Linux iptables and sudo

1. The five iptables chains in detail

The main job of iptables is to control network packets entering, leaving or being forwarded by a device: whenever a packet has to enter the device, leave it, or be forwarded or routed through it, iptables can decide what happens to it.
The Netfilter/iptables packet filtering system is a powerful tool for adding, editing and removing the rules a firewall follows when it makes packet filtering decisions. These rules are stored in dedicated packet filtering tables built into the Linux kernel. Within those tables, rules are grouped into what we call chains.
Netfilter/iptables is usually referred to as a single entity, but it actually consists of two components: netfilter and iptables.
The netfilter component, also called the kernel space part, is a piece of the kernel made up of packet filtering tables; these tables hold the rule sets the kernel uses to control packet filtering.

  • The iptables component is a tool, also called the user space part, that makes it easy to insert, modify and remove rules in the packet filtering tables. iptables has 4 tables and 5 chains.

    [Figure: the five iptables chains]

    As shown in the figure above, the five iptables chains are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.

  • PREROUTING: before an incoming packet reaches the routing decision
  • INPUT: after the routing decision has found that the destination is the local host, before the packet reaches local resources
  • OUTPUT: packets generated by the local host on their way out
  • FORWARD: after the routing decision has found that the destination is not the local host, the packet is routed on to somewhere else
  • POSTROUTING: an outgoing packet before it reaches the network interface
    Inbound to the local host: PREROUTING --> INPUT ==> user-space process;
    Outbound from the local host: user-space process ==> OUTPUT --> POSTROUTING;
    Forwarded: PREROUTING --> FORWARD --> POSTROUTING;

    The four tables:

  • filter: the filtering table; usable from the INPUT, FORWARD and OUTPUT chains.
  • nat: the network address translation table; usable from PREROUTING, OUTPUT and POSTROUTING.
  • mangle: the packet modification table; usable from PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
  • raw: normally used to stop iptables from connection-tracking a packet, which improves performance; usable from PREROUTING and OUTPUT.
    The tables are consulted in the order raw > mangle > nat > filter.

2. Examples: iptables multiport matching, connection tracking, string matching, time matching, concurrent connection limiting, rate matching and packet state (TCP flag) matching

  • Multiport matching
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 237 packets, 17727 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 151 packets, 17334 bytes)
pkts bytes target     prot opt in     out     source               destination
[root@xiaochen ~]# iptables -I INPUT 1 -d 192.168.10.10 -p tcp -m multiport --dports 21,22,80,8080,443 -j ACCEPT  
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 3 packets, 176 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   576 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8 packets, 1388 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • Connection tracking:
[root@xiaochen ~]# iptables -A INPUT -d 192.168.10.10 -p tcp -m multiport --dports 21,22,80 -m state --state INVALID -j REJECT
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  343 22920 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 30 packets, 3048 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • String matching:
[root@xiaochen ~]# iptables -A OUTPUT -s 192.168.10.10 -d 192.168.10.0/24 -p tcp --sport 80 -m string --algo bm --string "sex" -j REJECT
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 2 packets, 100 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  755 53000 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 44 packets, 4388 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.10.10        192.168.10.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable
  • Time matching:
[root@xiaochen ~]# iptables -A INPUT -s 192.168.10.0/24 -d 192.168.10.10 -p tcp --dport 80 -m time --timestart 00:30 --timestop 12:30 --weekdays Mon,Sun -j DROP
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 4 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1133 78104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.10.0/24      192.168.10.10        tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 41 packets, 3852 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.10.10        192.168.10.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable
  • Concurrent connection limiting:
[root@xiaochen ~]# iptables -A INPUT -d 192.168.10.10 -p tcp --dport 21 -m connlimit --connlimit-above 2 -j REJECT
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1403 96028 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.10.0/24      192.168.10.10        tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 1584 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.10.10        192.168.10.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable
  • Rate matching:
[root@xiaochen ~]# iptables -I INPUT -d 192.168.10.10 -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 3 -j ACCEPT
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.10.10        icmptype 8 limit: avg 5/min burst 3
 1665  113K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.10.0/24      192.168.10.10        tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20 packets, 1944 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.10.10        192.168.10.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable
  • Packet state (TCP flag) matching:
[root@xiaochen ~]# iptables -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
[root@xiaochen ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x3F/0x02 reject-with icmp-port-unreachable
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.10.10        icmptype 8 limit: avg 5/min burst 3
 1910  130K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.10.0/24      192.168.10.10        tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1724 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.10.10        192.168.10.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable
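The counters in the listings above are worth reading: every rule appended after the first ACCEPT (multiport dports 21,22,80,8080,443) stays at 0 packets, because that ACCEPT is a terminating rule earlier in INPUT that already matches everything the later INVALID, time and connlimit rules would match, so they never fire. The following script is an added example, not code from the page: it parses a constructed copy of the final INPUT listing, flags rules shadowed by an earlier plain terminating rule in the same chain, and decodes the flags:0x3F/0x02 mask/compare notation that iptables -L -nv prints for the --tcp-flags rule. The shadow check is deliberately simple (protocol, source, destination and destination ports only).

```python
"""Spot rules that can never match in an `iptables -L -nv` listing.
Added example; SAMPLE is a constructed copy of the INPUT chain from this
section, not live output."""
import ipaddress
import re

SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x3F/0x02 reject-with icmp-port-unreachable
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.10.10        icmptype 8 limit: avg 5/min burst 3
 1910  130K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80,8080,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.10.0/24      192.168.10.10        tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.10.10        tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable
"""

# pkts bytes target prot opt in out source destination [match options...]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # targets that end traversal of the chain
PORT_RE = re.compile(r"multiport dports \S+|\b\w+ dpt:\d+")


def _ports(extra):
    """Destination ports the rule is limited to, or None when it matches any port."""
    m = re.search(r"multiport dports (\S+)", extra)
    if m:
        return {int(p) for p in m.group(1).split(",")}
    m = re.search(r"\bdpt:(\d+)", extra)
    return {int(m.group(1))} if m else None


def parse_listing(text):
    """Return the rules of every chain in the listing, in traversal order."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)          # the header row starts with 'pkts', not a number
        if not m:
            continue
        pkts, _, target, prot, _, _, _, src, dst, extra = m.groups()
        rules.append({"chain": chain, "pkts": int(pkts), "target": target, "prot": prot,
                      "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                      "ports": _ports(extra), "extra": extra.strip()})
    return rules


def _is_plain(rule):
    """True when the rule matches on proto/src/dst/ports only (no state, time, limit, ...)."""
    return PORT_RE.sub("", rule["extra"]).strip() == ""


def shadowed_rules(rules):
    """0-based indices of rules that an earlier plain terminating rule in the same
    chain already matches in full, so they can never see a packet."""
    found = []
    for j, b in enumerate(rules):
        for a in rules[:j]:
            if a["chain"] != b["chain"] or a["target"] not in TERMINATING or not _is_plain(a):
                continue
            if a["prot"] not in ("all", b["prot"]):
                continue
            if not (a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"])):
                continue
            if a["ports"] is not None and (b["ports"] is None or not b["ports"] <= a["ports"]):
                continue
            found.append(j)
            break
    return found


def decode_tcp_flags(spec):
    """Expand 'flags:0x3F/0x02' into (flags examined, flags that must be set)."""
    mask, comp = (int(x, 16) for x in spec.split(":")[1].split("/"))
    names = lambda v: [n for bit, n in TCP_FLAGS.items() if v & bit]
    return names(mask), names(comp)


if __name__ == "__main__":
    rules = parse_listing(SAMPLE)
    for j in shadowed_rules(rules):
        print(f"rule {j + 1} never matches: {rules[j]['target']} {rules[j]['extra']}")
    print(decode_tcp_flags("flags:0x3F/0x02"))   # only a bare SYN (new connection) is rejected
```

Run against the sample, the script reports rules 4, 5 and 6 as unreachable; moving the restrictive rules above the broad ACCEPT (or using -I with an explicit position, as the page does for the ICMP and --tcp-flags rules) is the fix. The flag decoder shows that flags:0x3F/0x02 examines all six flags and matches only when SYN alone is set, i.e. a new connection attempt to port 22.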

3. Examples: iptables SNAT (source address rewriting), DNAT (destination address rewriting) and PNAT (port rewriting)

The main reason to enable NAT on a gateway host is to hide the hosts on the internal network behind it. A gateway without NAT only forwards packets and never rewrites their source or destination IP. When an internal client then talks to a host on the Internet, a malicious external host learns the client's internal address, can scan the client's ports and services with a scanning tool, find a weak service and launch a remote attack; the host is then easy to compromise and can be used as a pivot to go on attacking other important hosts inside the internal network. Once NAT is enabled on the gateway, whenever it forwards packets to the Internet or forwards packets from the Internet to internal servers it rewrites the internal host addresses in those packets to the gateway's external address, so external hosts only ever see the gateway's address; this is how the internal hosts are protected.
After NAT is enabled on the gateway, request and reply packets are address-translated through the connection-tracking table held in memory. Internal clients reaching external servers through the gateway's address translation is called SNAT (source network address translation); external hosts reaching, through the gateway's address translation, the internal hosts that provide services is called DNAT (destination network address translation); and when httpd only opens port 8080 and port 8080 is mapped to port 80 so that it can be reached normally on port 80, that is called PNAT.

  • Environment setup
    [root@localhost ~]# sysctl -w net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    [root@localhost ~]# route add default gw 192.168.10.11
    [root@localhost ~]# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.10.11   0.0.0.0         UG    0      0        0 eno16777736
    default         192.168.10.2    0.0.0.0         UG    100    0        0 eno16777736
    default         192.168.50.1    0.0.0.0         UG    101    0        0 eno33554960
    192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 eno16777736
    192.168.50.0    0.0.0.0         255.255.255.0   U     100    0        0 eno33554960
    [root@localhost ~]# route add -net 192.168.0.0/24 gw 192.168.50.10
    [root@localhost ~]# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.10.11   0.0.0.0         UG    0      0        0 eno16777736
    default         192.168.10.2    0.0.0.0         UG    100    0        0 eno16777736
    default         192.168.50.1    0.0.0.0         UG    101    0        0 eno33554960
    192.168.0.0     192.168.50.10   255.255.255.0   UG    0      0        0 eno33554960
    192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 eno16777736
    192.168.50.0    0.0.0.0         255.255.255.0   U     100    0        0 eno33554960
  • SNAT
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 192.168.50.10
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.0.0/24       anywhere             to:192.168.50.10
  • DNAT:
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j DNAT --to-destination 192.168.10.10
[root@localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             192.168.0.0/24       to:192.168.10.10

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.0.0/24       anywhere             to:192.168.50.10
  • PNAT:
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             192.168.0.0/24       to:192.168.10.10
REDIRECT   tcp  --  anywhere             192.168.0.0/24       tcp dpt:http redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.0.0/24       anywhere             to:192.168.50.10
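To make the description of the connection-tracking table concrete, here is an added toy model (not the page's code and not how the kernel implements NAT) of a gateway that applies the PREROUTING DNAT/REDIRECT and POSTROUTING SNAT rules from this section to a packet, records the translated tuple in a conntrack table, and uses that table to undo the translation on the reply. The rules use the page's addresses; the hosts 192.168.0.5 and 192.168.50.1 and the port numbers are constructed. The model also shows a consequence of the order in which the page adds the two PREROUTING rules: the DNAT rule for 192.168.0.0/24 is listed first and matches every destination in that network, and a DNAT target ends nat-table traversal, so the REDIRECT rule to port 8080 can never match; lab_gateway(page_order=False) swaps the two rules to show the difference.

```python
"""Toy NAT gateway with a connection-tracking table.
Added example: not the page's code and not the kernel's implementation.
Rules use the page's addresses; the hosts 192.168.0.5 / 192.168.50.1 and the
port numbers are constructed.  Source ports are never rewritten on collision,
which real SNAT does."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _key(p):
    return (p.src, p.sport, p.dst, p.dport)


class NatGateway:
    def __init__(self, own_addr):
        self.own_addr = own_addr   # address REDIRECT sends packets to (the gateway itself)
        self.snat = []             # POSTROUTING: (source network, --to-source)
        self.dnat = []             # PREROUTING:  (dest network, dport or None, new dst, new dport or None)
        self.conntrack = {}        # reply tuple as it arrives on the wire -> original request

    # iptables -t nat -A POSTROUTING -s NET -j SNAT --to-source ADDR
    def add_snat(self, src_net, to_source):
        self.snat.append((ipaddress.ip_network(src_net), to_source))

    # iptables -t nat -A PREROUTING -d NET -j DNAT --to-destination ADDR
    def add_dnat(self, dst_net, to_destination):
        self.dnat.append((ipaddress.ip_network(dst_net), None, to_destination, None))

    # iptables -t nat -A PREROUTING -d NET -p tcp --dport P -j REDIRECT --to-ports Q
    def add_redirect(self, dst_net, dport, to_port):
        self.dnat.append((ipaddress.ip_network(dst_net), dport, self.own_addr, to_port))

    def forward(self, pkt):
        """Return the packet as it leaves the gateway, translating via conntrack."""
        orig = self.conntrack.get(_key(pkt))
        if orig is not None:
            # Reply to a tracked connection: undo the translation recorded in the
            # table; the nat rules are not consulted again for this flow.
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        out = pkt
        # PREROUTING: the first matching DNAT/REDIRECT rule wins and ends the chain.
        for net, dport, new_dst, new_dport in self.dnat:
            if ipaddress.ip_address(out.dst) in net and dport in (None, out.dport):
                out = replace(out, dst=new_dst, dport=new_dport or out.dport)
                break
        # POSTROUTING: SNAT hides the internal source after the routing decision.
        for net, new_src in self.snat:
            if ipaddress.ip_address(out.src) in net:
                out = replace(out, src=new_src)
                break
        # The reply will arrive addressed to the translated tuple, reversed.
        self.conntrack[_key(Packet(out.dst, out.dport, out.src, out.sport))] = pkt
        return out


def lab_gateway(page_order=True):
    """The page's nat rules; page_order=False swaps the two PREROUTING rules."""
    gw = NatGateway("192.168.50.10")
    gw.add_snat("192.168.0.0/24", "192.168.50.10")
    if page_order:
        gw.add_dnat("192.168.0.0/24", "192.168.10.10")
        gw.add_redirect("192.168.0.0/24", 80, 8080)
    else:
        gw.add_redirect("192.168.0.0/24", 80, 8080)
        gw.add_dnat("192.168.0.0/24", "192.168.10.10")
    return gw


if __name__ == "__main__":
    gw = lab_gateway()
    req = Packet("192.168.0.5", 50000, "192.168.10.10", 80)   # internal client -> outside
    out = gw.forward(req)
    print("SNAT request :", out)
    print("SNAT reply   :", gw.forward(Packet(out.dst, out.dport, out.src, out.sport)))
    ext = Packet("192.168.50.1", 40000, "192.168.0.5", 80)    # outside -> translated network
    print("page order   :", gw.forward(ext))                   # DNAT; REDIRECT never reached
    print("swapped order:", lab_gateway(False).forward(ext))   # REDIRECT to :8080 on the gateway
```

The reply path is the point of the model: the gateway never needs a rule for the return direction because the conntrack entry written when the request passed is enough to restore the original addresses, which is exactly why the page's SNAT rule lives in POSTROUTING only and the DNAT rule in PREROUTING only.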

4. Overview of the sudo privilege-switching tool, and a detailed look at visudo and sudoers

  • sudo: when we run a command through sudo, it is executed as another user. That other user is the initiator defined in the sudoers file, normally the administrator, and the file lists the commands the initiator may run; an authorized user can then temporarily switch to that initiator to run those commands. This authorization mechanism is sudo. Its configuration file is /etc/sudoers, and the dedicated command visudo is used to edit that file and grant the authorization.
    sudo:

    su: switch user
    user switching

    (1) su  -l  user  
    (2) su  -l  user  -c   'COMMAND'

    sudo:
    lets an authorized user run specified commands as another user;

    Authorization mechanism: the authorization file /etc/sudoers
        root    ALL=(ALL)   ALL 
        %wheel  ALL=(ALL)   ALL 
    
    The dedicated command for editing this file: visudo
    
        Authorization entries:
            who     where=(whom)    commands
    
            users   hosts=(runas)       commands
    
                users:
                    username
                    #uid
                    %groupname
                    %#gid
                    user_alias
    
                    Several users can be defined together as one group of users, called a user alias (user_alias);
    
                hosts:
                    ip
                    hostname
                    NetAddr
                    host_alias
    
                runas:
                    ...
                    runas_alias
    
                commands:
                    command
    
                    directory
                    sudoedit: a special privilege that can be used to grant sudo rights to other users;
                    cmnd_alias
    
            How to define an alias:
                ALIAS_TYPE  NAME=item1, item2, item3, ...
                    NAME: the alias name, which must be written in upper case;
                ALIAS_TYPE:
                    User_Alias
                    Host_Alias
                    Runas_Alias
                    Cmnd_Alias

    Example:

[root@localhost ~]# useradd fedora
[root@localhost ~]# echo fedora | passwd --stdin fedora
Changing password for user fedora.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# su - fedora
[fedora@localhost ~]$ useradd user1
-bash: /usr/sbin/useradd: Permission denied
[fedora@localhost ~]$ exit
logout
[root@localhost ~]# visudo
fedora  ALL=(ALL)       /usr/sbin/useradd,/usr/sbin/userdel   ## add this line
[root@localhost ~]# su - fedora
[fedora@localhost ~]$ sudo useradd user1

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for fedora:
[fedora@localhost ~]$ tail -1 /etc/passwd
user1:x:1001:1001::/home/user1:/bin/bash
[fedora@localhost ~]$ sudo userdel user1
[fedora@localhost ~]$ id user1
id: user1: no such user
  • Granting sudo by group membership
    [root@localhost ~]# usermod -a -G wheel fedora
    [root@localhost ~]# newgrp wheel
    [root@localhost ~]# id fedora
    uid=1000(fedora) gid=1000(fedora) groups=1000(fedora),10(wheel)
    [root@localhost ~]# visudo
    %wheel  ALL=(ALL)       /usr/sbin/useradd,/usr/sbin/userdel
    [root@localhost ~]# su - fedora
    Last login: Wed Feb 13 23:19:34 CST 2019 on pts/0
    [fedora@localhost ~]$ sudo -k
    [fedora@localhost ~]$ sudo useradd user3
    [sudo] password for fedora:
    [fedora@localhost ~]$ id user3
    uid=1001(user3) gid=1001(user3) groups=1001(user3)
    [fedora@localhost ~]$ sudo userdel user3
    [fedora@localhost ~]$ id user3
    id: user3: no such user
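To tie the sudoers grammar above (who where=(whom) commands, with the four alias types) to the fedora and %wheel entries used in the two sessions, the following added script (not the page's code and not sudo's own parser) reads a constructed sudoers fragment, expands aliases, enforces the page's rule that alias names must be upper case, and answers whether a given user may run a given command as a given user on a given host. It handles the username, #uid, %groupname and %#gid forms listed above, defaults the run-as user to root when the (whom) part is omitted, and ignores Defaults lines, tags such as NOPASSWD, wildcards and command arguments.

```python
"""Evaluate sudoers entries of the form  who  where=(runas)  commands.
Added example: not the page's code and not sudo's own parser.  Ignores Defaults
lines, tags such as NOPASSWD, wildcards and command arguments."""
import re

# Constructed policy: the page's root / %wheel / fedora entries plus one alias of each type.
SAMPLE_SUDOERS = """
User_Alias  ACCOUNT_ADMINS = fedora, #1002
Host_Alias  LAB = localhost, 192.168.10.10
Runas_Alias OPS = root, nobody
Cmnd_Alias  USERMGMT = /usr/sbin/useradd, /usr/sbin/userdel

root            ALL=(ALL)   ALL
%wheel          ALL=(ALL)   USERMGMT
ACCOUNT_ADMINS  LAB=(OPS)   USERMGMT, /usr/bin/passwd
"""

ALIAS_TYPES = ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")
ALIAS_NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*")      # alias names must be upper case
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


def _split(items):
    return [i.strip() for i in items.split(",") if i.strip()]


def parse_sudoers(text):
    """Return (aliases, specs); specs are (who, where, runas, commands) tuples."""
    aliases = {t: {} for t in ALIAS_TYPES}
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if head in ALIAS_TYPES:
            name, items = (s.strip() for s in line[len(head):].split("=", 1))
            if not ALIAS_NAME_RE.fullmatch(name):
                raise ValueError(f"alias name must be upper case: {name}")
            aliases[head][name] = _split(items)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {line}")
        who, where, runas, cmds = m.groups()
        specs.append((who, where, runas or "root", cmds))   # sudo's default run-as user is root
    return aliases, specs


def _expand(aliases, kind, items, seen=()):
    """Replace alias names by their members, recursively (aliases may nest)."""
    out = []
    for item in items:
        if item in aliases[kind] and item not in seen:
            out.extend(_expand(aliases, kind, aliases[kind][item], seen + (item,)))
        else:
            out.append(item)
    return out


def _user_matches(entry, user, uid, groups, gids):
    """username, #uid, %groupname, %#gid or ALL, as listed in the grammar above."""
    if entry == "ALL":
        return True
    if entry.startswith("%#"):
        return int(entry[2:]) in gids
    if entry.startswith("%"):
        return entry[1:] in groups
    if entry.startswith("#"):
        return int(entry[1:]) == uid
    return entry == user


def may_run(policy, user, uid, groups, gids, host, runas, command):
    """True if some entry lets `user` run `command` as `runas` on `host`."""
    aliases, specs = policy
    for who, where, runas_spec, cmds in specs:
        users = _expand(aliases, "User_Alias", _split(who))
        hosts = _expand(aliases, "Host_Alias", _split(where))
        runas_ok = _expand(aliases, "Runas_Alias", _split(runas_spec))
        commands = _expand(aliases, "Cmnd_Alias", _split(cmds))
        if not any(_user_matches(u, user, uid, groups, gids) for u in users):
            continue
        if "ALL" not in hosts and host not in hosts:
            continue
        if "ALL" not in runas_ok and runas not in runas_ok:
            continue
        if "ALL" in commands or command in commands:
            return True
    return False


if __name__ == "__main__":
    policy = parse_sudoers(SAMPLE_SUDOERS)
    fedora = dict(user="fedora", uid=1000, groups=["fedora"], gids=[1000])
    print(may_run(policy, **fedora, host="localhost", runas="root", command="/usr/sbin/useradd"))  # True
    print(may_run(policy, **fedora, host="localhost", runas="root", command="/bin/bash"))          # False
    print(may_run(policy, **fedora, host="web01", runas="root", command="/usr/sbin/useradd"))      # False
```

The checks mirror the two sessions above: fedora gets useradd/userdel and nothing else, a wheel member gets the same on every host, and a user who matches no entry (or asks for a command outside the list) is refused. Restricting the host and run-as fields, as the ACCOUNT_ADMINS entry does, is the least-privilege shape the page's ALL=(ALL) entries are missing.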