iptables

Evernote Export

 

基于本机服务器的iptables:


创建、重命名、删除自定义chain


~]# iptables -N testchain

~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Chain testchain (0 references)

target     prot opt source               destination

~]# iptables -E testchain mychain

~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Chain mychain (0 references)

target     prot opt source               destination

~]# iptables -X mychain

~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

[root@localhost ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination


-P:Policy,设置默认策略;对filter表中的链而言,其默认策略有:

ACCEPT:接受

DROP:丢弃

REJECT:拒绝

默认table为filter,如对filter进行操作时可以不写

~]#iptables -t filter -P FORWARD DROP

~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy DROP)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

iptables查看:

-S:seletced,以iptables-save命令的格式显示链上的规则

-L:list, 列出指定鏈上的所有规则;

    -n:numberic,以数字格式显示地址和端口号;

    -v:verbose,详细信息;

    -vv, -vvv

    -x:exactly,显示计数器结果的精确值;

    –line-numbers:显示规则的序号;

~]# iptables -nvxL –line-numbers

Chain INPUT (policy ACCEPT 275 packets, 18823 bytes)

Chain FORWARD (policy DROP 0 packets, 0 bytes)

Chain OUTPUT (policy ACCEPT 154 packets, 24528 bytes)

[root@localhost ~]# iptables -nvvxL –line-numbers

Chain INPUT (policy ACCEPT 300 packets, 20863 bytes)

Chain FORWARD (policy DROP 0 packets, 0 bytes)

Chain OUTPUT (policy ACCEPT 175 packets, 26988 bytes)

libiptc vlibxtables.so.10. 632 bytes.

Table `filter'

Hooks: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff

Underflows: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff

Entry 0 (0):

SRC IP: 0.0.0.0/0.0.0.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/…………….to `'/…………….

Protocol: 0

Flags: 00

Invflags: 00

Counters: 300 packets, 20863 bytes

Cache: 00000000

Target name: `' [40]

verdict=NF_ACCEPT

Entry 1 (152):

SRC IP: 0.0.0.0/0.0.0.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/…………….to `'/…………….

Protocol: 0

Flags: 00

Invflags: 00

Counters: 0 packets, 0 bytes

Cache: 00000000

Target name: `' [40]

verdict=NF_DROP

Entry 2 (304):

SRC IP: 0.0.0.0/0.0.0.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/…………….to `'/…………….

Protocol: 0

Flags: 00

Invflags: 00

Counters: 175 packets, 26988 bytes

Cache: 00000000

Target name: `' [40]

verdict=NF_ACCEPT

Entry 3 (456):

SRC IP: 0.0.0.0/0.0.0.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/…………….to `'/…………….

Protocol: 0

Flags: 00

Invflags: 00

Counters: 0 packets, 0 bytes

Cache: 00000000

Target name: `ERROR' [64]

error=`ERROR'

