iptables 防火墙
运行源地址为192.168.10.10-192.168.10.50 这个网段的机器访问本机的20-25还有80、443、6379端口进来的流量
iptables -A INPUT -p tcp -m iprange --src-range 192.168.10.10-192.168.10.50 -m multiport --dports 20:25,80.443,6379 -j ACCEPT
开放出去的端口
iptables -A OUTPUT -p tcp -m iprange --dst-range 192.168.10.10-192.168.10.50 -m multiport --ports 20:25,80,443,6379 -j ACCEPT
保存防火墙规则与读入防火墙规则
root@chenxi ~]# iptables-save > /etc/iptables-test
[root@chenxi ~]# iptables-restore < /etc/iptables-test
[root@chenxi ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.10.1
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.10.10-192.168.10.50 multiport ports 20:25,80,443,6379
| 192.168.10.17 | 外主机 |
| 192.168.10.40 | 防火墙 |
| 192.168.8.5 | 防火墙 |
| 192.168.8.12 | 内主机 |
防火墙打开转发功能
[root@chenxi ~]# vi /etc/sysctl.conf # sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@chenxi ~]# sysctl -p
net.ipv4.ip_forward = 1
机器网关
[root@mail ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.10.40 0.0.0.0 UG 0 0 0 eth0
[root@chenxi ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth1
0.0.0.0 192.168.8.5 0.0.0.0 UG 0 0 0 eth1
拒绝192.168.10.17ping192.168.8.12
[root@chenxi ~]# iptables -A FORWARD -p icmp -s 192.168.10.17 -d 192.168.8.12 -j REJECT
[root@mail ~]# ping 192.168.8.12
PING 192.168.8.12 (192.168.8.12) 56(84) bytes of data.
From 192.168.10.40 icmp_seq=1 Destination Port Unreachable
From 192.168.10.40 icmp_seq=2 Destination Port Unreachable
From 192.168.10.40 icmp_seq=3 Destination Port Unreachable
^C
[root@chenxi ~]# ping -c 3 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data. --- 192.168.10.17 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12002ms
[root@mail ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:19:20.308225 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 1, length 64
18:19:20.308285 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 1, length 64
18:19:20.348839 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 40546 unreachable, length 92
18:19:21.308164 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 2, length 64
18:19:21.308222 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 2, length 64
18:19:21.308543 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 13920 unreachable, length 92
18:19:22.308205 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 3, length 64
18:19:22.308258 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 3, length 64
18:19:22.308781 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 6751 unreachable, length 92
SNAT源地址转换,内网访问外网;将192.168.8.12内部主机访问外网是,转换成192.168.10.40这个地址,路由后
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.12 -j SNAT --to-source 192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问外网时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.10.40
查看规则
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 6 packets, 770 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成192.168.10.40这个地址
[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.40
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 124 SNAT all -- * * 192.168.8.12 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 0.0.0.0/0 to:192.168.10.40
0 0 SNAT all -- * * 192.168.8.0/24 192.168.10.0/24 to:192.168.10.40
SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成由外网卡决定使用哪个IP地址,使用与拨号上网
[root@chenxi ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.8.0/24 -j MASQUERADE 替换第一条
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# ping 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data.
64 bytes from 192.168.10.17: icmp_seq=1 ttl=63 time=51.8 ms
64 bytes from 192.168.10.17: icmp_seq=2 ttl=63 time=1.03 ms
64 bytes from 192.168.10.17: icmp_seq=3 ttl=63 time=1.55 ms
DNAT 目标地址转换,外网访问内网;路由前,源地址为所有主机的IP访问本机的tcp22端口,都转发到192.168.8.12
[root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:22 to:192.168.8.12 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 3 packets, 212 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# ssh 192.168.10.40
The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established.
