Using iptables

iptables

        firewall: an isolation tool; a packet-filter firewall sits at the edge of a host or network, inspects the packets passing through it against pre-defined rules (match conditions), and applies a pre-defined action to every packet a rule matches.

        Hardware firewall: part of the filtering is done at the hardware level; the rest is implemented in software.

        Software firewall: the filtering logic runs as an application on a general-purpose hardware platform.

        Host firewall: protects only the host it runs on.

        Network firewall: protects the LAN behind it.

                  

        iptables/netfilter

                netfilter: the firewall framework; lives in kernel space.

                iptables: the command-line rule-management tool; lives in user space.

                  

                netfilter

                        hook functions

                                prerouting
                                input
                                forward
                                output
                                postrouting

                iptables

                        CHAINS (one built-in chain per hook):

                                PREROUTING
                                INPUT
                                FORWARD
                                OUTPUT
                                POSTROUTING

                        Packet paths

                                Packets addressed to a process on this host: PREROUTING -> INPUT
                                Packets forwarded by this host: PREROUTING -> FORWARD -> POSTROUTING
                                Packets sent by a process on this host: OUTPUT -> POSTROUTING

                           

                        tables

                                filter: packet filtering, the firewall proper
                                nat: network address translation
                                mangle: unpack the packet, modify it (TTL, TOS, marks) and re-encapsulate it
                                raw: exempt packets from the connection tracking that the nat table relies on (NOTRACK/CT targets)

                                Priority (high to low), i.e. the order in which the tables are consulted on one hook:

                                        raw -> mangle -> nat -> filter

[figure: 1.png]

                                Table <-> hooks:

                                        raw: PREROUTING, OUTPUT
                                        mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
                                        nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
                                        filter: INPUT, FORWARD, OUTPUT

[figure: 2.png]

 

 

                        Parts of an iptables rule

                                Match conditions:
                                        Network-layer header: source IP, destination IP
                                        Transport-layer header: source port, destination port
                                        Extended checks provided by match modules
                                Action: target
                                        ACCEPT, DROP, REJECT

                           

                Installation:

                        netfilter: the packet-processing framework inside the kernel's TCP/IP stack; nothing to install.

                        iptables

                                CentOS 5/6: rules are written with the iptables command

                                        iptables -t filter -F        # flush the filter table (rules only; the chain policies stay)
                                        # service iptables save

                                CentOS 7: firewalld (firewall-cmd, firewall-config) manages the rules by default; to drive iptables directly, disable it first

                                        systemctl disable firewalld

                                Packages: iptables, iptstate

                                    

                The iptables command

                        Rule: every packet passing the chain is tested against the rule's match conditions; on the first rule that matches, the action given after the conditions is applied, and for a terminating target (ACCEPT, DROP, REJECT) evaluation of the chain stops there.

                                Match conditions:
                                        Basic matches: source address, destination address, transport protocol
                                        Extended matches: require a match module
                                                Implicit extensions: the options that belong to the protocol already named with -p
                                                Explicit extensions: every other match module, named with -m

                                Actions:
                                        Basic targets: ACCEPT, DROP, ...
                                        Extended targets: implemented by target modules, which are loaded automatically; only the target name (and its options) is given after -j

                        Questions to answer before adding a rule:

                                1) Where does the packet pass through? This decides the chain.
                                2) What function is wanted (filtering, NAT, ...)? This decides the table.
                                3) Which direction does the packet travel? This decides which address is "source" and which is "destination".
                                4) What identifies the packet? This decides the match conditions.

                                              

                        Command syntax (as in the man page):

                                iptables [-t table] {-A|-C|-D} chain rule-specification
                                iptables [-t table] -I chain [rulenum] rule-specification
                                iptables [-t table] -R chain rulenum rule-specification
                                iptables [-t table] -D chain rulenum
                                iptables [-t table] -S [chain [rulenum]]
                                iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
                                iptables [-t table] -N chain
                                iptables [-t table] -X [chain]
                                iptables [-t table] -P chain target
                                iptables [-t table] -E old-chain-name new-chain-name

                                        rule-specification = [matches...] [target]
                                        match = -m matchname [per-match-options]
                                        target = -j targetname [per-target-options]

                           

                Rule management: iptables [-t table] COMMAND chain criteria [-m matchname [per-match-options]] [-j targetname [per-target-options]]

                        -t table: the table to operate on; defaults to filter

                              

        COMMANDS:

                Chain management:

                -P: iptables [-t table] -P chain target; sets the chain's default policy, i.e. what happens to a packet no rule matched; the target is normally ACCEPT or DROP.

[figure: 3.png]

                -N: iptables [-t table] -N chain; creates a user-defined chain. It only takes effect once a rule in a built-in chain jumps to it, so each user-defined chain carries a reference count.

[figure: 4.png]

                Here chain a is not referenced yet, hence "0 references".

                -X: iptables [-t table] -X [chain]; deletes a user-defined chain that is empty and has a reference count of 0.

[figure: 5.png]

                -F: iptables [-t table] -F [chain [rulenum]] [options]; flushes the given chain (or every chain of the table), or deletes one rule by number. The policy is untouched, so flushing a chain whose policy is DROP leaves it dropping everything.

                -E: iptables [-t table] -E old-chain-name new-chain-name; renames a user-defined chain.

[figure: 6.png]

                -Z: iptables [-t table] -Z [chain [rulenum]] [options...]; zeroes the packet and byte counters of all rules in the chain (or of one rule).

                Rule management:

                -A (append): iptables [-t table] -A chain rule-specification; appends the rule at the end of the chain.

                -I (insert): iptables [-t table] -I chain [rulenum] rule-specification; inserts the rule at the given position; the default is the head of the chain (position 1).

                -D (delete): iptables [-t table] -D chain rule-specification, or iptables [-t table] -D chain rulenum; deletes the given rule from the chain.

                -R (replace): iptables [-t table] -R chain rulenum rule-specification; replaces the rule at the given position with a new one.

                                              

                                    

  Viewing:

        -L (list): iptables [-t table] -L [chain [rulenum]] [options]

                -n: numeric output; no DNS or service-name lookups, so it is fast and does not send queries for every address in the rule set
                -v: verbose; shows interfaces, counters and options
                -vv, -vvv: progressively more detail
                --line-numbers: show each rule's position in the chain (the number used with -I, -D and -R)
                -x: exact; print counters as exact numbers instead of rounded K/M/G values

[figure: 7.png]

                Counters:

                        Every rule, and every chain's default policy, has two counters of its own:

                                1) pkts: number of packets matched
                                2) bytes: total size of the packets matched

                                                       

        

                                                       

                iptables [-t table] COMMAND chain criteria [-m matchname [per-match-options]] [-j targetname [per-target-options]]

                Match conditions:

                        Basic matches
                        Extended matches
                                Implicit extensions
                                Explicit extensions

                Note: several conditions in one rule are implicitly ANDed; the rule matches only if every condition does.

        Basic matches

        [!] -s, --source address[/mask][,...]: match the packet's source IP against the given address or range (a leading "!" negates the match)
        [!] -d, --destination address[/mask]: match the packet's destination IP against the given address or range
        [!] -p, --protocol protocol: match the transport-layer protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh, or "all"
        [!] -i, --in-interface name: the interface the packet arrived on; only valid in the PREROUTING, INPUT and FORWARD chains
        [!] -o, --out-interface name: the interface the packet is about to leave through; only valid in the FORWARD, OUTPUT and POSTROUTING chains
        -m, --match match: name the extension module to use explicitly
        -j, --jump target: the target to jump to

                                              

                                              

        Extended matches:

                Implicit extensions: matches that need no -m, because -p {tcp|udp|icmp} already loads the module for that protocol; once the protocol is given, its options can be used directly.

                -p tcp: the tcp module's options
                        [!] --source-port, --sport port[:port]: match the transport-layer source port; a contiguous range is written first:last
                        [!] --destination-port, --dport port[:port]: match the transport-layer destination port, same syntax
                        [!] --tcp-flags mask comp
                                flags: SYN, ACK, FIN, RST, URG, PSH (ALL and NONE are also accepted)
                                mask: comma-separated list of the flags to examine, e.g. SYN,FIN,RST
                                comp: of the flags in mask, those that must be set; the remaining flags in mask must be clear
                                --tcp-flags SYN,ACK,FIN,RST SYN matches a packet with SYN set and ACK, FIN, RST clear, i.e. the first packet of a TCP connection
                        [!] --syn: shorthand for --tcp-flags SYN,ACK,FIN,RST SYN

                -p udp: the udp module's options
                        [!] --source-port, --sport port[:port]: match the transport-layer source port; a range is written first:last
                        [!] --destination-port, --dport port[:port]: match the transport-layer destination port; a range is written first:last

                -p icmp: the icmp module's options
                        [!] --icmp-type {type[/code]|typename}
                        --icmp-type 0/0 (echo-reply): matches the response to a ping
                        --icmp-type 8/0 (echo-request): matches the ping request itself

[figure: 9.png]

 

                                    

 

Explicit extensions: the extension must be named with -m matchname, and most modules have options of their own.

        1. multiport: match several ports given as discrete values or as ranges. Up to 15 ports can be specified; a range such as 21:23 counts as two of them.

        [!] --source-ports, --sports port[,port|,port:port]...: several source ports
        [!] --destination-ports, --dports port[,port|,port:port]...: several destination ports
        [!] --ports port[,port|,port:port]...: match if either the source or the destination port is in the list

Examples:

  iptables -A INPUT -d 10.1.48.21 -p tcp -m multiport --sports 21:23,80,138 -j ACCEPT
  iptables -A INPUT -s 10.1.48.21 -p tcp -m multiport --dports 21:23,80,138 -j ACCEPT

 

        2. iprange: match a contiguous range of IP addresses, which need not align with a netmask
                [!] --src-range from[-to]
                [!] --dst-range from[-to]

Examples:

        iptables -A INPUT -d 10.1.48.21 -p tcp --dport 80 -m iprange --src-range 10.1.1.1-10.1.255.255 -j ACCEPT
        iptables -A OUTPUT -s 10.1.48.21 -p tcp --sport 80 -m iprange --dst-range 10.1.1.1-10.1.255.255 -j ACCEPT

                                              

3. string: match a pattern in the application-layer payload of the packet
                [!] --string pattern
                [!] --hex-string pattern: the pattern given in hex, e.g. "|63 6d 64|"
                --algo {bm|kmp}: the search algorithm, Boyer-Moore or Knuth-Morris-Pratt; required
                --from offset: byte offset at which the search starts (default 0)
                --to offset: byte offset at which the search ends (default: end of the packet)

Examples:

                  iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP
                  iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --algo kmp --string "cmd.exe" -j DROP
                  iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP

Caveat: the match sees only the payload of one packet. A string that straddles two TCP segments, or is sent with different case or encoding, is not matched, so -m string is a cheap signature, not a content filter.

                                                       

4. time: match on the time the packet arrives, against a date and/or time-of-day range
                --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]   (e.g. 2016-10-20T11:44:00; date and time are joined with "T")
                --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
                --timestart hh:mm[:ss]
                --timestop hh:mm[:ss]
             [!] --monthdays day[,day...]: days of the month
             [!] --weekdays day[,day...]: days of the week (Mon,Tue,... or 1-7)
             Times are interpreted in UTC unless --kerneltz is given; a 09:00-17:00 window on a host running in UTC+8 therefore needs --kerneltz or a shifted window.

Examples:

iptables -A INPUT -d 10.1.48.21 -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 17:00:00 -j ACCEPT

iptables -A INPUT -d 10.1.48.21 -p tcp --dport 80 -m time --datestart 2016-10-20T11:44:00 --datestop 2016-10-21T11:40:00 -j ACCEPT

 

5. connlimit: limit the number of parallel connections per client IP, i.e. how many connections one source may hold at the same time

                  --connlimit-upto n: match while the connection count is n or less
                  --connlimit-above n: match once the count exceeds n
                  --connlimit-mask prefix: count per network prefix instead of per single address (default 32 for IPv4)

Example (a client's third and later ssh connections are refused):

                  iptables -I INPUT -d 10.1.0.6 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT

                                                       

6. limit: match at most a given rate of packets (a token bucket)

                  --limit rate[/second|/minute|/hour|/day]: the average rate at which the bucket refills (default 3/hour)
                  --limit-burst number: the bucket size, i.e. how many packets may match in a burst before the rate applies (default 5)

Example:

                  iptables -A INPUT -d 10.1.0.6 -p icmp --icmp-type 8 -m limit --limit-burst 3 --limit 20/minute -j ACCEPT

Note: limit only decides which packets are within budget. A packet beyond it simply does not match this rule and falls through to the next rule or the chain policy, so to really cap pings this rule must be followed by one that drops the remaining echo requests.
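The following is an added example, not a command from these notes: a small model of the limit token bucket, so the effect of --limit (refill rate) and --limit-burst (bucket size) on a concrete packet sequence can be seen. The arrival times are a constructed list in seconds; the kernel keeps its credit in jiffies, so this reproduces the behaviour, not the kernel code.

```sh
#!/bin/sh
# Model of -m limit: --limit-burst is the bucket size (packets that may match at once),
# --limit is the refill rate. Arrival times are a constructed list in seconds.

# limit_sim RATE_PER_MINUTE BURST "t1 t2 ..."  -> "MATCH NOMATCH ..." one word per packet
limit_sim() {
    echo "$3" | tr ' ' '\n' | awk -v rate="$1" -v burst="$2" '
        BEGIN { tokens = burst; last = 0 }       # the bucket starts full
        NF == 0 { next }
        {
            t = $1 + 0
            tokens += (t - last) * rate / 60      # refill for the time elapsed since the previous packet
            if (tokens > burst) tokens = burst    # never more than the burst size
            last = t
            if (tokens >= 1) { tokens -= 1; r = "MATCH" } else { r = "NOMATCH" }
            out = out (out == "" ? "" : " ") r
        }
        END { print out }'
}

# The rule from the notes: --limit 20/minute --limit-burst 3.  Four pings in the same
# second: three match, the fourth does not; afterwards one token returns every 3 seconds.
limit_sim 20 3 "0 0 0 0 3 6 100"
# -> MATCH MATCH MATCH NOMATCH MATCH MATCH MATCH
```

A NOMATCH packet is not dropped by the limit rule itself; it just moves on to the next rule. The pair that actually caps pings is `-p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT` followed by `-p icmp --icmp-type 8 -j DROP`.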

                                                         

7. state: stateful inspection based on the connection-tracking subsystem (conntrack). In current iptables, -m state is an alias of -m conntrack --ctstate.

                NEW: the first packet of a connection conntrack has not seen before
                ESTABLISHED: a connection that has already seen packets in both directions
                RELATED: a new connection that belongs to an existing one (an FTP data connection, an ICMP error for a tracked connection)
                INVALID: a packet conntrack cannot associate with any connection (bad TCP flags, unknown state)
                UNTRACKED: a packet exempted from tracking by the raw table

                Targets that build on conntrack (they are targets, not states):
                MASQUERADE: source address translation to the address of the outgoing interface
                SNAT: source address translation
                DNAT: destination address translation
                MARK: set a firewall mark on the packet

                Related kernel modules:
                        nf_conntrack
                        nf_conntrack_ipv4
                        nf_conntrack_ftp

                Tracked connections are listed in /proc/net/nf_conntrack.

                The maximum number of tracked connections is /proc/sys/net/nf_conntrack_max; raise it on busy hosts, because once the table is full new connections are dropped and the kernel logs "nf_conntrack: table full, dropping packet".

                Per-protocol tracking timeouts live under /proc/sys/net/netfilter/ (nf_conntrack_tcp_timeout_established and friends).

                [!] --state state[,state...]

                Opening passive-mode FTP through the firewall:

                        (1) Load the FTP protocol tracking helper:
                                # modprobe nf_conntrack_ftp
                            On kernels 4.7 and later automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), so the helper must also be attached explicitly, e.g. iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

                        (2) Allow the inbound control connection:
                                # iptables -A INPUT -d SERVER_IP -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

                        (3) Allow the inbound data connections (the helper marks them RELATED):
                                # iptables -A INPUT -d SERVER_IP -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

                        (4) Allow the outbound ESTABLISHED traffic:
                                # iptables -A OUTPUT -s SERVER_IP -m state --state ESTABLISHED -j ACCEPT
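Added example, not part of the original notes: a reader for the /proc/net/nf_conntrack table mentioned above, so the NEW/ESTABLISHED decisions and the effect of SNAT (covered in the network-firewall part further down) can be read off the tracked entries. The four sample lines are constructed in the format the kernel prints (addresses taken from the lab in these notes, ports invented); on a live host run `ct_summary < /proc/net/nf_conntrack` as root.

```sh
#!/bin/sh
# Summarize /proc/net/nf_conntrack entries. CT_SAMPLE is constructed sample data.
CT_SAMPLE='ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.1.101 dst=10.1.48.23 sport=51234 dport=80 src=10.1.48.23 dst=10.1.48.21 sport=80 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.101 dst=10.1.48.23 sport=51300 dport=21 [UNREPLIED] src=10.1.48.23 dst=10.1.48.21 sport=21 dport=51300 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.101 dst=192.168.1.100 sport=137 dport=137 src=192.168.1.100 dst=192.168.1.101 sport=137 dport=137 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.1.101 dst=10.1.48.23 type=8 code=0 id=1234 src=10.1.48.23 dst=10.1.48.21 type=0 code=0 id=1234 mark=0 zone=0 use=2'

# ct_summary: one line per entry:
#   proto state orig_src orig_dst orig_dport reply_dst nat flags
# Each entry carries two tuples, original direction then reply direction. When the
# reply tuple's destination differs from the original source, POSTROUTING rewrote
# the source address: that is what an SNATed connection looks like in the table.
ct_summary() {
    awk '
    {
        proto = $3
        state = (proto == "tcp") ? $6 : "-"      # only TCP carries a state word
        osrc = odst = rsrc = rdst = odport = ""
        flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)        { v = substr($i, 5); if (osrc == "") osrc = v; else rsrc = v }
            else if ($i ~ /^dst=/)   { v = substr($i, 5); if (odst == "") odst = v; else rdst = v }
            else if ($i ~ /^dport=/) { if (odport == "") odport = substr($i, 7) }
            else if ($i ~ /^type=/)  { if (odport == "") odport = "type" substr($i, 6) }   # ICMP has no port
            else if ($i ~ /^\[/)     { flags = flags $i }                                  # [ASSURED], [UNREPLIED]
        }
        nat = (rdst != osrc) ? "snat" : "-"
        if (flags == "") flags = "-"
        print proto, state, osrc, odst, odport, rdst, nat, flags
    }'
}

# ct_state_count: entries per proto/state, the numbers behind nf_conntrack_max sizing
ct_state_count() {
    ct_summary | awk '{ c[$1 " " $2]++ } END { for (k in c) print k, c[k] }' | sort
}

echo "$CT_SAMPLE" | ct_summary
echo "$CT_SAMPLE" | ct_state_count
```

An entry that is still [UNREPLIED] is what `--state NEW` matches for the next packet of that flow; once the reply tuple has been seen the entry becomes ESTABLISHED, and the `--state RELATED,ESTABLISHED` rule in the notes above covers everything from then on.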

                                                                          

                Actions (jump targets):

                        -j targetname [per-target-options]

                                Simple targets
                                        ACCEPT, DROP

                                Extended targets
                                        REJECT: like DROP, but sends the sender an error
                                                --reject-with type
                                                icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset (TCP only); the default is icmp-port-unreachable
                                        LOG: turn on kernel logging of matching packets. LOG is non-terminating: the packet continues to the next rule, so a DROP or REJECT rule normally follows it, and a -m limit in front of it keeps a flood from filling the log.
                                                --log-level level: syslog level (emerg ... debug)
                                                --log-prefix prefix: text (up to 29 characters) prepended to each log line, used to tell rules apart when searching the log
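Added example, not from the original notes: once a LOG rule with a `--log-prefix` is in place, the kernel lines it produces have to be turned into something readable. The log lines below are constructed to look like syslog output of `-j LOG --log-prefix "IPT-DROP: "` (hostname, addresses and ports are made up, and one line with another prefix plus an unrelated kernel message are included to show the filtering); on a live host feed the function with `journalctl -k` or /var/log/messages.

```sh
#!/bin/sh
# Summarize kernel LOG-target output by --log-prefix. LOG_SAMPLE is constructed data.
LOG_SAMPLE='Oct 20 11:44:01 server1 kernel: [1201.001] IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.1.48.23 DST=10.1.48.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 20 11:44:02 server1 kernel: [1202.002] IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.1.48.23 DST=10.1.48.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 20 11:44:03 server1 kernel: [1203.003] IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.1.48.23 DST=10.1.48.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 20 11:44:04 server1 kernel: [1204.004] IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.1.48.23 DST=10.1.48.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 20 11:44:05 server1 kernel: [1205.005] IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.1.48.50 DST=10.1.48.21 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Oct 20 11:44:06 server1 kernel: [1206.006] IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.1.48.50 DST=10.1.48.21 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Oct 20 11:44:07 server1 kernel: [1207.007] IPT-NEW-SSH: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.1.100 DST=10.1.48.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 20 11:44:08 server1 kernel: [1208.008] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# log_summary PREFIX: count the logged packets that carry PREFIX, grouped by source
# address, protocol and destination port (ICMP has no DPT and is shown as "-").
# Output lines are "count src proto dport", highest count first.
log_summary() {
    awk -v p="$1" '
        index($0, p) == 0 { next }               # other prefixes and unrelated kernel lines
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")               # the LOG target writes KEY=VALUE fields
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") c[src " " proto " " (dpt == "" ? "-" : dpt)]++
        }
        END { for (k in c) print c[k], k }' | sort -k1,1nr -k2
}

echo "$LOG_SAMPLE" | log_summary "IPT-DROP: "
```

The rule pair that produces such lines without flooding the log is `-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: " --log-level warning` directly followed by `-A INPUT -j DROP`; the prefix is what the function keys on, so choose one per rule you want to tell apart.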

                                                       

                                                       

        Saving and loading rules:

                Save: iptables-save > /PATH/TO/SOME_RULE_FILE
                Load: iptables-restore < /PATH/FROM/SOME_RULE_FILE
                        -n, --noflush: keep the existing rules instead of flushing each table first
                        -t, --test: only parse and build the rule set; do not commit it

                        Note: loading a file replaces the rules already present unless -n is given.

                CentOS 6

                        Save rules: service iptables save
                                writes them to /etc/sysconfig/iptables, overwriting the file's previous contents
                        Reload rules: service iptables restart
                                loads the rules from /etc/sysconfig/iptables by default

                        Script configuration file: /etc/sysconfig/iptables-config
                                names the modules to load, among other settings

                CentOS 7, making the rules take effect at boot:

                        (1) the firewalld service;
                        (2) a shell script that simply records the iptables commands;
                        (3) a custom unit file or init script (the iptables-services package provides the CentOS 6 style iptables service and /etc/sysconfig/iptables).

                           

        Rule-ordering guidelines:

                (1) Accept packets whose state is ESTABLISHED first, in both directions; they are the bulk of the traffic and the check is cheap.
                (2) Among rules serving different functions, put the ones most likely to match first.
                (3) Among rules serving the same function, put the stricter match conditions first.
                (4) Set the default policy, i.e. a whitelist:
                        (a) with iptables -P; or
                        (b) preferably as a final rule at the end of the chain, so that a later iptables -F does not leave a DROP policy with no accept rules, and the dropped packets are counted and can be logged.

Reference: http://ipset.netfilter.org/iptables-extensions.man.html
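Added example, not from the original notes: guidelines (1) and (2) above are decided by the counters, and `iptables-save -c` prints them as `[pkts:bytes]` in front of every rule. The functions below read that format and report which rules carry the traffic, which never matched, and whether the ESTABLISHED rule sits at position 1. SAVE_SAMPLE is constructed (the counter values are invented; the rules follow the host example in these notes); on a real host pipe in `iptables-save -c`.

```sh
#!/bin/sh
# Read "iptables-save -c" output and check rule order against the counters.
SAVE_SAMPLE='*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3000:250000]
[0:0] -A INPUT -d 10.1.48.21/32 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/min --limit-burst 20 -m state --state NEW -j ACCEPT
[98765:87654321] -A INPUT -d 10.1.48.21/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
[412:24720] -A INPUT -d 10.1.48.21/32 -p tcp -m tcp --dport 22 -m connlimit --connlimit-above 3 --connlimit-mask 32 --connlimit-saddr -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -d 10.1.48.21/32 -p tcp -m tcp --dport 23 -m time --timestart 09:00:00 --timestop 17:00:00 -m state --state NEW -j ACCEPT
[1503:90180] -A INPUT -d 10.1.48.21/32 -p tcp -m multiport --dports 21,22,80,139,445 -m state --state NEW -j ACCEPT
COMMIT'

# rule_hits CHAIN: "rulenum pkts target" for every rule of CHAIN, busiest first
rule_hits() {
    awk -v ch="$1" '
        $1 ~ /^\[/ && $2 == "-A" && $3 == ch {
            n++                                               # position in the chain
            split(substr($1, 2, length($1) - 2), cnt, ":")   # "[pkts:bytes]" -> cnt[1] = pkts
            target = "-"
            for (i = 4; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            print n, cnt[1], target
        }' | sort -k2,2nr -k1,1n
}

# unused_rules CHAIN: positions of rules that never matched (candidates to drop or move last)
unused_rules() {
    rule_hits "$1" | awk '$2 == 0 { s = s (s == "" ? "" : " ") $1 } END { print s }'
}

# check_established_first CHAIN: the RELATED,ESTABLISHED rule carries most of the
# traffic (compare the counters) and should be rule 1 of the chain
check_established_first() {
    awk -v ch="$1" '
        $1 ~ /^\[/ && $2 == "-A" && $3 == ch {
            n++
            if ($0 ~ /ESTABLISHED/) {
                msg = (n == 1) ? "ok" : "warn: ESTABLISHED rule is at position " n ", not 1"
                print msg
                found = 1
                exit
            }
        }
        END { if (!found) print "warn: no ESTABLISHED rule in chain " ch }'
}

echo "$SAVE_SAMPLE" | rule_hits INPUT
echo "$SAVE_SAMPLE" | unused_rules INPUT
echo "$SAVE_SAMPLE" | check_established_first INPUT
```

In the sample the ESTABLISHED rule has matched some 98,000 packets but sits second, behind an ICMP rule that matched nothing; moving it to position 1 (`iptables -I INPUT 1 ...` after deleting the old copy) saves one needless match per packet. Zero counters after weeks of uptime (here the telnet rule) mean either the service is unused or the rule never matches, for example because of the UTC issue of the time match.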

 

        # install the services used in the exercise
        [root@server1 ~]# yum -y install telnet ftp ssh httpd samba

        First version (iptables-save format; one rule per service and direction, matched on ports only):

            -A INPUT -d 10.1.48.21/32 -p tcp -m tcp --dport 22 -m connlimit --connlimit-upto 3 -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p tcp -m tcp --sport 22 -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p tcp -m tcp --sport 80 -j ACCEPT
            -A INPUT -d 10.1.48.21/32 -p tcp -m tcp --dport 80 -j ACCEPT
            -A INPUT -d 10.1.48.21/32 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/minute --limit-burst 20 -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
            -A INPUT -d 10.1.48.21/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
            -A INPUT -d 10.1.48.21/32 -p tcp -m tcp --dport 23 -m time --timestart 09:00:00 --timestop 17:00:00 ! --weekdays Sat,Sun -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p tcp -m tcp --sport 23 -j ACCEPT
            -A INPUT -d 10.1.48.21/32 -p udp -m multiport --dports 137,138 -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p udp -m multiport --sports 137,138 -j ACCEPT
            -A INPUT -d 10.1.48.21/32 -p tcp -m multiport --dports 139,445 -j ACCEPT
            -A OUTPUT -s 10.1.48.21/32 -p tcp -m multiport --sports 139,445 -j ACCEPT

        The OUTPUT rules that match only on --sport let any local process send from that port, whether or not a client asked for it, and every service needs two rules; the stateful version below fixes both.

 

 

Improved version (stateful: one RELATED,ESTABLISHED rule per direction covers all replies, placed first as the guidelines say, and new connections are matched with --state NEW):

            iptables -A INPUT -d 10.1.48.21 -m state --state RELATED,ESTABLISHED -j ACCEPT
            iptables -A INPUT -d 10.1.48.21 -p tcp --dport 22 -m connlimit --connlimit-above 3 -m state --state NEW -j REJECT
            iptables -A INPUT -d 10.1.48.21 -p tcp --dport 23 -m time --timestart 09:00:00 --timestop 17:00:00 ! --weekdays Sat,Sun -m state --state NEW -j ACCEPT
            iptables -A INPUT -d 10.1.48.21 -p icmp --icmp-type 8 -m limit --limit 1/minute --limit-burst 20 -m state --state NEW -j ACCEPT
            iptables -A INPUT -d 10.1.48.21 -p tcp -m multiport --dports 21,22,80,139,445 -m state --state NEW -j ACCEPT
            iptables -A INPUT -d 10.1.48.21 -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT

            iptables -A OUTPUT -s 10.1.48.21 -m state --state ESTABLISHED,RELATED -j ACCEPT

   The ssh REJECT must stay in front of the multiport ACCEPT that also lists port 22, and telnet (23) is deliberately absent from the multiport list so that the time window is the only way in.

   Note: to open FTP through the firewall, load nf_conntrack_ftp and nf_nat_ftp.
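Added example, not the author's script: the improved host rules above written as an iptables-restore file, so they load atomically (no window with half a rule set) and can be syntax-checked before touching the running firewall. It assumes the host address 10.1.48.21 from the notes and adds two things the listing above leaves implicit: DROP chain policies, and loopback rules, without which a DROP policy breaks every local service that talks to itself over 127.0.0.1.

```sh
#!/bin/sh
# Host firewall from the notes as an iptables-restore file.
HOST_IP=10.1.48.21

host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: local services talk to themselves over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies and related traffic for every service below, one rule per direction, before anything else
-A INPUT -d $HOST_IP -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s $HOST_IP -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh: a client holding 3 connections has its next one refused; must precede the multiport ACCEPT
-A INPUT -d $HOST_IP -p tcp --dport 22 -m connlimit --connlimit-above 3 -m state --state NEW -j REJECT
# telnet only on weekdays 09:00-17:00 (UTC unless --kerneltz is added)
-A INPUT -d $HOST_IP -p tcp --dport 23 -m time --timestart 09:00:00 --timestop 17:00:00 ! --weekdays Sat,Sun -m state --state NEW -j ACCEPT
# ftp, ssh, http, smb over tcp (23 left out on purpose)
-A INPUT -d $HOST_IP -p tcp -m multiport --dports 21,22,80,139,445 -m state --state NEW -j ACCEPT
# netbios name/datagram service over udp
-A INPUT -d $HOST_IP -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
# ping: 20 requests up front, then 1 per minute; the rest hit the DROP policy
-A INPUT -d $HOST_IP -p icmp --icmp-type 8 -m limit --limit 1/minute --limit-burst 20 -m state --state NEW -j ACCEPT
# OUTPUT policy is DROP: connections the host itself initiates (dns, yum) need their own NEW rules
COMMIT
EOF
}

# count_rules CHAIN: number of -A lines the generated set has for CHAIN
count_rules() { host_rules | grep -c "^-A $1 "; }

# first_rule CHAIN: the rule at position 1 of CHAIN
first_rule() { host_rules | awk -v ch="$1" '$1 == "-A" && $2 == ch { print; exit }'; }

case "${1:-}" in
    test)  host_rules | iptables-restore --test ;;   # parse only; root required
    apply) host_rules | iptables-restore ;;          # atomic load; replaces the filter table
    *)     host_rules ;;                             # print the file
esac
```

Run it without arguments to see the file, `sh hostfw.sh test` to let iptables-restore parse it, and `sh hostfw.sh apply` to load it; `iptables-save > /etc/sysconfig/iptables` afterwards (or `service iptables save` on CentOS 6) makes it persistent.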

 

 

 

 

iptables as a network firewall

[figure: 10.png]

Host A: 192.168.1.101
Host B: 192.168.1.100
Host C: 10.1.48.21 (the firewall/gateway; its inside interface faces the 192.168.1.0/24 side)
Host D: 10.1.48.23
A and B use the vmnet1 host-only network; C and D are bridged.

Concepts used below:

Bridged: the VM is attached to a software bridge and talks to other hosts through the physical NIC.
Host-only: VMs in host-only mode can talk only to each other and to the physical host's virtual adapter.
vmnet1: a virtual network on which only the VMs attached to it can talk to each other.
Of the four VMs, A and B sit on the virtual network and C and D are bridged.

 

 

 

For the four hosts to talk through the firewall, the firewall host must have IP forwarding enabled (sysctl -w net.ipv4.ip_forward=1, or echo 1 > /proc/sys/net/ipv4/ip_forward; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it). With the FORWARD chain set to DROP, a LAN client's request to the external host's http service is refused:

iptables -A FORWARD -j DROP

D provides an http service. For LAN users to reach it the firewall has to forward that service; everything that follows is done on the firewall host:

iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

The service is still unreachable: the request gets out, but the reply is dropped on the way back, so the return direction must be opened too:

iptables -I FORWARD -d 192.168.1.0/24 -p tcp --sport 80 -j ACCEPT

[figure: 11.png]
[figure: 12.png]

Now open ssh and smb as well, and tidy the policy with state matching (if the DROP rule from above is still present, do not append a second one; iptables -L FORWARD -n --line-numbers shows what is there):

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -s 192.168.1.0/24 -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP

For LAN hosts to reach an external FTP server, the firewall host additionally needs the nf_conntrack_ftp and nf_nat_ftp modules, after which the data connections pass as RELATED.

For external hosts reaching services on LAN hosts, only the direction of the NEW rule changes:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -d 192.168.1.0/24 -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP

 

 

 

 

 

SNAT, source address translation; added on the middle (gateway) host:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.48.21

Test by pinging the external host from a LAN host.

After source translation, a ping from LAN host 192.168.1.101 to external host 10.1.48.23 arrives as a request sent by gateway 10.1.48.21. This confirms that when a LAN host pings an external host, the source address is rewritten to the gateway's address as the packet leaves the gateway.

Capture on the external host with: tcpdump -i eth0 -nn icmp

[figure: 13.png]

 

 

Capturing on the gateway's inside interface shows the ping request still coming from the LAN host and addressed to the external host: while the packet passes PREROUTING its source address has not been translated yet.

[figure: 14.png]

Capturing on the gateway's outside interface shows the request leaving with the gateway's address, which proves that source translation happens in POSTROUTING.

[figure: 15.png]

One more test: access the external host's http service from a LAN host and look at the external host's http access log; it records the gateway's address as the client.

[figure: 16.png]

 

 

DNAT

Suppose a LAN host runs an http service, and external hosts connecting to the gateway should receive that host's content. This needs destination address translation: the destination the external host used (the gateway's IP) is rewritten to the LAN host's address.

Add the following rule on the gateway:

iptables -t nat -A PREROUTING -d 10.1.48.21 -j DNAT --to-destination 192.168.1.101

Without -p/--dport this rewrites every packet addressed to 10.1.48.21, including ssh to the gateway itself; the port-restricted form further down is the one to keep.

Ping the gateway from the external host and capture:

[figure: 17.png]

On the gateway's outside interface the destination is still the gateway: when external host 10.1.48.23 pings the gateway, the destination address has not been changed yet.

[figure: 18.png]

On the gateway's inside interface the destination has already become the LAN host's address, so destination translation is complete by then. The external host 10.1.48.23 pinged 10.1.48.21, and the final destination has changed from 10.1.48.21 to 192.168.1.101.

Finally, a capture on the LAN host's interface shows the request's source address is still the external host's: DNAT changes only the destination.

[figure: 19.png]

Test external access to the LAN host's http service and check the log:

The external host sent its http request to the gateway, but the content was returned by LAN host 192.168.1.101, which again shows the destination was translated: the request went to 10.1.48.21 and ended up at 192.168.1.101.

[figure: 20.png]

As a further test, start httpd on the gateway itself and request the gateway's http service from the external host: the response still comes from the LAN host, because the nat PREROUTING rule rewrites the packet before the INPUT chain ever sees it.

iptables -t nat -A PREROUTING -d 10.1.48.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.101

With this rule in the nat table, when the external host connects to gateway 10.1.48.21 the gateway rewrites the destination to LAN host 192.168.1.101, and the resource returned is the LAN host's: destination address translation is in effect.

 

 

 

 

User-defined chains:

Goal: let external hosts reach a resource on a LAN host.

iptables -N web_in

Add the default-deny rule to the FORWARD chain:

iptables -A FORWARD -j DROP

For the FORWARD chain and the user-defined chain to work together, the accept rule goes into the user-defined chain. FORWARD sees the packet after the nat PREROUTING step, so the destination to match is the LAN web server's address that DNAT produced, not the gateway's:

iptables -A web_in -d 192.168.1.101 -p tcp --dport 80 -m state --state NEW -j ACCEPT

Once the connection is ESTABLISHED, its further packets should be accepted directly, so FORWARD also needs a state rule:

iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT

With the rules written this far an external host still cannot reach the LAN host: the first packet is NEW, the ESTABLISHED rule does not match it, and it falls through to the default-deny rule. The rules in the user-defined chain only get a chance once the chain is referenced, which is done like this:

iptables -I FORWARD 2 -d 192.168.1.0/24 -j web_in

When a request arrives, the user-defined chain's rules are applied: the first packet is NEW and is accepted there, and because the chain is now referenced from FORWARD, the external host can talk to the LAN host and fetch the resource. A packet that matches nothing in web_in returns to FORWARD and meets the DROP rule.
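Added example, not the author's commands: the network-firewall role from this part of the notes (forwarding, SNAT, DNAT and the web_in chain) as a single iptables-restore file, together with the sysctl it depends on. The addresses are the lab's (LAN 192.168.1.0/24, gateway outside address 10.1.48.21, internal web server 192.168.1.101); the interface names eth0 (outside) and eth1 (inside) are assumed, the notes do not give them.

```sh
#!/bin/sh
# Gateway rule set from the notes as one iptables-restore file (nat + filter).
LAN=192.168.1.0/24
GW_OUT=10.1.48.21        # gateway's outside address
WEB=192.168.1.101        # published LAN web server
OUT_IF=eth0              # assumed interface names
IN_IF=eth1

router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish only port 80, not every protocol: ssh to the gateway itself keeps working
-A PREROUTING -i $OUT_IF -d $GW_OUT -p tcp --dport 80 -j DNAT --to-destination $WEB
# LAN hosts leave with the gateway's address (static SNAT; MASQUERADE if the address is dynamic)
-A POSTROUTING -o $OUT_IF -s $LAN -j SNAT --to-source $GW_OUT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:web_in - [0:0]
# replies first, as in the ordering guidelines
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN -> outside: ftp, ssh, telnet, http, smb
-A FORWARD -i $IN_IF -s $LAN -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT
# outside -> published server: FORWARD sees the post-DNAT destination, so match $WEB, not $GW_OUT
-A FORWARD -i $OUT_IF -d $WEB -j web_in
-A web_in -p tcp --dport 80 -m state --state NEW -j ACCEPT
# anything web_in does not accept returns to FORWARD and hits the DROP policy
COMMIT
EOF
}

# dnat_ports: destination ports the nat table publishes, a quick check of what is exposed
dnat_ports() {
    router_rules | awk '$1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# chain_rule_count CHAIN: number of -A lines for CHAIN in the generated set
chain_rule_count() { router_rules | grep -c "^-A $1 "; }

case "${1:-}" in
    # forwarding must be on and the ftp helpers loaded before the rules are useful
    apply) sysctl -w net.ipv4.ip_forward=1 && modprobe nf_conntrack_ftp && modprobe nf_nat_ftp && router_rules | iptables-restore ;;
    test)  router_rules | iptables-restore --test ;;
    *)     router_rules ;;
esac
```

On kernels 4.7 and later the ftp helper is not attached automatically; add `-A PREROUTING -p tcp --dport 21 -j CT --helper ftp` to a *raw section of the file for LAN-to-outside FTP to get its data connections as RELATED. Because the DNAT rule is limited to tcp/80, a ping to 10.1.48.21 from outside is answered by the gateway itself, unlike with the unrestricted rule tried first in the notes.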

 

 

Original article by fszxxxks; if reposting, please credit the source: http://www.178linux.com/55672