
IPTABLES and NAT



Presentation Transcript


  1. IPTABLES and NAT on Fedora Core 6 Speaker: Rex Wu Date: 2007.6.11

  2. Outline • Introduction • What is NAT • Private IP Address space • Iptables • NAT syntax • Example • Reference

  3. Introduction Explains what Iptables and NAT are, and uses the Iptables commands on Fedora Core 6 to actually set up NAT

  4. What is NAT? (1) • Full name: Network Address Translation • Function: allows multiple users to use Private IP Addresses and reach the Internet through a single Public IP Address • DNAT = Destination NAT, used to change the Destination IP Address • SNAT = Source NAT, used to change the Source IP Address

  5. What is NAT? (2) - diagram

  6. Private IP Address space The IANA has reserved the following blocks of the IP address space for private internets: • 10.0.0.0 - 10.255.255.255 • 172.16.0.0 - 172.31.255.255 • 192.168.0.0 - 192.168.255.255

  7. Iptables(1) - What is Netfilter/Iptables? • Netfilter is the framework in Linux 2.4 kernels that allows for firewalling and NAT. • Iptables is the userspace tool that works with the Netfilter framework • i.e. Netfilter is in the kernel space, Iptables is in the user space

  8. Iptables(2) - architecture diagram

  9. Iptables(3) - flow chart

  10. Iptables(4) - Syntax Syntax: iptables [-t table to operate on] [chain operation] [match rules] [target] Example: iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE Explanation: in the NAT table, add the following rule: packets whose source IP address is 192.168.1.0~192.168.1.255 and that are about to leave through the eth1 interface (i.e. output interface = eth1) are masqueraded

  11. Iptables(5) - Required setting for NAT ip_forward=1 Function: enables packet forwarding Method 1: echo "1" > /proc/sys/net/ipv4/ip_forward Method 2: edit the /etc/sysctl.conf configuration file as follows net.ipv4.ip_forward = 1

  12. Iptables(6) - Modules that must be loaded for NAT • ip_conntrack → IP connection tracking module • ip_conntrack_ftp → ftp tracking module • ip_nat_ftp → function: allows hosts on the private side to use the ftp service (if it is not loaded, an ftp server on the private side cannot be reached from the public side) Loading method: modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp

  13. Iptables(7) - Backup and restore • Save the settings of all tables in iptables to /etc/iptables.save ex: iptables-save > /etc/iptables.save • Save only the NAT table of iptables to /etc/iptables-nat.save ex: iptables-save -t nat > /etc/iptables-nat.save • Reload all iptables settings from the /etc/iptables.save configuration file ex: iptables-restore < /etc/iptables.save

  14. Iptables(8) - Auto loading • Use iptables-restore together with rc.local • Save the commands as a script and run it from rc.local
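Slide 13 saves the nat table with iptables-save, and slide 14 restores that file at boot. The same file format can be audited before it is restored. The following shell script is an added example and is not part of the presentation: it reads a constructed iptables-save snippet and flags DNAT rules that have no --dport and SNAT/MASQUERADE rules that have no -s, the two omissions that most widen what a NAT gateway exposes or translates.

```shell
#!/bin/sh
# Added example, not from the slides: check text in iptables-save format
# (what `iptables-save -t nat` writes) for two over-broad NAT rules.
# The rules below are a constructed sample, not a real saved configuration.

sample_rules() {
  cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}

# Reads rules on stdin, prints one line per finding and returns the number
# of findings as its exit status (0 means nothing was flagged).
audit_nat_rules() {
  findings=0
  while IFS= read -r line; do
    case "$line" in
      "-A PREROUTING "*"-j DNAT"*)
        case "$line" in
          *"--dport "*) ;;   # port-restricted, as on slide 17
          *) echo "DNAT without --dport (forwards every port): $line"
             findings=$((findings + 1)) ;;
        esac ;;
      "-A POSTROUTING "*"-j MASQUERADE"*|"-A POSTROUTING "*"-j SNAT"*)
        case "$line" in
          *" -s "*) ;;       # limited to a source subnet, as on slide 10
          *) echo "SNAT/MASQUERADE without -s (translates any source): $line"
             findings=$((findings + 1)) ;;
        esac ;;
    esac
  done
  return "$findings"
}

# Constructed sample run: two of the four rules are flagged.
sample_rules | audit_nat_rules || echo "findings: $?"
```

To check a real backup, replace the sample with `audit_nat_rules < /etc/iptables-nat.save`; a non-zero exit status means at least one rule should be tightened before iptables-restore loads it.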

  15. NAT syntax(1) - SNAT • Change source addresses to 1.2.3.4 ex: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 • Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 ex: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 • Change source addresses to 1.2.3.4, ports 1-1023 ex: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

  16. NAT syntax(2) - Masquerade is a specialized case of SNAT • Masquerade is a special case of SNAT; if the firewall's external interface uses a • Static IP Address, use SNAT • Dynamic IP Address, Masquerade is recommended • Masquerade everything out ppp0. ex: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE • Masquerade everything out eth1. ex: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

  17. NAT syntax(3) - DNAT • Change destination addresses to 5.6.7.8 ex: iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8 • Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. ex: iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 • Change destination addresses of web traffic to 5.6.7.8, port 8080 ex: iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
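The following shell script is an added example rather than the slides' own commands. It strings slides 10 through 13 and 16 through 17 together into functions: enable forwarding, load the conntrack modules, pick SNAT when a static public address is supplied and MASQUERADE otherwise, add a port-restricted DNAT, and save the result. The RFC 1918 check from slide 6 is applied to the LAN subnet and to every DNAT target. Interface names (eth0/eth1), the LAN subnet, the internal web server and the public address are constructed assumptions, and the FORWARD rules are an addition the slides do not show. With DRY_RUN=1 (the default) the script prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the slides: build the NAT gateway the slides
# describe as shell functions. Interface names, the LAN subnet and the
# addresses used below are constructed assumptions. With DRY_RUN=1 (the
# default) commands are printed instead of executed.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeeds only if $1 (an address, optionally with /prefix) lies in the
# RFC 1918 blocks listed on slide 6: 10/8, 172.16/12, 192.168/16.
is_private_ipv4() {
  addr="${1%%/*}"
  case "$addr" in *.*.*.*) ;; *) return 1 ;; esac      # at least four fields
  case "$addr" in *.*.*.*.*) return 1 ;; esac          # but not more
  o1="${addr%%.*}"; rest="${addr#*.}"; o2="${rest%%.*}"
  case "$o1" in
    10)  return 0 ;;
    172) if [ "$o2" -ge 16 ] 2>/dev/null && [ "$o2" -le 31 ]; then return 0; fi ;;
    192) if [ "$o2" -eq 168 ] 2>/dev/null; then return 0; fi ;;
  esac
  return 1
}

# nat_setup WAN_IF LAN_IF LAN_NET [PUBLIC_IP]
# Slides 10-12 and 16: SNAT with a static public IP, MASQUERADE without one.
nat_setup() {
  wan="$1"; lan="$2"; lan_net="$3"; public_ip="${4:-}"
  if ! is_private_ipv4 "$lan_net"; then
    echo "refusing: $lan_net is not an RFC 1918 subnet" >&2; return 1
  fi
  run sysctl -w net.ipv4.ip_forward=1                      # slide 11
  for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do     # slide 12
    run modprobe "$m"
  done
  if [ -n "$public_ip" ]; then
    run iptables -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j SNAT --to "$public_ip"
  else
    run iptables -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE
  fi
  # Not on the slides: forward only LAN-originated traffic and its replies.
  run iptables -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
  run iptables -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -P FORWARD DROP
}

# port_forward WAN_IF PROTO WAN_PORT INTERNAL_IP INTERNAL_PORT   (slide 17)
port_forward() {
  wan="$1"; proto="$2"; wport="$3"; iip="$4"; iport="$5"
  if ! is_private_ipv4 "$iip"; then
    echo "refusing: DNAT target $iip is not a private address" >&2; return 1
  fi
  run iptables -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$wport" -j DNAT --to "$iip:$iport"
  # FORWARD sees the packet after DNAT, so match the internal port only.
  run iptables -A FORWARD -i "$wan" -p "$proto" -d "$iip" --dport "$iport" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Slide 13: persist everything so rc.local can restore it (slide 14).
save_rules() {
  if [ "$DRY_RUN" = "1" ]; then echo "iptables-save > /etc/iptables.save"
  else iptables-save > /etc/iptables.save; fi
}

# Constructed invocation: WAN eth0 with a dynamic address, LAN eth1 on
# 192.168.1.0/24, internal web server 192.168.1.10:8080 published on port 80.
nat_setup eth0 eth1 192.168.1.0/24
port_forward eth0 tcp 80 192.168.1.10 8080
save_rules
```

Run it as root with DRY_RUN=0 to apply the rules; afterwards either call the script from rc.local or, as slide 14 suggests, restore the saved file with iptables-restore at boot. Passing a fourth argument to nat_setup switches from MASQUERADE to SNAT --to, matching the static/dynamic distinction on slide 16.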

  18. Example • Please refer to http://ms11.voip.edu.tw/~rex/FC6_nat.html

  19. Reference • Linux firewall and NAT host http://linux.vbird.org/linux_server/0250simple_firewall.php • Linux 2.4 NAT HOWTO http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html • Linux firewall introduction: related websites http://linux.tnc.edu.tw/techdoc/firewall/ref-url.html • Red Hat Enterprise Linux 4 Security Guide http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-zh_tw-4/index.html