[root@localhost ~]# iptables -S

-P INPUT ACCEPT

-P FORWARD DROP

-P OUTPUT ACCEPT

[root@localhost ~]# iptables -S INPUT

-P INPUT ACCEPT

可以通过查看安装包的库文件看下相关对应的命令



~]# rpm -ql iptables

/etc/sysconfig/ip6tables-config

/etc/sysconfig/iptables-config

/usr/bin/iptables-xml

/usr/lib64/libip4tc.so.0

/usr/lib64/libip4tc.so.0.1.0

/usr/lib64/libip6tc.so.0

/usr/lib64/libip6tc.so.0.1.0

/usr/lib64/libiptc.so.0

/usr/lib64/libiptc.so.0.0.0

/usr/lib64/libxtables.so.10

/usr/lib64/libxtables.so.10.0.0

/usr/lib64/xtables

/usr/lib64/xtables/libip6t_DNAT.so

/usr/lib64/xtables/libip6t_DNPT.so

/usr/lib64/xtables/libip6t_HL.so

/usr/lib64/xtables/libip6t_LOG.so

/usr/lib64/xtables/libip6t_MASQUERADE.so

/usr/lib64/xtables/libip6t_NETMAP.so

/usr/lib64/xtables/libip6t_REDIRECT.so

/usr/lib64/xtables/libip6t_REJECT.so

/usr/lib64/xtables/libip6t_SNAT.so

/usr/lib64/xtables/libip6t_SNPT.so

/usr/lib64/xtables/libip6t_ah.so

/usr/lib64/xtables/libip6t_dst.so

/usr/lib64/xtables/libip6t_eui64.so

/usr/lib64/xtables/libip6t_frag.so

/usr/lib64/xtables/libip6t_hbh.so

/usr/lib64/xtables/libip6t_hl.so

/usr/lib64/xtables/libip6t_icmp6.so

/usr/lib64/xtables/libip6t_ipv6header.so

/usr/lib64/xtables/libip6t_mh.so

/usr/lib64/xtables/libip6t_rt.so

/usr/lib64/xtables/libipt_CLUSTERIP.so

/usr/lib64/xtables/libipt_DNAT.so

/usr/lib64/xtables/libipt_ECN.so

/usr/lib64/xtables/libipt_LOG.so

/usr/lib64/xtables/libipt_MASQUERADE.so

/usr/lib64/xtables/libipt_MIRROR.so

/usr/lib64/xtables/libipt_NETMAP.so

/usr/lib64/xtables/libipt_REDIRECT.so

/usr/lib64/xtables/libipt_REJECT.so

/usr/lib64/xtables/libipt_SAME.so

/usr/lib64/xtables/libipt_SNAT.so

/usr/lib64/xtables/libipt_TTL.so

/usr/lib64/xtables/libipt_ULOG.so

/usr/lib64/xtables/libipt_ah.so

/usr/lib64/xtables/libipt_icmp.so

/usr/lib64/xtables/libipt_realm.so

/usr/lib64/xtables/libipt_ttl.so

/usr/lib64/xtables/libipt_unclean.so

/usr/lib64/xtables/libxt_AUDIT.so

/usr/lib64/xtables/libxt_CHECKSUM.so

/usr/lib64/xtables/libxt_CLASSIFY.so

/usr/lib64/xtables/libxt_CONNMARK.so

/usr/lib64/xtables/libxt_CONNSECMARK.so

/usr/lib64/xtables/libxt_CT.so

/usr/lib64/xtables/libxt_DSCP.so

/usr/lib64/xtables/libxt_HMARK.so

/usr/lib64/xtables/libxt_IDLETIMER.so

/usr/lib64/xtables/libxt_LED.so

/usr/lib64/xtables/libxt_MARK.so

/usr/lib64/xtables/libxt_NFLOG.so

/usr/lib64/xtables/libxt_NFQUEUE.so

/usr/lib64/xtables/libxt_NOTRACK.so

/usr/lib64/xtables/libxt_RATEEST.so

/usr/lib64/xtables/libxt_SECMARK.so

/usr/lib64/xtables/libxt_SET.so

/usr/lib64/xtables/libxt_SYNPROXY.so

/usr/lib64/xtables/libxt_TCPMSS.so

/usr/lib64/xtables/libxt_TCPOPTSTRIP.so

/usr/lib64/xtables/libxt_TEE.so

/usr/lib64/xtables/libxt_TOS.so

/usr/lib64/xtables/libxt_TPROXY.so

/usr/lib64/xtables/libxt_TRACE.so

/usr/lib64/xtables/libxt_addrtype.so

/usr/lib64/xtables/libxt_bpf.so

/usr/lib64/xtables/libxt_cgroup.so

/usr/lib64/xtables/libxt_cluster.so

/usr/lib64/xtables/libxt_comment.so

/usr/lib64/xtables/libxt_connbytes.so

/usr/lib64/xtables/libxt_connlabel.so

/usr/lib64/xtables/libxt_connlimit.so

/usr/lib64/xtables/libxt_connmark.so

/usr/lib64/xtables/libxt_conntrack.so

/usr/lib64/xtables/libxt_cpu.so

/usr/lib64/xtables/libxt_dccp.so

/usr/lib64/xtables/libxt_devgroup.so

/usr/lib64/xtables/libxt_dscp.so

/usr/lib64/xtables/libxt_ecn.so

/usr/lib64/xtables/libxt_esp.so

/usr/lib64/xtables/libxt_hashlimit.so

/usr/lib64/xtables/libxt_helper.so

/usr/lib64/xtables/libxt_iprange.so

/usr/lib64/xtables/libxt_ipvs.so

/usr/lib64/xtables/libxt_length.so

/usr/lib64/xtables/libxt_limit.so

/usr/lib64/xtables/libxt_mac.so

/usr/lib64/xtables/libxt_mark.so

/usr/lib64/xtables/libxt_multiport.so

/usr/lib64/xtables/libxt_nfacct.so

/usr/lib64/xtables/libxt_osf.so

/usr/lib64/xtables/libxt_owner.so

/usr/lib64/xtables/libxt_physdev.so

/usr/lib64/xtables/libxt_pkttype.so

/usr/lib64/xtables/libxt_policy.so

/usr/lib64/xtables/libxt_quota.so

/usr/lib64/xtables/libxt_rateest.so

/usr/lib64/xtables/libxt_recent.so

/usr/lib64/xtables/libxt_rpfilter.so

/usr/lib64/xtables/libxt_sctp.so

/usr/lib64/xtables/libxt_set.so

/usr/lib64/xtables/libxt_socket.so

/usr/lib64/xtables/libxt_standard.so

/usr/lib64/xtables/libxt_state.so

/usr/lib64/xtables/libxt_statistic.so

/usr/lib64/xtables/libxt_string.so

/usr/lib64/xtables/libxt_tcp.so

/usr/lib64/xtables/libxt_tcpmss.so

/usr/lib64/xtables/libxt_time.so

/usr/lib64/xtables/libxt_tos.so

/usr/lib64/xtables/libxt_u32.so

/usr/lib64/xtables/libxt_udp.so

/usr/sbin/ip6tables

/usr/sbin/ip6tables-restore

/usr/sbin/ip6tables-save

/usr/sbin/iptables

/usr/sbin/iptables-restore

/usr/sbin/iptables-save

/usr/sbin/xtables-multi

/usr/share/doc/iptables-1.4.21

/usr/share/doc/iptables-1.4.21/COPYING

/usr/share/doc/iptables-1.4.21/INCOMPATIBILITIES

/usr/share/man/man1/iptables-xml.1.gz

/usr/share/man/man8/ip6tables-restore.8.gz

/usr/share/man/man8/ip6tables-save.8.gz

/usr/share/man/man8/ip6tables.8.gz

/usr/share/man/man8/iptables-extensions.8.gz

/usr/share/man/man8/iptables-restore.8.gz

/usr/share/man/man8/iptables-save.8.gz

/usr/share/man/man8/iptables.8.gz

创建iptables规则

规则格式:iptables   [-t table]   COMMAND   chain   [-m matchname [per-match-options]]   -j targetname [per-target-options]


[root@localhost ~]# iptables -A INPUT -s 192.168.150.0/24 -j ACCEPT

[root@localhost ~]# iptables -A OUTPUT -d 192.168.150.0/24 -j ACCEPT

[root@localhost ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     all  —  192.168.150.0/24     0.0.0.0/0

Chain FORWARD (policy DROP)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     all  —  0.0.0.0/0            192.168.150.0/24

[root@localhost ~]# iptables -nvL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

146 10462 ACCEPT     all  —  *      *       192.168.150.0/24     0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

