iptables on the local server (host firewall):
Creating, renaming and deleting a custom chain
~]# iptables -N testchain
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain testchain (0 references)
target prot opt source destination
~]# iptables -E testchain mychain
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain mychain (0 references)
target prot opt source destination
~]# iptables -X mychain
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-P: Policy, sets a chain's default policy; for the chains in the filter table the default policies are:
ACCEPT: accept the packet
DROP: silently discard the packet
REJECT: reject the packet
The default table is filter, so -t filter can be left out when working on it
~]# iptables -t filter -P FORWARD DROP
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Viewing iptables rules:
-S: selected, print the rules of a chain in iptables-save format
-L: list, list all rules on the given chain;
-n: numeric, show addresses and port numbers as numbers instead of resolving names;
-v: verbose, show details (interfaces and counters);
-vv, -vvv: even more verbose (-vvv also dumps the raw libiptc table, as shown below)
-x: exact, show exact counter values rather than K/M abbreviations;
--line-numbers: show each rule's number;
~]# iptables -nvxL --line-numbers
Chain INPUT (policy ACCEPT 275 packets, 18823 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 154 packets, 24528 bytes)
[root@localhost ~]# iptables -nvvxL --line-numbers
Chain INPUT (policy ACCEPT 300 packets, 20863 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 175 packets, 26988 bytes)
libiptc vlibxtables.so.10. 632 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 300 packets, 20863 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 1 (152):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP
Entry 2 (304):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 175 packets, 26988 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 3 (456):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@localhost ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
[root@localhost ~]# iptables -S INPUT
-P INPUT ACCEPT
The files installed by the package show which commands, libraries and match/target extension modules are available:
~]# rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
/usr/lib64/libip4tc.so.0
/usr/lib64/libip4tc.so.0.1.0
/usr/lib64/libip6tc.so.0
/usr/lib64/libip6tc.so.0.1.0
/usr/lib64/libiptc.so.0
/usr/lib64/libiptc.so.0.0.0
/usr/lib64/libxtables.so.10
/usr/lib64/libxtables.so.10.0.0
/usr/lib64/xtables
/usr/lib64/xtables/libip6t_DNAT.so
/usr/lib64/xtables/libip6t_DNPT.so
/usr/lib64/xtables/libip6t_HL.so
/usr/lib64/xtables/libip6t_LOG.so
/usr/lib64/xtables/libip6t_MASQUERADE.so
/usr/lib64/xtables/libip6t_NETMAP.so
/usr/lib64/xtables/libip6t_REDIRECT.so
/usr/lib64/xtables/libip6t_REJECT.so
/usr/lib64/xtables/libip6t_SNAT.so
/usr/lib64/xtables/libip6t_SNPT.so
/usr/lib64/xtables/libip6t_ah.so
/usr/lib64/xtables/libip6t_dst.so
/usr/lib64/xtables/libip6t_eui64.so
/usr/lib64/xtables/libip6t_frag.so
/usr/lib64/xtables/libip6t_hbh.so
/usr/lib64/xtables/libip6t_hl.so
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libip6t_ipv6header.so
/usr/lib64/xtables/libip6t_mh.so
/usr/lib64/xtables/libip6t_rt.so
/usr/lib64/xtables/libipt_CLUSTERIP.so
/usr/lib64/xtables/libipt_DNAT.so
/usr/lib64/xtables/libipt_ECN.so
/usr/lib64/xtables/libipt_LOG.so
/usr/lib64/xtables/libipt_MASQUERADE.so
/usr/lib64/xtables/libipt_MIRROR.so
/usr/lib64/xtables/libipt_NETMAP.so
/usr/lib64/xtables/libipt_REDIRECT.so
/usr/lib64/xtables/libipt_REJECT.so
/usr/lib64/xtables/libipt_SAME.so
/usr/lib64/xtables/libipt_SNAT.so
/usr/lib64/xtables/libipt_TTL.so
/usr/lib64/xtables/libipt_ULOG.so
/usr/lib64/xtables/libipt_ah.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libipt_realm.so
/usr/lib64/xtables/libipt_ttl.so
/usr/lib64/xtables/libipt_unclean.so
/usr/lib64/xtables/libxt_AUDIT.so
/usr/lib64/xtables/libxt_CHECKSUM.so
/usr/lib64/xtables/libxt_CLASSIFY.so
/usr/lib64/xtables/libxt_CONNMARK.so
/usr/lib64/xtables/libxt_CONNSECMARK.so
/usr/lib64/xtables/libxt_CT.so
/usr/lib64/xtables/libxt_DSCP.so
/usr/lib64/xtables/libxt_HMARK.so
/usr/lib64/xtables/libxt_IDLETIMER.so
/usr/lib64/xtables/libxt_LED.so
/usr/lib64/xtables/libxt_MARK.so
/usr/lib64/xtables/libxt_NFLOG.so
/usr/lib64/xtables/libxt_NFQUEUE.so
/usr/lib64/xtables/libxt_NOTRACK.so
/usr/lib64/xtables/libxt_RATEEST.so
/usr/lib64/xtables/libxt_SECMARK.so
/usr/lib64/xtables/libxt_SET.so
/usr/lib64/xtables/libxt_SYNPROXY.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_TEE.so
/usr/lib64/xtables/libxt_TOS.so
/usr/lib64/xtables/libxt_TPROXY.so
/usr/lib64/xtables/libxt_TRACE.so
/usr/lib64/xtables/libxt_addrtype.so
/usr/lib64/xtables/libxt_bpf.so
/usr/lib64/xtables/libxt_cgroup.so
/usr/lib64/xtables/libxt_cluster.so
/usr/lib64/xtables/libxt_comment.so
/usr/lib64/xtables/libxt_connbytes.so
/usr/lib64/xtables/libxt_connlabel.so
/usr/lib64/xtables/libxt_connlimit.so
/usr/lib64/xtables/libxt_connmark.so
/usr/lib64/xtables/libxt_conntrack.so
/usr/lib64/xtables/libxt_cpu.so
/usr/lib64/xtables/libxt_dccp.so
/usr/lib64/xtables/libxt_devgroup.so
/usr/lib64/xtables/libxt_dscp.so
/usr/lib64/xtables/libxt_ecn.so
/usr/lib64/xtables/libxt_esp.so
/usr/lib64/xtables/libxt_hashlimit.so
/usr/lib64/xtables/libxt_helper.so
/usr/lib64/xtables/libxt_iprange.so
/usr/lib64/xtables/libxt_ipvs.so
/usr/lib64/xtables/libxt_length.so
/usr/lib64/xtables/libxt_limit.so
/usr/lib64/xtables/libxt_mac.so
/usr/lib64/xtables/libxt_mark.so
/usr/lib64/xtables/libxt_multiport.so
/usr/lib64/xtables/libxt_nfacct.so
/usr/lib64/xtables/libxt_osf.so
/usr/lib64/xtables/libxt_owner.so
/usr/lib64/xtables/libxt_physdev.so
/usr/lib64/xtables/libxt_pkttype.so
/usr/lib64/xtables/libxt_policy.so
/usr/lib64/xtables/libxt_quota.so
/usr/lib64/xtables/libxt_rateest.so
/usr/lib64/xtables/libxt_recent.so
/usr/lib64/xtables/libxt_rpfilter.so
/usr/lib64/xtables/libxt_sctp.so
/usr/lib64/xtables/libxt_set.so
/usr/lib64/xtables/libxt_socket.so
/usr/lib64/xtables/libxt_standard.so
/usr/lib64/xtables/libxt_state.so
/usr/lib64/xtables/libxt_statistic.so
/usr/lib64/xtables/libxt_string.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
/usr/lib64/xtables/libxt_time.so
/usr/lib64/xtables/libxt_tos.so
/usr/lib64/xtables/libxt_u32.so
/usr/lib64/xtables/libxt_udp.so
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
/usr/share/doc/iptables-1.4.21
/usr/share/doc/iptables-1.4.21/COPYING
/usr/share/doc/iptables-1.4.21/INCOMPATIBILITIES
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/ip6tables-restore.8.gz
/usr/share/man/man8/ip6tables-save.8.gz
/usr/share/man/man8/ip6tables.8.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz
Creating iptables rules
Rule syntax: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
[root@localhost ~]# iptables -A INPUT -s 192.168.150.0/24 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -d 192.168.150.0/24 -j ACCEPT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.150.0/24 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.150.0/24
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
146 10462 ACCEPT all -- * * 192.168.150.0/24 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
21 2308 ACCEPT all -- * * 0.0.0.0/0 192.168.150.0/24
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -A INPUT -s 192.168.150.1 -d 192.168.150.137 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -d 192.168.150.1 -s 192.168.150.137 -j ACCEPT
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 817 bytes)
pkts bytes target prot opt in out source destination
214 16156 ACCEPT all -- * * 192.168.150.1 192.168.150.137
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 588 bytes)
pkts bytes target prot opt in out source destination
24 2136 ACCEPT all -- * * 192.168.150.137 192.168.150.1
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
483 34060 ACCEPT all -- * * 192.168.150.1 192.168.150.137
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
176 26324 ACCEPT all -- * * 192.168.150.137 192.168.150.1
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P FORWARD ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 73 packets, 4880 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 40 packets, 3608 bytes)
pkts bytes target prot opt in out source destination
iptables and HTTP
~]# vim /var/www/html/index.html
~]# more /var/www/html/index.html
<h1>192.168.150.137</h1>
~]# systemctl start httpd
~]# ss -tn;
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.150.137:22 192.168.150.1:63850
ESTAB 0 0 192.168.150.137:22 192.168.150.1:59463
~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
~]# iptables -P INPUT DROP^C
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp --dport 22 -j ACCEPT
~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
32 2112 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1596 bytes)
pkts bytes target prot opt in out source destination
~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp --dport 22 -j ACCEPT
~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
221 15948 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp dpt:22
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
Connection closed by foreign host.
~]# iptables -nvL
Chain INPUT (policy DROP 5 packets, 378 bytes)
pkts bytes target prot opt in out source destination
486 40089 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 136 packets, 14751 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp dpt:22
~]# iptables -nvL --line-numbers
Chain INPUT (policy DROP 5 packets, 378 bytes)
num pkts bytes target prot opt in out source destination
1 592 47177 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 200 packets, 21999 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp dpt:22
~]# iptables -D OUTPUT 1
~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp --sport 22 -j ACCEPT
~]# iptables -P OUTPUT DROP
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1027 76713 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
74 7144 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:22
~]# iptables -nvL
Chain INPUT (policy DROP 8 packets, 472 bytes)
pkts bytes target prot opt in out source destination
1037 77393 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
82 8380 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:22
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp --dport 80 -j ACCEPT
~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp --sport 80 -j ACCEPT
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1474 110K ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
10 1004 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
386 37764 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:22
8 954 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:80
iptables and ICMP
icmp match
[!] --icmp-type {type[/code]|typename}
echo-request: 8
echo-reply: 0
To let the server ping outside IPs: the server sends the echo request out through OUTPUT and the reply comes back in through INPUT
~]# iptables -A OUTPUT -s 192.168.150.137 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p icmp --icmp-type 0 -j ACCEPT
~]# ping 192.168.150.136
PING 192.168.150.136 (192.168.150.136) 56(84) bytes of data.
64 bytes from 192.168.150.136: icmp_seq=1 ttl=64 time=1.68 ms
64 bytes from 192.168.150.136: icmp_seq=2 ttl=64 time=0.750 ms
^C
--- 192.168.150.136 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.750/1.216/1.682/0.466 ms
To let the server be pinged: the outside IP sends the echo request in through INPUT and the server sends the reply out through OUTPUT
~]# iptables -A INPUT -d 192.168.150.137 -p icmp --icmp-type 8 -j ACCEPT
~]# iptables -A OUTPUT -s 192.168.150.137 -p icmp --icmp-type 0 -j ACCEPT
iptables and multiport
Defines a match on several discrete ports; at most 15 ports can be given;
[!] --source-ports,--sports port[,port|,port:port]...: several source ports;
[!] --destination-ports,--dports port[,port|,port:port]...: several destination ports;
[!] --ports port[,port|,port:port]...: several ports (source or destination);
~]# iptables -I INPUT -s 0/0 -d 192.168.150.137 -p tcp -m multiport --dports 22,80 -j ACCEPT
~]# iptables -vnL --line-numbers
(only the rule numbers and the match column of these listings survived extraction)
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 multiport dports 22,80
2 tcp dpt:22
3 tcp dpt:80
4 icmptype 0
5 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
1 multiport sports 22,80
2 tcp spt:22
3 tcp spt:80
4 icmptype 8
5 icmptype 0
The two single-port rules are now redundant; deleting rule 2 twice removes both, because the numbering shifts up after each delete:
~]# iptables -D INPUT 2
~]# iptables -D INPUT 2
~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 multiport dports 22,80
2 icmptype 0
3 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
1 multiport sports 22,80
2 tcp spt:22
3 tcp spt:80
4 icmptype 8
5 icmptype 0
~]# iptables -D OUTPUT 2
~]# iptables -D OUTPUT 2
~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 multiport dports 22,80
2 icmptype 0
3 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
1 multiport sports 22,80
2 icmptype 8
3 icmptype 0
iptables and iprange
Specifies a contiguous range of IP addresses (usually not a whole network);
[!] --src-range from[-to]: source IP addresses;
[!] --dst-range from[-to]: destination IP addresses;
~]# iptables -A OUTPUT -s 192.168.150.137 -p tcp --sport 23 -m iprange --dst-range 192.168.150.130-192.168.150.140 -j ACCEPT
~]# iptables -A INPUT -d 192.168.150.137 -p tcp --dport 23 -m iprange --src-range 192.168.150.130-192.168.150.140 -j ACCEPT
~]# iptables -nvL
(the two long rules in each chain were cut off in extraction; their counter columns are shown as -)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- - ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
- - ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:23 source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- - ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
- - ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:23 destination IP range 192.168.150.130-192.168.150.140
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@localhost ~]# iptables -nvL
(the two long rules in each chain were cut off in extraction; their counter columns are shown as -)
Chain INPUT (policy DROP 10 packets, 931 bytes)
pkts bytes target prot opt in out source destination
- - ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
- - ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:23 source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- - ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
- - ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:23 destination IP range 192.168.150.130-192.168.150.140
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 :::23 :::*
LISTEN 0 100 ::1:25 :::*
[root@localhost ~]# useradd centos
useradd:用户“centos”已存在
[root@localhost ~]# echo "oracleadmin" | passwd –stdin centos
更改用户 centos 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4277 289K ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
164 8892 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:23 source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 6 packets, 440 bytes)
pkts bytes target prot opt in out source destination
2516 790K ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
113 6638 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:23 destination IP range 192.168.150.130-192.168.150.140
iptables and string
Pattern-matches a string against the application-layer payload of the packet;
--algo {bm|kmp}: the string-matching algorithm;
bm: Boyer-Moore
kmp: Knuth-Morris-Pratt
[!] --string pattern: the string pattern to look for;
[!] --hex-string pattern: the pattern to look for, in hexadecimal form;
~]# vim /var/www/html/test.html
~]# iptables -I OUTPUT -s 192.168.150.137 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "old" -j REJECT
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4894 332K ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
263 14230 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:23 source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:80 STRING match "old" ALGO name bm TO 65535 reject-with icmp-port-unreachable
2907 839K ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
174 10487 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:23 destination IP range 192.168.150.130-192.168.150.140
~]# vim /var/www/html/test2.html
iptables and time
Matches the packet's arrival time against a given time range;
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --monthdays day[,day...]
[!] --weekdays day[,day...]
--kerneltz: use the kernel's time zone instead of the default UTC;
~]# iptables -R INPUT 4 -d 192.168.150.137 -p tcp --dport 23 -m iprange --src-range 192.168.150.130-192.168.150.140 -m time --timestart 09:00:00 --timestop 18:00:00 -j ACCEPT
iptables and connlimit
Matches on the number of concurrent connections per client IP;
--connlimit-upto n: matches when the number of connections is at most n;
--connlimit-above n: matches when the number of connections is greater than n;
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT
iptables and limit
Matches on the rate at which packets are sent or received;
implemented as a token bucket filter;
--limit rate[/second|/minute|/hour|/day]: the average rate at which the bucket refills
--limit-burst number: the burst size, i.e. the maximum number of packets the bucket can hold
~]# iptables -R INPUT 3 -d 192.168.150.137 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
~]# iptables -A OUTPUT -s 192.168.150.137 -p icmp --icmp-type 0 -j ACCEPT
iptables and state
Checks the state of a connection using the "connection tracking" mechanism;
conntrack: tracks the relationship between requests and responses on this host; the states are:
NEW: a newly issued request; the connection tracking table has no entry for this connection, so it is recognised as the first request;
ESTABLISHED: the communication after NEW, for as long as the entry created for it in the tracking table has not expired;
RELATED: an associated connection, such as the data connection of FTP in relation to its command connection;
INVALID: an invalid connection;
UNTRACKED: a connection that is not being tracked;
[!] --state state
~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
Adjusting the maximum number of connections the tracking table can hold:
/proc/sys/net/nf_conntrack_max
sysctl -w net.nf_conntrack_max=300000
echo 300000 > /proc/sys/net/nf_conntrack_max
Connections already tracked and recorded:
/proc/net/nf_conntrack
Tracking timeouts for the different protocols:
/proc/sys/net/netfilter/
The maximum size of the connection tracking table is /proc/sys/net/nf_conntrack_max; an entry is removed from the table once it reaches the timeout for its state. When the table is full, subsequent connections may time out
There are generally two fixes:
(1) Raise nf_conntrack_max
vi /etc/sysctl.conf
net.ipv4.nf_conntrack_max = 393216
net.ipv4.netfilter.nf_conntrack_max = 393216
(2) Lower the nf_conntrack timeouts
vi /etc/sysctl.conf
net.ipv4.netfilter.nf_conntrack_tcp_timeout_established = 300
net.ipv4.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
~]# watch -n1 'iptables -nvL'
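An added example (not from the original notes) that summarises a /proc/net/nf_conntrack snapshot: total flows against nf_conntrack_max, flows per source IP (the count the connlimit match works from), and TCP flows per state, which is the view needed before choosing between the two fixes above. The sample table is constructed; on a real host pass /proc/net/nf_conntrack and the current value of nf_conntrack_max instead.

```shell
#!/bin/sh
# Added example, not from the original notes: read a conntrack table dump the
# way /proc/net/nf_conntrack presents it and report what a defender wants to
# know before raising nf_conntrack_max or lowering timeouts.
#
# Constructed sample in /proc/net/nf_conntrack format (tcp entries carry a
# state column, udp entries do not). On a live host use:
#   conntrack_usage /proc/net/nf_conntrack "$(cat /proc/sys/net/nf_conntrack_max)"
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.150.1 dst=192.168.150.137 sport=63850 dport=22 src=192.168.150.137 dst=192.168.150.1 sport=22 dport=63850 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.150.1 dst=192.168.150.137 sport=40001 dport=80 src=192.168.150.137 dst=192.168.150.1 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.150.131 dst=192.168.150.137 sport=50000 dport=23 src=192.168.150.137 dst=192.168.150.131 sport=23 dport=50000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.150.1 dst=192.168.150.137 sport=53001 dport=53 src=192.168.150.137 dst=192.168.150.1 sport=53 dport=53001 mark=0 zone=0 use=2'

# conntrack_count FILE : number of tracked flows (one entry per line)
conntrack_count() {
    grep -c 'src=' "$1"
}

# conntrack_usage FILE MAX : percentage of nf_conntrack_max in use (integer)
conntrack_usage() {
    total=$(conntrack_count "$1")
    echo $(( total * 100 / $2 ))
}

# conntrack_per_src FILE : "count ip" pairs, busiest source first. The first
# src= token on a line is the original direction, i.e. the client address the
# connlimit match keys on; scanning for the prefix avoids depending on the
# field position, which differs between tcp and udp entries.
conntrack_per_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
         END { for (s in c) printf "%d %s\n", c[s], s }' "$1" | sort -rn
}

# conntrack_above FILE N : source IPs holding more than N flows, i.e. the
# clients whose next connection "-m connlimit --connlimit-above N" would match
conntrack_above() {
    conntrack_per_src "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# conntrack_states FILE : tcp flows per state; a table dominated by TIME_WAIT
# or CLOSE_WAIT entries is the case where lowering the timeouts helps
conntrack_states() {
    awk '$3 == "tcp" { c[$6]++ } END { for (s in c) printf "%s %d\n", s, c[s] }' "$1" | sort
}

# Demo on the constructed sample, written to a temp file so that every
# function takes a path exactly as it would with /proc/net/nf_conntrack.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONNTRACK" > "$tmp"
    echo "flows: $(conntrack_count "$tmp")  usage of a max of 8: $(conntrack_usage "$tmp" 8)%"
    echo "per source:"; conntrack_per_src "$tmp"
    echo "above 2 flows:"; conntrack_above "$tmp" 2
    echo "tcp states:"; conntrack_states "$tmp"
    rm -f "$tmp"
}
demo
```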
Rule evaluation order: rules are checked in the order in which they sit on the chain, so there are some rules of thumb for arranging them efficiently;
(1) Among rules of the same kind (for the same application), put the ones with the narrower match first; they handle the special cases;
(2) Among rules of different kinds (for different applications), put the ones with the wider match first;
(3) Merge several rules that can be expressed by a single rule into one;
(4) Set the default policy;
How to open up an FTP service in passive mode?
(1) Load the FTP-specific connection tracking helper module:
~]# modprobe nf_conntrack_ftp
(2) Allow the command connection (assuming the server address is 172.16.100.67):
~]# iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
(3) Allow the data connection (assuming the server address is 172.16.100.67):
~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
~]# iptables -I OUTPUT -s 172.16.100.67 -m state --state ESTABLISHED -j ACCEPT
Rule optimisation:
Server-side rule design: any access that is not allowed should be rejected as the request arrives;
(1) All inbound connections in state ESTABLISHED can safely be allowed;
(2) All outbound connections in state ESTABLISHED can safely be allowed;
(3) Be careful when allowing inbound new requests;
(4) Access restrictions with a specific purpose must be placed as rejects before the allow rules;
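The ruleset these notes converge on (RELATED/ESTABLISHED first, one multiport rule for NEW requests, rate-limited echo requests, FTP data connections via RELATED), generated as an iptables-restore file, checked against the ordering guidance above, and applied with a timed rollback, as an added example that is not part of the original notes. It assumes sh with awk, uses -m conntrack --ctstate in place of the notes' -m state --state, adds loopback rules the notes do not have, and its apply/rollback functions need root and a netfilter kernel while the generator and checker run anywhere.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds the host ruleset the
# notes arrive at, checks the ordering rule "ESTABLISHED before NEW", and
# applies it with a timed rollback so that a wrong rule cannot cut off the
# SSH session that is applying it (the "Connection closed by foreign host."
# moment above). Assumes sh + awk; the last two functions need root.

# gen_ruleset SERVER_IP "PORT[,PORT...]" : filter table in iptables-restore syntax.
# Order follows the notes: loopback, RELATED/ESTABLISHED first (it carries most
# packets), INVALID dropped, one multiport rule for every NEW request, then
# rate-limited echo requests. FTP data connections ride on RELATED once
# nf_conntrack_ftp is loaded, so port 21 only needs to be in the port list.
gen_ruleset() {
    ip=$1; ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d $ip/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -d $ip/32 -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -d $ip/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# check_order FILE : exit 0 when every INPUT rule matching NEW comes after the
# RELATED,ESTABLISHED rule, 1 otherwise (a NEW rule placed first would be
# evaluated for every packet of every established flow)
check_order() {
    awk '/^-A INPUT/ { n++ }
         /^-A INPUT/ && /RELATED,ESTABLISHED/ && !est { est = n }
         /^-A INPUT/ && /ctstate NEW/ && !est { bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# apply_with_rollback FILE SECONDS : save the live rules, load FILE, and put
# the saved rules back after SECONDS unless confirm_rules is called with the
# printed backup path in the meantime. Needs root and a netfilter kernel.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$1" || return 1        # all-or-nothing load
    ( sleep "$2"; [ -e "$backup" ] && iptables-restore < "$backup" ) &
    echo "$backup"
}

# confirm_rules BACKUP : cancel the pending rollback; deleting the backup is
# the signal the background subshell checks before restoring
confirm_rules() { rm -f "$1"; }

demo() {
    f=$(mktemp)
    gen_ruleset 192.168.150.137 22,80,23,21 > "$f"
    check_order "$f" && echo "ordering ok: $(grep -c '^-A' "$f") rules"
    cat "$f"
    rm -f "$f"
    # As root (rules.v1 is a hypothetical file name):
    #   b=$(apply_with_rollback rules.v1 60); then, once SSH still works: confirm_rules "$b"
}
demo
```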
Saving iptables rules
~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:49:53 2016
*nat
:PREROUTING ACCEPT [569:58999]
:INPUT ACCEPT [95:11029]
:OUTPUT ACCEPT [512:34919]
:POSTROUTING ACCEPT [153:9591]
COMMIT
# Completed on Thu Nov 17 19:49:53 2016
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:49:53 2016
*filter
:INPUT DROP [11:1438]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.150.137/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m multiport --dports 22,23,80 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 17 19:49:53 2016
~]# iptables-save > /etc/sysconfig/iptables.v1
~]# cat /etc/sysconfig/iptables.v1
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:51:01 2016
*nat
:PREROUTING ACCEPT [572:59233]
:INPUT ACCEPT [95:11029]
:OUTPUT ACCEPT [512:34919]
:POSTROUTING ACCEPT [153:9591]
COMMIT
# Completed on Thu Nov 17 19:51:01 2016
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:51:01 2016
*filter
:INPUT DROP [14:1672]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.150.137/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m multiport --dports 22,23,80 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 17 19:51:01 2016
~]# iptables -P INPUT ACCEPT
~]# iptables -P OUTPUT ACCEPT
~]# iptables -F
~]# iptables -nvL
Chain INPUT (policy ACCEPT 33 packets, 2188 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 1636 bytes)
pkts bytes target prot opt in out source destination
~]# iptables-restore < /etc/sysconfig/iptables.v1
~]# iptables -nvL
(the rule lines were cut off in extraction and only the tail of each match column survived; they are shown here expanded from the saved file above, with the lost counters as -)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- - ACCEPT all -- * * 0.0.0.0/0 192.168.150.137 state RELATED,ESTABLISHED
- - ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,23,80 state NEW
- - ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8 state NEW
- - ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:21 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- - ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
Using iptables as a firewall (FORWARD chain)
Lab topology
Internal server 1.1.1.2, default gateway set to 1.1.1.100
Firewall 1.1.1.100 and 192.168.31.120
External server 192.168.31.32, with a route added towards the internal network: route add -net 1.1.1.0/24 gw 192.168.31.120
IP forwarding is off by default on the firewall and has to be switched on by hand
~]# cat /proc/sys/net/ipv4/ip_forward
0
~]# echo 1 > /proc/sys/net/ipv4/ip_forward
Now 1.1.1.2 and 192.168.31.32 can reach each other
Set the FORWARD policy to DROP with iptables and add rules so that the two machines can ping each other
~]# iptables -P FORWARD DROP
~]# iptables -A FORWARD -s 1.1.1.0/24 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
~]# iptables -A FORWARD -s 0/0 -d 1.1.1.0/24 -p icmp --icmp-type 0 -j ACCEPT
The result can be observed with tcpdump: echo requests from 192.168.31.32 towards 1.1.1.2 arrive on the outside interface but are never answered, because only echo requests originating in 1.1.1.0/24 and their replies are forwarded
~]# tcpdump -i eno33554976 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554976, link-type EN10MB (Ethernet), capture size 65535 bytes
21:26:59.297765 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 54, length 64
21:27:00.298340 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 55, length 64
21:27:01.298184 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 56, length 64
21:27:02.298255 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 57, length 64
21:27:03.298343 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 58, length 64
21:27:04.298548 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 59, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
Setting the firewall rules with the state match
~]# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
~]# iptables -A FORWARD -s 1.1.1.0/24 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
Opening port 80 and port 21 (FTP)
~]# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
~]# iptables -A FORWARD -s 1.1.1.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT
~]# iptables -A FORWARD -s 1.1.1.0/24 -p tcp --dport 21 -m state --state NEW -j ACCEPT
~]# modprobe nf_conntrack_ftp
~]# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Loading the saved rules automatically at boot
~]# iptables-save >/etc/sysconfig/iptables.v2
~]# vim /etc/rc.local
~]# cat /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
iptables-restore < /etc/sysconfig/iptables.v2
iptables and NAT
By default, when the internal server makes an HTTP request, the external server logs the internal host's IP
On 1.1.1.2:
[root@localhost ~]# curl http://192.168.31.32
<h1>remote </h1>
On 192.168.31.32:
[root@MiWiFi-R3-srv ~]# tail /var/log/httpd/access_log
192.168.31.32 - - [08/Nov/2016:14:23:20 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
1.1.1.2 - - [08/Nov/2016:14:27:00 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
1.1.1.2 - - [08/Nov/2016:15:12:41 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
1.1.1.2 - - [08/Nov/2016:15:24:40 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
nat: network address translation
snat: source NAT
modifies the source IP address in the IP header
lets the hosts of the local network talk to outside hosts through one shared address, i.e. address masquerading;
request: the source IP is rewritten; how it is rewritten is defined by the administrator;
response: the destination IP is rewritten automatically by NAT from the tracking entry in the session table;
dnat: destination NAT
modifies the destination IP address in the IP header
lets servers on the local network offer (publish) a service through one shared address while hiding their real addresses;
request: initiated by an outside host; its destination address is rewritten as defined by the administrator;
response: the source address is rewritten automatically by NAT from the tracking entry in the session table;
pnat: port NAT
SNAT example:
~]# iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j SNAT --to-source 172.16.100.67
[root@MiWiFi-R3-srv ~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j SNAT --to-source 192.168.31.120
A range of addresses can also be given
[root@MiWiFi-R3-srv ~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j SNAT --to-source 192.168.31.120-192.168.31.255
Verifying the example
1. Verify with ping
Ping from 1.1.1.2
[root@localhost ~]# ping 192.168.31.32
PING 192.168.31.32 (192.168.31.32) 56(84) bytes of data.
64 bytes from 192.168.31.32: icmp_seq=1 ttl=63 time=2.79 ms
64 bytes from 192.168.31.32: icmp_seq=2 ttl=63 time=0.502 ms
64 bytes from 192.168.31.32: icmp_seq=3 ttl=63 time=0.689 ms
64 bytes from 192.168.31.32: icmp_seq=4 ttl=63 time=0.451 ms
A capture on 192.168.31.32 shows that the source address has already been translated
[root@MiWiFi-R3-srv ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:54:07.722067 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 73, length 64
16:54:07.722106 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 73, length 64
16:54:08.722394 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 74, length 64
16:54:08.722429 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 74, length 64
16:54:09.722782 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 75, length 64
16:54:09.722817 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 75, length 64
16:54:10.723160 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 76, length 64
16:54:10.723196 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 76, length 64
Captures on the NAT server
Internal NIC:
[root@MiWiFi-R3-srv ~]# tcpdump -i eno16777736 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
13:53:29.354768 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 8, length 64
13:53:29.355038 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 8, length 64
13:53:30.355449 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 9, length 64
13:53:30.355803 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 9, length 64
13:53:31.357455 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 10, length 64
13:53:31.357842 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 10, length 64
External NIC:
[root@MiWiFi-R3-srv ~]# tcpdump -i eno33554976 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554976, link-type EN10MB (Ethernet), capture size 65535 bytes
13:53:57.372568 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 36, length 64
13:53:57.372842 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 36, length 64
13:53:58.373001 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 37, length 64
13:53:58.373249 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 37, length 64
2. HTTP verification
Make an HTTP request from host 1.1.1.2:
[root@localhost ~]# curl http://192.168.31.32
<h1>remote </h1>
Check the log on 192.168.31.32:
~]# tail /var/log/httpd/access_log
192.168.31.120 - - [08/Nov/2016:16:58:47 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
Combining NAT with the filter table: block port 22
~]# iptables -t filter -A FORWARD -s 1.1.1.0/24 -p tcp --dport 22 -j REJECT
Attempt an SSH connection from host 1.1.1.2:
~]# ssh 192.168.31.32
ssh: connect to host 192.168.31.32 port 22: Connection refused
MASQUERADE:
Source address translation for the case where the outbound address is obtained dynamically: MASQUERADE works out by itself which address to translate to;
~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j MASQUERADE
DNAT
Test environment
1.1.1.2 acts as the internal HTTP server:
[root@localhost ~]# systemctl start httpd.service
[root@localhost ~]# vim /var/www/html/index.html
[root@localhost ~]# cat /var/www/html/index.html
<h1>INTERAL SERVER</h1>
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
Adding the DNAT rule
NAT host 1.1.1.100, external IP 192.168.31.120
It is not listening on its own external port 80:
[root@MiWiFi-R3-srv ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 ::1:6010 :::*
~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp --dport 80 -j DNAT --to-destination 1.1.1.2
[root@MiWiFi-R3-srv ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1 packets, 246 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.31.120 tcp dpt:80 to:1.1.1.2
Access 192.168.31.120 from the external host 192.168.31.31; the request actually lands on 1.1.1.2:
[root@MiWiFi-R3-srv ~]# curl http://192.168.31.120
<h1>INTERAL SERVER</h1>
Port mapping test:
First change the HTTP port on host 1.1.1.2:
~]# vim /etc/httpd/conf/httpd.conf
Listen 8090
[root@localhost ~]# systemctl restart httpd.service
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::8090 :::*
Configuration on the DNAT host:
~]# iptables -t nat -F
[root@MiWiFi-R3-srv ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp --dport 80 -j DNAT --to-destination 1.1.1.2:8090
[root@MiWiFi-R3-srv ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.31.120 tcp dpt:80 to:1.1.1.2:8090
Access from the external network:
[root@MiWiFi-R3-srv ~]# curl http://192.168.31.120
<h1>INTERAL SERVER</h1>
At this point the access log on 1.1.1.2 shows the request coming from source address 192.168.31.32:
[root@localhost ~]# tail /var/log/httpd/access_log
192.168.31.32 - - [20/Nov/2016:13:17:46 +0800] "GET / HTTP/1.1" 200 24 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
192.168.31.32 - - [20/Nov/2016:13:22:08 +0800] "GET / HTTP/1.1" 200 24 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
It can also be checked with a tcpdump capture:
tcpdump -i eno33554976 -nn tcp port 8090
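The SNAT gateway, the FORWARD filter rule for port 22 and the DNAT port mapping above, combined into one idempotent script. This is an added example, not the article's own code: interface names, the 1.1.1.0/24 subnet, 192.168.31.120 and 1.1.1.2:8090 are the lab values from this article used as assumed defaults, and the stateful FORWARD rules (including the explicit accept for the DNAT'd traffic, needed once the FORWARD policy is DROP) are additions the article's commands do not show.

```shell
#!/bin/sh
# Added example (not the article's script): idempotent SNAT gateway + DNAT port-forward
# for the lab in this article. Every value below is an assumed default; override via env.
LAN_IF=${LAN_IF:-eno16777736}     # NIC facing the internal net 1.1.1.0/24
WAN_IF=${WAN_IF:-eno33554976}     # NIC facing the external net 192.168.31.0/24
LAN_NET=${LAN_NET:-1.1.1.0/24}
WAN_IP=${WAN_IP:-192.168.31.120}  # public address of the NAT host
WEB_SRV=${WEB_SRV:-1.1.1.2}       # internal web server; its default gateway must be this host,
WEB_PORT=${WEB_PORT:-8090}        # otherwise DNAT'd replies bypass the session table and stay untranslated
IPT=${IPT:-iptables}              # IPT=echo prints the rules instead of applying them

# add_rule TABLE CHAIN MATCH...: append only when an identical rule is absent
# (iptables -C exits 0 if the rule exists), so re-running the script never duplicates rules.
add_rule() {
  _t=$1; _c=$2; shift 2
  if [ "$IPT" = iptables ]; then
    "$IPT" -t "$_t" -C "$_c" "$@" 2>/dev/null || "$IPT" -t "$_t" -A "$_c" "$@"
  else
    "$IPT" -t "$_t" -A "$_c" "$@"
  fi
}

nat_gateway() {
  # the kernel only forwards between NICs with this on; the nat table alone does nothing
  [ "$IPT" = iptables ] && sysctl -w net.ipv4.ip_forward=1 >/dev/null
  # filter/FORWARD: default deny, replies matched by conntrack, LAN may go out except to SSH
  "$IPT" -t filter -P FORWARD DROP
  add_rule filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j REJECT
  add_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  # DNAT only rewrites the destination in PREROUTING; FORWARD still sees the rewritten
  # packet addressed to WEB_SRV:WEB_PORT and must accept it when the policy is DROP
  add_rule filter FORWARD -i "$WAN_IF" -d "$WEB_SRV" -p tcp --dport "$WEB_PORT" \
    -m state --state NEW -j ACCEPT
  # nat: hide the LAN behind WAN_IP on the way out, publish WEB_SRV:WEB_PORT as WAN_IP:80
  add_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
  add_rule nat PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
    -j DNAT --to-destination "$WEB_SRV:$WEB_PORT"
}

case "${1:-}" in
  apply)   nat_gateway ;;             # sh nat-gateway.sh apply   (as root)
  preview) IPT=echo; nat_gateway ;;   # sh nat-gateway.sh preview (prints the rules)
esac
```

`iptables -t nat -vnL` and `iptables -S FORWARD` after `apply` should show exactly the rules that `preview` printed, once each, no matter how often the script is re-run.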
SSH forwarding
~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp --dport 22 -j DNAT --to-destination 1.1.1.2
An SSH connection from an external host ends up on 1.1.1.2:
[root@MiWiFi-R3-srv ~]# ssh 192.168.31.120
The authenticity of host '192.168.31.120 (192.168.31.120)' can't be established.
RSA key fingerprint is 22:fc:db:5b:e5:26:8a:35:96:9f:2d:c4:4f:07:d1:e8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.31.120' (RSA) to the list of known hosts.
root@192.168.31.120's password:
Last login: Sun Nov 20 11:51:47 2016 from 1.1.1.1
[root@localhost ~]# ifconfig
eno33554976: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.2 netmask 255.255.255.0 broadcast 1.1.1.255
inet6 fe80::20c:29ff:fe87:41fd prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:87:41:fd txqueuelen 1000 (Ethernet)
RX packets 2298 bytes 203573 (198.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1307 bytes 168590 (164.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 620 bytes 52990 (51.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 620 bytes 52990 (51.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Original article, author: N23-苏州-void. If reposting, please credit the source: http://www.178linux.com/60128
Comments (2)
Read through as a whole, the content is commendable. But the formatting made my eyes blur, and it does not show off the detailed content well. Good content deserves a good presentation.
@马哥教育: I copied this over from my Evernote and the formatting got messed up; after these changes it should be much better..
Looks like I'll have to tidy things up again after copying over in future.