Lesson 12: iptables firewall comprehensive experiment (SNAT gateway plus DNAT port forwarding)
12.1 Experimental requirements
Topology (text version):
A (172.16.10.1) - LAN (172.16.10.0/24) - (eth0:0, 172.16.10.254) B (eth0, 192.168.6.146) - Internet (192.168.6.0/24) - (192.168.6.128) C
Requirements:
1. From A, ping host C (the assignment text gives 172.16.20.2; in the topology actually built C is 192.168.6.128)
2. From C, ssh root@192.168.6.146 must be redirected by B and land on host A inside the LAN
Hints:
- All virtual machines use NAT mode
- A's default gateway points to 172.16.10.254
- B acts as the gateway; the NAT policy is configured on B
- B can carry several addresses on one NIC by using an interface alias: ifconfig eth0:0 xxxx netmask xxxx
- B runs CentOS 6.x
12.2 Experiment preparation
- Prepare three virtual machines: PC1, the intranet client; PC2 (CentOS 6.9), which does the NAT forwarding; and PC3, the external host
- The topology is the one given in 12.1
12.3 PC1 network configuration
- Configure the network
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static            # static (manual) configuration
IPADDR=172.16.10.1          # intranet IP
NETMASK=255.255.255.0       # subnet mask
GATEWAY=172.16.10.254       # default gateway: PC2's eth0:0 address
DNS1=114.114.114.114        # the ifcfg key is DNS1 (DNS2, ...), not DNS
[root@localhost ~]# service network restart   # restart the network service after saving the file
The ifconfig output shows that PC1's network card now carries 172.16.10.1/24:
[root@localhost ~]# ifconfig
PC1 can reach PC2 on the intranet side:
[root@localhost ~]# ping 172.16.10.254   # ping PC2's LAN address
12.4 PC2 network card and firewall configuration
- Configure the network card
[root@lin ~]# ifconfig eth0:0 172.16.10.254 netmask 255.255.255.0 up   # add the LAN address as an alias of eth0
[root@lin ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:DD:00:64
inet addr:192.168.6.146 Bcast:192.168.6.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fedd:64/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7701 errors:0 dropped:0 overruns:0 frame:0
TX packets:167 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:476055 (464.8 KiB) TX bytes:18437 (18.0 KiB)
# eth0 (external side) is up
eth0:0 Link encap:Ethernet HWaddr 00:0C:29:DD:00:64
inet addr:172.16.10.254 Bcast:172.16.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# eth0:0 (LAN side) is up; note that it shares the MAC address and the physical device with eth0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
An address added with ifconfig is lost at reboot. To keep it, create /etc/sysconfig/network-scripts/ifcfg-eth0:0 with DEVICE=eth0:0, IPADDR=172.16.10.254, NETMASK=255.255.255.0 and ONBOOT=yes.
- Configure the firewall
# Flush the existing rules (without -t nat this flushes only the filter table)
[root@lin ~]# iptables -F
# Kernel parameter: enable IP forwarding (this /proc write is lost at reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent)
[root@lin ~]# echo 1 >/proc/sys/net/ipv4/ip_forward
[root@lin ~]# cat /proc/sys/net/ipv4/ip_forward
1
# NAT settings
# POSTROUTING chain: PC2 rewrites the source address of packets coming from the LAN (172.16.10.0/24, the eth0:0 side) to its own eth0 address, so that replies from the outside come back to PC2
[root@lin ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j SNAT --to-source 192.168.6.146
# PREROUTING chain: SSH connection requests from external hosts in 192.168.6.0/24 addressed to PC2 are redirected (DNAT) to port 22 of the LAN host 172.16.10.1
[root@lin ~]# iptables -t nat -A PREROUTING -d 192.168.6.146 -s 192.168.6.0/24 -p tcp --dport 22 -j DNAT --to 172.16.10.1:22
# FORWARD chain: allow TCP packets to port 22 of LAN host 172.16.10.1 to pass
[root@lin ~]# iptables -A FORWARD -d 172.16.10.1 -p tcp --dport 22 -j ACCEPT
Points to note about this rule set:
- The DNAT rule claims port 22 of 192.168.6.146 for every host in 192.168.6.0/24, so from that network it is no longer possible to ssh into PC2 itself. If PC2's own sshd must stay reachable, publish PC1 on a different port (for example --dport 2222 with --to 172.16.10.1:22).
- After iptables -F the FORWARD chain keeps its ACCEPT policy (the stock CentOS 6 rule set blocks forwarding with a REJECT rule, not with the policy). That is why the ping in 12.5 passes without any ICMP rule, and it also means the explicit FORWARD ACCEPT rule changes nothing. It only matters once the policy is set to DROP (iptables -P FORWARD DROP); a default-deny FORWARD chain then also needs a -m state --state ESTABLISHED,RELATED rule for return traffic.
- iptables does not treat the eth0:0 alias as a separate interface (-i/-o only match eth0), so LAN traffic has to be identified by address, as the SNAT rule does.
- The rules exist only in kernel memory. Run service iptables save to write them to /etc/sysconfig/iptables so that the iptables init script restores them at boot.
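The following script is an added example, not part of the original page: it installs the same SNAT gateway and SSH forwarding as section 12.4, but with a default-deny FORWARD chain, connection tracking for return traffic, both tables flushed, the source restriction kept on the published port, and forwarding plus the rules persisted. The addresses are the ones from the topology above; the DRY_RUN switch, the run helper and the PUBLISHED_PORT variable are this example's own additions. With DRY_RUN=1 (the default) every command is only printed, so the rule set can be reviewed on any machine; on PC2 run it as sh gateway.sh --apply.

```shell
#!/bin/sh
# Added example (not from the original page): hardened version of the PC2
# gateway rule set from section 12.4. Addresses follow the page's topology;
# DRY_RUN, run() and PUBLISHED_PORT are assumptions made for this example.
WAN_IF=eth0                 # eth0:0 is only an alias of eth0; iptables -i/-o
LAN_NET=172.16.10.0/24      # match the base device, so the LAN is matched by address
WAN_IP=192.168.6.146        # PC2's external address
SSH_TARGET=172.16.10.1      # PC1, the only LAN host published to the outside
ADMIN_NET=192.168.6.0/24    # hosts allowed to reach the published SSH port
PUBLISHED_PORT=22           # 22 hides PC2's own sshd from ADMIN_NET; use 2222 to keep it

DRY_RUN="${DRY_RUN:-1}"

# Print the command (unquoted) in a dry run, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # 1. Routing: enable now and persist (CentOS 6 ships
    #    "net.ipv4.ip_forward = 0" in /etc/sysctl.conf).
    run sysctl -w net.ipv4.ip_forward=1
    run sed -i 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf

    # 2. Start clean in both tables (iptables -F alone leaves the nat table untouched).
    run iptables -F
    run iptables -t nat -F

    # 3. Default-deny forwarding instead of relying on the ACCEPT policy left by -F.
    run iptables -P FORWARD DROP

    # 4. Replies and related traffic (e.g. ICMP errors) for flows allowed below.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. LAN hosts may open new connections to anything outside the LAN.
    run iptables -A FORWARD -s "$LAN_NET" ! -d "$LAN_NET" -m state --state NEW -j ACCEPT

    # 6. Published SSH: only from ADMIN_NET, only to PC1, only port 22.
    run iptables -A FORWARD -s "$ADMIN_NET" -d "$SSH_TARGET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 7. NAT: DNAT rewrites the destination before routing, SNAT rewrites the
    #    source after routing so that replies from outside return to PC2.
    run iptables -t nat -A PREROUTING -s "$ADMIN_NET" -d "$WAN_IP" -p tcp --dport "$PUBLISHED_PORT" \
        -j DNAT --to-destination "$SSH_TARGET:22"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$WAN_IP"

    # 8. Persist the rule set to /etc/sysconfig/iptables for the init script.
    run service iptables save
}

# Only --apply executes the commands; anything else is a dry run.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
gateway_rules
```

Compared with the page's three rules, the order matters: the ESTABLISHED,RELATED rule comes first so that every reply is accepted by one match, and the two NEW rules are the only places a connection can be opened through the gateway. The SNAT rule excludes traffic destined for the LAN itself, which keeps the rule correct even if a second LAN segment is routed through PC2 later.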
12.5 Testing
1. ping
From PC1 on the internal network, ping PC3 on the external network. Replies arrive, which shows that PC2 forwards the packets and rewrites their source address; on PC2, iptables -t nat -L -n -v shows the packet counters of the SNAT rule increasing while the ping runs.
# Test on PC1 (172.16.10.1)
[root@localhost ~]# ping 192.168.6.128   # ping PC3
2. ssh
From PC3 on the external network, open an SSH connection to PC2 (192.168.6.146). After the login succeeds, check the interface addresses: they are those of PC1 (172.16.10.1), not PC2, which shows that PC2 redirected the connection and the login actually landed on PC1.
# Test on PC3 (192.168.6.128)
[root@localhost ~]# ssh root@192.168.6.146   # SSH connection request addressed to PC2
root@192.168.6.146's password:               # enter the root password of PC1 (172.16.10.1), not PC2's
[root@localhost ~]# ifconfig                 # now running on PC1: shows 172.16.10.1