iptables基礎詳解與實例
1、iptables定義html
iptables是一個工做於用戶空間的防火牆應用軟件,容許系統管理員能夠調整設置X表(Xtables)提供相關的系統表格(目前主要位於iptables/netfilter)以及相關的「鏈」與「規則」來管理網絡數據包的流動與轉送的動做。因相關動做上的須要,iptables的操做須要用到超級用戶的權限。在大部份的Linux系統上面,iptables是使用/usr/sbin/iptables來操做,文件則放置在手冊頁(Man page[2])底下,能夠經過 man iptables 指令取得。一般iptables都須要內核層級的模塊來配合運做,Xtables是主要在內核層級裏面iptables API運做功能的模塊。python
主機防火牆:網絡層防火牆可視爲一種 IP 數據包過濾器,運做在底層的TCP/IP協議堆棧上linux
網絡防火牆:工做於網絡邊緣的硬件設備;對於到達網絡的數據包根據某種規則進行過濾處理。web
2、iptables的四表和五鏈算法
四表 服務器
| raw |
設置爲raw時再也不iptables作數據包鏈接跟蹤處理 |
| mangle | 用於對數據包的一些傳輸特性進行修改(TOS、TTL...) |
| nat | 用於對地址轉發功能(端口映射、地址隱射等) |
| filter | 對數據包的過濾功能(最經常使用的;默認項) |
五鏈網絡
| PREROUTING | 數據包進入路由以前 |
| INPUT | 數據經過路由表後的目標位本機 |
| FORWARD | 數據經過路由表後的目標不爲本機 |
| OUTPUT | 由本機出去的數據包向外發送 |
| POSTROUTING | 從網卡接口出去以前 |
對應關係併發
| 鏈 | 表 |
| FORWARD | filter、mangle |
| INPUT | filter、mangle |
| OUTPUT | filter、mangle、nat |
| PREROUTING | mangle、nat |
| POSTROUTING | mangle、nat |
| 表 | 鏈 |
| filter | INPUT、FORWARD、OUTPUT |
| nat | PREROUTING、OUTPUT、POSTROUTING |
| mangle | PREROUTING、INPUT、OUTPUT、FORWARD、POSTROUTING |
| raw | PREROUTING、OUTPUT |
3、基本的用法app
一、格式ssh
[Linux85]#man iptables
IPTABLES(8) iptables 1.4.7 IPTABLES(8)
NAME
iptables -- administration tool for IPv4 packet filtering and NAT
SYNOPSIS
iptables [-t table] {-A|-D} chain rule-specification
#指定的鏈附加或刪除規則
iptables [-t table] -I chain [rulenum] rule-specification
#指定的鏈插入一條規則,默認爲第一條
iptables [-t table] -R chain rulenum rule-specification
#覆蓋指定的鏈中的規則;規則須要從新寫
iptables [-t table] -D chain rulenum
#刪除指定鏈的規則以行號格式
iptables [-t table] -S [chain [rulenum]]
#只顯示指定鏈的規則添加命令
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
#-F:清空鏈中的規則
#-L:列出表中的全部規則
#-Z:清空規則計數器
iptables [-t table] -N chain
#建立一條自定義空的規則鏈
iptables [-t table] -X [chain]
#刪除一條自定義空的規則鏈
iptables [-t table] -P chain target
#爲鏈指定默認策略;指定默認規則
iptables [-t table] -E old-chain-name new-chain-name
#修改自定義鏈名稱
二、匹配條件
通用匹配
-s 匹配源地址;ip或網絡地址;! 能夠取反。 -d 匹配目標地址;ip或網絡地址;! 能夠取反。 -p 匹配協議{tcp|udp|icmp} -i 數據報文流入的接口;一般{INPUT|FORWARD|PREROUTING} -o 數據報文流出的接口;一般{OUTPUT|FORWARD|POSTROUTING} 擴展匹配
隱含擴展:使用-p{tcp|udp|icmp}指定某特定協議後;自動可以對協議進行的擴展
--dport m[-n]:匹配的目標端口;能夠是連續的多個端口
--sport m[-n]:匹配的目標端口;能夠是連續的多個端口
--tcp-flags:根據tcp的標誌位來匹配
--icmp-type:icmp的狀態
顯式擴展:必需要明確指定的擴展模塊
-m:擴展模塊名稱 --專用選項1 --專用選項2...(/lib64/xtables/*)
