iptables使用详解(centos7)
安装前
里面有iptables的命令 [root@mcw01 ~]$ rpm -qa|grep iptables iptables-1.4.21-18.0.1.el7.centos.x86_64 [root@mcw01 ~]$ rpm -ql iptables /etc/sysconfig/ip6tables-config /etc/sysconfig/iptables-config /usr/bin/iptables-xml 。.......... /usr/sbin/ip6tables /usr/sbin/ip6tables-restore /usr/sbin/ip6tables-save /usr/sbin/iptables #iptables管理命令 /usr/sbin/iptables-restore /usr/sbin/iptables-save /usr/sbin/xtables-multi ..... [root@mcw01 ~]$
我们需要安装iptables-services,用来启动和停止iptables服务
[root@mcw01 ~]$ yum list all|grep iptables-services iptables-services.x86_64 1.4.21-35.el7 base [root@mcw01 ~]$ yum install -y iptables-services [root@mcw01 ~]$ rpm -ql iptables-services /etc/sysconfig/ip6tables /etc/sysconfig/iptables #防火墙配置就是这个 /usr/lib/systemd/system/ip6tables.service /usr/lib/systemd/system/iptables.service #服务启动停止文件 /usr/libexec/initscripts/legacy-actions/ip6tables /usr/libexec/initscripts/legacy-actions/ip6tables/panic /usr/libexec/initscripts/legacy-actions/ip6tables/save /usr/libexec/initscripts/legacy-actions/iptables /usr/libexec/initscripts/legacy-actions/iptables/panic /usr/libexec/initscripts/legacy-actions/iptables/save /usr/libexec/iptables /usr/libexec/iptables/ip6tables.init /usr/libexec/iptables/iptables.init [root@mcw01 ~]$ modprobe ip_tables modprobe iptable_filter modprobe iptable_nat modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_state [root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable' #默认是没有开启这些内核模块的 [root@mcw01 ~]$ [root@mcw01 ~]$ modprobe ip_tables #加载这些模块,应该写进配置,即使重启了也加载,永久性修改生效。 [root@mcw01 ~]$ modprobe iptable_filter [root@mcw01 ~]$ modprobe iptable_nat [root@mcw01 ~]$ modprobe ip_conntrack [root@mcw01 ~]$ modprobe ip_conntrack_ftp [root@mcw01 ~]$ modprobe ip_nat_ftp [root@mcw01 ~]$ modprobe ipt_state 加载内核模块的配置在/etc/modprobe.d/目录下 [root@mcw01 ~]$ ls /etc/modprobe.d/ tuned.conf [root@mcw01 ~]$ [root@mcw01 ~]$ tail -7 /etc/rc.local #也可以直接加到开机自启动文件里 modprobe ip_tables modprobe iptable_filter modprobe iptable_nat modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_state [root@mcw01 ~]$ 然后再检查下,现在有这些内核模块了 [root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable' nf_nat_ftp 12770 0 nf_conntrack_ftp 18638 1 nf_nat_ftp iptable_nat 12875 0 nf_nat_ipv4 14115 1 iptable_nat nf_nat 26787 2 nf_nat_ftp,nf_nat_ipv4 nf_conntrack 133387 6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4 iptable_filter 12810 0 ip_tables 27115 2 iptable_filter,iptable_nat libcrc32c 12644 4 xfs,sctp,nf_nat,nf_conntrack [root@mcw01 ~]$
关闭firewalld,开启iptables
关闭firewalld systemctl stop firewalld systemctl disable firewalld systemctl is-active firewalld.service systemctl is-enabled firewalld.service [root@mcw01 ~]$ systemctl stop firewalld [root@mcw01 ~]$ systemctl disable firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@mcw01 ~]$ systemctl is-active firewalld.service #只有不活跃,就关闭了,只有禁用了就不会开机自启了 unknown [root@mcw01 ~]$ systemctl is-enabled firewalld.service disabled [root@mcw01 ~]$ 开启iptables systemctl start iptables.service systemctl enable iptables.service [root@mcw01 ~]$ systemctl start iptables.service [root@mcw01 ~]$ systemctl enable iptables.service Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -Ln #写反了什么都没有 iptables: No chain/target/match by that name. [root@mcw01 ~]$ iptables -nL #这里默认显示的是filter表的。