iptables firewall (2)

Firewall (2)

1. SNAT strategy

SNAT application environment:

LAN hosts share a single public IP address to access the Internet (private IP addresses cannot be routed on the Internet)

SNAT principle:

Modify the source address of the packet

Prerequisites for SNAT conversion:

  • The IP address, subnet mask, and default gateway address of each host in the LAN have been correctly set
  • The Linux gateway enables IP routing and forwarding

1. Application:

Enable IP forwarding temporarily:
echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1

Enable IP forwarding permanently:
vim /etc/sysctl.conf
net.ipv4.ip_forward=1 ###Add this line to the configuration file, then save and exit
sysctl -p ###Read and load the modified configuration from the command line

2. SNAT conversion 1: fixed public IP address

iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j SNAT --to 12.0.0.200
or, with an address pool:
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j SNAT --to-source 12.0.0.100-12.0.0.200
###-s 192.168.80.0/24: intranet IP segment; -o ens36: outbound external network card; --to / --to-source: external network IP or address pool

3. SNAT conversion 2: non-fixed public IP address (shared dynamic IP address)

iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j MASQUERADE

tips:

With SNAT conversion of an IP address, generally 100 to 200 hosts in the intranet can access the Internet

4. Example:

1. Prepare three virtual machines: client, gateway server, and web server; turn off the firewall and SELinux on all of them

2. Install the httpd service on the web server: yum -y install httpd

Enable the httpd service and modify the IP address and gateway of the web server. Because the service was previously accessed using the original IP address, httpd must be restarted after the change

3. Configure the client side

4. Configure the gateway server:

6. Clear all host rules

7. Gateway server: yum -y install iptables*

2. Overview of DNAT strategy

DNAT application environment:

Publish a server located on the LAN to the Internet

DNAT principle:

Modify the destination address of the packet

Prerequisites for DNAT conversion:

  • The server in the LAN can access the Internet
  • The external network address of the gateway has correct DNS resolution records
  • The Linux gateway enables IP routing and forwarding

1. DNAT conversion 1: Publishing web services on the intranet

iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.80.10
or
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.80.10
###-i ens33: inbound external network card; -d 12.0.0.1: external network IP; --to / --to-destination 192.168.80.10: intranet server IP
###Convert the destination address of packets arriving on ens33 for the web service to 192.168.80.10

With a pool of intranet servers:
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.80.10-192.168.80.20

2. DNAT conversion 2: modify the target port when publishing

iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 250 -j DNAT --to 192.168.80.10:22
###Publish the OpenSSH server inside the LAN, and the host on the external network needs to use port 250 to connect

3. Example

1. Prepare 4 hosts and turn off all firewalls and SELinux

2. Gateway server configuration

3. Server side: modify the network card configuration and install the httpd service

4. Client (two)

5. Gateway server side

Note: When using DNAT, it must also be used in conjunction with SNAT to achieve the correct return of the response packet

tips:

  • The host-type firewall mainly uses the INPUT and OUTPUT chains, and the port should be specified in detail when setting the rules
  • Network firewalls mainly use the FORWARD chain. When setting rules, it is rare to specify ports. Generally, IP addresses or network segments can be specified
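The SNAT rules, the DNAT rules (including the port remap) and the FORWARD-chain tips above all describe pieces of the same gateway configuration. The script below is an added example, not code from the original article: it generates an iptables-restore style ruleset for such a gateway from a few parameters, choosing SNAT for a fixed public address and MASQUERADE for a dynamic one, publishing the intranet web server on port 80 and optionally an SSH host behind a remapped port, and setting the FORWARD chain to a DROP policy that only admits LAN egress, reply traffic and the published services. The interface names, addresses and port 250 are constructed to match the article's examples; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: generate an
# iptables-restore style ruleset for a small Linux gateway from a few
# parameters. All interface names, addresses and the port 250 remap are
# constructed to match the article's SNAT/DNAT examples.

# Minimal IPv4 and CIDR sanity checks: a typo in the LAN network or the
# public address must fail loudly rather than become an overly broad NAT rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    prefix=${1#*/}
    echo "$prefix" | grep -Eq '^[0-9]{1,2}$' && [ "$prefix" -le 32 ]
}

# gateway_rules WAN_IF LAN_IF LAN_NET PUBLIC_IP WEB_HOST [SSH_PORT SSH_HOST]
# PUBLIC_IP may be empty for a dynamic address (MASQUERADE instead of SNAT).
# Emits:
#   nat/POSTROUTING : SNAT (fixed IP) or MASQUERADE (dynamic IP) for the LAN
#   nat/PREROUTING  : DNAT of public:80 -> WEB_HOST:80 and, if given,
#                     public:SSH_PORT -> SSH_HOST:22
#   filter/FORWARD  : policy DROP; allow LAN egress, reply traffic and only
#                     the published services (network-firewall style rules)
gateway_rules() {
    wan_if=$1 lan_if=$2 lan_net=$3 public_ip=$4 web_host=$5
    ssh_port=${6:-} ssh_host=${7:-}

    is_cidr "$lan_net" || { echo "bad LAN network: $lan_net" >&2; return 1; }
    is_ipv4 "$web_host" || { echo "bad web host: $web_host" >&2; return 1; }
    if [ -n "$public_ip" ]; then
        is_ipv4 "$public_ip" || { echo "bad public IP: $public_ip" >&2; return 1; }
        snat="-j SNAT --to-source $public_ip"
        dnat_match="-d $public_ip "     # trailing space: optional match fragment
    else
        snat="-j MASQUERADE"
        dnat_match=""
    fi

    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":INPUT ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo "-A PREROUTING -i $wan_if ${dnat_match}-p tcp --dport 80 -j DNAT --to-destination $web_host"
    if [ -n "$ssh_port" ]; then
        is_ipv4 "$ssh_host" || { echo "bad SSH host: $ssh_host" >&2; return 1; }
        echo "-A PREROUTING -i $wan_if ${dnat_match}-p tcp --dport $ssh_port -j DNAT --to-destination $ssh_host:22"
    fi
    echo "-A POSTROUTING -s $lan_net -o $wan_if $snat"
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT"
    echo "-A FORWARD -i $wan_if -o $lan_if -d $web_host -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    if [ -n "$ssh_port" ]; then
        echo "-A FORWARD -i $wan_if -o $lan_if -d $ssh_host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# Run directly to print a ruleset, e.g.
#   sh gateway-rules.sh ens36 ens33 192.168.80.0/24 12.0.0.1 192.168.80.10 250 192.168.80.10
# The output can be loaded with iptables-restore or saved as
# /etc/sysconfig/iptables for the iptables service to restore at boot.
if [ $# -ge 5 ]; then
    gateway_rules "$@"
fi
```

Two points worth noticing in the generated filter table: the FORWARD policy is DROP, so the DNAT rules alone are not enough and each published service needs a matching FORWARD accept limited to its destination host and port, and the conntrack rule lets replies and SNAT return traffic through without opening anything further. IP forwarding itself still has to be enabled with sysctl as described in the SNAT section.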

3. Export and import of rules

Export (backup) rules for all tables: iptables-save > /opt/ipt.txt
Import (restore) rules: iptables-restore < /opt/ipt.txt

Auto Restore:

iptables-save > /etc/sysconfig/iptables
###Save the iptables rule file in /etc/sysconfig/iptables, and the iptables service will automatically restore the rules when it starts
systemctl stop iptables ###Stopping the iptables service will clear all table rules
systemctl start iptables ###Starting the iptables service will automatically restore the rules in /etc/sysconfig/iptables
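Restoring a rules file on a gateway is the moment a mistake in the FORWARD or INPUT policy can cut off the very session doing the restore. The script below is an added example, not code from the original article: check_rules_file does an offline structural check of an iptables-save formatted file (every table block must end with COMMIT, and rules may not appear outside a table), and apply_with_rollback backs up the live rules, parses the new file with iptables-restore --test, loads it, and restores the backup automatically unless the operator confirms within a timeout. The function names and the timeout default are the example's own; the apply step needs root and a real iptables installation.

```shell
#!/bin/sh
# Added example, not part of the original article: apply a saved iptables
# rules file without locking yourself out of the gateway.
#   check_rules_file    offline structural check of an iptables-save file
#   apply_with_rollback back up the live rules, test-parse the new file,
#                       load it, and roll back automatically unless the
#                       operator confirms within a timeout (needs root)

check_rules_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    table="" lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) ;;                              # blank line or comment
            '*'*)                                    # "*filter", "*nat", ...
                [ -z "$table" ] || { echo "$file:$lineno: table '$table' not committed" >&2; return 1; }
                table=${line#\*} ;;
            COMMIT)
                [ -n "$table" ] || { echo "$file:$lineno: COMMIT outside a table" >&2; return 1; }
                table="" ;;
            ':'*|'-A '*|'-I '*|'['*)                 # chain policy, rule, or counted rule
                [ -n "$table" ] || { echo "$file:$lineno: rule outside a table" >&2; return 1; } ;;
            *)  echo "$file:$lineno: unexpected line: $line" >&2; return 1 ;;
        esac
    done < "$file"
    [ -z "$table" ] || { echo "$file: table '$table' never committed" >&2; return 1; }
}

apply_with_rollback() {
    file=$1 window=${2:-60}
    check_rules_file "$file" || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the ruleset without committing it to the kernel
    iptables-restore --test "$file" || { echo "ruleset rejected by iptables-restore --test" >&2; return 1; }
    iptables-restore "$file" || { iptables-restore "$backup"; return 1; }
    # Rollback timer: if the new rules cut off this session, nobody presses
    # Enter and the previous rules come back after $window seconds.
    ( sleep "$window" && iptables-restore "$backup" ) &
    timer=$!
    echo "new rules loaded; press Enter within ${window}s to keep them"
    if read -r answer; then
        kill "$timer" 2>/dev/null
        iptables-save > /etc/sysconfig/iptables   # persist for the iptables service, as the article does
        echo "kept and saved to /etc/sysconfig/iptables"
    else
        wait "$timer"
        echo "rolled back to the previous rules"
    fi
    rm -f "$backup"
}

# Usage: sh apply-rules.sh /opt/ipt.txt [seconds]
if [ $# -ge 1 ]; then
    apply_with_rollback "$@"
fi
```

The structural check is deliberately strict about lines outside a table block because iptables-restore applies each table at its COMMIT; a stray rule before the first header is the kind of copy-paste error that otherwise only shows up as a partially loaded ruleset.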

Linux packet capture: tcpdump

tcpdump -i ens33 -t -s0 -c 100 -w ./target.cap tcp and ! dst port 22 and src net 192.168.58.0/24
Field description (the options come first, followed by the filter expression):
tcp Protocol keywords such as ip, icmp, arp, rarp and tcp, udp, icmp, etc. are placed at the start of the filter expression to select the type of packets captured
-i ens33 Only capture packets passing through interface ens33
-t Do not display timestamps
-s0 By default only the first 68 bytes of each packet are captured; with -s0 the complete packet is captured
-c 100 Only capture 100 packets
! dst port 22 Do not capture packets whose destination port is 22
src net 192.168.58.0/24 The source network address of the packet is 192.168.58.0/24
-w ./target.cap Save the capture as a cap file for analysis with ethereal (i.e. wireshark)