ipad entos centos 註意 put oca -s 網絡訪問 network

網絡防火墻

  • iptables/netfilter網絡防火墻:
  • (1) 充當網關
  • (2) 使用filter表的FORWARD鏈
  • 註意的問題:
  • (1) 請求-響應報文均會經由FORWARD鏈,要註意規則的方向性
  • (2) 如果要啟用conntrack機制,建議將雙方向的狀態為ESTABLISHED的報文直接放行

NAT

  • NAT: network address translation
  • PREROUTING,INPUT,OUTPUT,POSTROUTING
  • 請求報文:修改源/目標IP,由定義如何修改
  • 響應報文:修改源/目標IP,根據跟蹤機制自動實現
  • SNAT:source NAT POSTROUTING, INPUT
  • 讓本地網絡中的主機通過某一特定地址訪問外部網絡,實現地址偽裝
  • 請求報文:修改源IP
  • DNAT:destination NAT PREROUTING , OUTPUT
  • 把本地網絡中的主機上的某服務開放給外部網絡訪問(發布服務和端口映射),但隱藏真實IP
  • 請求報文:修改目標IP
  • PNAT: port nat,端口和IP都進行修改

SNAT

  • nat表的target:
  • SNAT:固定IP
  • --to-source [ipaddr[-ipaddr]][:port[-port]]
  • --random
  • iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP
[[email protected] ~]#iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.16.32.6-172.16.32.10
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       10.0.1.0/24         !10.0.1.0/24          to:172.20.71.105-172.20.71.110

SNAT

  • MASQUERADE:動態IP,如撥號網絡
  • --to-ports port[-port]
  • --random
  • iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j MASQUERADE
[[email protected] ~]#iptables -t nat -I POSTROUTING -s 10.0.1.0/24 ! -d  10.0.1.0/24 -j MASQUERADE
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       10.0.1.0/24         !10.0.1.0/24     

DNAT

  • --to-destination [ipaddr[-ipaddr]][:port[-port]]
  • iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]
[[email protected] ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 22 -j DNAT --to-destination 10.0.1.22
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.32.20.6          tcp dpt:22 to:10.0.1.22
[[email protected] ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.22:80
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.100.6         tcp dpt:80 to:10.0.1.22:80

PNAT:利用虛擬端口進行數據轉發

轉發

  • REDIRECT:
  • NAT表
  • 可用於:PREROUTING OUTPUT 自定義鏈
  • 通過改變目標IP和端口,將接受的包轉發至不同端口
  • --to-ports port[-port]
[[email protected] ~]#iptables -t nat -A PREROUTING -d 172.16.32.6 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            172.16.100.10        tcp dpt:80 redir ports 8080

Linux之iptables(四、網絡防火墻及NAT)