iptables is somewhat more complex compared with pf (BSD).
1) By default (filter table), the chain (flow) a packet passes through is as shown in the diagram below.
2) Commands
iptables -F ;# flush all rules
iptables -P INPUT DROP -t filter ;# default policy for INPUT is DROP in the filter table
iptables -L -t filter ;# list the rules in the filter table
iptables -t filter -A INPUT -s 192.168.117.57/32 -i eth0 -j ACCEPT ;# append to the INPUT chain of the filter table
iptables-save > rules.txt ;# can be redirected to a file (for restore)
iptables-restore < rules.txt
Example:
#!/bin/sh
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Permit DNS traffic (replies in, queries out)
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT ;# the original had --sport 53 here, which only permits packets leaving from port 53, not DNS queries
# Accept local-network return traffic for clients
iptables -A INPUT -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 192.168.9.0/24 -j ACCEPT
iptables -A OUTPUT -m state -p tcp --dport 1024:65535 ! --state INVALID -d 192.168.9.0/24 -j ACCEPT
# Accept local (192.168.9.0/24) SSH traffic
iptables -A INPUT -m state -p tcp --dport 22 ! --state INVALID -s 192.168.9.0/24 -j ACCEPT
iptables -A OUTPUT -m state -p tcp --sport 22 --state ESTABLISHED,RELATED -d 192.168.9.0/24 -j ACCEPT
The way rules are read differs from pf: once a rule on a given line matches, the rules below it are not read any further. This is the same as 'quick' in pf.
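Added example (not from the original post): a small Python model of how the INPUT chain of the script above is evaluated, so the first-match behaviour can be checked offline without touching a real firewall; the Rule, evaluate and pkt names are mine, and the packet summaries are constructed inputs. It also makes a weakness of the script visible: the stateless DNS rule accepts any UDP packet whose source port is 53, from any address and to any destination port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One filter-table rule; a None field is 'not specified' and matches anything."""
    target: str
    proto: Optional[str] = None          # -p
    src: Optional[str] = None            # -s CIDR
    sport: Optional[tuple] = None        # --sport lo:hi
    dport: Optional[tuple] = None        # --dport lo:hi
    state: Optional[frozenset] = None    # -m state --state ...
    invert_state: bool = False           # '! --state'

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        for attr in ("sport", "dport"):
            rng = getattr(self, attr)
            if rng is not None and not (rng[0] <= pkt[attr] <= rng[1]):
                return False
        if self.state is not None and (pkt["state"] in self.state) == self.invert_state:
            return False
        return True

def evaluate(chain, policy, pkt):
    """Walk the chain top-down: the first matching rule decides (like pf 'quick');
    if nothing matches, the chain's default policy applies."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None

# The INPUT chain of the sample script above, written as Rule objects (constructed here).
INPUT_CHAIN = [
    Rule("ACCEPT", proto="udp", sport=(53, 53)),
    Rule("ACCEPT", proto="tcp", src="192.168.9.0/24", dport=(1024, 65535),
         state=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", src="192.168.9.0/24", dport=(22, 22),
         state=frozenset({"INVALID"}), invert_state=True),
]
INPUT_POLICY = "DROP"

def pkt(proto, src, sport, dport, state="NEW"):
    """Build a constructed packet summary as conntrack would classify it."""
    return {"proto": proto, "src": src, "sport": sport, "dport": dport, "state": state}
```

For instance, evaluate(INPUT_CHAIN, INPUT_POLICY, pkt("tcp", "10.0.0.5", 40000, 22)) returns ("DROP", None) because no rule matched and the policy decided, while the same SSH packet from 192.168.9.10 returns ("ACCEPT", 2).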
3) NAT
iptables -t nat -A POSTROUTING -o <external-interface> -j MASQUERADE
4) Port forwarding
iptables -t nat -A PREROUTING -p tcp -i <external-interface> --dport <port-num> -j DNAT --to <int_ip>:<port>
Example 1:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to 192.168.9.35:22
Example 2:
iptables -t nat -A PREROUTING -i eth0 -j DNAT -d 202.1.1.4 --to 192.168.1.1
# any packet to 202.1.1.4 will be forwarded to 192.168.1.1 transparently (without the sender noticing)
5) iptables has 3 tables
- filter: has 3 chains
  - FORWARD
  - INPUT
  - OUTPUT
- nat: has 3 chains
  - PREROUTING
  - POSTROUTING
  - OUTPUT
- mangle (rarely used, you can just ignore it)
  - PREROUTING
  - POSTROUTING
  - OUTPUT
  - INPUT
  - FORWARD
Refer to the diagram for more detail.