Thursday, February 9, 2012

packet filtering and configure network address translation using iptable

Use iptables to implement packet filtering and configure network address translation (NAT)

Install and use "system-config-network-tui" to create the basic "/etc/sysconfig/iptables" file, then edit the file with vi.


man iptables

iptables -I INPUT -s -p tcp --dport 22 -j ACCEPT

-I insert (Can include a rule number, for example "-I 4" which means "insert as 4th rule")
-A append
-D delete (include rule number)
-m Specify a module to use (ex: Use "-m multiport" to specify multiple ports)
-s source
-d destination
--dport destination port
--sport source port
-j jump to target (ACCEPT, DENY, DROP)

The last rule should be (to reject all others):

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Block a host:
iptables -I INPUT -p tcp --dport 80 -s -j REJECT

Block a subnet:
iptables -I INPUT -p tcp -s -j REJECT

Accept reply packets:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept anything on the loopback interface:
iptables -i lo -j ACCEPT


Allow the gateway to forward IP packets by modifying /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1

Then execute: sysctl -p

iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

iptables -I FORWARD -i eth1 -o eth1 -j ACCEPT -m comment --comment "accept everything on the way out"

iptables -I FORWARD -o eth1 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"


Forward all incomming tcp traffic on port 8800 to port 80:

iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT -to

From the web, sorry forgot the source ...

No comments:

Post a Comment