Linux Firewall, NAT, traffic control, netem
iptables:
- Consists of tables and chains
- Tables more or less represent three different firewalls:
  - Filter: the normal FW for packets
  - NAT: the FW rules for packets that are under control of NAT
  - Mangle: the FW rules for packets that are under control of rules that can change packet data
- sudo iptables -L -v to see the rules (with packet/byte counters) for each of the three chains of the filter table; -t nat or -t mangle shows the other tables
- INPUT chain controls behavior for incoming connections (packets addressed to this host)
- FORWARD chain is used for incoming connections that do not involve this host (i.e., for packets that will be forwarded by this host/router)
- OUTPUT chain is used for outbound packets
- default config is to ACCEPT everything - very dangerous!!
  - iptables --policy INPUT DROP
  - iptables --policy OUTPUT DROP
  - iptables --policy FORWARD DROP
- Rule actions/responses (targets)
  - ACCEPT: allow
  - DROP: deny with no error sent
  - REJECT: deny and send an error (ICMP unreachable or TCP RST)
- Examples
  - To start/stop/restart:
    - sudo /etc/init.d/iptables start (or stop or restart)
  - To deny all connections from 192.168.56.102:
    - sudo iptables -A INPUT -s 192.168.56.102 -j DROP
  - To deny from the 192.168.56.0/24 network:
    - sudo iptables -A INPUT -s 192.168.56.0/24 -j DROP
  - To save the changes:
    - sudo iptables-save > <rules-file> (the file read at boot depends on the distribution)
  - To clear all rules:
    - sudo iptables -F (flushes the rules but leaves the chain policies in place; with a DROP policy this locks everything out)
- NAT
  - sudo sysctl net.ipv4.conf.all.forwarding=1
  - sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.2.15
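The notes above give the pieces one at a time (default-deny policies, a DROP for an untrusted source, SNAT for forwarded traffic). The script below is an added example, not part of the original notes: it puts those pieces together as one ruleset in iptables-restore format so the whole policy is applied atomically, and it adds the two things the bare notes omit that otherwise lock the administrator out: loopback and ESTABLISHED,RELATED must be allowed before the policies go to DROP, and with FORWARD set to DROP the SNAT rule passes nothing until FORWARD explicitly accepts LAN-to-WAN traffic. The values BLOCKED_NET, LAN_IF, WAN_IF, SNAT_IP and the save path /etc/iptables.rules are assumed placeholders taken from the notes' examples.

```shell
#!/bin/sh
# Added example (not from the original notes): build a default-deny
# iptables ruleset in iptables-restore format and apply it atomically.
# Placeholders (assumptions, adjust for the real host):
BLOCKED_NET="${BLOCKED_NET:-192.168.56.0/24}"   # network to deny, from the notes
LAN_IF="${LAN_IF:-eth1}"                        # inside interface (assumed)
WAN_IF="${WAN_IF:-eth0}"                        # outside interface, from the notes
SNAT_IP="${SNAT_IP:-10.0.2.15}"                 # public address, from the notes

# Emit the complete ruleset on stdout. Lines starting with '#' are
# comments to iptables-restore; the counters in [0:0] are reset to zero.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must stay open or local services (resolver, databases) break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful allow: replies to connections this host or the LAN opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Deny the untrusted network; log (rate-limited) before dropping so the
# drops are visible in the kernel log.
-A INPUT -s ${BLOCKED_NET} -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-SRC: "
-A INPUT -s ${BLOCKED_NET} -j DROP
# Admin access in, name resolution and HTTPS out for updates.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
# FORWARD is DROP by policy, so NAT only works for traffic allowed here.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -j SNAT --to-source ${SNAT_IP}
COMMIT
EOF
}

# Count ruleset lines matching a pattern; lets the policy be checked
# without root and without touching the running firewall.
rule_count() {
    build_rules | grep -c -- "$1"
}

case "${1:-}" in
    --apply)
        # Forwarding must be on for the FORWARD chain and SNAT to matter.
        sysctl -w net.ipv4.conf.all.forwarding=1
        # iptables-restore replaces the tables in one step; a failed
        # parse leaves the previous ruleset untouched.
        build_rules | iptables-restore
        # Persist; the path is a placeholder, distributions differ.
        iptables-save > /etc/iptables.rules
        ;;
    *)
        # Default: dry run, print the ruleset for review.
        build_rules
        ;;
esac
```

Run it with no arguments to review the generated ruleset, and with --apply as root to load it. Because the filter table's policies are DROP, the order matters only within the generated file, not between separate iptables invocations, which is the point of using iptables-restore instead of appending rules one by one.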
Further information on NAT
last updated: 4/2/2018