2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to use iptables through four short practices: blocking ping on a server, protecting a web server, building a gateway server, and port mapping with DNAT. The methods are simple and practical, so follow along and try them on a test machine.
Practice 1 forbid ping on the server
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
// no one is allowed to ping this host (ICMP type 8 is echo-request)
In addition to the iptables rule above, ping can also be disabled through the kernel configuration:
echo net.ipv4.icmp_echo_ignore_all=1 >> /etc/sysctl.conf
sysctl -p
// to allow ping again, change ignore_all=1 to ignore_all=0 and run sysctl -p once more
Practice 2 use iptables to protect the company's web server
2.1 web server configuration
1. Install the httpd and vsftpd services
yum -y install httpd
yum -y install vsftpd
// vsftpd is installed only as a contrast: its port will not be released by the iptables rules below, so we can compare a filtered service with an allowed one
2. Start the httpd and vsftpd services
systemctl start httpd
systemctl start vsftpd
2.2 client verification (before iptables is configured)
Test web access
Test vsftpd
2.3 configure the iptables firewall policy
iptables -A INPUT -i lo -j ACCEPT
// release all loopback traffic
iptables -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
// release TCP ports 22 and 80
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
// allow packets that belong to an already established TCP connection, and packets related to such a connection, to pass
iptables -P INPUT DROP
// set the default policy of the INPUT chain of the filter table: a packet that matches none of the rules above is dropped by the default policy
2.4 verify again
Test web access
Test vsftpd
The test result is as expected: the web service can still be accessed, but the ftp service cannot, because the ftp-related ports are not released by any iptables rule and the INPUT default policy drops the connection.
Practice 3 using iptables to build a gateway server
Background: the company uses a Linux host with two network cards as its gateway server. Network card eth0 is connected to the local area network and network card eth2 is connected to the Internet. Since the company has registered only one public IP address, the gateway policy must be configured so that the PCs in the LAN can share that address to access the Internet, as shown in the following figure:
For the detailed experimental steps, see the separate article: practical information | build a gateway server using iptables
Practice 4 using iptables to implement port mapping (DNAT)
Experimental topology figure
4.1 qll252 web server
1. Install the httpd service
[root@qll252 ~] # yum-y install httpd
2. Set the content of the http service home page
[root@qll252 ~]# echo 10.10.10.2 > /var/www/html/index.html
// the home page must live in httpd's document root, /var/www/html, not in the current directory
3. Start the httpd service
[root@qll252 ~] # systemctl start httpd
4. Specify qll251 as the gateway
[root@qll252 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
GATEWAY=10.10.10.1
5. Restart the network card service
[root@qll252 ~] # systemctl restart network
4.2 configure DNAT on qll251
1. Enable kernel forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
2. Add iptables rules
[root@qll251 ~]# iptables -t nat -A PREROUTING -d 20.20.20.20 -p tcp --dport 8000 -j DNAT --to 10.10.10.2:80
// traffic arriving for the public address 20.20.20.20 on port 8000 is rewritten to the internal web server 10.10.10.2 on port 80
3. Save iptables rules
[root@qll251 ~] # service iptables save
4.3 Verification
As expected, typing http://20.20.20.20:8000 into a browser shows the home page of qll252, so the port mapping works.
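To make the first-match and default-policy behaviour of section 2.3 and the DNAT rewrite of practice 4 concrete, here is a small added model of those two chains (example code written for this page, not from the original article); the Packet fields and the sample packets are constructed for illustration.

```python
"""Toy model of two chains built on this page: the filter INPUT chain from
section 2.3 (rules tried in -A order, first match wins, otherwise the -P
default policy applies) and the nat PREROUTING DNAT rule from practice 4.
Constructed example; iptables itself is not invoked."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dport: int              # destination port (for icmp: the ICMP type)
    iface: str = "eth0"     # inbound interface
    state: str = "NEW"      # conntrack state of the packet
    dst: str = "10.10.10.2" # destination address


# Section 2.3 rules, in the order they were appended with -A.
# Each entry is (match predicate, target); order matters because
# the chain stops at the first rule whose predicate matches.
INPUT_RULES = [
    (lambda p: p.iface == "lo", "ACCEPT"),                            # -i lo
    (lambda p: p.proto == "tcp" and p.dport in (22, 80), "ACCEPT"),   # multiport 22,80
    (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),      # conntrack
]
INPUT_POLICY = "DROP"  # iptables -P INPUT DROP


def input_verdict(p: Packet) -> str:
    """Walk the INPUT chain; fall through to the default policy."""
    for match, target in INPUT_RULES:
        if match(p):
            return target
    return INPUT_POLICY


def prerouting_dnat(p: Packet) -> Packet:
    """nat PREROUTING: -d 20.20.20.20 -p tcp --dport 8000 -j DNAT --to 10.10.10.2:80"""
    if p.proto == "tcp" and p.dst == "20.20.20.20" and p.dport == 8000:
        return replace(p, dst="10.10.10.2", dport=80)
    return p


if __name__ == "__main__":
    print("web  :", input_verdict(Packet("tcp", 80)))    # ACCEPT via multiport rule
    print("ftp  :", input_verdict(Packet("tcp", 21)))    # DROP via default policy
    print("ping :", input_verdict(Packet("icmp", 8)))    # DROP via default policy
    print("dnat :", prerouting_dnat(Packet("tcp", 8000, dst="20.20.20.20")))
```

The ftp packet is dropped only because no rule matches it, which is exactly what section 2.4 observes; a reply packet on an established connection still passes through the conntrack rule.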
At this point you should have a deeper understanding of how to use iptables; the best way to consolidate it is to repeat these practices on a test machine of your own.