Basic configuration tutorial for iptables under Linux


An iptables command is assembled from five parts:

1. The table: filter (the default, used for packet filtering), nat (address translation) or mangle (packet alteration).
2. The command: add, delete, replace, insert, list and so on.
3. The chain: the built-in INPUT, OUTPUT and FORWARD chains of the packet-filtering firewall, or a chain you define yourself.
4. The rule matchers: what the packet has to match, for example source or destination IP, port, protocol or packet type.
5. The target action: ACCEPT lets the packet through, DROP discards it silently, REJECT discards it and sends an error (ICMP or TCP RST) back to the sender, LOG writes the packet's header information to the kernel log and then continues with the next rule, and TOS overwrites the packet's TOS value.

Usage (options are strictly case sensitive):

  iptables [-t table] cmd [chain] [rule-matcher] [-j target]

cmd is one of:

  -A  Append one or more rules at the end of the selected chain
  -D  Delete a rule
  -R  Replace a rule
  -I  Insert a rule
  -L  List all rules
  -F  Flush (clear) a chain
  -N  Create a new user-defined chain
  -X  Delete the specified user-defined chain
  -P  Set the default policy of a built-in chain
  -C  Check whether a rule matching the given specification exists in the specified chain
  -Z  Zero the packet and byte counters of all rules in the specified chain
  -h  Display help

Example: create the file /etc/rc.d/filter-firewall (touch /etc/rc.d/filter-firewall) with this content:

  #!/bin/sh
  IPT=/sbin/iptables
  WWWSERVER=192.168.168.119
  FTPSERVER=192.168.168.119
  IPRANGE=192.168.168.0/24      # the LAN, not used by the rules below but kept for later rules

  $IPT -F                       # flush the existing filter rules
  $IPT -P FORWARD DROP          # forwarded traffic is dropped unless a rule allows it
  # Answers to connections already allowed must be let back through; without this
  # rule the two ACCEPT rules below admit the request but the policy drops the reply.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -p tcp -d $WWWSERVER --dport www -i eth0 -j ACCEPT   # HTTP to the web server
  $IPT -A FORWARD -p tcp -d $FTPSERVER --dport ftp -i eth0 -j ACCEPT   # FTP control connection
  $IPT -A INPUT -s 192.168.168.81 -i eth0 -j DROP                      # one host may not talk to the firewall itself

-----------------------

Case: a small problem encountered a few days ago. A small network has a single public IP from the telecom provider; the gateway does NAT so that all users go out through this IP.
Some servers inside have to be published, for example on port 80. First do SNAT in the nat table so that everyone on the LAN goes out through the public IP:

  iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 222.111.33.88

Then do DNAT for the service to be published, so that outside clients reach the server through the public IP:

  iptables -t nat -A PREROUTING -d 222.111.33.88 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.250:80

After these two steps internal users can reach the Internet and external users can reach our internal server.

Note: forwarding must be switched on and the previous rules cleared first:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X

But now there is a problem: a user behind the NAT (on the LAN) cannot reach the internal server by connecting to the WAN IP 222.111.33.88 directly. The customer finds a single IP convenient and does not want to buy a domain name; he just wants everyone to remember this one IP and be able to reach the server anytime, from inside or outside the network.

Let's see why the intranet cannot reach the server through the WAN IP by following the packet. Assume the LAN client is 192.168.1.123 and the server is 192.168.1.250. The client connects from some port XXX to port 80 of 222.111.33.88:

  source 192.168.1.123:XXX  ->  destination 222.111.33.88:80

The gateway receives the packet, the DNAT rule in PREROUTING rewrites the destination to 192.168.1.250:80, and the packet is forwarded to the server. The server sees a connection from 192.168.1.123 and, since the client is on the same LAN, answers it directly without going through the gateway:

  source 192.168.1.250:80  ->  destination 192.168.1.123:XXX

But the client opened a connection to 222.111.33.88:80, not to 192.168.1.250:80, so it has no connection matching this reply and rejects it. The transfer fails. That is why internal users cannot reach the server through the WAN IP.

The root cause is that the request from the LAN enters the gateway and is DNATed in the first chain, PREROUTING (the port mapping), but is never SNATed: the SNAT rule only matches packets leaving on the external interface (-o eth0), and this packet leaves on the internal one. The reply therefore bypasses the gateway, which never gets the chance to undo the DNAT. To make the reply come back through the gateway, SNAT these packets as well after PREROUTING, so that the server sees the gateway's LAN address as the client:

  iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -p tcp -d 192.168.1.250 --dport 80 -j SNAT --to 192.168.1.1

Now the server replies to 192.168.1.1, the gateway reverses both translations, and the client receives its reply from 222.111.33.88:80 as it expects. Problem solved. The price is that the server's logs show every LAN client as 192.168.1.1, so this rule should be as narrow as possible.

If the FORWARD policy is DROP, remember to open 192.168.1.250:80 (and to allow ESTABLISHED,RELATED traffic for the replies):

  iptables -A FORWARD -p tcp -d 192.168.1.250 --dport 80 -j ACCEPT
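The complete gateway ruleset for this case, written up as one script that emits iptables-restore format instead of issuing one iptables call at a time: the outbound SNAT, the DNAT that publishes the web server, the hairpin SNAT from the fix above, and the FORWARD rules that the basic filter script at the top of the page needs. This is an added example, not code from the original page. The addresses are the page's; the internal interface name eth1, the choice of iptables-restore and the use of the conntrack match for return traffic are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the NAT hairpin case as a single
# iptables-restore ruleset. Run without arguments to print the rules for review,
# or with "apply" (as root) to load them atomically.
set -eu

WAN_IF=eth0
LAN_IF=eth1                 # assumed name of the internal interface
WAN_IP=222.111.33.88
LAN_NET=192.168.1.0/24
GW_LAN_IP=192.168.1.1       # the gateway's own LAN address, used by the hairpin SNAT
SERVER=192.168.1.250
PORT=80

# Print the ruleset. Pure text, so it can be reviewed or diffed against
# `iptables-save` before anything touches the kernel.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the server: rewrite WAN_IP:PORT to the internal server. Deliberately
# no -i: LAN clients talking to the WAN IP have to be DNATed as well.
-A PREROUTING -d $WAN_IP/32 -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
# Hairpin: a LAN client that reached the server through the DNAT rule is also
# SNATed to the gateway's LAN address, so the reply returns via the gateway and
# the DNAT can be reversed. Placed before the generic SNAT.
-A POSTROUTING -s $LAN_NET -d $SERVER/32 -p tcp --dport $PORT -j SNAT --to-source $GW_LAN_IP
# Everything leaving on the WAN interface goes out as the public IP.
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to allowed connections; without this the DNATed request gets through
# but the server's answer is dropped by the FORWARD policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN clients may open connections to the Internet.
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# New connections to the published service, from the WAN or hairpinned from the LAN
# (FORWARD sees the destination after DNAT, so matching on $SERVER covers both).
-A FORWARD -d $SERVER/32 -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset (needs root). iptables-restore replaces the nat and filter
# tables in one step; a syntax error rejects the whole set and leaves the old
# rules in place, which is safer than a half-applied sequence of iptables calls.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;       # default: only print the rules for review
esac
```

Loading with iptables-restore also makes the rule order explicit in one file, which matters here: the hairpin SNAT has to be evaluated before the generic -o eth0 SNAT, and the ESTABLISHED,RELATED rule has to sit at the top of FORWARD.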

If you want to offer the FTP service through the NAT, remember to load the FTP connection-tracking and NAT helper modules, otherwise only the control connection on port 21 gets through and the data connections fail:

  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp

(On current kernels these modules are called nf_conntrack_ftp and nf_nat_ftp. Since Linux 4.7 the helper is also no longer attached to connections automatically, so in addition to loading the module a rule such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp is needed.) Also pay attention to active versus passive mode: in active mode the server opens the data connection back to the client, in passive mode the client opens it to a port the server announces; the helper reads the PORT/PASV exchange and lets the data connection through as RELATED.

--------------------------

Another article:

1. iptables introduction

iptables is a complex tool integrated into the Linux kernel. With it, users can filter the packets coming into and going out of the computer. You set your rules with the iptables command to guard your computer and network: which traffic is allowed through, which is not, and which is logged as it passes. Next, I will show you how to set up your own rules, starting now.

2. Initialization

At the root shell prompt (#), run:

iptables -F
