iptables 防火墙
运行源地址为192.168.10.10-192.168.10.50 这个网段的机器访问本机的20-25还有80、443、6379端口进来的流量
iptables -A INPUT -p tcp -m iprange --src-range 192.168.10.10-192.168.10.50 -m multiport --dports 20:25,80.443,6379 -j ACCEPT
开放出去的端口
iptables -A OUTPUT -p tcp -m iprange --dst-range 192.168.10.10-192.168.10.50 -m multiport --ports 20:25,80,443,6379 -j ACCEPT
保存防火墙规则与读入防火墙规则
root@chenxi ~]# iptables-save > /etc/iptables-test
[root@chenxi ~]# iptables-restore < /etc/iptables-test
[root@chenxi ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.10.1
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.10.10-192.168.10.50 multiport ports 20:25,80,443,6379
| 192.168.10.17 | 外主机 |
| 192.168.10.40 | 防火墙 |
| 192.168.8.5 | 防火墙 |
| 192.168.8.12 | 内主机 |
防火墙打开转发功能
[root@chenxi ~]# vi /etc/sysctl.conf # sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@chenxi ~]# sysctl -p
net.ipv4.ip_forward = 1
机器网关
[root@mail ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.10.40 0.0.0.0 UG 0 0 0 eth0
[root@chenxi ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth1
0.0.0.0 192.168.8.5 0.0.0.0 UG 0 0 0 eth1
拒绝192.168.10.17ping192.168.8.12
[root@chenxi ~]# iptables -A FORWARD -p icmp -s 192.168.10.17 -d 192.168.8.12 -j REJECT
[root@mail ~]# ping 192.168.8.12
PING 192.168.8.12 (192.168.8.12) 56(84) bytes of data.
From 192.168.10.40 icmp_seq=1 Destination Port Unreachable
From 192.168.10.40 icmp_seq=2 Destination Port Unreachable
From 192.168.10.40 icmp_seq=3 Destination Port Unreachable
^C
[root@chenxi ~]# ping -c 3 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data. --- 192.168.10.17 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12002ms
[root@mail ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:19:20.308225 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 1, length 64
18:19:20.308285 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 1, length 64
18:19:20.348839 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 40546 unreachable, length 92
18:19:21.308164 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 2, length 64
18:19:21.308222 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 2, length 64
18:19:21.308543 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 13920 unreachable, length 92
18:19:22.308205 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 3, length 64
18:19:22.308258 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 3, length 64
18:19:22.308781 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 6751 unreachable, length 92
SNAT源地址转换,内网访问外网;将192.168.8.12内部主机访问外网是,转换成192.168.10.40这个地址,路由后
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.12 -j SNAT --to-source 192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问外网时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.10.40
查看规则
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.40
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 192.168.10.0/24 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成由外网卡决定使用哪个IP地址,使用与拨号上网
[root@chenxi ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.8.0/24 -j MASQUERADE 替换第一条
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# ping 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data.
64 bytes from 192.168.10.17: icmp_seq=1 ttl=63 time=51.8 ms
64 bytes from 192.168.10.17: icmp_seq=2 ttl=63 time=1.03 ms
64 bytes from 192.168.10.17: icmp_seq=3 ttl=63 time=1.55 ms
DNAT 目标地址转换,外网访问内网;路由前,源地址为所有主机的IP访问本机的tcp22端口,都转发到192.168.8.12
[root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:22 to:192.168.8.12 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 3 packets, 212 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# ssh 192.168.10.40
The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established.
RSA key fingerprint is 3a:17:29:f8:f9:c5:a5:67:db:cd:c4:ab:5a:3d:c2:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts.
root@192.168.10.40's password:
Last login: Fri Mar 22 18:22:15 2019 from 192.168.8.1
[root@chenxi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ad:a3:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.8.12/24 brd 192.168.8.255 scope global eth1
inet6 fe80::20c:29ff:fead:a372/64 scope link
valid_lft forever preferred_lft forever
将源地址为192.168.10.17的地址访问本机22端口替将目标地址换成成192.168.8.12的22端口 -R替换规则
[root@chenxi ~]# iptables -t nat -R PREROUTING 1 -s 192.168.10.17/24 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
将源地址为所有主机的地址访问本机80端口替将目标地址换成成192.168.8.12的8080端口
[root@chenxi ~]# service httpd restart
停止 httpd: [确定]
正在启动 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[确定]
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::8080 :::*
users:(("httpd",2842,4),("httpd",2844,4),("httpd",2845,4),("httpd",2846,4),("httpd",2847,4),("httpd",2848,4),("httpd",2849,4),("httpd",2850,4),("httpd",2851,4))LISTEN 0 128 :::22 :::*
users:(("sshd",1266,4))LISTEN 0 128 *:22 *:*
users:(("sshd",1266,3))LISTEN 0 100 ::1:25 :::*
users:(("master",1345,13))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",1345,12))[root@chenxi ~]# echo chenxi > /var/www/html/index.html [root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.8.12:8080
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# curl 192.168.10.40
chenxi
端口转发将访问本机的90端口转发到,本机80端口上
[root@chenxi ~]# iptables -t nat -A PREROUTING -d 192.168.10.40 -p tcp --dport 90 -j REDIRECT --to-ports 80
[root@chenxi ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
DNAT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080
REDIRECT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:90 redir ports 80 Chain INPUT (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# echo "fhq" > /var/www/html/index.html
[root@chenxi ~]# service httpd start
Redirecting to /bin/systemctl start httpd.service
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
users:(("sshd",pid=1052,fd=3))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1146,fd=13))LISTEN 0 128 :::80 :::*
users:(("httpd",pid=3825,fd=4),("httpd",pid=3824,fd=4),("httpd",pid=3823,fd=4),("httpd",pid=3822,fd=4),("httpd",pid=3821,fd=4),("httpd",pid=3820,fd=4))LISTEN 0 128 :::22 :::*
users:(("sshd",pid=1052,fd=4))LISTEN 0 100 ::1:25 :::*
users:(("master",pid=1146,fd=14))
[root@chenxi ~]# setenforce 0
[root@mail ~]# curl 192.168.10.40:90
fhq
iptables 防火墙的更多相关文章
- CentOS系统配置 iptables防火墙
阿里云CentOS系统配置iptables防火墙 虽说阿里云推出了云盾服务,但是自己再加一层防火墙总归是更安全些,下面是我在阿里云vps上配置防火墙的过程,目前只配置INPUT.OUTPUT和FO ...