这里有filter表的input链,forword链,和output链 Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited #用户请求来的时候,默认先从input链这里一行一行规则往下匹配,如果都没有匹配上了,就走input链后面的小括号里面的规则, #这里是(policy ACCEPT),小括号里面表示默认规则 Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
学习前环境准备
清除所有的iptables规则 --flush -F [chain] Delete all rules in chain or all chains 清除所有规则 --delete-chain -X [chain] Delete a user-defined chain 删除用户自定义的规则 --zero -Z [chain [rulenum]] Zero counters in chain or all chains 清除链的计数器 清除所有规则,但不会清除默认规则 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -F #清除所有的iptables规则 [root@mcw01 ~]$ iptables -nL #再次查看,安装好后默认设置的规则都清除掉了 Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
禁止访问22端口(指定端口)
--append -A chain Append to chain #追加链,追加是放到最下面,如果是拒绝的规则,那么应该放到最上面才防止未匹配到而失效。 --delete -D chain Delete matching rule from chain --insert -I chain [rulenum] Insert in chain as rulenum (default 1=first) #把规则放到前面,插入,一般拒绝的规则放到前面 --jump -j target target for rule (may load target extension) #匹配到规则需要做的动作,满足条件后的动作,比如:DROP/ACCEPT/REJECT 拒绝,接受,拒绝 --dport 目标端口, -d 目标ip --sport源端口 -A添加规则;INPUT,我要在INPUT链中添加规则。是需要指定端口还是ip呢,这里是22端口,指定端口的话一般要先指定协议(协议一般这里有tcp,udp,icmp,all就是所有),端口在网络中一般有两种情况,ip也是有两种情况,就是目标端口,源端口,目标ip,源ip,我这里是禁止访问22端口,也就是端口是目标端口,所以--dport 22;需要禁止访问,那就是 -j DROP ,这个DROP要大写 iptables -A INPUT -p tcp --dport 22 -j DROP iptables -t filter -A INPUT -p tcp --dport 22 -j DROP 需要谨慎,看清了。这里是演示,如果真的把22端口禁了,就连不上了。我这里是虚拟机,可以在VMware上把这条规则清除掉重新远程连接 如果我们只是想清除一条规则,可以先执行 iptables -nL --line-numbers 查看到是第几条链,防止眼睛数错行。这里是在INPUT链上的第一条规则,然后执行删除这条规则.清除之后,22端口就能重新连接了 iptables -D INPUT 1 如下,我禁用23端口和解除23端口的过程 [root@mcw01 ~]$ iptables -A INPUT -p tcp --dport 23 -j DROP #未指定默认是filter表了;添加;在input链上;tcp协议,目标端口23;来访问了就drop丢掉 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 #禁用23端口 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -nL --line-numbers #查看规则是第几个,删除可以用到 Chain INPUT (policy ACCEPT) num target prot opt source destination 1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination [root@mcw01 ~]$ iptables -D INPUT 1 #删除,指定是INPUT链,第一个规则 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
禁止指定ip,访问本服务器指定端口
禁止指定ip,访问本服务器指定端口 iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 防火墙四表五链,我们常用的是filter,nat表。我们常用的是filter表的INPUT,FORWARD,OUTPUT链;nat表的PREROUTING,POSTROUTING链,OUTPUT链 禁止10.0.0.12访问10.0.0.11服务器的22端口 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 一开始12能访问11的22端口 [root@mcw02 ~]$ ssh 10.0.0.11 hostname root@10.0.0.11's password: mcw01 [root@mcw02 ~]$ [root@mcw01 ~]$ iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP [root@mcw01 ~]$ iptables -nL #禁止10.0.0.12访问10.0.0.11服务器的22端口 Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 10.0.0.12 0.0.0.0/0 tcp dpt:22 #来自10.0.0.12的IP,访问本机的22端口被drop Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination 