当前位置:网站首页>iptables的使用简单测试
iptables的使用简单测试
2022-08-01 20:29:00 【daydayup9527】
iptables
四表五链
配直iptables时,不指定表,默认使用filter表。配置时不指定规则链,则配置所有链;
数据包进入该链时,从上向下匹配,匹配即停止,开始应用规则。如果全都不匹配,则应用默认规则;
命令规则:
选项大写:-L、-P、-A、-I、 -D、 -F
链名大写:INPUT、OUTPUT、FORWARD
目标操作大写:DROP、 ACCEPT、 REJECT..
其他小写: -s -p --sport --deport...
一般配置nat表跟filter表
INPUT:数据包的目标地址是自己,则进入INPUT链
OUTPUT:数据包的源地址是自己,则进入OUTPUT链
FORWARD:数据包穿过自己,则进入FORWARD链
[[email protected] ~]# iptables -t filter -L # -t指定表名
[[email protected] ~]# iptables -nL #默认filter表,所有规则链都是空的
Chain INPUT (policy ACCEPT) #INPUT链默认规则是接受
target prot opt source destination
Chain FORWARD (policy ACCEPT) #FORWARD链默认规则是接受
target prot opt source destination
Chain OUTPUT (policy ACCEPT) #OUTPUT链默认规则是接受,一般不限制
target prot opt source destination
iptables [-t表名] 选项 [链名] [条件] [-j满足条件的操作]
web服务只允许ssh http 访问,其他都不许
iptables匹配规则:自上到下,匹配即停止。默认规则最后。
[[email protected] ~]# iptables -A INPUT -s 192.168.1.1 -j ACCEPT
#-A是追加规则(最后面),-s是匹配源地址,-j为jump,采取的行为,ACCEPT是接受
master 192.168.1.11 node1 192.168.1.12 本机 192.168.1.1
-P 设置默认规则
[[email protected] ~]# iptables -P INPUT DROP #注意先执行,会断开ssh
#将INPUT链的默认规则改为DROP丢弃。-P 设置默认规则,默认规则最后检查
[[email protected] ~]# iptables -nL
Chain INPUT (policy DROP) #默认drop,最后检查
target prot opt source destination
ACCEPT all -- 192.168.1.1 0.0.0.0/0 #代表anywhere
[[email protected] ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.12 netmask 255.255.255.0 broadcast 192.168.1.255
[[email protected] ~]# ping 192.168.1.11 #不通
#node1 ip 192.168.1.12,只有192.168.1.1accept一个规则,没匹配到走默认drop
允许192.168.1.0网络的主机ssh连接master
-I 插入规则
[[email protected] ~]# iptables -I INPUT 1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
#-I是插入到INPUT链的 1 第1个位置。-p指定协议 --dport指定目标端口号 -j是执行的操作
#查看规则
[[email protected] ~]# iptables -nL #n是指用数字来表示端口号、主机等
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 192.168.1.1 0.0.0.0/0
-A 追加规则
[[email protected] ~]# iptables -A INPUT -s 192.168.1.12 -j DROP
[[email protected] ~]# iptables -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 192.168.1.1 0.0.0.0/0
DROP all -- 192.168.1.12 0.0.0.0/0
-D 删除规则
[[email protected] ~]# iptables -D INPUT 3
[[email protected] ~]# iptables -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 192.168.1.1 0.0.0.0/0
举例
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# systemctl start httpd
默认规则是drop,所以访问会卡主,注意状态 SYN-SENT
[[email protected] ~]# curl 192.168.1.11 #卡住,
[[email protected] ~]# ss | grep SENT #再开个终端执行,看到http一直处于SYN-SENT状态,防火墙不通
tcp SYN-SENT 0 1 192.168.1.12:50846 192.168.1.11:http
[[email protected] ~]# curl 192.168.1.11
curl: (7) Failed connect to 192.168.1.11:80; Connection timed out
[[email protected] ~]# ss | grep SENT #curl超时后,再次查看SYN-SENT的连接。发现没了
[[email protected] ~]# iptables -I INPUT 1 -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
[[email protected] ~]# iptables -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 192.168.1.1 0.0.0.0/0
此时访问是同的
[[email protected] ~]# curl 192.168.1.11
ping ICMP协议
应用层 ssh http ftp (后新增表示层、会话层)
传输层 tcp / udp端口号
网络层 icmp (ping) #icmp不放开,就不用考虑上面两层的的传输了
数据链路层
物理层
1、不设置规则(配置了默认drop),卡主
[[email protected] ~]# ping 192.168.1.11 #此时规则如上,显示卡主
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
^C
