Use iptables to implement packet filtering and configure network address translation (NAT)
Install and use "system-config-network-tui" to create the basic "/etc/sysconfig/iptables" file, then edit the file with vi.
Filtering:
man iptables
iptables -I INPUT -s 192.168.1.3 -p tcp --dport 22 -j ACCEPT
-I insert (a rule number may follow the chain name, for example "-I INPUT 4" inserts the rule as the 4th rule of INPUT)
-A append
-D delete (give the chain and rule number, for example "-D INPUT 4", or repeat the full rule specification)
-m Specify a module to use (ex: Use "-m multiport" to specify multiple ports)
-s source
-d destination
--dport destination port
--sport source port
-j jump to target (ACCEPT, DROP, REJECT)
The last rule should be (to reject all others):
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Block a host:
iptables -I INPUT -p tcp --dport 80 -s 10.168.20.225 -j REJECT
(this matches only TCP port 80 from that host; drop "-p tcp --dport 80" to block all of its traffic)
Block a subnet:
iptables -I INPUT -p tcp -s 10.168.20.0/24 -j REJECT
Accept reply packets:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept anything on the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
NAT:
Allow the gateway to forward IP packets by modifying /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
To
net.ipv4.ip_forward = 1
Then execute: sysctl -p
Examples (eth1 is the Internet-facing interface of the gateway):
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -I FORWARD -o eth1 -j ACCEPT -m comment --comment "accept everything on the way out"
iptables -I FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"
DNAT:
Forward all incoming TCP traffic on port 8800 to 192.168.1.3 port 80:
iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT --to-destination 192.168.1.3:80
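The filtering, NAT and DNAT commands above assembled into one re-runnable script, added here as an example (it is not part of the original notes). It assumes eth1 is the Internet-facing interface as in the NAT examples, reuses the page's own addresses, and prints the commands instead of applying them unless run as "./fw.sh apply".

```sh
#!/bin/sh
# Added example, not from the original page. Assumptions: eth1 is the external
# interface; 192.168.1.3 is both the admin host allowed to SSH in and the web
# server published by the DNAT rule. IPT="echo iptables" gives a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
EXT_IF="${EXT_IF:-eth1}"
enable_forwarding() {
    # Runtime equivalent of net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
    $SYSCTL -w net.ipv4.ip_forward=1
}
apply_filter() {
    # Flush first so re-running the script does not stack duplicate rules.
    $IPT -F INPUT
    $IPT -F FORWARD
    # Loopback, then replies to connections this host itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the admin host; all TCP from the untrusted subnet refused.
    $IPT -A INPUT -s 192.168.1.3 -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -s 10.168.20.0/24 -j REJECT
    # Forwarding: anything out via the external interface, only replies back in.
    $IPT -A FORWARD -o "$EXT_IF" -m comment --comment "out" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -m state --state RELATED,ESTABLISHED \
        -m comment --comment "replies" -j ACCEPT
    # Catch-all must stay last: reject everything not matched above.
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}
apply_nat() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -F PREROUTING
    # Masquerade LAN traffic leaving via eth1; publish 192.168.1.3:80 on 8800.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    $IPT -t nat -A PREROUTING -p tcp --dport 8800 -j DNAT \
        --to-destination 192.168.1.3:80
}
# Print every command instead of running it (the subshell keeps the overrides local).
dry_run() {
    ( IPT="echo iptables"; SYSCTL="echo sysctl"
      enable_forwarding; apply_filter; apply_nat )
}
# Only touch the live firewall when explicitly asked: ./fw.sh apply
case "${1:-}" in
    apply) enable_forwarding; apply_filter; apply_nat ;;
    *)     dry_run ;;
esac
```

Review the dry-run output before applying; the REJECT lines must be the last rule of each chain or nothing after them will ever match.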
From the web, sorry forgot the source ...