iptables: configure forwarding for the vsftpd service, configure SNAT and DNAT

Firewall Configuration: Forwarding the vsftpd Service
1) Turn on passive mode in the vsftpd service and pin the data-connection port range

[root@centos03 ~]# vim /etc/vsftpd/vsftpd.conf 
pasv_enable=YES
pasv_min_port=24500
pasv_max_port=24600

2) Write the firewall rules on the gateway (centos01)

[root@centos01 ~]# iptables -I FORWARD -s 192.168.100.0/24 -p tcp --dport 20:21 -j ACCEPT
[root@centos01 ~]# iptables -I FORWARD -d 192.168.100.0/24 -p tcp --sport 20:21 -j ACCEPT
[root@centos01 ~]# iptables -A FORWARD -p tcp --dport 24500:24600 -j ACCEPT

The first rule lets intranet clients open the control connection (port 21) and answer active-mode data connections from port 20; the second lets the server side of those same flows back in; the third opens the passive data range to any source. These rules are stateless: replies coming back from the passive range (server source port 24500-24600 to the client) match none of them, so passive transfers only work if the FORWARD policy is ACCEPT or a separate ESTABLISHED,RELATED rule exists.
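The same forwarding done statefully, as an added example that is not part of the original post: the nf_conntrack_ftp helper classifies the data connection (active or passive) as RELATED to the tracked control connection, so the passive range no longer has to be open to everyone. It assumes the post's topology (LAN clients on 192.168.100.0/24 behind the gateway centos01, passive range 24500-24600) and prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: stateful FTP forwarding through the
# gateway. Assumed topology as in the post: LAN clients on 192.168.100.0/24,
# vsftpd passive range 24500-24600. Dry-run (prints commands) unless APPLY=1.

LAN_NET="${LAN_NET:-192.168.100.0/24}"
PASV_MIN="${PASV_MIN:-24500}"
PASV_MAX="${PASV_MAX:-24600}"

# Print the rule in dry-run mode, execute it when APPLY=1 (needs root).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

ftp_forward_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        modprobe nf_conntrack_ftp   # parses PORT/PASV on the control channel
    fi
    # Kernels >= 4.7 no longer auto-assign helpers; attach it explicitly with the CT target.
    ipt -t raw -A PREROUTING -s "$LAN_NET" -p tcp --dport 21 -j CT --helper ftp
    # Control channel: new connections from the LAN to port 21 anywhere.
    ipt -A FORWARD -s "$LAN_NET" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Data channel (active or passive) is RELATED to the tracked control channel;
    # ESTABLISHED covers the replies in both directions, which the stateless rules omit.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Fallback when the helper is unavailable: the fixed passive range, LAN clients only.
    ipt -A FORWARD -s "$LAN_NET" -p tcp --dport "$PASV_MIN:$PASV_MAX" -m conntrack --ctstate NEW -j ACCEPT
}

ftp_forward_rules
```

With the helper attached, FTPS (encrypted control channel) cannot be parsed, so for FTPS the explicit passive-range rule is the only option.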

Configure the firewall to allow inbound access to ports 80 and 22 and block all other inbound connections

1) Allow SSH (sshd) from the 192.168.100.0/24 network

[root@centos01 ~]# iptables -I INPUT -s 192.168.100.0/24 -p tcp -m multiport --dport 22 -j ACCEPT

2) Drop all other inbound connections by default. The SSH rule above must exist before the policy is changed, or the remote session used to configure the host is cut off. A DROP policy also blocks loopback traffic unless an `-i lo -j ACCEPT` rule is added, which breaks local services that talk to 127.0.0.1.

[root@centos01 ~]# iptables -P INPUT DROP

3) Allow access to the web service (port 80) on the firewall host from anywhere

[root@centos01 ~]# iptables -I INPUT -p tcp -m multiport --dport 80 -j ACCEPT

4) Accept packets that belong to established or related connections, so replies to connections the host itself opened get through while unsolicited new connections still hit the DROP policy. This rule is what keeps the host usable under a DROP policy; it is not a defence against DDoS. `-m state` is the legacy name of the `conntrack` match (`-m conntrack --ctstate`). Because the rule is limited to `-p tcp`, UDP replies such as DNS answers are still dropped.

[root@centos01 ~]# iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Set the forwarding rules. They only act as a restriction if the FORWARD chain's policy is DROP as well; the post leaves it at the default ACCEPT.

[root@centos01 ~]# iptables -I FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos01 ~]# iptables -I FORWARD -p tcp -m multiport --dport 80 -j ACCEPT
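The INPUT and FORWARD rules from the four steps above applied in a lock-out-safe order, as an added example that is not part of the original post. It assumes centos01 is administered over SSH from 192.168.100.0/24 (as in the post) and prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: the host-firewall rules applied in
# an order that cannot lock the administrator out. Assumes centos01 is managed
# over SSH from 192.168.100.0/24. Dry-run (prints commands) unless APPLY=1.

ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

host_firewall_rules() {
    ipt -F INPUT
    ipt -F FORWARD
    # 1. Loopback first: a DROP policy without this breaks local services.
    ipt -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host opened, for every protocol (UDP DNS
    #    answers, ICMP errors), so the rule is deliberately not limited to -p tcp.
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. SSH only from the admin network, HTTP from anywhere; new connections only.
    ipt -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # 4. Forwarded traffic: return packets plus new HTTP through the gateway.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # 5. Only now flip the policies; the SSH session running this script stays
    #    up because it is already ESTABLISHED.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

host_firewall_rules
```

Run it with APPLY=1 from a session that will survive a mistake (a console or a detached `at now + 10 minutes iptables -P INPUT ACCEPT` rollback), and persist the result with `iptables-save` once it is verified.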

External Network Client Access Verification

Application of SNAT and DNAT Policies
Configure SNAT so the intranet shares one address to access the Internet

1) Turn on routing (IP forwarding) on the firewall. Editing the file alone does not change the running kernel; run `sysctl -p` afterwards to load it.

[root@centos01 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

2) Map 192.168.100.0/24 to 192.168.179.138, the address of the external NIC ens34, so the intranet can reach the WAN

[root@centos01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens34 -j SNAT --to-source 192.168.179.138

3) View the SNAT rules (add -n to skip reverse DNS lookups and -v to see packet counters)

[root@centos01 ~]# iptables -t nat -L

The client sets the public DNS server 8.8.8.8 and verifies Internet access

Configure SNAT for a dynamic external IP address (MASQUERADE)

MASQUERADE looks up the current address of the outgoing interface for every packet, so it is the right choice when ens34 gets its address by DHCP or PPPoE; with a fixed address the SNAT rule above is cheaper. Keep only one of the two rules for the subnet, since the first matching POSTROUTING rule wins. This is applied on the gateway (centos01), the same host that owns ens34:

[root@centos01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens34 -j MASQUERADE


Verify with an intranet client by accessing a site on the external network. The external site has no gateway (no route back to 192.168.100.0/24), so the connection only succeeds because the source address was translated to the firewall's external address.

Configure DNAT
1) Map port 80 of the internal server 192.168.100.20 to port 80 of the external address 192.168.200.10; requests enter through the external NIC ens34. DNAT rewrites the destination before routing, so the FORWARD chain must accept the translated packet (destination 192.168.100.20, port 80) if its policy is DROP, and the internal server's default gateway must be the firewall so replies pass back through the same connection-tracking entry.

[root@centos01 ~]# iptables -t nat -I PREROUTING  -i ens34 -d 192.168.200.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.20 


2) Map port 22 of the internal server 192.168.100.20 to port 1111 on the external address 192.168.200.10 (the target port changes, so it is given after the colon in --to-destination)

[root@centos01 ~]# iptables -t nat -I PREROUTING  -i ens34 -d 192.168.200.10 -p tcp --dport 1111 -j DNAT --to-destination 192.168.100.20:22
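The SNAT/MASQUERADE and DNAT rules of this section together with the FORWARD rules they depend on, as an added example that is not part of the original post. It assumes the post's addresses (LAN 192.168.100.0/24, WAN interface ens34, public address 192.168.200.10, internal server 192.168.100.20) and prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: outbound SNAT or MASQUERADE plus
# inbound DNAT with the matching FORWARD rules. Assumed addresses as in the post:
# LAN 192.168.100.0/24, WAN interface ens34, public address 192.168.200.10,
# internal web/SSH server 192.168.100.20. Dry-run (prints commands) unless APPLY=1.

LAN_NET="${LAN_NET:-192.168.100.0/24}"
WAN_IF="${WAN_IF:-ens34}"
PUBLIC_IP="${PUBLIC_IP:-192.168.200.10}"
WEB_SERVER="${WEB_SERVER:-192.168.100.20}"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# nat_rules STATIC_IP -> SNAT to that fixed address
# nat_rules ""        -> MASQUERADE (WAN_IF address looked up per packet; DHCP/PPPoE)
nat_rules() {
    static_ip="$1"
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null   # sysctl.conf alone does not apply it
    fi
    # Outbound: exactly one of SNAT or MASQUERADE for the LAN, never both.
    if [ -n "$static_ip" ]; then
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$static_ip"
    else
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    # Inbound: DNAT rewrites the destination before the routing decision...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 1111 -j DNAT --to-destination "$WEB_SERVER:22"
    # ...so FORWARD must match the translated (internal) address and port, not the public ones.
    ipt -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

nat_rules "${STATIC_WAN_IP:-}"
```

Check the result with `iptables -t nat -nvL` and `conntrack -L` (the conntrack-tools package) while a client connects: the entry shows the public address on the original side and 192.168.100.20 on the reply side, which is what lets the reply be un-translated without a rule of its own.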


Tags: iptables network firewall vsftpd

Posted on Fri, 05 Jun 2020 22:46:04 -0400 by cac_azure03