再次从12上访问11的22端口,发现是连接超时的 [root@mcw02 ~]$ ssh 10.0.0.11 hostname ssh: connect to host 10.0.0.11 port 22: Connection timed out [root@mcw02 ~]$ [root@mcw02 ~]$ ssh 172.16.0.11 hostname #如果使用内网ip,还是可以访问的,因为只是禁用10.0.0.12访问 root@172.16.0.11's password: mcw01 [root@mcw02 ~]$ ping 10.0.0.11 -c 1 #访问icmp协议的还是不影响的 PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data. 64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=0.682 ms --- 10.0.0.11 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms [root@mcw02 ~]$ [root@mcw02 ~]$ nc 10.0.0.11 22 #使用nc查看端口是否能连上 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw02 ~]$ telnet 10.0.0.11 22 #telnet查看是否能连上 Trying 10.0.0.11... telnet: connect to address 10.0.0.11: Connection timed out [root@mcw02 ~]$ 正常能连的显示 [root@mcw03 ~]$ nc 10.0.0.11 22 SSH-2.0-OpenSSH_7.4 #夯住
命令有,但不知道是哪个包带来的命令,两种方式找到包
[root@mcw01 ~]$ rpm -qa nc [root@mcw01 ~]$ rpm -qa ncat [root@mcw01 ~]$ rpm -qa |grep nc irqbalance-1.0.7-10.el7.x86_64 ncurses-base-5.9-14.20130511.el7_4.noarch perl-Encode-2.51-7.el7.x86_64 qrencode-libs-3.4.1-3.el7.x86_64 ncurses-libs-5.9-14.20130511.el7_4.x86_64 ncurses-5.9-14.20130511.el7_4.x86_64 nmap-ncat-6.40-19.el7.x86_64 vim-enhanced-7.4.629-8.el7_9.x86_64 ncurses-devel-5.9-14.20130511.el7_4.x86_64 [root@mcw01 ~]$ [root@mcw01 ~]$ rpm -qa |grep ncat nmap-ncat-6.40-19.el7.x86_64 [root@mcw01 ~]$ which nc /usr/bin/nc [root@mcw01 ~]$ yum provides nc #方式一:yum查看命令是哪个包里的 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile netcat-1.218-2.el7.x86_64 : OpenBSD netcat to read and write data across connections using TCP or UDP Repo : epel Matched from: Provides : nc = 1.218-2.el7 2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement Repo : base Matched from: Provides : nc 2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement Repo : @base Matched from: Provides : nc [root@mcw01 ~]$ rpm -qf `which nc` #方式二:rpm查看命令是哪个包里的 nmap-ncat-6.40-19.el7.x86_64 [root@mcw01 ~]$
使用nc命令进行端口间通信
当我使用nc连接本服务器端口的时候 [root@mcw03 ~]$ nc -l 6381 #夯住 新开一个窗口,发现这个命令的进程 [root@mcw03 ~]$ ps -ef|grep -v grep |grep 6381 root 19421 19094 0 03:26 pts/0 00:00:00 nc -l 6381 [root@mcw03 ~]$ -- 如下当我将mcw03上redis端口,使用nc命令夯住后 [root@mcw03 ~]$ nc -l 6381 wo shi machangwei nihaoya 当我在其他机器,比如在mcw01上telnet mcw03的这个6381端口,也会夯住,然后这样两者间就可以互相写字进行通信了,一行一行的发送,点击enter就发送。telnet如果是客户端的话,那么我断开telnet,nc命令并不会终止 [root@mcw01 ~]$ telnet 10.0.0.13 6381 Trying 10.0.0.13... Connected to 10.0.0.13. Escape character is '^]'. wo shi machangwei nihaoya 当我在mcw03上使用nc之后,夯住 [root@mcw03 ~]$ nc -l 6381 然后 [root@mcw01 ~]$ cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@mcw01 ~]$ cat /etc/hosts |nc 10.0.0.13 6381 #然后在另一个主机上连接这个端口,就能发送文件内容过去 [root@mcw03 ~]$ nc -l 6381 #接收到文件内容,我们也可以将接收的文件内容重定向到文件里,实现nc通过端口传输文件 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@mcw03 ~]$ [root@mcw03 ~]$ nc -l 6381 >1.host [root@mcw03 ~]$ cat 1.host 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@mcw03 ~]$
禁止指定网段访问本服务器的指定端口
