本文详细介绍了iptables防火墙的基础配置和高级应用,包括iptables的基本语法、常用命令、状态检测、多端口匹配、IP范围指定等。并通过具体案例展示了如何通过脚本设定规则、实现内网机器访问外网及端口映射等功能。
10.15 iptables filter表小案例
iptables扩展选项(了解)
其实匹配扩展中,还有需要加-m引用模块的显示扩展,默认是隐含扩展,不要使用-m。
状态检测的包过滤:
-
-m state --state {NEW,ESTATBLISHED,INVALID,RELATED} 指定检测那种状态
-
-m multiport 指定多端口号
--sport
--dport
--ports -
-m iprange 指定IP段
--src-range ip-ip
--dst-range ip-ip -
-m connlimit 连接限定
--comlimit-above # 限定大连接个数 -
-m limit 现在连接速率,也就是限定匹配数据包的个数
--limit 指定速率
--limit-burst # 峰值速率,最大限定 -
-m string 按字符串限定
--algo bm|kmp 指定算法bm或kmp
--string "STRING" 指定字符串本身
规则:放行指定端口
使用脚本设定规则:
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1501 116K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 240 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
301 37516 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 446 packets, 35731 bytes)
pkts bytes target prot opt in out source destination
[root@cham002 ~]# vi /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables" # 定义一个变量——iptables命令(定义变量时尽量使用绝对路径,避免环境变量的影响)
$ipt -F # 清空原有规则
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# 上面三行是定义其默认策略
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -m是指定检测状态,--state指定数据包状态(配合-m使用),该命令行的目的是使数据处理(通信
)更顺畅
$ipt -A INPUT -s 192.168.230.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
# 上面三行命令是指定放行的包的类型
[root@cham002 ~]# vim !$
vim /usr/local/sbin/iptables.sh
[root@cham002 ~]# w
16:38:06 up 2 days, 2:06, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 三15 25:20m 0.11s 0.11s -bash
root pts/0 192.168.230.1 16:25 6.00s 0.47s 0.36s w
[root@cham002 ~]# vim /usr/local/sbin/iptables.sh
[root@cham002 ~]# w
16:38:45 up 2 days, 2:07, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 三15 25:21m 0.11s 0.11s -bash
root pts/0 192.168.230.1 16:25 5.00s 0.11s 0.00s w
[root@cham002 ~]# ls
1.txt 2.txt anaconda-ks.cfg a.txt awk chamlinux grep sed
[root@cham002 ~]# sh /usr/local/sbin/iptables.sh
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28 1848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.230.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
33 2168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.230.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19 packets, 2708 bytes)
pkts bytes target prot opt in out source destination
[root@cham002 ~]# ls /usr/local/sbin/iptables.sh
/usr/local/sbin/iptables.sh
[root@cham002 ~]# ls /usr/local/sbin/
iptables.sh
[root@cham002 ~]# cat /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.230.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
注意: 脚本中指定的IP如果和本主机IP不同时不要在远程端口直接运行该脚本!!!!
icmp示例#################################################################################################
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28 1848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
[root@cham002 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
该规则的含义是:只允许本机访问外网,不允许外网访问本机!
[root@cham002 ~]# ping www.qq.com
PING www.qq.com (59.37.96.63) 56(84) bytes of data.
^C
--- www.qq.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
ping外网可以ping通,外网ping过来是Ping不通的!!
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 60 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
75 5260 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 25 packets, 3136 bytes)
pkts bytes target prot opt in out source destination
[root@cham002 ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP
10.16-10.18 iptables nat表应用
应用1
环境:
A(cham2)机器两块网卡ens33(192.168.230.135)、ens37(192.168.100.10),ens33可以上外网,ens37仅仅是内部网络,Bcham2(2)机器只有ens37(192.168.100.100),和A机器ens37可以通信互联。
准备工作:
- 准备两台虚拟机
- A机器添加一块网卡ens37,ens37的网络连接方式选择‘VLAN1’(内网交换机连接,该模式下Windows无法与该客户端连接),开机后并设定IP为192.168.100.1
- B机器关闭原有网卡连接,新增网卡ens37,开机后设定IP为192.168.100.100(网络连接模式选择VLAN1区段,并和A机器中的ens37网卡选择相同区段)
设置ens37的IP:
- 方法1:
直接在命令行使用ifconfig命令
[root@cham002 ~]# ifconfig ens37 192.168.100.10/24
[root@cham002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.230.135 netmask 255.255.255.0 broadcast 192.168.230.255
inet6 fe80::6f15:52d3:ebeb:e193 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b6:9f:e3 txqueuelen 1000 (Ethernet)
RX packets 118107 bytes 59389847 (56.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 120509 bytes 41188215 (39.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.230.150 netmask 255.255.255.0 broadcast 192.168.230.255
ether 00:0c:29:b6:9f:e3 txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.10 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:feb6:9fed prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b6:9f:ed txqueuelen 1000 (Ethernet)
RX packets 17 bytes 5814 (5.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 9472 (9.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 164 bytes 13656 (13.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 164 bytes 13656 (13.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
注: 该方法只是临时设定IP,重启后会丢失
- 方法2: 复制ens33的配置文件,然后在配置文件内进行设置!
需求:
-
需求1: 可以让B机器连接外网
- 步骤一:A机器打开路由转发
[root@cham002 ~]# cat /proc/sys/net/ipv4/ip_forward 0 [root@cham002 ~]# echo "1" > !$ echo "1" > /proc/sys/net/ipv4/ip_forward [root@cham002 ~]# cat /proc/sys/net/ipv4/ip_forward 1 - 步骤二:在A机器的nat表中增加一条规则
-
[root@cham002 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE [root@cham002 ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0说明: -o 选项后面跟设备名称,表示出口网卡,MASQUERADE是伪装、冒充的意思。
- 步骤三:为B设置网关为A机器ens37的IP:
- 然后使用ping命令检测,网络通畅!
注: 此时B机器可以连通外网,但是外网机器无法访问B机器,A机器的作用就类似于一个路由器!
- 步骤一:A机器打开路由转发
-
需求2: C机器只能和A通信,让C机器可以直接连通B机器的22端口(端口映射)
- 步骤一:A机器打开路由转发
[root@cham002 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward 该命令是更改内核设置,打开路由转发功能,默认值是0. - 步骤二:在A机器的nat表中增加2条规则(执行该步骤前先清除nat表原有规则)
[root@cham002 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE规则1: [root@cham002 ~]# iptables -t nat -A PREROUTING -d 192.168.230.135 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 规则2: [root@cham002 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.230.135 - 步骤三:为B设置网关为A机器ens37的IP:
-
[root@cham002 ~]# route add default gw 192.168.100.10finishi 打开xshell连接1122端口
10.19 iptables规则备份和恢复
备份(另存为)
命令:iptables-save
[root@cham002 ~]# iptables-save > /tmp/ipt.txt
恢复
[root@cham002 ~]# iptables-restore < /tmp/ipt.txt© 著作权
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
