首页 iptables教程iptables网络防火墙详解

iptables规则保存

iptables实战案例:马哥教育原校区的防火墙配置设置

运维派隶属马哥教育旗下专业运维社区,是国内成立最早的IT运维技术社区,欢迎关注公众号:yunweipai
领取学习更多免费Linux云计算、Python、Docker、K8s教程关注公众号:马哥linux运维

网络防火墙

iptables/netfilter 利用filter表的FORWARD链,可以充当网络防火墙:
注意的问题:
(1) 请求-响应报文均会经由FORWARD链,要注意规则的方向性
(2) 如果要启用conntrack机制,建议将双方向的状态为ESTABLISHED的报文直接放行

FORWARD 链实现内外网络的流量控制

范例:内部可以访问外部,外部禁止访问内部

[root@internet-host ~]#hostname -I
10.0.0.6 
[root@internet-host ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         10.0.0.8        0.0.0.0         UG    0      0        0 eth0

[root@firewall-host ~]#hostname -I
10.0.0.8 192.168.100.8 

[root@lan-host ~]#hostname -I
192.168.100.7 
[root@lan-host ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.8   0.0.0.0         UG    100    0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0

[root@firewall-host ~]#vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@firewall-host ~]#sysctl -p
[root@firewall-host ~]#iptables -A FORWARD -d 192.168.100.0/24  -m state --state NEW  -j REJECT

范例:针对内部的特定服务可以允许外部访问,其它服务禁止访问

[root@firewall-host ~]#iptables -I FORWARD -d 192.168.100.0/24 -p tcp --dport 80 -j ACCEPT
[root@firewall-host ~]#iptables -vnL  FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        6   486 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.100.0/24     tcp dpt:80
2        3   228 REJECT     all  --  *      *       0.0.0.0/0            192.168.100.0/24     state NEW reject-with icmp-port-unreachable
NAT 表

iptables网络防火墙详解插图

NAT: network address translation,支持PREROUTING,INPUT,OUTPUT,POSTROUTING四个链

请求报文:修改源/目标IP,由定义如何修改

响应报文:修改源/目标IP,根据跟踪机制自动实现

NAT的实现分为下面类型:

  • SNAT:source NAT ,支持POSTROUTING, INPUT,让本地网络中的主机通过某一特定地址访问外部网络,实现地址伪装,请求报文:修改源IP
  • DNAT:destination NAT 支持PREROUTING , OUTPUT,把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射),但隐藏真实IP,请求报文:修改目标IP
  • PNAT: port nat,端口和IP都进行修改

范例:查看本地主机访问公网时使用的IP

[root@centos8 ~]#curl http://ipinfo.io/ip/
111.199.191.204
[root@centos8 ~]#curl  http://ifconfig.me
111.199.191.204
[root@centos8 ~]#curl -L http://tool.lu/ip
当前IP: 111.199.191.204
归属地: 中国 北京 北京
SNAT

SNAT:基于nat表的target,适用于固定的公网IP

SNAT选项:

  • –to-source [ipaddr[-ipaddr]][:port[-port]]
  • –random
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP

范例:

iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! –d 10.0.1.0/24 -j SNAT --to-source 172.18.1.6-172.18.1.9

MASQUERADE:基于nat表的target,适用于动态的公网IP,如:拨号网络

MASQUERADE选项:

  • –to-ports port[-port]
  • –random
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j MASQUERADE

范例:

iptables -t nat -A POSTROUTING -s 10.0.1.0/24  ! –d 10.0.1.0/24 -j MASQUERADE 

范例:实现SNAT

[root@internet-host ~]#hostname -I
10.0.0.6 
[root@internet-host ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0

[root@firewall-host ~]#hostname -I
10.0.0.8 192.168.100.8 
[root@firewall-host ~]#sysctl -a |grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

[root@lan-host ~]#hostname -I
192.168.100.7 
[root@lan-host ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.8   0.0.0.0         UG    100    0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0

[root@firewall-host ~]#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.8
[root@firewall-host ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.8

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

[root@lan-host ~]#curl 10.0.0.6
internet Server
[root@internet-host ~]#curl 192.168.100.7
curl: (7) Failed to connect to 192.168.100.7: Network is unreachable

[root@internet-host ~]#tail  /var/log/httpd/access_log 
10.0.0.8 - - [21/Mar/2020:16:31:35 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

[root@lan-host ~]#ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=0.989 ms
64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=0.544 ms

[root@internet-host ~]#tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:30.171222 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 24718, seq 120, length 64
16:34:30.171255 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 24718, seq 120, length 64

[root@firewall-host ~]#iptables -t nat -R POSTROUTING 1  -s 192.168.100.0/24 -j MASQUERADE 
[root@firewall-host ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       192.168.100.0/24     0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

