Article directory
- Firewall (2)
- 1. SNAT strategy
- SNAT application environment
- SNAT principle
- SNAT conversion prerequisites
- 1. Enabling IP forwarding
- 2. SNAT conversion 1: fixed public IP address
- 3. SNAT conversion 2: non-fixed public IP address (shared dynamic IP address)
- 4. Example
- 1. Prepare three virtual machines: client, gateway server, and web server; turn off firewalld and SELinux on all of them
- 2. Install the httpd service on the web server: yum -y install httpd
- 3. Configure the client
- 4. Configure the gateway server
- 5. Clear all host rules
- 6. Gateway server: yum -y install iptables*
- 2. Overview of DNAT strategy
- DNAT application environment
- DNAT principle
- DNAT conversion prerequisites
- 1. DNAT conversion 1: publishing web services on the intranet
- 2. DNAT conversion 2: modifying the target port when publishing
- 3. Example
- 1. Prepare 4 hosts and turn off firewalld and SELinux on all of them
- 2. Gateway server configuration
- 3. Server side: modify the network card configuration and install the httpd service
- 4. Clients (two)
- 5. Gateway server side
- 3. Export and import of rules
- Automatic restore
- Linux packet capture: tcpdump
Firewall (2)
1. SNAT strategy
SNAT application environment:
Hosts on a LAN share one public IP address to reach the Internet (private addresses are not routable on the Internet, so the gateway has to rewrite them)
SNAT principle:
Rewrite the source address of outbound packets (the replies are translated back automatically from the connection-tracking table)
Prerequisites for SNAT conversion:
- The IP address, subnet mask, and default gateway of every host on the LAN are set correctly (the default gateway is the LAN-side address of the Linux gateway)
- The Linux gateway has IP routing and forwarding enabled
1. Enabling IP forwarding:
Temporarily (lost at reboot): echo 1 > /proc/sys/net/ipv4/ip_forward or sysctl -w net.ipv4.ip_forward=1
Permanently: add the line net.ipv4.ip_forward=1 to /etc/sysctl.conf (vim /etc/sysctl.conf), save and exit, then run sysctl -p to load the modified configuration. Check with cat /proc/sys/net/ipv4/ip_forward, which must print 1.
2. SNAT conversion 1: fixed public IP address
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j SNAT --to 12.0.0.200 ###Intranet segment 192.168.80.0/24, outbound external card ens36, fixed public IP 12.0.0.200
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j SNAT --to-source 12.0.0.100-12.0.0.200 ###The same rule with a public address pool; --to is an abbreviation of --to-source
3. SNAT conversion 2: non-fixed public IP address (shared dynamic IP address)
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j MASQUERADE ###MASQUERADE looks up the current address of ens36 for every packet, so it works on DHCP or PPPoE links where the address changes; SNAT needs an address known in advance
tips:
- One public IP address translated by SNAT can typically serve 100 to 200 intranet hosts, because the gateway tells the connections apart by their source ports
4. Example:
1. Prepare three virtual machines: client, gateway server, and web server; turn off firewalld and SELinux on all of them
2. Install the httpd service on the web server: yum -y install httpd
Start httpd, then change the IP address and gateway of the web server. httpd was started while the old address was in use, so restart the httpd service afterwards so that it serves on the new one
3. Configure the client: set its IP address and point its default gateway at the gateway server's LAN address
4. Configure the gateway server (both network cards, IP forwarding, and the SNAT rule)
5. Clear all existing rules on the gateway (iptables -F; iptables -t nat -F) before adding the SNAT rule
6. Gateway server: yum -y install iptables*
2. Overview of DNAT strategy
DNAT application environment:
Publish a server located on the LAN to the Internet
DNAT principle:
Rewrite the destination address (and optionally the destination port) of inbound packets
Prerequisites for DNAT conversion:
- The server on the LAN can access the Internet through the gateway (its default gateway is the Linux gateway, so its replies come back through the NAT box)
- The external address of the gateway has a correct DNS resolution record
- The Linux gateway has IP routing and forwarding enabled
1. DNAT conversion 1: publishing web services on the intranet
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.80.10 ###Inbound external card ens33, external IP 12.0.0.1, intranet server IP 192.168.80.10
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.80.10 ###The same rule; --to is an abbreviation of --to-destination
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.80.10-192.168.80.20 ###Rewrite the destination of web requests arriving on ens33 to an address in the range 192.168.80.10-192.168.80.20, spreading new connections over several intranet web servers
2. DNAT conversion 2: modifying the target port when publishing
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 250 -j DNAT --to 192.168.80.10:22 ###Publish the OpenSSH server inside the LAN: hosts on the Internet connect to port 250 of 12.0.0.1 (ssh -p 250 user@12.0.0.1) and reach port 22 of 192.168.80.10
3. Example
1. Prepare 4 hosts and turn off firewalld and SELinux on all of them
2. Configure the gateway server (both network cards and IP forwarding)
3. Server side: modify the network card configuration (default gateway = the gateway's LAN address) and install the httpd service
4. Clients (two)
5. Gateway server: add the DNAT rules, then test from the clients against the public address
Note: DNAT is normally used together with SNAT on the same gateway. The DNAT rule only rewrites inbound packets; their replies are translated back automatically from the connection-tracking table, provided they pass back through the gateway (hence the prerequisite that the server's default gateway is the NAT box). The POSTROUTING SNAT/MASQUERADE rule is what lets the published server and the rest of the LAN reach the Internet on their own.
tips:
- A host-based firewall mainly uses the INPUT and OUTPUT chains, and its rules should specify ports precisely
- A network firewall mainly uses the FORWARD chain; its rules rarely name ports and usually match on IP addresses or network segments instead. The filter table sees a packet after DNAT has been applied, so a FORWARD rule must allow the intranet server's address, not the public one
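The two DNAT publications above (web on port 80, SSH behind port 250) combined with the FORWARD and SNAT rules a network firewall needs around them, as one script. This is an added example and not the article's own code: the external card ens33, the public address 12.0.0.1 and the server 192.168.80.10 come from the article's rules; the conntrack-based FORWARD rules, the flush of the FORWARD chain and the print/apply interface are assumptions of this example.

```sh
#!/bin/sh
# Added example (not code from the original article): generate, and optionally
# apply, the gateway rules that publish an intranet web server and its SSH
# service, together with the FORWARD and SNAT rules a network firewall needs
# around them.
# Assumptions: the external card ens33, public address 12.0.0.1 and server
# 192.168.80.10 come from the article's rules; the "print|apply" interface and
# the conntrack-based FORWARD rules are this example's own.
set -eu

WAN_IF="${WAN_IF:-ens33}"
PUBLIC_IP="${PUBLIC_IP:-12.0.0.1}"
LAN_NET="${LAN_NET:-192.168.80.0/24}"
SERVER="${SERVER:-192.168.80.10}"

# dnat_rule WAN_IF PUBLIC_IP PROTO PUBLIC_PORT TARGET [TARGET_PORT]
# Prints the PREROUTING rule. A TARGET_PORT that differs from PUBLIC_PORT is
# appended as "ip:port" so the destination port is rewritten as well.
dnat_rule() {
    target="$5"
    if [ $# -ge 6 ] && [ "$6" != "$4" ]; then
        target="$5:$6"
    fi
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$2" "$3" "$4" "$target"
}

# forward_rule WAN_IF PROTO TARGET TARGET_PORT
# The nat table only rewrites the header. With a DROP policy on FORWARD the
# packet must still be accepted, and the filter table sees it after DNAT, so
# the rule matches the intranet address and port, not the public ones.
forward_rule() {
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
}

publish_cmds() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    # start from empty chains so re-running does not append duplicates
    # (adjust if the gateway keeps other FORWARD rules)
    echo 'iptables -t nat -F PREROUTING'
    echo 'iptables -t nat -F POSTROUTING'
    echo 'iptables -F FORWARD'
    # replies and related packets of any accepted connection may pass
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # web: public port 80 -> server port 80
    dnat_rule "$WAN_IF" "$PUBLIC_IP" tcp 80 "$SERVER"
    forward_rule "$WAN_IF" tcp "$SERVER" 80
    # ssh: public port 250 -> server port 22
    dnat_rule "$WAN_IF" "$PUBLIC_IP" tcp 250 "$SERVER" 22
    forward_rule "$WAN_IF" tcp "$SERVER" 22
    # Replies to the DNATed connections are un-translated by conntrack on their
    # own; this SNAT rule is for traffic the LAN (the server included) starts.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$WAN_IF" "$PUBLIC_IP"
}

case "${1:-print}" in
    apply) publish_cmds | sh -e ;;  # run as root on the gateway
    print) publish_cmds ;;          # default: only show the commands
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

After `./dnat-gw.sh apply`, `curl http://12.0.0.1/` from an external client must return the intranet server's page, and `ssh -p 250 user@12.0.0.1` must reach its sshd; `iptables -t nat -L PREROUTING -n -v` shows the counters of the two DNAT rules growing, and the server's own access_log records the external client's real address, since DNAT leaves the source untouched.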
3. Export and import of rules
Export (back up) the rules of all tables: iptables-save > /opt/ipt.txt
Import (restore) rules: iptables-restore < /opt/ipt.txt ###Each table named in the file is flushed and replaced; add -n to merge instead of flushing
Automatic restore:
iptables-save > /etc/sysconfig/iptables ###Save the rules to /etc/sysconfig/iptables; the iptables service restores them from this file when it starts
systemctl stop iptables ###Stopping the iptables service clears the rules of all tables
systemctl start iptables ###Starting the iptables service restores the rules from /etc/sysconfig/iptables
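A backup and restore helper built around the two commands above. It is an added example rather than code from the article: the backup directory and the sub-command names are this example's assumptions, and the check_dump function is an extra safeguard, since a dump that was cut short (disk full, interrupted) can leave a restore half-applied, with the tables before the cut committed and the rest not.

```sh
#!/bin/sh
# Added example (not code from the original article): back up the live
# ruleset with a timestamp, sanity-check a dump before trusting it, and
# restore only after iptables-restore's parse-only test passes.
# Assumptions: BACKUP_DIR and the sub-command names are this example's own;
# /etc/sysconfig/iptables is the file the iptables service loads, as the
# article states.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/opt/iptables-backups}"

# check_dump FILE
# An iptables-save dump is a series of "*table ... COMMIT" blocks. Refuse
# files that are empty, whose "*table" and COMMIT counts differ, or whose
# last non-comment line is not COMMIT. Returns 0 when the file is usable.
check_dump() {
    [ -s "$1" ] || { echo "check_dump: $1 is missing or empty" >&2; return 1; }
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT$' "$1" || true)
    last=$(grep -v '^#' "$1" | sed -n '$p')
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ] || [ "$last" != "COMMIT" ]; then
        echo "check_dump: $1 looks truncated ($tables tables, $commits COMMITs)" >&2
        return 1
    fi
    return 0
}

# backup_rules: timestamped copy, verified, then installed as the file the
# iptables service reloads at start-up
backup_rules() {
    mkdir -p "$BACKUP_DIR"
    f="$BACKUP_DIR/ipt-$(date +%Y%m%d-%H%M%S).txt"
    iptables-save > "$f"
    check_dump "$f"
    cp "$f" /etc/sysconfig/iptables
    echo "$f"
}

# restore_rules FILE: structural check, parse-only test, then the real restore
restore_rules() {
    check_dump "$1"
    # --test parses and builds the ruleset without committing it
    iptables-restore --test "$1"
    iptables-restore "$1"
}

case "${1:-}" in
    "") ;;  # no argument: only define the functions
    backup) backup_rules ;;
    restore) restore_rules "${2:?file required}" ;;
    check) check_dump "${2:?file required}" ;;
    *) echo "usage: $0 backup | restore FILE | check FILE" >&2; exit 2 ;;
esac
```

`./ipt-backup.sh backup` prints the path it wrote; `./ipt-backup.sh check /opt/ipt.txt` is the quick test to run on any dump copied from another host before `restore`.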
Linux packet capture: tcpdump
tcpdump -i ens33 -t -s0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.58.0/24'
field | description |
---|---|
tcp | Protocol qualifier in the filter expression (ip, arp, rarp, tcp, udp, icmp, ...). The whole expression comes after the options; quote it so the shell does not interpret the `!` |
-i ens33 | Only capture packets passing through interface ens33 |
-t | Do not print a timestamp on each line |
-s0 | Snapshot length. Older tcpdump versions kept only the first 68 bytes of each packet by default; -s0 captures whole packets (current versions already default to the full packet) |
-c 100 | Stop after 100 packets |
dst port ! 22 | Exclude packets whose destination port is 22, so the capture is not flooded by your own SSH session |
src net 192.168.58.0/24 | Only packets whose source address is in 192.168.58.0/24 |
-w ./target.cap | Write the raw packets to a pcap file instead of printing them, for analysis in Wireshark (formerly Ethereal) or with tcpdump -r |
Run on a NAT gateway, one capture on the LAN-side card and one on the external card make the translation visible: the same connection shows the private source address on the inner card and the public one on the outer card.