禁止指定网段访问本服务器的指定端口 iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP 别人访问我,是进入的包,INPUT链。别人访问我的某个端口服务,我这个端口是对方访问的目标端口,所以是dport,禁止就得drop,-I拒绝的就往前面插入 我在mcw01上开启了8080端口的监听,然后通过两个ip访问,都能通,接收到信息 [root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080 [root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080 [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 8080 111 [root@mcw01 ~]$ nc -l 8080 111 [root@mcw01 ~]$ 现在设置防火墙规则,禁止指定172.16.0.0/24网段访问本服务器的指定端口8080 [root@mcw01 ~]$ iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 172.16.0.0/24 0.0.0.0/0 tcp dpt:8080 DROP tcp -- 10.0.0.12 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 然后再看,mcw02连接mcw01的nc开启的连接服务,发现172.16.0.11只有这个网段的不能连上服务了,说明禁止生效了 [root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080 [root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 8080 111 [root@mcw01 ~]$ nc -l 8080 #夯住,没反应
指定只能某个网段访问本服务器。(不是指定网段的拒绝掉)
指定只能某个网段访问本服务器。(不是指定网段的拒绝掉) iptables -I INPUT ! -s 10.0.0.0/24 -j DROP 当我清空所以防火墙配置之后,mcw02能访问mcw01上nc开启的2222端口 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222 [root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222 [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 2222 2222 [root@mcw01 ~]$ nc -l 2222 2222 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -I INPUT ! -s 10.0.0.0/24 -j DROP [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 当我两次在mcw01上nc开启2222端口时,只有访问10.0.0.11能访问到,访问172.16.0.11访问不到。所以防火墙配置生效 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222 [root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 2222 2222 [root@mcw01 ~]$ nc -l 2222
禁止用户访问本服务器指定范围或者指定多个的端口
禁止用户访问本服务器指定范围或者指定多个的端口 iptables -I INPUT -p tcp --dport 1024:65535 -j DROP iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP 执行命令前,nc开启mcw01的端口,mcw02上都能访问到 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000 [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 444 2222 [root@mcw01 ~]$ nc -l 1024 2222 [root@mcw01 ~]$ nc -l 60000 2222 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 1024:65535 -j DROP [root@mcw01 ~]$ iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination 执行命令后,无法访问到 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444 Ncat: Connection timed out. [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024 Ncat: Connection timed out. [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 444 ^C [root@mcw01 ~]$ nc -l 1024 ^C [root@mcw01 ~]$ nc -l 60000 ^C [root@mcw01 ~]$
使用iptables实现禁止ping功能
使用iptables实现禁止ping功能 iptables -I INPUT -p icmp --icmp-type 8 -j DROP #实际上icmp协议的类型有很多,影响我们ping的类型是8,只需禁止8就行 iptables -I INPUT -p icmp --icmp-type any -j DROP 当我给mcw01添加内核设置为1的时候,mcw02就无法ping通mcw01了,当我修改为0的时候,就能ping同mcw01了 echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all 加上这条命令后,里面就不能ping通了 ,这里是任意类型,好像写成8也可以 [root@mcw01 ~]$ iptables -I INPUT -p icmp --icmp-type any -j DROP [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
保存和恢复规则