[root@firewall-host ~]#cat /proc/net/nf_conntrack
ipv4     2 tcp      6 32 TIME_WAIT src=192.168.100.7 dst=10.0.0.6 sport=39430 dport=80 src=10.0.0.6 dst=10.0.0.8 sport=80 dport=39430 [ASSURED] mark=0 zone=0 use=2
DNAT

DNAT:nat表的target,适用于端口映射,即可重定向到本机,也可以支持重定向至不同主机的不同端口,但不支持多目标,即不支持负载均衡功能

DNAT选项:

  • –to-destination [ipaddr[-ipaddr]][:port[-port]]
[root@firewall-host ~]#man iptables-extensions
--to-destination [ipaddr[-ipaddr]][:port[-port]]
    which  can  specify  a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: tcp, udp, dccp  or  sctp.  If no port range is specified, then the destination port will never be modi‐fied. If no IP address is specified then only the destination port will be modified.  In Ker‐nels  up  to  2.6.10  you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple  --to-des‐tination  options,  a  simple  round-robin  (one after another in cycle) load balancing takes place between these addresses.  Later Kernels (>= 2.6.11-rc1) don't have the ability  to  NAT to multiple ranges anymore.
iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]

范例:

iptables -t nat -A PREROUTING -s 0/0 -d 172.18.100.6 -p tcp --dport 22 -j DNAT --to-destination 10.0.1.22

iptables -t nat -A PREROUTING -s 0/0 -d 172.18.100.6 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.22:8080

范例:

[root@firewall-host ~]#iptables -t nat -A PREROUTING -d 10.0.0.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.7 
[root@firewall-host ~]#iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.8             tcp dpt:80 to:192.168.100.7
[root@firewall-host ~]#ss -ntl
State        Recv-Q        Send-Q                 Local Address:Port                 Peer Address:Port        
LISTEN       0             128                          0.0.0.0:22                        0.0.0.0:*           
LISTEN       0             128                             [::]:22                           [::]:* 

[root@internet-host ~]#curl 10.0.0.8
lan server
[root@internet-host ~]#telnet 10.0.0.8
Trying 10.0.0.8...
telnet: connect to address 10.0.0.8: Connection refused

[root@lan-host ~]#tail -f /var/log/httpd/access_log 
10.0.0.6 - - [21/Mar/2020:17:32:37 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

[root@firewall-host ~]#tail -f /proc/net/nf_conntrack
ipv4     2 tcp      6 81 TIME_WAIT src=10.0.0.6 dst=10.0.0.8 sport=59426 dport=80 src=192.168.100.7 dst=10.0.0.6 sport=80 dport=59426 [ASSURED] mark=0 zone=0 use=2

[root@lan-host ~]#vim /etc/httpd/conf/httpd.conf 
listen 8000

[root@lan-host ~]#systemctl restart httpd
[root@lan-host ~]#ss -ntl
State      Recv-Q Send-Q          Local Address:Port                         Peer Address:Port              
LISTEN     0      100                 127.0.0.1:25                                      *:*                  
LISTEN     0      128                         *:22                                      *:*                  
LISTEN     0      128                      [::]:23                                   [::]:*                  
LISTEN     0      100                     [::1]:25                                   [::]:*                  
LISTEN     0      128                      [::]:8000                                 [::]:*                  
LISTEN     0      128                      [::]:22                                   [::]:*                  

[root@firewall-host ~]#iptables -t nat -R PREROUTING 1 -d 10.0.0.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.7:8000 
[root@firewall-host ~]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.8             tcp dpt:80 to:192.168.100.7:8000

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   816 MASQUERADE  all  --  *      *       192.168.100.0/24     0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
REDIRECT 转发

REDIRECT,是NAT表的 target,通过改变目标IP和端口,将接受的包转发至同一个主机的不同端口,可用于PREROUTING OUTPUT链
REDIRECT选项:

—to-ports port[-port]

范例:

iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080

范例:

[root@lan-host ~]#ss -ntl
State      Recv-Q Send-Q          Local Address:Port                         Peer Address:Port              
LISTEN     0      100                 127.0.0.1:25                                      *:*                  
LISTEN     0      128                         *:22                                      *:*                  
LISTEN     0      128                      [::]:23                                   [::]:*                  
LISTEN     0      100                     [::1]:25                                   [::]:*                  
LISTEN     0      128                      [::]:80                                   [::]:*                  
LISTEN     0      128                      [::]:22                                   [::]:*                  
[root@lan-host ~]#iptables -t nat -A PREROUTING  -p tcp --dport 8000 -j REDIRECT --to-ports 80

[root@lan-host ~]#iptables -vnL  -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 redir ports 80

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination  

本文链接:http://www.yunweipai.com/35068.html

iptables规则保存

iptables实战案例:马哥教育原校区的防火墙配置设置

网友评论comments

发表评论

邮箱地址不会被公开。

暂无评论

Copyright © 2012-2021 YUNWEIPAI.COM - 运维派 京ICP备16064699号-6
扫二维码
扫二维码
返回顶部