Week 7, Lesson 4 (May 9): iptables filter table case study; iptables nat table applications

10.15 iptables filter table: a small case study

Enter the following content:
#! /bin/bash
# Absolute path, so the script does not depend on PATH
ipt="/usr/sbin/iptables"
$ipt -F                          # flush all rules in the filter table
$ipt -P INPUT DROP               # default policy: drop everything inbound
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# Allow replies to connections we already track (-j jumps to the target; -i would be an interface match)
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh only from the 192.168.218.0/24 subnet
$ipt -A INPUT -s 192.168.218.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

ipt defines a variable; it must hold the absolute path so that it is not affected by environment variables (PATH). -F then flushes the existing rules, -P sets the default policy for a chain, and -A appends a rule. Here the commands are executed through the script.

iptables -I INPUT -p icmp --icmp-type 8 -j DROP   # block incoming ping (echo request), for testing

10.16 iptables nat table applications

1. Enable IP forwarding

Check the current value (setting /proc/sys/net/ipv4/ip_forward to 1 enables forwarding; the default is 0):

[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@shu-test ~]#

Enable forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@shu-test ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@shu-test ~]#

2. Add the rule on machine A

(Remember that machine B's gateway must point to machine A's ens37, i.e. 192.168.100.1.)

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

Add NAT on machine A so that all packets with source 192.168.100.0/24 leave through ens33 with their source address masqueraded:

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 659 packets, 67162 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 18 packets, 1935 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
   42  3201 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

3. Test:

If machine B can ping machine A's ens33 NIC but cannot reach the internet, try flushing the rules with iptables -F.
On machine B, ping www.hao123.com:

[root@localhost ~]# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=127 time=1.58 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=127 time=0.814 ms
^C
--- 192.168.188.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.814/1.199/1.585/0.387 ms
[root@localhost ~]# ping www.hao123.com
PING hao123.n.shifen.com (112.34.111.167) 56(84) bytes of data.
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=1 ttl=127 time=31.1 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=2 ttl=127 time=31.5 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=3 ttl=127 time=31.2 ms
^C
--- hao123.n.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.116/31.291/31.502/0.159 ms
[root@localhost ~]#

Port mapping

Requirement 2: machine C can only communicate with A; make machine C's port 22 reachable directly from machine B (port mapping).

1. Enable IP forwarding on machine A:

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]#

2. Flush and delete all existing configuration

Use the iptables -F and -D commands; see the previous article for details.

3. Add the rule on machine A

iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
This maps port 22 of 192.168.100.101 onto port 1122 of machine A's ens33,
so that the outside can reach port 22 of machine C (IP 192.168.100.101) by connecting to 192.168.188.2:1122.

[root@shu-test ~]# iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
[root@shu-test ~]#
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 13 packets, 1072 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 6 packets, 549 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 7 packets, 412 bytes)
pkts bytes target     prot opt in     out     source               destination         
  113  8561 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

4. Add the return-path rule on machine A

iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
Packets coming from 192.168.100.101 are sent out with source address 192.168.188.2;
traffic must be translated in both directions.

[root@shu-test ~]# iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
    0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2
[root@shu-test ~]#

5. Test

From Windows, ssh directly to 192.168.188.2 on port 1122.
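As an added check that is not part of the original lesson, the following Python parses the `iptables -t nat -nvL` listing from step 4 and verifies the port mapping: the DNAT entry for 192.168.188.2:1122 -> 192.168.100.101:22, a POSTROUTING rule that source-NATs machine C's traffic on ens33, and any POSTROUTING rule that an earlier one already covers for that traffic. The embedded listing is constructed from the output above; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the `iptables -t nat -nvL` listing after step 4 of the port-mapping setup.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0
    0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2
"""

def parse_nat_listing(text):
    """Return {chain: [rule, ...]}; a rule is a dict of the -nvL columns plus 'extra' (match/target args)."""
    chains, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["Chain"]:
            current = parts[1]
            chains[current] = []
        elif parts and parts[0] != "pkts":          # skip blank lines and the column header
            rule = dict(zip(("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst"), parts))
            rule["pkts"], rule["extra"] = int(rule["pkts"]), " ".join(parts[9:])
            chains[current].append(rule)
    return chains

def covers(rule, ip, out_if):
    """True if a POSTROUTING source-NAT rule matches packets from ip leaving out_if."""
    return (rule["target"] in ("MASQUERADE", "SNAT") and rule["out"] in ("*", out_if)
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["src"]))

def check_port_forward(chains, public_ip, public_port, inner_ip, inner_port, wan_if):
    """Verify the DNAT mapping and its outbound NAT; report POSTROUTING rules that are dead for this traffic."""
    findings = []
    if not any(r["target"] == "DNAT" and r["dst"] == public_ip and f"dpt:{public_port}" in r["extra"]
               and f"to:{inner_ip}:{inner_port}" in r["extra"] for r in chains.get("PREROUTING", [])):
        findings.append(f"missing DNAT {public_ip}:{public_port} -> {inner_ip}:{inner_port}")
    post = chains.get("POSTROUTING", [])
    hits = [i for i, r in enumerate(post) if covers(r, inner_ip, wan_if)]
    if not hits:
        findings.append(f"no MASQUERADE/SNAT covers {inner_ip} leaving {wan_if}")
    # The nat table is consulted top-down for a connection's first packet only, so a later rule
    # that also matches this traffic never fires; its pkts counter stays at 0, as the SNAT row shows.
    for i in hits[1:]:
        findings.append(f"POSTROUTING rule {i + 1} ({post[i]['target']}) is shadowed by rule {hits[0] + 1} for {inner_ip} via {wan_if}")
    return findings
```

Run against a live box with `parse_nat_listing(subprocess.check_output(["iptables", "-t", "nat", "-nvL"], text=True))`; on the listing above it reports that the SNAT rule is shadowed by the MASQUERADE rule for traffic leaving ens33.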
