
Iptables realizes the function of network firewall, SNAT and DNAT.

2025-03-07 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report


I. Implementing the network firewall

1. Environment preparation:

Virtual machine: VMware Workstation 11

System: CentOS 7.3

2. Prerequisites

2.1 Each host sets its IP address / subnet mask correctly

Host A network card ens33: 10.0.0.110/24 (intranet client)

Host B network card ens33: 10.0.0.111/24, ens37: 172.16.252.52/24 (gateway server)

Host C network card ens33: 172.16.254.52/24 (external network server)

2.2 Each host sets its gateway address correctly

Host A adds default route information

route add default gw 10.0.0.111

Host C adds routing information (a route back to the intranet via host B)

route add -net 10.0.0.0/24 gw 172.16.252.52

3. Recommended implementation steps

Enable the routing forwarding function on the gateway host

Implement the rules in the FORWARD chain of the filter table

4. Notes:

1. Both the request and the response pass through the FORWARD chain, so pay attention to the direction of each rule.

2. If you enable the conntrack mechanism, it is recommended that packets in the ESTABLISHED state be accepted directly in both directions.

3. You can use tcpdump to capture and analyze packets while configuring the rules.

Steps:

1. Host A adds default route information
route add default gw 10.0.0.111
route -n

2. Host B turns on the kernel forwarding function
sysctl -w net.ipv4.ip_forward=1

3. Capture packets with tcpdump to test
Host A: ping 172.16.254.52
Host B captures: tcpdump -i ens33 -nn icmp
Test result: request packets from 10.0.0.110 to 172.16.254.52 are seen, but no reply packets.

4. Host C uses tcpdump to capture the test traffic
tcpdump -i ens33 -nn icmp
Test result: there is a reply packet, but it is sent to another host, so routing information must be set on host C.

5. Host C adds routing information
route add -net 10.0.0.0/24 gw 172.16.252.52
route -n

6. Host A tests with ping
ping 172.16.254.52
Test result: the ping succeeds.

7. Host C starts the httpd service
systemctl start httpd.service

8. Host A accesses the web page of host C
curl http://172.16.254.52    # the page content should be displayed normally at this point

Build a network firewall on the basis of the above

Method 1:

9. Deny all forwarding
iptables -A FORWARD -j REJECT

10. Add a chain rule: allow intranet host A to access the service of host C on the public network
iptables -I FORWARD -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT

11. Add a chain rule: allow the http service on port 80 of external host C to respond to the intranet
iptables -I FORWARD 2 -d 10.0.0.0/24 -p tcp --sport 80 -j ACCEPT

12. Host A tests whether it can access the web page of host C
curl http://172.16.254.52    # the page content should be displayed normally at this point

Method 2:

9. Deny all forwarding
iptables -A FORWARD -j REJECT

10. Release all packets that belong to established connections
iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT

11. Add a chain rule: allow intranet host A to access external host C
iptables -I FORWARD 2 -s 10.0.0.0/24 -m state --state NEW -j ACCEPT

12. Host A tests
curl http://172.16.254.52    # the page content should be displayed normally at this point

13. Add a chain rule: allow external host C to access the http service on port 80 of intranet host A
iptables -I FORWARD 3 -d 10.0.0.110 -p tcp --dport 80 -m state --state NEW -j ACCEPT

14. Host C tests
curl http://10.0.0.110    # the page content should be displayed normally at this point

15. Replace the chain rule so that more ports of host A are opened
iptables -R FORWARD 3 -d 10.0.0.110 -p tcp -m multiport --dport 21:23,80 -m state --state NEW -j ACCEPT

16. Load the FTP connection-tracking module (two ways)
1) modprobe nf_conntrack_ftp
2) vi /etc/sysconfig/iptables-config and set IPTABLES_MODULES="nf_conntrack_ftp"

17. Establish the FTP access chain rule and open FTP passive mode
iptables -A FORWARD -d 10.0.0.110 -p tcp -m state --state RELATED -j ACCEPT

18. Host C tests
lftp 10.0.0.110
ssh root@10.0.0.110
curl http://10.0.0.110    # information should be obtained normally at this point

II. Implementing the SNAT forwarding function

Prerequisites

Each host sets its IP address / subnet mask correctly

Host B network card ens33: 10.0.0.111/24, ens37: 172.16.252.52/24 (gateway server)

Host C network card ens33: 172.16.254.52/24 (external network server)

Each host sets its gateway address correctly

Reference settings:

Host A adds default route information

route add default gw 10.0.0.111

Host C adds routing information

route add -net 10.0.0.0/24 gw 172.16.252.52

Recommended implementation steps

1. Enable the routing forwarding function of the gateway host

Host B enables the kernel forwarding function

sysctl -w net.ipv4.ip_forward=1

2. Add a firewall rule that uses the SNAT policy

Rule example:

iptables -t nat -I POSTROUTING -j SNAT --to-source 172.16.252.52

3. Verify the SNAT result

Host A: curl http://172.16.254.52

The IP address seen by host C in tail -f /var/log/httpd/access_log should be the public network address of host B.

III. Implementing the DNAT forwarding function

Prerequisites

Reference settings:

Host C network card ens33: 172.16.254.52/24 (external network client)

Each host sets its gateway address correctly

Reference settings:

Host A adds default route information

route add default gw 10.0.0.111

Host C adds routing information

route add -net 10.0.0.0/24 gw 172.16.252.52

Recommended implementation steps

1. Enable the routing forwarding function of the gateway host

Host B enables the kernel forwarding function

sysctl -w net.ipv4.ip_forward=1

2. Add a firewall rule that uses the DNAT policy

Rule example:

iptables -t nat -I PREROUTING -d 172.16.252.52 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.110

3. Verify the DNAT result (host C reaches the web content of host A through the public network address of host B)

Host C: curl http://172.16.252.52

The IP address seen by host A in tail -f /var/log/httpd/access_log should be the address of external network host C.
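An added example, not part of the article: one script for gateway host B that installs the Method 2 FORWARD rules together with the SNAT and DNAT rules from sections II and III, in an order that works with the chain's first-match semantics. It assumes the article's addresses, interface names (ens33/ens37) and ports, and it narrows the SNAT rule to intranet traffic leaving ens37, which the article's rule does not do; without the argument apply it only prints the commands.

```shell
#!/bin/sh
# Added example, not the article's own commands. Run on gateway host B.
# Addresses, interface names and ports are taken from the article; without
# the argument "apply" the script only prints the commands it would execute.
LAN_NET="10.0.0.0/24"     # intranet behind ens33
LAN_HOST="10.0.0.110"     # host A: publishes ftp, ssh and http
WAN_IF="ens37"            # public-side interface of host B
WAN_IP="172.16.252.52"    # public address of host B
PUB_PORTS="21:23,80"      # ports of host A reachable from outside

run() {                   # print the command in dry-run mode, otherwise execute it
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_forward_rules() {
    run modprobe nf_conntrack_ftp          # needed so FTP data channels become RELATED
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F FORWARD                # rebuild the chain from scratch
    # The chain is first-match, so every ACCEPT sits above the final REJECT.
    # (The article's step 17 appends the RELATED rule after REJECT with -A,
    # where it can never match.)
    run iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -s "$LAN_NET" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -d "$LAN_HOST" -p tcp -m multiport --dports "$PUB_PORTS" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -d "$LAN_HOST" -p tcp -m state --state RELATED -j ACCEPT
    run iptables -A FORWARD -j REJECT
}

apply_nat_rules() {
    run iptables -t nat -F
    # SNAT only intranet traffic that leaves through the public interface;
    # the article's rule has no -s/-o match and so rewrites every outgoing packet.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # DNAT http arriving at B's public address to host A; the DNAT'd packet then
    # passes FORWARD as NEW traffic to 10.0.0.110:80, which PUB_PORTS permits.
    run iptables -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$LAN_HOST"
}

case "${1:-}" in
    apply) DRY_RUN=0; apply_forward_rules; apply_nat_rules ;;
    *)     DRY_RUN=1; apply_forward_rules; apply_nat_rules ;;
esac
```

Because DNAT'd connections still traverse FORWARD, port 80 of host A must be listed in PUB_PORTS for the section III test to succeed. Run the script without arguments first and compare the printed commands with iptables -t filter -S FORWARD and iptables -t nat -S after applying.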