RSA key fingerprint is 3a:17:29:f8:f9:c5:a5:67:db:cd:c4:ab:5a:3d:c2:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts.
root@192.168.10.40's password:
Last login: Fri Mar 22 18:22:15 2019 from 192.168.8.1
[root@chenxi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ad:a3:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.8.12/24 brd 192.168.8.255 scope global eth1
inet6 fe80::20c:29ff:fead:a372/64 scope link
valid_lft forever preferred_lft forever
将源地址为192.168.10.17的地址访问本机22端口替将目标地址换成成192.168.8.12的22端口 -R替换规则
[root@chenxi ~]# iptables -t nat -R PREROUTING 1 -s 192.168.10.17/24 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
将源地址为所有主机的地址访问本机80端口替将目标地址换成成192.168.8.12的8080端口
[root@chenxi ~]# service httpd restart
停止 httpd: [确定]
正在启动 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[确定]
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::8080 :::*
users:(("httpd",2842,4),("httpd",2844,4),("httpd",2845,4),("httpd",2846,4),("httpd",2847,4),("httpd",2848,4),("httpd",2849,4),("httpd",2850,4),("httpd",2851,4))LISTEN 0 128 :::22 :::*
users:(("sshd",1266,4))LISTEN 0 128 *:22 *:*
users:(("sshd",1266,3))LISTEN 0 100 ::1:25 :::*
users:(("master",1345,13))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",1345,12))[root@chenxi ~]# echo chenxi > /var/www/html/index.html [root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.8.12:8080
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080 Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
2 156 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
[root@mail ~]# curl 192.168.10.40
chenxi
端口转发将访问本机的90端口转发到,本机80端口上
[root@chenxi ~]# iptables -t nat -A PREROUTING -d 192.168.10.40 -p tcp --dport 90 -j REDIRECT --to-ports 80
[root@chenxi ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 192.168.10.0/24 192.168.10.40 tcp dpt:22 to:192.168.8.12
DNAT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:80 to:192.168.8.12:8080
REDIRECT tcp -- 0.0.0.0/0 192.168.10.40 tcp dpt:90 redir ports 80 Chain INPUT (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.8.0/24 0.0.0.0/0
[root@chenxi ~]# echo "fhq" > /var/www/html/index.html
[root@chenxi ~]# service httpd start
Redirecting to /bin/systemctl start httpd.service
[root@chenxi ~]# ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
users:(("sshd",pid=1052,fd=3))LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1146,fd=13))LISTEN 0 128 :::80 :::*
users:(("httpd",pid=3825,fd=4),("httpd",pid=3824,fd=4),("httpd",pid=3823,fd=4),("httpd",pid=3822,fd=4),("httpd",pid=3821,fd=4),("httpd",pid=3820,fd=4))LISTEN 0 128 :::22 :::*
users:(("sshd",pid=1052,fd=4))LISTEN 0 100 ::1:25 :::*
users:(("master",pid=1146,fd=14))
[root@chenxi ~]# setenforce 0
[root@mail ~]# curl 192.168.10.40:90
fhq
iptables 防火墙的更多相关文章
- CentOS系统配置 iptables防火墙
阿里云CentOS系统配置iptables防火墙 虽说阿里云推出了云盾服务,但是自己再加一层防火墙总归是更安全些,下面是我在阿里云vps上配置防火墙的过程,目前只配置INPUT.OUTPUT和FO ...
- 关闭SELinux和iptables防火墙
1.关闭SELinux: 编辑SELinux配置文件: [root@Redis selinux]# vim /etc/selinux/config 修改SELINUX配置项为disable SELIN ...
- CentOS 7.0,启用iptables防火墙
CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: systemctl stop firewalld.service #停止fir ...
- 编译内核实现iptables防火墙layer7应用层过滤 (三)
在前面的两篇文章中我们主要讲解了Linux防火墙iptables的原理及配置规则,想博友们也都知道iptables防火墙是工作在网络层,针对TCP/IP数据包实施过滤和限制,属于典型的包过滤防火墙.以 ...