[Linux85]#ls /lib64/xtables/ libip6t_HL.so libipt_SET.so libxt_SECMARK.so libxt_osf.so libip6t_LOG.so libipt_SNAT.so libxt_TCPMSS.so libxt_owner.so libip6t_REJECT.so libipt_TTL.so libxt_TCPOPTSTRIP.so libxt_physdev.so libip6t_ah.so libipt_ULOG.so libxt_TOS.so libxt_pkttype.so libip6t_dst.so libipt_addrtype.so libxt_TPROXY.so libxt_policy.so libip6t_eui64.so libipt_ah.so libxt_TRACE.so libxt_quota.so libip6t_frag.so libipt_ecn.so libxt_cluster.so libxt_rateest.so libip6t_hbh.so libipt_icmp.so libxt_comment.so libxt_recent.so libip6t_hl.so libipt_realm.so libxt_connbytes.so libxt_sctp.so libip6t_icmp6.so libipt_set.so libxt_connlimit.so libxt_socket.so libip6t_ipv6header.so libipt_ttl.so libxt_connmark.so libxt_standard.so libip6t_mh.so libipt_unclean.so libxt_conntrack.so libxt_state.so libip6t_rt.so libxt_AUDIT.so libxt_dccp.so libxt_statistic.so libipt_CLUSTERIP.so libxt_CHECKSUM.so libxt_dscp.so libxt_string.so libipt_DNAT.so libxt_CLASSIFY.so libxt_esp.so libxt_tcp.so libipt_ECN.so libxt_CONNMARK.so libxt_hashlimit.so libxt_tcpmss.so libipt_LOG.so libxt_CONNSECMARK.so libxt_helper.so libxt_time.so libipt_MASQUERADE.so libxt_DSCP.so libxt_iprange.so libxt_tos.so libipt_MIRROR.so libxt_MARK.so libxt_length.so libxt_u32.so libipt_NETMAP.so libxt_NFLOG.so libxt_limit.so libxt_udp.so libipt_REDIRECT.so libxt_NFQUEUE.so libxt_mac.so libipt_REJECT.so libxt_NOTRACK.so libxt_mark.so libipt_SAME.so libxt_RATEEST.so libxt_multiport.so
-
-
multiport:多端口匹配;一次指定多個(15個之內的)離散端口 [!] --sports port[,port|,port:port] 源端口 [!] --dports port[,port|,port:port] 目標端口 [!] --ports port[,port|,port:port] 不區分源與目標端口 -
string:字符串匹配 --algo {bm|kmp} 字符匹配查找時使用算法;必選 [!] --string pattern 要查找的字符串;能夠取反 [!] --hex-string pattern 要查找的字符;先編碼成16進制的格式 -
iprange:ip地址範圍 [!] --src-range from[-to] 源IP; [!] --dst-range from[-to] 目標IP; -
time:指定時間範圍 --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] 起始日期 --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] 結束日期 --timestart hh:mm[:ss] 起始時間 --timestop hh:mm[:ss] 結束時間 [!] --monthdays day[,day...] 每個月幾號 [!] --weekdays day[,day...] 每週幾 -
limit:報文速率控制 --limit rate[/second|/minute|/hour|/day] number/單位 --limit-burst number 峯值;最大值 -
connlimit:每IP對指定服務最大併發鏈接數 [!] --connlimit-above n 併發超出個數 -
state:狀態匹配;根據netfilter內部會話表匹配;能創建鏈接的都能追蹤 根據ip_conntrack和nf_conntrack來實現對整個系統鏈接追蹤 INVALID 沒法識別的鏈接;例如:tcp-flags ALL ALL/ALL NONE ESTABLISHED 已創建鏈接的 NEW 新創建的鏈接 RELATED 相關聯的;例如命令鏈接到數據鏈接 [Linux85]#iptables -A INPUT -d 172.16.251.85 -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT #使用state後;鏈接追蹤模塊會自動加載 [Linux85]#lsmod Module Size Used by nf_conntrack_ipv4 9506 2 nf_defrag_ipv4 1483 1 nf_conntrack_ipv4 xt_state 1492 2 nf_conntrack 79758 2 nf_conntrack_ipv4,xt_state [Linux85]#iptables -L -n -v Chain INPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination 50 3768 ACCEPT tcp -- eth0 * 0.0.0.0/0 172.16.251.85 tcp dpt:22 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 35 packets, 3252 bytes) pkts bytes target prot opt in out source destination [Linux85]#cat /proc/sys/net/nf_conntrack_max 15692 #定義了鏈接追蹤的最大值;能夠按需調整 [Linux85]# [Linux85]#iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 357 25520 ACCEPT tcp -- eth0 * 0.0.0.0/0 172.16.251.85 tcp dpt:22 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 63 6928 ACCEPT tcp -- * * 172.16.251.85 0.0.0.0/0 tcp spt:22 state ESTABLISHED
-
4、實例演示
一、自定義一個規則鏈;過濾非法數據包;並被調用
[Linux85]#iptables -N clean_in
#創建一條空規則鏈
[Linux85]#iptables -A clean_in -d 172.16.251.85 -p tcp --tcp-flags ALL ALL -j DROP
#DROP掉tcp-flags值全爲1的
[Linux85]#iptables -A clean_in -d 172.16.251.85 -p tcp --tcp-flags ALL NONE -j DROP
#DROP掉tcp-flags值全爲0的
[Linux85]#iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
[Linux85]#iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
# 廣播包
[Linux85]#iptables -A clean_in -d 172.16.251.85 -j RETURN
#檢測完無匹配就跳回主鏈;繼續下一條檢測
[Linux85]#iptables -A INPUT -d 172.16.251.85 -j clean_in
#在INPUT調用
[Linux85]#iptables -L -n -v
Chain INPUT (policy ACCEPT 38 packets, 2738 bytes)
pkts bytes target prot opt in out source destination
35 2504 clean_in all -- * * 0.0.0.0/0 172.16.251.85
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23 packets, 3260 bytes)
pkts bytes target prot opt in out source destination
Chain clean_in (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 172.16.251.85 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 172.16.251.85 tcp flags:0x3F/0x00
0 0 DROP icmp -- * * 0.0.0.0/0 172.16.255.255
0 0 DROP icmp -- * * 0.0.0.0/0 255.255.255.255
35 2504 RETURN all -- * * 0.0.0.0/0 172.16.251.85
二、放行本機的ssh端口給指定IP
[Linux85]#iptables -A INPUT -s 172.16.254.28 -d 172.16.251.85 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT #放行新創建和已鏈接的 [Linux85]#iptables -A OUTPUT -s 172.16.251.85 -m state --state ESTABLISHED -j ACCEPT #放行已鏈接的狀態 [Linux85]#iptables -P INPUT DROP [Linux85]#iptables -P OUTPUT DROP [Linux85]#iptables -L -n -v Chain INPUT (policy DROP 11 packets, 1378 bytes) pkts bytes target prot opt in out source destination 396 29036 ACCEPT tcp -- * * 172.16.254.28 172.16.251.85 tcp dpt:22 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 91 8328 ACCEPT all -- * * 172.16.251.85 0.0.0.0/0 state ESTABLISHED [Linux87]#ssh 172.16.251.85 ssh: connect to host 172.16.251.85 port 22: Connection timed out [Linux87]#測試87這臺機器沒法鏈接
三、本機禁ping
[Linux86]#ping 172.16.251.87
PING 172.16.251.87 (172.16.251.87) 56(84) bytes of data.
