iptables and visudo/sudoers explained in detail

Author: dabule | Source: published 2018-05-10 21:46, read 28 times

    The five chains of iptables in detail

    iptables has 4 tables and 5 chains. The 4 tables are filter, nat, mangle and raw; the 5 chains are INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

    The 4 tables:

    filter: the default table, used for ordinary packet filtering; its chains are INPUT, OUTPUT and FORWARD.

    nat: used for network functions (address translation, mapping and so on); its chains are FORWARD, PREROUTING and POSTROUTING.

    mangle: used to modify specific packets; rarely used; its chains are INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

    raw: generally used to exempt packets from iptables connection tracking, to improve performance; its chains are OUTPUT and PREROUTING.

    The 5 chains:

    INPUT: packets that the routing decision has determined are destined for this host and that enter the host's own resources

    OUTPUT: packets generated by this host and sent outward

    FORWARD: packets that the routing decision has determined are not destined for this host and that this host, acting as a router, forwards elsewhere

    PREROUTING: inbound packets, before the routing decision

    POSTROUTING: outbound packets, before they reach the network interface

    The diagram below shows how the four tables and five chains relate:


    [Figure: schematic of the four tables and five chains of iptables (iptable的四表五链示意图.png)]

    Worked examples of iptables multiport matching, connection tracking, string matching, time matching, concurrent-connection limits, rate matching and packet-state (TCP flag) matching

    • iptables rule format:

      iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

          -t table: raw, mangle, nat, filter (the default)

          COMMAND:
              Chain management (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING):
                  -N: new, create a user-defined chain (a user-defined chain only takes effect once a built-in chain references it)
                  -X: delete an empty user-defined chain; non-empty user-defined chains and built-in chains cannot be deleted
                  -P: policy, set the default policy, i.e. how packets that match no rule are handled; for the chains of the filter table the default policy can be:
                          ACCEPT: accept
                          DROP: drop
                          REJECT: reject
                  -E: rename a user-defined chain; a user-defined chain whose reference count is not 0 can be neither renamed nor deleted
                  -F: flush, empty the specified chain; with no chain name, empty every chain in the table
                  -Z: zero, reset the counters
                          every iptables rule has two counters:
                              (1) the number of packets matched
                              (2) the total size of all packets matched

              Rule management:
                  -A: append
                  -I: insert at the given position; when the position is omitted, insert as the first rule
                  -D: delete, identified by
                          (1) the rule number
                          (2) the rule itself
                  -R: replace the specified rule on the specified chain

              Viewing:
                  -L: list all rules on the specified chain
                      -n: numeric, show addresses and port numbers as numbers
                      -v: verbose
                          -vv, -vvv: even more detail
                      -x: exact, show the exact counter values
                      --line-numbers: show rule numbers

      Match conditions:
          Basic matches: no module needs loading; provided by iptables/netfilter itself.

              [!] -s, --source address[/mask][,...]: check whether the packet's source IP matches the given address or range
              [!] -d, --destination address[/mask][,...]: check whether the packet's destination IP matches the given address or range
              [!] -p, --protocol protocol: check the packet's protocol
                    protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all" {tcp|udp|icmp}
              [!] -i, --in-interface name: the interface the packet arrives on; only usable on the inbound path, i.e. in the PREROUTING, INPUT and FORWARD chains
              [!] -o, --out-interface name: the interface the packet leaves on; only usable on the outbound path, i.e. in the FORWARD, OUTPUT and POSTROUTING chains

          Extended matches: take effect only after the extension module is loaded

              Implicit extensions: the module does not have to be loaded by hand; they extend a protocol, so naming the protocol with -p already names the module. The corresponding modules are:
                  tcp:
                      [!] --source-port, --sport port[:port]: match the packet's source port; may be a range
                      [!] --destination-port, --dport port[:port]: match the packet's destination port; may be a range
                      [!] --tcp-flags mask comp
                          mask is the flags which we should examine, written as a comma-separated list, e.g. SYN,ACK,FIN,RST
                          comp is a comma-separated list of flags which must be set, e.g. SYN
                          e.g. "--tcp-flags SYN,ACK,FIN,RST SYN" means: examine the four flags SYN, ACK, FIN and RST; SYN must be 1 and the rest must be 0
                      [!] --syn: match the first packet of the handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN"
                  udp:
                      [!] --source-port, --sport port[:port]: match the packet's source port; may be a range
                      [!] --destination-port, --dport port[:port]: match the packet's destination port; may be a range
                  icmp:
                      [!] --icmp-type {type[/code]|typename}
                          echo-request: 8
                          echo-reply: 0

              Explicit extensions: the module must be loaded by hand with [-m matchname [per-match-options]]
                  multiport: match several discrete ports at once; at most 15 ports
                      [!] --source-ports, --sports port[,port|,port:port]...: several source ports
                      [!] --destination-ports, --dports port[,port|,port:port]...: several destination ports
                      [!] --ports port[,port|,port:port]...: several ports (source or destination)
                  iprange: a contiguous range of IP addresses (normally not a whole network)
                      [!] --src-range from[-to]: source IP range
                      [!] --dst-range from[-to]: destination IP range
                  string: pattern-match a string in the packet's application-layer payload
                      --algo {bm|kmp}: the string-matching algorithm; bm and kmp are two string-search algorithms
                      [!] --string pattern: the string to look for
                      [!] --hex-string pattern: the string to look for, given in hexadecimal
                  time: compare the packet's arrival time with a given time window
                      --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
                      --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
                      --timestart hh:mm[:ss]
                      --timestop hh:mm[:ss]
                      [!] --monthdays day[,day...]
                      [!] --weekdays day[,day...]
                      --kerneltz: use the kernel's time zone instead of the default UTC
                  connlimit: match on the number of concurrent connections per client IP
                      --connlimit-upto n: match when the connection count is less than or equal to n
                      --connlimit-above n: match when the connection count is greater than n
                  limit: match on the rate at which packets are received or sent
                      --limit rate[/second|/minute|/hour|/day]: the rate
                      --limit-burst number: the burst size, i.e. how many packets may pass before the rate limit takes hold
                  state: check the connection state via the connection-tracking mechanism
                      [!] --state state

                      conntrack: tracks the relationship between requests and responses on this host; the states are:
                          NEW: a freshly issued request; the connection-tracking table has no entry for this connection, so it is recognised as the first packet of a request
                          ESTABLISHED: the communication after NEW, for as long as the entry created for the connection in the tracking table remains valid
                          RELATED: a related connection, e.g. the relationship between the data connection and the command connection in FTP
                          INVALID: an invalid connection
                          UNTRACKED: a connection that is not being tracked

      Targets (actions): -j targetname [per-target-options]
          ACCEPT: accept
          DROP: drop, returning nothing to the sender
          REJECT: reject, returning a response to the sender
          RETURN: return to the calling chain
          REDIRECT: port redirection
          LOG: log the packet
          MARK: set a firewall mark
          DNAT: destination address translation
          SNAT: source address translation
          MASQUERADE: address masquerading
          ...
          user-defined chain:
      

    Before adding any matches, look at the system's default iptables configuration:

    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 25 packets, 1804 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 14 packets, 1668 bytes)
     pkts bytes target     prot opt in     out     source               destination 
    
    • Multiport matching:
    [root@localhost ~]# iptables -I INPUT 1 -d 192.168.1.107 -p tcp -m multiport --dports 21,22,80,8080,443 -j ACCEPT
    
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 4 packets, 624 bytes)
     pkts bytes target     prot opt in     out     source               destination  
    
    # Insert a rule at position 1 of the INPUT chain:
    for TCP traffic whose destination address is 192.168.1.107
    and whose destination port is one of 21, 22, 80, 8080 or 443, accept.
    
    • Connection tracking:
    [root@localhost ~]# iptables -A INPUT -d 192.168.1.107 -p tcp -m multiport --dports 21,22,80 -m state --state INVALID -j REJECT
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 9 packets, 616 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
        0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:21 #conn/32 > 2 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 4 packets, 736 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       192.168.1.107        192.0.0.0/8         tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 
    
    
    # Append a rule to the INPUT chain:
    destination IP 192.168.1.107, TCP, ports 21, 22 and 80;
    when the connection state is INVALID, reject.
    
    • String matching:
    [root@localhost ~]# iptables -A OUTPUT -s 192.168.1.107 -d 192.168.1.0/8 -p tcp --sport 80 -m string --algo bm --string "sex" -j REJECT
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
        0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 3 packets, 552 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       192.168.1.107        192.0.0.0/8         tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 
    
    # Append a rule to the OUTPUT chain:
    source IP 192.168.1.107, destination the 192.168.1.0/8 network, TCP, source port 80;
    when the payload contains the string "sex", reject.
    (Note that /8 means 192.0.0.0/8, which is how the listing shows it; the 192.168.1.0 subnet alone would be /24.)
    
    • Time matching:
    [root@localhost ~]# iptables -A INPUT -s 192.168.1.0/8 -d 192.168.1.107 -p tcp --dport 80 -m time --timestart 00:30 --timestop 12:30 --weekdays Mon,Sun  -j DROP
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 18 packets, 1337 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
        0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 9 packets, 2328 bytes)
     pkts bytes target     prot opt in     out     source               destination  
    
    # Append a rule to the INPUT chain:
    source the 192.168.1.0/8 network (shown as 192.0.0.0/8 in the listing), destination IP 192.168.1.107, TCP port 80;
    during 00:30-12:30 on Mondays and Sundays, drop.
    
    • Concurrent-connection limit:
    [root@localhost ~]# iptables -A INPUT -d 192.168.1.107 -p tcp --dport 21 -m connlimit --connlimit-above 2 -j REJECT
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 7 packets, 520 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
        0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:21 #conn/32 > 2 reject-with icmp-port-unreachable 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 5 packets, 648 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       192.168.1.107        192.0.0.0/8         tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 
    
    # Append a rule to the INPUT chain:
    destination IP 192.168.1.107, TCP, port 21;
    when the number of concurrent connections exceeds 2, reject.
    
    • Rate matching:
    [root@localhost ~]# iptables -I INPUT -d 192.168.1.107 -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 3 -j ACCEPT
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 10 packets, 845 bytes)
    pkts bytes target     prot opt in     out     source               destination         
       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.107       icmp type 8 limit: avg 5/min burst 3 
       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
       0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun 
       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:21 #conn/32 > 2 reject-with icmp-port-unreachable 
       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 4 packets, 848 bytes)
    pkts bytes target     prot opt in     out     source               destination         
       0     0 REJECT     tcp  --  *      *       192.168.1.107        192.0.0.0/8         tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 
    
    # Insert a rule at the head of the INPUT chain:
    destination IP 192.168.1.107, ICMP, type 8 (echo-request);
    accept at a rate of 5 per minute with a burst of 3 (the number of packets allowed through before the 5/min rate applies).
    
    • Packet-state (TCP flag) matching:
    [root@localhost ~]# iptables -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
    [root@localhost ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 8 packets, 576 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x3F/0x02 reject-with icmp-port-unreachable 
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.107       icmp type 8 limit: avg 5/min burst 3 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443 
        0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:21 #conn/32 > 2 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 5 packets, 744 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     tcp  --  *      *       192.168.1.107        192.0.0.0/8         tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 
    
    # -m tcp loads the tcp extension module,
    --tcp-flags: the flags to examine in the packet
    SYN,ACK,FIN,RST,URG,PSH: the list of flags to examine; may be written as ALL.
    SYN: of the listed flags, SYN must be 1 and all the others must be 0
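As an added example (not code from the original post), here is a parser for the `iptables -L -nv` listing format shown above, with an audit that flags two things the listings above exhibit: a chain whose policy is ACCEPT, where an ACCEPT rule restricts nothing, and DROP/REJECT rules that can never fire because an earlier ACCEPT rule on the same ports matches first. `SAMPLE_LISTING` is constructed from the INPUT/FORWARD output above; `covers()` assumes plain CIDR containment and treats negated ("!") address specs as not covering.

```python
"""Parser and auditor for `iptables -L -nv` listings (added example, not from the post)."""
import re
from collections import namedtuple
from ipaddress import ip_network

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) \d+ packets, \d+ bytes|\d+ references)\)")
OPT_RE = re.compile(r"[-!f]{2}")      # the 'opt' column is '--', '-f' or '!f'
PLAIN_PORT_RE = re.compile(r"(?:tcp|udp|multiport) (?:dpts?:\S+|dports \S+)")
Rule = namedtuple("Rule", "target prot opt in_if out_if source destination options")
Chain = namedtuple("Chain", "name policy rules")   # policy is None for user-defined chains

# Constructed from the INPUT/FORWARD part of the listing shown above.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 8 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x3F/0x02 reject-with icmp-port-unreachable
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.107       icmp type 8 limit: avg 5/min burst 3
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80,8080,443
    0     0 DROP       tcp  --  *      *       192.0.0.0/8          192.168.1.107       tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:21 #conn/32 > 2 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

def parse_listing(text):
    """Return {chain_name: Chain} for the text of `iptables -L -nv` (with or without --line-numbers)."""
    chains, current, has_num = {}, None, False
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        m = CHAIN_RE.match(line.strip())
        if m:
            current = chains[m.group(1)] = Chain(m.group(1), m.group(2), [])
            continue
        if tok[0] in ("pkts", "num"):          # column header; 'num' means --line-numbers
            has_num = tok[0] == "num"
            continue
        if has_num:
            tok = tok[1:]
        if OPT_RE.fullmatch(tok[3]):           # no -j target: the opt column arrives one field early
            tok.insert(2, "")
        # columns: pkts bytes target prot opt in out source destination [options...]
        current.rules.append(Rule(*tok[2:9], options=" ".join(tok[9:])))
    return chains

def dest_ports(options):
    """Destination ports named in the match text ('dpt:22', 'dports 21,80:82'), or None."""
    m = re.search(r"\bdpts?:(\S+)|\bdports (\S+)", options)
    if not m:
        return None
    ports = set()
    for item in (m.group(1) or m.group(2)).split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def covers(outer, inner):
    """True when address spec `outer` contains `inner`; negated ('!') specs never cover."""
    if outer.startswith("!") or inner.startswith("!"):
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def audit(chains):
    """Findings a reviewer would raise: default-accept chains and shadowed DROP/REJECT rules."""
    findings = []
    for ch in chains.values():
        if ch.name in ("INPUT", "FORWARD") and ch.policy == "ACCEPT":
            findings.append(f"{ch.name}: policy ACCEPT, so its ACCEPT rules restrict nothing")
        for i, r in enumerate(ch.rules, 1):
            if r.target != "ACCEPT" or not PLAIN_PORT_RE.fullmatch(r.options):
                continue
            allowed = dest_ports(r.options)
            # First match wins: a later DROP/REJECT on a subset of these ports, between
            # addresses this ACCEPT already covers, can never fire.
            for j, later in enumerate(ch.rules[i:], i + 1):
                ports = dest_ports(later.options)
                if (later.target in ("DROP", "REJECT") and later.prot == r.prot
                        and ports is not None and ports <= allowed
                        and covers(r.source, later.source)
                        and covers(r.destination, later.destination)):
                    findings.append(f"{ch.name} rule {j} ({later.target} on dports "
                                    f"{sorted(ports)}) is shadowed by rule {i} (ACCEPT)")
    return findings
```

Run `audit(parse_listing(SAMPLE_LISTING))` to see that the time, connlimit and INVALID-state rules above are all dead behind the multiport ACCEPT at position 3.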
    

    Worked examples of iptables SNAT (source address rewriting), DNAT (destination address rewriting) and PNAT (port rewriting)

    To do NAT, the kernel's routing (forwarding) function must be enabled: set the value in the file /proc/sys/net/ipv4/ip_forward to 1 (the default is 0).

    [root@localhost ~]# sysctl -w net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    
    
    • SNAT: mainly lets clients on the internal network reach external hosts; used on POSTROUTING and OUTPUT
    [root@localhost ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 56 packets, 9787 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 123 packets, 9800 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 123 packets, 9800 bytes)
     pkts bytes target     prot opt in     out     source               destination   
    [root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/8 -j SNAT --to-source 172.16.1.105
    [root@localhost ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 SNAT       all  --  *      *       192.0.0.0/8          0.0.0.0/0           to:172.16.1.105 
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination  
    
    # Add a rule to the POSTROUTING chain of the nat table:
    rewrite the source address of packets from the internal 192.168.1.0/8 network
    (shown as 192.0.0.0/8 in the listing) to the IP address 172.16.1.105
    
    
    • DNAT: mainly lets a server on the internal network be reached by external clients; defined on the PREROUTING chain.
    [root@localhost ~]# iptables -t nat -A PREROUTING -d 172.16.1.105 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.107 
    [root@localhost ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.1.105        tcp dpt:80 to:192.168.1.107 
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       17  1540 SNAT       all  --  *      *       192.0.0.0/8          0.0.0.0/0           to:172.16.1.105 
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination 
    
    # Add a rule to the PREROUTING chain of the nat table:
    TCP traffic to destination IP 172.16.1.105,
    port 80, is all sent on to the internal server 192.168.1.107
    
    
    • PNAT: redirect packets to another port (PNAT); this can be used to implement a transparent proxy or to protect a web server.
    [root@localhost ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8083
    [root@localhost ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.1.105        tcp dpt:80 to:192.168.1.107 
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8083 
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       38  3120 SNAT       all  --  *      *       192.0.0.0/8          0.0.0.0/0           to:172.16.1.105 
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination 
    
    
    # Add a rule to the PREROUTING chain of the nat table:
    redirect TCP traffic for port 80 to port 8083
    
    

    A brief look at sudo, the secure privilege-switching tool, and a detailed explanation of visudo and /etc/sudoers

    • sudo: lets an authorized user run specified commands as another user. A successful authentication is valid for 5 minutes by default; within those 5 minutes further commands do not ask for the user's password again. This makes it possible to limit root's

      sudo [options] COMMAND
                -l[l] command    list the commands the user may run
                -k               clear the cached successful authentication
      
    [linuxprobe@localhost ~]$ sudo -l
    [sudo] password for linuxprobe: 
    Sorry, user linuxprobe may not run sudo on localhost.
    
    # List the sudo commands the user may run; none have been granted here
    
    
        Authorization mechanism: the authorization file /etc/sudoers
            root    ALL=(ALL)   ALL 
              allows the root user to run any command in any path
            %wheel  ALL=(ALL)   ALL 
              allows users in the wheel group to run all commands

                who     where=(whom)    commands
        which user (who), from which source host (where), as which user (whom), may run which commands (commands)

    magedu ALL=(root)  /usr/bin/ifconfig
    # the user magedu may run /usr/bin/ifconfig as root from any host
    
    
    • Notes:

    • ALL, meaning "everything", must be written in upper case

    • Commands must be given as absolute paths; to forbid a command, write ! commands

    • The user may be a group; a group is written as %GROUP_NAME

    • To skip the password prompt when running sudo, use NOPASSWD: COMMAND; to force password verification, use PASSWD: COMMAND

                users   hosts=(runas)       commands

                    users:
                        username       user name
                        #uid           numeric uid
                        %groupname     group name
                        %#gid          numeric gid
                        user_alias     user alias (several users may be defined as one group of users, called a user alias)

                    hosts:
                        ip             IP address
                        hostname       host name
                        NetAddr        network address
                        host_alias     host alias

                    runas:
                        ...
                        runas_alias    a runas alias, i.e. the users sudo may switch to

                    commands:
                        command        a command
                        directory      a directory
                        sudoedit       a special privilege that can be used to grant sudo rights to other users
                        cmnd_alias     command alias

                How to define an alias:
                    ALIAS_TYPE  NAME=item1, item2, item3, ...
                        NAME: the alias name; must be written in all upper case
                    ALIAS_TYPE:
                        User_Alias   user alias
                        Host_Alias   host alias
                        Runas_Alias  a list of the identities the user may run as (e.g. root, magedu)
                        Cmnd_Alias   command alias
    
    
    User_Alias  NETADMIN=jeck,magedu

    # NETADMIN stands for the users jeck and magedu

    -----------

    Cmnd_Alias NETCMND=/sbin/ip, /sbin/ifconfig, /sbin/route

    # the alias NETCMND stands for the ip, ifconfig and route commands (commands in sudoers must be absolute paths, so they are written as /sbin/... here)

    -----------

    NETADMIN    localhost=(root)    NETCMND

    # the users in the NETADMIN alias may run, on the local host as root, the commands in the NETCMND alias
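As an added example (not part of the original post), the following parser reads the sudoers subset described above (alias definitions and `users hosts=(runas) commands` lines), expands the aliases into individual grants, reports what one user may run (what `sudo -l` would list) and flags commands that are not absolute paths or that grant NOPASSWD: ALL. The constructed `SAMPLE_SUDOERS` reuses the entries above plus two deliberately bad lines; the parser assumes no `\` line continuations and ignores Defaults and #include lines.

```python
"""Parse the sudoers subset shown above, expand aliases, audit (added example, not from the post)."""
import re
from collections import namedtuple
from itertools import product

ALIAS_KINDS = {"User_Alias": "user", "Host_Alias": "host", "Runas_Alias": "runas", "Cmnd_Alias": "cmnd"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# user is 'name', '%group', '#uid' or '%#gid'; runas is 'root' when (runas) is omitted;
# command keeps its '!' prefix for forbidden commands.
Grant = namedtuple("Grant", "user host runas command nopasswd")

# Constructed from the entries above; the last three lines are deliberately invalid or risky.
SAMPLE_SUDOERS = """\
User_Alias  NETADMIN = jeck, magedu
Cmnd_Alias  NETCMND = /sbin/ip, /sbin/ifconfig, /sbin/route
Defaults    env_reset
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
magedu  ALL=(root)  /usr/bin/ifconfig
NETADMIN    localhost=(root)    NETCMND
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
Cmnd_Alias  BADCMND = ip, ifconfig, route
jeck    ALL=(root)  BADCMND, !/bin/bash
%wheel  ALL=(ALL)   NOPASSWD: ALL
"""

def _items(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse_sudoers(text):
    """Return (aliases, grants); aliases = {kind: {NAME: [items]}}, grants fully expanded."""
    aliases = {kind: {} for kind in ALIAS_KINDS.values()}
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue            # comments, #include lines and Defaults are not privilege specs
        head, _, rest = line.partition("=")
        words = head.split()
        if words[0] in ALIAS_KINDS:                 # e.g.  User_Alias NETADMIN = jeck, magedu
            aliases[ALIAS_KINDS[words[0]]][words[1]] = _items(rest)
            continue
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", rest)   # optional (runas) part
        runas, cmds = (_items(m.group(1)), m.group(2)) if m else (["root"], rest)
        specs.append((_items(" ".join(words[:-1])), words[-1], runas, cmds))

    def expand(kind, item):
        """Replace an alias name by its members, recursively; '!' survives the expansion."""
        neg, name = item.startswith("!"), item.lstrip("!")
        if name not in aliases[kind]:
            return [item]
        return [("!" if neg else "") + x for member in aliases[kind][name] for x in expand(kind, member)]

    grants = []
    for users, host, runas, cmds in specs:
        nopasswd, entries = False, []
        for cmd in _items(cmds):
            while ":" in cmd and cmd.split(":", 1)[0] in TAGS:   # a tag applies to all later commands
                tag, cmd = cmd.split(":", 1)
                cmd = cmd.strip()
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            entries += [(c, nopasswd) for c in expand("cmnd", cmd)]
        all_users = [u for name in users for u in expand("user", name)]
        all_runas = [r for name in runas for r in expand("runas", name)]
        for u, h, r, (c, np) in product(all_users, expand("host", host), all_runas, entries):
            grants.append(Grant(u, h, r, c, np))
    return aliases, grants

def effective(grants, user):
    """What `sudo -l` would list for one user or %group: {(host, runas, command)}."""
    return {(g.host, g.runas, g.command) for g in grants if g.user == user}

def audit(grants):
    """Commands that are not absolute paths (sudoers requires them) and password-less ALL."""
    findings = []
    for g in grants:
        cmd = g.command.lstrip("!")
        if not cmd.startswith("/") and cmd.split()[0] not in ("ALL", "sudoedit"):
            findings.append(f"{g.user}: command '{cmd}' is not an absolute path")
        if g.nopasswd and g.command == "ALL":
            findings.append(f"{g.user}: NOPASSWD with ALL on {g.host} as ({g.runas}) "
                            "is password-less unrestricted access")
    return findings
```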
    

    Because the sudo configuration file is so important, and a formatting error makes the sudo command unusable, no user, root included, should edit it with vim; use the dedicated visudo command instead. The format of /etc/sudoers is as follows:

    [root@localhost ~]# cat /etc/sudoers
    ## Sudoers allows particular users to run various commands as
    ## the root user, without needing the root password.
    ##
    ## Examples are provided at the bottom of the file for collections
    ## of related commands, which can then be delegated out to particular
    ## users or groups.
    ## 
    ## This file must be edited with the 'visudo' command.
    
    ## Host Aliases
    ## Groups of machines. You may prefer to use hostnames (perhaps using 
    ## wildcards for entire domains) or IP addresses instead.
    # Host_Alias     FILESERVERS = fs1, fs2
    # Host_Alias     MAILSERVERS = smtp, smtp2
    
    ## User Aliases
    ## These aren't often necessary, as you can use regular groups
    ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
    ## rather than USERALIAS
    # User_Alias ADMINS = jsmith, mikem
    
    
    ## Command Aliases
    ## These are groups of related commands...
    
    ## Networking
    # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
    
    ## Installation and management of software
    # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
    
    ## Services
    # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
    
    ## Updating the locate database
    # Cmnd_Alias LOCATE = /usr/bin/updatedb
    
    ## Storage
    # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
    
    ## Delegating permissions
    # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
    
    ## Processes
    # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
    
    ## Drivers
    # Cmnd_Alias DRIVERS = /sbin/modprobe
    
    # Defaults specification
    
    #
    # Refuse to run if unable to disable echo on the tty.
    #
    Defaults   !visiblepw
    
    #
    # Preserving HOME has security implications since many programs
    # use it when searching for configuration files. Note that HOME
    # is already set when the the env_reset option is enabled, so
    # this option is only effective for configurations where either
    # env_reset is disabled or HOME is present in the env_keep list.
    #
    Defaults    always_set_home
    Defaults    match_group_by_gid
    
    Defaults    env_reset
    Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    
    #
    # Adding HOME to env_keep may enable a user to run unrestricted
    # commands via sudo.
    #
    # Defaults   env_keep += "HOME"
    
    Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    
    ## Next comes the main part: which users can run what software on 
    ## which machines (the sudoers file can be shared between multiple
    ## systems).
    ## Syntax:
    ##
    ##  user    MACHINE=COMMANDS
    ##
    ## The COMMANDS section may have other options added to it.
    ##
    ## Allow root to run any commands anywhere 
    root    ALL=(ALL)   ALL
    
    ## Allows members of the 'sys' group to run networking, software, 
    ## service management apps and more.
    # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
    
    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)   ALL
    
    ## Same thing without a password
    # %wheel    ALL=(ALL)   NOPASSWD: ALL
    
    ## Allows members of the users group to mount and unmount the 
    ## cdrom as root
    # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
    
    ## Allows members of the users group to shutdown this system
    # %users  localhost=/sbin/shutdown -h now
    
    ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
    #includedir /etc/sudoers.d
    
    


        Article link: https://www.haomeiwen.com/subject/rfmzlftx.html