iptables 防火墙
运行源地址为192.168.10.10-192.168.10.50 这个网段的机器访问本机的20-25还有80、443、6379端口进来的流量
iptables -A INPUT -p tcp -m iprange --src-range 192.168.10.10-192.168.10.50 -m multiport --dports 20:25,80.443,6379 -j ACCEPT
开放出去的端口
iptables -A OUTPUT -p tcp -m iprange --dst-range 192.168.10.10-192.168.10.50 -m multiport --ports 20:25,80,443,6379 -j ACCEPT
保存防火墙规则与读入防火墙规则
root@chenxi ~]# iptables-save > /etc/iptables-test
[root@chenxi ~]# iptables-restore < /etc/iptables-test
[root@chenxi ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.10.1
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.10.10-192.168.10.50 multiport ports 20:25,80,443,6379
| 192.168.10.17 | 外主机 |
| 192.168.10.40 | 防火墙 |
| 192.168.8.5 | 防火墙 |
| 192.168.8.12 | 内主机 |
防火墙打开转发功能
[root@chenxi ~]# vi /etc/sysctl.conf # sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@chenxi ~]# sysctl -p
net.ipv4.ip_forward = 1
机器网关
[root@mail ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.10.40 0.0.0.0 UG 0 0 0 eth0
[root@chenxi ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth1
0.0.0.0 192.168.8.5 0.0.0.0 UG 0 0 0 eth1
拒绝192.168.10.17ping192.168.8.12
[root@chenxi ~]# iptables -A FORWARD -p icmp -s 192.168.10.17 -d 192.168.8.12 -j REJECT
[root@mail ~]# ping 192.168.8.12
PING 192.168.8.12 (192.168.8.12) 56(84) bytes of data.
From 192.168.10.40 icmp_seq=1 Destination Port Unreachable
From 192.168.10.40 icmp_seq=2 Destination Port Unreachable
From 192.168.10.40 icmp_seq=3 Destination Port Unreachable
^C
[root@chenxi ~]# ping -c 3 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data. --- 192.168.10.17 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12002ms
[root@mail ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:19:20.308225 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 1, length 64
18:19:20.308285 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 1, length 64
18:19:20.348839 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 40546 unreachable, length 92
18:19:21.308164 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 2, length 64
18:19:21.308222 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 2, length 64
18:19:21.308543 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 13920 unreachable, length 92
18:19:22.308205 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 3, length 64
18:19:22.308258 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 3, length 64
18:19:22.308781 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 6751 unreachable, length 92
SNAT源地址转换,内网访问外网;将192.168.8.12内部主机访问外网是,转换成192.168.10.40这个地址,路由后
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.12 -j SNAT --to-source 192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问外网时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.10.40
查看规则
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.40
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 192.168.10.0/24 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成由外网卡决定使用哪个IP地址,使用与拨号上网
[root@chenxi ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.8.0/24 -j MASQUERADE 替换第一条
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# ping 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data.
64 bytes from 192.168.10.17: icmp_seq=1 ttl=63 time=51.8 ms
64 bytes from 192.168.10.17: icmp_seq=2 ttl=63 time=1.03 ms
64 bytes from 192.168.10.17: icmp_seq=3 ttl=63 time=1.55 ms
DNAT 目标地址转换,外网访问内网;路由前,源地址为所有主机的IP访问本机的tcp22端口,都转发到192.168.8.12
[root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:22 to:192.168.8.12 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 3 packets, 212 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# ssh 192.168.10.40
The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established.
RSA key fingerprint is 3a:17:29:f8:f9:c5:a5:67:db:cd:c4:ab:5a:3d:c2:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts.
root@192.168.10.40's password:
Last login: Fri Mar 22 18:22:15 2019 from 192.168.8.1
[root@chenxi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ad:a3:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.8.12/24 brd 192.168.8.255 scope global eth1
inet6 fe80::20c:29ff:fead:a372/64 scope link
valid_lft forever preferred_lft forever
将源地址为192.168.10.17的地址访问本机22端口替将目标地址换成成192.168.8.12的22端口 -R替换规则
[root@chenxi ~]# iptables -t nat -R PREROUTING 1 -s 192.168.10.17/24 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
将源地址为所有主机的地址访问本机80端口替将目标地址换成成192.168.8.12的8080端口
[root@chenxi ~]# service httpd restart
停止 httpd: [确定]
正在启动 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[确定]
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::8080 :::*
users:(("httpd",2842,4),("httpd",2844,4),("httpd",2845,4),("httpd",2846,4),("httpd",2847,4),("httpd",2848,4),("httpd",2849,4),("httpd",2850,4),("httpd",2851,4))LISTEN 0 128 :::22 :::*
users:(("sshd",1266,4))LISTEN 0 128 *:22 *:*
users:(("sshd",1266,3))LISTEN 0 100 ::1:25 :::*
users:(("master",1345,13))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",1345,12))[root@chenxi ~]# echo chenxi > /var/www/html/index.html [root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.8.12:8080
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# curl 192.168.10.40
chenxi
端口转发将访问本机的90端口转发到,本机80端口上
[root@chenxi ~]# iptables -t nat -A PREROUTING -d 192.168.10.40 -p tcp --dport 90 -j REDIRECT --to-ports 80
[root@chenxi ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
DNAT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080
REDIRECT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:90 redir ports 80 Chain INPUT (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# echo "fhq" > /var/www/html/index.html
[root@chenxi ~]# service httpd start
Redirecting to /bin/systemctl start httpd.service
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
users:(("sshd",pid=1052,fd=3))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1146,fd=13))LISTEN 0 128 :::80 :::*
users:(("httpd",pid=3825,fd=4),("httpd",pid=3824,fd=4),("httpd",pid=3823,fd=4),("httpd",pid=3822,fd=4),("httpd",pid=3821,fd=4),("httpd",pid=3820,fd=4))LISTEN 0 128 :::22 :::*
users:(("sshd",pid=1052,fd=4))LISTEN 0 100 ::1:25 :::*
users:(("master",pid=1146,fd=14))
[root@chenxi ~]# setenforce 0
[root@mail ~]# curl 192.168.10.40:90
fhq
iptables 防火墙的更多相关文章
- CentOS系统配置 iptables防火墙
阿里云CentOS系统配置iptables防火墙 虽说阿里云推出了云盾服务,但是自己再加一层防火墙总归是更安全些,下面是我在阿里云vps上配置防火墙的过程,目前只配置INPUT.OUTPUT和FO ...
