Introduction of configuration method of iptables under Linux

2025-02-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to configure iptables under Linux. The method described here is simple, fast and practical; follow along with the editor to learn it.

For a company router that provides Internet access, the functions required are NAT address translation, DHCP, a DNS cache, bandwidth control and application control. NAT can be done directly with iptables; the DHCP service requires installing dhcpd; the DNS cache uses bind; bandwidth control uses tc; application control, for example blocking QQ, can be done with netfilter-layer7-v2.22 plus the signature library l7-protocols-2009-05-28.tar.gz.

1. Network planning

The operating system is CentOS 5.8.

2. Install dhcpd

The code is as follows:

yum install dhcp-3.0.5-31.el5
vim /etc/dhcp/dhcpd.conf

ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.0.1;
    range dynamic-bootp 10.0.0.100 10.0.0.200;
    default-lease-time 21600;
    max-lease-time 43200;
}

3. Install bind to implement dns cache

The code is as follows:

yum install bind97.i386 bind97-libs.i386 bind97-utils.i386
vim /etc/named.conf

options {
    directory "/var/named";
    allow-recursion { 10.0.0.0/24; };    # only the internal network may use this server recursively
    recursion yes;
    forward first;                       # try the forwarders first for every query
    forwarders { 114.114.114.114; };     # address of the forwarding server
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-transfer { none; };
};

Create the root hints file (one is present by default).

The code is as follows:

dig -t NS . > /var/named/named.ca
chown :named /var/named/named.ca

Create the local forward resolution file (present by default).

The code is as follows:

vim /var/named/named.localhost

$TTL 1D
@   IN SOA  @ rname.invalid. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
    NS  @
    A   127.0.0.1

chown :named /var/named/named.localhost

Create the local reverse resolution file (present by default).

The code is as follows:

vim /var/named/named.loopback

$TTL 1D
@   IN SOA  @ rname.invalid. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
    NS  @
    A   127.0.0.1
    PTR localhost.

chown :named /var/named/named.loopback

Check the main configuration file

The code is as follows:

named-checkconf

Check the root zone file

The code is as follows:

named-checkzone "." /var/named/named.ca

Check the zone file

The code is as follows:

named-checkzone "localhost" /var/named/named.localhost

Start the service

The code is as follows:

service named start

4. Recompile the kernel and iptables to support application layer filtering

Because the firewall function is implemented by the netfilter kernel module, the kernel has to be recompiled: download new kernel source, apply netfilter-layer7-v2.22 as a kernel patch and build it into the kernel. The iptables tool controls netfilter, so iptables must also be recompiled and installed. Finally the application signature library l7-protocols-2009-05-28.tar.gz is installed.

1. Patch the kernel source and recompile the kernel

2. Patch the iptables source and recompile iptables

3. Install l7-protocols

Back up the iptables init script and configuration file

The code is as follows:

cp /etc/rc.d/init.d/iptables /root/iptables.sysv
cp /etc/sysconfig/iptables-config /root/iptables-config

2.6 kernel download address

https://www.kernel.org/pub/linux/kernel/v2.6/

netfilter-layer7 download address

http://download.clearfoundation.com/l7-filter/

iptables source download address

http://www.netfilter.org/projects/iptables/downloads.html

Application signature library download address

http://download.clearfoundation.com/l7-filter/

The code is as follows:

xz -d linux-2.6.28.10.tar.xz
tar -xvf linux-2.6.28.10.tar -C /usr/src    # new kernel source for recompilation (xz -d leaves a plain .tar)
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src    # kernel patch and iptables patch; supports kernels only up to 2.6.28
# enter the extraction directory and create a symbolic link
cd /usr/src
ln -sv linux-2.6.28.10 linux
# enter the kernel directory
cd /usr/src/linux
# patch the kernel source
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

To make configuring the kernel easier, copy the running system's kernel configuration into the source tree:

cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config

Compile the kernel. The code is as follows:

make menuconfig

Enable the following options:

Networking support -> Networking Options -> Network packet filtering framework -> Core Netfilter Configuration

Netfilter connection tracking support
"layer7" match support
"string" match support
"time" match support
"iprange" match support
"connlimit" match support
"state" match support
"conntrack" connection match support
"mac" address match support
"multiport" Multiple port match support

Networking support -> Networking options -> Network packet filtering framework -> IP: Netfilter Configuration

IPv4 connection tracking support (required for NAT)
Full NAT
MASQUERADE target support
NETMAP target support
REDIRECT target support

In summary: under Networking support select Networking options, then Network packet filtering framework (Netfilter) -> Core Netfilter Configuration, and enable Netfilter connection tracking support (NEW), "layer7" match support (NEW), "time" match support (NEW) and "iprange" match support; then under IP: Netfilter Configuration enable IPv4 connection tracking support and Full NAT (NEW).

The code is as follows:

make
make modules_install
make install

Reboot the operating system and choose the new kernel at the boot menu.

Uninstall the old iptables

The code is as follows:

rpm -e iptables-1.3.5-9.1.el5 iptables-ipv6-1.3.5-9.1.el5 iptstate-1.4-2.el5 --nodeps

Install a new iptables that supports the new netfilter module

The code is as follows:

tar -jxvf iptables-1.4.6.tar.bz2 -C /usr/src
# copy the layer7 extension sources from the netfilter-layer7-v2.22 tree into the iptables tree
cd /usr/src/netfilter-layer7-v2.22
cd iptables-1.4.3forward-for-kernel-2.6.20forward
cp * /usr/src/iptables-1.4.6/extensions/
cd /usr/src/iptables-1.4.6/
./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install

View the files of the installed iptables

The code is as follows:

ls /usr/sbin | grep iptables
ls /usr/libexec/xtables

Restore the previously backed up configuration file and init script

The code is as follows:

cp /root/iptables-config /etc/sysconfig/
cp /root/iptables.sysv /etc/rc.d/init.d/iptables

Modify the path of iptables in the init script (the new binary lives in /usr/sbin instead of /sbin)

The code is as follows:

vim /etc/rc.d/init.d/iptables
:.,$s@/sbin/$IPTABLES@/usr/sbin/$IPTABLES@g

Make the iptables service start automatically at boot

The code is as follows:

chkconfig --add iptables

Modify the iptables configuration file

Edit /etc/sysconfig/iptables-config and comment out IPTABLES_MODULES="ip_conntrack_netbios_ns"

Install the protocol signature library

The code is as follows:

tar xvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28
make install

After completion, the files are placed under /etc/l7-protocols.

The supported protocols are listed in /etc/l7-protocols/protocols.

Add the iptables policy: SNAT for the internal network, and block QQ and video/audio streaming

The code is as follows:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.6.67
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto httpvideo -j DROP
iptables -A FORWARD -m layer7 --l7proto httpaudio -j DROP

Block Internet access from 08:00 to 12:00.

The code is as follows:

iptables -A FORWARD -m time --timestart 08:00 --timestop 12:00 -j DROP
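As an added example (not the article's own script), the same policy assembled as an iptables-restore file with a default-deny FORWARD chain, so the whole table loads atomically and can be reviewed first; it assumes the LAN is on eth0, the uplink on eth1, and that the l7-protocols definitions are installed:

```shell
#!/bin/sh
# Emit the router policy in iptables-restore format so the whole table is
# loaded atomically and can be reviewed before it goes live.
# Assumptions (not from the article): LAN on eth0, uplink on eth1, and a
# FORWARD default of DROP so only explicitly allowed traffic crosses the box.
LAN_NET="10.0.0.0/24"
LAN_IF="eth0"
WAN_IF="eth1"
WAN_IP="192.168.6.67"
# layer7 protocol names from /etc/l7-protocols that the LAN may not use
BLOCKED_L7="qq httpvideo httpaudio"

gen_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # hide the LAN behind the fixed uplink address, as in the article
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # no Internet from the LAN between 08:00 and 12:00
    echo "-A FORWARD -i $LAN_IF -m time --timestart 08:00 --timestop 12:00 -j DROP"
    # layer7 classifies a connection over its first packets, which are
    # already ESTABLISHED, so these rules must precede the state shortcut
    for proto in $BLOCKED_L7; do
        echo "-A FORWARD -i $LAN_IF -m layer7 --l7proto $proto -j DROP"
    done
    # replies to LAN-initiated connections; nothing unsolicited enters from WAN
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # only new connections that originate on the LAN and leave via the uplink
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "COMMIT"
}

# Load the ruleset; pass --dry-run to only print it for review.
apply_ruleset() {
    if [ "$1" = "--dry-run" ]; then
        gen_ruleset
        return 0
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset | iptables-restore
}
```

Run `apply_ruleset --dry-run` on the router to inspect the generated table before loading it.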

5. Use tc to control bandwidth

For example, the company's uplink bandwidth is 10Mbps; user A is allocated a maximum download bandwidth of 500KB and user B a maximum download bandwidth of 200KB.

User A ip: 10.0.0.100

User B ip: 10.0.0.101

The code is as follows:

# create the root queueing discipline on the eth0 NIC. The qdisc uses the htb algorithm; "default 2" names the class (and so the policy) that traffic not matched by any of the filters below is sent to.
tc qdisc add dev eth0 root handle 1:0 htb default 2
# define a class on eth0. "parent 1:0" attaches it to the root qdisc above; "classid 1:2" is this class's identifier, referenced by the filters later. "rate 200kbps" guarantees 200KB/s and "ceil 200kbps" caps the class at the same 200KB/s (in tc, kbps means kilobytes per second).
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 200kbps ceil 200kbps prio 2
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 500kbps ceil 500kbps prio 2
# replace the default fifo qdisc of both classes with sfq
tc qdisc add dev eth0 parent 1:2 handle 20 sfq
tc qdisc add dev eth0 parent 1:3 handle 30 sfq
# add a u32 filter at node 1:0 on eth0 (the root qdisc's handle 1:0) with priority 1: all packets whose destination address is 10.0.0.100 go to class 1:2 (the class with classid 1:2)
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.100 flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.101 flowid 1:3

If there are other users, say C and D with addresses 10.0.0.102 and 10.0.0.103 and the same 500KB download cap, add:

The code is as follows:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.102 flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.103 flowid 1:3

Clear the rules on eth0

The code is as follows:

tc qdisc del dev eth0 root 2> /dev/null    # ignore the error if no qdisc is attached yet
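An added example, not the article's own script, that generates the whole HTB hierarchy above from a user table, sharing one class per distinct rate (as users C and D share 1:3); the interface name and the user table are constructed assumptions:

```shell
#!/bin/sh
# Generate the HTB commands for the LAN interface from an "ip rate" table.
# HTB shapes egress only, so download caps are applied on the LAN-facing
# interface by matching each user's address as destination, as above.
# DEV and USERS are constructed for this example, not from the article.
DEV="eth0"
USERS="10.0.0.100 500kbps
10.0.0.101 200kbps
10.0.0.102 500kbps
10.0.0.103 500kbps"

tc_cmds() {
    dev="$1"
    table="$2"
    # root qdisc; unmatched traffic falls into class 1:2, the lowest rate
    echo "tc qdisc add dev $dev root handle 1:0 htb default 2"
    # one class per distinct rate; minor ids start at 2, numeric sort so
    # the smallest rate becomes the default class
    rates=$(printf '%s\n' "$table" | awk '{ print $2 }' | sort -n -u)
    minor=2
    for rate in $rates; do
        echo "tc class add dev $dev parent 1:0 classid 1:$minor htb rate $rate ceil $rate prio 2"
        # sfq inside the class so one flow cannot starve the others
        echo "tc qdisc add dev $dev parent 1:$minor handle ${minor}0 sfq"
        # one u32 filter per user whose rate belongs to this class
        printf '%s\n' "$table" | awk -v r="$rate" -v m="$minor" -v d="$dev" \
            '$2 == r { printf "tc filter add dev %s parent 1:0 protocol ip prio 1 u32 match ip dst %s flowid 1:%s\n", d, $1, m }'
        minor=$((minor + 1))
    done
}

# Apply for real, clearing any previous qdisc first; --dry-run only prints.
apply_tc() {
    if [ "$1" = "--dry-run" ]; then
        tc_cmds "$DEV" "$USERS"
        return 0
    fi
    tc qdisc del dev "$DEV" root 2> /dev/null
    tc_cmds "$DEV" "$USERS" | sh
}
```

Adding a user is then one line in USERS; a new rate automatically gets its own class and sfq qdisc.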

At this point, I believe you have a deeper understanding of configuring iptables under Linux. You might as well try it in practice. More related content is available in the relevant channels of this website; follow us and keep learning!
