2. Tech
  3. Configuration instructions for configuring firewalls and NAT features about Slackware 9.1.0 system

Configuration instructions for configuring firewalls and NAT features about Slackware 9.1.0 system

zhaozj2021-02-16  109

About Slackware 9.1.0 system configured firewall and NAT function configuration instructions Date: 2004/07/30 Author: zcatlinux Source: zclinux

*********************************************************** ******* ******* About firewall system recovery operation and startup method Description ****************** ***** *********************************************************** ***

The main role of the system is to perform static NAT mapping and port access control for internal servers.

In the firewall, the system starts automatically launched the above firewall scripts, the startup position is: /etc/rc.d/rc.local file, sh /etc/rc.d/nat_firewall.sh automatically starts automatically when the system is started This script

If you need to manually enable the firewall and static NAT mapping, you can operate the following steps. CD /etc/rc.d/./portnat.sh

If the user does not need to perform any port control for the internal server, only the following file is required, and the firewall state can be restored as long as the following file is executed. CD /etc/rc.d/./NO_FIREWALL.SH

*********************************************************** ******** **** About SLACKWARE 9.1.0 system configuration firewall and NAT function configuration instructions ********* (NAT_FIREWALL.SH) ******** *********************************************************** *

#! / bin / sh # make: zcatlinux # Time: 2004-06-18 # e-mail: zcatlinux@yahoo.com.cn

PATH = / sbin: / bin: / usr / sbin: / usr / bin

# Set the TCP port of the internal server, if you need to modify the port number to internal access, you can modify it here, # Add a rule is that there is a space between the port number. The following UPD port adds a rule. ## TCP allow portstports = "80 22" # Only only the user is allowed to access the firewall 22, 80 port

# Set the UDP port outside the internal server ## udp allow portsuports = "53 123"

# Set the firewall parallel network card and IP address ## config out_eth interfaceout_eth = "Eth1" OUT_ETH_IP = "202.138.164.110" # Setting the firewall network card TCP port ## set out_ip outs = "22" # # 程 只 只Allow users to access the 22-port of the firewall

# Set the firewall to the intranet card and IP address ## config in_eth interfacein_eth = "Eth0" IN_ETH_IP = "10.10.11.110"

# Set the IP address segment of the internal server of the firewall ## IP Rangeserver_ip = "10.10.11.0/24"

1. The system initializes the configuration file of the IP transmission package. The input value is 0 indicates that it is not forwarded. 1 is turned on the forwarding function, which needs to initialize the 0 # disable forward echo 0> / proc / sys / net / ipv4 / ip_forward # That is, the list of iptables rules is initialized. #reset default policiesiptables -P INPUT ACCEPTiptables -P FORWARD ACCEPTiptables -P OUTPUT ACCEPTiptables -t nat -P PREROUTING ACCEPTiptables -t nat -P POSTROUTING ACCEPTiptables -t nat -P OUTPUT ACCEPT

# Delete all rules of iptables ## del all iptables rulesiptables -f input ## Remove iptables -f forward ## Delete iptables - FORWARD RF IPTables -f Output ## Remove iptables Output rule

# 清 清 全 规 链 ## Clean All Non-Default Chainsiptables -XipTables -t NAT -X

# Defines the default rule of iptables secure ## iptables default rulesiptables -p input drop ## Reject all external data packets to this unit, that is, all packets for internal packets are not allowed to allow all packets from IPTables -P Forward Drop ## Forwarding iptables -p output accept ## Allows all internal packages to external packages

# Allow ICMP packages, ie allowing ping ## allow ping packetsiptables -a input -p icmp -s 0/ICMP-TYPE 0 -J ACCEPTIPTABLES -A INPUT -P ICMP -S 0/0 --ICMP-TYPE 3 -J Acceptiptables -a INPUT -P ICMP -S 0/ICMP-TYPE 5 -J Acceptiptables -a INPUT -P ICMP -S 0/ICMP-TYPE 8 -J ACCEPTIPTABLES -A INPUT -P ICMP -S 0/0 --icmp-type 11 -j acceptiptiptables -a infut -p iCMP -S 0/ICMP-TYPE 11 -J ACCEPT

# When establishing an online state, the data is allowed to forward. Among them, ESTABLISHED indicates that the package belongs to a connection that has been established, # related indicates that the package belongs to an online, and the newly established. ## Enable forwardingiptables -a forward -m state --state Established, Related -j Accept ## Allows to require a bundle package or response packet

# 数据 数据 状态 状态 # # #,,,,,,,,,,,,,,,,,, 入 入 入 进 入 入 入 入

# 源 地址 地址 允 服务 服务 服务 服务 进 进 # # 入 # # # # # # # # # # # # # # a # a # # a # t # t # # # t t

# Control the port of the firewall itself ip address ## accept firewall out i ip portsfor OEP IN $ OUT_ETH_IP_PORTSDO IPTABLES -A INPUT -D $ OUT_ETH_IP -P TCP --DESTINATION-Port $ OEP -J AcceptDone # Controls the external port of internal server #open ports on router for Server / Services # TCP Ports For ATP IN $ TPORTSDO # Allow source addresses all IPs of the non-internal server segment, destination address is the connection package of the internal server IP TCP port enters iptables -A Input! -S $ server_ip -d $ server_ip -p tcp --dstination-port $ attp -j accept iptables -a forward -p tcp --dstination-port $ atp -j accept # is allowed between destination port connections Transfer your data package

