iptables/netfilter network firewall implementation and practical analysis

Prerequisite knowledge

Firewall types and the chains they act on

iptables/netfilter publishes internal services (port forwarding) by rewriting addresses: DNAT in the nat table's PREROUTING chain changes the destination of an incoming packet before the routing decision, and SNAT in the POSTROUTING chain changes the source after it. Only the first packet of a connection traverses the nat table; the connection-tracking entry it creates translates the remaining packets and reverses the translation on replies, so a DNAT rule needs no matching SNAT rule for the return traffic as long as the replies route back through the firewall. Two things the rule itself does not provide are still required: IP forwarding must be enabled (net.ipv4.ip_forward = 1), and the filter table's FORWARD chain must accept the translated packets (it sees the post-DNAT destination).

Example:

# forward external access to 172.16.100.7:22022 to 192.168.20.12:22 on the internal network
iptables -t nat -A PREROUTING -d 172.16.100.7 -p tcp --dport 22022 -j DNAT --to-destination 192.168.20.12:22

iptables/netfilter practical walkthrough

Requirements analysis

Publish the lab's DNS server (zone jason.com) and its web service (tcp/8080) to a simulated external network through a two-interface firewall: external clients must reach both only via the firewall's external address, while internal clients reach the servers directly and receive internal addresses from DNS.

Architecture design

The topology, as implied by the configuration below: the firewall has eth0 172.16.251.236/16 on the internal side and eth1 3.3.3.1/24 on the simulated external side. On the internal network sit the DNS server 172.16.251.178 (authoritative for jason.com, with an internal and an external view), the web server 172.16.251.182 (httpd on port 8080) and an internal client 172.16.251.176 that uses the firewall as gateway and the DNS server as resolver. The external client 3.3.3.3 uses 3.3.3.1 as both gateway and resolver. www.jason.com resolves to 172.16.251.182 from inside and to 3.3.3.1 from outside, where the DNAT rules on the firewall publish the services.

Configuration and deployment

DNS server configuration

Network configuration

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
IPADDR=172.16.251.178
NETMASK=255.255.0.0
GATEWAY=172.16.251.236

DNS main configuration file: /etc/named.conf

# parts of named.conf that need changing
listen-on port 53 { 127.0.0.1; 172.16.251.178; };
allow-query { any; };
recursion no;
#zone "." IN {
#    type hint;
#    file "named.ca";
#};

The root hint zone is commented out here because, once views are used (next file), every zone must be declared inside a view; the hint zone is redeclared in the internal view. recursion no; is the right global default for a server the firewall exposes to the outside: it keeps the external side from being usable as an open resolver.

DNS secondary configuration file: /etc/named.rfc1912.zones

acl inter_net { 172.16.251.0/24; };

view inter_net {
    match-clients { inter_net; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "jason.com" IN {
        type master;
        file "jason.com.inter_net";
    };
};

view outer_net {
    match-clients { any; };
    zone "jason.com" IN {
        type master;
        file "jason.com.outer_net";
    };
};

Views are matched in order, so the internal acl must come first; any client outside 172.16.251.0/24, which includes every query arriving through the firewall's DNAT (DNAT rewrites the destination, not the source, so the external client's address is what named sees), falls into outer_net. Two points worth checking: the root hint zone in inter_net only does anything when recursion is enabled, and named.conf turns it off globally; to let internal clients resolve external names through this server, add recursion yes; inside view inter_net only, never in outer_net, which is reachable from outside and would become an open resolver. Zone transfers are not restricted anywhere in this configuration; add allow-transfer { none; }; (or the addresses of your secondaries) at least to outer_net.

Zone data files:

# vi /var/named/jason.com.inter_net
$TTL 1D
jason.com. IN SOA dns.jason.com. admin.jason.com. (
        2014032920  ; serial
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum
@       NS  dns
dns     A   172.16.251.178
www     A   172.16.251.182

# vi /var/named/jason.com.outer_net
$TTL 1D
jason.com. IN SOA dns.jason.com. admin.jason.com. (
        2014032920  ; serial
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum
@       NS  dns
dns     A   172.16.251.178
www     A   3.3.3.1

The only difference between the two files is the address of www: the external file answers with the firewall's external address, the one the DNAT rules publish. Note the trailing dot after admin.jason.com. in the SOA record; without it $ORIGIN is appended and the contact becomes admin.jason.com.jason.com.

Start the named service

The zone files must be readable by the named user; named-checkconf and named-checkzone catch syntax errors before the restart.

chown root:named jason.com.inter_net
chown root:named jason.com.outer_net
service named restart

Web server configuration

Configure a virtual host that listens on port 8080, create a simple test file test.html under its DocumentRoot with any content (for example "Hello Mageedu"), and start httpd.

Firewall configuration

Network configuration

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
IPADDR=172.16.251.236
NETMASK=255.255.0.0
GATEWAY=172.16.0.1

# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
BOOTPROTO="static"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
IPADDR=3.3.3.1
NETMASK=255.255.255.0
DNS1=3.3.3.1

Note: 3.3.3.1 and 3.3.3.3 are both simulated external addresses, so the NICs carrying them must be on the same segment, and that segment must not be the one the internal network uses. When testing in virtual machines, set the NIC carrying the internal address to bridged mode and the NIC carrying the external address to a custom network such as vmnet2.

Adding the iptables rules

iptables -t nat -A PREROUTING -d 3.3.3.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 172.16.251.178
iptables -t nat -A PREROUTING -d 3.3.3.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.16.251.182

Without a port in --to-destination the destination port is left unchanged, so udp/53 on 3.3.3.1 reaches the DNS server on 53 and tcp/8080 reaches the web server on 8080. Only UDP/53 is published; DNS over TCP (used for answers that do not fit in a UDP datagram, and for zone transfers) is not forwarded. The rules also rely on ip_forward being enabled and on the FORWARD chain accepting the translated traffic; with a default FORWARD policy of ACCEPT this happens implicitly.
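The two rules above, like the SSH example in the prerequisites section, show only the DNAT half of a port-publishing setup. The script below is an added example, not code from the original post: it generates the complete rule set for this lab in iptables-restore format (DNAT restricted to the external interface, FORWARD rules admitting the translated connections, and the conntrack rule for the reply direction) and loads it atomically. The interface names eth1 (external, 3.3.3.1) and eth0 (internal) come from the firewall's network configuration above; the subcommands show, apply and verify are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post): the full rule set a DNAT port-publishing
# firewall needs, generated in iptables-restore format so it can be loaded atomically.
set -eu

WAN_IF=${WAN_IF:-eth1}   # external side, holds 3.3.3.1 (from the firewall's ifcfg-eth1)
LAN_IF=${LAN_IF:-eth0}   # internal side, holds 172.16.251.236 (from ifcfg-eth0)

# Services to publish, one per line: public_ip proto public_port backend_ip backend_port
# (the two services from the post; the port is kept unchanged, as in the post's rules)
PUBLISHED='
3.3.3.1 udp 53   172.16.251.178 53
3.3.3.1 tcp 8080 172.16.251.182 8080
'

# Print the rule set to stdout.
ruleset() {
    printf '*nat\n'
    printf '%s\n' "$PUBLISHED" | while read -r pub proto pport be bport; do
        [ -n "$pub" ] || continue
        # -i $WAN_IF: translate only packets arriving from outside; internal clients
        # use the internal addresses directly (that is what the inter_net DNS view is for)
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $pub/32 -p $proto --dport $pport -j DNAT --to-destination $be:$bport"
    done
    printf 'COMMIT\n'

    printf '*filter\n'
    # Later packets of a tracked connection, including the replies, pass here;
    # conntrack reverses the DNAT on them, so no SNAT rule is needed for the return path.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$PUBLISHED" | while read -r pub proto pport be bport; do
        [ -n "$pub" ] || continue
        # FORWARD runs after PREROUTING, so it must match the backend address, not the public one
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $be/32 -p $proto --dport $bport -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Load the rules (needs root). --noflush appends to whatever is already loaded.
apply() {
    sysctl -q -w net.ipv4.ip_forward=1       # routing between eth1 and eth0 is off by default
    ruleset | iptables-restore --noflush
}

# Show what the kernel actually holds, in the same -S syntax, for comparison with ruleset.
verify() {
    sysctl net.ipv4.ip_forward
    iptables -t nat -S PREROUTING
    iptables -S FORWARD
}

case "${1:-}" in
    show)   ruleset ;;
    apply)  apply && verify ;;
    verify) verify ;;
esac
```

With a FORWARD policy of DROP these rules are the only paths through the firewall, which is the state you want on a box that publishes services; the post's two rules alone work only because FORWARD defaults to ACCEPT. The replies need no SNAT because every internal host here uses the firewall as its default gateway; if a backend routed its replies elsewhere, a POSTROUTING MASQUERADE rule towards that backend would be needed to pull them back through the firewall.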

Internal client configuration

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
IPADDR=172.16.251.176
NETMASK=255.255.255.0
GATEWAY=172.16.251.236
DNS1=172.16.251.178

# vi /etc/resolv.conf
nameserver 172.16.251.178

External client configuration

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
IPADDR=3.3.3.3
NETMASK=255.255.255.0
GATEWAY=3.3.3.1
DNS1=3.3.3.1

# vi /etc/resolv.conf
nameserver 3.3.3.1

DNS resolution test

HTTP access test
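For the two tests above, the script below is an added example (not from the original post) that turns the expected results from the two zone files into checks, to be run on the internal client (inside) or the external client (outside). It assumes dig and curl are installed, and adds two checks the post does not make: that the external view leaks no 172.16.x address, and that the resolver reachable from outside refuses recursion (example.com is used only as a probe name; any name the server is not authoritative for would do).

```shell
#!/bin/sh
# Added example (not from the original post): verify split-horizon DNS and the published
# web service from either side of the firewall. Expected addresses come from the two zone
# files; dig and curl are assumed to be installed on the client.
set -eu

DNS_IN=172.16.251.178   # DNS server address on the internal network
DNS_OUT=3.3.3.1         # firewall's external address; udp/53 is DNATed to DNS_IN
NAME=www.jason.com

# First A record for a name from a given resolver; empty on REFUSED or no answer.
resolve() {
    dig @"$1" "$2" A +short +time=2 +tries=1 2>/dev/null | head -n 1
}

# check_view <resolver> <expected_ip>: each view must hand out the address
# that is reachable from the client it serves.
check_view() {
    got=$(resolve "$1" "$NAME")
    [ "$got" = "$2" ]
}

# leaks_internal <resolver>: true if an internal (172.16.x) address comes back,
# which must never happen for the external view.
leaks_internal() {
    case "$(resolve "$1" "$NAME")" in
        172.16.*) return 0 ;;
        *)        return 1 ;;
    esac
}

# is_open_resolver <resolver>: a name the server is not authoritative for
# (example.com, used here only as a probe) must come back empty; an answer
# means recursion is enabled on the side the DNAT exposes to the outside.
is_open_resolver() {
    [ -n "$(resolve "$1" example.com)" ]
}

# check_http <host> <port>: fetch the test page created on the web server.
check_http() {
    curl -fsS --max-time 5 "http://$1:$2/test.html" | grep -q 'Hello Mageedu'
}

run_inside() {
    check_view "$DNS_IN" 172.16.251.182 &&
    check_http "$(resolve "$DNS_IN" "$NAME")" 8080
}

run_outside() {
    check_view "$DNS_OUT" 3.3.3.1 &&
    ! leaks_internal "$DNS_OUT" &&
    ! is_open_resolver "$DNS_OUT" &&
    check_http "$(resolve "$DNS_OUT" "$NAME")" 8080
}

case "${1:-}" in
    inside)  run_inside  && echo "internal checks passed" ;;
    outside) run_outside && echo "external checks passed" ;;
esac
```

Run it as sh check.sh inside on 172.16.251.176 and sh check.sh outside on 3.3.3.3. The external run fails, correctly, if the outer_net view ever answers with an internal address or if recursion gets enabled globally instead of inside view inter_net.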

All done!

Previous post: Basic usage of iptables rules

This article comes from the "小小忍者" blog; please keep this attribution.