iptables-save保存当前防火墙到配置文件中,加上重定向,可以将防火墙规则导入到指定文件中备份起来 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables-save #会把所有的打印出来,*后面显示表的名字;冒号后欧美是默认的规则,再往下就死我们自己配置的规则 # Generated by iptables-save v1.4.21 on Mon Mar 7 16:48:59 2022 *nat :PREROUTING ACCEPT [6543:408185] :INPUT ACCEPT [76:11426] :OUTPUT ACCEPT [358288:21886420] :POSTROUTING ACCEPT [358288:21886420] COMMIT # Completed on Mon Mar 7 16:48:59 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 16:48:59 2022 *filter :INPUT ACCEPT [696:58996] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [653551:39668311] #*后面显示表的名字;冒号后欧美是默认的规则,再往下就死我们自己配置的规则 -A INPUT -p icmp -m icmp --icmp-type any -j DROP -A INPUT -p tcp -m multiport --dports 81,444 -j DROP -A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP -A INPUT ! -s 10.0.0.0/24 -j DROP COMMIT # Completed on Mon Mar 7 16:48:59 2022 [root@mcw01 ~]$ 防火墙配置,实际保存的是如下文件中。可以看到和命令查询出来的差不多 [root@mcw01 ~]$ cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT [root@mcw01 ~]$ 如下保存防火墙规则 [root@mcw01 ~]$ iptables-save >iptRule.txt [root@mcw01 ~]$ cat iptRule.txt # Generated by iptables-save v1.4.21 on Mon Mar 7 16:53:44 2022 *nat :PREROUTING ACCEPT [6642:414294] :INPUT ACCEPT [77:11655] :OUTPUT ACCEPT [363901:22224847] :POSTROUTING ACCEPT [363901:22224847] COMMIT # Completed on Mon Mar 7 16:53:44 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 16:53:44 2022 *filter :INPUT ACCEPT [781:65217] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [664961:40365111] -A INPUT -p icmp -m icmp --icmp-type any -j DROP -A INPUT -p tcp -m multiport --dports 81,444 -j DROP -A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP -A INPUT ! -s 10.0.0.0/24 -j DROP COMMIT # Completed on Mon Mar 7 16:53:44 2022 [root@mcw01 ~]$ 不小心把防火墙都误清除了,因为之前保存到配置里了,重启一下防火墙重新就出来了 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ systemctl restart iptables.service [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables-restore无需重启防火墙,可以将备份导出来的防火墙规则,再导入回去 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables-restore <iptRule.txt [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
修改默认规则为drop,默认都不接受的做法
-i --input 数据进入的时候通过哪个网卡 -o --output 数据出去的时候通过哪个网卡 -P --policy -P chain target Change policy on chain to target 修改默认规则 修改默认规则前设置: iptables -I INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT 修改默认规则 iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT 修改默认规则后添加自己使用的网段为白名单 iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT 清除好环境 [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -X [root@mcw01 ~]$ iptables -Z [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 在修改默认策略为拒绝时,首先要提前做些准备。比如接收22端口访问 [root@mcw01 ~]$ #准许连接 22端口 [root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 设置本地lo通讯规则 [root@mcw01 ~]$ iptables -A INPUT -i lo -j ACCEPT [root@mcw01 ~]$ iptables -A OUTPUT -o lo -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ 添加指定服务需要能被访问,比如80 443 [root@mcw01 ~]$ iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ 修改默认规则 [root@mcw01 ~]$ #修改默认规则 [root@mcw01 ~]$ iptables -P INPUT DROP #进来的时候,默认是drop [root@mcw01 ~]$ iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ iptables -P FORWARD DROP #这个也默认是drop [root@mcw01 ~]$ iptables -P OUTPUT ACCEPT #出去的时候不管,都接受 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ 