
Iptables part-Building a Network Firewall

2025-02-04 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Preface

The purpose of this article is to review the relevant knowledge of the iptables FORWARD chain, build a simple experimental environment, and use iptables to build a network firewall.

Firewall functions implemented by iptables:

Host firewall: its scope of service is the host it runs on.

Network firewall: its scope of service is a local area network, with the rules applied on the gateway that forwards the LAN's traffic.

1. Experimental topology

2. Host planning

Hostname  Role                 NIC                                          IP address
node1     intranet host        vmnet2: eno16777736                          192.168.11.2/24
node2     gateway host         vmnet2: eno16777736 / bridging: eno33554984  192.168.11.1/24 / 172.16.52.52/16
node3     public network host  bridging: eno16777736                        172.16.52.53/16

Description:

node1 adds a default route via 192.168.11.1:

route add default gw 192.168.11.1

node2 needs to turn on the ip_forward function:

sysctl -w net.ipv4.ip_forward=1

If the internal network is to communicate with the external network, node3 also needs a route to the 192.168.11.0/24 network:

route add -net 192.168.11.0/24 gw 172.16.52.52

3. Test experimental environment

node1: enable the httpd service and test whether node3 can access it.

[root@node3 ~]# ping 192.168.11.2
PING 192.168.11.2 (192.168.11.2) 56(84) bytes of data.
64 bytes from 192.168.11.2: icmp_seq=1 ttl=63 time=0.467 ms
64 bytes from 192.168.11.2: icmp_seq=2 ttl=63 time=0.502 ms
[root@node3 ~]# curl 192.168.11.2
node1 apache sit
ls `ls' at 0 [Making data connection...]

The RELATED state is already tracked and port 21 is open, so why is the FTP listing still inaccessible? Because the nf_conntrack_ftp module is not loaded: without this helper, connection tracking cannot associate the FTP data connection with the control connection, so it is never classified as RELATED and the default policy drops it.

Load the nf_conntrack_ftp module:

[root@node2 ~]# modprobe nf_conntrack_ftp
[root@node3 ~]# lftp 192.168.11.2
lftp 192.168.11.2:~> ls
drwxr-xr-x 20 06 Nov 20 2015 pub

Summary: the gateway firewall's iptables policy is a whitelist: everything is rejected by default, and only explicitly opened services can be reached from the public network. Access from the internal network to the external network is generally allowed unless there is a special reason to restrict it.
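Since the article's own rule set is not reproduced above, the following is an added example (not the article's code) of a FORWARD-chain whitelist for node2 that matches the topology and the summary: default DROP, replies and helper-tracked connections allowed, intranet outbound allowed, and only HTTP and FTP on node1 reachable from the public network. The interface names and addresses come from the host table; the DRY_RUN switch and the exact port list are assumptions.

```shell
#!/bin/sh
# Added example: whitelist FORWARD policy for the gateway host node2.
# Interfaces and addresses follow the host planning table; the port list
# (80 for httpd, 21 for FTP) and the DRY_RUN switch are assumptions.
LAN_IF=eno16777736
WAN_IF=eno33554984
LAN_NET=192.168.11.0/24
NODE1=192.168.11.2

# With DRY_RUN=1 the rules are printed instead of applied, so the policy
# can be reviewed on a machine without iptables or root privileges.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_forward_rules() {
    if [ "${DRY_RUN:-0}" != "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
        # Without the FTP helper the data connection is never marked RELATED.
        modprobe nf_conntrack_ftp
    fi
    ipt -F FORWARD
    # Whitelist: everything not explicitly allowed is dropped.
    ipt -P FORWARD DROP
    # Replies to permitted connections and helper-recognised related flows.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Intranet -> public network: allowed in general.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Public network -> node1: only the published services.
    for port in 80 21; do
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$NODE1" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Print the rule set for review: DRY_RUN=1 sh fw-forward.sh
if [ "${DRY_RUN:-0}" = "1" ]; then
    build_forward_rules
fi
```

Run without DRY_RUN on node2 to apply the rules; run with DRY_RUN=1 anywhere to review the exact iptables commands that would be issued.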
