10.15 iptables filter table example / 10.16/10.17/10.18 iptables nat table applications

10.15 iptables filter table: a small example

iptables extension options (for reference)

Match extensions come in two kinds. Implicit extensions are loaded automatically by -p (for example --dport after -p tcp) and need no -m; explicit extensions must be loaded with -m module before their options can be used.

Stateful packet filtering:

  • -m state --state {NEW,ESTABLISHED,INVALID,RELATED} select which connection-tracking states to match: NEW is the first packet of a connection, ESTABLISHED a packet of a connection already seen in both directions, RELATED a new connection tied to an existing one (FTP data, ICMP errors), INVALID a packet that fits no known connection (-m state is kept for compatibility; -m conntrack --ctstate takes the same names)

  • -m multiport match a list of ports
    --sports
    --dports
    --ports
    (comma-separated, up to 15 ports, ranges written a:b; without multiport, -p tcp --dport takes only a single port or a single range)

  • -m iprange match an arbitrary address range that is not a CIDR block
    --src-range ip-ip
    --dst-range ip-ip

  • -m connlimit limit parallel connections
    --connlimit-above # match when the source (per /32 address by default; --connlimit-mask changes the grouping) already has more than # connections; normally paired with -j REJECT or -j DROP

  • -m limit limit the rate at which the rule matches, i.e. how many packets per unit of time it lets through
    --limit rate, e.g. 3/second or 10/minute
    --limit-burst # initial burst allowed before the rate applies (default 5)

  • -m string match on the packet payload
    --algo bm|kmp search algorithm, Boyer-Moore or Knuth-Morris-Pratt
    --string "STRING" the string itself (payload matching is easily evaded by fragmentation or encoding, so treat it as a coarse filter, not as a security boundary)

Rule: allow only the specified ports

Set the rules with a script:

[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1501  116K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    3   240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  301 37516 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 446 packets, 35731 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[root@cham002 ~]# vi /usr/local/sbin/iptables.sh

#!/bin/bash
ipt="/usr/sbin/iptables"   # put the iptables command in a variable; use the absolute path so that $PATH cannot substitute another binary
$ipt -F                    # flush the existing rules (-F clears the chains of the filter table only; the policies and the nat table are untouched)
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# the three lines above set the default policies: anything not explicitly accepted on INPUT is dropped
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -m state loads the state match and --state names the connection states to accept; this lets the return traffic of
# existing connections (including the SSH session that runs the script) through
$ipt -A INPUT -s 192.168.230.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
# the three lines above allow new connections: ssh only from 192.168.230.0/24, http and ftp from anywhere

[root@cham002 ~]# vim !$
vim /usr/local/sbin/iptables.sh
[root@cham002 ~]# w
 16:38:06 up 2 days,  2:06,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      三15   25:20m  0.11s  0.11s -bash
root     pts/0    192.168.230.1    16:25    6.00s  0.47s  0.36s w
[root@cham002 ~]# vim /usr/local/sbin/iptables.sh
[root@cham002 ~]# w
 16:38:45 up 2 days,  2:07,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      三15   25:21m  0.11s  0.11s -bash
root     pts/0    192.168.230.1    16:25    5.00s  0.11s  0.00s w
[root@cham002 ~]# ls
1.txt  2.txt  anaconda-ks.cfg  a.txt  awk  chamlinux  grep  sed
[root@cham002 ~]# sh /usr/local/sbin/iptables.sh
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.230.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   33  2168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.230.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@cham002 ~]# ls /usr/local/sbin/iptables.sh 
/usr/local/sbin/iptables.sh
[root@cham002 ~]# ls /usr/local/sbin/
iptables.sh
[root@cham002 ~]# cat /usr/local/sbin/iptables.sh 
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT	
$ipt -A INPUT -s 192.168.230.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT  

Note: if your own session does not come from the range the script allows on port 22, do not run it from a remote session! The session that runs it normally survives, because its packets match the RELATED,ESTABLISHED rule, but the moment it drops you cannot reconnect except from the console. Check with w first: here the session on pts/0 comes from 192.168.230.1, inside 192.168.230.0/24, so running the script remotely is safe.
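As an added example (it is not the page's script and not the author's), here is a version of the same filter ruleset that uses the -m extension matches listed at the top of this section and refuses to apply itself when the SSH session running it would be locked out, which is the check the note above asks for. The admin range 192.168.230.0/24 is taken from the page; the jump-host range 10.8.0.10-10.8.0.20, the 80/443 web ports, the 3-connection limit on ssh and the ICMP rate are assumptions chosen for the example. By default the script only prints the commands; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not the page's script. Prints the ruleset by default;
# APPLY=1 executes it. The addresses and ports below are assumptions.
IPT=${IPT:-/usr/sbin/iptables}                   # absolute path, as in the page's script
ADMIN_NET=${ADMIN_NET:-192.168.230.0/24}         # assumed: where administrators ssh from
JUMP_RANGE=${JUMP_RANGE:-10.8.0.10-10.8.0.20}    # assumed: jump hosts, not a CIDR-aligned block

# Dotted quad -> 32-bit integer (POSIX sh: split with read, no arrays).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains IP NET/PREFIX: succeeds when IP lies inside the block.
cidr_contains() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Lock-out guard. sshd exports SSH_CLIENT="client_ip client_port server_port";
# on the console it is empty and there is no session to lose.
lockout_check() {
    set -- ${SSH_CLIENT:-}
    [ $# -eq 0 ] && return 0
    cidr_contains "$1" "$ADMIN_NET"
}

# The ruleset, one command per line. Order matters: the state checks first,
# the connlimit REJECT before the ssh ACCEPTs, the rate-limited ICMP ACCEPT
# before the ICMP DROP. The DROP policy is the implicit catch-all.
filter_rules() {
    cat <<EOF
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m iprange --src-range $JUMP_RANGE -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    lockout_check || { echo "refusing: SSH client ${SSH_CLIENT%% *} is outside $ADMIN_NET" >&2; exit 1; }
    filter_rules | sh -e
else
    filter_rules
fi
```

Run it once without APPLY to read the generated commands, then `APPLY=1 sh iptables.sh` from a session whose address is inside ADMIN_NET; from anywhere else it exits before touching the rules.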

ICMP example

[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
[root@cham002 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
This rule drops incoming ICMP echo requests (type 8): other hosts can no longer ping this machine, but the machine can still ping others, because its own requests leave through OUTPUT and the echo replies (type 0) that come back are accepted by the RELATED,ESTABLISHED rule. -I inserts at the top of INPUT, ahead of the existing "ACCEPT icmp" rule; appended with -A it would sit behind that rule and never match.
[root@cham002 ~]# ping www.qq.com
PING www.qq.com (59.37.96.63) 56(84) bytes of data.
^C
--- www.qq.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
Pinging out is not affected by the rule; pings from outside are dropped. (The 100% loss in the capture above is not this rule's doing: it matches only inbound type-8 packets, and its counter below shows a single packet while four requests went out; the capture does not show why the replies did not arrive.)

[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   75  5260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 25 packets, 3136 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@cham002 ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP
-D removes the rule whose specification matches exactly; alternatively, iptables -D INPUT <n> with the number shown by iptables -nL --line-numbers.

10.16-10.18 iptables nat table applications

Application 1

Environment:
Machine A (cham2) has two NICs, ens33 (192.168.230.135) and ens37 (192.168.100.10); ens33 can reach the outside, ens37 is only on the internal network. Machine B (cham2(2)) has only ens37 (192.168.100.100) and can talk to A's ens37.

Preparation:

  • prepare two virtual machines
  • add a second NIC, ens37, to machine A; set its network connection to 'VLAN1' (an internal switch segment; in this mode the Windows host cannot reach the guest), boot, and give it the IP 192.168.100.10
  • on machine B disconnect the original NIC and add ens37; boot and give it the IP 192.168.100.100 (network connection mode VLAN1, the same segment as A's ens37)

Setting the IP of ens37:

  • Method 1:
    use ifconfig directly on the command line
[root@cham002 ~]# ifconfig ens37 192.168.100.10/24
[root@cham002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.135  netmask 255.255.255.0  broadcast 192.168.230.255
        inet6 fe80::6f15:52d3:ebeb:e193  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)
        RX packets 118107  bytes 59389847 (56.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 120509  bytes 41188215 (39.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.150  netmask 255.255.255.0  broadcast 192.168.230.255
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:feb6:9fed  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:ed  txqueuelen 1000  (Ethernet)
        RX packets 17  bytes 5814 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57  bytes 9472 (9.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 164  bytes 13656 (13.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164  bytes 13656 (13.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note: this sets the IP temporarily only; it is lost at reboot.

  • Method 2: copy ens33's interface configuration file (on CentOS/RHEL: /etc/sysconfig/network-scripts/ifcfg-ens33 to ifcfg-ens37) and change the device name and address in the copy; this survives a reboot.

Requirements:

  • Requirement 1: let machine B reach the outside

    • Step one: enable IP forwarding on A
      [root@cham002 ~]# cat /proc/sys/net/ipv4/ip_forward
      0
      [root@cham002 ~]# echo "1" > !$
      echo "1" > /proc/sys/net/ipv4/ip_forward
      [root@cham002 ~]# cat /proc/sys/net/ipv4/ip_forward
      1
      (Writing to /proc changes the running kernel only; to keep the setting across reboots put net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p.)

    • Step two: add one rule to A's nat table
      [root@cham002 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
      [root@cham002 ~]# iptables -t nat -nvL
      Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         
      
      Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         
      
      Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         
      
      Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         
          0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0

      Explanation: -o names the outgoing interface. MASQUERADE rewrites the source address of packets from 192.168.100.0/24 that leave through ens33 to ens33's current address, so the outside sees A rather than B; conntrack translates the replies back. MASQUERADE looks the address up each time, which is what you want when ens33 gets its address by DHCP; with a fixed address, -j SNAT --to-source <address> does the same.

    • Step three: on B, set the default gateway to the IP of A's ens37 (192.168.100.10), e.g. route add default gw 192.168.100.10
    • then test with ping: the network is reachable.
      Note: B can now reach the outside, but outside hosts cannot reach B; A acts like a router (a NAT gateway).
  • Requirement 2: machine C can only talk to A; let C reach port 22 on B directly (port mapping)

  • Step one: enable IP forwarding on A
    [root@cham002 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
    This changes a kernel setting and turns on routing between A's interfaces; the default is 0.

  • Step two: add 2 rules to A's nat table (first remove the rule left over from requirement 1; rule 2 below takes its place)
    [root@cham002 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
    Rule 1 (destination NAT, in PREROUTING so that it runs before the routing decision):
    [root@cham002 ~]# iptables -t nat -A PREROUTING -d 192.168.230.135 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
    A packet that arrives for 192.168.230.135:1122 has its destination rewritten to 192.168.100.100:22 and is then routed out through ens37 to B. Conntrack remembers the mapping and undoes it on the replies, so C sees its SSH session as coming from 192.168.230.135:1122. Anyone who can reach 192.168.230.135 can use the mapping; add -s <C's address> to the rule if only C should.

    Rule 2 (source NAT for B's own traffic):
    [root@cham002 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.230.135
    Everything B sends out through A gets the source address 192.168.230.135, the fixed-address equivalent of the MASQUERADE rule from requirement 1. It is not needed for the port mapping itself (conntrack handles those replies), but without it B loses the outside access set up in requirement 1.

    Both rules only take effect if the filter table's FORWARD chain lets the packets through. If the stock CentOS ruleset is still loaded (see the REJECT line in the FORWARD chain of the listings in 10.15), the forwarded packets are refused until a matching ACCEPT is added to FORWARD; after running the script from 10.15 the FORWARD chain is empty with policy ACCEPT, so nothing blocks them.

  • Step three: on B, set the default gateway to the IP of A's ens37, so that B's replies to C go back through A:
  • [root@cham002 ~]# route add default gw 192.168.100.10
    (run on machine B; the prompt in the capture is A's)

    Done: open Xshell and connect to 192.168.230.135 on port 1122; the session lands on B's sshd.
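Requirements 1 and 2 together, as an added example that is not part of the original page: a script for machine A that turns on forwarding, masquerades the internal network (or SNATs it to a fixed address when WAN_IP is set), adds the DNAT port mapping and, unlike the commands above, also puts the matching rules into the filter table's FORWARD chain, because a stock CentOS ruleset rejects everything there. The interface names and addresses default to those of this page; the PORT_MAPS format (EXTPORT:INTERNAL_IP:INTERNAL_PORT) and the ALLOW_FROM restriction are assumptions made for the example. By default the script prints the commands; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not the page's commands): NAT gateway script for machine A.
# Defaults follow the page's lab; everything can be overridden from the environment.
IPT=${IPT:-/usr/sbin/iptables}
WAN_IF=${WAN_IF:-ens33}                            # interface with the route to the outside
LAN_IF=${LAN_IF:-ens37}                            # interface towards B
LAN_NET=${LAN_NET:-192.168.100.0/24}
WAN_IP=${WAN_IP:-}                                 # empty: MASQUERADE; set: SNAT to this fixed address
PORT_MAPS=${PORT_MAPS:-1122:192.168.100.100:22}    # assumed format: EXTPORT:INTERNAL_IP:INTERNAL_PORT, space-separated
ALLOW_FROM=${ALLOW_FROM:-}                         # optional: only this source may use the mappings (C's address)

# Source translation for internal traffic leaving through WAN_IF.
snat_rule() {
    if [ -n "$WAN_IP" ]; then
        echo "$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    else
        echo "$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    fi
}

# For each mapping: the DNAT rule and the FORWARD rule that lets the translated
# packets through. FORWARD runs after PREROUTING, so it matches on the internal
# destination and port, not on the external port.
dnat_rules() {
    src=''
    [ -n "$ALLOW_FROM" ] && src="-s $ALLOW_FROM "
    for map in $1; do
        IFS=: read -r ext host port <<EOF
$map
EOF
        echo "$IPT -t nat -A PREROUTING -i $WAN_IF ${src}-p tcp --dport $ext -j DNAT --to-destination $host:$port"
        echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF ${src}-p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Whole gateway: forwarding on (sysctl -w is the same as the page's echo into
# /proc and is likewise lost at reboot; persist it in /etc/sysctl.conf), nat
# table rebuilt, FORWARD chain rebuilt with a DROP policy so that only the
# internal network's outbound traffic and the mapped ports are forwarded.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPT -t nat -F
$IPT -F FORWARD
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
    snat_rule
    dnat_rules "$PORT_MAPS"
}

if [ "${APPLY:-0}" = 1 ]; then
    gateway_rules | sh -e
else
    gateway_rules
fi
```

`WAN_IP=192.168.230.135 ALLOW_FROM=192.168.230.1 sh nat-gateway.sh` prints the SNAT variant with the mapping restricted to one client; B still needs its default gateway pointed at 192.168.100.10 as in step three.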

10.19 Backing up and restoring iptables rules

Backup (save a copy)

Command: iptables-save (writes the rules of all tables to stdout, in the format that iptables-restore reads)

[root@cham002 ~]# iptables-save > /tmp/ipt.txt

Restore

[root@cham002 ~]# iptables-restore < /tmp/ipt.txt

iptables-restore replaces the loaded rules with the file's contents (iptables-restore -n keeps the existing rules and adds the file's). Keep a backup you want after a reboot somewhere other than /tmp; on CentOS/RHEL with the iptables-services package, service iptables save writes the rules to /etc/sysconfig/iptables, from where they are loaded at boot.
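The lock-out warning in 10.15 and the two commands above fit together: take a backup with iptables-save, check the new file, load it, and let a watchdog restore the backup unless the new rules are confirmed from a session that still works. The following script is an added example, not the page's; it assumes the standard paths of iptables-save and iptables-restore (overridable through IPT_SAVE and IPT_RESTORE), and its sanity check (every *table block closed by COMMIT, and an ssh ACCEPT present whenever the filter table's INPUT policy is DROP) is a rule of thumb chosen for this example.

```shell
#!/bin/sh
# Added example, not from the page. Backup, check, load, automatic rollback.
# Usage: b=$(sh ipt-safe.sh apply new.rules 60); then, from a session that
# still works: sh ipt-safe.sh confirm "$b". Otherwise the backup is restored
# after 60 seconds.

# Sanity-check a file in iptables-save format before loading it:
#  - every "*table" block must be closed by "COMMIT" (a truncated file would
#    otherwise be rejected halfway through, or loaded partially);
#  - if the filter table's INPUT policy is DROP there must be an ssh ACCEPT
#    (heuristic assumed for this example: a "--dport 22 ... -j ACCEPT" rule).
# Returns 0 = ok, 1 = malformed, 2 = would lock ssh out.
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; table = substr($0, 2); next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        table == "filter" && /^:INPUT DROP/ { drop = 1 }
        table == "filter" && /^-A INPUT .*--dport 22 .*-j ACCEPT/ { ssh = 1 }
        END { if (bad || open) exit 1; if (drop && !ssh) exit 2; exit 0 }
    ' "$1"
}

# Save the live rules, load the new file, arm a watchdog that restores the
# backup unless confirm_rules is called within $2 seconds. Prints the backup
# path so that the caller can confirm later.
apply_with_rollback() {
    new=$1; timeout=${2:-60}
    save=${IPT_SAVE:-/usr/sbin/iptables-save}
    restore=${IPT_RESTORE:-/usr/sbin/iptables-restore}
    backup=$(mktemp "${TMPDIR:-/tmp}/ipt-backup.XXXXXX") || return 1
    "$save" > "$backup" || return 1
    check_ruleset "$new" || { echo "refusing to load $new (check_ruleset returned $?)" >&2; return 2; }
    "$restore" < "$new" || { "$restore" < "$backup"; return 3; }
    # The watchdog ignores SIGHUP: if the new rules cut the ssh session, the
    # shell receives a hangup and the rollback must survive it. Its stdio is
    # detached so that a caller's command substitution does not wait for it.
    ( trap '' HUP; sleep "$timeout"; [ -e "$backup.keep" ] || "$restore" < "$backup" ) >/dev/null 2>&1 &
    echo "$backup"
}

# Mark the backup as no longer needed; the watchdog then does nothing.
confirm_rules() { touch "$1.keep"; }

case ${1:-} in
    apply)   apply_with_rollback "$2" "${3:-60}" ;;
    confirm) confirm_rules "$2" ;;
esac
```

The check is deliberately narrow: it catches a truncated save file and the one mistake this page warns about, a DROP policy without an ssh rule. Anything subtler (the ssh rule limited to the wrong subnet, for instance) is what the timed rollback is for.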