- [CentOs7]iptables防火墙安装与设置
摘要 CentOS 7.0默认使用的是firewall作为防火墙,如果改为iptables防火墙,如何操作? 关闭firewall: systemctl stop firewalld.service ...
- iptables防火墙作为基本需求的配置
企业中使用iptables防火墙:(一般不要在命令中输入规则) # Firewall configuration written by system-config-firewall# Manual c ...
- [moka同学摘录]iptables防火墙规则的添加、删除、修改、保存
文章来源:http://www.splaybow.com/post/iptables-rule-add-delete-modify-save.html 本文介绍iptables这个Linux下最强大的 ...
- linux 的iptables防火墙
.a文件就是*.o文件的集合, 是object文件的归档文件, 所以, 用nm -A ???.a看到的 symbolic符合名称都是 相应的, 包含的 .o文件.... linux 2.4内核中 ...
- 使用iptables防火墙限制web的访问PV
使用iptables防火墙限制web的访问PV #!/bin/bash while true;do awk '{print $1}' /tmp/test/access.log| grep -v &qu ...
- Netfilter/iptables防火墙
http://os.51cto.com/art/201107/273443.htm [51CTO独家特稿]Linux系统管理员们都接触过Netfilter/iptables,这是Linux系统自带的免 ...
随机推荐
- PYTHON路线图
路线图: 第一部分:Python语言基础 第二部分:数据库开发 第三部分:web前端 第四部分:Python web开发 第五部分:Python web项目 第六部分:Linux 第七部分:NoSQL ...
- 重新安装VMware10提示"The Msi '' Failed"问题解决方案
想把虚拟机软件升级以下,没想到卸载的时候不干净,再安装的时候总提示让我先卸载旧版本但实际上旧版本已经卸载过了,这里又没法再卸载一次,所以就提示”The MSI '' failed“ 显然,安装程序还是 ...
- 【WIP】swift3的timer的用法
创建: 2017/10/14 更新: 2017/10/14 标题加上[WIP],补充创建时间 回家再写
- (2)javascript的基本语法、数据结构、变量
本篇学习资料主要讲解javascript的基本语法.数据结构.变量 无论是传统的编程语言,还是脚本语言,都具有数据类型.常量和变量.运算符.表达式.注释语句.流程控制语句等基本元素构成,这些 ...
- YCOJ黑熊过河
Description 有一只黑熊想过河,但河很宽,黑熊不会游泳,只能借助河面上的石墩跳过去,他可以一次跳一墩,也可以一次跳两墩,但是每起跳一次都会耗费一定的能量,黑熊最终可能因能量不够而掉入水中,所 ...
- 怎么让普通用户达到root用户也可以拥有权限修改文件(CentOS系统)
为什么会提出这个问题呢? 答:因为啊,比如我们在大数据集群搭建的时候,经常会需要配置环境变量,如/etc/profile.那么,问题来了,每次必须得都切换到root用户才能,但是呢,如何可以在普通用户 ...
- 最短路之Dijkstra(迪杰斯特拉)
一般用法: Dijkstra(迪杰斯特拉)算法是典型的单源最短路径算法,用于计算一个节点到其他所有节点的最短路径.主要特点是以起始点为中心向外层层扩展,直到扩展到终点为止.Dijkstra算法是很有代 ...
- sql server 获取数据字段(表的字段和类型信息)
获取数据字段(表的字段和类型信息) SELECT 表名= then d.name else '' end, 表说明= then isnull(f.value,'') else '' end, 字段序号 ...
- 用python编写的excel拆分小工具
from datetime import date,datetime from openpyxl import Workbook from openpyxl import load_workbook ...
- getAttribute()方法的第二个参数
对于一个img元素,我们想获取它的src属性时可以有两种方式: 1.xxx.getAttribute("src") 2.直接通过xxx.src获取属性值 在src的属性值为相对路径 ...