2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report
This article walks through a practical iptables case in detail. It is shared here as a reference, in the hope that it gives you a working understanding of the topic.
Case
The company has three divisions:
Engineering: 192.168.2.10-192.168.2.20
Software Division: 192.168.2.21-192.168.2.30
Manager's Office: 192.168.2.31-192.168.2.40
Working hours: Monday to Friday, 08:00-20:00
Engineering: FTP during working hours; unrestricted after hours.
Software Division: HTTP during working hours, but no access to forbidden sites (sina), no Thunder (Xunlei), at most 3 connections, no QQ, no movie downloads and no image browsing; unrestricted after hours.
Manager's Office: HTTP and QQ are allowed; unrestricted after hours.
DMZ: a www server that has to be published.
Tools: iptables + l7 (layer7) + squid transparent proxy
Analysis:
For this lab, a squid transparent proxy is used during working hours because it makes user-behavior controls easy to express, with iptables assisting in restricting what users can do online. After work, plain NAT is used so that access is unrestricted. Squid runs as a transparent proxy with its listening address and port configured, plus the various access rules. iptables is kept tight: the default policy is DROP.
[Figure: lab topology]
Basic settings
Allow SSH (sshd) from the management host and traffic on the loopback interface, then set the default policies to DROP
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.101.130 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -d 192.168.101.130 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -o lo -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# iptables -P FORWARD DROP
Test by pinging 127.0.0.1
[root@localhost ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.436 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.045 ms
The engineering department is configured as follows:
Configure NAT (MASQUERADE) on the eth0 egress interface
[root@localhost ~]# iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.2.10-192.168.2.20 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 20:00 -p tcp --dport 21 -o eth0 -j MASQUERADE
Allow the same traffic through the FORWARD chain
[root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.10-192.168.2.20 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 20:00 -p tcp --dport 21 -j ACCEPT
[root@localhost ~]# iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Load the FTP NAT helper module
[root@localhost ~]# modprobe ip_nat_ftp
The software department is configured as follows:
Redirect port 80 to squid on port 3128
[root@localhost ~]# iptables -t nat -A PREROUTING -m iprange --src-range 192.168.2.21-192.168.2.40 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 20:00 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Allow port 3128 in the INPUT chain
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow outbound HTTP and DNS from the firewall itself
[root@localhost ~]# iptables -t filter -I OUTPUT 3 -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -t filter -I OUTPUT 3 -p udp --dport 53 -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Configure NAT for client DNS queries
[root@localhost ~]# iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.2.21-192.168.2.40 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 20:00 -p udp --dport 53 -o eth0 -j MASQUERADE
Allow client DNS queries through the FORWARD chain
[root@localhost ~]# iptables -t filter -I FORWARD 2 -m iprange --src-range 192.168.2.21-192.168.2.40 -p udp --dport 53 -j ACCEPT
Block Thunder (Xunlei) and QQ chat
[root@localhost ~]# iptables -t filter -I FORWARD 3 -m iprange --src-range 192.168.2.21-192.168.2.30 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 20:00 -m layer7 --l7proto xunlei -j DROP
[root@localhost ~]# iptables -t filter -I FORWARD 3 -m iprange --src-range 192.168.2.21-192.168.2.30 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 20:00 -m layer7 --l7proto qq -j DROP
Set up the squid proxy
Edit squid's configuration file to set the listening address and port, and add the following rules
# Listen on the LAN address as a transparent proxy
http_port 192.168.2.1:3128 transparent
# Software Division clients
acl badip src 192.168.2.21-192.168.2.30/255.255.255.255
# Working hours
acl worktime time 08:00-20:00
# Forbidden site and forbidden content (images)
acl badsite url_regex -i sina
acl badcont urlpath_regex -i \.jpg$
# More than 3 connections from one client
acl conn3 maxconn 3
http_access deny badip worktime badsite
http_access deny badip worktime badcont
http_access deny badip conn3
Allow unrestricted access after hours: NAT everything and let it through the FORWARD chain
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 20:01 --timestop 23:59 -o eth0 -j MASQUERADE
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 00:00 --timestop 07:59 -o eth0 -j MASQUERADE
[root@localhost ~]# iptables -t filter -I FORWARD 5 -s 192.168.2.0/24 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 00:00 --timestop 07:59 -j ACCEPT
[root@localhost ~]# iptables -t filter -I FORWARD 5 -s 192.168.2.0/24 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 20:01 --timestop 23:59 -j ACCEPT
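The working-hours and after-hours rules above use separate -m time windows, and with a default DROP policy any moment that falls into neither window is simply blocked. The following added example (not part of the original article) models those windows in plain shell and probes the boundaries; it assumes that --timestart and --timestop are inclusive and compared to the second, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed model of the page's -m time windows (no iptables is called).
# Assumption: --timestart/--timestop are inclusive and compared to the
# second, so "--timestop 20:00" ends at 20:00:00.

# to_secs HH:MM[:SS] -> seconds since midnight
to_secs() {
    echo "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# in_range T START STOP -> exit status 0 when START <= T <= STOP
in_range() {
    t=$(to_secs "$1"); a=$(to_secs "$2"); b=$(to_secs "$3")
    [ "$t" -ge "$a" ] && [ "$t" -le "$b" ]
}

# window_for DAY HH:MM[:SS] -> prints work | after | none
#   work  = matches the 08:00-20:00 rules
#   after = matches the 20:01-23:59 or 00:00-07:59 rules
#   none  = matches no time-limited rule, so new connections hit policy DROP
window_for() {
    case "$1" in
        Mon|Tue|Wed|Thu|Fri) ;;
        *) echo none; return 0 ;;   # no rule on the page lists Sat or Sun
    esac
    if in_range "$2" 08:00 20:00; then
        echo work
    elif in_range "$2" 20:01 23:59 || in_range "$2" 00:00 07:59; then
        echo after
    else
        echo none
    fi
}

# Probe the seams between the windows.
report() {
    for probe in "Mon 07:59:00" "Mon 07:59:30" "Mon 08:00:00" \
                 "Mon 20:00:00" "Mon 20:00:30" "Mon 20:01:00" \
                 "Fri 23:59:30" "Sat 12:00:00"; do
        set -- $probe
        printf '%s %s -> %s\n' "$1" "$2" "$(window_for "$1" "$2")"
    done
}
report
```

The probes that come back as none are the seconds between 07:59 and 08:00, 20:00 and 20:01, after 23:59, and all of Saturday and Sunday. On current iptables the time match also evaluates in UTC unless --kerneltz is given, so check the firewall's clock and timezone before relying on these windows.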
Server settings
Publish the web server with DNAT and add an iptables rule that lets the traffic through the firewall
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.101.25 -p tcp --dport 80 -j DNAT --to 192.168.3.100
[root@localhost ~]# iptables -t filter -I FORWARD 8 -d 192.168.3.100 -p tcp --dport 80 -j ACCEPT
Configure Apache on the server 192.168.3.100
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# vim /var/www/html/index.html
Hi ~~ This is my web!
[root@localhost ~]# service httpd start
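The FORWARD rules in this walkthrough are added with a mix of -A and -I at fixed positions, so the final order of the chain is not the order in which the commands were typed. The following added example (not part of the original article) replays the page's FORWARD commands in page order and prints the resulting chain; the rule labels are shorthand invented here and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed replay of the page's FORWARD commands, in page order.
# Labels are shorthand for the rules; nothing here calls iptables.
# "A <label>" stands for -A FORWARD, "I <n> <label>" for -I FORWARD <n>.
forward_ops() {
    cat <<'EOF'
A eng-ftp-ACCEPT
A established-ACCEPT
I 2 dns-ACCEPT
I 3 l7-xunlei-DROP
I 3 l7-qq-DROP
I 5 afterhours-00:00-07:59-ACCEPT
I 5 afterhours-20:01-23:59-ACCEPT
I 8 dnat-www-ACCEPT
EOF
}

# build_chain: apply the operations from stdin and print "<position> <label>".
# Exits non-zero, as iptables refuses the command, when an insert index is
# larger than the current chain length + 1.
build_chain() {
    awk '
        $1 == "A" { chain[++n] = $2; next }
        $1 == "I" {
            if ($2 > n + 1) { bad = 1; exit }
            for (i = n; i >= $2; i--) chain[i + 1] = chain[i]
            chain[$2] = $3
            n++
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) print i, chain[i]
        }
    '
}

# position_of LABEL -> 1-based position of that rule in the final chain
position_of() {
    forward_ops | build_chain | awk -v want="$1" '$2 == want { print $1 }'
}

forward_ops | build_chain
```

The layer7 DROP rules end up at positions 3 and 4, ahead of the ESTABLISHED,RELATED ACCEPT at position 7, which matters because application-layer matching needs to see the data packets of connections that are already established. The final -I FORWARD 8 only succeeds because exactly seven rules exist at that point, so running the commands in a different order or on a non-empty chain changes the result.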
[Figure: configuration screenshot]
That concludes this practical iptables walkthrough. I hope the content above is of some help and that you learned something from it. If you think the article is good, you can share it so that more people can see it.