How to configure iptables for routing function in Linux

Time:2020-9-23

As a company's Internet router, the box has to provide NAT, DHCP, a caching DNS server, traffic control and application control. NAT is done directly with iptables; DHCP needs the dhcpd package; the DNS cache uses bind; traffic control uses tc; and application control (for example blocking QQ) uses the netfilter-layer7-v2.22 kernel/iptables patch together with the l7-protocols-2009-05-28.tar.gz pattern library.
1. Network planning
[Network topology diagram omitted]

The operating system is CentOS 5.8
 
2. Installing dhcpd

The code is as follows:

yum install dhcp-3.0.5-31.el5
# dhcp 3.0.5 on CentOS 5 reads /etc/dhcpd.conf (the /etc/dhcp/ directory is the EL6 layout)
vim /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.0.1;
    range dynamic-bootp 10.0.0.100 10.0.0.200;
    default-lease-time 21600;
    max-lease-time 43200;
}
# Bind dhcpd to the LAN interface only, so the Internet-facing side never hands out leases (/etc/sysconfig/dhcpd; substitute the LAN interface name)
DHCPDARGS=<lan interface>
service dhcpd start
chkconfig dhcpd on


3. Install bind to implement DNS cache

The code is as follows:

yum install bind97.i386 bind97-libs.i386 bind97-utils.i386
vim /etc/named.conf
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 10.0.0.1; };   // do not listen on the Internet-facing address
    allow-query { localhost; 10.0.0.0/24; };       // only the LAN may query at all
    allow-recursion { localhost; 10.0.0.0/24; };   // recursion for the LAN only: an open resolver is a DDoS amplifier
    recursion yes;
    forward first;                                 // ask the forwarders first, fall back to the root hints
    forwarders { 114.114.114.114; };               // upstream resolver address
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-transfer { none; };
};

Create the root hints file (the package default name is named.ca; dig needs a working upstream resolver in /etc/resolv.conf for this):

The code is as follows:

dig -t NS . > /var/named/named.ca
chown :named /var/named/named.ca

Create the forward zone file for localhost (the package default content is):

The code is as follows:

vim /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
; the NS and A lines must start with whitespace so they inherit the @ owner name
        NS      @
        A       127.0.0.1
chown :named /var/named/named.localhost

Create the reverse zone file for the loopback network (the package default content is):

The code is as follows:

vim /var/named/named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
; record lines without an owner name must start with whitespace
        NS      @
        A       127.0.0.1
        PTR     localhost.
chown :named /var/named/named.loopback

Check the main configuration file

The code is as follows:

named-checkconf

Check the root hints file

The code is as follows:

named-checkzone "." /var/named/named.ca

Check the zone file

The code is as follows:

named-checkzone "localhost" /var/named/named.localhost

Start service

The code is as follows:

service named start
chkconfig named on

4. Rebuild the kernel and iptables to support application-layer filtering
Because the firewall is implemented by the Netfilter kernel modules, the kernel has to be rebuilt: download a fresh kernel source tree and apply netfilter-layer7-v2.22 as a kernel patch before compiling. Netfilter is driven by the iptables tool, so iptables must also be rebuilt with the matching extension and reinstalled. Finally the application pattern library l7-protocols-2009-05-28.tar.gz is installed.

1. Patch the kernel and rebuild it
2. Patch the iptables source and rebuild iptables
3. Install l7-protocols

Backup iptables scripts and configuration files

The code is as follows:

cp /etc/rc.d/init.d/iptables /root/iptables.sysv
cp /etc/sysconfig/iptables-config /root/iptables-config

2.6 kernel download address

https://www.kernel.org/pub/linux/kernel/v2.6/

netfilter-layer7 patch download address

http://download.clearfoundation.com/l7-filter/

Iptables source download address

http://www.netfilter.org/projects/iptables/downloads.html

Download address of application signature Library

http://download.clearfoundation.com/l7-filter/

The code is as follows:

xz -d linux-2.6.28.10.tar.xz
tar -xvf linux-2.6.28.10.tar -C /usr/src              # new kernel source tree to rebuild from
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src   # kernel patch plus iptables extension; supports kernels up to 2.6.28 only
# Enter the source directory and create a symlink
cd /usr/src
ln -sv linux-2.6.28.10 linux
# Enter the kernel directory and apply the layer7 patch (the .patch file ships inside the netfilter-layer7-v2.22 directory; confirm its exact name with ls)
cd linux
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
# To simplify configuration, start from the running kernel's config
cp /boot/config-$(uname -r) .config

Compiling kernel

The code is as follows:

make menuconfig   # run inside /usr/src/linux
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support

Under Networking support, open Networking options, then Network packet filtering framework (Netfilter). In Core Netfilter Configuration select Netfilter connection tracking support (New), "layer7" match support (New), "time" match support (New) and "iprange" match support. In IP: Netfilter Configuration select IPv4 connection tracking support and Full NAT (New). Entries marked (New) are the ones the layer7 patch adds or that the copied config did not already enable.

The code is as follows:

make
make modules_install
make install

Reboot, choose the new kernel in the GRUB menu, and confirm with uname -r that 2.6.28.10 is running before continuing.

Uninstall old iptables

The code is as follows:

rpm -e iptables-1.3.5-9.1.el5 iptables-ipv6-1.3.5-9.1.el5 iptstate-1.4-2.el5 --nodeps

Install the new iptables to support the new Netfiler module

The code is as follows:

tar -jxvf iptables-1.4.6.tar.bz2 -C /usr/src
cd /usr/src/netfilter-layer7-v2.22
cd iptables-1.4.3forward-for-kernel-2.6.20forward
# drop the layer7 extension sources into the iptables extensions tree so they are built like the other matches
cp * /usr/src/iptables-1.4.6/extensions/
cd /usr/src/iptables-1.4.6/
./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install

Check the installed iptables files

The code is as follows:

ls /usr/sbin |grep iptables
ls /usr/libexec/xtables

Copy the previously backed up configuration files and scripts

The code is as follows:

cp /root/iptables-config /etc/sysconfig/
cp /root/iptables.sysv /etc/rc.d/init.d/iptables

Modify the path of iptables in the script

The code is as follows:

vim /etc/rc.d/init.d/iptables
:%s@/sbin/iptables@/usr/sbin/iptables@g
# replaces every /sbin/iptables (binary, iptables-save, iptables-restore) with the rebuilt /usr/sbin path; run it only once, a second pass would yield /usr/usr/sbin

Let iptables service start automatically

The code is as follows:

chkconfig --add iptables

Modify the iptables configuration file /etc/sysconfig/iptables-config. The stock EL5 file loads the old-style module name
IPTABLES_MODULES="ip_conntrack_netbios_ns"
which does not exist in the 2.6.28 kernel (nf_conntrack replaced ip_conntrack in 2.6.20), so either change it to the new name (provided NetBIOS name service protocol support was built as a module)
IPTABLES_MODULES="nf_conntrack_netbios_ns"
or leave the value empty; otherwise every service start logs a modprobe failure.

Install the protocol pattern library

The code is as follows:

tar xvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28
make install

After completion the pattern files are installed under /etc/l7-protocols.
The supported protocols are the .pat files in /etc/l7-protocols/protocols; the name passed to --l7proto is the file name without the .pat suffix (qq for qq.pat).
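Before writing any layer7 rules it is worth confirming that the three rebuilt pieces (kernel module, iptables extension, pattern library) actually line up on the running system, and that the init script edit took. The following check is an added example, not code from the original article; it assumes the install locations the article ends up with (modules under /lib/modules/<kernel>, the match plugin under /usr/libexec/xtables, the rebuilt binary in /usr/sbin, patterns under /etc/l7-protocols) and that qq.pat is the QQ pattern. The root prefix argument exists so the check can be pointed at a staging tree.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the layer7 stack after
# the kernel/iptables rebuild, before any -m layer7 rule is loaded.
# Assumed layout: /lib/modules/<kver>/kernel/net/netfilter/xt_layer7.ko,
# /usr/libexec/xtables/libxt_layer7.so, /usr/sbin/iptables, /etc/l7-protocols.

# check_layer7_install <root-prefix> <kernel-version>
# Prints one line per missing piece; returns 0 only when everything is present.
check_layer7_install() {
    root=${1%/}
    kver=$2
    missing=0
    for f in \
        "$root/lib/modules/$kver/kernel/net/netfilter/xt_layer7.ko" \
        "$root/usr/libexec/xtables/libxt_layer7.so" \
        "$root/usr/sbin/iptables" \
        "$root/etc/l7-protocols/protocols/qq.pat"
    do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            missing=1
        fi
    done
    # The init script must call the rebuilt binary, not the removed RPM one.
    if [ -e "$root/etc/rc.d/init.d/iptables" ] && \
       ! grep -q '/usr/sbin/iptables' "$root/etc/rc.d/init.d/iptables"; then
        echo "init script still points at /sbin/iptables"
        missing=1
    fi
    return $missing
}

# When run directly, check the live system for the kernel that is booted.
if check_layer7_install / "$(uname -r)"; then
    echo "layer7 stack looks complete for $(uname -r)"
fi
```

If the module file is present but `iptables -m layer7 --help` still fails, the kernel version string of the booted kernel and the one the modules were installed for differ; compare `uname -r` with the directory names under /lib/modules.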

Add the iptables policy: let the internal network out through NAT, and block QQ and HTTP video/audio

The code is as follows:

# Forwarding must be enabled or nothing passes the FORWARD chain at all (persist it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.6.67
# layer7 classifies a connection from its first packets, so these rules must come before any rule that ACCEPTs ESTABLISHED traffic
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto httpvideo -j DROP
iptables -A FORWARD -m layer7 --l7proto httpaudio -j DROP

No internet access from 8:00 to 12:00

The code is as follows:

# xt_time in this kernel/iptables version compares against UTC, not local time (the --kerneltz option only exists in later releases), so 08:00-12:00 Beijing time has to be written as 00:00-04:00
iptables -A FORWARD -m time --timestart 08:00 --timestop 12:00 -j DROP
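The individual rules above leave the default policies, the router's own services and the ordering between the layer7 matches and the connection-tracking accept unspecified, which is where a hand-typed ruleset usually goes wrong. The script below is an added example, not code from the original article; it assumes eth0 is the LAN interface (10.0.0.1/24), eth1 is the Internet interface carrying 192.168.6.67 (the SNAT address used above), and prints the commands in dry-run mode so the ruleset can be reviewed before it is applied with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the complete
# router ruleset for the setup above as one reviewable unit.  Assumptions:
# eth0 is the LAN side (10.0.0.1/24) and eth1 the Internet side carrying
# 192.168.6.67, the SNAT address the article uses.  With DRY_RUN=1 (the
# default) the commands are printed instead of executed.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/24}
WAN_IP=${WAN_IP:-192.168.6.67}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

# Emit (or apply) the whole ruleset in the order the matches require.
build_rules() {
    # Nothing is forwarded until this is on.
    run sysctl -w net.ipv4.ip_forward=1

    ipt -F
    ipt -t nat -F
    ipt -X

    # Default deny for the router itself and for forwarded traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Router services: loopback, replies, and LAN clients reaching
    # DHCP (67/udp), DNS (53) and SSH.  Nothing is opened on the WAN side.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    for proto in udp tcp; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport 53 -j ACCEPT
    done
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # layer7 classifies a connection from its first packets in both
    # directions, so these DROPs must sit before the ESTABLISHED accept
    # or they never see enough data to match.
    for l7 in qq httpvideo httpaudio; do
        ipt -A FORWARD -m layer7 --l7proto "$l7" -j DROP
    done
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # xt_time here compares against UTC: 08:00-12:00 Beijing time (UTC+8)
    # is 00:00-04:00 UTC.  New connections in the window are refused.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m time --timestart 00:00 --timestop 04:00 -j DROP

    # Only new connections from the LAN towards the Internet are allowed.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Source NAT only for traffic actually leaving on the WAN interface.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# Number of rules using the layer7 match: a quick sanity check on the output.
count_l7_rules() { build_rules | grep -c -- '-m layer7'; }

build_rules
```

Run it once with DRY_RUN=1, read the output top to bottom, then apply with `DRY_RUN=0 sh rules.sh` and persist with `service iptables save`. Binding the SNAT and the forwarding accept to the interfaces is what stops a host on the Internet side from being NATed or forwarded by accident; the page's single `-s 10.0.0.0/24` SNAT rule would also translate packets that happen to carry a spoofed LAN source.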

5. Using TC to control bandwidth
For example, the company's Internet link is 10 Mbit/s; user A is allowed at most 500 KB/s of download bandwidth and user B at most 200 KB/s.
User A's IP: 10.0.0.100
User B's IP: 10.0.0.101

The code is as follows:

# Create the root qdisc on eth0 using the HTB algorithm. "default 2" names the class that traffic not matched by any filter below falls into, so unlisted hosts share B's 200 KB/s class
tc qdisc add dev eth0 root handle 1:0 htb default 2
# Define a class on eth0. "parent 1:0" refers to the handle 1:0 of the root qdisc; "classid 1:2" identifies this class and is what the filters below point at. In tc, "kbps" means kilobytes per second (kilobits would be "kbit"), so rate 200kbps guarantees 200 KB/s and ceil 200kbps caps the class at 200 KB/s; prio 2 is the priority used when classes borrow from each other
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 200kbps ceil 200kbps prio 2
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 500kbps ceil 500kbps prio 2
# Replace the default pfifo leaf qdisc of both classes with SFQ so that flows inside one class share the class fairly
tc qdisc add dev eth0 parent 1:2 handle 20 sfq
tc qdisc add dev eth0 parent 1:3 handle 30 sfq
# Add u32 filters at node 1:0 (the root qdisc) on eth0 with priority 1: packets whose destination address is 10.0.0.100 go to class 1:2, those for 10.0.0.101 to class 1:3. This limits downloads only because eth0 is the LAN-facing interface: the packets addressed to the LAN hosts leave through it
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.100 flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.101 flowid 1:3

If there are other users, say C and D at 10.0.0.102 and 10.0.0.103, who also need 500 KB/s of download bandwidth, add filters that point them at the existing 1:3 class rather than creating new classes:

The code is as follows:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.102 flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.103 flowid 1:3
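Adding hosts by hand means remembering which class carries which limit. The script below builds the same HTB tree from a table of per-host limits, allocating one class per distinct limit so C and D automatically land in A's class. It is an added example, not code from the original article; it assumes eth0 is the LAN-facing interface, that limits are given in kilobytes per second (tc's "kbps"), takes the 10 Mbit/s link figure from the text as the cap for hosts not in the table, and prints the tc commands in dry-run mode (DRY_RUN=0 applies them).

```shell
#!/bin/sh
# Added example, not code from the original article: build the HTB tree
# above from a table of per-host limits, reusing one class per distinct
# limit so that C and D share A's 500 KB/s class instead of getting copies.
# Assumptions: eth0 is the LAN-facing interface (packets destined to the
# 10.0.0.x hosts leave through it, so shaping there limits their downloads);
# limits are in kilobytes per second, which tc spells "kbps" ("kbit" would
# be kilobits); the 10 Mbit/s link cap is taken from the article.  With
# DRY_RUN=1 (the default) the tc commands are printed instead of executed.

DEV=${DEV:-eth0}
LINK=${LINK:-10mbit}
DRY_RUN=${DRY_RUN:-1}

# Constructed sample table: "ip  kilobytes_per_second", one host per line.
USER_LIMITS="10.0.0.100 500
10.0.0.101 200
10.0.0.102 500
10.0.0.103 500"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Emit (or apply) the root qdisc, one class+sfq per distinct limit, and one
# u32 filter per host.  Classes are numbered 1:2, 1:3, ... in order of first
# appearance; 1:1 is the catch-all for hosts not in the table.
build_tc() {
    run tc qdisc del dev "$DEV" root 2>/dev/null || true   # start clean; harmless if nothing is there
    run tc qdisc add dev "$DEV" root handle 1:0 htb default 1
    # Unlisted hosts get the whole link but stay inside the tree, so a
    # forgotten host shows up in "tc -s class show" instead of being unshaped.
    run tc class add dev "$DEV" parent 1:0 classid 1:1 htb rate "$LINK" ceil "$LINK" prio 2
    run tc qdisc add dev "$DEV" parent 1:1 handle 10 sfq

    rates=""   # distinct limits seen so far, in class order
    next=2     # next free minor class number
    echo "$USER_LIMITS" | while read -r ip kbps; do
        [ -n "$ip" ] || continue
        id=""
        n=2
        for r in $rates; do
            if [ "$r" = "$kbps" ]; then id="1:$n"; fi
            n=$((n + 1))
        done
        if [ -z "$id" ]; then
            id="1:$next"
            rates="$rates $kbps"
            run tc class add dev "$DEV" parent 1:0 classid "$id" htb rate "${kbps}kbps" ceil "${kbps}kbps" prio 2
            run tc qdisc add dev "$DEV" parent "$id" handle "$((next * 10))" sfq
            next=$((next + 1))
        fi
        run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 match ip dst "$ip" flowid "$id"
    done
}

# Number of HTB classes the table produces: catch-all plus one per distinct limit.
class_count() { build_tc | grep -c 'tc class add'; }

build_tc
```

With the sample table this prints three classes (the catch-all, 500 KB/s as 1:2, 200 KB/s as 1:3) and four filters, two of which point at 1:2. Verify live behaviour with `tc -s class show dev eth0` while a host downloads: the byte counters of its class should move, and "dropped" should stay near zero unless the host is exceeding its ceil.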

Clear rules on eth0

The code is as follows:

tc qdisc del dev eth0 root 2> /dev/null