Use iptables to implement nat and Port ing

Use iptabels to implement NAT transparent proxy for the LAN, such as Internet cafes or internet proxy servers of companies! At the same time, the intranet WEB server port ING is realized! And solved the problem that the visitor IP address of the WEB server is the proxy server IP address! At the same time, both the intranet and internet can access the intranet WEB server through a public IP! Goals: the hardware and software environments are as follows: the operating system uses iptabels to implement NAT transparent proxy for the LAN, such as Internet cafes or internet proxy servers of companies! At the same time, the intranet WEB server port ING is realized! And solved the problem that the visitor IP address of the WEB server is the proxy server IP address! At the same time, both the intranet and internet can access the intranet WEB server through a public IP! Goals:
The software and hardware environment is as follows:
The OS is RHEL 4, 3 Com Nic, eth0 is an Internet Nic, IP: 221.222.111.10, eth1 is an intranet Nic, IP: 192.168.0.1, and intranet WEB server IP: 192.168.0.200. Network Environment: China Telecom 10 m optical fiber, fixed IP!
The method is as follows:
First, I commented out IptablesAll the original content of the file, and then IptablesWrite the following content in the file!
##################################### Start the Nat segment ######################################## #
* Nat
: Prerouting accept [0: 0]
: Output accept [0: 0]
: Postrouting accept [0: 0]
#
# ------------------------------ Web Server port ing ------------------------------
#192.168.0.200 port 80
######################
# Use DNAT for Port ing! Note that the following commands must be in front of the NAT transparent proxy; otherwise, the command is invalid!
-A prerouting-I eth1-p tcp-d 221.222.111.10 -- dport 80-jDNAT -- to-destination 192.168.0.200: 80
-A prerouting-I eth0-p tcp-d 221.222.111.10 -- dport 80-jDNAT -- to-destination 192.168.0.200: 80
#
# ---------------------------- Iptables NAT transparent proxy ------------------------------
#
-A postrouting-s 192.168.0.0/255.255.255.0-j SNAT -- to221.222.111.10
#
COMMIT
##################################### End of a Nat segment ######################################## #
###################################### Filter segment start #####################################
#
* Filter
: Input accept [0: 0]
: Forward accept [0: 0]
: Output accept [0: 0]
#
# Prevent other computers on the network from using the Ping command to detect the local machine:
-A input-p icmp -- icmp-type echo-request-I eth0-j DROP
#
# Prevent the broadcast package from accessing the LAN from the IP proxy server:
-A input-s limit 255-I eth0-j DROP
-A input-s 224.0.0.0/224.0.0.0-I eth0-j DROP
-A input-d 0.0.0.0-I eth0-j DROP
# Shield the following TCP and UDP ports:
-A input-I eth1-p udp-m udp -- dport 3-j DROP
-A input-I eth1-p tcp-m tcp -- dport 3-j DROP
-A input-I eth1-p tcp-m tcp -- dport 111-j DROP
-A input-I eth1-p udp-m udp -- dport 111-j DROP
-A input-I eth1-p udp-m udp -- dport 587-j DROP
-A input-I eth1-p tcp-m tcp -- dport 587-j DROP
#
COMMIT
###################################### Filter segment end #####################################
After modifying the above files, modify the/etc/sysctl. conf file to net. ipv4.ip _ forward = 1. this is very important, otherwise the NAT proxy will not take effect!
Run the command #: service iptables restart to restart the iptables service !! OK. You can try the ghost proxy service and the WEB service again. Otherwise, the service can be accessed normally. I think so!
Appendix:
The Web Server port ING must be prior to the IptablesNAT transparent proxy command. Otherwise, the intranet user will not be able to access the intranet Web Server through the public IP or domain name!