21  2308 ACCEPT     all  —  *      *       0.0.0.0/0            192.168.150.0/24

[root@localhost ~]#

[root@localhost ~]#

[root@localhost ~]# iptables -F

[root@localhost ~]# iptables -A INPUT -s 192.168.150.1 -d 192.168.150.137 -j ACCEPT

[root@localhost ~]# iptables -A OUTPUT -d 192.168.150.1 -s 192.168.150.137 -j ACCEPT

[root@localhost ~]# iptables -nvL

Chain INPUT (policy ACCEPT 8 packets, 817 bytes)

pkts bytes target     prot opt in     out     source               destination

214 16156 ACCEPT     all  —  *      *       192.168.150.1        192.168.150.137

Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 588 bytes)

pkts bytes target     prot opt in     out     source               destination

24  2136 ACCEPT     all  —  *      *       192.168.150.137      192.168.150.1

[root@localhost ~]# iptables -P INPUT  DROP

[root@localhost ~]# iptables -P OUTPUT  DROP

[root@localhost ~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

483 34060 ACCEPT     all  —  *      *       192.168.150.1        192.168.150.137

Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

176 26324 ACCEPT     all  —  *      *       192.168.150.137      192.168.150.1

[root@localhost ~]# iptables -P INPUT ACCEPT

[root@localhost ~]# iptables -P FORWARD ACCEPT

[root@localhost ~]# iptables -P OUTPUT ACCEPT

[root@localhost ~]# iptables -F

[root@localhost ~]# iptables -nvL

Chain INPUT (policy ACCEPT 73 packets, 4880 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 40 packets, 3608 bytes)

pkts bytes target     prot opt in     out     source               destination


iptabels之http


~]# vim /var/www/html/index.html

~]# more /var/www/html/index.html

<h1>192.168.150.137</h1>

~]# systemctl start httpd

~]# ss -tn;

State       Recv-Q Send-Q         Local Address:Port                        Peer Address:Port

ESTAB       0      0            192.168.150.137:22                         192.168.150.1:63850

ESTAB       0      0            192.168.150.137:22                         192.168.150.1:59463

~]# ss -tnl

State       Recv-Q Send-Q         Local Address:Port                        Peer Address:Port

LISTEN      0      50                         *:3306                                   *:*

LISTEN      0      128                        *:22                                     *:*

LISTEN      0      100                127.0.0.1:25                                     *:*

LISTEN      0      128                       :::80                                    :::*

LISTEN      0      128                       :::22                                    :::*

LISTEN      0      100                      ::1:25                                    :::*

~]# iptables -P INPUT DROP^C

~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp –dport 22 -j ACCEPT

~]# iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

32  2112 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1596 bytes)

pkts bytes target     prot opt in     out     source               destination

~]# iptables -A OUTPUT  -d 0/0 -s 192.168.150.137 -p tcp –dport 22 -j ACCEPT

~]# iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

221 15948 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp dpt:22

[root@localhost ~]# iptables -P INPUT DROP

[root@localhost ~]# iptables -P OUTPUT DROP

Connection closed by foreign host.

~]# iptables -nvL

Chain INPUT (policy DROP 5 packets, 378 bytes)

pkts bytes target     prot opt in     out     source               destination

486 40089 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 136 packets, 14751 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp dpt:22

~]# iptables -nvL –line-number

Chain INPUT (policy DROP 5 packets, 378 bytes)

num   pkts bytes target     prot opt in     out     source               destination

1      592 47177 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 200 packets, 21999 bytes)

num   pkts bytes target     prot opt in     out     source               destination

1        0     0 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp dpt:22

~]# iptables -D OUTPUT 1

~]# iptables -A OUTPUT  -d 0/0 -s 192.168.150.137 -p tcp –sport 22 -j ACCEPT

~]# iptables -P OUTPUT DROP

~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

1027 76713 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

74  7144 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:22

~]# iptables -nvL

Chain INPUT (policy DROP 8 packets, 472 bytes)

pkts bytes target     prot opt in     out     source               destination

1037 77393 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

82  8380 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:22

~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp –dport 80 -j ACCEPT

~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp –sport 80 -j ACCEPT

~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

1474  110K ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:22

10  1004 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

386 37764 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:22

8   954 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:80

iptables之ICMP

icmp

[!] –icmp-type {type[/code]|typename}

echo-request:8

echo-reply:0


服务器开通ping ip功能,此时服务器的OUTPUT发送request至外部ip,并reply至服务器的INPUT口

~]# iptables -A OUTPUT -s 192.168.150.137 -d 0/0 -p icmp –icmp-type 8 -j ACCEPT

~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p icmp –icmp-type 0 -j ACCEPT

~]# ping 192.168.150.136

PING 192.168.150.136 (192.168.150.136) 56(84) bytes of data.

64 bytes from 192.168.150.136: icmp_seq=1 ttl=64 time=1.68 ms

64 bytes from 192.168.150.136: icmp_seq=2 ttl=64 time=0.750 ms

^C

— 192.168.150.136 ping statistics —

2 packets transmitted, 2 received, 0% packet loss, time 1001ms

rtt min/avg/max/mdev = 0.750/1.216/1.682/0.466 ms

服务器开通被ping功能,此时外部ip发送request至服务器INPUT,服务器发送reply至OUTPUT

~]# iptables -A INPUT -d 192.168.150.137 -p icmp –icmp-type 8 -j ACCEPT

~]# iptables -A OUTPUT -s 192.168.150.137 -p icmp –icmp-type 0 -j ACCEPT


iptables之multiport

           以离散方式定义多端口匹配;最多指定15个端口;


           [!] –source-ports,–sports port[,port|,port:port]…:指定多个源端口;

           [!] –destination-ports,–dports port[,port|,port:port]…:指定多个目标端口;