64 bytes from 172.16.251.87: icmp_seq=1 ttl=64 time=0.848 ms
64 bytes from 172.16.251.87: icmp_seq=2 ttl=64 time=0.401 ms
64 bytes from 172.16.251.87: icmp_seq=3 ttl=64 time=0.412 ms
[Linux87]#iptables -A INPUT -d 172.16.251.87 -p icmp --icmp-type 8 -j DROP
#禁止任何主機對於本機的icmp的請求
[Linux87]#iptables -L -vn 查看已匹配到包
Chain INPUT (policy ACCEPT 221 packets, 27594 bytes)
pkts bytes target prot opt in out source destination
71 5964 DROP icmp -- * * 0.0.0.0/0 172.16.251.87 icmp type 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 98 packets, 14732 bytes)
pkts bytes target prot opt in out source destination
[Linux86]#ping 172.16.251.87 已經沒法ping了
PING 172.16.251.87 (172.16.251.87) 56(84) bytes of data.
四、放行本機80端口
#首先先放行ssh的22號端口
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[Linux86]#iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
[Linux86]#iptables -P INPUT DROP
[Linux86]#iptables -P OUTPUT DROP
[Linux87]#curl http://172.16.251.86/index.html
curl: (7) couldn't connect to host
[Linux87]#
#測試沒法訪問
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#放行80端口
[Linux87]#curl http://172.16.251.86/index.html
This a test Page!
[Linux87]#測試能夠訪問了
[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 76 packets, 11352 bytes)
pkts bytes target prot opt in out source destination
340 27369 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:22 state NEW
3 164 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:80 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
304 34487 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
#上述均可以看到匹配的包
五、放行被動工做的ftp服務
[Linux87]#lftp 172.16.251.86/pub
cd `ftp://172.16.251.86/pub' [Connecting...]
#測試目前沒法鏈接
[Linux86]#iptables -A OUTPUT -s 172.16.251.86 -p tcp --sport 21 -j ACCEPT
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 21 -j ACCEPT
[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[Linux86]#iptables -A OUTPUT -s 172.16.251.86 -p tcp -m state --state ESTABLISHED -j ACCEPT
#上述是放行ftp的端口和相關聯的會話鏈接;還須要裝載兩個模塊才能生效
[Linux86]#modprobe nf_nat_ftp
[Linux86]#modprobe nf_conntrack_ftp
[Linux86]#vi /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_nat_ftp nf_conntrack_ftp"
#寫到配置文件;下次開機能夠自動裝載
[Linux87]#lftp 172.16.251.86/pub
cd ok, cwd=/pub
lftp 172.16.251.86:/pub> ls
-rw-r--r-- 1 0 0 103 Mar 24 06:23 issue
lftp 172.16.251.86:/pub> #測試能夠正常訪問了
[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 326 packets, 41008 bytes)
pkts bytes target prot opt in out source destination
1115 80408 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:22
174 9245 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:21
14 696 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 13 packets, 780 bytes)
pkts bytes target prot opt in out source destination
671 72480 ACCEPT tcp -- * * 172.16.251.86 0.0.0.0/0 tcp spt:22
199 13355 ACCEPT tcp -- * * 172.16.251.86 0.0.0.0/0 tcp spt:21
14 885 ACCEPT tcp -- * * 172.16.251.86 0.0.0.0/0 state ESTABLISHED
匹配到了包;對於上述規則能夠進行優化處理;下述進行優化規則
[Linux86]#iptables -I INPUT 1 -d 172.26.251.86 -m state --state RELATED,ESTABLISHED -j ACCEPT
[Linux86]#iptables -I INPUT 2 -d 172.26.251.86 -p tcp -m multiport --dports 21,22 -m state --state NEW -j ACCEPT
[Linux86]#iptables -I OUTPUT 1 -s 172.16.251.86 -m state --state ESTABLISHED -j ACCEPT
[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 2 packets, 406 bytes)
pkts bytes target prot opt in out source destination
380 29174 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state RELATED,ESTABLISHED
2 104 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state NEW multiport dports 22,21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
50 6192 ACCEPT all -- * * 172.16.251.86 0.0.0.0/0 state ESTABLISHED
#優化後;測試ftp正常;且還能夠放行例如80等端口
六、屏蔽指定字符串的網頁
[Linux87]#curl http://172.16.251.86/admin.html
This a admin page!
