Firewall Configuration: Forwarding the vsftpd Service
1) Enable passive mode in the vsftpd service and pin the data-port range
[root@centos03 ~]# vim /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=24500
pasv_max_port=24600
2) Write the firewall forwarding rules (control connection on 20:21, passive data connections on the same 24500:24600 range configured above)
[root@centos01 ~]# iptables -I FORWARD -s 192.168.100.0/24 -p tcp --dport 20:21 -j ACCEPT
[root@centos01 ~]# iptables -I FORWARD -d 192.168.100.0/24 -p tcp --sport 20:21 -j ACCEPT
[root@centos01 ~]# iptables -A FORWARD -p tcp --dport 24500:24600 -j ACCEPT
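The passive-mode setup only works when the port range in vsftpd.conf and the range opened in the FORWARD chain agree; a drift between the two leaves data connections silently dropped. The following check is an added example (not part of the original page): it parses a vsftpd.conf body and `iptables-save` output, both constructed inline to mirror the values above, and reports whether the PASV range is fully covered by one ACCEPT rule.

```python
import re

# Constructed sample of /etc/vsftpd/vsftpd.conf, mirroring the values on this page
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=24500
pasv_max_port=24600
"""

# Constructed sample of `iptables-save` output for the FORWARD chain
IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.100.0/24 -p tcp -m tcp --dport 20:21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 24500:24600 -j ACCEPT
COMMIT
"""

def parse_pasv_range(conf_text):
    """Return (enabled, min_port, max_port) from a vsftpd.conf body."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    enabled = opts.get("pasv_enable", "NO").upper() == "YES"
    # vsftpd treats 0 as "any ephemeral port", which no fixed rule can cover
    return enabled, int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))

# Matches FORWARD ACCEPT rules with a single --dport or a lo:hi range
DPORT_RE = re.compile(r"^-A FORWARD .*--dport (\d+)(?::(\d+))? -j ACCEPT")

def accepted_forward_ranges(save_text):
    """Return the list of (lo, hi) TCP destination-port ranges ACCEPTed in FORWARD."""
    ranges = []
    for line in save_text.splitlines():
        m = DPORT_RE.match(line)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            ranges.append((lo, hi))
    return ranges

def pasv_range_is_forwarded(conf_text, save_text):
    """True only if PASV is enabled and its whole range sits inside one ACCEPT rule."""
    enabled, lo, hi = parse_pasv_range(conf_text)
    if not enabled or lo == 0 or hi < lo:
        return False
    return any(rlo <= lo and hi <= rhi for rlo, rhi in accepted_forward_ranges(save_text))
```

Run it against the real files with `open("/etc/vsftpd/vsftpd.conf").read()` and the output of `iptables-save` to confirm the two stay in step after either side is edited.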
Configure the firewall to allow inbound access to ports 80 and 22 and block all other TCP connections
1) Allow sshd access from the 192.168.100.0/24 intranet (the network that 192.168.100.10 belongs to)
[root@centos01 ~]# iptables -I INPUT -s 192.168.100.0/24 -p tcp -m multiport --dport 22 -j ACCEPT
2) Set the default INPUT policy to drop all other inbound connections
[root@centos01 ~]# iptables -P INPUT DROP
3) Allow access to the port 80 service on the firewall
[root@centos01 ~]# iptables -I INPUT -p tcp -m multiport --dport 80 -j ACCEPT
4) Accept replies belonging to established TCP connections, so that only unsolicited or forged packets (as seen in DDoS floods) are dropped by the default policy
[root@centos01 ~]# iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Add the corresponding forwarding rules
[root@centos01 ~]# iptables -I FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos01 ~]# iptables -I FORWARD -p tcp -m multiport --dport 80 -j ACCEPT
Verify access from an external network client
Application of SNAT and DNAT Strategies
Configure SNAT so the intranet shares one address to reach the Internet
1) Enable IP forwarding on the firewall
[root@centos01 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
2) Translate the source of 192.168.100.0/24 traffic leaving ens34 to that external card's address 192.168.179.138, so the intranet can reach the WAN
[root@centos01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens34 -j SNAT --to-source 192.168.179.138
3) View the SNAT translation rules
[root@centos01 ~]# iptables -t nat -L
Point the client at the public DNS server 8.8.8.8 and verify Internet access
Configure SNAT for a dynamically assigned external IP address (MASQUERADE)
[root@centos03 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens34 -j MASQUERADE
Verify by accessing an external site from an intranet client; the external site has no gateway configured, so it can only reply because the request arrives from the firewall's own address
Configure DNAT
1) Map port 80 of the internal server 192.168.100.20 to port 80 of the external address 192.168.200.10, for traffic entering through the external network card
[root@centos01 ~]# iptables -t nat -I PREROUTING -i ens34 -d 192.168.200.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.20
2) Map port 22 of the internal server 192.168.100.20 to port 1111 of the external address 192.168.200.10
[root@centos01 ~]# iptables -t nat -I PREROUTING -i ens34 -d 192.168.200.10 -p tcp --dport 1111 -j DNAT --to-destination 192.168.100.20:22