           [!] –ports port[,port|,port:port]…:指明多个端口;


~]# iptables -I INPUT -s 0/0 -d 192.168.150.137 -p tcp -m multiport –dports 22,80 -j  ACCEPT

~]# iptables -vnL –line-numbers

Chain INPUT (policy DROP 0 packets, 0 bytes)

multiport dports 22,80

tcp dpt:22

tcp dpt:80

icmptype 0

icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

multiport sports 22,80

tcp spt:22

tcp spt:80

icmptype 8

icmptype 0

~]# iptables -D INPUT 2

~]# iptables -D INPUT 2

~]# iptables -vnL –line-numbers

Chain INPUT (policy DROP 0 packets, 0 bytes)

multiport dports 22,80

icmptype 0

icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

multiport sports 22,80

tcp spt:22

tcp spt:80

icmptype 8

icmptype 0

~]# iptables -D OUTPUT 2

~]# iptables -D OUTPUT 2

~]# iptables -vnL –line-numbers

Chain INPUT (policy DROP 0 packets, 0 bytes)

multiport dports 22,80

icmptype 0

icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

multiport sports 22,80

icmptype 8

icmptype 0


iptables至iprange

           指明连续的(但一般不是整个网络)ip地址范围;


           [!] –src-range from[-to]:源IP地址;

           [!] –dst-range from[-to]:目标IP地址;


~]# iptables -A OUTPUT -s 192.168.150.137 -p tcp –sport 23 -m iprange –dst-range 192.168.150.130-192.168.150.140 -j ACCEPT

~]# iptables -A INPUT -d 192.168.150.137 -p tcp –sport 23 -m iprange –src-range 192.168.150.130-192.168.150.140 -j ACCEPT

~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

ports 22,80

2   168 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 0

4   336 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 8

source IP range 192.168.150.130-192.168.150.140

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

ports 22,80

2   168 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 8

4   336 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 0

estination IP range 192.168.150.130-192.168.150.140

[root@localhost ~]# ss -tnl

State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port

LISTEN      0      50                     *:3306                               *:*

LISTEN      0      128                    *:22                                 *:*

LISTEN      0      100            127.0.0.1:25                                 *:*

LISTEN      0      128                   :::80                                :::*

LISTEN      0      128                   :::22                                :::*

LISTEN      0      100                  ::1:25                                :::*

[root@localhost ~]# iptables -nvL

Chain INPUT (policy DROP 10 packets, 931 bytes)

pkts bytes target     prot opt in     out     source               destination

orts 22,80

2   168 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 0

4   336 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 8

ource IP range 192.168.150.130-192.168.150.140

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

orts 22,80

2   168 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 8

4   336 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 0

estination IP range 192.168.150.130-192.168.150.140

[root@localhost ~]# systemctl start telnet.socket

[root@localhost ~]# ss -tnl

State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port

LISTEN      0      50                                                                  *:3306                                                                            *:*

LISTEN      0      128                                                                 *:22                                                                              *:*

LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*

LISTEN      0      128                                                                :::80                                                                             :::*

LISTEN      0      128                                                                :::22                                                                             :::*

LISTEN      0      128                                                                :::23                                                                             :::*

LISTEN      0      100                                                               ::1:25                                                                             :::*

[root@localhost ~]# useradd centos

useradd:用户“centos”已存在

[root@localhost ~]# echo "oracleadmin" | passwd –stdin centos

更改用户 centos 的密码 。

passwd:所有的身份验证令牌已经成功更新。

[root@localhost ~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

4277  289K ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      multiport dports 22,80

2   168 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 0

4   336 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 8

164  8892 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:23 source IP range 192.168.150.130-192.168.150.140

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 6 packets, 440 bytes)

pkts bytes target     prot opt in     out     source               destination

2516  790K ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            multiport sports 22,80

2   168 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 8

4   336 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 0

113  6638 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:23 destination IP range 192.168.150.130-192.168.150.140


iptables之string

对报文中的应用层数据做字符串模式匹配检测;


           –algo {bm|kmp}:字符串匹配检测算法;

               bm:Boyer-Moore

               kmp:Knuth-Pratt-Morris

           [!] –string pattern:要检测的字符串模式;

           [!] –hex-string pattern:要检测的字符串模式,16进制格式;


~]# vim /var/www/html/test.html

~]#iptables -I OUTPUT -s 192.168.150.137 -d 0/0 -p tcp –sport 80 -m string –algo bm –string "old" -j REJECT

~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

4894  332K ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      multiport dports 22,80

2   168 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 0

4   336 ACCEPT     icmp —  *      *       0.0.0.0/0            192.168.150.137      icmptype 8

263 14230 ACCEPT     tcp  —  *      *       0.0.0.0/0            192.168.150.137      tcp dpt:23 source IP range 192.168.150.130-192.168.150.140

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 REJECT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:80 STRING match  "old" ALGO name bm TO 65535 reject-with icmp-port-unreachable

2907  839K ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            multiport sports 22,80

2   168 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 8

4   336 ACCEPT     icmp —  *      *       192.168.150.137      0.0.0.0/0            icmptype 0

174 10487 ACCEPT     tcp  —  *      *       192.168.150.137      0.0.0.0/0            tcp spt:23 destination IP range 192.168.150.130-192.168.150.140

~]# vim /var/www/html/test2.html


iptables之time

           根据将报文到达的时间与指定的时间范围进行匹配;


           –datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

           –datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]


           –timestart hh:mm[:ss]

           –timestop hh:mm[:ss]


           [!] –monthdays day[,day…]

           [!] –weekdays day[,day…]


           –kerneltz:使用内核上的时区,而非默认的UTC;