[Linux87]#curl http://172.16.251.86/index.html
This a test Page!
[Linux87]#
上述訪問正常;下面來寫規則進行屏蔽admin字符的頁面
[Linux86]#iptables -I INPUT 1 -d 172.16.251.86 -p tcp -m string --algo bm --string "admin" -j DROP
[Linux87]#curl http://172.16.251.86/index.html
This a test Page!
[Linux87]#curl http://172.16.251.86/admin.html
curl: (52) Empty reply from server
[Linux87]#
[Linux86]#iptables -L -nv
Chain INPUT (policy DROP 13 packets, 1264 bytes)
pkts bytes target prot opt in out source destination
13 5510 DROP tcp -- * * 0.0.0.0/0 172.16.251.86 STRING match "admin" ALGO name bm TO 65535
931 79380 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state RELATED,ESTABLISHED
12 672 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 multiport dports 22,21,80 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
416 47643 ACCEPT all -- * * 172.16.251.86 0.0.0.0/0 state ESTABLISHED
5、配置nat轉發在不一樣網絡放行web等服務
NAT:網絡地址轉換;iptables基於SNAT和DNAT這兩個目標實現地址轉換技術。
SNAT:源地址轉換;用於讓內網主機訪問互聯網。在POSTROUTING或OUTPUT上寫規則。
DNAT:目標地址轉換;讓互聯網上主機訪問本地內網中的某服務器上的服務。在PREROUTING上寫規則。
大體規劃:
配置三臺虛擬機:
linux87:172.16.251.87(內網)/192.168.111.11(外網)
linux86:172.16.251.86 網關指向:172.16.251.87
linux12:192.168.111.12
假設由192.168.111.12充當外網提供ftp和web等服務;
linux87:
[Linux87]#ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:5E:1E:4F
inet addr:172.16.251.87 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fe5e:1e4f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44356 errors:0 dropped:0 overruns:0 frame:0
TX packets:8569 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5091283 (4.8 MiB) TX bytes:4238794 (4.0 MiB)
Interrupt:19 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0C:29:5E:1E:59
inet addr:192.168.111.11 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe5e:1e59/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122 errors:0 dropped:0 overruns:0 frame:0
TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11513 (11.2 KiB) TX bytes:2615 (2.5 KiB)
#配置好IP地址後開啓轉發功能;
[Linux87]#sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[Linux87]#
linux86:
[Linux86]#ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:DF:70:B6
inet addr:172.16.251.86 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fedf:70b6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21060 errors:0 dropped:0 overruns:0 frame:0
TX packets:5558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1984222 (1.8 MiB) TX bytes:707372 (690.7 KiB)
#配置網關
[Linux86]#route add default gw 172.16.251.87
[Linux86]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.16.251.87 0.0.0.0 UG 0 0 0 eth0
爲了演示方便;這裏先把192.168.111.12的網關指向111.11;後續操做時在刪除這個網關
linux12:
[Linux12]#ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:4D:AE:B9
inet addr:192.168.111.12 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe4d:aeb9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:268 errors:0 dropped:0 overruns:0 frame:0
TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23231 (22.6 KiB) TX byte
#提供ftp和web等服務
[Linux12]#ss -tunl | grep 80
tcp LISTEN 0 128 :::80 :::*
[Linux12]#ss -tunl | grep 21
udp UNCONN 0 0 *:35216 *:*
tcp LISTEN 0 32 *:21 *:*
[Linux12]#
[Linux12]#vi /var/www/html/index.html
This is 192.168.111.12 page!
