Linux之iptables(四、网络防火墙及NAT)
2024-08-31 00:26:05
网络防火墙
- iptables/netfilter网络防火墙:
- (1) 充当网关
- (2) 使用filter表的FORWARD链
- 注意的问题:
- (1) 请求-响应报文均会经由FORWARD链,要注意规则的方向性
- (2) 如果要启用conntrack机制,建议将双方向的状态为ESTABLISHED的报文直接放行
NAT
- NAT: network address translation
- PREROUTING,INPUT,OUTPUT,POSTROUTING
- 请求报文:修改源/目标IP,由定义如何修改
- 响应报文:修改源/目标IP,根据跟踪机制自动实现
- SNAT:source NAT POSTROUTING, INPUT
- 让本地网络中的主机通过某一特定地址访问外部网络,实现地址伪装
- 请求报文:修改源IP
- DNAT:destination NAT PREROUTING , OUTPUT
- 把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射),但隐藏真实IP
- 请求报文:修改目标IP
- PNAT: port nat,端口和IP都进行修改
SNAT
- nat表的target:
- SNAT:固定IP
- --to-source [ipaddr[-ipaddr]][:port[-port]]
- --random
- iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP
[root@centos7a ~]#iptables -t nat -A POSTROUTING -s 10.0.1.0/ ! -d 10.0.1.0/ -j SNAT --to-source 172.16.32.6-172.16.32.10
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination
SNAT all -- * * 10.0.1.0/ !10.0.1.0/ to:172.20.71.105-172.20.71.110
SNAT
- MASQUERADE:动态IP,如拨号网络
- --to-ports port[-port]
- --random
- iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j MASQUERADE
[root@centos7a ~]#iptables -t nat -I POSTROUTING -s 10.0.1.0/ ! -d 10.0.1.0/ -j MASQUERADE
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination
MASQUERADE all -- * * 10.0.1.0/ !10.0.1.0/
DNAT
- --to-destination [ipaddr[-ipaddr]][:port[-port]]
- iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]
[root@centos7a ~]#iptables -t nat -A PREROUTING -s / -d 172.16.32.6 -p tcp --dport -j DNAT --to-destination 10.0.1.22
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination
DNAT tcp -- * * 0.0.0.0/ 172.32.20.6 tcp dpt: to:10.0.1.22
[root@centos7a ~]#iptables -t nat -A PREROUTING -s / -d 172.16.32.6 -p tcp --dport -j DNAT --to-destination 10.0.1.22:
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination
DNAT tcp -- * * 0.0.0.0/ 172.18.100.6 tcp dpt: to:10.0.1.22:
PNAT:利用虚拟端口进行数据转发
转发
- REDIRECT:
- NAT表
- 可用于:PREROUTING OUTPUT 自定义链
- 通过改变目标IP和端口,将接受的包转发至不同端口
- --to-ports port[-port]
[root@centos7a ~]#iptables -t nat -A PREROUTING -d 172.16.32.6 -p tcp --dport -j REDIRECT --to-ports
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT packets, bytes)
pkts bytes target prot opt in out source destination
REDIRECT tcp -- * * 0.0.0.0/ 172.16.100.10 tcp dpt: redir ports
最新文章
- Spring代理模式及AOP基本术语
- 回归基础: JavaScript 变量提升
- OracleGateway11gR2访问异构数据库(MSSQL)配置文档(转)
- 字符串 —— String?StringBuffer?StringBuilder?
- HDU 1227 Fast Food (DP)
- 页面javascript 和jquery 的一些用法
- delphi xe5 android 使用样式(风格)
- JUnit学习总结
- putty 与winscp 区别
- 微信自带浏览器不支持form表单post提交方案解决
- ubuntu默认的Python版本号修改
- ajax后台输出有红点
- 重新设计导出API
- 第四章 栈与队列(c3)栈应用:栈混洗
- 成为JAVA架构师必看书籍推荐
- 《廖雪峰 . Git 教程》学习总结
- JDBC事务保存点(setSavepoint, releaseSavepoint )实例
- Tdrag
- 【转】dijkstra算法
- CentOS6.5(3)----设置自己安装的程序开机自动启动