Shulou(Shulou.com)06/01 Report--

It is impossible to use centos5.3 with nat, and it is useless to refer to N multi-configuration methods.

Feel that there is something wrong with the operating system, and then use 6.6, which has a configured graphical boot interface, which is easy to fix.

Later found in the English web page

Echo "1" > / proc/sys/net/ipv4/ip_forward

That's all right. Looking for more than N places, I finally know that this is the method to force forwarding when the OS system does not forward traffic by default.

Normally, getting the system to forward requires modification of the configuration file.

/ etc/sysctl.conf

Inside

Net.ipv4.ip_forward = 1

It doesn't work because the default value is 0 enable disable, which is changed to 1.

Sysctl-p

Update, of course, restart is also possible.

Chkconfig iptables on

Normally turn on the firewall as a service.

Then comes the configuration of the / etc/sysconfig/iptables file.

It is also implemented with the add command, where eth0 is external and eth2 is internal.

Iptables-t nat-A POSTROUTING-o eth0-j MASQUERADE

This means that there are no internal and external restrictions, which is easy to use when the IP address of the external network card is DHCP.

Iptables-t nat-A POSTROUTING-s 192.168.1.0 Universe 24-j SNAT-- to-source 172.26.1.79

This is the intranet 192.168.1.0 take 24, to the outside, the replacement source address is 172.26.1.79

Allow external access to internal servers, such as remote desktops

Iptables-t nat PREROUTING-I eth0-p tcp-- dport 3389-j DNAT-- to-destination 192.168.1.2

-I eth0 is the network card that enters, and I means input;-p tcp, the protocol is tcp;-- dport 3389 port number is 3389, which is the IP address of internal server.

That's not enough. It's the nat table.-t specifies the table.

Configuration is also required in the filter table.

Iptables-t filter-A FORWARD-I eth0-m state-- state NEW-m tcp-p tcp-d 192.168.1.2-- dport 3389-j ACCEPT

It is not possible to release internal traffic on the forwarding link. Why the-d here is 192.168.1.2? because PREROUTING has been routed by NAT in the previous nat table. By the time it reaches the FORWARD processing flow, the destination address has changed from the IP address of the external network card to 192.168.1.2. Of course, you can only use the private network IP address to filter when entering the private network.

And forward some traffic licenses.

Iptables-A FORWARD-m state-- state ESTABLISHED,RELATED-j ACCEPT

Iptables-A FORWARD-p icmp-j ACCEPT

Iptables-A FORWARD-I lo-j ACCEPT

Iptables-A FORWARD-o eth0-j ACCEPT

Do not use the firewall graphic configuration that the system itself brings, as soon as it is used, it will be out of RH-Firewall-1-INPUT, making itself a mess.

In addition, the speed of using 5.3 is very slow, and the remote desktop is connected to it, and the screen does not move. There is a reason why 5.3 is blocked and forwarded by default.

There is no problem with 6.6, and the speed is acceptable.

Here are some network configuration commands

If there is only one network card at first and then it is added later, then only

/ etc/sysconfig/network-scripts/ifcfg-eth0

Without ifcfg-eth2, you can copy ifcfg-eth0 to ifcfg-eth2, and then modify the contents.

Need to check the hardware files of the network card

/ etc/udev/rules.d/70-persistent-net.rules

Confirm that there is a new network card in it and record the mac address.

DEVICE=eth2

NAME= "System eth2"

HWADDR=00:50:56:A0:40:18

IPADDR=192.168.1.1

PREFIX=24

GATEWAY=

DNS1=

DOMAIN=

Modifiers, ip address, mask, and HWADDR are mac addresses. If the version is higher and there is UUID, you can change it differently from eth0.

There is no gateway for the internal network card. PREFIX is a prefix, which means the same thing as a mask and is written differently. The version of os is different, and the NETMASK,6 of 5 is PREFIX.

Iptables-F

Clear rules for all rule chains in the preset table filter

Iptables-X

Clear the rules in the user customization chain in the preset table filter

/ etc/rc.d/init.d/iptables save or service iptables save

Save the configuration typed in by the command, or the restart will be gone

Service iptables restart

Restart the service

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.