- 关闭SELinux和iptables防火墙
1.关闭SELinux: 编辑SELinux配置文件: [root@Redis selinux]# vim /etc/selinux/config 修改SELINUX配置项为disable SELIN ...
- CentOS 7.0,启用iptables防火墙
CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: systemctl stop firewalld.service #停止fir ...
- 编译内核实现iptables防火墙layer7应用层过滤 (三)
在前面的两篇文章中我们主要讲解了Linux防火墙iptables的原理及配置规则,想博友们也都知道iptables防火墙是工作在网络层,针对TCP/IP数据包实施过滤和限制,属于典型的包过滤防火墙.以 ...
- [CentOs7]iptables防火墙安装与设置
摘要 CentOS 7.0默认使用的是firewall作为防火墙,如果改为iptables防火墙,如何操作? 关闭firewall: systemctl stop firewalld.service ...
- iptables防火墙作为基本需求的配置
企业中使用iptables防火墙:(一般不要在命令中输入规则) # Firewall configuration written by system-config-firewall# Manual c ...
- [moka同学摘录]iptables防火墙规则的添加、删除、修改、保存
文章来源:http://www.splaybow.com/post/iptables-rule-add-delete-modify-save.html 本文介绍iptables这个Linux下最强大的 ...
- linux 的iptables防火墙
.a文件就是*.o文件的集合, 是object文件的归档文件, 所以, 用nm -A ???.a看到的 symbolic符合名称都是 相应的, 包含的 .o文件.... linux 2.4内核中 ...
- 使用iptables防火墙限制web的访问PV
使用iptables防火墙限制web的访问PV #!/bin/bash while true;do awk '{print $1}' /tmp/test/access.log| grep -v &qu ...
- Netfilter/iptables防火墙
http://os.51cto.com/art/201107/273443.htm [51CTO独家特稿]Linux系统管理员们都接触过Netfilter/iptables,这是Linux系统自带的免 ...
随机推荐
- ul下的li浮动,如何是ul有li的高度
此时ul展示的界面为: ①给ul加上一个样式,display:inline-block; <html> <head> <title>float</title& ...
- 仿照 QQ 的 cell 的左滑删除、置顶、标记未读效果
侧滑删除.置顶.取消关注,在iOS8之前需要我们自定义,iOS8时苹果公司推出了新的API,UITableViewRowAction类,我们可以使用该类方便的制作出如下图的效果. 下面是实现的主要代码 ...
- Epoll简介以及例子
第一部分:Epoll简介 问题 : Select,Poll和Epoll的区别 答案 : Epoll和Select的区别 1. 遍历方式的区别.select判断是否有事件发生是遍历的,而epoll是事 ...
- jqGrid 编辑完数据后能返回到当前位置的方法
jqGrid 是一个js的jquery组件,虽然不轻便,但功能还是蛮强大的,也比较方便使用.在数据加载后,经常需要对其中的记录进行编辑,修改完后再返回时需要看到修改后的数据,一般采取重新加载的方法re ...
- Ant Design Vue项目解析-前言
源码系列文章很长时间没有更新,一是在考虑文章用什么方式写质量会更高,用什么方式总结更易于扩展和总结知识点,加上工作.看书.健身占用的时间比较多所以也没时间去整理.最近在网上看到一篇文章感觉这种方式不错 ...
- python 元类 type metaclass
python中一切皆对象,类对象创建实例对象,元类创建类对象,元类创建元类. 元类创建类对象有2中方式: 一.type方法 type(类名, 由父类名称组成的元组(针对继承的情况,可以为空),包含属性 ...
- bzoj 3365: [Usaco2004 Feb]Distance Statistics 路程统计【容斥原理+点分治】
统计在一个root下的两个子树,每个子树都和前面的运算一下再加进去对于这种需要排序的运算很麻烦,所以考虑先不去同子树内点对的算出合法点对个数,然后减去每一棵子树内的合法点对(它们实际上是不合法的,相当 ...
- AspectCore的AOP操作
AOP实现缓存的一个例子 using AspectCore.DynamicProxy; using Microsoft.Extensions.Caching.Memory; [AttributeUsa ...
- 用CSS绘制三角形
其实用HTML CSS绘制三角行 是非常简单的 ,我在网上看了不少人写的博客,里面写的好复杂样子,反正我是看的云里雾里的,说实话是挺简单的. 首先提出一段代码: <!DOCTYPE html&g ...
- 2-zakoo使用
source:http://kazoo.readthedocs.io/en/latest/basic_usage.html 1 基本使用 1.1 连接处理 要使用zakoo,需要创建一个KazooCl ...