2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
System environment: CentOS 6.3 x64
iptables: the version shipped with the system
I. Deployment environment:
1. Disable SELinux
# setenforce 0
# vi /etc/sysconfig/selinux
-
SELINUX=disabled
-
2. Flush the default rules and restart iptables
# iptables -t nat -F
# iptables -F
# service iptables save
# service iptables restart
3. Enable IP forwarding on the gateway
# vi /etc/sysctl.conf
-
net.ipv4.ip_forward = 1
-
# sysctl -p
In this example we simulate a web site: only SSH (22) and HTTP (80) are opened on the firewall, and those two ports are mapped from the firewall to the intranet server. If other services are exposed, adjust the port numbers accordingly.
II. Gateway firewall iptables configuration:
1. The loopback interface is always open.
# iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
2. Use DNAT for the port mapping (1.2.3.4 is the public address, 192.168.100.10 the intranet server, 192.168.100.1 the gateway's LAN address):
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 22 -j DNAT --to 192.168.100.10
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.100.10
# Use SNAT for source address translation (the key step) so that the server's replies return through the gateway
# iptables -t nat -A POSTROUTING -d 192.168.100.10 -p tcp --dport 22 -j SNAT --to 192.168.100.1
# iptables -t nat -A POSTROUTING -d 192.168.100.10 -p tcp --dport 80 -j SNAT --to 192.168.100.1
3. Open the mapped ports in the FORWARD chain (routed traffic; eth2 is the LAN interface)
# iptables -A FORWARD -o eth2 -d 192.168.100.10 -p tcp --dport 22 -j ACCEPT
# iptables -A FORWARD -i eth2 -s 192.168.100.10 -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -o eth2 -d 192.168.100.10 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth2 -s 192.168.100.10 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
4. The subnet may send any other TCP traffic out to the public network (eth0 is the WAN interface).
# iptables -A FORWARD -p tcp -i eth2 -o eth0 -j ACCEPT
# Replies to those connections arrive on eth0 and must be forwarded back, otherwise the DROP policy in step 7 discards them
# iptables -A FORWARD -p tcp -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
5. The subnet can also reach UDP services on the public network.
# Outbound from the LAN (eth2) to the Internet (eth0); 192.168.100.0/24 is the LAN subnet used by the other rules
# iptables -A FORWARD -p udp -i eth2 -s 192.168.100.0/24 -o eth0 -j ACCEPT
# Replies come back in on eth0 and are only accepted for flows the LAN initiated
# iptables -A FORWARD -p udp -i eth0 -d 192.168.100.0/24 -o eth2 -m state --state ESTABLISHED -j ACCEPT
6. Masquerade the subnet's outbound traffic behind the gateway's public address so that internal hosts can reach the public network.
# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
7. Deny everything else:
# A chain policy (-P) only accepts the built-in targets ACCEPT or DROP; REJECT is not valid here and the command fails
# iptables -P FORWARD DROP
# iptables -A INPUT -j REJECT
# iptables -P OUTPUT DROP
8. Save and restart the service:
# service iptables save
# service iptables restart
-configuration completed-
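As an added check that is not part of the original article: a small Python audit that parses an `iptables-save` dump and verifies the properties the ruleset above relies on, namely that the FORWARD policy is DROP, that every DNAT target has a matching FORWARD ACCEPT, and that replies to LAN clients are accepted as ESTABLISHED on the WAN interface. The interface names (eth0/eth2), addresses and ports are the page's; the dump text itself is constructed and has two rules deliberately missing so the audit has something to report.

```python
import re

# Constructed dump in iptables-save syntax mirroring the page's rules (sample input, not
# captured from a real gateway); the port-80 FORWARD rule and client return rule are omitted.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.100.10
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.10
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.100.10/32 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -j ACCEPT
COMMIT
"""

def parse_dump(dump):
    """Return ({table: {chain: policy}}, {table: [rule line, ...]})."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":"):          # chain name + default policy
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):        # an appended rule
            rules[table].append(line)
    return policies, rules

def opt(rule, flag):
    # Value of a one-argument option in a rule line, with any /mask stripped
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), rule)
    return m.group(1).split("/")[0] if m else None

def audit(dump, wan_if="eth0"):
    """Return human-readable findings; an empty list means all checks passed."""
    policies, rules = parse_dump(dump)
    fwd, findings = rules.get("filter", []), []
    if policies.get("filter", {}).get("FORWARD") != "DROP":
        findings.append("FORWARD default policy is not DROP")
    for r in (x for x in rules.get("nat", []) if "-j DNAT" in x):
        dst, port = opt(r, "--to-destination"), opt(r, "--dport")
        if not any(opt(f, "-d") == dst and opt(f, "--dport") == port
                   and "-j ACCEPT" in f for f in fwd):
            findings.append("DNAT to %s:%s has no FORWARD ACCEPT rule" % (dst, port))
    # Replies to LAN clients enter on the WAN side and need an ESTABLISHED accept
    if not any("ESTABLISHED" in f and "-j ACCEPT" in f and opt(f, "-i") == wan_if for f in fwd):
        findings.append("no ESTABLISHED/RELATED return rule entering on " + wan_if)
    return findings
```

Run it against the output of `iptables-save` on the gateway after step 8; an empty result means the mapped ports and the LAN's return path are all covered.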