- 关闭SELinux和iptables防火墙
1.关闭SELinux: 编辑SELinux配置文件: [root@Redis selinux]# vim /etc/selinux/config 修改SELINUX配置项为disable SELIN ...
- CentOS 7.0,启用iptables防火墙
CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: systemctl stop firewalld.service #停止fir ...
- 编译内核实现iptables防火墙layer7应用层过滤 (三)
在前面的两篇文章中我们主要讲解了Linux防火墙iptables的原理及配置规则,想博友们也都知道iptables防火墙是工作在网络层,针对TCP/IP数据包实施过滤和限制,属于典型的包过滤防火墙.以 ...
- [CentOs7]iptables防火墙安装与设置
摘要 CentOS 7.0默认使用的是firewall作为防火墙,如果改为iptables防火墙,如何操作? 关闭firewall: systemctl stop firewalld.service ...
- iptables防火墙作为基本需求的配置
企业中使用iptables防火墙:(一般不要在命令中输入规则) # Firewall configuration written by system-config-firewall# Manual c ...
- [moka同学摘录]iptables防火墙规则的添加、删除、修改、保存
文章来源:http://www.splaybow.com/post/iptables-rule-add-delete-modify-save.html 本文介绍iptables这个Linux下最强大的 ...
- linux 的iptables防火墙
.a文件就是*.o文件的集合, 是object文件的归档文件, 所以, 用nm -A ???.a看到的 symbolic符合名称都是 相应的, 包含的 .o文件.... linux 2.4内核中 ...
- 使用iptables防火墙限制web的访问PV
使用iptables防火墙限制web的访问PV #!/bin/bash while true;do awk '{print $1}' /tmp/test/access.log| grep -v &qu ...
- Netfilter/iptables防火墙
http://os.51cto.com/art/201107/273443.htm [51CTO独家特稿]Linux系统管理员们都接触过Netfilter/iptables,这是Linux系统自带的免 ...
随机推荐
- nc之二:nc命令详解
NetCat,在网络工具中有“瑞士军刀”美誉,其有Windows和Linux的版本.因为它短小精悍(1.84版本也不过25k,旧版本或缩减版甚至更小).功能实用,被设计为一个简单.可靠的网络工具,可通 ...
- 【旧文章搬运】对抗RKU的StealthCode检测
原文发表于百度空间,2009-07-02========================================================================== 快一个月没 ...
- 【社群话题分享】LAMP 还是 LNMP 或者 ?
每周三下午的话题活动是又拍云技术社群的优良传统- 大家一起来看看这周都聊了些啥吧- 往期话题推荐: [社群话题分享]Linux 各大发行版你怎么选? [社群话题分享]数据权限该怎么放? [社群话题分享 ...
- Windows系统下安装fis3
在讲怎么安装FIS3之前我们先来了解一下FIS3 FIS3 是什么? FIS3 是面向前端的工程构建工具.解决前端工程中性能优化.资源加载(异步.同步.按需.预加载.依赖管理.合并.内嵌).模块化开发 ...
- android内存溢出 java.lang.OutOfMemoryError
今天在做ListView 的时候.想做一个音乐列表模块,前面是图片,后面是分类名称,如下图: 结果运行时候,LogCat是总是报 java.lang.OutOfMemoryError的错误,顾名思义, ...
- 在服务器上执行hbase的jar包
hadoop命令执行hbase应用jar包时的环境变量加载问题 Apache HBase ™ Reference Guide HBase, MapReduce, and the CLASSPATH
- fzu 2204 7 dp
题目链接: fzu 2204 7 题目描述: 给出n个小球,每个小球只能涂黑色或者是白色,七个连续的不能是同种颜色,问有多少种涂色方法? 解题思路: 刚开始没有考虑到是环形的,WA的风生水起,怪我咯! ...
- 题解报告:hdu 1392 Surround the Trees(凸包入门)
Problem Description There are a lot of trees in an area. A peasant wants to buy a rope to surround a ...
- 129 Sum Root to Leaf Numbers 求根叶数字总和
给定一个只包含 0-9 数字的二叉树,每个根到叶的路径可以代表一个数字.例如,从根到叶路径 1->2->3则代表数字 123.查找所有根到叶数字的总和.例如, 1 / \ 2 ...
- 135 Candy 分配糖果
There are N children standing in a line. Each child is assigned a rating value.You are giving candie ...