--- 192.168.1.11 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
2、设置REJECT,显示 不可达Destination Port Unreachable
[[email protected] ~]# iptables -A INPUT -s 192.168.1.12 -p icmp -j REJECT
[[email protected] ~]# iptables -nL INPUT
Chain INPUT (policy DROP)
REJECT icmp -- 192.168.1.12 0.0.0.0/0 reject-with icmp-port-unreachable
[[email protected] ~]# ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
From 192.168.1.11 icmp_seq=1 Destination Port Unreachable
From 192.168.1.11 icmp_seq=2 Destination Port Unreachable
3、设置ACCEPT,显示ping通
[[email protected] ~]# iptables -I INPUT 1 -s 192.168.1.12 -p icmp -j ACCEPT
[[email protected] ~]# ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
64 bytes from 192.168.1.11: icmp_seq=1 ttl=64 time=0.272 ms
64 bytes from 192.168.1.11: icmp_seq=2 ttl=64 time=0.677 ms
显示规则的行号 --line-numbers
[[email protected] ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT icmp -- 192.168.1.12 0.0.0.0/0
2 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:80
3 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
4 ACCEPT all -- 192.168.1.1 0.0.0.0/0
不保存规则,重启iptables服务,自定义规则将消失
[[email protected] ~]# iptables-save >rule.txt
[[email protected] ~]# iptables–restore <rule.txt
FORWARD链测试
1)client主机配置IP、添加网关
[[email protected] ~]# nmcli connection modify ens33 ipv4.method manual \
ipv4.addresses 192.168.4.10/24 autoconnect yes
[[email protected] ~]# nmcli connection modify ens33 ipv4.gateway 192.168.4.5
[[email protected] ~]# nmcli connection up
[[email protected] ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.10
[[email protected] ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.4.5 0.0.0.0 UG 100 0 0 ens33
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
2)web1主机配置IP、添加网关
[[email protected] ~]# nmcli connection modify ens33 ipv4.method manual \
ipv4.addresses 192.168.1.12/24 autoconnect yes
[[email protected] ~]# nmcli connection modify ens33 ipv4.gateway 192.168.1.11
[[email protected] ~]# nmcli connection up eth0
[[email protected] ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.12
[[email protected] ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.11 0.0.0.0 UG 100 0 0 ens33
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
3)proxy主机配置IP、开启路由转发
[[email protected] ~]# nmcli connection modify ens33 ipv4.method manual \
ipv4.addresses 192.168.4.5/24 autoconnect yes
[[email protected] ~]# nmcli connection up ens33
[[email protected] ~]# nmcli connection modify ens37 ipv4.method manual \
ipv4.addresses 192.168.1.11/24 autoconnect yes
[[email protected] ~]# nmcli connection up ens37
[[email protected] ~]# ip a
...
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group
inet 192.168.1.11/24
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group
inet 192.168.4.5/24
[[email protected] ~]# ping 192.168.1.12
PING 192.168.1.12 (192.168.1.12) 56(84) bytes of data.
^C
--- 192.168.1.12 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms
[[email protected] ~]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf #开启转发
[[email protected] ~]# sysctl -p
net.ipv4.ip_forward = 1
[[email protected] ~]# ping 192.168.1.12
PING 192.168.1.12 (192.168.1.12) 56(84) bytes of data.
