Linux iptables (Part 4: Network Firewall and NAT)
阿新 • Published: 2018-10-26
Network firewall
- iptables/netfilter as a network firewall:
- (1) the host acts as a gateway
- (2) the rules live in the FORWARD chain of the filter table
- Points to watch:
- (1) Both the request and the response packets of a forwarded connection pass through the FORWARD chain, so pay attention to the direction each rule applies to
- (2) If the conntrack mechanism is enabled, it is recommended to accept packets in the ESTABLISHED state (and the RELATED state) in both directions outright, so that the remaining rules only have to describe the first packet of a connection
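A complete FORWARD-chain rule set for such a gateway, as an added example that is not part of the original post. It turns the two points above into rules: the ESTABLISHED,RELATED accept comes first, and the only rule that admits NEW connections pins the direction with `-i`/`-o` and `-s`. The interface names eth1 (LAN) and eth0 (WAN) are assumptions; the 10.0.1.0/24 prefix is the one the post's own examples use. With APPLY unset the script only prints the iptables commands for review; `APPLY=1` executes them (root required).

```shell
#!/bin/bash
# Added example (not from the original post): FORWARD-chain rules for a
# Linux gateway. Interface names are assumptions; LAN_NET matches the post.
LAN_IF=${LAN_IF:-eth1}            # inside interface (assumed name)
WAN_IF=${WAN_IF:-eth0}            # outside interface (assumed name)
LAN_NET=${LAN_NET:-10.0.1.0/24}   # LAN prefix from the post's examples

# APPLY=1 runs iptables for real; otherwise the command is printed, so the
# rule set can be reviewed (or tested) on a host without root.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

gateway_forward_rules() {
    # A gateway routes nothing while forwarding is off; the rules below
    # would never see a packet. Only touched when actually applying.
    if [ "${APPLY:-0}" = 1 ]; then sysctl -q -w net.ipv4.ip_forward=1; fi

    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Conntrack (point 2): replies and related traffic (ICMP errors, FTP
    # data) of tracked connections are accepted in both directions first,
    # so every later rule only has to describe a connection's FIRST packet.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Direction (point 1): only the LAN side may open connections, and only
    # towards the WAN. -i/-o plus -s pin the direction; nothing here lets a
    # WAN host initiate a connection into the LAN.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everything else is logged (rate-limited) and then dropped by policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Number of -A FORWARD rules the function emits in review mode (sanity check).
forward_rule_count() {
    APPLY=0 gateway_forward_rules | grep -c -- ' -A FORWARD '
}

gateway_forward_rules
```

Run it once without APPLY, read the printed rules, then apply. Because the accept for ESTABLISHED,RELATED sits at the top, the NEW rule is the only place where policy is decided; reversing `-i`/`-o` there would silently turn the gateway into an open door for inbound connections, which is exactly the directionality trap point (1) warns about.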
NAT
- NAT: network address translation
- Chains of the nat table: PREROUTING, INPUT, OUTPUT, POSTROUTING
- Request packets: the source/destination IP is rewritten as the rule defines
- Response packets: the reverse rewrite is performed automatically by the connection tracking mechanism
- SNAT: source NAT; chains POSTROUTING, INPUT
- Lets hosts on the local network reach external networks through one specific address (address masquerading)
- Request packets: the source IP is rewritten
- DNAT: destination NAT; chains PREROUTING, OUTPUT
- Publishes a service running on a local-network host to external networks (service publishing, port mapping) while hiding the host's real IP
- Request packets: the destination IP is rewritten
- PNAT: port NAT; both the port and the IP are rewritten
SNAT
- Targets of the nat table:
- SNAT: for a fixed (static) public IP
- --to-source [ipaddr[-ipaddr]][:port[-port]]
- --random
- iptables -t nat -A POSTROUTING -s LocalNet ! -d LocalNet -j SNAT --to-source ExtIP
[root@centos7a ~]#iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.16.32.6-172.16.32.10
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.0.1.0/24         !10.0.1.0/24          to:172.16.32.6-172.16.32.10
SNAT
- MASQUERADE: for dynamically assigned IPs, e.g. dial-up links (slightly more costly than SNAT, because the address of the outgoing interface is looked up for every new connection)
- --to-ports port[-port]
- --random
- iptables -t nat -A POSTROUTING -s LocalNet ! -d LocalNet -j MASQUERADE
[root@centos7a ~]#iptables -t nat -I POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.0.1.0/24         !10.0.1.0/24
DNAT
- --to-destination [ipaddr[-ipaddr]][:port[-port]]
- iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InternalServerIP[:PORT]
- Note: DNAT only rewrites the header. The packet is then routed and still passes through the filter table's FORWARD chain, already carrying the internal destination address, so a FORWARD policy of DROP needs an explicit accept for InternalServerIP:PORT as well
[root@centos7a ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 22 -j DNAT --to-destination 10.0.1.22
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.32.6          tcp dpt:22 to:10.0.1.22
[root@centos7a ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.22:80
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.32.6          tcp dpt:22 to:10.0.1.22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.32.6          tcp dpt:80 to:10.0.1.22:80
PNAT: forwarding traffic through a virtual (translated) port
Forwarding
- REDIRECT:
- nat table
- Usable in: PREROUTING, OUTPUT, and user-defined chains called from those two
- Rewrites the destination to the local machine (the primary address of the incoming interface, or 127.0.0.1 for locally generated packets) and rewrites the destination port, so that packets for one port are delivered to a different local port
- --to-ports port[-port]
[root@centos7a ~]#iptables -t nat -A PREROUTING -d 172.16.32.6 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            172.16.32.6          tcp dpt:80 redir ports 8080
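The three nat targets covered in the SNAT, DNAT and REDIRECT sections above, combined into one rule set for the same gateway, as an added example that is not part of the original post. It translates outbound LAN traffic (SNAT with a static address, MASQUERADE otherwise), publishes the post's internal server 10.0.1.22 (SSH behind external port 2222, HTTP on port 80) and transparently redirects LAN clients' port-80 traffic to a proxy on the gateway's own port 8080. The interface names eth0/eth1, the external port 2222 and the proxy on 8080 are assumptions; EXT_IP defaults to the post's 172.16.32.6 and can be set empty for a dynamic address. Two things the post's single-rule examples do not show: the DNAT'd packet still has to be accepted in the filter table's FORWARD chain, and matching on the interface rather than on "! -d LocalNet" keeps NAT off traffic that happens to be routed between internal segments. As in the example above, the commands are printed unless APPLY=1.

```shell
#!/bin/bash
# Added example (not from the original post): nat-table rules for a gateway
# that translates outbound traffic and publishes one internal server.
LAN_IF=${LAN_IF:-eth1}             # inside interface (assumed name)
WAN_IF=${WAN_IF:-eth0}             # outside interface (assumed name)
LAN_NET=${LAN_NET:-10.0.1.0/24}    # LAN prefix from the post
SRV_IP=${SRV_IP:-10.0.1.22}        # internal server from the post
EXT_IP=${EXT_IP-172.16.32.6}       # static WAN address from the post; set empty for a dynamic one

# APPLY=1 runs iptables for real; otherwise the command is printed for review.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

nat_rules() {
    ipt -t nat -F

    # Outbound (SNAT): the nat table only sees a connection's first packet;
    # conntrack reverses the mapping on every reply. Matching the outbound
    # interface instead of "! -d LAN_NET" means traffic routed to another
    # internal segment is never translated.
    if [ -n "$EXT_IP" ]; then
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$EXT_IP"
    else
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE   # dynamic WAN IP
    fi

    # Inbound (DNAT / port mapping): with a static address also pin -d EXT_IP;
    # with a dynamic one only the arriving interface is known.
    if [ -n "$EXT_IP" ]; then set -- -i "$WAN_IF" -d "$EXT_IP"; else set -- -i "$WAN_IF"; fi
    # external 2222 -> SRV_IP:22 (IP and port rewritten, i.e. PNAT)
    ipt -t nat -A PREROUTING "$@" -p tcp --dport 2222 -j DNAT --to-destination "$SRV_IP:22"
    # external 80 -> SRV_IP:80 (IP only)
    ipt -t nat -A PREROUTING "$@" -p tcp --dport 80 -j DNAT --to-destination "$SRV_IP"

    # DNAT only rewrites the header. The packet is then routed and hits the
    # filter table's FORWARD chain carrying its NEW destination, so with a
    # DROP policy there it still needs an explicit accept.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SRV_IP" -p tcp -m multiport --dports 22,80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # REDIRECT: LAN clients' web traffic is steered to a proxy on the gateway
    # itself (port 8080). Matching -i LAN_IF keeps it apart from the port-80
    # DNAT above, which only applies to packets arriving on WAN_IF.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 8080
}

nat_rules
```

The two port-80 rules do not collide because each is bound to a different arriving interface; a REDIRECT without `-i` would also catch the published traffic from the WAN side and hand it to the local proxy instead of the internal server. Counters for the nat rules only ever grow by one per connection, which is the visible sign that the rest of the translation is done by conntrack rather than by these rules.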