Firewall
Firewalld --- front-end tool (simple)
iptables ---- user-space tool
netfilter ---- kernel framework (the rules actually live here; firewalld and iptables are two different ways of managing the same netfilter rules, which is why only one of them should be running)
1. iptables
Four tables
filter (packet filtering: accept or drop)
nat (address translation)
mangle (packet modification and marking)
raw (connection-tracking exemption: its NOTRACK target marks packets that conntrack should ignore)
The five chains are
INPUT chain (inbound rules: packets addressed to this host)
OUTPUT chain (outbound rules: packets generated by this host)
FORWARD chain (forwarding rules: packets routed through this host)
PREROUTING chain (rules applied before the routing decision)
POSTROUTING chain (rules applied after the routing decision)

Stop firewalld, enable iptables
(both manage the same netfilter rules, so stop and disable firewalld first; otherwise the two services overwrite each other's rules)
[root@proxy ~]# systemctl stop firewalld
[root@proxy ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Syntax
iptables [-t table] option [chain] [match conditions] [-j target]
iptables -t filter -I INPUT -p icmp -j DROP    # block ping (this drops all ICMP, including the echo-replies to this host's own pings)
iptables -F    # flush rules (filter table only)
Notes and rules of thumb:
# the table may be omitted; the default is filter
# the chain may be omitted for -F/-L/-Z; the default is then every chain of the table in question
# rules are matched top to bottom and matching stops at the first hit; if no rule matches, the chain's default policy applies
# options, chain names and targets are upper case; everything else is lower case
[root@proxy ~]# iptables -t filter -A INPUT -p tcp -j ACCEPT    # -A appends as the last rule of the chain
[root@proxy ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
[root@proxy ~]# iptables -I INPUT -p udp -j ACCEPT    # -I inserts as the first rule
[root@proxy ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
[root@proxy ~]# iptables -I INPUT 2 -p icmp -j ACCEPT    # -I with a position number inserts at that position (default is 1)
[root@proxy ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
[root@proxy ~]# iptables -L INPUT --line-numbers    # show rule numbers (needed for -D and -I by position)
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT tcp -- anywhere anywhere
[root@proxy ~]# iptables -D INPUT 3    # delete rule 3 of INPUT; the remaining rules are renumbered, so list again before deleting another one by number
[root@proxy ~]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
[root@proxy ~]# iptables -F    # flushes the filter table only; the other tables have to be flushed explicitly
[root@proxy ~]# iptables -t nat -F
[root@proxy ~]# iptables -t mangle -F
[root@proxy ~]# iptables -t raw -F
Setting a chain's default policy (what happens when no rule matched)
[root@proxy ~]# iptables -t filter -P INPUT DROP    # set the INPUT policy to DROP. Done over SSH this cuts off your own session, because no rule ACCEPTs the SSH traffic first; fix it from the VM console
iptables -t filter -P INPUT ACCEPT    # set the INPUT policy back to ACCEPT
(The policy is not a rule: -F removes the rules but leaves the policy in place, so a DROP policy with an empty chain blocks everything.)
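The lock-out just described is avoidable. The script below is an added example (not code from the original notes) of applying a default-DROP INPUT policy safely: the ACCEPT rules and the policy are loaded together with iptables-restore, and a background timer reopens the chain if the session is lost anyway. The management network 192.168.4.0/24, the service ports 80 and 443, and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Build a host firewall whose INPUT policy is DROP without cutting off the SSH
# session that applies it. Assumed values (hypothetical): management network
# 192.168.4.0/24, SSH on 22, public services on TCP 80 and 443.
# The ruleset is emitted in iptables-save format and loaded with
# iptables-restore, which replaces the whole table in one atomic step, so there
# is no moment where the policy is already DROP but the ACCEPT rules are missing.

# gen_host_rules MGMT_CIDR PORTLIST  ->  prints the ruleset to stdout
gen_host_rules() {
    mgmt_net="$1"          # CIDR allowed to open SSH sessions
    svc_ports="$2"         # comma-separated TCP ports open to everyone
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services (resolvers, database sockets) depend on it
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (stray ACKs, malformed segments)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management: new SSH sessions only from the management network
-A INPUT -s ${mgmt_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# public services, one rule via multiport
-A INPUT -p tcp -m multiport --dports ${svc_ports} -m conntrack --ctstate NEW -j ACCEPT
# answer ping, rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log a sample of what is about to fall through to the DROP policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# arm_rollback SECONDS: background job that reopens INPUT after SECONDS unless
# disarm_rollback is called first. If the new rules lock you out, the host
# heals itself instead of needing a console visit.
arm_rollback() {
    ( sleep "${1:-90}" && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    ROLLBACK_PID=$!
}
# killing the subshell stops the chain before it reaches the iptables commands
disarm_rollback() { kill "$ROLLBACK_PID" 2>/dev/null; }

# apply_host_rules MGMT_CIDR PORTLIST: run as root on the target host
apply_host_rules() {
    arm_rollback 90
    gen_host_rules "$1" "$2" | iptables-restore
}

# Usage (as root):
#   apply_host_rules 192.168.4.0/24 80,443
#   open a second SSH session to confirm you still get in, then:
#   disarm_rollback
```

The order inside the generated chain matters for the same first-match reason the notes give: loopback and ESTABLISHED,RELATED come first so that every existing session keeps working, and only genuinely new connections are examined by the port rules.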
2. filter: packet filtering and forwarding control
Host-based firewall cases
1) iptables -I INPUT -p tcp --dport 80 -j REJECT    # refuse access to the web server
Test from web1
[root@web1 ~]# curl 192.168.4.5
curl: (7) Failed connect to 192.168.4.5:80; Connection refused
Flush the rules, then access it again
[root@proxy ~]# iptables -F
[root@web1 ~]# curl 192.168.4.5
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
2) iptables -I INPUT -s 192.168.4.100 -j REJECT    # refuse everything from one source IP (web1's address in this setup)
[root@web1 ~]# ping 192.168.4.5
PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.
From 192.168.4.5 icmp_seq=1 Destination Port Unreachable    # REJECT answers with ICMP port-unreachable by default; DROP would answer nothing
3) iptables -I INPUT -d 192.168.2.5 -p tcp --dport 80 -j REJECT    # restrict by destination address: proxy has two addresses, only the web port on 192.168.2.5 is closed
[root@web1 ~]# curl 192.168.2.5
curl: (7) Failed connect to 192.168.2.5:80; 拒绝连接
[root@web1 ~]# curl 192.168.4.5
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
4) iptables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT    # restrict by inbound interface (eth0 carries 192.168.4.5 here)
[root@web1 ~]# curl 192.168.4.5
curl: (7) Failed connect to 192.168.4.5:80; Connection refused
[root@web1 ~]# curl 192.168.2.5
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
Network-based firewall
On proxy, check whether routing (IP forwarding) is enabled
[root@proxy ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@proxy ~]# echo 1 > /proc/sys/net/ipv4/ip_forward    # takes effect immediately but is lost at reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) to make it permanent
[root@proxy ~]# cat /proc/sys/net/ipv4/ip_forward    # 1 = enabled
1
Now the 192.168.4.0/24 and 192.168.2.0/24 networks can ping each other through proxy.
iptables -I FORWARD -s 192.168.4.10 -p tcp --dport 80 -j REJECT    # refuse forwarded web traffic whose source address is 192.168.4.10
[root@client ~]# curl 192.168.4.5
curl: (7) Failed connect to 192.168.4.5:80; Connection refused
(Note: FORWARD only sees packets that are routed through proxy. 192.168.4.5 is proxy itself, so a request to it goes through INPUT, not FORWARD; to exercise the FORWARD rule, point curl at a host on the far side of proxy, e.g. one in 192.168.2.0/24.)
1) Block ping in both directions
[root@proxy ~]# iptables -F
[root@proxy ~]# iptables -I INPUT -p icmp -j DROP
[root@proxy ~]# ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100) 56(84) bytes of data.
[root@client ~]# ping 192.168.4.5
PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.
Result: neither side gets a reply. The rule drops all ICMP on INPUT, so proxy's own echo-requests go out but the echo-replies are dropped on the way back in.
2) Block other hosts from pinging this host, but allow this host to ping others
[root@proxy ~]# iptables -F
[root@proxy ~]# iptables -A INPUT -p icmp \
--icmp-type echo-request -j DROP    # drop only incoming echo-requests; incoming echo-replies still pass
[root@proxy ~]# ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100) 56(84) bytes of data.
64 bytes from 192.168.2.100: icmp_seq=1 ttl=64 time=0.256 ms
[root@client ~]# ping 192.168.4.5
PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.
From 192.168.4.5 icmp_seq=1 Destination Net Unreachable
(Note: with -j DROP the expected result is silence, i.e. ping simply times out; an ICMP unreachable message like the one above is what -j REJECT sends. If you see it, check which target the rule actually has.)
Firewall extension rules (match extensions)
Usage: iptables option chain -m module --module-specific-condition -j target
1. Block a host by MAC address
[root@proxy ~]# iptables -F
[root@proxy ~]# iptables -A INPUT -p tcp --dport 22 -m mac --mac-source 00:0c:29:4e:87:72 -j DROP
[root@client ~]# ssh 192.168.4.5    # connection fails
^C
(The mac match works only in PREROUTING, INPUT and FORWARD, and only for hosts on the same layer-2 segment: once a packet has crossed a router its source MAC is the router's. A MAC address is also trivial to spoof, so treat this as a convenience filter, not a security boundary.)
2. Open several TCP services in one rule
[root@proxy ~]# iptables -F
[root@proxy ~]# iptables -I INPUT -p tcp -m multiport --dports 22,25,80,110,200:300 -j ACCEPT
[root@proxy ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,80,110,200:300
3. Block by IP range
[root@proxy ~]# iptables -F
[root@proxy ~]# iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.4.10 -j DROP    # --src-range takes from-to, e.g. 192.168.4.10-192.168.4.20; a single address is the degenerate range
[root@proxy ~]# iptables -A INPUT -p tcp --dport 22 -s 192.168.4.0/24 -j ACCEPT
[root@proxy ~]# ssh 192.168.4.5    # from proxy itself: the source is 192.168.4.5, which misses the first rule and matches the second, so this works
The authenticity of host '192.168.4.5 (192.168.4.5)' can't be established.
ECDSA key fingerprint is SHA256:pxR58chfsqvcUOq2C3Y+Gassi/s5eGpY6HSLS1OeQ5U.
ECDSA key fingerprint is MD5:ba:57:42:1e:ab:19:47:60:ae:4c:a4:e1:bb:b5:dc:be.
Are you sure you want to continue connecting (yes/no)? yes
[root@client ~]# ssh 192.168.4.5    # client is 192.168.4.10: caught by the first rule, connection fails
^C
Configure SNAT for shared Internet access
Set up the inside/outside lab environment (proxy has 192.168.4.5 on the inside and 192.168.2.5 on the outside; the inside hosts use 192.168.4.5 as their default gateway, and ip_forward must be on, as in the previous section)
Configure the SNAT policy
[root@proxy ~]# iptables -F    # note: this flushes filter only; to clear nat use iptables -t nat -F
[root@proxy ~]# iptables -t nat -I POSTROUTING -s 192.168.4.0/24 -j SNAT --to-source 192.168.2.5    # rewrite the source of inside traffic leaving proxy to the outside address
Address masquerading
[root@proxy ~]# iptables -t nat -A POSTROUTING \
-s 192.168.4.0/24 -p tcp --dport 80 -j MASQUERADE    # MASQUERADE uses whatever address the outgoing interface currently has, so it also works when that address is dynamic (DHCP, PPPoE); SNAT is for a fixed address. As written this rule masquerades web traffic only.
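The network-firewall section and the SNAT section above both configure proxy as a router. The script below is an added example (not code from the original notes) that combines them into one stateful ruleset: forwarding is enabled persistently, FORWARD has a DROP policy with conntrack-based allows, the per-host web block from the notes is placed where first-match order requires, and the outside address is rewritten with SNAT or MASQUERADE. The interface names eth0/eth1, the addresses, the blocked host 192.168.4.10 and the function names are the example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: make the dual-homed proxy a
# stateful NAT router. Assumed (hypothetical) layout: inside network
# 192.168.4.0/24 on eth0, outside network on eth1 with address 192.168.2.5,
# inside hosts using proxy as their default gateway.

# Forwarding: the sysctl write works now, the sysctl.d file survives a reboot.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-router.conf
}

# gen_router_rules LAN_IF LAN_CIDR WAN_IF [WAN_IP]
# With WAN_IP the source is rewritten with SNAT (fixed outside address);
# without it MASQUERADE is used, which follows the interface's current address.
gen_router_rules() {
    lan_if="$1"; lan_net="$2"; wan_if="$3"; wan_ip="$4"
    blocked_host="${BLOCKED_HOST:-192.168.4.10}"   # inside host that may not browse
    if [ -n "$wan_ip" ]; then
        nat_rule="-A POSTROUTING -s ${lan_net} -o ${wan_if} -j SNAT --to-source ${wan_ip}"
    else
        nat_rule="-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE"
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# packets of flows already in the conntrack table, in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# per-host block: must come BEFORE the generic allow, because first match wins
-A FORWARD -i ${lan_if} -s ${blocked_host} -p tcp --dport 80 -j REJECT --reject-with tcp-reset
# new flows only from inside to outside; nothing may be initiated from outside
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${nat_rule}
COMMIT
EOF
}

# Apply on proxy as root; iptables-restore replaces both tables atomically.
apply_router() {
    enable_forwarding
    gen_router_rules eth0 192.168.4.0/24 eth1 192.168.2.5 | iptables-restore
}
```

Because FORWARD defaults to DROP, an outside host cannot open connections into the inside network even though routing is on; only return packets of flows the inside started are allowed back. The REJECT for the blocked host sits between the ESTABLISHED rule and the NEW rule: its SYN is a NEW packet, so if the generic NEW allow came first the block would never be reached.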
All iptables rules entered on the command line are temporary (lost at reboot)
Install iptables-services and start the service, then save the rules (permanent)
[root@proxy ~]# yum -y install iptables-services
[root@proxy ~]# systemctl start iptables.service    # the service loads /etc/sysconfig/iptables at start; firewalld must already be stopped
[root@proxy ~]# systemctl enable iptables.service
[root@proxy ~]# iptables -F    # careful: save writes whatever is loaded right now, so flushing first saves an empty ruleset
[root@proxy ~]# service iptables save    # save the current rules (equivalent to iptables-save > /etc/sysconfig/iptables)
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
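Once rules are persisted, the running rules and the saved file can silently diverge: a rule added with -I and never saved disappears at the next reboot, and a rule an intruder adds to keep a port open is not in the file either. The script below is an added example (not from the original notes) of a drift check between the two. The sample rule dumps are constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: detect drift between the rules
# loaded in the kernel and the file iptables.service restores at boot.
# The sample dumps below are constructed for this example.

# Remove what legitimately differs between two dumps of the same ruleset:
# the "# Generated by ..." / "# Completed ..." comments and the counters.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# rules_drift SAVED RUNNING  (both as iptables-save text)
# returns 0 when they match, 1 (and prints a unified diff) when they do not
rules_drift() {
    tmp_s=$(mktemp) && tmp_r=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_rules > "$tmp_s"
    printf '%s\n' "$2" | normalize_rules > "$tmp_r"
    rc=0
    diff -u "$tmp_s" "$tmp_r" || rc=1
    rm -f "$tmp_s" "$tmp_r"
    return $rc
}

# Live check on a CentOS 7 host with iptables-services installed (run as root)
check_live_rules() {
    rules_drift "$(cat /etc/sysconfig/iptables)" "$(iptables-save)"
}

# Constructed sample: what was saved with "service iptables save" ...
SAVED_RULES='# Generated by iptables-save v1.4.21 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.4.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024'

# ... the same ruleset as the kernel reports it later (only counters moved) ...
RUNNING_CLEAN='# Generated by iptables-save v1.4.21 on Tue Jan  2 09:00:00 2024
*filter
:INPUT DROP [8821:1204533]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9910:2211000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.4.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jan  2 09:00:00 2024'

# ... and a running ruleset where an extra open port was inserted at the top
RUNNING_TAMPERED='# Generated by iptables-save v1.4.21 on Tue Jan  2 09:00:00 2024
*filter
:INPUT DROP [8821:1204533]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9910:2211000]
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.4.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jan  2 09:00:00 2024'

# Usage: rules_drift "$SAVED_RULES" "$RUNNING_TAMPERED" prints the diff and
# returns 1; check_live_rules does the same against the real host.
```

Run check_live_rules from cron or a monitoring agent; a non-zero exit with the diff in the output is the alert. Comparing the normalized iptables-save text rather than `iptables -L` output avoids false positives from counters and from the name resolution that -L performs without -n.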