~]# iptables -R INPUT 4 -d 192.168.150.137 -p tcp –dport 23 -m iprange –src-range 192.168.150.130-192.168.150.140 -m time –timestart 09:00:00 –timestop 18:00:00 -j ACCEPT


iptabels之connlimit

           根据每客户端IP做并发连接数数量匹配;


           –connlimit-upto n:连接的数量小于等于n时匹配;

           –connlimit-above n:连接的数量大于n时匹配;


~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp –dport 23 -m connlimit –connlimit-upto 2 -j ACCEPT


iptable之limit

基于收发报文的速率做匹配;


               令牌桶过滤器;


           –limit rate[/second|/minute|/hour|/day]

           –limit-burst number    突发速率


~]# iptables -R INPUT 3 -d 192.168.150.137 -p icmp –icmp-type 8 -m limit –limit 20/minute –limit-burst 3 -j ACCEPT

~]# iptables -A OUTPUT -s 192.168.150.137 -p icmp –icmp-type 0 -j ACCEPT


iptables之state

           根据”连接追踪机制“去检查连接的状态;


           conntrack机制:追踪本机上的请求和响应之间的关系;状态有如下几种:

               NEW:新发出请求;连接追踪模板中不存在此连接的相关信息条目,因此,将其识别为第一次发出的请求;

               ESTABLISHED:NEW状态之后,连接追踪模板中为其建立的条目失效之前期间内所进行的通信状态;

               RELATED:相关联的连接;如ftp协议中的数据连接与命令连接之间的关系;

               INVALID:无效的连接;

               UNTRACKED:未进行追踪的连接;


           [!] –state state


~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m multiport –dports 22,80 -m state –state NEW,ESTABLISHED -j ACCEPT

~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp -m multiport –sports 22,80 -m state –state ESTABLISHED -j ACCEPT

调整连接追踪功能所能够容纳的最大连接数量:

/proc/sys/net/nf_contrack_max

sysctl -w net.nf_conntrack_max=300000

echo 300000>/proc/sys/net/nf_conntrack_max

已经追踪到到的并记录下来的连接:

/proc/net/nf_conntrack

不同的协议的连接追踪时长:

/proc/sys/net/netfilter/

iptables的链接跟踪表最大容量为/proc/sys/net/nf_contrack_max,链接碰到各种状态的超时后就会从表中删除;当模板满载时,后续的连接可能会超时

解決方法一般有两个:

(1) 加大nf_conntrack_max 值

vi /etc/sysctl.conf

net.ipv4.nf_conntrack_max = 393216

net.ipv4.netfilter.nf_conntrack_max = 393216

(2)  降低 nf_conntrack timeout时间

vi /etc/sysctl.conf

net.ipv4.netfilter.nf_conntrack_tcp_timeout_established = 300

net.ipv4.netfilter.nf_conntrack_tcp_timeout_time_wait = 120

net.ipv4.netfilter.nf_conntrack_tcp_timeout_close_wait = 60

net.ipv4.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

~]# watch -n1 'iptables -nvL'

规则的检查次序:规则在链接上的次序即为其检查时的生效次序;因此,其优化使用有一定法则;

(1)同类规则(访问同一应用),匹配范围小的放前面;用于特殊处理;

(2)不同类的规则(访问不同应用),匹配范围大的放前面;

(3)应该将那些可由一条规则描述的多个规则合并为一;

(4)设置默认策略;

如何开放被动模式的ftp服务?

(1) 装载ftp连接追踪的专用模块:

~]# modproble  nf_conntrack_ftp

(2) 放行命令连接(假设Server地址为172.16.100.67):

~]# iptables -A INPUT -d 172.16.100.67 -p tcp –dport 21 -m state –state NEW,ESTABLISHED -j ACCEPT

~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp –sport 21 -m state –state ESTABLISHED -j ACCEPT

(3) 放行数据连接(假设Server地址为172.16.100.67):

~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m state –state RELATED,ESTABLISHED -j ACCEPT

~]# iptables -I OUTPUT -s 172.16.100.67 -m state –state ESTABLISHED -j ACCEPT

规则优化:

服务器端规则设定:任何不允许的访问,应该在请求到达时给予拒绝;

(1) 可安全放行所有入站的状态为ESTABLISHED状态的连接;

(2) 可安全放行所有出站的状态为ESTABLISHED状态的连接;

(3) 谨慎放行入站的新请求

(4) 有特殊目的限制访问功能,要于放行规则之前加以拒绝;


iptables之save


~]# iptables-save

# Generated by iptables-save v1.4.21 on Thu Nov 17 19:49:53 2016

*nat

:PREROUTING ACCEPT [569:58999]

:INPUT ACCEPT [95:11029]

:OUTPUT ACCEPT [512:34919]

:POSTROUTING ACCEPT [153:9591]

COMMIT

# Completed on Thu Nov 17 19:49:53 2016

# Generated by iptables-save v1.4.21 on Thu Nov 17 19:49:53 2016

*filter

:INPUT DROP [11:1438]

:FORWARD ACCEPT [0:0]

:OUTPUT DROP [0:0]

-A INPUT -d 192.168.150.137/32 -m state –state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -d 192.168.150.137/32 -p tcp -m multiport –dports 22,23,80 -m state –state NEW -j ACCEPT

-A INPUT -d 192.168.150.137/32 -p icmp -m icmp –icmp-type 8 -m state –state NEW -j ACCEPT

-A INPUT -d 192.168.150.137/32 -p tcp -m tcp –dport 21 -m state –state NEW -j ACCEPT

-A OUTPUT -m state –state ESTABLISHED -j ACCEPT

COMMIT

# Completed on Thu Nov 17 19:49:53 2016

~]# iptables-save > /etc/sysconfig/iptables.v1

~]# cat /etc/sysconfig/iptables.v1

# Generated by iptables-save v1.4.21 on Thu Nov 17 19:51:01 2016

*nat

:PREROUTING ACCEPT [572:59233]

