iptables Basics Explained, with Examples

1. What iptables is

iptables is a user-space firewall application that lets a system administrator configure the tables provided by Xtables (today mainly in iptables/netfilter) together with their chains and rules, and so control how network packets flow and are forwarded. Because of what these operations do, running iptables requires superuser privileges. On most Linux systems iptables is invoked as /usr/sbin/iptables, and its documentation lives in the manual pages (man page[2]), reachable with man iptables. iptables normally needs kernel-level modules to work; Xtables is the kernel-side module set that implements the iptables API.

Host firewall: a network-layer firewall can be viewed as an IP packet filter that operates on the underlying TCP/IP protocol stack.

Network firewall: a hardware device working at the network edge; packets arriving at the network are filtered according to some set of rules.


2. The four tables and five chains of iptables

The four tables

  • raw     packets handled in the raw table are exempted from iptables connection tracking
  • mangle  modifies certain transmission attributes of a packet (TOS, TTL, ...)
  • nat     address translation (port mapping, address mapping, and so on)
  • filter  packet filtering (the most commonly used table, and the default)


The five chains

  • PREROUTING   before the packet enters routing
  • INPUT        after the routing decision, for packets whose destination is this host
  • FORWARD      after the routing decision, for packets whose destination is not this host
  • OUTPUT       packets generated by this host on their way out
  • POSTROUTING  just before the packet leaves through the network interface


Correspondence between chains and tables

  • FORWARD      filter, mangle
  • INPUT        filter, mangle
  • OUTPUT       filter, mangle, nat, raw
  • PREROUTING   mangle, nat, raw
  • POSTROUTING  mangle, nat

  • filter   INPUT, FORWARD, OUTPUT
  • nat      PREROUTING, OUTPUT, POSTROUTING
  • mangle   PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
  • raw      PREROUTING, OUTPUT



3. Basic usage

1) Command format

[Linux85]#man iptables
IPTABLES(8)                     iptables 1.4.7                     IPTABLES(8)
NAME
       iptables -- administration tool for IPv4 packet filtering and NAT
SYNOPSIS
       iptables [-t table] {-A|-D} chain rule-specification
        #append a rule to, or delete a rule from, the specified chain

       iptables [-t table] -I chain [rulenum] rule-specification
        #insert a rule into the specified chain; by default at position 1

       iptables [-t table] -R chain rulenum rule-specification
        #replace the rule with that number in the specified chain; the rule has to be written out again

       iptables [-t table] -D chain rulenum
        #delete a rule from the specified chain by rule number

       iptables [-t table] -S [chain [rulenum]]
        #print the rules of the specified chain as the commands that would add them

       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
            #-F: flush the rules of the chain
            #-L: list all rules in the table
            #-Z: zero the rule counters

       iptables [-t table] -N chain
        #create a new, empty user-defined chain

       iptables [-t table] -X [chain]
        #delete an empty user-defined chain

       iptables [-t table] -P chain target
        #set the default policy of a chain, i.e. its default target

       iptables [-t table] -E old-chain-name new-chain-name
        #rename a user-defined chain


2) Match conditions

  • Generic matches

    -s  match the source address; an IP or a network address; ! negates the match.
    -d  match the destination address; an IP or a network address; ! negates the match.
    -p  match the protocol {tcp|udp|icmp}
    -i  the interface the packet arrived on; usable in {INPUT|FORWARD|PREROUTING}
    -o  the interface the packet leaves on; usable in {OUTPUT|FORWARD|POSTROUTING}

  • Extended matches

   Implicit extensions: once a protocol is selected with -p {tcp|udp|icmp}, that protocol's match extension is loaded automatically

       --dport m[:n]: match the destination port; a contiguous range of ports may be given

       --sport m[:n]: match the source port; a contiguous range of ports may be given

       --tcp-flags: match on the TCP flag bits

       --icmp-type: the ICMP type


   Explicit extensions: match modules that must be named explicitly

    -m <module name> --module-option-1 --module-option-2 ... (the modules live in /lib64/xtables/*)


[Linux85]#ls /lib64/xtables/
libip6t_HL.so          libipt_SET.so         libxt_SECMARK.so      libxt_osf.so
libip6t_LOG.so         libipt_SNAT.so        libxt_TCPMSS.so       libxt_owner.so
libip6t_REJECT.so      libipt_TTL.so         libxt_TCPOPTSTRIP.so  libxt_physdev.so
libip6t_ah.so          libipt_ULOG.so        libxt_TOS.so          libxt_pkttype.so
libip6t_dst.so         libipt_addrtype.so    libxt_TPROXY.so       libxt_policy.so
libip6t_eui64.so       libipt_ah.so          libxt_TRACE.so        libxt_quota.so
libip6t_frag.so        libipt_ecn.so         libxt_cluster.so      libxt_rateest.so
libip6t_hbh.so         libipt_icmp.so        libxt_comment.so      libxt_recent.so
libip6t_hl.so          libipt_realm.so       libxt_connbytes.so    libxt_sctp.so
libip6t_icmp6.so       libipt_set.so         libxt_connlimit.so    libxt_socket.so
libip6t_ipv6header.so  libipt_ttl.so         libxt_connmark.so     libxt_standard.so
libip6t_mh.so          libipt_unclean.so     libxt_conntrack.so    libxt_state.so
libip6t_rt.so          libxt_AUDIT.so        libxt_dccp.so         libxt_statistic.so
libipt_CLUSTERIP.so    libxt_CHECKSUM.so     libxt_dscp.so         libxt_string.so
libipt_DNAT.so         libxt_CLASSIFY.so     libxt_esp.so          libxt_tcp.so
libipt_ECN.so          libxt_CONNMARK.so     libxt_hashlimit.so    libxt_tcpmss.so
libipt_LOG.so          libxt_CONNSECMARK.so  libxt_helper.so       libxt_time.so
libipt_MASQUERADE.so   libxt_DSCP.so         libxt_iprange.so      libxt_tos.so
libipt_MIRROR.so       libxt_MARK.so         libxt_length.so       libxt_u32.so
libipt_NETMAP.so       libxt_NFLOG.so        libxt_limit.so        libxt_udp.so
libipt_REDIRECT.so     libxt_NFQUEUE.so      libxt_mac.so
libipt_REJECT.so       libxt_NOTRACK.so      libxt_mark.so
libipt_SAME.so         libxt_RATEEST.so      libxt_multiport.so
    • multiport: multi-port match; up to 15 discrete ports in one rule
      [!] --sports port[,port|,port:port]  source ports
      [!] --dports port[,port|,port:port]  destination ports
      [!] --ports port[,port|,port:port]   either source or destination port
    • string: string match
      --algo {bm|kmp}            the search algorithm; required
      [!] --string pattern       the string to look for; can be negated
      [!] --hex-string pattern   the pattern to look for, written in hexadecimal
    • iprange: IP address ranges
      [!] --src-range from[-to]  source IP range
      [!] --dst-range from[-to]  destination IP range
    • time: match a time window
      --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]  start date
      --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]   end date
      --timestart hh:mm[:ss]     start time of day
      --timestop hh:mm[:ss]      end time of day
      [!] --monthdays day[,day...]  days of the month
      [!] --weekdays day[,day...]   days of the week
    • limit: packet rate limiting
      --limit rate[/second|/minute|/hour|/day]  number of packets per unit of time
      --limit-burst number       burst size; the maximum initial number of packets
    • connlimit: maximum number of concurrent connections per IP to a given service
      [!] --connlimit-above n    matches once the number of concurrent connections exceeds n
    • state: state match; matched against netfilter's internal connection table; anything that sets up a connection can be tracked

      Implemented through ip_conntrack / nf_conntrack, which track connections for the whole system
      INVALID      a connection that cannot be identified; for example tcp-flags ALL ALL or ALL NONE
      ESTABLISHED  a connection that is already established
      NEW          a newly initiated connection
      RELATED      a related connection; for example the FTP data connection relative to its command connection
      [Linux85]#iptables -A INPUT -d 172.16.251.85 -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
      #once a state match is used, the connection-tracking modules are loaded automatically
      [Linux85]#lsmod
      Module                  Size  Used by
      nf_conntrack_ipv4       9506  2
      nf_defrag_ipv4          1483  1 nf_conntrack_ipv4
      xt_state                1492  2
      nf_conntrack           79758  2 nf_conntrack_ipv4,xt_state
      [Linux85]#iptables -L -n -v
      Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
       pkts bytes target     prot opt in     out     source               destination    
         50  3768 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            172.16.251.85       tcp dpt:22 state NEW,ESTABLISHED
      Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination    
      Chain OUTPUT (policy ACCEPT 35 packets, 3252 bytes)
       pkts bytes target     prot opt in     out     source               destination    
      [Linux85]#cat /proc/sys/net/nf_conntrack_max
      15692  #the maximum number of tracked connections; can be tuned as needed
      [Linux85]#
      [Linux85]#iptables -L -n -v
      Chain INPUT (policy DROP 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination    
        357 25520 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            172.16.251.85       tcp dpt:22 state NEW,ESTABLISHED
      Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination    
      Chain OUTPUT (policy DROP 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination    
         63  6928 ACCEPT     tcp  --  *      *       172.16.251.85        0.0.0.0/0           tcp spt:22 state ESTABLISHED
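The listings above are how the post checks its rules after every change. The following is an added example, not code from the original post: a small audit over the text that iptables -L -n -v prints, reporting each chain's policy and every rule whose packet counter is still 0 (the way a rule shadowed by an earlier match shows up). SAMPLE is the post's own listing from example 4 in the next section, where the dpt:22 NEW rule has 0 hits because the admin's SSH session was already ESTABLISHED when that rule was added.

```shell
#!/bin/sh
# Added example, not from the original post: audit the output of
# 'iptables -L -n -v'.  SAMPLE is the post's listing from section 4, example 4.

SAMPLE='Chain INPUT (policy DROP 76 packets, 11352 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 27369 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       tcp dpt:22 state NEW
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       tcp dpt:80 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  304 34487 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED'

# Listing on stdin; prints "CHAIN POLICY" per chain ("-" for user-defined
# chains, which carry a reference count instead of a policy).
chain_policies() {
    awk '/^Chain / { if ($3 == "(policy") print $2, $4; else print $2, "-" }'
}

# Listing on stdin; prints "CHAIN#N TARGET match..." for every rule whose
# packet counter is 0.  Columns are: pkts bytes target prot opt in out
# source destination, followed by the match text from field 10 onwards.
unused_rules() {
    awk '
        /^Chain /  { chain = $2; n = 0; next }
        /^ *pkts / { next }
        NF == 0    { next }
        { n++
          if ($1 == 0) {
              line = chain "#" n " " $3
              for (i = 10; i <= NF; i++) line = line " " $i
              print line
          } }'
}

# Run both checks over a listing read from stdin (pipe iptables -L -n -v in).
audit_listing() {
    listing="$(cat)"
    echo "chain policies:"
    printf '%s\n' "$listing" | chain_policies
    echo "rules with zero hits (shadowed by an earlier rule, or never needed?):"
    printf '%s\n' "$listing" | unused_rules
}

printf '%s\n' "$SAMPLE" | audit_listing
```

A rule that stays at zero hits for a long time after a policy change is worth a second look: either an earlier rule already accepts that traffic, or the rule was never needed.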



4. Worked examples

1) Define a custom chain that filters malformed packets, and call it from INPUT

[Linux85]#iptables -N clean_in
#create an empty chain

[Linux85]#iptables -A clean_in -d 172.16.251.85 -p tcp --tcp-flags ALL ALL -j DROP
#DROP packets whose TCP flags are all set

[Linux85]#iptables -A clean_in -d 172.16.251.85 -p tcp --tcp-flags ALL NONE -j DROP
#DROP packets whose TCP flags are all clear

[Linux85]#iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
[Linux85]#iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
# broadcast packets

[Linux85]#iptables -A clean_in -d 172.16.251.85 -j RETURN
#if nothing matched, jump back to the calling chain and continue with its next rule

[Linux85]#iptables -A INPUT -d 172.16.251.85 -j clean_in
#call it from INPUT

[Linux85]#iptables -L -n -v
Chain INPUT (policy ACCEPT 38 packets, 2738 bytes)
 pkts bytes target     prot opt in     out     source               destination    
   35  2504 clean_in   all  --  *      *       0.0.0.0/0            172.16.251.85  
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination    
Chain OUTPUT (policy ACCEPT 23 packets, 3260 bytes)
 pkts bytes target     prot opt in     out     source               destination    
Chain clean_in (1 references)
 pkts bytes target     prot opt in     out     source               destination    
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.16.251.85       tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.16.251.85       tcp flags:0x3F/0x00
    0     0 DROP       icmp --  *      *       0.0.0.0/0            172.16.255.255 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            255.255.255.255
   35  2504 RETURN     all  --  *      *       0.0.0.0/0            172.16.251.85


2) Allow SSH to this host from a specified IP only

[Linux85]#iptables -A INPUT -s 172.16.254.28 -d 172.16.251.85 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#allow new and established connections
[Linux85]#iptables -A OUTPUT -s 172.16.251.85 -m state --state ESTABLISHED -j ACCEPT
#allow the established state
[Linux85]#iptables -P INPUT DROP
[Linux85]#iptables -P OUTPUT DROP
[Linux85]#iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1378 bytes)
 pkts bytes target     prot opt in     out     source               destination    
  396 29036 ACCEPT     tcp  --  *      *       172.16.254.28        172.16.251.85       tcp dpt:22 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination    
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination    
   91  8328 ACCEPT     all  --  *      *       172.16.251.85        0.0.0.0/0           state ESTABLISHED
[Linux87]#ssh 172.16.251.85
ssh: connect to host 172.16.251.85 port 22: Connection timed out
#test: host 87 cannot connect


3) Block ping to this host

[Linux86]#ping 172.16.251.87
PING 172.16.251.87 (172.16.251.87) 56(84) bytes of data.
64 bytes from 172.16.251.87: icmp_seq=1 ttl=64 time=0.848 ms
64 bytes from 172.16.251.87: icmp_seq=2 ttl=64 time=0.401 ms
64 bytes from 172.16.251.87: icmp_seq=3 ttl=64 time=0.412 ms

[Linux87]#iptables -A INPUT -d 172.16.251.87 -p icmp --icmp-type 8 -j DROP
#block ICMP echo requests from any host to this host
[Linux87]#iptables -L -vn       #check the matched packets
Chain INPUT (policy ACCEPT 221 packets, 27594 bytes)
 pkts bytes target     prot opt in     out     source               destination     
   71  5964 DROP       icmp --  *      *       0.0.0.0/0            172.16.251.87       icmp type 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
Chain OUTPUT (policy ACCEPT 98 packets, 14732 bytes)
 pkts bytes target     prot opt in     out     source               destination

[Linux86]#ping 172.16.251.87   #no longer answered
PING 172.16.251.87 (172.16.251.87) 56(84) bytes of data.


4) Allow port 80 on this host

#first allow SSH on port 22
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[Linux86]#iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
[Linux86]#iptables -P INPUT DROP
[Linux86]#iptables -P OUTPUT DROP
[Linux87]#curl http://172.16.251.86/index.html
curl: (7) couldn't connect to host
[Linux87]#
#test: cannot connect

[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#放行80端口
[Linux87]#curl http://172.16.251.86/index.html
This a test Page!
[Linux87]# Test: access now works
[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 76 packets, 11352 bytes)
 pkts bytes target     prot opt in     out     source               destination     
  340 27369 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       tcp dpt:22 state NEW
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       tcp dpt:80 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
  304 34487 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
# The matched packets are visible in the counters above


5) Allow an FTP service working in passive mode

[Linux87]#lftp 172.16.251.86/pub
cd `ftp://172.16.251.86/pub' [Connecting...]
# Test: cannot connect at present

[Linux86]#iptables -A OUTPUT -s 172.16.251.86 -p tcp --sport 21 -j ACCEPT
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 21 -j ACCEPT
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[Linux86]#iptables -A OUTPUT -s 172.16.251.86 -p tcp -m state --state ESTABLISHED -j ACCEPT
# The rules above allow the FTP port and its related connections; two kernel modules must also be loaded before this takes effect
[Linux86]#modprobe nf_nat_ftp
[Linux86]#modprobe nf_conntrack_ftp
[Linux86]#vi /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_nat_ftp nf_conntrack_ftp"
# Written to the configuration file so the modules are loaded automatically at the next boot

[Linux87]#lftp 172.16.251.86/pub
cd ok, cwd=/pub
lftp 172.16.251.86:/pub> ls
-rw-r--r--    1 0        0             103 Mar 24 06:23 issue
lftp 172.16.251.86:/pub> # Test: access works normally now

[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 326 packets, 41008 bytes)
 pkts bytes target     prot opt in     out     source               destination     
 1115 80408 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       tcp dpt:22
  174  9245 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       tcp dpt:21
   14   696 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
Chain OUTPUT (policy DROP 13 packets, 780 bytes)
 pkts bytes target     prot opt in     out     source               destination     
  671 72480 ACCEPT     tcp  --  *      *       172.16.251.86        0.0.0.0/0           tcp spt:22
  199 13355 ACCEPT     tcp  --  *      *       172.16.251.86        0.0.0.0/0           tcp spt:21
   14   885 ACCEPT     tcp  --  *      *       172.16.251.86        0.0.0.0/0           state ESTABLISHED
Packets are being matched. The rules above can be optimized; the optimized rules follow.

[Linux86]#iptables -I INPUT 1 -d 172.16.251.86 -m state --state RELATED,ESTABLISHED -j ACCEPT
[Linux86]#iptables -I INPUT 2 -d 172.16.251.86 -p tcp -m multiport --dports 21,22 -m state --state NEW -j ACCEPT
[Linux86]#iptables -I OUTPUT 1 -s 172.16.251.86 -m state --state ESTABLISHED -j ACCEPT
[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 2 packets, 406 bytes)
 pkts bytes target     prot opt in     out     source               destination     
  380 29174 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       state RELATED,ESTABLISHED
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       state NEW multiport dports 22,21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
   50  6192 ACCEPT     all  --  *      *       172.16.251.86        0.0.0.0/0           state ESTABLISHED
# After optimization FTP still works, and further ports such as 80 can be allowed in the same multiport rule


6) Block web pages containing a specified string

[Linux87]#curl http://172.16.251.86/admin.html
This a admin page!
[Linux87]#curl http://172.16.251.86/index.html
This a test Page!
[Linux87]#
Both requests above succeed; now write a rule that blocks pages containing the string "admin":

[Linux86]#iptables -I INPUT 1 -d 172.16.251.86 -p tcp -m string --algo bm --string "admin" -j DROP

[Linux87]#curl http://172.16.251.86/index.html
This a test Page!
[Linux87]#curl http://172.16.251.86/admin.html
curl: (52) Empty reply from server
[Linux87]#

[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 13 packets, 1264 bytes)
 pkts bytes target     prot opt in     out     source               destination     
   13  5510 DROP       tcp  --  *      *       0.0.0.0/0            172.16.251.86       STRING match "admin" ALGO name bm TO 65535
  931 79380 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       state RELATED,ESTABLISHED
   12   672 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.251.86       multiport dports 22,21,80 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     
  416 47643 ACCEPT     all  --  *      *       172.16.251.86        0.0.0.0/0           state ESTABLISHED
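The optimized ruleset from 5) and the string filter from 6), written as one iptables-restore file, as an added example that is not part of the original article. It assumes a POSIX shell and an iptables with iptables-restore and the CT target; the function names (gen_filter_ruleset, rule_count, apply_ruleset) and their parameters are this example's own, while the addresses and ports are the article's. Two things deliberately differ from the article's commands: the string match is restricted to port 80, because the article's rule has no --dport and therefore drops any inbound TCP packet to the host whose payload contains "admin" (an FTP login, for instance), and the FTP conntrack helper is assigned with an explicit CT rule in the raw table, since kernels from 4.7 on no longer attach helpers automatically after a modprobe.

```shell
#!/bin/sh
# Added example, not from the original article: emit the host-firewall
# ruleset of sections 5) and 6) (state tracking, multiport, FTP helper,
# string filter) as a single iptables-restore file instead of a sequence
# of -A/-I commands. Function names and parameters are this example's own.

# gen_filter_ruleset HOST_IP PORTS [BLOCKED_STRING]
#   HOST_IP        address the rules are bound to, e.g. 172.16.251.86
#   PORTS          comma-separated TCP ports that may open new connections
#   BLOCKED_STRING optional payload string to drop on port 80 (e.g. admin)
gen_filter_ruleset() {
    host_ip=$1
    ports=$2
    blocked=$3

    # raw table: assign the FTP helper explicitly. On the 2.6 kernels of the
    # article, loading nf_conntrack_ftp was enough; since kernel 4.7 automatic
    # helper assignment is disabled by default, so the CT target is the
    # portable way to get passive-mode data channels tracked as RELATED.
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $host_ip -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
EOF
    # The string filter must come before the ESTABLISHED accept (the GET
    # request travels on an established connection), but is limited to
    # port 80 so it cannot drop unrelated TCP traffic that happens to
    # contain the string.
    if [ -n "$blocked" ]; then
        printf '%s\n' "-A INPUT -d $host_ip -p tcp --dport 80 -m string --algo bm --string \"$blocked\" -j DROP"
    fi
    cat <<EOF
-A INPUT -d $host_ip -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d $host_ip -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
-A OUTPUT -s $host_ip -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# rule_count RULESET_TEXT: number of -A rule lines, for a quick sanity check
rule_count() {
    printf '%s\n' "$1" | grep -c -- '^-A '
}

# apply_ruleset HOST_IP PORTS [BLOCKED_STRING]: load the ruleset (needs root).
# iptables-restore swaps the tables in one transaction, so the host is never
# left with only part of the rules in place while the INPUT policy is DROP.
apply_ruleset() {
    modprobe nf_conntrack_ftp 2>/dev/null
    gen_filter_ruleset "$@" | iptables-restore
}

# Preview (no root needed):  gen_filter_ruleset 172.16.251.86 21,22,80 admin
# Apply (as root):           apply_ruleset 172.16.251.86 21,22,80 admin
```

Preview the generated file before applying it; the counters shown by iptables -L -nv afterwards should look like the article's optimized listing, with the string rule at the top of INPUT and the RELATED,ESTABLISHED accept directly below it.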


5. Configuring NAT forwarding to allow web and other services across different networks

NAT: network address translation. iptables implements address translation with two targets, SNAT and DNAT.

SNAT: source address translation; used to let internal hosts reach the Internet. Rules are written in POSTROUTING or OUTPUT.

DNAT: destination address translation; lets hosts on the Internet reach a service on a server inside the local internal network. Rules are written in PREROUTING.


大體規劃:

Configure three virtual machines:

linux87: 172.16.251.87 (internal) / 192.168.111.11 (external)

linux86: 172.16.251.86    gateway: 172.16.251.87

linux12:192.168.111.12  

Assume 192.168.111.12 plays the external host and provides FTP, web and other services.

linux87:

[Linux87]#ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:5E:1E:4F
          inet addr:172.16.251.87  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fe5e:1e4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44356 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8569 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5091283 (4.8 MiB)  TX bytes:4238794 (4.0 MiB)
          Interrupt:19 Base address:0x2000
eth1      Link encap:Ethernet  HWaddr 00:0C:29:5E:1E:59
          inet addr:192.168.111.11  Bcast:192.168.111.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe5e:1e59/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11513 (11.2 KiB)  TX bytes:2615 (2.5 KiB)

# After configuring the IP addresses, enable IP forwarding
[Linux87]#sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[Linux87]#

linux86:

[Linux86]#ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:DF:70:B6
          inet addr:172.16.251.86  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fedf:70b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21060 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1984222 (1.8 MiB)  TX bytes:707372 (690.7 KiB)
# Configure the gateway
[Linux86]#route add default gw 172.16.251.87
[Linux86]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         172.16.251.87   0.0.0.0         UG    0      0        0 eth0


For convenience of the demonstration, the gateway of 192.168.111.12 is first pointed at 192.168.111.11; that gateway is removed again later in the procedure.

linux12:

[Linux12]#ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:4D:AE:B9
          inet addr:192.168.111.12  Bcast:192.168.111.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe4d:aeb9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23231 (22.6 KiB)  TX byte

# Provides FTP, web and other services
[Linux12]#ss -tunl | grep 80
tcp    LISTEN     0      128                   :::80                   :::*  
[Linux12]#ss -tunl | grep 21
udp    UNCONN     0      0                      *:35216                 *:*  
tcp    LISTEN     0      32                     *:21                    *:*  
[Linux12]#
[Linux12]#vi /var/www/html/index.html
This is 192.168.111.12 page!
[Linux12]#cd /var/ftp/pub/
[Linux12]#touch 192.168.111.12.txt
[Linux12]#ls
192.168.111.12.txt
[Linux12]#


With the configuration above, the internal network can in fact already reach the server, because forwarding is enabled and both gateways point at 172.16.251.87. Let's check:

[Linux87]#curl http://192.168.111.12
This is 192.168.111.12 page!
[Linux87]#
[Linux86]#curl http://192.168.111.12
This is 192.168.111.12 page!
[Linux86]#
[Linux86]#lftp 192.168.111.12/pub
cd ok, cwd=/pub
lftp 192.168.111.12:/pub> ls
-rw-r--r--    1 0        0               0 Mar 28 08:39 192.168.111.12.txt
# Test: all accesses succeed
[Linux12]#tail -3 /var/log/httpd/access_log
192.168.111.11 - - [28/Mar/2014:16:42:39 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" # this is the intermediate router
172.16.251.86 - - [28/Mar/2014:16:45:26 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" # this is linux86
172.16.254.28 - - [28/Mar/2014:16:45:45 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" # this is the host machine's IP
[Linux12]#


Now delete the gateway on 192.168.111.12, set up SNAT, and then look at the log again.

[Linux86]#curl http://192.168.111.12
curl: (7) couldn't connect to host
[Linux86]#
Now add the rule:
[Linux87]#iptables -t nat -A POSTROUTING -s 172.16.251.86 -j SNAT --to-source 192.168.111.11
[Linux86]#curl http://192.168.111.12
This is 192.168.111.12 page!
[Linux86]# Tested again; access works
Add the gateway back and check the log:
[Linux12]# tail -4 /var/log/httpd/access_log
172.16.254.28 - - [28/Mar/2014:16:45:45 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
192.168.111.11 - - [28/Mar/2014:16:52:33 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
192.168.111.11 - - [28/Mar/2014:16:54:31 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
192.168.111.11 - - [28/Mar/2014:16:54:32 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
[Linux12]# The source addresses above have all become linux87's external IP


SNAT is now working; next, DNAT.

[Linux87]#ss -tunl | grep 80
[Linux87]#
# linux87 itself provides no web service
[Linux86]#curl http://172.16.251.87
curl: (7) couldn't connect to host
[Linux86]# Test: cannot connect. Now translate the destination address to 192.168.111.12. In this step 192.168.111.12 is no longer playing the external host; think of it as an internal server, i.e. the roles are swapped relative to the SNAT case.
[Linux87]#iptables -t nat -A PREROUTING  -d 172.16.251.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.111.12
DNAT rules must be added in PREROUTING.
[Linux86]#curl http://172.16.251.87
This is 192.168.111.12 page!
[Linux86]#
# Test succeeds. The host machine can reach it too, because the rule accepts any source address; to block particular sources, DROP their IPs in the FORWARD chain.

# Port mapping is also supported, for example:
[Linux87]#iptables -t nat -A PREROUTING  -d 172.16.251.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.111.12:8080
which translates the connection to port 8080 on the target.
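The SNAT and DNAT rules of this section, together with the FORWARD filtering the text mentions, as one iptables-restore file for the router (linux87); this is an added example, not the article's own commands. It generalizes the article's SNAT rule from a single host (-s 172.16.251.86) to the whole internal network, restricts it to the external interface, and gives FORWARD a DROP policy with explicit accepts, so unwanted sources are blocked by default instead of by DROP rules added afterwards. Function names and parameters are this example's assumptions; the addresses, interface names and ports are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: router-side NAT ruleset
# (SNAT for the internal network, DNAT with optional port mapping for the
# published web service) plus a default-DROP FORWARD chain.
# Function names and parameters are this example's own.

# gen_nat_ruleset LAN_NET WAN_IF WAN_IP LAN_IP SERVER SERVER_PORT [PUBLIC_PORT]
#   LAN_NET     internal network, e.g. 172.16.0.0/16
#   WAN_IF      router's external interface, e.g. eth1
#   WAN_IP      router's external address used as SNAT source, e.g. 192.168.111.11
#   LAN_IP      router's internal address that clients connect to, e.g. 172.16.251.87
#   SERVER      real server the DNAT points to, e.g. 192.168.111.12
#   SERVER_PORT port on the real server, e.g. 80 or 8080
#   PUBLIC_PORT port clients use on LAN_IP (default 80)
gen_nat_ruleset() {
    lan_net=$1
    wan_if=$2
    wan_ip=$3
    lan_ip=$4
    server=$5
    server_port=$6
    public_port=${7:-80}
    # DNAT happens in PREROUTING, so by the time the packet reaches FORWARD
    # its destination is already $server:$server_port; the FORWARD accept
    # below therefore matches the translated address, not $lan_ip.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $lan_ip -p tcp --dport $public_port -j DNAT --to-destination $server:$server_port
-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $lan_net -o $wan_if -m state --state NEW -j ACCEPT
-A FORWARD -d $server -p tcp --dport $server_port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# forward_rule_count RULESET_TEXT: number of explicit FORWARD rules
forward_rule_count() {
    printf '%s\n' "$1" | grep -c -- '^-A FORWARD '
}

# apply_nat_ruleset ...: enable forwarding and load the tables (needs root)
apply_nat_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_nat_ruleset "$@" | iptables-restore
}

# Preview:         gen_nat_ruleset 172.16.0.0/16 eth1 192.168.111.11 172.16.251.87 192.168.111.12 80
# Port mapping:    gen_nat_ruleset 172.16.0.0/16 eth1 192.168.111.11 172.16.251.87 192.168.111.12 8080
# Apply (as root): apply_nat_ruleset 172.16.0.0/16 eth1 192.168.111.11 172.16.251.87 192.168.111.12 80
```

Because the SNAT rule also rewrites the DNAT'd flows that leave through eth1, the real server sees the router's external address as the client, exactly as in the access_log excerpt above; if the server must log the original client addresses, exclude the published service from SNAT and give the server a route back to the internal network instead.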

This concludes the iptables basics. Besides writing suitable rules, it is even more important to optimize them, since that is what improves efficiency.


Corrections of any errors are welcome.
