基于主机的防火墙
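# Remove the libvirt virtual NIC so it does not interfere with the rules below.
# The removal (and the reboot that follows it) only runs when the package is installed.
rpm -q libvirt-daemon &> /dev/null && yum remove libvirt-daemon -y && reboot
# Safety net for a production host: schedule a flush of all filter rules 10 minutes
# from now, so a rule that locks you out is undone automatically.
# The command text has to reach at(1) on stdin. Written as `iptables -F | at ...` the
# pipeline runs `iptables -F` right away (flushing the rules now) and at receives no
# command, so the "undo in 10 minutes" job is never created.
echo 'iptables -F' | at now + 10 minutes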
1、准备好环境
[root@Centos7 ~]# systemctl start httpd mariadb
[root@Centos7 ~]# mysql -e "grant all on *.* to test@'192.168.37.%' identified by 'centos'"
[root@Centos7 ~]# mysql -e "flush privileges;"
[root@Centos7 ~]# iptables -A INPUT -s 192.168.37.1,127.0.0.1 -j ACCEPT #允许37.1访问(防止自个连不上)
[root@Centos7 ~]# iptables -A INPUT -j REJECT #拒绝所有
[root@Centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 1844 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
2、开放本机端口
[root@Centos7 ~]# iptables -I INPUT -s 192.168.37.27 -p tcp --dport 80 -j ACCEPT
[root@Centos7 ~]# iptables -I INPUT -s 192.168.37.27 -p tcp --dport 3306 -j ACCEPT
[root@Centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:80
424 29341 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
#37.27上测试
[root@localhost ~]# curl 192.168.37.7
welcome
[root@localhost ~]# mysql -utest -pcentos -h192.168.37.7
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
3、禁协议
[root@Centos7 ~]# iptables -I INPUT 5 -s 192.168.37.17 -j ACCEPT
[root@Centos7 ~]# iptables -I INPUT 5 -s 192.168.37.17 -p tcp --syn -j REJECT #拒绝TCP握手
[root@Centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:80
424 29341 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 REJECT tcp -- * * 192.168.37.17 0.0.0.0/0 tcp flags:0x17/0x02 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 192.168.37.17 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
#37.17上测试
[root@Centos7 ~]# curl 192.168.37.7
curl: (7) Failed connect to 192.168.37.7:80; Connection refused
[root@Centos7 ~]# mysql -utest -pcentos -h192.168.37.7
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.37.7' (111)
#允许本机能ping通其他主机,不允许别的主机ping本机
[root@Centos7 ~]# iptables -D INPUT 5
[root@Centos7 ~]# iptables -D INPUT 5
[root@Centos7 ~]# iptables -I INPUT 5 -p icmp --icmp-type 0 -j ACCEPT #允许应答报文
[root@Centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 602 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:3306
6 396 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:80
767 52614 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
26 1920 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
#本机测试
[root@Centos7 ~]# ping -c3 192.168.37.17
PING 192.168.37.17 (192.168.37.17) 56(84) bytes of data.
64 bytes from 192.168.37.17: icmp_seq=1 ttl=64 time=0.409 ms
64 bytes from 192.168.37.17: icmp_seq=2 ttl=64 time=0.348 ms
64 bytes from 192.168.37.17: icmp_seq=3 ttl=64 time=0.328 ms
--- 192.168.37.17 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.328/0.361/0.409/0.040 ms
[root@Centos7 ~]# ping -c3 192.168.37.27
PING 192.168.37.27 (192.168.37.27) 56(84) bytes of data.
64 bytes from 192.168.37.27: icmp_seq=1 ttl=64 time=0.229 ms
64 bytes from 192.168.37.27: icmp_seq=2 ttl=64 time=0.251 ms
64 bytes from 192.168.37.27: icmp_seq=3 ttl=64 time=0.248 ms
--- 192.168.37.27 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.229/0.242/0.251/0.020 ms
#其他机器测试
[root@Centos7 ~]# ping -c3 192.168.37.7
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
From 192.168.37.7 icmp_seq=1 Destination Port Unreachable
From 192.168.37.7 icmp_seq=2 Destination Port Unreachable
From 192.168.37.7 icmp_seq=3 Destination Port Unreachable
--- 192.168.37.7 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms
4、模块
#multiport模块
[root@Centos7 ~]# yum install samba -y
[root@Centos7 ~]# systemctl start smb
[root@Centos7 ~]# useradd -s /sbin/nologin smb1; smbpasswd -a smb1
[root@Centos7 ~]# iptables -D INPUT 5
[root@Centos7 ~]# iptables -I INPUT 5 -p tcp -m multiport --dports 139,445 -j ACCEPT #不连续端口使用模块multiport
[root@Centos7 ~]# iptables -I INPUT 5 -p udp --dport 137:138 -j ACCEPT #连续端口
[root@Centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 1204 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:3306
12 792 ACCEPT tcp -- * * 192.168.37.27 0.0.0.0/0 tcp dpt:80
1476 102K ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 139,445
32 2424 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
#客户端测试
[root@localhost ~]# smbclient -L 192.168.37.7 -U smb1%centos
Sharename Type Comment
--------- ---- -------
smb1 Disk smbuser1_share
IPC$ IPC IPC Service (Samba 4.8.3)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
CENTOS7 Samba 4.8.3
Workgroup Master
--------- -------
SAMBA CENTOS7
WORKGROUP LJC
#mac模块
[root@Centos7 ~]# iptables -D INPUT 5;iptables -D INPUT 5;iptables -D INPUT 5;
[root@Centos7 ~]# iptables -I INPUT 5 -m mac --mac 00:0C:29:4D:01:E3 -j REJECT #拒绝此MAC连接
#string模块
[root@Centos7 ~]# iptables -D INPUT 5;
[root@Centos7 ~]# iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string "google" -j REJECT #禁止访问带有google的网页
#time模块定时上网
[root@Centos7 ~]# iptables -F OUTPUT
#centos使用UTC时间,北京时间-8
[root@Centos7 ~]# iptables -I INPUT 5 -m time --timestart 1:00 --timestop 10:00 -j ACCEPT #早上9点到晚上18点允许上网
#并发限制
[root@Centos7 ~]# iptables -D INPUT 5;
[root@Centos7 ~]# iptables -R INPUT 5 -d 192.168.37.27 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT #仅允许37.27建立2个ssh连接,原有的全拒绝规则与它冲突
#state模块
[root@Centos7 ~]# iptables -D INPUT 5;
[root@Centos7 ~]# iptables -I INPUT 5 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT #正在连接的不受影响
#并发数
[root@Centos7 ~]# cat /proc/sys/net/nf_conntrack_max
65536
[root@Centos7 ~]# sysctl -w net.nf_conntrack_max=666666 #修改并发数
#ftp跟踪模块
[root@Centos7 ~]# yum install vsftpd -y
[root@Centos7 ~]# systemctl start vsftpd
[root@Centos7 ~]# iptables -D INPUT 5
[root@Centos7 ~]# iptables -I INPUT 5 -p tcp --dport 21 -j ACCEPT
[root@Centos7 ~]# modprobe nf_conntrack_ftp #被动模式需要加载跟踪模块
[root@Centos7 ~]# iptables -I INPUT 5 -m state --state ESTABLISHED,RELATED -j ACCEPT
#记录日志
[root@Centos7 ~]# iptables -I INPUT 3 -s 192.168.37.6 -j LOG --log-prefix "from 37.6 access:"
[root@Centos7 ~]# tail /var/log/messages
#规则保存
[root@Centos7 ~]# iptables-save > iptables_rule.save
#规则还原
[root@Centos7 ~]# iptables-restore < iptables_rule.save
基于网络防火墙
#环境,3台机器 A(内网主机):192.168.37.6 B(firewall):192.168.37.7,172.16.0.7 C(外网主机):172.16.0.17
#假设:A与B是内网(NAT模式),B与C是外网(vmnet4)
#内网
[root@centos6 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
NAME="eth0"
IPADDR=192.168.37.6
PREFIX=24
GATEWAY=192.168.37.7
[root@centos6 ~]$ service network restart
[root@Centos6 ~]# yum install httpd mod_ssl
[root@centos6 ~]$ echo centos6 > /var/www/html/index.html
[root@centos6 ~]$ service httpd start
#firewall
[root@firewall ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@firewall ~]# sysctl -p
1、第一种添加方法:
[root@firewall ~]# iptables -A FORWARD -j REJECT #禁止转发
[root@firewall ~]# iptables -I FORWARD -s 192.168.37.0/24 -p icmp --icmp-type 8 -j ACCEPT #转发此网段请求报文
[root@firewall ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #已建立连接的放行
[root@firewall ~]# iptables -I FORWARD 3 -s 192.168.37.0/24 -p tcp -m multiport --dport 80,443 -j ACCEPT #允许访问外网80,443
[root@firewall ~]# iptables -I FORWARD 4 -d 192.168.37.6 -p tcp -m multiport --dport 80,443 -j ACCEPT
#内网端口映射
[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 221 packets, 16400 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
88 16511 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 1008 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
17 1020 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
161 11508 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 231 packets, 19225 bytes)
pkts bytes target prot opt in out source destination
Chain TO_INTERNET (0 references)
pkts bytes target prot opt in out source destination
2、第二种添加方法:
[root@firewall ~]# iptables -F
[root@firewall ~]# iptables -N TO_INTERNET
[root@firewall ~]# iptables -N TO_LAN
[root@firewall ~]# iptables -A FORWARD -j TO_LAN
[root@firewall ~]# iptables -A FORWARD -j TO_INTERNET
[root@firewall ~]# iptables -A FORWARD -j REJECT
[root@firewall ~]# iptables -I TO_INTERNET -s 192.168.37.0/24 -p icmp --icmp-type 8 -j ACCEPT
[root@firewall ~]# iptables -I TO_INTERNET 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@firewall ~]# iptables -I TO_INTERNET 2 -s 192.168.37.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
[root@firewall ~]# iptables -I TO_LAN -d 192.168.37.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 20 packets, 1196 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TO_LAN all -- * * 0.0.0.0/0 0.0.0.0/0
23 3785 TO_INTERNET all -- * * 0.0.0.0/0 0.0.0.0/0
1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 12 packets, 952 bytes)
pkts bytes target prot opt in out source destination
Chain TO_INTERNET (1 references)
pkts bytes target prot opt in out source destination
20 3581 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
1 84 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
Chain TO_LAN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.0/24 multiport dports 80,443
#外网
[root@Centos7 ~]# nmcli connection modify eth0 ipv4.addresses 172.16.0.17/24 ipv4.gateway 172.16.0.7 ipv4.method manual
[root@Centos7 ~]# nmcli connection down eth0 ; nmcli connection up eth0
[root@Centos7 ~]# yum install httpd mod_ssl
[root@Centos7 ~]# echo centos7 > /var/www/html/index.html
[root@Centos7 ~]# systemctl start httpd
#测试
[root@centos6 ~]$ ping -c3 172.16.0.17
PING 172.16.0.17 (172.16.0.17) 56(84) bytes of data.
64 bytes from 172.16.0.17: icmp_seq=1 ttl=63 time=0.642 ms
64 bytes from 172.16.0.17: icmp_seq=2 ttl=63 time=0.527 ms
64 bytes from 172.16.0.17: icmp_seq=3 ttl=63 time=0.475 ms
--- 172.16.0.17 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.475/0.548/0.642/0.069 ms
[root@centos6 ~]$ curl 172.16.0.17
centos7
[root@centos6 ~]$ curl -kL https://172.16.0.17
centos7
[root@Centos7 ~]# curl 192.168.37.6
centos6
[root@Centos7 ~]# curl -kL https://192.168.37.6
centos6
SNAT
#环境跟上面一样
[root@firewall ~]# iptables -F
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 192.168.37.0/24 -j SNAT --to-source 172.16.0.7 #静态IP
[root@firewall ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.37.0/24 -j MASQUERADE #动态IP
#测试
[root@centos6 ~]$ curl -kL https://172.16.0.17
centos7
[root@centos6 ~]$ curl http://172.16.0.17
centos7
DNAT
#相当于端口映射
[root@firewall ~]# iptables -t nat -A PREROUTING -d 172.16.0.7 -p tcp --dport 8080 -j DNAT --to-destination 192.168.37.6:80
[root@firewall ~]# iptables -t nat -A PREROUTING -d 172.16.0.7 -p tcp --dport 9527 -j DNAT --to-destination 192.168.37.6:443
#测试
[root@Centos7 ~]# curl http://172.16.0.7:8080
centos6
[root@Centos7 ~]# curl -kL https://172.16.0.7:9527
centos6
REDIRECT(转发)
[root@centos6 ~]$ iptables -t nat -A PREROUTING -d 192.168.37.6 -p tcp --dport 80 -j REDIRECT --to-port 8080 #本机转发
#远程主机访问
[root@Centos7 ~]# curl http://172.16.0.7:8080
centos6
1 实现主机防火墙
放行telnet, ftp, web服务
放行samba服务
放行dns服务(查询和区域传送)
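# Host firewall: services exposed to the single client 192.168.37.17 only.
# samba name/datagram service (udp 137/138) and dns queries (udp 53)
iptables -A INPUT -s 192.168.37.17 -p udp -m multiport --dports 137,138,53 -j ACCEPT
# ftp control (21), telnet (23), web (80), samba (139/445), dns zone transfer (tcp 53)
iptables -A INPUT -s 192.168.37.17 -p tcp -m multiport --dports 21,23,80,139,445,53 -j ACCEPT
# ftp connection-tracking helper: without it the passive-mode data connection is not
# classified RELATED and is dropped by the final REJECT
modprobe nf_conntrack_ftp
iptables -A INPUT -s 192.168.37.17 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default deny. The original line omitted the chain name (`iptables -A -j REJECT` is
# not a valid invocation), so no deny rule was installed and the chain's ACCEPT policy
# stayed in effect - nothing was actually blocked.
# NOTE: as in the earlier example, add an ACCEPT for the admin address / 127.0.0.1
# before this line to avoid locking yourself out.
iptables -A INPUT -j REJECT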
2 实现网络防火墙
放行telnet, ftp, web服务
放行samba服务
放行dns服务(查询和区域传送)
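# Network (forwarding) firewall for the 192.168.37.0/24 LAN. A network firewall filters
# traffic passing THROUGH this host, so the rules belong in the FORWARD chain (INPUT only
# governs traffic addressed to the firewall itself, so the original INPUT rules would not
# have filtered anything the LAN sends out) and IP forwarding must be enabled.
sysctl -w net.ipv4.ip_forward=1   # runtime only; persist it in /etc/sysctl.conf
# ftp connection-tracking helper so passive-mode data connections are tracked as RELATED
modprobe nf_conntrack_ftp
# Let reply/related traffic through first. Replies arrive from the external side, so this
# rule must NOT be restricted to -s 192.168.37.0/24: every other rule below also requires
# a LAN source, so a source-restricted state rule would send all replies to the final REJECT.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# samba name/datagram service (udp 137/138) and dns queries (udp 53)
iptables -A FORWARD -s 192.168.37.0/24 -p udp -m multiport --dports 137,138,53 -j ACCEPT
# ftp control (21), telnet (23), web (80), samba (139/445), dns zone transfer (tcp 53)
iptables -A FORWARD -s 192.168.37.0/24 -p tcp -m multiport --dports 21,23,80,139,445,53 -j ACCEPT
# Default deny. The original line lacked the chain name (`iptables -A -j REJECT` is not a
# valid invocation), so no deny rule was installed and the chain's ACCEPT policy remained.
iptables -A FORWARD -j REJECT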