:INPUT ACCEPT [95:11029]

:OUTPUT ACCEPT [512:34919]

:POSTROUTING ACCEPT [153:9591]

COMMIT

# Completed on Thu Nov 17 19:51:01 2016

# Generated by iptables-save v1.4.21 on Thu Nov 17 19:51:01 2016

*filter

:INPUT DROP [14:1672]

:FORWARD ACCEPT [0:0]

:OUTPUT DROP [0:0]

-A INPUT -d 192.168.150.137/32 -m state –state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -d 192.168.150.137/32 -p tcp -m multiport –dports 22,23,80 -m state –state NEW -j ACCEPT

-A INPUT -d 192.168.150.137/32 -p icmp -m icmp –icmp-type 8 -m state –state NEW -j ACCEPT

-A INPUT -d 192.168.150.137/32 -p tcp -m tcp –dport 21 -m state –state NEW -j ACCEPT

-A OUTPUT -m state –state ESTABLISHED -j ACCEPT

COMMIT

# Completed on Thu Nov 17 19:51:01 2016

~]# iptables -P INPUT ACCEPT

~]# iptables -P OUTPUT ACCEPT

~]# iptables -F

~]# iptables -nvL

Chain INPUT (policy ACCEPT 33 packets, 2188 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18 packets, 1636 bytes)

pkts bytes target     prot opt in     out     source               destination

~]# iptables-restore < /etc/sysconfig/iptables.v1

~]# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

D,ESTABLISHED

orts 22,23,80 state NEW

tate NEW

tate NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

ISHED

通过iptables做Firewall(FORWARD)

实验拓扑图

内部服务器 1.1.1.2 默认网关设置为1.1.1.100

Firewall 1.1.1.100,192.168.31.120

外部服务器 192.168.31.32 添加路由指向route add -net 1.1.1.0/24 gw 192.168.31.120

防火墙默认的ip forward是关闭的,手动进行开启

~]# cat /proc/sys/net/ipv4/ip_forward

0

~]# echo 1 > /proc/sys/net/ipv4/ip_forward

1.1.1.2和192.168.31.32网络通

通过iptables将FORWARD DROP,并添加策略使两台机子可以ping通

~]# iptables -P FORWARD DROP

~]# iptables -A FORWARD -s 1.1.1.0/24 -d 0/0 -p icmp –icmp-type 8 -j ACCEPT

~]# iptables -A FORWARD -s 0/0 -d 1.1.1.0/24 -p icmp –icmp-type 0 -j ACCEPT

通过tcpdump工具可以查看结果

~]# tcpdump -i eno33554976 -nn icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eno33554976, link-type EN10MB (Ethernet), capture size 65535 bytes

21:26:59.297765 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 54, length 64

21:27:00.298340 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 55, length 64

21:27:01.298184 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 56, length 64

21:27:02.298255 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 57, length 64

21:27:03.298343 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 58, length 64

21:27:04.298548 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 59, length 64

^C

6 packets captured

6 packets received by filter

0 packets dropped by kernel

通过state设定防火墙规则

~]# iptables -A FORWARD -m state –state ESTABLISHED -j ACCEPT

~]# iptables -A FORWARD -s 1.1.1.0/24 -p icmp –icmp-type 8 -m state –state NEW

开启80和21  ftp开启设定

~]# iptables -A FORWARD -m state –state ESTABLISHED -j ACCEPT

~]# iptables -A FORWARD -s 1.1.1.0/24 -p tcp –dport 80 -m state –state NEW -j

CCEPT

~]# iptables -A FORWARD -s 1.1.1.0/24 -p tcp –dport 21 -m state –state NEW -j A

CCEPT

~]# modprobe nf_conntrack_ftp

~]# iptables -R FORWARD 1 -m state –state ESTABLISHED,RELATED -j ACCEPT

设定策略开启自动生成

~]# iptables-save >/etc/sysconfig/iptables.v2

~]# vim /etc/rc.local

~]# cat /etc/rc.local

#!/bin/bash

# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES

#

# It is highly advisable to create own systemd services or udev rules

# to run scripts during boot instead of using this file.

#

# In contrast to previous versions due to parallel execution during boot

# this script will NOT be run after all other services.

#

# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure

# that this script will be executed during boot.

touch /var/lock/subsys/local

iptables-restore < /etc/sysconfig/iptables.v2

[END] 2016/11/18 21:57:53

iptables之NAT

默认情况下内部服务器发送http访问,外部服务器记录的是内部主机ip

1.1.1.2

[root@localhost ~]# curl http://192.168.31.32

<h1>remote </h1>

192.168.31.32

[root@MiWiFi-R3-srv ~]# tail /var/log/httpd/access_log

192.168.31.32 – – [08/Nov/2016:14:23:20 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.19.7 (x86

_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"1.1.1.2 – – [08/Nov/2016:14:27:00 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"

1.1.1.2 – – [08/Nov/2016:15:12:41 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"

1.1.1.2 – – [08/Nov/2016:15:24:40 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"

nat: network address translation

snat: source nat

修改IP报文中的源IP地址

让本地网络中的主机可使用统一地址与外部主机通信,从而实现地址伪装;

请求:修改源IP,如何修改则由管理员定义;

相应:修改目标IP,由nat自动根据会话表中追踪机制实现相应修改;

dnat: destination nat

修改IP报文中的目标IP地址

让本地网络中的服务器使用统一的地址向外提供服务(发布服务),但隐藏了自己的真实地址;

请求:由外网主机发起,修改其目标地址,由管理员定义;

相应:修改源地址,但由nat自动根据会话表中的追踪机制实现对应修改;

pnat: port nat

SNAT示例:

~]# iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j SNAT –to-source 172.16.100.67

[root@MiWiFi-R3-srv ~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j SNAT –to-source 192.168.31.1 20

可以添加一个范围

[root@MiWiFi-R3-srv ~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j SNAT –to-source 192.168.31.120-192.168.31.255

示例验证

1、ping验证

1.1.1.2上进行ping操作

[root@localhost ~]# ping 192.168.31.32

PING 192.168.31.32 (192.168.31.32) 56(84) bytes of data.

