I. The firewall's filter table
1. Allowing or denying ping
1.1 Add a firewall rule:
[root@m01 ~]# iptables -I INPUT -p icmp --icmp-type any -j DROP
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
1.2 Test with ping:
[root@m01 ~]# ping 172.16.1.61
PING 172.16.1.61 (172.16.1.61) 56(84) bytes of data.
--- 172.16.1.61 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
[root@m01 ~]# ping 10.0.0.61
PING 10.0.0.61 (10.0.0.61) 56(84) bytes of data.
--- 10.0.0.61 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[root@m01 ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
> Neither the NIC addresses nor the loopback address 127.0.0.1 can be pinged any more, because the rule matches every ICMP type on every interface.
2. Matching connection state (TCP/IP connection-tracking state):
NEW: a packet that starts a new connection
ESTABLISHED: a packet belonging to an already established connection
RELATED: a new connection that is related to an existing one (for example an FTP data connection)
INVALID: a packet that is malformed or cannot be associated with any known connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
3. Rate-limit matching (limiting bursts and request frequency)
-m limit
-m limit --limit n/{second|minute|hour}:
Meaning: the average rate allowed within the given period; n is the rate and the unit is seconds, minutes or hours
--limit-burst [n]
Meaning: the number of packets allowed through in a burst before the average rate applies; n is a number, default 5
iptables -I INPUT -s 10.0.1.0/24 -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
Allow hosts in 10.0.1.0/24 to ping the firewall, but only at an average rate of 6 echo requests per minute, with a burst of at most 5 packets allowed through at once.
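What --limit and --limit-burst actually do is easier to see with a small token-bucket model than from the rule alone. The script below is an added example, not part of the original notes: it simulates the 6/min, burst 5 rule against a constructed list of packet arrival times. The refill granularity (one token per whole 60/rate seconds) is a simplifying assumption; the kernel's xt_limit module keeps its credit in jiffies, but the accept/drop pattern is the same.

```shell
#!/bin/sh
# Added example (not from the original notes): a token-bucket model of
#   -m limit --limit 6/min --limit-burst 5
# so the effect of --limit and --limit-burst can be seen without a kernel.
# Simplification (assumption): one token is refilled every (60 / rate) whole
# seconds; the real xt_limit module accounts in jiffies.
#
# limit_simulate <rate_per_min> <burst> <arrival_time_s>...
# Prints one verdict (ACCEPT or DROP) per packet, in arrival order.
limit_simulate() {
    rate=$1; burst=$2; shift 2
    interval=$((60 / rate))   # seconds per refilled token
    tokens=$burst             # the bucket starts full: that is what "burst" means
    last=0                    # time up to which refills have been credited
    out=""
    for t in "$@"; do
        refill=$(( (t - last) / interval ))
        if [ "$refill" -gt 0 ]; then
            tokens=$((tokens + refill))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
            last=$((last + refill * interval))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); verdict=ACCEPT
        else
            verdict=DROP   # the rule does not match; the packet falls through
        fi
        out="${out:+$out }$verdict"
    done
    printf '%s\n' "$out"
}

# Constructed sample: six echo requests in the first second, then one at 10 s,
# one at 12 s and one at 70 s.
# limit_simulate 6 5 0 0 0 0 0 0 10 12 70
```

Two things the model makes visible. First, the burst is a packet budget, not a number of clients: the first five packets pass immediately whatever their source, the sixth does not match, and afterwards one packet is admitted every ten seconds. Second, a packet that exceeds the limit is not dropped by this rule; it simply fails to match and continues to the next rule or the chain policy, so a limit rule only protects anything when a later DROP (or a DROP policy) catches the overflow. Per-source limiting needs the hashlimit match (-m hashlimit --hashlimit-mode srcip) rather than -m limit.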
4. Saving firewall rules:
4.1 Save the rules:
Notes:
iptables-save >/etc/sysconfig/iptables
The iptables service should be stopped/disabled while you do this.
Do not use iptables -nL to check whether the service is running: running it loads the firewall (its kernel modules) automatically.
Check the service status with: systemctl is-active iptables
[root@m01 ~]# iptables-save    # by default the output goes to the screen
# Generated by iptables-save v1.4.21 on Wed Jul 3 09:27:35 2019
*filter
:INPUT ACCEPT [276:20776]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [296:27334]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
COMMIT
# Completed on Wed Jul 3 09:27:35 2019
# Generated by iptables-save v1.4.21 on Wed Jul 3 09:27:35 2019
*nat
:PREROUTING ACCEPT [8:1767]
:INPUT ACCEPT [3:542]
:OUTPUT ACCEPT [63:3947]
:POSTROUTING ACCEPT [63:3947]
4.2 Redirect the output to a file:
[root@m01 ~]# iptables-save >/etc/sysconfig/iptables
4.3 Flush the rules:
[root@m01 ~]# iptables -F
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
4.4 Import the rules (after importing them, or after restarting iptables, the saved rules are restored):
[root@m01 ~]# iptables-restore < /etc/sysconfig/iptables
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
II. Firewall configuration scheme for production:
1. The "public park" model: the default policy allows everything (ACCEPT).
2. The "cinema" model: the default policy is DROP and only ticket holders get in (the second model is what is normally used).
2.1 Production uses the second model. Before changing the default policy, the prerequisite rules below must already be in place, otherwise you lock yourself out. Prerequisites:
2.2 Allow the SSH login port in:
[root@m01 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
2.3 Allow loopback (lo) traffic in and out:
[root@m01 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@m01 ~]# iptables -A OUTPUT -o lo -j ACCEPT
-i: input interface, used with the INPUT chain
-o: output interface, used with the OUTPUT chain
2.4 Allow ICMP through (so the device's IP can be pinged):
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
2.5 Allow the ports users need, 80 and 443:
[root@m01 ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@m01 ~]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
2.6 Allow users' existing connections to the server to continue:
[root@m01 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@m01 ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2.7 Allow trusted IP ranges:
[root@m01 ~]# iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT
[root@m01 ~]# iptables -A INPUT -s 172.16.1.0/24 -p all -j ACCEPT
2.8 Change the default policies:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
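Steps 2.2 to 2.8 are one procedure whose order matters: the ACCEPT rules must exist before the policy is flipped to DROP. The script below is an added example, not part of the original notes, that applies the whole scheme as a single function in that order, with the ports and trusted networks from the page as defaults. IPT, SSH_PORT, TRUSTED_NETS, SERVICE_PORTS and the arm_rollback safety net are assumptions introduced here; setting IPT=echo prints the rules instead of loading them, which is a cheap way to review the order before touching a remote box.

```shell
#!/bin/sh
# Added example (not from the original notes): the default-DROP ("cinema")
# scheme of part II applied in the safe order. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"                    # ports from the page
TRUSTED_NETS="${TRUSTED_NETS:-10.0.0.0/24 172.16.1.0/24}"   # networks from the page

apply_whitelist_policy() {
    # 1. Management access first, so nothing later can lock us out.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    # 2. Loopback in both directions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 3. ICMP echo request, so the host stays pingable.
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    # 4. Public services.
    for p in $SERVICE_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    # 5. Packets belonging to connections conntrack already knows about.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 6. Trusted internal networks.
    for n in $TRUSTED_NETS; do
        $IPT -A INPUT -s "$n" -j ACCEPT
    done
    # 7. Only now flip the default policies.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Optional safety net (assumption, not from the page): revert INPUT to ACCEPT
# after $1 seconds unless the job is killed with `kill "$ROLLBACK_PID"` once a
# fresh SSH login has been confirmed to work.
arm_rollback() {
    ( sleep "${1:-120}" && $IPT -P INPUT ACCEPT && $IPT -F INPUT ) &
    ROLLBACK_PID=$!
}

# Usage: sh this.sh apply        (or IPT=echo sh this.sh apply for a dry run)
case "${1-}" in apply) apply_whitelist_policy ;; esac
```

Note that the state rule in step 5 is what lets replies to the server's own outbound connections (DNS, yum, NTP) back in once the INPUT policy is DROP; without it OUTPUT ACCEPT alone is not enough.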
III. The NAT table
[Figure: meaning and role of the three chains of the nat table]
3.1 PREROUTING chain (forwarding: rewrites the destination IP and port):
3.1.1 Add a firewall rule:
[root@m01 ~]# iptables -t nat -A PREROUTING -p tcp -d 10.0.0.61 --dport 9000 -j DNAT --to-destination 172.16.1.51:22
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000 to:172.16.1.51:22
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
3.1.2 Set the kernel forwarding parameter (DNAT in the PREROUTING chain only works if IP forwarding is enabled):
Runtime (temporary) kernel forwarding parameter:
[root@m01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
Permanent kernel parameter:
[root@m01 ~]# tail /etc/sysctl.conf
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
3.1.3 On db01, shut down the physical NIC eth0, then set the gateway on eth1 to m01's IP (172.16.1.61):
[root@db01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no
IPADDR=10.0.0.51
PREFIX=24
GATEWAY=10.0.0.254
DNS1=10.0.0.254
[root@db01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=172.16.1.51
PREFIX=24
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.61
Restart networking: systemctl restart network
3.1.4 Test: [screenshot not reproduced]
3.2 Add an extra IP address whose only purpose is to be forwarded by the firewall rules:
3.2.1 Command to add the extra IP:
[root@m01 ~]# ip addr add 10.0.0.66/24 dev eth0 label eth0:0
3.2.2 Add the firewall rule:
[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.66 -j DNAT --to-destination 172.16.1.51
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000 to:172.16.1.51:22
DNAT all -- 0.0.0.0/0 10.0.0.66 to:172.16.1.51
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
3.2.3 Set the kernel forwarding parameter (DNAT in the PREROUTING chain only works if IP forwarding is enabled):
Runtime (temporary) kernel forwarding parameter:
[root@m01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
Permanent kernel parameter:
[root@m01 ~]# tail /etc/sysctl.conf
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
3.2.4 On db01, shut down the physical NIC eth0, then set the gateway on eth1 to m01's IP (172.16.1.61):
[root@db01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no
IPADDR=10.0.0.51
PREFIX=24
GATEWAY=10.0.0.254
DNS1=10.0.0.254
[root@db01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=172.16.1.51
PREFIX=24
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.61
Restart networking: systemctl restart network
3.2.5 Test: [screenshot not reproduced]
3.3 POSTROUTING chain (used in production to give the internal network Internet access):
Configure the POSTROUTING rule on the firewall
Enable kernel forwarding
Check with lsmod that the iptables nat module is loaded
3.3.1 Add the firewall rule:
[root@m01 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61
3.3.2 Add the kernel forwarding parameter and apply it:
[root@m01 ~]# cat /proc/sys/net/ipv4/ip_forward
[root@m01 ~]# tail /etc/sysctl.conf
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@m01 ~]# sysctl -p
net.ipv4.ip_forward = 1
3.3.3 Check with lsmod that the iptables nat module is loaded:
[root@m01 ~]# lsmod |egrep 'ipt|nat|filter'
ipt_REJECT 12541 0
nf_reject_ipv4 13373 1 ipt_REJECT
iptable_filter 12810 0
xt_nat 12681 1
iptable_nat 12875 1
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26787 2 nf_nat_ipv4,xt_nat
nf_conntrack 133095 4 nf_nat,nf_nat_ipv4,xt_conntrack,nf_conntrack_ipv4
ip_tables 27126 2 iptable_filter,iptable_nat
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
3.3.4 On db01, shut down the physical NIC eth0 and give eth1 the forwarding route (set its gateway to m01's IP):
[root@db01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no
IPADDR=10.0.0.51
PREFIX=24
GATEWAY=10.0.0.254
DNS1=10.0.0.254
[root@db01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=172.16.1.51
PREFIX=24
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.61
Restart networking: systemctl restart network
3.3.5 Check that an external site can be pinged:
[root@db01 ~]# ping baidu.com
PING baidu.com (123.125.114.144) 56(84) bytes of data.
64 bytes from 123.125.114.144 (123.125.114.144): icmp_seq=1 ttl=127 time=7.60 ms
64 bytes from 123.125.114.144 (123.125.114.144): icmp_seq=2 ttl=127 time=5.87 ms
64 bytes from 123.125.114.144 (123.125.114.144): icmp_seq=3 ttl=127 time=6.25 ms
64 bytes from 123.125.114.144 (123.125.114.144): icmp_seq=4 ttl=127 time=4.12 ms
64 bytes from 123.125.114.144 (123.125.114.144): icmp_seq=5 ttl=127 time=6.55 ms
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61   # commonly used when the public IP is fixed
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE   # masquerading: commonly used when the public IP is not fixed (MASQUERADE is a target of its own and takes no --to-source)
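Part III repeats the same three prerequisites for every NAT scenario (nat module loaded, ip_forward set, rule added) and ends with the SNAT-versus-MASQUERADE choice. The script below is an added example, not part of the original notes, that turns those prerequisites into checks that refuse to add rules until they hold, and builds the DNAT rule from 3.1.1 and the SNAT/MASQUERADE rule from 3.3 from their parameters. The addresses are the page's (m01 = 10.0.0.61 / 172.16.1.61, db01 = 172.16.1.51); the function names, the IPT variable and the two FORWARD rules at the end are assumptions introduced here. The FORWARD rules go beyond the page: part II sets the FORWARD policy to DROP, and with that policy DNAT and SNAT only work if forwarded traffic is explicitly accepted.

```shell
#!/bin/sh
# Added example (not from the original notes): preflight checks and rule
# builders for the NAT scenarios of part III. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"

# Returns 0 if the lsmod listing given on stdin shows iptable_nat and nf_nat.
nat_modules_loaded() {
    awk 'BEGIN { n = 0 }
         $1 == "iptable_nat" || $1 == "nf_nat" { n++ }
         END { exit (n == 2 ? 0 : 1) }'
}

# Returns 0 if the ip_forward sysctl file ($1, default the real one) reads 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Port forward (3.1.1): dnat_rule <public_ip> <public_port> <internal_ip> <internal_port>
dnat_rule() {
    printf '%s\n' "-t nat -A PREROUTING -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$4"
}

# Outbound NAT (3.3): snat_rule <lan_cidr> <wan_iface> [fixed_public_ip]
# With a fixed public IP use SNAT; without one use MASQUERADE, which reads the
# interface's current address itself (it is a target, not a --to-source value).
snat_rule() {
    if [ -n "${3:-}" ]; then
        printf '%s\n' "-t nat -A POSTROUTING -s $1 -o $2 -j SNAT --to-source $3"
    else
        printf '%s\n' "-t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
    fi
}

# Apply the page's rules, but only once the kernel prerequisites are satisfied.
enable_nat_gateway() {
    lsmod | nat_modules_loaded \
        || { echo "NAT modules not loaded; run: modprobe iptable_nat" >&2; return 1; }
    forwarding_enabled \
        || { echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2; return 1; }
    # Word splitting of the builders' output is intended here.
    $IPT $(snat_rule 172.16.1.0/24 eth0 10.0.0.61)
    $IPT $(dnat_rule 10.0.0.61 9000 172.16.1.51 22)
    # Part II sets FORWARD to DROP, so forwarded traffic needs explicit ACCEPTs
    # (assumption: eth1 is m01's internal interface, as in the page's addressing).
    $IPT -A FORWARD -i eth1 -s 172.16.1.0/24 -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh this.sh apply        (or IPT=echo sh this.sh apply for a dry run)
case "${1-}" in apply) enable_nat_gateway ;; esac
```

The checks are deliberately separate functions that take their input as stdin or a file path, so they can be exercised against a saved lsmod listing or a copy of the sysctl file on a machine that has neither, which is also how the behaviour of the ip_forward check after a reboot can be verified before relying on /etc/sysctl.conf.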