64 bytes from 192.168.1.12: icmp_seq=7 ttl=63 time=2.48 ms
64 bytes from 192.168.1.12: icmp_seq=8 ttl=63 time=5.92 ms
4)在web主机上启动http服务
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# echo "test page" > /var/www/html/index.html
[[email protected] ~]# systemctl restart httpd
[[email protected] ~]# curl http://192.168.1.12 #成功
5)设置proxy规则,保护防火墙后面的Web服务器
[[email protected] ~]# iptables -I FORWARD -s 192.168.4.10 -p tcp --dport 80 -j DROP
设置完防火墙规则后,再次使用client客户端访问测试效果
[[email protected] ~]# curl http://192.168.2.100 #失败
配置SNAT实现共享上网
[[email protected] ~]# tail -n1 /var/log/httpd/access_log #这里显示的是client机的ip
192.168.4.10 - - [01/Aug/2022:10:43:58 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.29.0"
client访问服务时,相当于公网访问web(服务器内网服务)时,并不是直连到内网。必须伪装成192.168.1.0网段才可以访问192.168.1.12,也即是需要伪装成网卡IP为192.168.1.11时,才能完成公网访问
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -p tcp --dport 80 -j SNAT --to-source 192.168.1.11
[[email protected] ~]# iptables -t nat -nL POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 192.168.4.0/24 0.0.0.0/0 tcp dpt:80 to:192.168.1.11
#192.168.4.0/24网段到这个地方内网的任何地方,都要伪装成192.168.1.11进行访问。(192.168.1.11似乎可以理解成提供服方服务绑定的公网ip)
[[email protected] ~]# tail -n1 /var/log/httpd/access_log
192.168.1.11 - - [01/Aug/2022:10:50:22 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.29.0"
#此时的web日志,正好说明了这一点
对于proxy外网IP不固定的情况可以执行下面的地址伪装
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -p tcp --dport 80 -j MASQUERADE
所有iptables规则都是临时规则,如果需要永久保留iptables规则
[[email protected] ~]# service iptables save #保存防火墙规则
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
防火墙扩展规则使用-m参数来启动这些扩展功能
根据MAC地址过滤
[[email protected] ~]# iptables -I INPUT -s 192.168.4.10 -p tcp --dport 22 -j DROP
#设置规则禁止192.168.4.10使用ssh远程本机。当client主机修改IP地址后,该规则就会失效
根据MAC地址过滤,可以防止这种情况的发生。
[[email protected] ~]# nmap -sF -n 192.168.2.100 #扫描mac地址
[[email protected] ~]# ip link show eth0 #查看client的MAC地址
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:00:00:0b brd ff:ff:ff:ff:ff:ff
[[email protected] ~]# iptables -A INPUT -p tcp --dport 22 -m mac --mac-source 52:54:00:00:00:0b -j DROP
#拒绝52:54:00:00:00:0b这台主机远程本机
基于多端口设置过滤规则
[[email protected] ~]# iptables -A INPUT -p tcp -m multiport --dports 20,25,80,110,143,16501:16800 -j ACCEPT
#一次性开启20,25,80,110,143,16501到16800所有的端口
基于IP地址范围设置规则
1)允许从 192.168.4.10-192.168.4.20 主机ssh远程登录本机
[[email protected] ~]# iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.4.10-192.168.4.20 -j ACCEPT
#这里也可以限制多个目标IP的范围,参数是--dst-range,用法与--src-range一致。
2)禁止从 192.168.4.0/24 网段其他的主机ssh远程登录本机
[[email protected] ~]# iptables -A INPUT -p tcp --dport 22 -s 192.168.4.0/24 -j DROP
扩展规则的帮助手册
[[email protected] -l# man iptables-extensions
边栏推荐
- [Energy Conservation Institute] Comparative analysis of smart small busbar and column head cabinet solutions in data room
- 密码学的基础:X.690和对应的BER CER DER编码
- 【无标题】
- 小数据如何学习?吉大最新《小数据学习》综述,26页pdf涵盖269页文献阐述小数据学习理论、方法与应用
- [Multi-task learning] Modeling Task Relationships in Multi-task Learning with Multi-gate Mixture-of-Experts KDD18
- 为什么限制了Oracle的SGA和PGA,OS仍然会用到SWAP?
- 我的驾照考试笔记(2)
- 环境变量,进程地址空间
- 【Untitled】
- idea插件generateAllSetMethod一键生成set/get方法以及bean对象转换
猜你喜欢
![[Personal Work] Remember - Serial Logging Tool](/img/8c/56639e234ec3472f4133342eec96d6.png)
随机推荐
57: Chapter 5: Develop admin management services: 10: Develop [get files from MongoDB's GridFS, interface]; (from GridFS, get the SOP of files) (Do not use MongoDB's service, you can exclude its autom
C语言实现-直接插入排序(带图详解)
【个人作品】无线网络图传模块
Use WeChat official account to send information to designated WeChat users
Fork/Join线程池
An implementation of an ordered doubly linked list.
油猴hook小脚本
大整数相加,相减,相乘,大整数与普通整数的相乘,相除
【多任务优化】DWA、DTP、Gradnorm(CVPR 2019、ECCV 2018、 ICML 2018)
Application of Acrel-5010 online monitoring system for key energy consumption unit energy consumption in Hunan Sanli Group
瀚高数据导入
Arthas 常用命令
用户体验好的Button,在手机上不应该有Hover态
Redis 做签到统计
Get started quickly with MongoDB
Convolutional Neural Network (CNN) mnist Digit Recognition - Tensorflow
Greenplum Database Source Code Analysis - Analysis of Standby Master Operation Tools
任务调度线程池基本介绍
【节能学院】推进农业水价综合改革的意见解读
密码学的基础:X.690和对应的BER CER DER编码