iptables 防火墙
运行源地址为192.168.10.10-192.168.10.50 这个网段的机器访问本机的20-25还有80、443、6379端口进来的流量
iptables -A INPUT -p tcp -m iprange --src-range 192.168.10.10-192.168.10.50 -m multiport --dports 20:25,80.443,6379 -j ACCEPT
开放出去的端口
iptables -A OUTPUT -p tcp -m iprange --dst-range 192.168.10.10-192.168.10.50 -m multiport --ports 20:25,80,443,6379 -j ACCEPT
保存防火墙规则与读入防火墙规则
root@chenxi ~]# iptables-save > /etc/iptables-test
[root@chenxi ~]# iptables-restore < /etc/iptables-test
[root@chenxi ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.10.1
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.10.10-192.168.10.50 multiport ports 20:25,80,443,6379
| 192.168.10.17 | 外主机 |
| 192.168.10.40 | 防火墙 |
| 192.168.8.5 | 防火墙 |
| 192.168.8.12 | 内主机 |
防火墙打开转发功能
[root@chenxi ~]# vi /etc/sysctl.conf # sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@chenxi ~]# sysctl -p
net.ipv4.ip_forward = 1
机器网关
[root@mail ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.10.40 0.0.0.0 UG 0 0 0 eth0
[root@chenxi ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth1
0.0.0.0 192.168.8.5 0.0.0.0 UG 0 0 0 eth1
拒绝192.168.10.17ping192.168.8.12
[root@chenxi ~]# iptables -A FORWARD -p icmp -s 192.168.10.17 -d 192.168.8.12 -j REJECT
[root@mail ~]# ping 192.168.8.12
PING 192.168.8.12 (192.168.8.12) 56(84) bytes of data.
From 192.168.10.40 icmp_seq=1 Destination Port Unreachable
From 192.168.10.40 icmp_seq=2 Destination Port Unreachable
From 192.168.10.40 icmp_seq=3 Destination Port Unreachable
^C
[root@chenxi ~]# ping -c 3 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data. --- 192.168.10.17 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12002ms
[root@mail ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:19:20.308225 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 1, length 64
18:19:20.308285 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 1, length 64
18:19:20.348839 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 40546 unreachable, length 92
18:19:21.308164 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 2, length 64
18:19:21.308222 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 2, length 64
18:19:21.308543 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 13920 unreachable, length 92
18:19:22.308205 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 3, length 64
18:19:22.308258 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 3, length 64
18:19:22.308781 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 6751 unreachable, length 92
SNAT源地址转换,内网访问外网;将192.168.8.12内部主机访问外网是,转换成192.168.10.40这个地址,路由后
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.12 -j SNAT --to-source 192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问外网时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.10.40
查看规则
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.40
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 192.168.10.0/24 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成由外网卡决定使用哪个IP地址,使用与拨号上网
[root@chenxi ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.8.0/24 -j MASQUERADE 替换第一条
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# ping 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data.
64 bytes from 192.168.10.17: icmp_seq=1 ttl=63 time=51.8 ms
64 bytes from 192.168.10.17: icmp_seq=2 ttl=63 time=1.03 ms
64 bytes from 192.168.10.17: icmp_seq=3 ttl=63 time=1.55 ms
DNAT 目标地址转换,外网访问内网;路由前,源地址为所有主机的IP访问本机的tcp22端口,都转发到192.168.8.12
[root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:22 to:192.168.8.12 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 3 packets, 212 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# ssh 192.168.10.40
The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established.
RSA key fingerprint is 3a:17:29:f8:f9:c5:a5:67:db:cd:c4:ab:5a:3d:c2:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts.
root@192.168.10.40's password:
Last login: Fri Mar 22 18:22:15 2019 from 192.168.8.1
[root@chenxi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ad:a3:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.8.12/24 brd 192.168.8.255 scope global eth1
inet6 fe80::20c:29ff:fead:a372/64 scope link
valid_lft forever preferred_lft forever
将源地址为192.168.10.17的地址访问本机22端口替将目标地址换成成192.168.8.12的22端口 -R替换规则
[root@chenxi ~]# iptables -t nat -R PREROUTING 1 -s 192.168.10.17/24 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
将源地址为所有主机的地址访问本机80端口替将目标地址换成成192.168.8.12的8080端口
[root@chenxi ~]# service httpd restart
停止 httpd: [确定]
正在启动 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[确定]
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::8080 :::*
users:(("httpd",2842,4),("httpd",2844,4),("httpd",2845,4),("httpd",2846,4),("httpd",2847,4),("httpd",2848,4),("httpd",2849,4),("httpd",2850,4),("httpd",2851,4))LISTEN 0 128 :::22 :::*
users:(("sshd",1266,4))LISTEN 0 128 *:22 *:*
users:(("sshd",1266,3))LISTEN 0 100 ::1:25 :::*
users:(("master",1345,13))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",1345,12))[root@chenxi ~]# echo chenxi > /var/www/html/index.html [root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.8.12:8080
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# curl 192.168.10.40
chenxi
端口转发将访问本机的90端口转发到,本机80端口上
[root@chenxi ~]# iptables -t nat -A PREROUTING -d 192.168.10.40 -p tcp --dport 90 -j REDIRECT --to-ports 80
[root@chenxi ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
DNAT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080
REDIRECT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:90 redir ports 80 Chain INPUT (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# echo "fhq" > /var/www/html/index.html
[root@chenxi ~]# service httpd start
Redirecting to /bin/systemctl start httpd.service
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
users:(("sshd",pid=1052,fd=3))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1146,fd=13))LISTEN 0 128 :::80 :::*
users:(("httpd",pid=3825,fd=4),("httpd",pid=3824,fd=4),("httpd",pid=3823,fd=4),("httpd",pid=3822,fd=4),("httpd",pid=3821,fd=4),("httpd",pid=3820,fd=4))LISTEN 0 128 :::22 :::*
users:(("sshd",pid=1052,fd=4))LISTEN 0 100 ::1:25 :::*
users:(("master",pid=1146,fd=14))
[root@chenxi ~]# setenforce 0
[root@mail ~]# curl 192.168.10.40:90
fhq
iptables 防火墙的更多相关文章
- CentOS系统配置 iptables防火墙
阿里云CentOS系统配置iptables防火墙 虽说阿里云推出了云盾服务,但是自己再加一层防火墙总归是更安全些,下面是我在阿里云vps上配置防火墙的过程,目前只配置INPUT.OUTPUT和FO ...
