How to configure firewall rules in the NAT table on Linux
1. Check the current NAT settings
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2. Clear the NAT firewall rules
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
3. Add firewall rules
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
Reject all connections to 211.101.46.235
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.235 -j DROP
Reject only FTP connections to 211.101.46.225
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.225 -j DROP
4. Drop invalid connections
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
5. Allow established and related connections
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# /etc/rc.d/init.d/iptables save
6. Restart iptables
[root@tp ~]# service iptables restart
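The steps above combined into one script, as an added example (not the page's own commands); it assumes eth0 is the Internet-facing interface and 192.168.0.0/24 is the LAN behind the SNAT rule from step 1, and it moves the anti-spoofing drops from nat PREROUTING into the filter table, which every packet traverses (the nat table is consulted only for the first packet of a connection and is not meant for filtering).

```shell
#!/bin/sh
# Added example, not from the original page: steps 2-5 above as one script.
# Set IPTABLES=dry_run to print the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # Internet-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # LAN behind the SNAT rule in step 1
PUBLIC_IP="${PUBLIC_IP:-211.101.46.235}" # public address from the step 1 listing
# RFC 1918 ranges that must never arrive on the Internet-facing interface
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
dry_run() { printf 'iptables %s\n' "$*"; }

# Step 2: clear the nat table (rules, user-defined chains, counters)
flush_nat() {
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    $IPTABLES -t nat -Z
}

# Step 3, moved to the filter table: the nat table is consulted only for the
# first packet of a connection and is not meant for filtering, so spoofed
# private sources are dropped in INPUT and FORWARD, where every packet is seen.
antispoof_rules() {
    ifc="$1"
    for net in $PRIVATE_NETS; do
        $IPTABLES -A INPUT   -i "$ifc" -s "$net" -j DROP
        $IPTABLES -A FORWARD -i "$ifc" -s "$net" -j DROP
    done
}

# Steps 4 and 5: drop INVALID, accept ESTABLISHED/RELATED, on all three chains
stateful_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m state --state INVALID -j DROP
        $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# SNAT rule equivalent to the step 1 listing (-o "$WAN_IF" is an added restriction)
snat_rule() {
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$PUBLIC_IP"
}
apply_ruleset() {
    flush_nat
    snat_rule
    antispoof_rules "$WAN_IF"
    stateful_rules
}
# Only apply when explicitly asked; sourcing the file just defines the functions
if [ "${APPLY_RULES:-0}" = 1 ]; then apply_ruleset; fi
```

Run `IPTABLES=dry_run APPLY_RULES=1 sh fw.sh` to review the generated rules before applying them as root with `APPLY_RULES=1`, then save and restart as in step 6.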