七週四次課（5月9日)iptables filter表案例、iptables nat表應用

 10. 15 iptables filter表小案例

輸入以下的內容：
#! /bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -i ACCEPT
$ipt -A INPUT -s 192.168.218.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

ipt 定義了一個變量，變量要寫絕對路徑，這樣纔不會被環境變量所影響。而後使用 -F 命令清空規則，-P 是定義默認的策略，-A 增長規則。這邊用腳本執行命令

 iptables -I INPUT -p icmp --icmp-type 8 -j DROP   禁ping操做

10.16 iptables nat表應用

一、打開端口轉發模式

查詢（將 /proc/sys/net/ipv4/ip_forward設置爲1爲轉發，默認爲0）；

[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@shu-test ~]#

打開端口轉發

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@shu-test ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@shu-test ~]#

二、在機器A上增長規則

（記住B機器的網關必須指向機器A的ens37也就是192.168.100.1）

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

在機器A上增長nat 將源地址192.168.100.0/24的全部路由（數據包）指向ens33出去

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 659 packets, 67162 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 18 packets, 1935 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
   42  3201 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

三、測試：

若是能ping通機器A的ens33網卡，而ping不通外網，能夠清空下iptables -F配置的規則；
機器B上ping www.hao123.com

[root@localhost ~]# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=127 time=1.58 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=127 time=0.814 ms
^C
--- 192.168.188.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.814/1.199/1.585/0.387 ms
[root@localhost ~]# ping www.hao123.com
PING hao123.n.shifen.com (112.34.111.167) 56(84) bytes of data.
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=1 ttl=127 time=31.1 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=2 ttl=127 time=31.5 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=3 ttl=127 time=31.2 ms
^C
--- hao123.n.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.116/31.291/31.502/0.159 ms
[root@localhost ~]#

端口映射

需求2：C機器只能和A通訊，讓C機器能夠直接經過B機器22端口；（端口映射）

一、打開A機器的端口轉發功能；

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]#

二、清空和刪除全部配置

使用iptables -F與 -D 命令，詳情見前文章

三、在A機器上添加規則

iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
將192.168.100.101的22端口 映射到A機器的ens33的1122端口上，
使外網經過訪問192.168.188.2:1122來達到訪問機器C（ip：192.168.100.101）的22端口；

[root@shu-test ~]# iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
[root@shu-test ~]#
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 13 packets, 1072 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 6 packets, 549 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 7 packets, 412 bytes)
pkts bytes target     prot opt in     out     source               destination         
  113  8561 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

四、在A機器上添加回包規則

iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
將從192.168.100.101的過來的包，返回給192.168.188.2；
有來有回

[root@shu-test ~]# iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
    0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2
[root@shu-test ~]#

五、測試

在Windows上直接ssh 192.168.188.2：1122