- 关闭SELinux和iptables防火墙
1.关闭SELinux: 编辑SELinux配置文件: [root@Redis selinux]# vim /etc/selinux/config 修改SELINUX配置项为disable SELIN ...
- CentOS 7.0,启用iptables防火墙
CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: systemctl stop firewalld.service #停止fir ...
- 编译内核实现iptables防火墙layer7应用层过滤 (三)
在前面的两篇文章中我们主要讲解了Linux防火墙iptables的原理及配置规则,想博友们也都知道iptables防火墙是工作在网络层,针对TCP/IP数据包实施过滤和限制,属于典型的包过滤防火墙.以 ...
- [CentOs7]iptables防火墙安装与设置
摘要 CentOS 7.0默认使用的是firewall作为防火墙,如果改为iptables防火墙,如何操作? 关闭firewall: systemctl stop firewalld.service ...
- iptables防火墙作为基本需求的配置
企业中使用iptables防火墙:(一般不要在命令中输入规则) # Firewall configuration written by system-config-firewall# Manual c ...
- [moka同学摘录]iptables防火墙规则的添加、删除、修改、保存
文章来源:http://www.splaybow.com/post/iptables-rule-add-delete-modify-save.html 本文介绍iptables这个Linux下最强大的 ...
- linux 的iptables防火墙
.a文件就是*.o文件的集合, 是object文件的归档文件, 所以, 用nm -A ???.a看到的 symbolic符合名称都是 相应的, 包含的 .o文件.... linux 2.4内核中 ...
- 使用iptables防火墙限制web的访问PV
使用iptables防火墙限制web的访问PV #!/bin/bash while true;do awk '{print $1}' /tmp/test/access.log| grep -v &qu ...
- Netfilter/iptables防火墙
http://os.51cto.com/art/201107/273443.htm [51CTO独家特稿]Linux系统管理员们都接触过Netfilter/iptables,这是Linux系统自带的免 ...
随机推荐
- Linux系统之文件传输的几种方式
Linux系统安装好以后以及能上网.能进行软件安装后,接下来可能就需要从其它机器复制一些文件或者把文件复制到其它机器,那么就涉及到文件的传输和共享,下面介绍一下常规的一些文件传输和共享方案. 1.传统 ...
- JAVA RTTI
基础类可接收我们发给派生类的任何消息,因为两者拥有完全一致的接口.我们要做的全部事情就是从派生上溯造型,而且永远不需要回过头来检查对象的准确类型是什么.所有细节都已通过多态性获得了完美的控制. 但经过 ...
- 廖雪峰python3练习题二
字符串和编码 题目: 答案: #!/usr/bin/env python3 #-*- coding:utf-8 -*- s1 = 72 s2 = 85 print('小明的成绩提高了%.1f%%个百分 ...
- vue-resourse 提交表单 使用formData
通过formData对象可以组装一组用XMLHttpRequest发送请求的键/值对.它可以更灵活方便的发送表单数据,因为可以独立于表单使用.如果把表单的编码类型设置为multipart/form-d ...
- 网络爬虫之requests模块的使用+Github自动登入认证
本篇博客将带领大家梳理爬虫中的requests模块,并结合Github的自动登入验证具体讲解requests模块的参数. 一.引入: 我们先来看如下的例子,初步体验下requests模块的使用: ...
- ASP.NET Core Web API + Angular 仿B站(一) 目的分析以及创建 WebAPI + Angular7 项目
前言: 本系列文章主要为对所学 Angular 框架的一次微小的实践,对 b站页面作简单的模仿. 本系列文章主要参考资料: 微软文档: https://docs.microsoft.com/zh-cn ...
- ACM-ICPC 中可能会使用到的库
sort(v.first(),v.end(),cmp())unique(v.first(),v.end(),cmp()) 第三个参数可以传入一个bool型,用来判断是不是相等,返回unique后的超尾 ...
- hdoj1596【spfa,松弛】
积压很久的一道...一看直接spfa水过..但是看那个safest怎么求得?松弛的时候取大. #include <bits/stdc++.h> using namespace std; t ...
- bzoj 4622: [NOI 2003] 智破连环阵【dfs+匈牙利算法】
一个炸弹炸一个区间的武器,想到二分图匹配 但是直接dfs断点显然不行,预处理出dis[i]为i到m的至多值来最优性剪枝,并且标记ok[i][j]为炸弹i可以炸到j武器,mx[i][j]为i炸弹从j武器 ...
- Centos6.8 搭建Lvs+Keepalived
Keepalived keepalived是一个类似于layer3, 4 & 7交换机制的软件,也就是我们平时说的第3层.第4层和第7层交换.Keepalived是自动完成,不需人工干涉. 简 ...