Enterprise iptables firewall (3)

Six. iptables NAT mode: network address translation (enterprise-level applications)

Network address translation (NAT) is an enterprise application; it does not demonstrate well in a virtual machine experiment.

1. SNAT: converts an internal network address to a public network address (source address translation)

A packet's source IP is only consulted after it has been routed (or after it has passed the firewall's filtering); before routing, only the destination IP is looked at. If the source IP has not yet been seen, how can it be matched? To filter packets and perform source address translation on them, the firewall must first be able to decide whether the source IP meets the matching conditions, so SNAT can only be done in the POSTROUTING chain:
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -d 192.168.122.0/24 -j SNAT --to-source 192.168.2.1

Note: after routing, traffic from the original 192.168.123.0/24 network destined for 192.168.122.0/24 has its source address 123.0 rewritten to 2.1 by SNAT. Why is this done? Because the receiver needs a reachable source address to send its reply packets to; otherwise the replies cannot be returned.

2. DNAT: changes the public network IP to an internal network IP (destination address translation). There is only one public network IP, but there are multiple internal network IPs.

If the destination address translation is not completed before routing, then by the time the packet reaches the ingress IP its delivery is already complete, because its original destination IP is the firewall's external public IP. Would the packet then continue on to the inside? Obviously not, so DNAT can only be done in the PREROUTING chain:
        1.1                 1.2   2.1                 2.2
C ---------------------- B ---------------------- A
client               forwarder               web-server
(addresses abbreviated: 1.1 is 192.168.1.1, 1.2 is 192.168.1.2, 2.1 is 192.168.2.1, 2.2 is 192.168.2.2; B has one interface on each network)

iptables -t nat -A PREROUTING -d 192.168.1.2 -j DNAT --to-destination 192.168.2.2
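The two NAT rules above tied to the C---B---A diagram, as an added example that is not part of the original post: a script for the forwarder B. It assumes B's addresses are 192.168.1.2 and 192.168.2.1 and the web server is 192.168.2.2, as the diagram shows, and narrows the page's DNAT rule to TCP port 80 so that only web traffic sent to B is redirected rather than everything addressed to it.

```shell
#!/bin/sh
# Added example, not from the original post: rule set for the forwarder B in
# the C---B---A diagram. Assumed addresses (from the diagram): B faces the
# client network as 192.168.1.2 and the server network as 192.168.2.1; the
# web server A is 192.168.2.2. The DNAT rule is narrowed to TCP/80 so that
# only web traffic sent to B, not everything addressed to B, is redirected.
EXT_IP="192.168.1.2"        # B, interface toward the client C
INT_IP="192.168.2.1"        # B, interface toward the web server A
WEB_IP="192.168.2.2"        # A, the real web server
CLIENT_NET="192.168.1.0/24"
SERVER_NET="192.168.2.0/24"

# Emit the commands, one per line, in the order they must be applied.
# DNAT goes in PREROUTING (before the routing decision) and SNAT in
# POSTROUTING (after it), as the text above explains. The FORWARD rules
# are needed because the next section sets FORWARD's default policy to DROP.
forwarder_commands() {
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP" \
      "iptables -t nat -A POSTROUTING -s $CLIENT_NET -d $SERVER_NET -j SNAT --to-source $INT_IP" \
      "iptables -A FORWARD -s $CLIENT_NET -d $WEB_IP -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
      "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check: exactly two commands touch the nat table (one DNAT, one SNAT).
count_nat_commands() {
    forwarder_commands | grep -c -- '-t nat'
}

# Usage:  sh nat-forwarder.sh print   (preview the commands)
#         sh nat-forwarder.sh apply   (run them as root on B)
case "${1:-}" in
    print) forwarder_commands ;;
    apply) forwarder_commands | while IFS= read -r cmd; do eval "$cmd"; done ;;
esac
```

Preview with `print` first; after `apply`, `iptables -t nat -L -n -v` should show the DNAT rule in PREROUTING and the SNAT rule in POSTROUTING, each with a packet counter that rises when the client fetches a page.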

Seven. Enterprise-level firewall configuration

1. Clear firewall rules

# iptables -F

2. Change the default policy to deny (allow port 22 before changing it, so that you can still connect to the host)

[root@iptables-server ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # open port 22
[root@iptables-server ~]# iptables -P INPUT DROP   # set the default for all incoming requests to deny
[root@iptables-server ~]# iptables -P FORWARD DROP # set the default for all forwarded traffic to deny
Note: when changing a default policy, only ACCEPT and DROP can be used
 # iptables -P INPUT DROP      ---- deny
 # iptables -P INPUT ACCEPT    ---- allow

3. Open the designated ports

[root@iptables-server ~]# iptables -A INPUT -i lo -j ACCEPT  # allow requests arriving on the lo interface
[root@iptables-server ~]# iptables -A INPUT  -p tcp  -m multiport --dport  80,443 -j ACCEPT # allow access to ports 80 and 443
[root@iptables-server ~]# iptables -A INPUT -s 192.168.246.0/24 -j ACCEPT  # allow this internal subnet to connect to the server

4. Save the iptables configuration

[root@iptables-server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
or
[root@iptables-server ~]# iptables-save > /etc/sysconfig/iptables

Source: blog.csdn.net/xingyu860990/article/details/109197374