iptables练习

系统的INPUT和OUTPUT默认策略为DROP；

1、限制本地主机的web服务器在周一不允许访问；新请求的速率不能超过100个每秒；web服务器包含了admin字符串的页面不允许访问；web服务器仅允许响应报文离开本机；

系统默认策略设定：

~]# iptables -P INPUT DROP

~]# iptables -P OUPUT DROP

网络说明：

本地主机网段为192.168.150.0/24

web服务器IP为192.168.150.137

INPUT

~]# iptables -A INPUT -s 192.168.150.0/24 -d 192.168.150.137 -p tcp –dport 80 -m time –weekdays Mon –kerneltz -j DROP

~]# iptables -A INPUT -d 192.168.150.137 -p tcp –dport80 -m limit –limit 100/second -m state –state NEW -j ACCEPT

~]# iptables -A INPUT -s 192.168.150.0/24 -d 192.168.150.137 -p tcp –dport 80 -j ACCEPT

OUTPUT

~]# iptables -A OUTPUT -s 192.168.150.137 -d 0/0 -p tcp –sport 80 -m string –algo bm –string "admin" -j REJECT

~]# iptables -A OUTPUT -s 192.168.150.137 -d 0/0 -p tcp –sport 80 -m state –state ESTABLISHED -j ACCEPT

2、在工作时间，即周一到周五的8:30-18:00，开放本机的ftp服务给172.16.0.0网络中的主机访问；数据下载请求的次数每分钟不得超过5个；

INPUT:

#iptables -A INPUT -s 172.16.0.0/16 -p tcp –dport 21 -m time –timestart 08:30 –timestop 18:00 –weekdays Mon,Tue,Wed,Thu,Fri -m limit –limit-burst 5 –limit 5/minute -j ACCEPT

#iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

OUTPUT

#iptables -A OUTPUT -p tcp -m multiport –sport 20,21 -m state –state ESTABLISHED,RELATED -j ACCEPT

3、开放本机的ssh服务给172.16.x.1-172.16.x.100中的主机，x为你的座位号，新请求建立的速率一分钟不得超过2个；仅允许响应报文通过其服务端口离开本机；

INPUT:

#iptables -A INPUT -d 172.16.100.6 -p tcp –dport 22 -m iprange –src-range 172.16.100.1-172.16.100.100 -m limit –limit 2/minute -j ACCEPT

OUTPUT:

# iptables -A OUTPUT -s 172.16.100.6 -p tcp –sport 22 -m iprange –dst-range 172.16.100.1-172.16.100.100 -m state –state ESTABLISHED -j ACCEPT

4、拒绝TCP标志位全部为1及全部为0的报文访问本机；

# iptabels -A INPUT -d 192.168.150.137 -p tcp –tcp-flags ALL ALL -j DROP

# iptables -A INPUT -d 192.168.150.137 -p tcp –tcp-flags ALL NONE -j DROP

5、允许本机ping别的主机；但不开放别的主机ping本机；

# iptables -A OUTPUT -s 192.168.150.138 -p icmp –icmp-type 8 -j ACCEPT     请求包

# iptables -A INPUT -d 192.168.150.138 -p icmp –icmp-type 0 -j ACCEPT     回包

6、判断下述规则的意义：

# iptables -N clean_in

     创建自定义链clean_in

  # iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP     丢弃不定向广播ping包

  # iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP     丢弃定向广播ping包

     禁止广播探测本网络主机在线情况

  # iptables -A clean_in -p tcp ! –syn -m state –state NEW -j DROPQ      丢弃syn标志不为1的包和追踪状态为新连接的包

  # iptables -A clean_in -p tcp –tcp-flags ALL ALL -j DROP     标志位全1的丢弃，全1肯定是不正常的包

  # iptables -A clean_in -p tcp –tcp-flags ALL NONE -j DROP     标志位全0的丢弃，全0肯定是不正常的包

  # iptables -A clean_in -d 172.16.100.7 -j RETURN     正常的报文RETURN

     定义一个清理链

  # iptables -A INPUT -d 172.16.100.7 -j clean_in     到目的主机的报文过来转给自定义链clean_in

  # iptables -A INPUT  -i lo -j ACCEPT     允许数据报文流入环回口

  # iptables -A OUTPUT -o lo -j ACCEPT     允许数据报文流出环回口

     开放本地环回口

  # iptables -A INPUT  -i eth0 -m multiport -p tcp –dports 53,113,135,137,139,445 -j DROP     指定流入报文接口为eth0，协议为tcp，目标端口为53,113,135,137,139,445，报文丢弃

  # iptables -A INPUT  -i eth0 -m multiport -p udp –dports 53,113,135,137,139,445 -j DROP     指定流入报文接口为eth0，协议为udp，目标端口为53,113,135,137,139,445，报文丢弃

  # iptables -A INPUT  -i eth0 -p udp –dport 1026 -j DROP     流入eth0的udp，端口为1026报文丢弃

  # iptables -A INPUT  -i eth0 -m multiport -p tcp –dports 1433,4899 -j DROP     流入eth0的tcp，端口为1433,4899报文丢弃

  # iptables -A INPUT  -p icmp -m limit –limit 10/second -j ACCEPT     限制ping包个数每秒最多10个

7、通过tcp_wrapper控制vsftpd仅允许172.16.0.0/255.255.0.0网络中的主机访问，但172.16.100.3除外；对所被被拒绝的访问尝试都记录在/var/log/tcp_wrapper.log日志文件中；

~]# vim /etc/hosts.allow

#

# hosts.allow    This file contains access rules which are used to

#        allow or deny connections to network services that

#        either use the tcp_wrappers library or that have been

#        started through a tcp_wrappers-enabled xinetd.

#

#        See 'man 5 hosts_options' and 'man 5 hosts_access'

#        for information on rule syntax.

#        See 'man tcpd' for information on tcp_wrappers

#

vsftpd:192.168.150.0/255.255.255.0 EXCEPT 192.168.150.138

~]# vim /etc/hosts.deny

[root@localhost ~]# cat /etc/hosts.deny

#

# hosts.deny    This file contains access rules which are used to

#        deny connections to network services that either use

#        the tcp_wrappers library or that have been

#        started through a tcp_wrappers-enabled xinetd.

#

#        The rules in this file can also be set up in

#        /etc/hosts.allow with a 'deny' option instead.

#

#        See 'man 5 hosts_options' and 'man 5 hosts_access'

#        for information on rule syntax.

#        See 'man tcpd' for information on tcp_wrappers

#

vsftpd:ALL :spawn /bin/echo `date` login attempt from %c to %s, %d >> /var/log/tcp_wrapper.log

执行结果

192.168.150.136主机

[root@localhost ~]# ftp 192.168.150.137

Connected to 192.168.150.137 (192.168.150.137).

220 (vsFTPd 3.0.2)

Name (192.168.150.137:root):

192.168.150.138主机

~]# ftp 192.168.150.137

Connected to 192.168.150.137 (192.168.150.137).

421 Service not available.

日志信息：

~]# cat /var/log/tcp_wrapper.log

2016年 12月 25日 星期日 16:41:17 CST login attempt from 192.168.150.138 to vsftpd@192.168.150.137, vsft

pd2016年 12月 25日 星期日 16:44:10 CST login attempt from 192.168.150.138 to vsftpd@192.168.150.137, vsft

pd