64 bytes from 192.168.31.32: icmp_seq=1 ttl=63 time=2.79 ms

64 bytes from 192.168.31.32: icmp_seq=2 ttl=63 time=0.502 ms

64 bytes from 192.168.31.32: icmp_seq=3 ttl=63 time=0.689 ms

64 bytes from 192.168.31.32: icmp_seq=4 ttl=63 time=0.451 ms

192.168.31.32上抓包看,原地址已经转换

[root@MiWiFi-R3-srv ~]# tcpdump -i eth0 -nn icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:54:07.722067 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 73, length 64

16:54:07.722106 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 73, length 64

16:54:08.722394 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 74, length 64

16:54:08.722429 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 74, length 64

16:54:09.722782 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 75, length 64

16:54:09.722817 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 75, length 64

16:54:10.723160 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 76, length 64

16:54:10.723196 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 76, length 64

nat服务器上的抓包

内网网卡:

[root@MiWiFi-R3-srv ~]# tcpdump -i eno16777736 -nn icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes

13:53:29.354768 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 8, length 64

13:53:29.355038 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 8, length 64

13:53:30.355449 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 9, length 64

13:53:30.355803 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 9, length 64

13:53:31.357455 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 10, length 64

13:53:31.357842 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 10, length 64

外网网卡:

[root@MiWiFi-R3-srv ~]# tcpdump -i eno33554976 -nn icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eno33554976, link-type EN10MB (Ethernet), capture size 65535 bytes

13:53:57.372568 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 36, length 64

13:53:57.372842 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 36, length 64

13:53:58.373001 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 37, length 64

13:53:58.373249 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 37, length 64

2、http验证

1.1.1.2主机上进行http请求

[root@localhost ~]# curl http://192.168.31.32

<h1>remote </h1>

192.168.31.32查看日志

~]# tail /var/log/httpd/access_log

192.168.31.120 – – [08/Nov/2016:16:58:47 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"

NAT服务和filter结合,禁用22端口

~]# iptables -t filter -A FORWARD -s 1.1.1.0/24 -p tcp –dport 22 -j REJECT

1.1.1.2主机上进行ssh请求

~]# ssh 192.168.31.32

ssh: connect to host 192.168.31.32 port 22: Connection refused

MASQUERADE:


源地址转换:当源地址为动态获取的地址时,MASQUERADE可自行判断要转换为的地址;

~]# iptables -t nat -A POSTROUTING -s 1.1.10.24 -j MASQUERADE

DNAT


测试环境

1.1.1.2作为网http服务器

[root@localhost ~]# systemctl start httpd.service

[root@localhost ~]# vim /var/www/html/index.html

[root@localhost ~]# cat /var/www/html/index.html

<h1>INTERAL SERVER</h1>

[root@localhost ~]# ss -tnl

State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port

LISTEN      0      50                     *:3306                               *:*

LISTEN      0      128                    *:22                                 *:*

LISTEN      0      100            127.0.0.1:25                                 *:*

LISTEN      0      128                   :::80                                :::*

LISTEN      0      128                   :::22                                :::*

LISTEN      0      100                  ::1:25                                :::*

DNAT规则添加

1.1.1.100主机,外网ip192.168.31.120

自己的对外80端口没有被监听

[root@MiWiFi-R3-srv ~]# ss -tnl

State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port

LISTEN      0      5          192.168.122.1:53                                 *:*

LISTEN      0      128                    *:22                                 *:*

LISTEN      0      128            127.0.0.1:631                                *:*

LISTEN      0      100            127.0.0.1:25                                 *:*

LISTEN      0      128            127.0.0.1:6010                               *:*

LISTEN      0      128                   :::22                                :::*

LISTEN      0      128                  ::1:631                               :::*

LISTEN      0      100                  ::1:25                                :::*

LISTEN      0      128                  ::1:6010                              :::*

~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp –dport 80 -j D

NAT –to-destination 1.1.1.2

[root@MiWiFi-R3-srv ~]# iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 1 packets, 246 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 DNAT       tcp  —  *      *       0.0.0.0/0            192.168.31.120       tcp dpt:80 t

o:1.1.1.2

使用外网主机192.168.31.31访问192.168.31.120,实际指向1.1.1.2

[root@MiWiFi-R3-srv ~]# curl http://192.168.31.120

<h1>INTERAL SERVER</h1>

端口映射测试:

首先修改1.1.1.2主机的http端口

~]# vim /etc/httpd/conf/httpd.conf

Listen 8090

[root@localhost ~]# systemctl restart httpd.service

[root@localhost ~]# ss -tnl

State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port

LISTEN      0      50                     *:3306                               *:*

LISTEN      0      128                    *:22                                 *:*

LISTEN      0      100            127.0.0.1:25                                 *:*

LISTEN      0      128                   :::22                                :::*

LISTEN      0      100                  ::1:25                                :::*

LISTEN      0      128                   :::8090                              :::*

dnat主机设定

~]# iptables -t nat -F

[root@MiWiFi-R3-srv ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp –dport 80 -j D

