iptables filter表 nat表 應用實例
iptables基礎實例
iptables -nvL 查看規則shell
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
33 2412 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 22 packets, 2016 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38 2784 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
iptables -F 清空規則tcp
[root@localhost ~]# iptables -F [root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 5 packets, 388 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
service iptables restart 從新加載規則oop
[root@localhost ~]# service iptables restart Redirecting to /bin/systemctl restart iptables.service
iptables -Z 清空計數器rest
[root@localhost ~]# iptables -Z
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 388 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target prot opt in out source destination
service iptables save 將規則保存到配置文件中/etc/sysconfig/iptablescode
iptables -t 指定表,不加-t默認是filter表blog
[root@localhost ~]# iptables -A INPUT -s 192.168.1.1 -p tcp --sport 8080 -d 192.168.100.100 --dport 80 -j DROP [root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 224 15912 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 6 1129 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.1.1 192.168.100.100 tcp spt:8080 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes) pkts bytes target prot opt in out source destination
iptables -A 添加一條規則,添加規則到尾行 iptables -A INPUT -s 192.168.1.1 -p tcp --sport 8080 -d 192.168.100.100 --dport 80 -j DROP這段代碼的意識是添加一條規則在-s表示來源 -p是協議 -sport 是源端口,-d目的地址 -dport是目的端口 -j 是選擇的操做 DROP是丟棄的意思。ip
iptables -I是插入一條規則,會插入到首行,數據通訊匹配iptables中的規則會從上向下匹配,當匹配到合適的就不會再繼續向下匹配。路由
[root@localhost ~]# iptables -I INPUT -s 192.168.1.1 -p tcp --sport 8080 -d 192.168.100.100 --dport 80 -j REJECT
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 192.168.1.1 192.168.100.100 tcp spt:8080 dpt:80 reject-with icmp-port-unreachable
438 37040 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 1920 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.1.1 192.168.100.100 tcp spt:8080 dpt:80
iptables -nvL --line-number 顯示規則編號get
[root@localhost ~]# iptables -nvL --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT tcp -- * * 192.168.1.1 192.168.100.100 tcp spt:8080 dpt:80 reject-with icmp-port-unreachable 2 489 40692 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 6 11 1920 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 7 0 0 DROP tcp -- * * 192.168.1.1 192.168.100.100 tcp spt:8080 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 40 packets, 5000 bytes) num pkts bytes target prot opt in out source destination
iptables -D 刪除規則,可根據行號刪除 iptables -D INPUT 7 刪除第7條規則it
[root@localhost ~]# iptables -D INPUT 7 [root@localhost ~]# iptables -nvL --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT tcp -- * * 192.168.1.1 192.168.100.100 tcp spt:8080 dpt:80 reject-with icmp-port-unreachable 2 534 43876 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 6 16 2810 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes) num pkts bytes target prot opt in out source destination
netfilter nat表應用
實例1:A機器兩塊網卡一塊鏈接外網,一塊在內網環境,B機器只有一塊網卡在內網環境,兩臺機器在同一內網中。經過A機器能讓B機器上網。
- A機器上打開路由轉發功能 echo "1" >/proc/sys/net/ipv4/ip_forward
[root@localhost ~]# echo "1">/proc/sys/net/ipv4/ip_forward [root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward 1
- A機器上執行
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE在外網口開啓端口轉發 - 再給B機器配置好網關,就是A機器的內網口的地址 route add default gw 192.168.100.1
四、B機器就能夠ping通外網了。
實例2 端口映射,能夠讓外部機器訪問B機器
- A機器一樣打開路由轉發功能echo "1" >/proc/sys/net/ipv4/ip_forward
- A機器執行iptables -t nat -A PREROUTING -d 192.168.254.100 (模擬外網ip) -p tcp --dport 3000(借用端口) -j DNAT --to 192.168.100.100:22(C機器地址和端口)
- A 機器執行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.254.100
- B機器一樣要設置網關
Connecting to 192.168.254.100:3000...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Jul 19 21:29:24 2018
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.100 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fe50:6d26 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:50:6d:26 txqueuelen 1000 (Ethernet)
RX packets 62 bytes 9270 (9.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 78 bytes 11214 (10.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 6 bytes 504 (504.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 504 (504.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
能夠看到使用C機器的Xshell鏈接A機器的ip指定作過映射的端口3000 ,成功的鏈接到了B機器。
相關文章
- 1. iptables filter表案例、iptables nat表應用
- 2. iptables filter表案例/iptables nat表應用
- 3. iptables filter表案例,iptables nat表應用
- 4. iptables filter表案例 iptables nat表應用
- 5. 32.filter表案例 nat表應用 (iptables)
- 6. 十(4)iptables語法、iptables filter表小案例、iptables nat表應用
- 7. iptables filter表案例和iptables nat表應用
- 8. 10.15 iptables filter表案例, iptables nat表應用
- 9. iptables filter表小案例、iptables nat表應用
- 10. Day32 iptables filter表案例、iptables nat表應用
- 更多相關文章...
- • PHP 完整表單實例 - PHP教程
- • Maven Web 應用 - Maven教程
- • TiDB 在摩拜單車在線數據業務的應用和實踐
- • Java Agent入門實戰(三)-JVM Attach原理與使用
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. iptables filter表案例、iptables nat表應用
- 2. iptables filter表案例/iptables nat表應用
- 3. iptables filter表案例,iptables nat表應用
- 4. iptables filter表案例 iptables nat表應用
- 5. 32.filter表案例 nat表應用 (iptables)
- 6. 十(4)iptables語法、iptables filter表小案例、iptables nat表應用
- 7. iptables filter表案例和iptables nat表應用
- 8. 10.15 iptables filter表案例, iptables nat表應用
- 9. iptables filter表小案例、iptables nat表應用
- 10. Day32 iptables filter表案例、iptables nat表應用