There are three tables (queues):
1. mangle table - responsible for altering the "qos" bits in the TCP header.
2. filter table - responsible for packet filtering.
2.a. INPUT chain: filters packets destined for the firewall itself.
2.b. OUTPUT chain: filters packets originating from the firewall itself.
2.c. FORWARD chain: filters packets passing through the firewall to the servers it protects.
3. nat table - responsible for network address translation.
3.a. PREROUTING chain: NATs packets whose destination address needs to be changed.
3.b. POSTROUTING chain: NATs packets whose source address needs to be changed.
#!/bin/sh
# nat.sh
# Flush all chains and delete all non-built-in chains first
# (nat-flush.sh is the second script below and must sit next to this one).
./nat-flush.sh
# eth0 is connected to the internet
# eth1 is connected to a private LAN
# Set up IP forwarding and masquerading
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

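Note that nat.sh accepts every forwarded packet in both directions, so once forwarding is on, any host on eth0 can reach the LAN behind eth1. As an added example (not part of the original post), the script below keeps the same interface names but sets the FORWARD policy to DROP, lets the LAN open new connections outward, and only forwards replies back in via conntrack; the `ipt` wrapper and the `apply` argument are additions so the generated rules can be reviewed before being installed.

```sh
#!/bin/sh
# nat-strict.sh (added example): stricter replacement for the FORWARD rules in nat.sh.
# Assumed interface names, as in the original script: eth0 = internet, eth1 = LAN.
WAN=eth0
LAN=eth1

# "./nat-strict.sh apply" installs the rules; any other invocation only prints
# the iptables commands so the ruleset can be checked first.
MODE=${1:-print}

ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

gateway_rules() {
    # Start from an empty FORWARD chain and POSTROUTING chain, but make the
    # default for forwarded traffic DROP instead of ACCEPT.
    ipt -t filter -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -P FORWARD DROP

    # Replies and related packets (ICMP errors, FTP data, ...) for connections
    # conntrack already knows about may pass in either direction.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections are only accepted from the LAN toward the internet.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # Everything else is logged (rate-limited) before the DROP policy discards it,
    # so unexpected inbound connection attempts are visible in the system log.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # Rewrite the source address of outbound LAN traffic to the eth0 address.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

gateway_rules
if [ "$MODE" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```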
#!/bin/sh
# nat-flush.sh
echo "Stopping firewall and allowing everyone..."
# Flush all rules in every chain (INPUT, OUTPUT, FORWARD, ...) of each table
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
# Delete all non-built-in (user-defined) chains in each table
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
# Reset the built-in filter chains to an accept-everything policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -Z       # Zero the packet and byte counters in all chains.
iptables -L -v    # List all rules in the chains, with counters.
Reject ping with the reply "Host Unreachable", logging each attempt:
1. chkconfig rsyslog on
2. service rsyslog restart
3. iptables -t filter -A INPUT -p icmp -j LOG
4. iptables -t filter -A INPUT -p icmp -j REJECT \
       --reject-with icmp-host-unreachable
5. tail -f /var/log/messages
6. chkconfig iptables on
7. service iptables save    # writes the rules to /etc/sysconfig/iptables