NAT –to-destination 1.1.1.2:8090[root@MiWiFi-R3-srv ~]# iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 DNAT       tcp  —  *      *       0.0.0.0/0            192.168.31.120       tcp dpt:80 t

o:1.1.1.2:8090

外网访问

[root@MiWiFi-R3-srv ~]# curl http://192.168.31.120

<h1>INTERAL SERVER</h1>

此时在1.1.1.2上面查看访问指向为源地址的192.168.31.32

[root@localhost ~]# tail /var/log/httpd/access_log

192.168.31.32 – – [20/Nov/2016:13:17:46 +0800] "GET / HTTP/1.1" 200 24 "-" "curl/7.19.7 (x86_64-redha

t-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"::1 – – [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 – "-" "Apache/2.4.6 (CentOS) (internal

dummy connection)"::1 – – [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 – "-" "Apache/2.4.6 (CentOS) (internal

dummy connection)"::1 – – [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 – "-" "Apache/2.4.6 (CentOS) (internal

dummy connection)"::1 – – [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 – "-" "Apache/2.4.6 (CentOS) (internal

dummy connection)"::1 – – [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 – "-" "Apache/2.4.6 (CentOS) (internal

dummy connection)"192.168.31.32 – – [20/Nov/2016:13:22:08 +0800] "GET / HTTP/1.1" 200 24 "-" "curl/7.19.7 (x86_64-redha

t-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

也可以通过tcpdump抓包查看

tcpdump – eno33554976 -nn tcp port 8090

ssh转换

~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp –dport 22 -j D

NAT –to-destination 1.1.1.2

外网主机连接ssh会变成1.1.1.2

[root@MiWiFi-R3-srv ~]# ssh 192.168.31.120

The authenticity of host '192.168.31.120 (192.168.31.120)' can't be established.

RSA key fingerprint is 22:fc:db:5b:e5:26:8a:35:96:9f:2d:c4:4f:07:d1:e8.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.31.120' (RSA) to the list of known hosts.

root@192.168.31.120's password:

Last login: Sun Nov 20 11:51:47 2016 from 1.1.1.1

[root@localhost ~]# ifconfig

eno33554976: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

inet 1.1.1.2  netmask 255.255.255.0  broadcast 1.1.1.255

inet6 fe80::20c:29ff:fe87:41fd  prefixlen 64  scopeid 0x20<link>

ether 00:0c:29:87:41:fd  txqueuelen 1000  (Ethernet)

RX packets 2298  bytes 203573 (198.8 KiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 1307  bytes 168590 (164.6 KiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

inet 127.0.0.1  netmask 255.0.0.0

inet6 ::1  prefixlen 128  scopeid 0x10<host>

loop  txqueuelen 0  (Local Loopback)

RX packets 620  bytes 52990 (51.7 KiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 620  bytes 52990 (51.7 KiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

原创文章,作者:N23-苏州-void,如若转载,请注明出处:http://www.178linux.com/60128

(0)
上一篇 2016-11-20 10:43
下一篇 2016-11-20 15:47

相关推荐

  • N25-第四周作业

    第四周 1、复制/etc/skel目录为/home/tuser1,要求/home/tuser1及其内部文件的属组和其它用户均没有任何访问权限。 [root@zf ~]# cp -r /etc/skel/ /home/tuser1 [root@zf ~]# chmod -R&nbs…

    Linux干货 2016-12-21
  • http和apache服务器

    超文本传输协议(HTTP,HyperText Transfer Protocol)是互联网上应用最为广泛的一种网络协议。所有的WWW文件都必须遵守这个标准。设计HTTP最初的目的是为了提供一种发布和接收HTML页面的方法。 http/1.1 :1997年1月 引入了持久连接(persistent connection) , tcp连接默认不关闭,可以被多个请…

    2017-12-05
  • HA之corosync+pacemaker+crmsh

    高可用集群框架 图片转载之http://www.178linux.com/16656 实验拓扑: 两台节点服务器: node1     192.168.150.137     node1.com node2     192.168.150.138     node2.com nf…

    Linux干货 2017-01-18
  • CentOS7下利用rsyslog+loganalyzer配置日志服务器及Linux和windows客户端配置

    随着机房内的服务器和网络设备增加,日志管理和查询就成了让系统管理员头疼的事。 系统管理员遇到的常见问题如下: 1、日常维护过程中不可能登录到每一台服务器和设备上去查看日志; 2、网络设备上的存储空间有限,不可能存储日期太长的日志,而系统出现问题又有可能是很久以前发生的某些操作造成的; 3、在某些非法入侵的情况下,入侵者一般都会清除本地日志…

    2017-03-15
  • 基于Cobbler实现多版本操作系统自动部署

    前言     在生产环境中,当需要批量部署几十甚至上百台服务器时,实现自动化安装操作系统尤为重要,按照传统的光盘引导安装是不可想象的;此前我们通过pxe+kickstart简单实现了自动化安装,但只能实现单一版本安装,当需要部署不同版本或不同引导模式(BIOS、EFI)时,此种方式就不够灵活。而Cobbler正是为了解…

    Linux干货 2015-08-11
  • 文件通配符与命令行扩展

    * 匹配零个或多个字符 ? 匹配任何单个字符 ~ 当前用户家目录 ~mage 用户mage家目录 ~+ 当前工作目录 ~- 前一个工作目录 [0-9] 匹配数字范围 [a-z] 字母 [A-Z]字母          [a-Z] 会以aAbBcC…小大小大列出,特别要注意 [wang] 匹配列表中的任何的一个字符 [^wang]匹配列表中的所有字…

    2017-11-12

评论列表(2条)

  • 马哥教育
    马哥教育 2016-11-30 21:20

    整个看下来内容可圈可点。但是这格式看的我眼都花了,并未能将翔实的内容很好的表现出来。好的内容更需要好的展现方式。

    • N23-苏州-void
      N23-苏州-void 2016-12-01 17:41

      @马哥教育我是从我的Evernote上拷贝过来的,格式就变乱了,这样改下应该及好多了。。
      看来以后拷贝过来后得重新整理一下