10.15 iptables filter table case
1. iptables filter table case
Requirements: For the filter table only, preset the INPUT chain policy to DROP and the other two chains (OUTPUT, FORWARD) to ACCEPT; then open port 22 for 192.168.1.0/24 only, and open port 80 and port 21 to all network segments.
Because many rules are required, it is easier to write them as a script that can be re-run:
Command: vim /usr/local/sbin/iptables.sh, with the following content:
#! /bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                                        # flush the existing filter rules
$ipt -P INPUT DROP                             # default policy: drop everything inbound
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies to existing connections
$ipt -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT    # ssh, only from 192.168.1.0/24
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # http, from any network segment
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # ftp, from any network segment
Description: -m state --state followed by the two states RELATED,ESTABLISHED accepts packets that belong to connections already set up (including the replies to this machine's own outbound connections), which keeps communication flowing smoothly under an INPUT DROP policy.
1.1 After saving the script content, execute the script: sh /usr/local/sbin/iptables.sh // execute the script
1.2 View the rules that were added: iptables -nvL // view the rules
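An added example (not part of the course notes): instead of eyeballing iptables -nvL, the requirement can be checked mechanically against a dump in iptables-save format, which also lets you audit a captured ruleset offline. The script below is assumed code written for this page; the sample dump is constructed to mirror the lesson's script, and the checks encode exactly the lesson's requirement (INPUT DROP, the state rule present, ssh only from 192.168.1.0/24, 80 and 21 open to all, nothing else open). The port 22 check matters most: applying an INPUT DROP policy over an ssh session from outside 192.168.1.0/24 cuts that session off.

```shell
#!/bin/sh
# Added example, not from the course notes: audit a saved filter ruleset
# against the lesson's requirements. Input is iptables-save format, so it
# runs offline on a captured dump; the sample below is constructed to mirror
# the script in the lesson.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# filter_policy <dump> <chain> -> the chain's default policy (DROP/ACCEPT)
filter_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $0 == "*filter" { in_filter = 1; next }
        $0 == "COMMIT"  { in_filter = 0 }
        in_filter && $1 == ":" chain { print $2; exit }'
}

# open_ports <dump> -> "<source> <port>" for every INPUT ACCEPT rule that
# matches a --dport; source is "any" when the rule has no -s restriction
open_ports() {
    printf '%s\n' "$1" | awk '
        $0 == "*filter" { in_filter = 1; next }
        $0 == "COMMIT"  { in_filter = 0 }
        in_filter && $1 == "-A" && $2 == "INPUT" {
            src = "any"; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (port != "" && target == "ACCEPT") print src, port
        }'
}

# audit_filter <dump> -> 0 when the dump matches the requirements, 1 otherwise;
# every deviation is printed as a FAIL line
audit_filter() {
    dump="$1"; rc=0
    for want in "INPUT DROP" "OUTPUT ACCEPT" "FORWARD ACCEPT"; do
        set -- $want
        got=$(filter_policy "$dump" "$1")
        [ "$got" = "$2" ] || { echo "FAIL: $1 policy is '$got', expected $2"; rc=1; }
    done
    printf '%s\n' "$dump" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' \
        || { echo "FAIL: no RELATED,ESTABLISHED rule; replies to this host's own connections get dropped"; rc=1; }
    ports=$(open_ports "$dump")
    ssh_src=$(printf '%s\n' "$ports" | awk '$2 == 22 { print $1 }')
    case "$ssh_src" in
        192.168.1.0/24) ;;
        "") echo "FAIL: port 22 is not open for 192.168.1.0/24 (remote management would be locked out)"; rc=1 ;;
        *)  echo "FAIL: port 22 is open from '$ssh_src', expected only 192.168.1.0/24"; rc=1 ;;
    esac
    for p in 80 21; do
        printf '%s\n' "$ports" | grep -q "^any $p\$" \
            || { echo "FAIL: port $p is not open to all network segments"; rc=1; }
    done
    extra=$(printf '%s\n' "$ports" | awk '$2 != 22 && $2 != 80 && $2 != 21 { print $2 }')
    [ -z "$extra" ] || { echo "FAIL: ports open that the requirement does not mention: $extra"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: filter table matches the requirements"
    return "$rc"
}

# Run against the constructed sample; on a live host use: audit_filter "$(iptables-save)"
audit_filter "$SAMPLE_RULES"
```

On a live machine, feed it the real dump with audit_filter "$(iptables-save)" (as root). Note that iptables-save writes the lesson's rules with an extra -m tcp and spells the state match as shown in the sample, which is why the parser walks the options by name rather than matching whole lines.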
2.1 icmp example scenario:
This machine can ping external machines, but external machines cannot ping this machine (you can ping other people's machines, but others can't ping yours).
Command: iptables -I INPUT -p icmp --icmp-type 8 -j DROP
(Explanation: the --icmp-type option must be used together with -p icmp and is followed by the ICMP type number. Type 8 is an echo request; dropping it on INPUT means this machine can still ping other machines, but other machines cannot ping this machine. Please keep this in mind.)
2.1.2 After deleting the rule, the machines can ping each other normally again:
Command: iptables -D INPUT -p icmp --icmp-type 8 -j DROP
10.16-10.17-10.18 iptables nat table application
iptables nat table application scenario:
The iptables rules in Linux are very powerful and can implement many functions. The Internet-sharing function of a router, for example, is implemented with iptables on Linux, and specifically with the nat table.
1. Experiment: Machine A has two network cards, ens33 (192.168.133.130) and ens37 (192.168.100.1). ens33 can reach the external network, while ens37 is on the internal network only. Machine B has only ens37 (192.168.100.100), and machines A and B can communicate with each other over ens37.
1.1 Requirement: let machine B reach the external network.
Turn on routing forwarding on machine A:
echo "1" > /proc/sys/net/ipv4/ip_forward // write 1 to the kernel parameter file to enable forwarding
Execute on A:
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
// -s is the internal network segment (B's side); -o gives the network card the packets exit through, which is ens33, the card that can reach the external network; MASQUERADE means masquerading (the source address is rewritten to the exit card's address).
Set the gateway on B to 192.168.100.1
Explanation:
1. The first command writes to a kernel parameter file. Its purpose is to turn on the routing forwarding function; without it, our application cannot work.
2. The second command makes iptables perform IP forwarding in the nat table. The -o option is followed by a device name, meaning the exit network card, and MASQUERADE means masquerading.
2. Requirement: Machine C can only communicate with A. Let machine C reach port 22 on machine B directly (that is, port mapping: map A's 192.168.133.130:1122 to B's 192.168.100.100:22).
2.1 On A, turn on routing forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward
2.2 On A, execute: iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 // incoming packets
2.3 On A, execute: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130 // returned packets
2.4 Set the gateway on B to 192.168.100.1
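An added example (not part of the course notes) that serves both nat scenarios above, the MASQUERADE rule for shared Internet access and the DNAT/SNAT port mapping. A nat rule that is present but not matched by its counterpart fails silently: without ip_forward the DNAT'd packet is never forwarded, and a DNAT target with no SNAT/MASQUERADE in POSTROUTING has no rule rewriting B's replies. The script is assumed code written for this page; it reads an iptables-save style dump (constructed here to mirror the lesson's rules; iptables-save writes the lesson's --to as --to-destination / --to-source and appends /32 to host addresses) plus the ip_forward value, and reports each mapping and its return path. The prefix matching in covers() deliberately handles only /0, /24 and /32, which is all these rules use.

```shell
#!/bin/sh
# Added example, not from the course notes: audit a saved nat table for the
# lesson's MASQUERADE and DNAT/SNAT scenarios. Runs offline on a dump in
# iptables-save format; the sample below is constructed.

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.133.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.133.130
COMMIT'

# value_after <rule> <option> -> the token following <option> in the rule, or ""
value_after() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        { for (i = 1; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }'
}

# covers <cidr> <ip> -> 0 if <ip> lies inside <cidr>; only /0, /24 and /32
# are handled, which is all the lesson's rules need (deliberate simplification)
covers() {
    net=${1%/*}; len=${1#*/}
    [ "$len" = "$1" ] && len=32      # bare address without a prefix length
    case "$len" in
        0)  return 0 ;;
        32) [ "$net" = "$2" ] ;;
        24) [ "${net%.*}" = "${2%.*}" ] ;;
        *)  return 1 ;;
    esac
}

# dnat_mappings <dump> -> one "dst:dport -> target" line per DNAT rule
dnat_mappings() {
    printf '%s\n' "$1" | grep -- '-j DNAT' | while read -r rule; do
        dst=$(value_after "$rule" -d); port=$(value_after "$rule" --dport)
        echo "${dst%/32}:$port -> $(value_after "$rule" --to-destination)"
    done
}

# masquerade_exits <dump> -> "source -> out-interface" per MASQUERADE rule
masquerade_exits() {
    printf '%s\n' "$1" | grep -- '-j MASQUERADE' | while read -r rule; do
        echo "$(value_after "$rule" -s) -> $(value_after "$rule" -o)"
    done
}

# return_path <dump> <ip> -> 0 if some POSTROUTING SNAT/MASQUERADE rule covers
# <ip>, i.e. there is a rule on A that rewrites the mapped machine's replies
return_path() {
    printf '%s\n' "$1" | grep -E -- '^-A POSTROUTING .*-j (SNAT|MASQUERADE)' | while read -r rule; do
        src=$(value_after "$rule" -s); [ -n "$src" ] || src="0.0.0.0/0"   # no -s means any source
        if covers "$src" "$2"; then echo found; fi
    done | grep -q found
}

# audit_nat <dump> <ip_forward> -> 0 when forwarding is on and every DNAT
# target has a return path; each problem is printed as a FAIL line
audit_nat() {
    dump="$1"; rc=0
    [ "$2" = "1" ] || { echo "FAIL: ip_forward is '$2', A will not forward packets for B"; rc=1; }
    maps=$(dnat_mappings "$dump")
    bad=$(printf '%s\n' "$maps" | while read -r map; do
        [ -n "$map" ] || continue
        target=${map##*"-> "}; ip=${target%:*}
        return_path "$dump" "$ip" || echo "FAIL: $map has no SNAT/MASQUERADE for replies from $ip"
    done)
    [ -z "$bad" ] || { echo "$bad"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: masquerade: $(masquerade_exits "$dump"); mappings: $maps"
    return "$rc"
}

# Demo on the constructed dump with this host's live ip_forward value (0 if unreadable);
# on machine A itself use: audit_nat "$(iptables-save -t nat)" "$(cat /proc/sys/net/ipv4/ip_forward)"
audit_nat "$SAMPLE_NAT" "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)"
```

Running it with ip_forward set to 0, or with the POSTROUTING rules removed from the dump, produces a FAIL line naming the missing piece, which is the same information you would otherwise have to infer from a connection that simply times out.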