[Collection] Understanding iptables (2)

xiaoxiao 2021-03-06

Original: 2000.6.6 by jephe wu, URL: http://www.linuxforum.net/docnew/showthread.php?Cat=&Board=Sys&Number=348&Page=0&view=collapsed&sb=5&o=all&fpart=

iptables is stateful.

Stateful means that when a packet is the reply to a packet that earlier went out through the firewall, the kernel's connection tracking recognises it automatically, and a single rule lets the reply back in to the requester. We no longer have to write a separate rule for every return direction.

Using this stateful capability of the new (2.4) kernel is strongly recommended. How is it enabled and used? See below (Figure II).

We assume that a company has a typical Internet connection like the one shown below:

   10.0.0.2                      ________________
  +--------+                    |                |
  |   PC   |  (10.0.0.1) eth1   |    firewall    |  eth0 (1.2.3.4)
  |   B    |--------------------|       A        |-------------------- Internet
  +--------+                    |________________|
  (LAN: 10.0.0.0/24)

The following rule set enables the stateful filtering of iptables together with IP masquerading:

 1  modprobe ip_tables
 2  echo 1 > /proc/sys/net/ipv4/ip_forward
 3  iptables -F INPUT
 4  iptables -F FORWARD
 5  iptables -F POSTROUTING -t nat
 6  iptables -P FORWARD DROP
 7  iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
 8  iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 9  iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
10  iptables -A INPUT -p tcp -i eth0 --syn --dport 80 -j ACCEPT
11  iptables -A INPUT -p tcp -i eth0 --syn -j DROP

Notes:

1. With Red Hat's modular kernel, once the ip_tables module has been loaded the following commands load the other modules they need on demand. Note also that the iptables module cannot be loaded while the ipchains or ipfwadm module is loaded; remove them with rmmod before loading iptables. Under Red Hat you can disable ipchains and enable iptables in ntsysv, reboot, and then run the commands above, or put them in /etc/rc.d/rc.local so they run automatically at boot.

2. Line 2 enables IP forwarding.

3. Lines 3 to 5 flush the rules of the INPUT chain, the FORWARD chain and the POSTROUTING chain of the nat table.

4. Line 6 sets the default policy of the FORWARD chain to DROP: a packet that is being forwarded but matches none of the rules in the FORWARD chain is handled by this default policy, i.e. dropped.

5. Line 7 allows the internal machines (10.0.0.0/24) to be forwarded to anywhere. It matches on the source address alone; adding -i eth1 would also stop a packet arriving on eth0 from the Internet with a forged 10.0.0.0/24 source address from being accepted by this rule.

6. Line 8 uses the state capability: a packet arriving on eth0 is allowed as long as it is the reply to a request that earlier went out through the firewall. ESTABLISHED means a connection in which packets have been seen in both directions, a TCP connection for instance; the reply to a ping counts as ESTABLISHED too. RELATED means a new connection that belongs to an existing one, such as the data connection of an active-mode FTP transfer (with the ip_conntrack_ftp helper loaded) or an ICMP error message about a tracked connection. When a reply packet arrives, the kernel actually looks it up in the connection tracking table, which can be seen in /proc/net/ip_conntrack; if the connection is in the table, this one rule accepts the packet and no further rule has to be written for it.

7. Line 9 enables IP masquerading: a packet leaving through eth0 has its source address rewritten to the address of eth0. Masquerading is a special case of source NAT (SNAT). Note that this is -o eth0, not -i eth0: in iptables a packet leaving through an interface is matched with -o and a packet arriving on an interface with -i, and since the POSTROUTING chain only sees outgoing packets, -i is not even accepted there.

8. Line 10: if this firewall is also a web server, a new connection request from outside (a TCP SYN) whose destination port is 80 is allowed in.

9. Line 11 drops every other new TCP connection request arriving on eth0, i.e. SYN packets whose destination port is not 80. --syn only matches TCP connection requests, and this rule set never changes the INPUT policy from its default of ACCEPT, so UDP and ICMP sent to the firewall itself are still accepted.
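As an added example (this script is not part of the original article), here is the rule set above reworked into a script that also closes the two gaps a reader would otherwise have to patch by hand: line 7 is pinned to the LAN interface so a packet arriving on eth0 with a 10.0.0.0/24 source is dropped, and INPUT gets a DROP policy with a state rule so the firewall itself is protected rather than relying on --syn alone. The interface names, the LAN prefix and 1.2.3.4 are the ones assumed in the diagram; loading ip_conntrack_ftp is my addition, on the assumption that active-mode FTP from the LAN is wanted. Without arguments the script only prints the iptables commands; with the argument `apply` it loads them.

```shell
#!/bin/sh
# Added example, not the original article's script: the rule set above as a script, with
# default-deny on INPUT and an anti-spoofing check on the Internet interface.
# Assumptions (from the diagram): eth1 faces the LAN 10.0.0.0/24, eth0 faces the Internet.
# Usage:  sh firewall.sh        -> print the iptables commands (dry run, no root needed)
#         sh firewall.sh apply  -> load the modules and the rules (as root)

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.0.0.0/24
IPT="${IPT:-iptables}"

load_modules() {
    modprobe ip_tables
    # assumption: the FTP helper is wanted, so RELATED covers active-mode FTP data connections
    modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward        # same as line 2 of the original rule set
}

build_rules() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # default deny in both directions; the original set only FORWARD to DROP and left INPUT
    # at ACCEPT, so non-SYN TCP, UDP and ICMP aimed at the firewall itself got through
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # anti-spoofing: a LAN source address can only legitimately arrive on the LAN interface
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # the firewall itself: loopback, replies to its own connections, HTTP from outside,
    # and anything from the LAN (original lines 10 and 11 only dealt with TCP SYNs)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --syn --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # forwarding: original line 7 matched on source address alone; pin it to the LAN interface
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # original line 8: replies and related connections coming back from the Internet
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # original line 9: masquerade the LAN behind the address of eth0
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# dry run: print the commands instead of executing them
print_rules() {
    ( IPT=echo; build_rules )
}

if [ "${1:-}" = apply ]; then
    load_modules
    build_rules
else
    print_rules
fi
```

The order inside the chains matters: the anti-spoofing DROP rules come before any ACCEPT, and the state rule in INPUT comes before the port-specific ones, so a reply to a connection the firewall opened itself is accepted regardless of port.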

Note: the relationship between NAT and the FORWARD chain

a. Whatever NAT is in effect, the source and destination addresses that the packet-filtering rules see are the real ones, i.e. the addresses of the internal machine, even though masquerading rewrites the packet: the masquerade is applied in POSTROUTING after the FORWARD chain has run, and the reverse translation of a reply is applied in PREROUTING before it. Both address pairs of a connection can be seen in /proc/net/ip_conntrack.

b. If we did not use the stateful feature of iptables, then in the situation above, where the 10.0.0.0/24 segment is allowed to masquerade, we would have to add a forwarding rule iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT; otherwise the replies to the masqueraded packets could not get back to the internal machines through the FORWARD chain, because reply packets also have to pass the FORWARD chain. Such a rule accepts by destination alone, so anything that reaches the FORWARD chain addressed to the LAN gets through whether or not an inside host asked for it, whereas line 8 accepts only what the connection tracking table knows about.
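The lookup that notes 6 and (a) describe, as an added example that is not from the original article: a small conntrack table in the 2.4-kernel /proc/net/ip_conntrack format is constructed inline (the entries are made up; 1.2.3.4, 10.0.0.0/24 and the 203.0.113.x / 198.51.100.x hosts are assumptions), and a function decides for a given packet header tuple what the -m state match would see, and which destination the FORWARD chain sees once PREROUTING has undone the masquerade. It covers ESTABLISHED and NEW only; the expectations that make a packet RELATED live in a separate table (ip_conntrack_expect) and are not modelled here.

```shell
#!/bin/sh
# Added example, not from the original article: how the state match decides, from the
# conntrack table, whether a packet belongs to a known connection, and which destination
# the FORWARD chain then sees after the masquerade is undone.
# The table below is constructed in the 2.4-kernel /proc/net/ip_conntrack format; the
# addresses (1.2.3.4 for eth0, 10.0.0.0/24 for the LAN, 203.0.113.x for Internet hosts)
# are assumptions, not captured data.
# Per entry: first src/dst/... group = original direction (LAN host, before SNAT),
# second group = reply direction (as the Internet host sends it, to the masqueraded 1.2.3.4).
CONNTRACK='tcp      6 431995 ESTABLISHED src=10.0.0.2 dst=203.0.113.10 sport=40000 dport=80 src=203.0.113.10 dst=1.2.3.4 sport=80 dport=40000 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.0.0.2 dst=203.0.113.22 sport=40001 dport=22 [UNREPLIED] src=203.0.113.22 dst=1.2.3.4 sport=22 dport=40001 use=1
udp      17 29 src=10.0.0.3 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=1.2.3.4 sport=53 dport=5353 use=1
icmp     1 29 src=10.0.0.2 dst=203.0.113.1 type=8 code=0 id=1234 src=203.0.113.1 dst=1.2.3.4 type=0 code=0 id=1234 use=1'

# classify PROTO "src=.. dst=.. sport=.. dport=.."   (icmp: "src=.. dst=.. type=.. code=.. id=..")
# The second argument is the header tuple of the packet as it is on the wire when it reaches
# the firewall.  Prints the state the "-m state" match would see and returns 0 if the
# connection is in the table; prints NEW and returns 1 if it is not.
classify() {
    printf '%s\n' "$CONNTRACK" | awk -v proto="$1" -v q="$2" '
    $1 == proto {
        orig = ""; reply = ""; cur = "orig"
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^(src|dst|sport|dport|type|code|id)=/) continue
            if ($i ~ /^src=/ && orig != "") cur = "reply"   # second src= starts the reply tuple
            if (cur == "orig") orig = (orig == "" ? $i : orig " " $i)
            else               reply = (reply == "" ? $i : reply " " $i)
        }
        if (reply == q) {
            # reply direction: ESTABLISHED (an ICMP echo reply counts too, it is not RELATED).
            # PREROUTING rewrites dst 1.2.3.4 back to the original source before FORWARD runs,
            # so the filter rules see the LAN address, as note (a) says.
            split(orig, o, " "); sub(/^src=/, "", o[1])
            print "ESTABLISHED de-NATed dst=" o[1]; found = 1; exit
        }
        if (orig == q) {
            # same direction as the first packet: only ESTABLISHED once a reply has been seen;
            # a retransmitted SYN of an [UNREPLIED] entry is still NEW
            st = ($0 ~ /\[UNREPLIED\]/) ? "NEW" : "ESTABLISHED"
            print st " (original direction)"
            found = 1; exit
        }
    }
    END { if (!found) { print "NEW (no conntrack entry)"; exit 1 } }'
}

# demo: the HTTP reply and the ping reply come back as ESTABLISHED and are delivered to
# 10.0.0.2; an unsolicited SYN to port 22 from outside is NEW and is dropped by line 11
classify tcp  "src=203.0.113.10 dst=1.2.3.4 sport=80 dport=40000"
classify icmp "src=203.0.113.1 dst=1.2.3.4 type=0 code=0 id=1234"
classify tcp  "src=198.51.100.7 dst=1.2.3.4 sport=4444 dport=22" || true
```

On a real 2.4 firewall the same comparison can be made by replacing the constructed CONNTRACK string with the contents of /proc/net/ip_conntrack; the reply tuple of every masqueraded entry has dst=1.2.3.4, which is exactly what the incoming reply carries on the wire.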

Note: how to prove that only one rule chain is applied?

With the old ipchains, a packet passing through the firewall from the LAN to the Internet traversed the input, forward and output chains in turn. With iptables only one chain applies to it, which you can verify by adding the following test rule:

iptables -A INPUT -s 10.0.0.2/24 -j DROP

This line only means that any machine in this network segment (10.0.0.2/24 is the same network as 10.0.0.0/24) is refused when its destination is the firewall itself; it never affects the masqueraded and forwarded packets, which pass only the FORWARD chain.

That was impossible with the old ipchains.

Please credit the original when reposting: https://www.9cbs.com/read-81314.html