[Linux12]#cd /var/ftp/pub/
[Linux12]#touch 192.168.111.12.txt
[Linux12]#ls
192.168.111.12.txt
[Linux12]#
上述配置完成後內部網絡其實已經能夠訪問了;由於轉發功能已開啓;且網關都以指向251.87這臺機器;因此這裏能夠看下效果
[Linux87]#curl http://192.168.111.12 This is 192.168.111.12 page! [Linux87]# [Linux86]#curl http://192.168.111.12 This is 192.168.111.12 page! [Linux86]# [Linux86]#lftp 192.168.111.12/pub cd ok, cwd=/pub lftp 192.168.111.12:/pub> ls -rw-r--r-- 1 0 0 0 Mar 28 08:39 192.168.111.12.txt #測試訪問都是正常的 [Linux12]#tail -3 /var/log/httpd/access_log 192.168.111.11 - - [28/Mar/2014:16:42:39 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" #這臺是中間路由機器 172.16.251.86 - - [28/Mar/2014:16:45:26 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" #這臺是linux86 172.16.254.28 - - [28/Mar/2014:16:45:45 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" #這臺是宿主機的IP [Linux12]#
下面先把192.168.111.12上的網關刪除;然後作SNAT轉發後在查看下日誌
[Linux86]#curl http://192.168.111.12 curl: (7) couldn't connect to host [Linux86]# 下面寫入規則 [Linux87]#iptables -t nat -A POSTROUTING -s 172.16.251.86 -j SNAT --to-source 192.168.111.11 [Linux86]#curl http://192.168.111.12 This is 192.168.111.12 page! [Linux86]#再次測試;訪問正常 加入網關;來查看下日誌 [Linux12]# tail -4 /var/log/httpd/access_log 172.16.254.28 - - [28/Mar/2014:16:45:45 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 192.168.111.11 - - [28/Mar/2014:16:52:33 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" 192.168.111.11 - - [28/Mar/2014:16:54:31 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" 192.168.111.11 - - [28/Mar/2014:16:54:32 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" [Linux12]# 上面的訪問地址都已變成linux87這臺外網IP了
上面的SNAT轉換以成功;下面進行DNAT地址轉換
[Linux87]#ss -tunl | grep 80
[Linux87]#
#linux87主機上不提供web服務
[Linux86]#curl http://172.16.251.87
curl: (7) couldn't connect to host
[Linux86]#測試也沒法訪問;如今把目標地址轉換到192.168.111.12上。此時192.168.111.12不是做爲外網提供;能夠想象是做爲內網的;與SNAT相互調換便可
[Linux87]#iptables -t nat -A PREROUTING -d 172.16.251.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.111.12
DNAT轉換須要在PREROUTING上添加規則
[Linux86]#curl http://172.16.251.87
This is 192.168.111.12 page!
[Linux86]#
#測試訪問成功;宿主機上也是能夠正常訪問的;由於源地址是開放給全部主機的;如須要屏蔽;能夠在FORWARD上DROP須要屏蔽的IP便可
#支持端口映射;例如
[Linux87]#iptables -t nat -A PREROUTING -d 172.16.251.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.111.12:8080
能夠轉換到8080端口的。
至此;基本的iptables已結束;iptables規則除了要寫出合適的規則;更重要的是要優化好規則才能更能提升效率。
若有錯誤;懇請糾正。
相關文章
- 1. iptables基礎知識詳解
- 2. iptables基礎知識.詳解
- 3. iptables與netfilter基礎與示例
- 4. iptables 基礎與案例配置
- 5. iptables 詳解配置與舉例
- 6. [iptables] iptables基礎
- 7. iptables詳解及實例演示
- 8. centos6.5下iptables基礎知識詳解與配置
- 9. Dubbo入門基礎與實例講解
- 10. Dubbo入門基礎與實例講解(超詳細)
- 更多相關文章...
- • PHP 實例 - AJAX 與 XML - PHP教程
- • Kotlin 基礎語法 - Kotlin 教程
- • Flink 數據傳輸及反壓詳解
- • ☆基於Java Instrument的Agent實現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
