run:
cat /proc/net/ip_conntrack | less
This shows every connection currently being tracked, though the records are hard to read.
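Because the raw ip_conntrack records are hard to read, the following added example (not from the original page) summarises them per protocol/state and per source, and reports how full the table is against the ip_conntrack_max value that rc.local sets. The SAMPLE_CONNTRACK lines are constructed in the 2.4/2.6 ip_conntrack format with made-up addresses.

```shell
#!/bin/sh
# Added example, not from the original page: make /proc/net/ip_conntrack readable by
# summarising entries per protocol/state and per source, and report how full the table
# is against the ip_conntrack_max value set in rc.local. The SAMPLE_CONNTRACK lines are
# constructed in the 2.4/2.6 ip_conntrack format with made-up addresses.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.1.2.3 dst=203.0.113.5 sport=40001 dport=25 src=203.0.113.5 dst=198.51.100.1 sport=25 dport=40001 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.1.2.3 dst=203.0.113.6 sport=40002 dport=25 [UNREPLIED] src=203.0.113.6 dst=198.51.100.1 sport=25 dport=40002 use=1
tcp      6 117 SYN_SENT src=10.1.2.3 dst=203.0.113.7 sport=40003 dport=25 [UNREPLIED] src=203.0.113.7 dst=198.51.100.1 sport=25 dport=40003 use=1
tcp      6 299 ESTABLISHED src=10.1.2.7 dst=203.0.113.9 sport=40004 dport=443 src=203.0.113.9 dst=198.51.100.1 sport=443 dport=40004 [ASSURED] use=1
udp      17 29 src=10.1.2.7 dst=203.0.113.53 sport=50000 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=50000 use=1'

# Entries per protocol and TCP state (UDP entries have no state column, shown as "-").
# Usage: conntrack_by_state < /proc/net/ip_conntrack   -> "tcp ESTABLISHED 2" ...
conntrack_by_state() {
    awk '{ state = ($1 == "tcp") ? $4 : "-"; c[$1 " " state]++ }
         END { for (k in c) print k, c[k] }' | sort
}

# Half-open entries ([UNREPLIED]) per original source address. A single internal host
# accumulating many of these is opening connections that never get an answer.
# Usage: unreplied_by_source < /proc/net/ip_conntrack   -> "10.1.2.3 2"
unreplied_by_source() {
    awk '/\[UNREPLIED\]/ { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); break } }' \
        | sort | uniq -c | awk '{ print $2, $1 }' | sort -k2 -rn
}

# Percentage of the tracking table in use for a given ip_conntrack_max (integer part).
# Usage: conntrack_usage_percent MAX < /proc/net/ip_conntrack
conntrack_usage_percent() {
    awk -v max="$1" 'END { printf "%d\n", (NR * 100) / max }'
}

printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_by_state
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_usage_percent 1048576
```

On the gateway itself, feed the functions from /proc/net/ip_conntrack and pass the value of /proc/sys/net/ipv4/netfilter/ip_conntrack_max as MAX.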
To modify or clear rules, for example delete rule number 10 from the INPUT chain, flush the INPUT chain, or list the result:
iptables -D INPUT 10
iptables -F INPUT
iptables --list