Shulou (Shulou.com) 05/31 report, updated 2025-01-16. Source: SLTechnology News & Howtos, Servers section.
This article shows how to use iptables to do NAT and logging on Red Hat 9. The editor found the setup practical and shares it here as a reference.
Using iptables as NAT Gateway on RedHat 9 -- the setting I'm using

Add the following to the /etc/rc.local file. Note: eth0 carries the private-network IP and eth2 carries the public-network IP. (This is Red Hat Linux 9 on a 2.4 kernel: the ip_conntrack module names and the /proc/sys/net/ipv4/netfilter paths below belong to that kernel. On RHEL 9 the tracker is nf_conntrack, its tunables live under /proc/sys/net/netfilter, and the default firewall is firewalld on top of nftables, so the module names and sysctl paths differ.)
[root@RHNAT01 root]# vi /etc/rc.local

#!/bin/sh
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Routes: eth2 carries the public address (default route), eth0 the private
# segments. The segment and gateway addresses are placeholders in the original.
route add -net 0.0.0.0 gw <public network gateway> netmask 0.0.0.0 dev eth2
route add -net <private network segment A> gw <private network gateway> netmask 255.255.240.0 dev eth0
route add -net 220.114.128.0 gw 211.162.0.129 netmask 255.255.224.0 dev eth0
route add -net <private network segment B> gw <private network gateway> netmask 255.255.255.0 dev eth0
route add -net <private network segment C> gw <private network gateway> netmask 255.255.255.0 dev eth0
route add -net <private network segment D> gw <private network gateway> netmask 255.255.0.0 dev eth0
route add -net <private network segment E> gw <private network gateway> netmask 255.255.0.0 dev eth0

# Kernel tuning
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 268435456 > /proc/sys/kernel/shmall
echo 268435456 > /proc/sys/kernel/shmmax
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the netfilter modules. ip_conntrack_ftp and ip_nat_ftp associate FTP
# data connections with their control session so they pass the RELATED rule.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Connection-tracking limits. These /proc files only exist once ip_conntrack
# is loaded, so they are set after the modprobes (the original set them
# first, which fails on a freshly booted machine).
echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1800

# Start from empty chains; nothing is forwarded unless a rule allows it.
/sbin/iptables --flush INPUT
/sbin/iptables --flush FORWARD
/sbin/iptables --flush POSTROUTING --table nat
/sbin/iptables --policy FORWARD DROP

# Masquerade each private segment behind the public interface.
/sbin/iptables --table nat --append POSTROUTING --out-interface eth2 --source <private network segment A>/19 --jump MASQUERADE
/sbin/iptables --table nat --append POSTROUTING --out-interface eth2 --source <private network segment B>/18 --jump MASQUERADE
/sbin/iptables --table nat --append POSTROUTING --out-interface eth2 --source <private network segment C>/24 --jump MASQUERADE
/sbin/iptables --table nat --append POSTROUTING --out-interface eth2 --source <private network segment D>/24 --jump MASQUERADE

# Replies coming back in on the public interface (eth2) are let through, and
# new connections are allowed from the private segments. The segment rules
# match on source address only, so a packet arriving on eth2 with a forged
# private source would also be accepted; adding --in-interface eth0 to each
# of them closes that hole.
/sbin/iptables --append FORWARD --in-interface eth2 --match state --state ESTABLISHED,RELATED --jump ACCEPT
/sbin/iptables --append FORWARD --source <private network segment A>/19 --jump ACCEPT
/sbin/iptables --append FORWARD --source <private network segment B>/18 --jump ACCEPT
/sbin/iptables --append FORWARD --source <private network segment C>/24 --jump ACCEPT
/sbin/iptables --append FORWARD --source <private network segment D>/24 --jump ACCEPT

# Log every new forwarded connection at debug level; the kern.=debug line in
# syslog.conf below collects these. Inserted at the top so it sees every
# new packet, including the ones the policy then drops.
/sbin/iptables -I FORWARD -m state --state NEW -j LOG --log-level debug

# As in the original: traffic leaving on the internal interface is also
# source-NATed to the public IP, so internal hosts see it as coming from
# the gateway's public address.
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to <public network IP>
Setup complete
II. Log preservation

vi /etc/syslog.conf

Add the following, leaving the existing entries unchanged (keep comments on their own lines; sysklogd does not parse a comment after a rule):

# remote net receive setup
# send the kernel debug messages (the iptables LOG lines) to the remote log host;
# *.x stands for the log host's address and is left as a placeholder in the original
kern.=debug    @*.x
# also keep a local copy; the leading "-" skips the sync after every write
kern.=debug    -/var/log/iptables.log

The remote host must run syslogd with -r so that it accepts messages from the network. Classic syslog is plain UDP with no authentication, so keep that path on the private side of the gateway. At this point the iptables NAT and remote log forwarding settings are complete.
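The LOG rule in rc.local and the kern.=debug line above produce one syslog line per new forwarded connection. The script below is an added example, not part of the original article, that reads such a file and reports the busiest sources together with any packet that arrived on the public interface while claiming a private source, which the article's source-only FORWARD rules would accept. It assumes the standard 2.4-kernel ipt_LOG line format, the interface names eth0 and eth2 from the article, and RFC 1918 prefixes standing in for the private segments the article leaves blank; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): summarise iptables LOG lines
# written by
#   iptables -I FORWARD -m state --state NEW -j LOG --log-level debug
# and routed to /var/log/iptables.log by "kern.=debug -/var/log/iptables.log".
# Assumed: 2.4-kernel ipt_LOG format (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=),
# public interface eth2, and RFC 1918 prefixes for the article's unnamed
# private segments.

PRIVATE_PREFIXES="10. 172.16. 192.168."
PUBLIC_IF="eth2"

# Count NEW forwarded connections per source address, busiest first.
top_sources() {
    awk '
        / IN=/ && / SRC=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) counts[substr($i, 5)]++
        }
        END { for (s in counts) printf "%d %s\n", counts[s], s }
    ' "$1" | sort -rn
}

# Print the source of every packet that entered on the public interface while
# claiming a private address. The article's FORWARD rules accept such packets
# because they match on --source alone; "-i eth0" on those rules would stop it.
spoofed_on_public() {
    awk -v pubif="${2:-$PUBLIC_IF}" -v prefixes="$PRIVATE_PREFIXES" '
        BEGIN { np = split(prefixes, p, " ") }
        {
            inif = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  inif = substr($i, 4)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (inif != pubif || src == "") next
            for (j = 1; j <= np; j++)
                if (index(src, p[j]) == 1) { print src; break }
        }
    ' "$1"
}

# Constructed sample log (not a real capture): three outbound connections from
# 192.168.1.10, one from 10.0.5.20, one genuine inbound probe from the Internet,
# and one packet on eth2 forging a private source.
SAMPLE_LOG="${TMPDIR:-/tmp}/iptables-sample-$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 16 10:00:01 RHNAT01 kernel: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 16 10:00:02 RHNAT01 kernel: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 16 10:00:03 RHNAT01 kernel: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 16 10:00:04 RHNAT01 kernel: IN=eth0 OUT=eth2 SRC=10.0.5.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 16 10:00:05 RHNAT01 kernel: IN=eth2 OUT=eth0 SRC=198.51.100.40 DST=10.0.5.20 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=55000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 16 10:00:06 RHNAT01 kernel: IN=eth2 OUT=eth0 SRC=192.168.1.77 DST=10.0.5.20 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=6 DF PROTO=TCP SPT=55001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF

echo "== new connections per source =="
top_sources "$SAMPLE_LOG"
echo "== private sources arriving on $PUBLIC_IF (spoofed) =="
spoofed_on_public "$SAMPLE_LOG"
```

Run it against the real file with `top_sources /var/log/iptables.log | head` once the syslog line is in place. Because the LOG rule sits at the top of FORWARD, a forged private source on eth2 shows up in the log whether or not a later rule would have accepted it, so the second check works as a detection even after the FORWARD rules are tightened with --in-interface.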
A few useful commands:

service syslog restart
service syslog reload
iptables -L
This command displays the rule set currently in use in as readable a form as it can: it replaces port numbers with the service names from /etc/services and IP addresses with their DNS names. The DNS lookups can cause trouble, for example when it tries to resolve a LAN address such as 192.168.1.1. The 192.168.0.0/16 block is private address space, usable only inside the local network and never published in Internet DNS, so the command appears to hang while the lookup times out. To avoid this, use the -n option:
iptables -L -n
To see simple traffic counters (packets and bytes) for each chain policy and rule, add the verbose flag:
iptables -L -n -v
Remember that iptables -L can also show the nat and mangle tables (the default is the filter table); select a table with the -t option. To list only the rules of the nat table:
iptables -L -t nat
There are also some files of interest under /proc. For example, the connection-tracking table lists every connection the kernel is currently tracking and the state each one is in. The table is read-only, and even if it could be edited it should not be. View it with:
cat /proc/net/ip_conntrack | less
This prints every tracked connection, but the raw entries are hard to read.
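To make those entries readable, here is an added example (not from the article) that parses the 2.4-kernel /proc/net/ip_conntrack format: each line carries the protocol, its number, the remaining timeout, the TCP state where applicable, the original tuple, then the reply tuple, with [UNREPLIED] and [ASSURED] flags in between. Comparing the original source with the reply destination shows which sessions the gateway rewrote (the MASQUERADE and SNAT rules at work), and the [UNREPLIED] count shows half-open connections. The public address 198.51.100.1 and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): read /proc/net/ip_conntrack
# in the Linux 2.4 format and show, per entry, the original tuple and whether
# the reply tuple reveals source NAT. Assumed line format:
#   <proto> <num> <timeout> [<tcp state>] src= dst= sport= dport= [UNREPLIED]
#       src= dst= sport= dport= [ASSURED] use=N
# The first src=/dst= pair is the original direction, the second the reply
# direction; with MASQUERADE the reply's dst= is the gateway's public address.

# One line per entry: proto, state, original src:port -> dst:port, and either
# "direct" or "NAT as <public ip>:<port>" when the reply tuple's destination
# differs from the original source (the address the Internet peer talks to).
conntrack_summary() {
    awk '
    {
        proto = $1
        state = ($1 == "tcp") ? $4 : "-"
        n = 0
        sport[1] = sport[2] = dport[1] = dport[2] = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/)   dst[n] = substr($i, 5)
            if ($i ~ /^sport=/) sport[n] = substr($i, 7)
            if ($i ~ /^dport=/) dport[n] = substr($i, 7)
        }
        natted = (src[1] != dst[2])
        natstr = natted ? "NAT" : "direct"
        printf "%s %s %s:%s -> %s:%s %s", proto, state, src[1], sport[1], dst[1], dport[1], natstr
        if (natted) printf " as %s:%s", dst[2], dport[2]
        printf "\n"
    }' "$1"
}

# Entries the kernel has never seen a reply for. A large number relative to
# the established entries is the usual sign of a SYN flood or a scan passing
# through the gateway, and each one holds a slot under ip_conntrack_max.
half_open_count() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample (not a real capture). 198.51.100.1 stands in for the
# gateway's public address; the last entry is the gateway's own SSH session
# and is therefore not translated.
SAMPLE_CT="${TMPDIR:-/tmp}/ip_conntrack-sample-$$"
trap 'rm -f "$SAMPLE_CT"' EXIT
cat > "$SAMPLE_CT" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40000 [ASSURED] use=1
tcp      6 55 SYN_SENT src=10.0.5.20 dst=203.0.113.9 sport=41000 dport=443 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=443 dport=41000 use=1
udp      17 29 src=192.168.1.10 dst=203.0.113.53 sport=50000 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=50000 use=1
tcp      6 431000 ESTABLISHED src=198.51.100.1 dst=203.0.113.22 sport=45000 dport=22 src=203.0.113.22 dst=198.51.100.1 sport=22 dport=45000 [ASSURED] use=1
EOF

conntrack_summary "$SAMPLE_CT"
echo "half-open entries: $(half_open_count "$SAMPLE_CT")"
```

On the gateway itself, `conntrack_summary /proc/net/ip_conntrack` gives the same view of live sessions; watching `half_open_count` against `cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max` tells you how close the table is to the limit set in rc.local.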
Commands for correcting and clearing rules:
iptables -D INPUT 10      (delete rule number 10 from the INPUT chain)
iptables -F INPUT         (flush every rule in the INPUT chain)
iptables --list           (list the filter table)