Linux iptables (Part 4: network firewall and NAT)
Network firewall
- The iptables/netfilter network firewall:
- (1) acts as a gateway
- (2) uses the FORWARD chain of the filter table
- Points to note:
- (1) Both request and response packets pass through the FORWARD chain, so pay attention to the direction of each rule
- (2) If the conntrack mechanism is enabled, it is recommended to directly accept packets in the ESTABLISHED state in both directions
NAT
- NAT: network address translation
- Chains: PREROUTING, INPUT, OUTPUT, POSTROUTING
- Request packets: the source/destination IP is modified as defined by the rule
- Response packets: the source/destination IP is modified automatically by the connection-tracking mechanism
- SNAT: source NAT; chains POSTROUTING, INPUT
- Lets hosts on the local network reach an external network through one specific address (address masquerading)
- Request packets: the source IP is modified
- DNAT: destination NAT; chains PREROUTING, OUTPUT
- Exposes a service on a host in the local network to the external network (service publishing and port mapping) while hiding the host's real IP
- Request packets: the destination IP is modified
- PNAT: port NAT; both the port and the IP are modified
SNAT
- Targets in the nat table:
- SNAT: fixed IP
- --to-source [ipaddr[-ipaddr]][:port[-port]]
- --random
- iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP
[root@centos7a ~]#iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.16.32.6-172.16.32.10
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.0.1.0/24         !10.0.1.0/24          to:172.20.71.105-172.20.71.110
SNAT
- MASQUERADE: dynamic IP, e.g. dial-up networks
- --to-ports port[-port]
- --random
- iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j MASQUERADE
[root@centos7a ~]#iptables -t nat -I POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       10.0.1.0/24         !10.0.1.0/24
DNAT
- --to-destination [ipaddr[-ipaddr]][:port[-port]]
- iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterServerIP[:PORT]
[root@centos7a ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 22 -j DNAT --to-destination 10.0.1.22
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.32.20.6          tcp dpt:22 to:10.0.1.22
[root@centos7a ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.22:80
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.100.6         tcp dpt:80 to:10.0.1.22:80
PNAT: forwards data by means of a virtual port
Redirection
- REDIRECT:
- nat table
- Usable in: PREROUTING, OUTPUT and user-defined chains
- Redirects received packets to a different port by changing the destination IP and port
- --to-ports port[-port]
[root@centos7a ~]#iptables -t nat -A PREROUTING -d 172.16.32.6 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@centos7a ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            172.16.100.10        tcp dpt:80 redir ports 8080
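The notes above show the nat-table rules on their own; on a real gateway they only work together with the FORWARD-chain rules from the network-firewall section. The script below is an added example (not from the original notes) that emits the combined rule set for the page's topology (LAN 10.0.1.0/24 behind 172.16.32.6, web server 10.0.1.22 published on port 80) and checks that every DNAT target also has a FORWARD accept; LAN_IF and EXT_IF are assumed interface names.

```sh
#!/bin/sh
# Added example (not from the original notes): emit the full rule set a gateway needs for the
# topology on this page: LAN 10.0.1.0/24 behind 172.16.32.6, web server 10.0.1.22 published on :80.
# LAN_IF and EXT_IF are assumed interface names. Nothing here touches the kernel; the
# commands are printed so they can be reviewed, then run as root on the gateway.

LAN_NET=10.0.1.0/24
LAN_IF=eth1            # assumption: interface facing the LAN
EXT_IF=eth0            # assumption: interface carrying the public address
EXT_IP=172.16.32.6
WEB_SRV=10.0.1.22

gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# FORWARD sees both directions: drop by default, pass tracked replies both ways (the notes' advice)
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may open new outbound connections; SNAT rewrites the source afterwards in nat/POSTROUTING
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Published service: FORWARD must accept the already-translated destination, not $EXT_IP
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
iptables -t nat -A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $EXT_IF -j SNAT --to-source $EXT_IP
EOF
}

# Count generated commands matching a pattern (comment lines excluded), e.g. '-j SNAT'.
count_rules() {
    gateway_rules | grep -v '^#' | grep -c -- "$1" || true
}

# A DNAT rule alone publishes nothing while FORWARD's policy is DROP: check that every
# --to-destination IP:PORT has a matching FORWARD ACCEPT line. Returns 0 when consistent.
dnat_forward_consistent() {
    rules=$(gateway_rules)
    targets=$(printf '%s\n' "$rules" | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1:\2/p')
    for t in $targets; do
        ip=${t%:*}; port=${t#*:}
        printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*-d $ip -p tcp --dport $port .*-j ACCEPT" || return 1
    done
}

gateway_rules
dnat_forward_consistent && echo "# check: every DNAT target has a FORWARD accept"
```

Review the printed commands, then run them on the gateway; the SNAT line is the one to swap for MASQUERADE when the external address is dynamic.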