
firewalld

One 、 Firewall Security Overview

firewalld supports both command-line and GUI configuration; compared with iptables, firewalld is more convenient to configure. The commands underneath are still iptables.

firewalld blocks all inbound traffic by default; outbound traffic from the inside is not blocked.

iptables allows everything by default.

Two 、 Firewall zone management

Zone       Default rule policy
trusted    Allow all packets in and out
home       Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services is allowed
internal   Same as the home zone
work       Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh, ipp-client and dhcpv6-client services is allowed
public     Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh and dhcpv6-client services is allowed
external   Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh service is allowed
dmz        Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh service is allowed
block      Reject incoming traffic unless it is related to outgoing traffic
drop       Reject incoming traffic unless it is related to outgoing traffic

Three frequently used zones:

trusted: whitelist
public:  default
drop:    blacklist

Three 、 Operating on firewall zones

Parameter                              Effect
zone                                   Zone commands
--get-default-zone                     Get the name of the default zone
--set-default-zone=<name>              Set the default zone (takes effect permanently)
--get-active-zones                     Show the zones currently in use and the interfaces bound to them
--get-zones                            Show all available zones
--get-zone=                            New zone (this option caused a problem in the lecture)
services                               Service-related commands
--get-services                         List all services that can be managed
--add-service=                         Allow the given service's traffic in the default zone
--remove-service=                      Stop allowing the given service's traffic in the default zone
Port                                   Port-related commands
--add-port=<port/protocol>             Allow the given port's traffic in the default zone
--remove-port=<port/protocol>          Stop allowing the given port's traffic in the default zone
Interface                              Network-interface-related commands
--add-interface=<interface name>       Direct all traffic from that interface to a specific zone
--change-interface=<interface name>    Associate an interface with a zone
Other commands
--list-all                             Show the interfaces, sources, ports and services configured in the current zone
--reload                               Make the permanent configuration take effect now, replacing the current runtime rules

The firewall's configuration files are located in /usr/lib/firewalld

[[email protected] /usr/lib/firewalld]# ll
total 16
drwxr-xr-x. 2 root root  224 Apr 30 20:39 helpers
drwxr-xr-x. 2 root root 4096 Apr 30 20:39 icmptypes
drwxr-xr-x. 2 root root   20 Apr 30 20:39 ipsets
drwxr-xr-x. 2 root root 8192 Apr 30 20:39 services
drwxr-xr-x. 2 root root   94 Apr 30 20:39 xmlschema
drwxr-xr-x. 2 root root  163 Apr 30 20:39 zones

Four 、 Firewall zone configuration policy

1. To manage the firewall with the firewalld service and its tools, the firewalld service must be started and the old firewall services shut down at the same time. Note that firewalld rules have two states:

runtime: the changed rules take effect immediately, but are lost as soon as the service restarts. Recommended for testing.
permanent: after changing the rules you need to reload the service for them to take effect. Recommended for production.

#  Temporary: takes effect immediately
[[email protected] ~]# firewall-cmd --add-port=80/tcp
success
#  Permanent: needs --reload before the firewall picks it up
[[email protected] ~]# firewall-cmd --permanent --add-port=80/tcp
success

Five 、 Disable firewall rules

#1.  Disable the old firewall services, or make sure they do not start
[[email protected] ~]# systemctl mask iptables
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
[[email protected] ~]# systemctl mask ip6tables
Created symlink from /etc/systemd/system/ip6tables.service to /dev/null.
#2.  Start the firewalld firewall and enable it at boot
[[email protected] ~]# systemctl start firewalld
[[email protected] ~]# systemctl enable firewalld
#3.  Undo the mask (allows the iptables service to be started again)
[[email protected] ~]# systemctl unmask iptables

Six 、firewalld Common commands

#  View the default zone
[[email protected] ~]# firewall-cmd --get-default-zone 
public
#  View the rules of the default zone
[[email protected] ~]# firewall-cmd --list-all
public (active) # zone name (state)
  target: default #  target: default
  icmp-block-inversion: no # ICMP block inversion
  interfaces: eth0 eth1 #  interfaces bound to the zone
  sources:  #  allowed source IPs
  services: dhcpv6-client http https    #  allowed services
  ports: 80/tcp #  allowed ports
  protocols:        #  allowed protocols
  masquerade: no     #  whether IP masquerading is on
  forward-ports:  #  port forwarding
  source-ports:  #  source ports
  icmp-blocks:        #  icmp blocks
  rich rules:  #  rich rules
	rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
#  View the rules for the specified area
[[email protected] ~]# firewall-cmd --list-all --zone=drop
drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
  
#  Query whether a service is allowed in a zone (can also be checked with --list-all)
[[email protected] services]# firewall-cmd --zone=public --query-service=ssh
yes
#  Add multiple services at once
[[email protected] /usr/lib/firewalld]# firewall-cmd --add-service={http,https}
success

Configuration example

Requirement: adjust the firewall so that the default zone rejects all traffic, but traffic whose source IP is in 10.0.0.0/24 is allowed

#  Remove everything that the public zone allows by default
[[email protected] ~]# firewall-cmd --remove-service={ssh,dhcpv6-client}
success
#  Put the allowed network segment in the trusted zone
[[email protected] services]# firewall-cmd --add-source=10.0.0.0/24 --zone=trusted 
success

Firewall policy for allowing traffic

1. firewalld: allow a service

#  First method: the service is defined by default, so it can be added directly this way.
[[email protected] ~]# firewall-cmd --add-service=ssh
success
#  Second method: if there is no service with that name, you need to write a service definition file
[[email protected] /usr/lib/firewalld/services]# cp mysql.xml nginx.xml
[[email protected] /usr/lib/firewalld/services]# vi nginx.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Nginx</short>
  <description>Nginx Server</description>
  <port protocol="tcp" port="80"/>
</service>
[[email protected] ~]# firewall-cmd --reload 
success
[[email protected] ~]# firewall-cmd --add-service=nginx
success
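As an added example that is not part of the original post, the helper below writes a service definition like the nginx.xml above after validating each port/protocol pair; the target directory and service name are its parameters (assumptions), and custom files should go in /etc/firewalld/services, which firewalld reads in preference to the vendor directory /usr/lib/firewalld/services.

```shell
#!/usr/bin/env bash
# Added example: generate a firewalld service definition file such as nginx.xml.
# The directory, name and description are parameters; nothing here is firewalld's own code.

# valid_port PORT  -- accepts a single port "80" or a range "8000-8010", each end in 1..65535
valid_port() {
  local p lo hi
  case "$1" in
    *-*) lo="${1%-*}"; hi="${1#*-}" ;;
    *)   lo="$1"; hi="$1" ;;
  esac
  for p in "$lo" "$hi"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ]
}

# write_fw_service DIR NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Writes DIR/NAME.xml. On a real host use /etc/firewalld/services as DIR: files there
# override /usr/lib/firewalld/services and are not touched by package updates.
write_fw_service() {
  local dir="$1" name="$2" desc="$3"; shift 3
  local spec port proto
  # the name becomes a file name and an XML value: allow only a safe character set
  case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
  [ "$#" -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
  # validate every pair before writing anything, so a bad argument leaves no half-written file
  for spec in "$@"; do
    port="${spec%/*}"; proto="${spec#*/}"
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad protocol in $spec" >&2; return 1 ;; esac
    valid_port "$port" || { echo "bad port in $spec" >&2; return 1; }
  done
  # escape XML metacharacters in the free-text description
  desc="$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')"
  {
    echo '<?xml version="1.0" encoding="utf-8"?>'
    echo '<service>'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>%s</description>\n' "$desc"
    for spec in "$@"; do
      printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    echo '</service>'
  } > "$dir/$name.xml"
}

# Usage on a host (as root), then reload so firewalld reads the new file:
#   write_fw_service /etc/firewalld/services nginx "Nginx Server" 80/tcp 443/tcp
#   firewall-cmd --reload && firewall-cmd --add-service=nginx
```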

2. firewalld: allow a port

[[email protected] ~]# firewall-cmd --add-port=443/tcp
success
[[email protected] ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client nginx
  ports: 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

3. firewalld: allow a network segment

#  Add the network segment to the whitelist
[[email protected] services]# firewall-cmd --add-source=10.0.0.0/24 --zone=trusted

Firewall port forwarding policy

Port forwarding is the traditional destination address mapping: resources on the intranet are reached from the Internet. The firewalld forwarding command format is:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<target port>:toaddr=<target IP address>
#1. Configure port forwarding
[[email protected] ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=172.16.1.8
success
[[email protected] ~]# firewall-cmd --reload
#2. Turn on IP masquerading
[[email protected] ~]# firewall-cmd --add-masquerade 
success
[[email protected] ~]# firewall-cmd --add-masquerade --permanent 
success
#3. Test access
[[email protected] ~]# ssh 10.0.0.7 -p5555
[email protected]'s password: 
Last login: Tue Jul  7 01:06:01 2020 from 172.16.1.7

When forwarding a port, the traffic may be blocked because of a packet format problem and no result is returned; in that case, turn on IP masquerading to solve it.

Complex firewall rules

Rich language rules in firewalld give more detailed firewall policy configuration: they can target system services, port numbers, source and destination addresses and many other attributes for more precise policies, and they have the highest priority of all firewall policies. The following is the rich language rule syntax from the firewalld help:

          rule
             [source]
             [destination]
             service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
             [log]
             [audit]
             [accept|reject|drop|mark]
            
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
accept | reject [type="reject type"] | drop

Commonly used rich rule commands

--add-rich-rule='<RULE>'        # Add a rich language rule to the specified zone
--remove-rich-rule='<RULE>'     # Delete a rich language rule from the specified zone
--query-rich-rule='<RULE>'      # Query the rule: returns yes if found, no otherwise
--list-rich-rules               # List all rich language rules in the specified zone

1. Example

Requirement: allow host 10.0.0.1 to access the http service, and allow 172.16.1.0/24 to access port 22

[[email protected] ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.1" service name="http" accept'
success
[[email protected] ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.16.1.0/24" port port=22 protocol=tcp accept'

2. Example

#  In the public zone, open the ssh server to everyone, but refuse hosts from the 172.16.1.0/24 segment.
firewall-cmd --add-rich-rule='rule family=ipv4 source address="172.16.1.0/24" port port="22" protocol="tcp" drop'
#  With firewalld, allow everyone to access http and https, but only 10.0.0.1 may access the ssh service.
[[email protected] /usr/lib/firewalld]# firewall-cmd --add-service={http,https}
success
[[email protected] /usr/lib/firewalld]# firewall-cmd --remove-service=ssh
success
[[email protected] /usr/lib/firewalld]# firewall-cmd --add-rich-rule='rule family=ipv4 source address="10.0.0.1/32" port port="22" protocol="tcp" accept'
success
#  3. When the user comes from IP address 10.0.0.1, forward the user's request on port 5555 to port 22 on the back end 172.16.1.7
#  (the test machine used .9, so the IP in the virtual machine was changed)
[[email protected] ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address="10.0.0.9/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"'

Firewall rule backup

Rules added permanently (--permanent) to the public zone are written to the backup file /etc/firewalld/zones/public.xml
# The firewall configuration is stored under the /etc/firewalld/zones/ directory, so when expanding servers in the future, or configuring the same firewall elsewhere, just copy the files in that directory
For backups, also back up the files in that directory

Sharing Internet access inside the firewall

1. Turn on IP masquerading

#  On the host that has an external network connection
#  Permanent: needs one --reload.
[[email protected] ~]# firewall-cmd --add-masquerade --permanent 
success
#  Takes effect immediately; after --reload the rule is cleared.
[[email protected] ~]# firewall-cmd --add-masquerade
success

2. Turn on kernel forwarding on the firewall (needs configuring on CentOS 6; not needed on CentOS 7)

[[email protected] ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# Configure kernel forwarding
[[email protected] ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# On CentOS 6 this command makes the setting take effect
[[email protected] ~]# sysctl -p
# Check whether kernel forwarding is on
[[email protected] ~]# sysctl -a|grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Note: 0 = off, 1 = on

3. Configure the gateway address on the machine without an external network

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
# Add the configuration
GATEWAY=172.16.1.7    # Firewall intranet address
DNS1=223.5.5.5
# Restart the NIC
[[email protected] ~]# ifdown eth1
[[email protected] ~]# ifup eth1

iptables firewall

One 、iptables firewall

1、 Application scenarios

1、 Host security
2、 Internal shared Internet access
3、 Port or IP mapping

2、iptables working mechanism

1、 Rules are matched from top to bottom
2、 Once a rule matches, no further rules are evaluated
3、 If no rule matches, the default policy applies
4、 The default policy is to allow everything
#  Note: put the rules you want to match first at the top.

Two 、 Four tables and five chains

#  Four tables
1.filter table
2.NAT table
3.mangle table
4.raw table
#  Five chains
1.PREROUTING
2.INPUT
3.FORWARD
4.OUTPUT
5.POSTROUTING

The two tables frequently used in production

1.filter table

# Mainly used to deny or allow access to the server
# Chains it contains:
1.INPUT: filters packets entering the host
2.FORWARD: forwards packets through the host
3.OUTPUT: filters packets leaving the host

2.NAT table

# Mainly used for port or IP forwarding
# Chains it contains
1.PREROUTING: when a packet arrives at the firewall, rewrite its destination address and port (port forwarding)
2.OUTPUT: filters packets leaving the host
3.POSTROUTING: when a packet leaves the firewall, rewrite its source address and port (internal shared Internet access)

Three 、 Install the iptables firewall

1. Stop the firewalld firewall

[[email protected] ~]# systemctl stop firewalld.service

2. Install iptables

[[email protected] ~]# yum install -y iptables-services

3. Load the kernel modules

[[email protected] ~]# modprobe ip_tables
[[email protected] ~]# modprobe iptable_filter
[[email protected] ~]# modprobe iptable_nat
[[email protected] ~]# modprobe ip_conntrack
[[email protected] ~]# modprobe ip_conntrack_ftp
[[email protected] ~]# modprobe ip_nat_ftp
[[email protected] ~]# modprobe ipt_state
# Check the loaded kernel modules
[[email protected] ~]# lsmod |egrep 'filter|nat'

4. Start iptables

[[email protected] ~]# systemctl start iptables.service

Four 、iptables Common parameters

(a) Chain management:
    -N: new, create a custom rule chain;
    -X: delete, delete a custom rule chain;
             Note: only user-defined, empty chains with a reference count of 0 can be deleted;
    -P: policy, set the default policy; for the chains in the filter table the default policies are:
           ACCEPT: accept
           DROP: discard
           REJECT: refuse
    -E: rename a custom chain; a custom chain whose reference count is not 0 can be neither renamed nor deleted;

(b) Rule management:
    -A: append;
    -I: insert at the given position; when the position is omitted, it means the first;
    -D: delete;
        (1)  by rule number;
        (2)  by specifying the rule itself;
    -R: replace, replace the specified rule on the specified chain;
    -F: flush, clear the rules of the specified chain;
    -Z: zero, reset the counters;
        iptables keeps two counters for each rule:
            (1)  the number of matched packets;
            (2)  the total size of all matched packets;
(c) View:
    -L: list, list all rules on the specified chain;
    -n: numeric, show addresses and port numbers in numeric form;
    -v: verbose, details;
        -vv, -vvv
    -x: exact, show the exact counter values;
    --line-numbers: show the rule numbers;

1. View the firewall (filter table by default)

[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

2. View the rules of a specified table

[[email protected] ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

3. Clear the firewall rules

[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -X
[[email protected] ~]# iptables -Z

4. Configure firewall rules

[[email protected] ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
iptables  # command
-t  # specify the table
filter  # the table
-A  # append
INPUT  # the chain
-p  # specify the protocol
tcp  # tcp protocol
--dport  # specify the destination port
22  # the port
-j  # specify the action
DROP # discard

5. Delete firewall rules

-D: delete;
(1)  by rule number;
(2)  by specifying the rule itself;
# View the firewall rules
[[email protected] ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:111
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10050
5    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:873
6    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
7    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# Delete the rule with the given number
[[email protected] ~]# iptables -D INPUT 7
[[email protected] ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:111
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10050
5    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:873
6    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# Delete by specifying the rule itself
[[email protected] ~]# iptables -D INPUT -p tcp --dport 443 -j DROP

Five 、 Firewall configuration examples

1. Deny access to a port

[[email protected] ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

2. Deny access from an IP

[[email protected] ~]# iptables -t filter -A INPUT -p tcp -s 10.0.0.61 -i eth0 -j DROP
-s # specify the source address
-i # specify the inbound interface
[[email protected] ~]# iptables -t filter -A INPUT -p tcp -s 10.0.0.61 -i eth0 -j REJECT

3. Deny access from an IP segment

[[email protected] ~]# iptables -t filter -A INPUT -p tcp -s 10.0.0.0/24 -i eth0 -j DROP

4. Allow only one IP to access

[[email protected] ~]# iptables -t filter -A INPUT -p tcp ! -s 10.0.0.61 -i eth0 -j DROP
! # negate the match

5. Allow only a range of ports

[[email protected] ~]# iptables -t filter -A INPUT -m multiport -p tcp --dport 22,23,24 -j ACCEPT
-m # load an extension module
multiport # multi-port match
[[email protected] ~]# iptables -t filter -A INPUT -m multiport -p tcp --dport 80:100 -j ACCEPT

Six 、 How to configure in an enterprise

1. Think before you configure

1. Which machines in the architecture need the firewall enabled
2. Which machines have a firewall deployed
Nginx
keepalived
3. Which ports the service must open
80
443
22
4. Everything else is rejected by default

2. Configure security rules

# Allow access to 80 and 443
[[email protected] ~]# iptables -t filter -I INPUT -m multiport -p tcp --dport 80,443 -j ACCEPT
# Only .61 may access port 22 of the web server
[[email protected] ~]# iptables -t filter -A INPUT -p tcp -s 172.16.1.61 --dport=22 -j ACCEPT
# Reject everything else: change the default policy to drop all
[[email protected] ~]# iptables -P INPUT DROP
-P # change the default policy

3. Typical configuration in an enterprise

iptables -F
iptables -X
iptables -Z
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -nL

Pitfall:

# After the configuration above, once the jump host has connected, never clear the rules, otherwise it can no longer connect;
# clearing the rules does not change `iptables -P INPUT DROP`, so the default is still to reject everything
# Solution: operate from the physical machine (console)
1. iptables -P INPUT ACCEPT
2. systemctl restart iptables
3. Restart the server
# Avoiding it:
1. Configure a scheduled task
* * * * * /usr/sbin/iptables -P INPUT ACCEPT
2. Prepare a test machine and configure it first, then configure the production environment
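As an added example (not from the original post), the script below builds the ruleset above as one iptables-restore file and loads it with a timed rollback, a safer alternative to the cron trick in the pitfall; the file paths under /run and the rollback window are assumptions, and unlike the list above it also accepts RELATED,ESTABLISHED traffic so that replies to connections the server itself opens are not dropped by the INPUT DROP policy.

```shell
#!/usr/bin/env bash
# Added example: generate the enterprise ruleset as an iptables-restore file and
# apply it with a timed rollback so that a mistake cannot lock you out.
# gen_ruleset only prints text and runs anywhere; apply_with_rollback needs root.
set -u

# gen_ruleset TCP_PORTS TRUSTED_NETS SSH_FROM
#   TCP_PORTS    comma-separated service ports, e.g. "80,443"
#   TRUSTED_NETS space-separated CIDRs allowed to reach everything, e.g. "10.0.0.0/24 172.16.1.0/24"
#   SSH_FROM     CIDR allowed to reach port 22, or "any"
# Output is in the /etc/sysconfig/iptables format shown in this post. The
# RELATED,ESTABLISHED rule is what keeps outbound traffic (yum, DNS) working
# once the INPUT policy is DROP; the rule list above does not have it.
gen_ruleset() {
  local ports="$1" nets="$2" ssh_from="$3" net
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  for net in $nets; do
    printf -- '-A INPUT -s %s -j ACCEPT\n' "$net"
  done
  printf -- '-A INPUT -p tcp -m multiport --dports %s -j ACCEPT\n' "$ports"
  if [ "$ssh_from" = any ]; then
    printf -- '-A INPUT -p tcp --dport 22 -j ACCEPT\n'
  else
    printf -- '-A INPUT -s %s -p tcp --dport 22 -j ACCEPT\n' "$ssh_from"
  fi
  echo COMMIT
}

# apply_with_rollback RULESET_FILE [SECONDS]
#   Saves the live rules, loads RULESET_FILE atomically, then restores the saved
#   rules after SECONDS (default 60) unless confirm_rules is run from a session
#   that still works. The timer ignores SIGHUP so it survives a dropped ssh session.
apply_with_rollback() {
  local file="$1" secs="${2:-60}"
  rm -f /run/iptables.confirmed
  iptables-save > /run/iptables.rollback || return 1
  iptables-restore < "$file" || return 1
  ( trap '' HUP
    sleep "$secs"
    [ -e /run/iptables.confirmed ] || iptables-restore < /run/iptables.rollback ) &
  echo "rules loaded; run confirm_rules within ${secs}s or they will be rolled back"
}
confirm_rules() { touch /run/iptables.confirmed; }

# Usage as root:
#   gen_ruleset "80,443" "10.0.0.0/24 172.16.1.0/24" "172.16.1.61" > /tmp/rules.v4
#   apply_with_rollback /tmp/rules.v4 90      # then open a NEW ssh session to check
#   confirm_rules && iptables-save > /etc/sysconfig/iptables
```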

Seven 、 Making firewall rules permanent

1. Default configuration file

[[email protected] ~]# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

2. Make your own firewall rules take effect permanently

[[email protected] ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Eight 、iptables Configure internal shared Internet access

1. Operate on the firewall machine

# Configure kernel forwarding
[[email protected] ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# On CentOS 6 this command makes the setting take effect
[[email protected] ~]# sysctl -p
# Check whether kernel forwarding is on
[[email protected] ~]# sysctl -a|grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# Configure internal shared Internet access
[[email protected] ~]# iptables -A FORWARD -i eth0 -s 172.16.1.0/24 -j ACCEPT
[[email protected] ~]# iptables -A FORWARD -i eth1 -s 10.0.0.0/24 -j ACCEPT
[[email protected] ~]# iptables -A FORWARD -o eth1 -s 10.0.0.0/24 -j ACCEPT
[[email protected] ~]# iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -j ACCEPT
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.7

2. Configure on the machine without an external network

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
# Add the configuration
GATEWAY=172.16.1.7    # Firewall intranet address
DNS1=223.5.5.5
# Restart the NIC
[[email protected] ~]# ifdown eth1
[[email protected] ~]# ifup eth1



QQ: 1402122292  Original author: sheldon (also known as Xiaodong)