iptables(3)

----------------------------iptables企业应用

****************************单机防火墙列表
#!/bin/bash
#===================<set variable>=================
IPT=/sbin/iptables
SERVER=192.168.0.1
PARTNER=192.168.0.200
#===================<Clear Original Rule>==========
$IPT -A INPUT -p tcp -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp -d $SERVER --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -d $SERVER --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -d $SERVER --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp -s $PARTNER -d $SERVER --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s $PARTNER -d $SERVER --dport 23 -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
****************************网关防火墙列表
-------外网 --------------------网关防火墙-------------------内网PC1 192.168.0.200
10.0.100 eth0 eth1 |
10.0.1.200 192.168.0.1 内网PC2 192.168.0.100
#!/bin/bash
#===================<set variable>=================
IPT=/sbin/iptables
MAIL_SER=10.0.1.100
ACC_PC=192.168.0.200
INTERNAL=192.168.0.0/24
EXTERNAL=10.0.1.200
#===================<Set Default Policy>==========
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
#===================<Clear Original Rule>=========
$IPT -t filter -F
#===================<Set INPUT Rule>==============
$IPT -A INPUT -p tcp -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp -m state --state ESTABLISEHD,RELATED -j ACCEPT
#===================<Set FORWARD Rule>==============
$IPT -A FORWARD -i eth0 -o eth1 -m state --state INVALID -j DROP
$IPT -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISEHD,RELATED -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -s $ACC_PC -d $MAIL_SER --dport 25:100 -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -p all -s $ACC_PC -j DROP
$IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 25,110 -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 80,443 -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
$IPT -A POSTROUTING -o eth0 -s $INTERNAL -j NAT --to $EXTERNAL
****************************发布ssh端口
-------外网 --------------------网关防火墙-------------------内网PC1 192.168.0.200
10.0.100 eth0 eth1 |
10.0.1.200 192.168.0.1 内网PC2 192.168.0.100
#!/bin/bash
#===================<set variable>=================
IPT=/sbin/iptables
INTERNAL=192.168.0.0/24
NAT_E=10.0.1.200
PC1=192.168.0.200
PC2=192.168.0.100
#===================<Set Default Policy>==========
echo 1 > /proc/sys/net/ipv4/ip_forward
#===================<Clear Original Rule>=========
$IPT -t filter -F
$IPT -t nat -F
#===================<Set INPUT Rule>==============
$IPT -A INPUT -p tcp -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp -m state --state ESTABLISEHD,RELATED -j ACCEPT
#===================<Set PREROUTING Chain>==============
$IPT -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to $PC1:22
$IPT -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to $PC1:23
#===================<Set POSTROUTING Chain>==============
$IPT -A POSTROUTING -o eth0 -s $INTERNA -j DNAT --to $NAT_E
*****************升级kernel
# rpm -ivh kernel-2.6.32-431.5.1.el6.src.rpm
# cd rpmbuild/SOURCES
# tar -jxvf linux-2.6.32-431.5.1.el6.tar.bz2 -C /usr/src/
# cd /usr/src/
# ln -sv linux-2.6.32-431.5.1.el6 linux
# tar -zxvf netfilter-layer7-v2.23.tar.gz -C /usr/src/
# cd /usr/src/linux
# patch -p1 < /usr/src/netfilter-layer7-v2.23/kernel-2.6.32-layer7-2.23.patch
# cp /boot/config-2.6.32-431.el6.x86_64 ./config
你多次使用了这些源程序编译内核，那么最好要先运行一下这个命令
#make mrproper
使用make oldconfig可以继承老的kernel的配置，为自己的配置省去很多麻烦
#make oldconfig
#make menuconfig是文字界面下推荐一种方式，在这里可以选择你需要编译到核心的模块
# make menuconfig
yum install gcc* -y
yum install ncurses-devel -y
# make menuconfig
空格键用于选择配置类型
对不同功能的配置选择
[ ]：空选时表示不需要在新内核中使用该功能
[ M ]：表示将此项功能编译为模块，以便在需要时加载 Module
[ * ]：将此项功能直接编入新内核，作为新内核的一部分需要配置哪些内核编译参数
*/
#Networking support --->
# Networking options --->
# Network packet filtering framework (Netfilter) --->
# iP:netfilter configuraton --->
<M> IPv4 connection tracking support (required for NAT)
# Full NAT
#Networking support --->
# Networking options --->
# Network packet filtering framework (Netfilter) --->
# core netfilter configuration --->
<M> Netfilter connection tracking support
# "connlimit" match support"
# "time" match support
# "string" match support
# "layer7" match support
# [*] Layer 7 debugging output
或者：
Networking support → Networking Options →Network packet filtering framework →Code Netfilter Configuration
Ü <M> Netfilter connection tracking support
Ü <M> “layer7” match support
Ü <M> “string” match support
Ü <M> “time” match support
Ü <M> “iprange” match support
Ü <M> “connlimit” match support
Ü <M> “state” match support
Ü <M> “conntrack” connection match support
Ü <M> “mac” address match support
Ü <M> "multiport" Multiple port match support
v Networking support → Networking Options →Network packet filtering framework → IP: Netfilter Configuration
Ü <M> IPv4 connection tracking support (required for NAT)
Ü <M> Full NAT
v <M> MASQUERADE target support
# make (报错)
‘ksign_def_public_key’ undeclared (first use in this function)
解决方法：
#make menuconfig（进入基于文本菜单的配置界面）
1.选择”Enable loadable module support“，选择"Module signature verification (EXPERIMENTAL)"，按”N“取消该选项。
2.回到主菜单（main menu），选择”Cryptographic API“，取消”In-kernel signature checker (EXPERIMENTAL)“即可。
# make modules
# make modules_install
# make install
# vim /boot/grub/grub.conf （选择新内核）
# reboot
# cp /etc/init.d/iptables ~/
# cp /etc/sysconfig/iptables-config ~/
# rpm -e iptables-1.4.7-11.el6.x86_64 --nodeps
# tar -jxvf iptables-1.4.12.1.tar.bz2 -C /usr/src/
# cd /usr/src/iptables-1.4.12.1/
# cp /usr/src/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
# ./configure --prefix=/usr --with-ksource=/usr/src/linux
# make
# make install
# tar -zxvf I7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28/
# make install
# mv ~/iptables /etc/init.d/
# cp iptables-config /etc/sysconfig/
# cp /usr/sbin/iptables /sbin/
# cp /usr/sbin/iptables-restore /sbin/
# cp /usr/sbin/iptables-save /sbin/
# /etc/init.d/iptables restart
# iptables -t mangle -A POSTROUTING -m layer7 --l7proto qq -j DROP
# iptables -A FORWARD -m layer7 --l7proto qq -j REJECT 禁止QQ登录
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP
测试：
iptables -t mangle -A POSTROUTING -m layer7 --l7proto qq -j DROP