Network firewall and NAT forwarding
When a host acts as a network firewall, packets from the outside pass through three chains before they reach the local network: PREROUTING, FORWARD and POSTROUTING, but the only chain that can filter them is the FORWARD chain of the filter table. Kernel IP forwarding must also be switched on. Host firewalling is not involved here: the INPUT and OUTPUT chains can be left alone and only the FORWARD chain is configured.
Topology diagram:
Saved as: iptables.zip
Prerequisites: the three virtual machines run on one physical machine. The 192.168.22.0 network is a virtual network, not a physical one; the 172 and 10 networks are physical. 6-10 and 7-30 are attached to the 10 network only to make downloading rpm packages convenient; it plays no part in this experiment. The host in the middle, 7-20, plays the firewall; 7-30 plays some other host on the Internet; 6-10 plays a host inside the LAN. As stated above, all the networks can reach each other.
Flush the firewall rules on all three virtual machines, otherwise things go wrong.
centos6:
#iptables -F
centos7:
#systemctl stop firewalld
#iptables -F
On host 6-10: 172.18.19.20 can be pinged even while forwarding is still off on 7-20. The gateway of 6-10 is 192.168.22.1, so anything that is not a local IP is sent to the gateway, and the gateway sees that the 172 address being pinged is its own IP and replies directly.
[root@localhost ~]#ping 172.18.19.20
PING 172.18.19.20 (172.18.19.20) 56(84) bytes of data.
64 bytes from 172.18.19.20: icmp_seq=1 ttl=64 time=0.471 ms
tcpdump can be used to capture packets and test this: when 6-10 pings 172.18.19.30 and tcpdump captures on the eno33 interface of 7-20, the ping packets are seen; capturing on eno16 shows that no packets pass through.
On host 7-20:
[root@localhost ~]#tcpdump -i eno33554984 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554984, link-type EN10MB (Ethernet), capture size 65535 bytes
12:53:13.322056 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 54048, seq 69, length 64
12:53:14.322253 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 54048, seq 70, length 64
[root@localhost ~]#tcpdump -i eno16777736 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
(no packets)
On host 7-20: switch on IP forwarding
[root@localhost ~]#echo 1 > /proc/sys/net/ipv4/ip_forward
On host 6-10:
[root@localhost ~]#ping 172.18.19.30
On host 7-20:
[root@localhost ~]#tcpdump -i eno33554984 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554984, link-type EN10MB (Ethernet), capture size 65535 bytes
13:05:16.180902 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 64288, seq 201, length 64
13:05:17.180306 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 64288, seq 202, length 64
[root@localhost ~]#!tc
tcpdump -i eno16777736 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
13:03:17.153331 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 64288, seq 82, length 64
On host 7-30:
[root@localhost ~]#tcpdump -i eno16777736 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
13:09:52.242687 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 64288, seq 477, length 64
13:09:52.242932 IP 172.18.19.30 > 192.168.22.2: ICMP echo reply, id 64288, seq 477, length 64
Because the ping packet does not come from the 172 subnet, host 7-30 sends the reply to its gateway 172.18.19.1. So here the gateway of 172.18.18.30 is set to 172.18.19.20.
On host 7-30:
[root@localhost ~]#route del -net 0.0.0.0 gw 172.18.19.1
[root@localhost ~]#route add default gw 172.18.19.20
Now host 6-10 gets replies.
Install and start httpd on host 6-10; it can be reached from host 7-30.
Install and start httpd on host 7-30; it can be reached from host 6-10.
Add a rule to the FORWARD chain to act as the default policy (instead of changing the chain policy), so that flushing the rule list does not leave the firewall unable to work.
[root@localhost ~]#iptables -A FORWARD -j DROP
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now neither the inside nor the outside can reach the website; everything is dropped by the firewall.
Let the LAN access any web service on the Internet.
[root@localhost ~]#iptables -I FORWARD -s 192.168.22.0/24 -p tcp --dport 80 -j ACCEPT
[root@localhost ~]#iptables -I FORWARD -d 192.168.22.0/24 -p tcp --sport 80 -j ACCEPT
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   529 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.22.0/24      tcp spt:80
   12   833 ACCEPT     tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            tcp dpt:80
   30  1816 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now host 6-10 can reach the web service on 7-30, and the FORWARD chain shows matched packets.
Simplify further: any packet belonging to an already established connection is considered safe, so the first rule can be replaced.
[root@localhost ~]#iptables -D FORWARD 1
[root@localhost ~]#iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 1 packets, 32 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            tcp dpt:80
   36  2176 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Host 6-10 can still reach the web service on 7-30, and the FORWARD chain shows matched packets.
Simplify once more, and add ports 21 and 22.
[root@localhost ~]#iptables -R FORWARD 2 -s 192.168.22.0/24 -p tcp -m multiport --dport 21:23,80 -m state --state NEW -j ACCEPT
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   902 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            multiport dports 21:23,80 state NEW
   36  2176 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
The web page can be opened and ssh login works. Note: after logging in over ssh the prompt looks exactly like the one you started from, so I kept thinking the login had failed; check the IP address with ifconfig to tell them apart. (Pitfall!)
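The post checks each step by reading the pkts column of iptables -nvL to see which FORWARD rule matched. The helper below, added here and not part of the original post, pulls those counters out of a listing with awk; the listing is a constructed sample copied from the FORWARD output shown above, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: read per-rule packet counters from "iptables -nvL" output.
# SAMPLE is a constructed copy of the listing after the multiport rule above.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   902 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            multiport dports 21:23,80 state NEW
   36  2176 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_hits LISTING CHAIN N: print the packet counter of rule number N in CHAIN
# (rule numbers start at 1, the same numbering "iptables -R CHAIN N" uses).
rule_hits() {
    printf '%s\n' "$1" | awk -v chain="$2" -v n="$3" '
        /^Chain /  { cur = $2; i = 0; next }   # chain header: remember its name
        /^ *pkts / { next }                    # column header line
        cur == chain && NF > 0 { i++; if (i == n) { print $1; exit } }'
}

# unmatched_rules LISTING CHAIN: print the numbers of rules whose counter is
# still zero, one per line; a rule that never matches is either unneeded or
# shadowed by an earlier rule (the post hits this when ordering with -I).
unmatched_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain /  { cur = $2; i = 0; next }
        /^ *pkts / { next }
        cur == chain && NF > 0 { i++; if ($1 == 0) print i }'
}

# stand-alone run: counter of the final DROP rule, then the rules with no hits
rule_hits "$SAMPLE" FORWARD 3
unmatched_rules "$SAMPLE" FORWARD
```

On a live firewall replace "$SAMPLE" with "$(iptables -nvL)"; the counters only grow, so run "iptables -Z" first if you want to test one rule in isolation.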
NAT forwarding
Categories:
Source address translation, SNAT: clients inside the LAN request servers on the Internet. The translation is done last, just as the packet is about to leave the public-facing interface, so it sits on the POSTROUTING chain. It turns all the internal IPs into one public IP.
Static address translation: the external address is fixed.
Dynamic address translation: the external address changes.
MASQUERADE can be used for that: (lazy, not writing it up)
Destination address translation, DNAT: there are servers inside the LAN and Internet clients request them. The translation is done as soon as the packet enters the public interface, so it sits on the PREROUTING chain. It maps one public IP to several internal IPs.
Port translation, PAT: port address translation
When there are three physical servers in the LAN providing web, ftp and mail, but only one public IP, a firewall host can be set up so that when an outside client requests the web service, the request is NAT-translated and sent on to the physical server that provides it.
--------------------------------------------------------------------------------
Example: source address translation
Saved as: nat轉換1.zip
When two computers A and B in the local network visit the Taobao website and log in to QQ at the same time, each computer has to send its requests to the Taobao server and its QQ requests to the QQ server.
Inside the LAN the IP packet looks like AA in the figure above. When the packet reaches the gateway (10.1.0.1) it first goes through routing, which decides which router to hand the packet to, i.e. the next hop. Routing changes neither the source IP nor the destination IP; the packet still has the form AA. It then passes firewall filtering, and just before it goes out of the public interface NAT is performed: first, an internal address has to be translated to a public address before it can be sent at all; second, this also hides the layout of the internal network, with one public IP acting as proxy for everything.
Seen from the outside, every service in the LAN is accessed from that single public IP.
The return path is the reverse: once the packet arrives at the external address it is first translated, using the saved NAT table, back to the local IP and port, and then delivered to the right computer.
By that account, does the returning packet not need to go through routing at all?
Look at the router's own NAT table
--------------------------------------------------------------------------------
Same virtual machine setup as above; the experiment continues.
Flush the firewall rules on the firewall host 7-20.
When host 6-10 accesses the httpd service on 7-30, the httpd log on 7-30 records the access as coming from 192.168.22.2, which is the firewall's internal address. To hide that internal address, use NAT forwarding.
Among the iptables extensions, SNAT is one of the executable actions (targets):
SNAT:This target is only valid in the nat table, in the POSTROUTING and INPUT chains, and user-defined chains which are only called from those chains.
--to-source [ipaddr[-ipaddr]]
Before it is set up:
Host 6-10: send ping requests
[root@localhost ~]#ping 172.18.19.30
PING 172.18.19.30 (172.18.19.30) 56(84) bytes of data.
64 bytes from 172.18.19.30: icmp_seq=1 ttl=63 time=0.578 ms
Host 7-20
[root@localhost ~]#tcpdump -i eno33554984 -nn icmp    # firewall's internal interface
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554984, link-type EN10MB (Ethernet), capture size 65535 bytes
19:12:33.521397 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 63507, seq 53, length 64
19:12:33.522075 IP 172.18.19.30 > 192.168.22.2: ICMP echo reply, id 63507, seq 53, length 64
[root@localhost ~]#tcpdump -i eno16777736 -nn icmp    # firewall's public interface
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
19:12:16.493475 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 63507, seq 36, length 64
19:12:16.493965 IP 172.18.19.30 > 192.168.22.2: ICMP echo reply, id 63507, seq 36, length 64
Host 7-30
[root@localhost ~]#tcpdump -i eno16777736 -nn icmp    # packets as seen by the server
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
19:12:42.534878 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 63507, seq 62, length 64
19:12:42.534984 IP 172.18.19.30 > 192.168.22.2: ICMP echo reply, id 63507, seq 62, length 64
After NAT is set up:
On host 7-20:
[root@localhost ~]#iptables -t nat -A POSTROUTING -s 192.168.22.0/24 -j SNAT --to-source 172.18.19.20
[root@localhost ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.22.0/24      0.0.0.0/0            to:172.18.19.20
Host 6-10: send ping requests
[root@localhost ~]#ping 172.18.19.30
PING 172.18.19.30 (172.18.19.30) 56(84) bytes of data.
64 bytes from 172.18.19.30: icmp_seq=1 ttl=63 time=0.578 ms
Host 7-20
[root@localhost ~]#!t
tcpdump -i eno33554984 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554984, link-type EN10MB (Ethernet), capture size 65535 bytes
20:09:38.595011 IP 192.168.22.2 > 172.18.19.30: ICMP echo request, id 56352, seq 7, length 64
20:09:38.595442 IP 172.18.19.30 > 192.168.22.2: ICMP echo reply, id 56352, seq 7, length 64
[root@localhost ~]#tcpdump -i eno16777736 -nn icmp    # firewall's public interface
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
20:09:52.618004 IP 172.18.19.20 > 172.18.19.30: ICMP echo request, id 56352, seq 21, length 64
20:09:52.618570 IP 172.18.19.30 > 172.18.19.20: ICMP echo reply, id 56352, seq 21, length 64
Host 7-30
[root@localhost ~]#tcpdump -i eno16777736 -nn icmp    # packets as seen by the server
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
20:09:59.628846 IP 172.18.19.20 > 172.18.19.30: ICMP echo request, id 56352, seq 28, length 64
20:09:59.628893 IP 172.18.19.30 > 172.18.19.20: ICMP echo reply, id 56352, seq 28, length 64
Packets from the LAN are translated as they pass through the firewall: by the time they cross the firewall's public interface they have already been rewritten, and the same happens in reverse on the way back.
--------------------------------------------------------------------------------
DNAT
File name: nat轉換2.zip
Purpose: when the outside of the router is connected to a public address, you can host a web page inside the LAN and, through DNAT, reach the internal website from the outside.
The topology for the experiment below is as above. Every access from the Internet is NAT-translated at the firewall to the corresponding internal host and port; the internal web service does not have to listen on port 80, as long as the mapped service socket is distinct it works normally.
DNAT:This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
--to-destination [ipaddr][:port]  # without a port, the destination port is left unchanged.
On host 6-10, add a second IP address to simulate another host, and configure httpd on port 8080 (the port number is arbitrary).
[root@localhost ~]#ifconfig eth0:0 192.168.22.3/24 up
[root@localhost /etc/httpd/conf]#vim httpd.conf
Listen 8080
[root@localhost /etc/httpd/conf]#service httpd restart
[root@localhost /etc/httpd/conf]#ss -tnl    # make sure the port is listening
LISTEN     0      128                       :::8080
On host 7-20, remove the SNAT rule and set up the DNAT translation: every packet to port 80 of 172.18.19.20 is translated and sent to port 8080 of 192.168.22.2.
[root@localhost ~]#iptables -t nat -F
[root@localhost ~]#iptables -t nat -A PREROUTING -d 172.18.19.20 -p tcp --dport 80 -j DNAT --to-destination 192.168.22.2:8080
[root@localhost ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:80 to:192.168.22.2:8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
From host 7-30, what is accessed is port 80 of the firewall, but what actually answers is port 8080 inside the LAN. It works normally; host 7-20 has no httpd installed at all.
[root@localhost ~]#curl 172.18.19.20
192.168.22.2
Testing ssh:
On host 7-20: suppose a rule is added on the firewall so that every access to port 22 of the firewall is forwarded to the LAN host 192.168.22.3.
[root@localhost ~]#iptables -t nat -A PREROUTING -d 172.18.19.20 -p tcp --dport 22 -j DNAT --to-destination 192.168.22.3:22
[root@localhost ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:80 to:192.168.22.2:8080
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:22 to:192.168.22.3:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now when host 7-30 logs in to the ssh service of 172.18.19.20, it actually reaches the ssh service of the internal host 192.168.22.3; after login, the local IP address shown is the internal one.
This is because DNAT is applied as soon as the packet enters the firewall host's external interface: the IP in the ssh packet addressed to the firewall is rewritten to the internal IP, so it is the internal sshd that is reached.
For the sake of ssh security, the internal ssh service is usually hidden behind a high-port mapping in the firewall's NAT, i.e. a translation so that access to 172.18.19.20:22022 is forwarded to the ssh service of one internal host.
[root@localhost ~]#iptables -t nat -R PREROUTING 2 -d 172.18.19.20 -p tcp --dport 22022 -j DNAT --to-destination 192.168.22.3:22
[root@localhost ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:80 to:192.168.22.2:8080
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:22022 to:192.168.22.3:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
With that in place:
[root@localhost ~]#ssh 172.18.19.20             # reaches the firewall's own ssh
[root@localhost ~]#ssh -p 22022 172.18.19.20    # reaches the ssh of the designated internal host
--------------------------------------------------------------------------------
Redirect: an access to one port on the local host is automatically redirected to another port on the same host. For example, if the local httpd serves on port 8080 and port 80 is redirected to it, remote hosts can still reach httpd normally.
REDIRECT:This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
--to-ports port[-port]
Continuing from the operations above, clear the firewall's port-80 NAT translation (replace it so the port is no longer rewritten).
On host 7-20
[root@localhost ~]#iptables -t nat -R PREROUTING 1 -d 172.18.19.20 -p tcp --dport 80 -j DNAT --to-destination 192.168.22.3
[root@localhost ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:80 to:192.168.22.3
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.19.20         tcp dpt:22022 to:192.168.22.3:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Since httpd on 192.168.22.3 already listens on port 8080, a redirect is all that is needed.
On host 6-10
[root@localhost ~]#iptables -t nat -A PREROUTING -d 192.168.22.3 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@localhost ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            192.168.22.3         tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
The httpd service can be reached from host 7-30:
[root@localhost ~]#curl 172.18.19.20
192.168.22.2
How it works: an Internet user accesses the httpd service on port 80 of the firewall; the firewall, following its NAT forwarding rule, sends that socket on to port 80 of the corresponding internal host; the internal host has a nat table of its own and redirects the port-80 packets to port 8080, where its httpd service is listening.
--------------------------------------------------------------------------------
Using user-defined chains
A user-defined chain can only be called from a built-in chain; it cannot be used on its own.
Continuing the experiment above, the external network accesses a server in the LAN:
First flush all rules on the firewall, then add a custom chain in the filter table.
[root@localhost ~]#iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]#iptables -N web_in
[root@localhost ~]#iptables -A web_in -d 192.168.22.0/24 -p tcp --dport 80 -j ACCEPT
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain web_in (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.22.0/24      tcp dpt:80
[root@localhost ~]#iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]#iptables -N web_in
[root@localhost ~]#iptables -A web_in -d 192.168.22.0/24 -p tcp --dport 80 -j ACCEPT
[root@localhost ~]#iptables -A FORWARD -j DROP
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain web_in (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.22.0/24      tcp dpt:80
At this point the external network cannot reach the httpd service, because the custom chain is not referenced anywhere. Once it is called, the listing shows the custom chain with a reference count of 1. This way all web-related rules can be kept in one chain, which is easier to manage.
[root@localhost ~]#iptables -I FORWARD 2 -j web_in
[root@localhost ~]#iptables -A web_in -j RETURN
[root@localhost ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
   20  1216 web_in     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1216 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain web_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.22.0/24      tcp dpt:80
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
RETURN: go back to the chain that made the call. It is placed at the end of the custom chain; once the custom chain's rules have all been tried, matching automatically returns to the built-in chain and continues with the rules that follow the call. It works like a function call and calls can be nested repeatedly, as shown above.
A custom chain can only be deleted when it is empty and its reference count is zero.
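The post builds its final state one -A/-I/-R command at a time across the filtering, SNAT, DNAT and custom-chain sections, which leaves windows where the box is either wide open or locked out mid-way. The generator below is an added example (not from the original post) that renders that same end state as a single iptables-restore file, so the whole filter and nat configuration is loaded in one atomic step. It assumes the addresses of the experiment and the port-80 DNAT from the REDIRECT section (destination 192.168.22.3 with the port unchanged, so the web_in rule for dport 80 still matches after translation, since FORWARD sees the post-DNAT destination); the function name and parameters are mine.

```shell
#!/bin/sh
# Added example: emit the post's final rule set in iptables-restore format.
# Load it on the firewall host with:  iptables-restore < rules.v4
# gen_ruleset LAN_NET WAN_IP WEB_TARGET SSH_TARGET   (all values are assumptions)
gen_ruleset() {
    lan_net=$1    # LAN behind the firewall, e.g. 192.168.22.0/24
    wan_ip=$2     # firewall's public-side address, e.g. 172.18.19.20
    web_target=$3 # internal web host for DNAT of :80, e.g. 192.168.22.3 (port unchanged)
    ssh_target=$4 # internal sshd for DNAT of :22022, e.g. 192.168.22.3:22
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:web_in - [0:0]
# replies on connections that are already established, in either direction
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
# LAN hosts may open ftp, ssh, telnet and http sessions to the outside
-A FORWARD -s $lan_net -p tcp -m multiport --dports 21:23,80 -m state --state NEW -j ACCEPT
# everything web-related coming in is decided in the custom chain
-A FORWARD -j web_in
# explicit trailing DROP instead of a DROP policy: after "iptables -F" the chain
# falls back to its ACCEPT policy rather than cutting all forwarding
-A FORWARD -j DROP
# web_in sees the post-DNAT destination, hence dport 80 on the LAN network
-A web_in -d $lan_net -p tcp --dport 80 -j ACCEPT
-A web_in -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT on entry: public :80 -> internal web host, public :22022 -> internal sshd
-A PREROUTING -d $wan_ip -p tcp --dport 80 -j DNAT --to-destination $web_target
-A PREROUTING -d $wan_ip -p tcp --dport 22022 -j DNAT --to-destination $ssh_target
# SNAT on exit: hide LAN addresses behind the firewall's public address
-A POSTROUTING -s $lan_net -j SNAT --to-source $wan_ip
COMMIT
EOF
}

# stand-alone run with the experiment's addresses
gen_ruleset 192.168.22.0/24 172.18.19.20 192.168.22.3 192.168.22.3:22
```

Remember that ip_forward must still be enabled separately (it is a sysctl, not a rule), and that iptables-restore without --noflush replaces the existing tables, which is exactly what makes the load atomic.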