Original address: http://www.ta139.com:8080/~pangty/mylinux/iptables.htm
In practice we often need to let several computers, or a whole LAN, share one line to the Internet. There are usually two ways to do this:
- using NAT (Network Address Translation);
- setting up a proxy server.
A typical environment is shown in the figure below.
In the figure the network is divided into two areas: the private (LAN) area and the Internet. The server that provides services to the Internet is placed in the private area together with the other LAN hosts (you could of course run the Internet services on the access server itself and do without a separate server). The Linux access server is the focus of this article: it lets the hosts on the LAN reach the Internet and protects the LAN hosts and servers from the Internet.
To make the later scripts easier to follow, let us fix a few parameters. The NIC of the Linux access server that faces the Internet is eth0, with settings obtained from the ISP:
IP address: 61.156.35.114 (only one public address; is that too few? It is enough)
Subnet mask: 255.255.255.192
Gateway: 61.156.35.126
DNS servers: 202.102.152.3, 202.102.134.68
The LAN uses 192.168.100.0/255.255.255.0. The Internet server installed on the LAN has the address 192.168.100.1, and the security rules on the Linux access server allow it to provide WWW, SMTP, POP3 and similar services. The NIC of the access server that faces the private network is eth1, with IP address 192.168.100.254.
When a network is connected to the Internet, the machine directly attached to the Internet is where security matters most. Whether it is a single computer or a LAN behind one, the focus is that directly attached machine (or device); depending on its function it is called an Internet gateway, a firewall or a proxy server. I am used to calling it the access server.
As an access server: we want the LAN to share the Internet connection, and we want to control which hosts or users on the LAN may access the Internet freely, with restrictions, or not at all, as the situation requires. If LAN traffic to the Internet is heavy and frequent, we also want this host to provide caching (DNS cache, web cache) to cut traffic and speed up access.
As a firewall: we run private services on the LAN, such as shared printers or shared file systems, and want them to be reachable only from the LAN, while some services are to be published to the Internet. Both are achieved by setting the corresponding security policies.
The Linux access server implemented here is what we usually call a proxy server/firewall. Hosts on the LAN reach the Internet through the Linux server; it is the gateway between the LAN and the Internet, and all Internet access passes through it.
For sharing an Internet connection, NAT has the advantage of being transparent to users: clients need no special settings and notice no difference from having a public IP address. A proxy, on the other hand, makes it easier to control access per user, and can cache content locally to speed up access, filter content, and so on. NAT and proxies are both typical applications of Linux, and the two can be combined into a transparent proxy that gets the best of both. This article covers Linux NAT and packet-filtering firewalls.
§§ Install iptables
Before starting, it helps to know the history of NAT and firewall support in the Linux kernel, because different kernel versions implement these functions with different systems:
Linux 2.0 used ipfwadm; 2.0 kernels are rarely seen in practice any more.
Linux 2.2 used ipchains. I have collected a fairly complete set of notes on ipchains on my homepage, which readers still running 2.2 kernels may consult:
http://www.ta139.com:8080/~pangty/ipchains/0.htm
Red Hat Linux 7.3 ships a 2.4 kernel. In Linux 2.4 this functionality is provided by netfilter and iptables, which perform packet filtering, network address translation (NAT) and other operations on packets.
Netfilter is a framework built into the 2.4.x kernel that processes the packets flowing through it; iptables defines the rule tables that describe how packets are to be handled. Netfilter, iptables, connection tracking and NAT together form the network security system of the 2.4.x kernel. Besides letting a LAN share a line through NAT, they can be used to build a fully featured firewall on Linux.
Many articles on iptables say that the kernel must be recompiled to support netfilter and iptables, which puts most beginners off. In fact the kernels shipped by the common distributions already support them by default; unless you have special needs there is no reason to rebuild the kernel.
First install the iptables package. Check whether it is already installed:
[root@rh73 ~]# rpm -qa | grep iptables
If it is not, mount the Red Hat Linux 7.3 installation CD and install it:
[root@rh73 /mnt/cdrom/RedHat/RPMS]# rpm -ivh iptables-1.2.5-3.i386.rpm
Preparing...                ########################################### [100%]
   1:iptables               ########################################### [100%]
Note also that recent Red Hat releases (7.1 and later) support iptables officially but still ship ipchains for 2.2-style setups. The two cannot be active at the same time (the ipchains compatibility module and iptables are mutually exclusive), so make sure the ipchains service is stopped and disabled:
[root@rh73 ~]# /etc/rc.d/init.d/ipchains stop
[root@rh73 ~]# chkconfig --level 0123456 ipchains off
To be thorough, you can also remove the ipchains package:
[root@rh73 ~]# rpm -e ipchains
§§ The simplest NAT script
To get an intuitive feel for NAT on Linux, let us write a script fw.sh with the following content:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 61.156.35.114
Only three lines. Save it, then make it executable:
[root@rh73 ~]# chmod +x fw.sh
Run the script:
[root@rh73 ~]# ./fw.sh
Now try it from a client. If you are not using DHCP to configure the NIC automatically, set the client's IP address, subnet mask, default gateway (with the configuration above, the address of eth1 on the Linux server, 192.168.100.254) and the DNS server addresses provided by the ISP by hand. Enter a URL in the browser and, barring accidents, you are now online.
Let us look back at the script.
echo 1 > /proc/sys/net/ipv4/ip_forward
This line tells the Linux kernel to enable IP forwarding; NAT only works when IP forwarding is on. The setting does not survive a reboot; on Red Hat it can be made permanent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 61.156.35.114
This means: for packets from the 192.168.100.0 subnet that leave through eth0, rewrite the source address to 61.156.35.114. 192.168.100.0/24 can also be written 192.168.100.0/255.255.255.0; the 24 is the prefix length, i.e. a subnet mask of 255.255.255.0.
If your ISP does not assign you a fixed public address, write this line instead:
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j MASQUERADE
For dial-up access by modem or ISDN, where the connection is ppp0, write:
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o ppp0 -j MASQUERADE
This special case of NAT is called IP masquerading.
The rules above translate a whole subnet (192.168.100.0/24); you can also translate a single host, which is also the simplest way of deciding which hosts get Internet access at all:
iptables -A POSTROUTING -t nat -s 192.168.100.9 -o eth0 -j MASQUERADE
§§ NAT - Network Address Translation
Let us look more closely at NAT in Linux 2.4. The script above uses NAT to let the LAN reach the Internet, but Linux NAT can do much more than that.
In the nat table, packets can be sent to several different targets: DNAT, SNAT and MASQUERADE. Broadly, NAT is divided into two kinds: destination NAT (DNAT) and source NAT (SNAT).
Destination NAT changes the destination a packet is going to. With DNAT we can forward requests that arrive from the Internet at our public address to a server on the internal network. For example, if two internal machines are set up as the company's web server and mail server, DNAT rules can send external WWW requests for our public address to the internal web server and mail requests to the internal mail server. This is also called port forwarding.
Redirection is a special case of destination NAT: packets passing through the Linux box are handed to a program running on the box itself. For example, the cache of a proxy server speeds up Internet access, which is very worthwhile on a slow line. Requests from the LAN that pass through the Linux server can be redirected to the proxy, which then performs the access on the client's behalf. This is the transparent proxy we often hear about; it is called transparent because the clients do not notice the proxy at all. Squid can be configured for this.
Source NAT changes the source address of a packet. The most typical use is what our script does: the source address of packets that come from the internal LAN and pass through the Linux access server is rewritten to the server's public address. This also hides the internal addresses: whether you go out to the Internet from inside or are looked at from the Internet, only the address of the external NIC is visible.
Masquerading is a special form of SNAT that behaves the same way. The difference is that when the server obtains its address dynamically (DHCP, dial-up), masquerading automatically uses whatever address the outgoing interface currently has (and forgets existing connections when the interface goes down, which is the right thing for a link whose address changes), whereas SNAT is meant for fixed addresses.
§§ Controlling the NAT rule table
As you have seen, we use iptables to create NAT rules; the "-t nat" option selects the nat table, which tells the Linux kernel which connections are to be altered and how.
The nat table contains two built-in lists of rules, called "chains", that packets passing through the host traverse: PREROUTING (for destination NAT, checked as packets arrive) and POSTROUTING (for source NAT, checked as packets leave; we used it above). A third chain, OUTPUT, handles destination NAT of packets generated by the host itself. Packets passing through the NAT host are matched against them as shown below:
          _____                                     _____
         /     \                                   /     \
 ------>PREROUTING--->[Routing ]------------------>POSTROUTING----->
         \D-NAT/      [Decision]                   \S-NAT/
                          |                            ^
                          |                            |
                          |                            |
                          |                            |
                          --------> Local Process ------
The diagram shows how packets passing through the Linux server are handled: a packet is checked against the DNAT rules before the routing decision and against the SNAT rules after it, and packets that match a rule are rewritten accordingly. Only the first packet of a connection is checked against the nat table; connection tracking then applies the same translation to the rest of the connection, including the replies, automatically.
The following examples show how to define NAT rules with iptables.
Source NAT
Source NAT changes the source address of a packet just before it is sent out, so the rules are defined in the POSTROUTING chain.
Some parameters:
-j SNAT: defines a source NAT rule
--to-source: the source address[:port] after translation; may be abbreviated --to
[:port] is optional and may only be used when the protocol is TCP or UDP
-o: the outgoing interface
Examples:
Change the source address of packets to 1.2.3.4:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
There is also the rule we used before:
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 61.156.35.114
Change the source address to 1.2.3.4, 1.2.3.5 or 1.2.3.6:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
Change the source address to 1.2.3.4 and use source ports from the range 1-1023:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
Masquerading
Masquerading is a special case of source NAT, commonly used with dynamic addresses such as dial-up:
Masquerade all packets sent out through ppp0:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Masquerading also works with a fixed address. The rule we used before,
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 61.156.35.114
can also be written
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
Destination NAT
Destination NAT rules are defined in the PREROUTING chain and change the destination address of a packet.
Some parameters:
-j DNAT: defines a destination NAT rule
--to-destination: the destination address[:port] after translation; may be abbreviated --to. [:port] is optional and may only be used when the protocol is TCP or UDP
-i: the incoming interface
Examples:
Change the destination address of packets to 5.6.7.8:
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
Change the destination address to 5.6.7.8, 5.6.7.9 or 5.6.7.10:
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
Change the destination of WWW requests to port 8080 on 5.6.7.8:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
        -j DNAT --to 5.6.7.8:8080
Redirection
Redirection is a special case of destination NAT. For example, the Squid transparent proxy mentioned earlier is set up by sending the clients' requests to port 80 (WWW requests) to the Squid proxy:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
REDIRECT rewrites the destination to the primary address of the interface the packet arrived on (192.168.100.254 here), so Squid must be listening on that address and port.
§§ Handling special protocols under NAT
Besides browsing web pages we may need other Internet services, such as FTP. Open a DOS window and log in to an FTP server, as shown below:
Note the messages:
500 Illegal PORT command.
425 Can't build data connection: Connection refused
We cannot list the contents of the FTP server, and we cannot transfer files.
The reason: FTP normally uses two ports. Port 21 is only the command port; the actual data transfer needs a second, data connection (classically from TCP port 20). The problem is this second connection. There are two ways to open it. In passive mode (PASV command) the FTP server provides an IP/port and the client connects to it for the data transfer. In active mode (PORT command) the client provides an IP/port and the server connects to that address. Which mode is used is decided by the client, which tells the server with the PASV or PORT command. With NAT in between, the address the client announces in its PORT command is its private LAN address, which the server cannot reach, and this handshake is what causes the trouble for server and client. A detailed description of the problem is at http://www.daemonnews.org/200109/ftpnat.html
On the client side there are several cases:
The FTP client uses passive mode and asks the server to provide the data port. Most FTP client software supports passive mode; the NetAnts and FlashGet downloaders I use work in passive mode.
The FTP client does not support passive mode, or a browser is used as the FTP client: accessing FTP directly from a browser uses active mode. This is where the problem appears.
There are also FTP sites that do not support passive mode. In these cases we need to extend Linux NAT by loading the modules that support active mode:
[root@rh73 ~]# modprobe ip_nat_ftp
[root@rh73 ~]# modprobe ip_conntrack_ftp
Log in to the FTP server again and it works: the helper watches the control connection and rewrites the address in the PORT command. The same modules are needed in the other direction, when an FTP server on the LAN is published with DNAT and its PASV replies must be rewritten. Other services such as IRC have corresponding modules too. Put these two lines into fw.sh:
#!/bin/sh
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 61.156.35.114
§§ Destination NAT to the same network
With the topology described earlier, in practice we may also want an internal host to act as a server for the outside world, and then we can run into the problem of DNAT back into the same network. The most typical example: we have an internal server running a web service and want users on the Internet to reach it through the Linux server.
For example, let the internal host 192.168.100.1 be the web server. When someone sends a web request to our public address, say 61.156.35.114, a DNAT rule lets 192.168.100.1 answer it:
iptables -t nat -A PREROUTING -d 61.156.35.114 -p tcp --dport 80 -j DNAT --to 192.168.100.1
Suppose I have registered the domain www.silly.com, pointing to 61.156.35.114. From the public Internet http://www.silly.com works, but hosts on the 192.168.100.0 network cannot reach the web service as http://www.silly.com. The PREROUTING rule does rewrite the destination of their requests, but the web server then sees a request from a client on its own subnet and answers it directly, bypassing the Linux server; the client receives a reply from 192.168.100.1 for a connection it opened to 61.156.35.114 and discards it.
There are two ways round this:
a. Set up an internal DNS that resolves www.silly.com to the internal address 192.168.100.1 while resolving all other names normally. Internal clients then go straight to 192.168.100.1 and the Linux server is not involved at all.
b. Modify the NAT rules by adding a line that also rewrites the source of such requests, so that the server's reply comes back through the Linux server:
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 192.168.100.1 -p tcp -m tcp --dport 80 \
        -j SNAT --to-source 192.168.100.254
Note that the PREROUTING rule above deliberately has no -i eth0, so it also applies to requests coming in on eth1; and with this SNAT the web server's logs show every internal request as coming from 192.168.100.254.
With this we know how to use iptables to set up NAT rules for access from the LAN to the Internet, how the -s match decides which hosts are translated (and so which may reach the Internet), and, where an Internet server sits on the LAN, how to give the Internet access to specific services on the LAN.
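The following script, added here as an example and not taken from the original page, collects the NAT rules discussed above into one re-runnable script for this article's topology: source NAT for the LAN, the DNAT that publishes the internal web server, the hairpin SNAT from this section, the FTP helper modules and the Squid redirect. The interface names and addresses are the ones assumed throughout the article; the Squid port 3128 and the file name nat.sh are assumptions. It prints the commands by default and only applies them when run as ./nat.sh apply, so the rule set can be read before it touches the kernel:

```shell
#!/bin/sh
# nat.sh: added example, not from the original page. Assumed values: eth0
# faces the Internet, eth1 the LAN, 61.156.35.114 is the public address,
# 192.168.100.0/24 the LAN, 192.168.100.1 the internal web server,
# 192.168.100.254 the gateway's LAN address and 3128 a (hypothetical) Squid
# listening on the gateway.
#
#   ./nat.sh          print the commands that would be run (review first)
#   ./nat.sh apply    run them (root, Linux 2.4 with netfilter)

EXT_IF=eth0
INT_IF=eth1
EXT_IP=61.156.35.114   # empty string = address assigned dynamically (dial-up/DHCP)
LAN=192.168.100.0/24
LAN_GW=192.168.100.254
WEB_SRV=192.168.100.1
PROXY_PORT=3128        # empty string = no transparent proxy

MODE=${1:-print}

# Every privileged command goes through run(): in print mode it is echoed
# instead of executed, so the rule set can be reviewed on any machine.
run() {
    if [ "$MODE" = apply ]; then
        "$@"
    else
        echo "$*"
    fi
}

nat_rules() {
    # FTP needs the connection tracking helper and its NAT counterpart so that
    # the addresses inside PORT/PASV commands are rewritten as well.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    # Start from an empty nat table so the script can be run repeatedly.
    run iptables -t nat -F
    run iptables -t nat -X

    # 1. Source NAT for the LAN: SNAT with a fixed address, MASQUERADE otherwise.
    if [ -n "$EXT_IP" ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" \
            -j SNAT --to-source "$EXT_IP"
    else
        run iptables -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j MASQUERADE
    fi

    # 2. Destination NAT: publish the internal web server on port 80 of the
    #    public address. With a dynamic address only the interface can be matched.
    if [ -n "$EXT_IP" ]; then
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
            -j DNAT --to-destination "$WEB_SRV"
        # 3. Hairpin: LAN clients that use the public address. DNAT alone is not
        #    enough, because the server would answer the client directly; SNAT to
        #    the gateway's LAN address forces the reply back through the gateway.
        #    This DNAT must come before the proxy REDIRECT below.
        run iptables -t nat -A PREROUTING -i "$INT_IF" -d "$EXT_IP" -p tcp --dport 80 \
            -j DNAT --to-destination "$WEB_SRV"
        run iptables -t nat -A POSTROUTING -s "$LAN" -d "$WEB_SRV" -p tcp --dport 80 \
            -j SNAT --to-source "$LAN_GW"
    else
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
            -j DNAT --to-destination "$WEB_SRV"
    fi

    # 4. Transparent proxy: the remaining web requests from the LAN go to Squid
    #    on this host (REDIRECT rewrites the destination to eth1's own address).
    if [ -n "$PROXY_PORT" ]; then
        run iptables -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 \
            -j REDIRECT --to-port "$PROXY_PORT"
    fi
}

nat_rules
```

Rule order in PREROUTING matters: the hairpin DNAT for 61.156.35.114 has to come before the REDIRECT to Squid, otherwise requests for the public address are handed to the proxy instead of the web server. Run ./nat.sh without arguments and read the output before applying it.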
§§ Packet filtering - Packet Filter
NAT alone solves the problem of LAN access. Now let us look at netfilter's powerful packet filtering, which is what is normally used to build a firewall.
A packet filter is software that examines the headers of the packets passing through the Linux server and decides the fate of each packet according to the configured filtering rules: discard it (DROP), accept it (ACCEPT, let it through), or some other action.
§§ Controlling the packet filtering rules
Let us see how the packet filter in Linux works. The kernel has three lists of "firewall rules", called chains: INPUT, OUTPUT and FORWARD, as shown below:
                          _____
 Incoming                /     \         Outgoing
 -------->[Routing ]--->|FORWARD|-------->
          [Decision]     \_____/        ^
               |                        |
               v                     ____
              ___                   /    \
             /   \                 |OUTPUT|
            |INPUT|                 \____/
             \___/                     ^
               |                       |
               ----> Local Process -----
A packet entering the Linux server through a network interface (a NIC, for instance) first passes the routing decision, which determines where it is going. It is then matched against the INPUT chain if it is addressed to the server itself, or against the FORWARD chain if it is to be passed on; packets generated by the server itself go through the OUTPUT chain. These rules completely determine the fate of every packet passing through the server.
Going back to the network described earlier, where the Linux server reaches the Internet through eth0, the modified script below refuses every connection initiated from the Internet. Access is one-way: only connections from the internal network to the Internet are allowed.
[root @ rh73 ~] # cat fw.sh
#! / bin / sh
Modprobe ip_nat_ftp
Modprobe ip_conntrack_ftp
Echo 1> / Proc / Sys / Net / IPv4 / IP_FORWARD
# Set the default Input and Forward Policies to Drop
iptables -p input drop
iptables -p forward DROP
# 禁 禁 请 发 请 from Internet to Eth0
iptables -a forward! -i eth0 -m state --state new -j accept 1
iptables -a forward -m state --state established, Related -j AccePt 2
iptables -a infut! -i eth0 -m state --state new -j accept 3
iptables -ainput -m state --state established, Related -j Accept 4
iptables -a postrouting -t nat-t 192.168.100.0/24 -o eth0 -j snat --to-source 61.156.35.114
Since the INPUT and FORWARD are set, the 1234 section can be simplified:
# Create a new rule table for ALLOWED
iptables -n allowed
iptables -a allowed! -i eth0 -m state --state new -j acceptables -a allowed -m state --state established, Related -j Accept
#Input and forward use the setting of the Allowed rule table
iptables -a input -j allowed
iptables -a forward -j allowed
This script uses several new parameters and methods of use of iptables, which will be a small summary below.
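As an added example that is not part of the original page, here is the packet-filter half as a re-runnable script for the same topology. It uses the allowed chain from the text and adds what a gateway in this setup needs in practice: the loopback rule, anti-spoofing drops, the FORWARD rule without which the DNAT-published web server is unreachable from the Internet (a NEW connection arriving on eth0 is not accepted by the allowed chain), and rate-limited logging of what gets dropped. Interface names and addresses are the article's; the script name filter.sh is an assumption. Like the NAT script above it prints by default and applies only with ./filter.sh apply:

```shell
#!/bin/sh
# filter.sh: added example, not from the original page. Assumed values: eth0
# faces the Internet, eth1 the LAN, 192.168.100.0/24 is the LAN and
# 192.168.100.1 the internal web server published on port 80 by the DNAT
# rule from the NAT section.
#
#   ./filter.sh          print the commands (review first)
#   ./filter.sh apply    run them (root, Linux 2.4 with netfilter)

EXT_IF=eth0
INT_IF=eth1
LAN=192.168.100.0/24
WEB_SRV=192.168.100.1

MODE=${1:-print}

# Echo in print mode, execute in apply mode.
run() {
    if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi
}

filter_rules() {
    # Close the door first, then clear the old rules: no window in which
    # forwarding is wide open while the script runs.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -X
    run iptables -Z

    # The host must always be able to talk to itself.
    run iptables -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: a packet arriving from the Internet side with a LAN source
    # address is forged; drop it before any state rule can accept it.
    run iptables -A INPUT -i "$EXT_IF" -s "$LAN" -j DROP
    run iptables -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP

    # Shared chain: replies to known connections from anywhere, new connections
    # only if they do not arrive on the Internet interface. ESTABLISHED,RELATED
    # is tested first because it matches the bulk of the traffic.
    run iptables -N allowed
    run iptables -A allowed -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A allowed ! -i "$EXT_IF" -m state --state NEW -j ACCEPT
    run iptables -A INPUT -j allowed
    run iptables -A FORWARD -j allowed

    # A DNAT-published server is a NEW connection arriving on eth0, which the
    # allowed chain does not accept, so it needs its own rule in FORWARD. The
    # filter sees the packet after DNAT, so the internal address is matched.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_SRV" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Rate-limited log of what falls through to the DROP policy; read it with
    # dmesg or in /var/log/messages when something does not work.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-INPUT-drop:
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix fw-FORWARD-drop:
}

filter_rules
```

Setting the DROP policies before flushing avoids a moment in which the old rules are gone but the new ones are not yet loaded. This script touches the filter table only; the NAT rules live in the nat table and are left alone, so the two scripts can be run independently.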
§§ Common iptables commands and options
We have used the iptables tool throughout to create and maintain rule tables. It has a rich set of commands and options, of which this article has so far covered only a part, but I think enough for most situations (I hope you agree 8)).
iptables commands:
Commands for maintaining chains:
1. -N: create a new chain
2. -X: delete an empty chain
3. -P: change the default policy of a built-in chain
4. -L: list the rules in a chain
5. -F: flush (delete) the rules in a chain
6. -Z: zero the packet and byte counters of a chain
Commands for managing the rules within a chain:
1. -A: append a new rule to a chain
2. -I: insert a new rule at a given position in a chain
3. -R: replace a rule in a chain
4. -D: delete a rule from a chain
When debugging iptables rules you may need to modify and re-run your script repeatedly to get some feature right. It is therefore a good idea to put lines like these at the start of the script, so that the rules are not added twice:
# Clear all rules
iptables -F -t filter
iptables -X -t filter
iptables -Z -t filter
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
# Reset the default policies of the built-in chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
Note that resetting the policies to ACCEPT leaves the firewall open until the rest of the script has run; if that matters, set the DROP policies before flushing instead.
The "-t" option is short for "--table" and selects the table the command operates on; the default is the filter table.
Some examples of iptables options:
Source and destination addresses
-s or --source (also --src): the source address the rule matches
-d or --destination (also --dst): the destination address the rule matches
Allow packets from 192.168.100.0/24 through:
iptables -A INPUT -s 192.168.100.0/24 -d 0.0.0.0/0 -j ACCEPT
The "-j" option is short for "--jump" and gives the target for packets that match the rule: ACCEPT, DROP and so on.
Negation: put "!" before the value to invert the match.
Accept all packets that do not come from 192.168.100.0/24:
iptables -A INPUT -s ! 192.168.100.0/24 -d 0.0.0.0/0 -j ACCEPT
(Later iptables versions want the "!" before the option instead: ! -s 192.168.100.0/24.)
Protocol (TCP, UDP or ICMP)
-p or --protocol
Drop the ICMP protocol:
iptables -A INPUT -p icmp -j DROP
Interfaces
-i or --in-interface: the interface the packet arrived on
-o or --out-interface: the interface the packet leaves through
Only -i may be used in the INPUT chain and only -o in the OUTPUT chain; the FORWARD chain may use both.
Accept packets arriving on eth1:
iptables -A INPUT -i eth1 -j ACCEPT
Allow packets leaving through eth0:
iptables -A OUTPUT -o eth0 -j ACCEPT
Forward packets that come in on eth1 and go out through eth0:
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
TCP/UDP extensions
--sport or --source-port: the source port
--dport or --destination-port: the destination port
Accept TCP packets arriving on eth0 for destination port 21:
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
Accept UDP packets arriving on eth0 for destination port 21:
iptables -A INPUT -i eth0 -p udp --dport 21 -j ACCEPT

