Using Iptables to implement a simple server publishing strategy for the DMZ zone

Source: Internet
Author: User

Publishing servers in the DMZ lets Internet clients reach the mail, Web, FTP and other servers placed there, lets internal hosts connect to the Internet to send mail to external networks, and rejects abnormal connections and attack traffic.

Second, host configuration:

Configuration files:

Host name: iptables.bdqn.com

/etc/hosts

/etc/sysconfig/network

Internal interface: eth0, IP 192.168.10.2/24

/etc/sysconfig/network-scripts/ifcfg-eth0

Public interface: eth1, IP 202.202.202.100/24

/etc/sysconfig/network-scripts/ifcfg-eth1

Third, the iptables firewall configuration

Install the iptables package; on Red Hat systems it is installed by default.

The specific configuration rules are as follows:

First turn on kernel IP forwarding, for the running kernel and again at every boot (note the append, so rc.local is not overwritten):

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.d/rc.local

Then clear the filter table:

iptables -F   # flush all rules in the table

iptables -X   # delete user-defined chains in the table

iptables -Z   # zero the packet and byte counters in the table

Configuration of the filter table:

1. iptables -P INPUT DROP

2. iptables -P OUTPUT DROP

3. iptables -P FORWARD ACCEPT

4. iptables -A INPUT -i eth1 -p icmp -j DROP   # the chain is not given in the source text; INPUT is assumed here

5. iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IP INPUT Packet Died: "

6. iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IP FORWARD Packet Died: "

7. iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IP OUTPUT Packet Died: "

nat table configuration:

1. iptables -t nat -P OUTPUT DROP

2. iptables -t nat -P PREROUTING DROP

3. iptables -t nat -P POSTROUTING DROP

4. iptables -t nat -A POSTROUTING -o eth1 -s 192.168.10.0/24 -j SNAT --to-source 202.202.202.100

# Translate the source address of the 192.168.10.0 segment to the address of the public interface

5. iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.5:80

# Redirect external requests for the WWW service to the WWW server at 192.168.10.5
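The whole scenario above (forwarding, SNAT for the internal segment, DNAT publishing of the web server, rate-limited logging) as an added shell script; this is not the page's own configuration. It keeps the page's interfaces and addresses but goes beyond it in two ways: FORWARD is default-deny with explicit stateful allows instead of ACCEPT, and the nat table is left at its ACCEPT policy because it sees only the first packet of a connection and is not intended for filtering. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original page. Addresses and interfaces are the page's.
IPT=${IPT:-iptables}        # set IPT=echo to print rules instead of applying them
INT_IF=eth0; INT_NET=192.168.10.0/24
PUB_IF=eth1; PUB_IP=202.202.202.100
WWW=192.168.10.5            # the page's DMZ web server

enable_forwarding() {
    # Takes effect now; persist it in /etc/sysctl.conf for reboots
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

flush_rules() {
    for t in filter nat; do
        $IPT -t $t -F; $IPT -t $t -X; $IPT -t $t -Z
    done
}

build_rules() {
    # Default-deny in the filter table only. The nat table is consulted just for the
    # first packet of a connection and is not meant for filtering, so it stays at ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Let replies to already tracked flows through every chain
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A $c -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    $IPT -A INPUT -i lo -j ACCEPT
    # Drop ICMP arriving on the public interface, as the page does
    $IPT -A INPUT -i $PUB_IF -p icmp -j DROP
    # Internal segment out to the Internet, rewritten to the public address
    $IPT -A FORWARD -i $INT_IF -o $PUB_IF -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $PUB_IF -s $INT_NET -j SNAT --to-source $PUB_IP
    # Publish the web server: DNAT in PREROUTING, then allow only that flow in FORWARD
    $IPT -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 80 -j DNAT --to-destination $WWW:80
    $IPT -A FORWARD -i $PUB_IF -o $INT_IF -p tcp -d $WWW --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Rate-limited log of whatever is about to hit a DROP policy
    for c in INPUT FORWARD OUTPUT; do
        $IPT -A $c -m limit --limit 3/minute --limit-burst 3 \
            -j LOG --log-level info --log-prefix "IP $c Packet Died: "
    done
}

# Apply for real only when invoked as: sh dmz-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_forwarding; flush_rules; build_rules
fi
```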