#Udp ports (UDP type port) for AUP IN $ UPTSDO IPTABLES -A INPUT -P UDP - DESTINATION-PORT $ AUP -J Accept iptables -a forward -p udp --dstination-port $ Aup -j AcceptDone

# In the connection of the internal access, as long as INVALID (ie, invalid connection), discard the package ## bad_packets chain ## Drop Invalid Packets Immediately # iptables -a input -p all -m state --state invalid -j drop

# Limit the alignment of the filter rule to 100 packets per second, set the instantaneous flow to a maximum of 100 packets at a time (more than the upper packet will be discarded), preventing an attacker with rejection, That is, a large amount of packet attack of floodability. ## limited syn flood # iptables -a input -f -m limited --LIMIT 100 / s --LIMIT-BURST 100 -J ACCEPT ## Limit to the internal packet Send speed #iptables -a forward -f -m limited - -limit 100 / s --Limit-Burst 100 -j Accept ## limit the speed of building an online forwarding package

# Allow this machine Loopback interface, namely 127.0.0.1 ## allow loopbackiptables -a input -i lo -p all -j acceptiptables -a output -o lo -p all -j acceptpt

# 启 i 启 接 ## Enable Forwardingecho 1> / Proc / Sys / Net / IPv4 / IP_Forward

# When you do NAT, the IP address of multiple static mappings is bound to the outer network card. If you want to add ip address changes nat static mapping, where you can add ## config net-eth ip addressifconfig eth0 accordance with the rules: 1 202.138.164.101 netmask 255.255.255.128ifconfig eth0: 2 202.138.164.102 netmask 255.255.255.128ifconfig eth0: 3 202.138.164.103 netmask 255.255.255.128ifconfig eth0: 4 202.138.164.104 netmask 255.255.255.128ifconfig eth0: 5 202.138.164.105 netmask 255.255.255.128ifconfig eth0: 8 202.138.164.108 netmask 255.255.255.128 # set to do a static nat mapping rules. If you need to add an entries that delete static NAT, you can modify it here. ## set static ip nat rule, postrouting / preording ## (snat) iptables -t nat -a postrouting -j snat --to 202.202.210.10 ## (dnat) iptables -t nat -a preording -j dnat --to 10.10.10.10 # iptables -t nat -a postrouting -s 10.10.11.101 -j snat --to 202.138.164.101 # 收 的 地址 为 数据 10.10.10.101 packet for packets for source NAT (SNAT) iptables -t NAT -A preording -d 202.138.164.101 -j DNAT - TO 10.10.11.101 ## Received purpose IP All packets of 202.38.64.101 Performance NAT (DNAT)

iptables -t nat -a postrouting -s 10.10.11.102 -J snat --to 202.138.164.102iptables -t nat -a preording -d 202.138.164.102 -j DNAT - TO 10.10.11.102

iptables -t nat -a postrouting -s 10.10.11.103 -j snat --to 202.138.164.103iptables -t nat -a preording -d 202.138.164.103 -j DNAT - TO 10.10.11.103

iptables -t nat -a postrouting -s 10.10.11.104 -j snat --to 202.138.164.104iptables -t nat -a preloading -d 202.138.164.104 -j DNAT - TO 10.10.11.104

iptables -t nat -a postrol -s 10.10.11.105 -j snat --to 202.318.164.105iptables -t nat -a preording -d 202.138.164.105 -j DNAT - TO 10.10.11.105

iptables -t nat -a postrouting -s 10.10.11.108 -j snat --to 202.138.164.108iptables -t nat -a preording -d 202.138.164.108 -j DNAT - TO 10.10.11.108

*********************************************************** ****************** *********** Net: Delete Firewall rules only do NAT file instructions (no_firewall.sh) **** ******* ************************************************************** ************************* #! / bin / shpath = / sbin: / bin: / usr / sbin: / usr / bin

# Delete all rules of iptables ## del all iptables rulesiptables -f input ## Remove iptables -f forward ## Delete iptables - FORWARD RF IPTables -f Output ## Remove iptables Output rule

# 清 清 全 规 链 ## Clean All Non-Default Chainsiptables -XipTables -t NAT -X

## packets for all connections are made to accept the default processing, that does not make any control #reset the default policies in the nat table. # Iptables -P INPUT ACCEPTiptables -P FORWARD ACCEPTiptables -P OUTPUT ACCEPTiptables -t nat -P PREROUTING ACCEPTiptables -t nat -P postrouting acceptiptables -t Nat -P Output Accept

## Open IP Forward Forwarding Interface Echo 1> /Proc/sys/net/ipv4/ip_forwardmailto: zcatlinux@yahoo.com.cn

转载请注明原文地址:https://www.9cbs.com/read-11111.html

9cbs

New Post(0)