How to configure firewall rules in the NAT table on Linux

1. Check the current NAT settings
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

2. Clear the NAT table rules (flush rules, delete user-defined chains, zero the counters)
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat

3. Add firewall rules (drop packets arriving on eth0 from private address ranges)
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

Reject all connections to 211.101.46.235
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.235 -j DROP

Reject only FTP connections to 211.101.46.225
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.225 -j DROP

4. Drop packets with an INVALID connection-tracking state
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP

5. Allow established and related connections, then save the rules
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# /etc/rc.d/init.d/iptables save

6. Restart iptables
[root@tp ~]# service iptables restart
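The procedure above as a single script, an added example that is not from the original post: it renders the rules of steps 2 to 5 as iptables-restore input so they can be loaded atomically instead of one command at a time (the function names, the `-o eth0` match on the SNAT rule and the `APPLY` switch are my own additions). The anti-spoofing and state rules are placed in the filter table rather than the nat table, because the nat table is consulted only for the first packet of a connection and cannot filter the packets that follow.

```shell
#!/bin/sh
# Added example, not from the original post: build the ruleset of steps 2-5
# as iptables-restore input. Addresses and interface come from the post
# (eth0, 192.168.0.0/24 -> 211.101.46.235); anti-spoofing and state rules go
# in the filter table, which sees every packet, unlike the nat table.
set -eu
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PUBLIC_IP="${PUBLIC_IP:-211.101.46.235}"

# RFC 1918 ranges that must never arrive from the Internet-facing interface.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print a complete ruleset on stdout (pipe into `iptables-restore`).
build_ruleset() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Source-NAT the LAN behind the public address (the rule seen in step 1).
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
    printf '%s\n' 'COMMIT' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Step 3: spoofed private sources entering on the WAN interface.
    for net in $PRIVATE_NETS; do
        for chain in INPUT FORWARD; do
            printf '%s\n' "-A $chain -i $WAN_IF -s $net -j DROP"
        done
    done
    # Step 4: packets that belong to no tracked connection.
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "-A $chain -m state --state INVALID -j DROP"
    done
    # Step 5: replies and related flows (e.g. FTP data) of accepted connections.
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of anti-spoofing DROP rules in the generated ruleset.
count_spoof_rules() {
    build_ruleset | grep -c -e "-i $WAN_IF -s .* -j DROP"
}

# Print the ruleset for review by default; set APPLY=1 to load it (as root).
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Run it once without `APPLY` and compare the output with `iptables-save` before loading it, so a typo cannot cut off your own session.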

Linux

Posted by arkgame