添加两个白名单 [root@mcw01 ~]$ iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT [root@mcw01 ~]$ iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 10.0.0.0/24 0.0.0.0/0 ACCEPT all -- 172.16.0.0/24 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 然后保存下我们的配置 [root@mcw01 ~]$ iptables-save # Generated by iptables-save v1.4.21 on Mon Mar 7 17:21:59 2022 *nat :PREROUTING ACCEPT [148:9218] :INPUT ACCEPT [13:949] :OUTPUT ACCEPT [2894:191439] :POSTROUTING ACCEPT [2894:191439] COMMIT # Completed on Mon Mar 7 17:21:59 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 17:21:59 2022 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [195:20374] -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 10.0.0.0/24 -j ACCEPT -A INPUT -s 172.16.0.0/24 -j ACCEPT -A OUTPUT -o lo -j ACCEPT COMMIT # Completed on Mon Mar 7 17:21:59 2022 [root@mcw01 ~]$ #其中默认是drop ,INPUT和OUTPUT链添加了规则
内网服务器通过iptables转发实现访问外网SNAT(共享上网)
内网服务器通过iptables转发实现访问外网(共享上网) 10.0.0.11是集群中的外网ip,能通过这个ip访问外网的。这个ip所在服务器可以做成网关,让其它主机的网关设置成该主机的内网ip,然后通过ipv4内核源地址转换实现访问外网 单个ip实现源地址转换 iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 echo 1 >/proc/sys/net/ipv4/ip_forward echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf sysctl -p 指定网段的地址实现源地址转换 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 当公网ip不固定时:更换。用如下命令 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE MASQUERADE masquerade 英[ˌmæskəˈreɪd] 美[ˌmæskəˈreɪd] n. 掩藏; 掩饰; 化装舞会; 假面舞会; vi. 假扮; 乔装; 伪装; nat表(可以共享上网,端口映射,ip映射) 主机环境(将mcw02和mcw03的外网ip10网段的先停掉网卡,只剩内网ip172网段的,纯内网机子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 准备环境: 先把上面做的环境改回来,记得先改回默认策略为接受,然后再清空所有的规则。不然默认规则是拒绝,我把22接受服务的删除掉,那么就连不上服务器了,只能去机房连接服务器恢复了 [root@mcw01 ~]$ iptables -P INPUT ACCEPT [root@mcw01 ~]$ iptables -P FORWARD ACCEPT [root@mcw01 ~]$ iptables -P OUTPUT ACCEPT [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ [root@mcw01 ~]$ ping www.baidu.com -c 1 #查看百度的ip是110.242.68.4,我现在需要内网的机子能访问这个ip PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data. 64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=17.1 ms --- www.a.shifen.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 17.186/17.186/17.186/0.000 ms [root@mcw01 ~]$ 我现在mcw03这个后端内网服务器不能访问到外网,mcw01可以访问到外网。我想通过mcw01做转发,实现mcw03访问外网 mcw03的ip是172.16.0.13,这时数据包通过mcw01访问110.242.68.4时,目标ip110.242.68.4不变,在mcw01上要将源ip172.16.0.13修改mcw01的ip即10.0.0.11。 所以,需要内网实现共享上网的时候,需要使用snat,源网络地址转换 这时我们的mcw03的数据包,是需要通过mcw01上出去,进而访问外网,所以我们需要修改的是以前画的那张图里的nat表POSTROUTING 所以,需要设置防火墙命令如下:需要在nat表设置;需要在POSTROUTING链里追加;目标ip是访问的外网ip, 需要指定源ip是mcw03内网ip地址需要转换为可以访问的外网ip;动作是mcw03的内网ip,源ip转换为能访问外网的mcw01上的外网ip,动作是源地址访问;将源地址改为mcw01上的外网ip10.0.0.11 mcw01配置了防火墙,还要开启mcw01的ip转发内核参数。将mcw03网关应该修改为mcw01的内网ip,内网网卡上给mcw03添加DNS服务器的配置,不然无法解析了。 单个ip实现源地址转换 iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 echo 1 >/proc/sys/net/ipv4/ip_forward echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf sysctl -p 指定网段的地址实现源地址转换 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 操作前检查情况 [root@mcw02 ~]$ ssh 172.16.0.13 #从mcw02上连接mcw03内网ip root@172.16.0.13's password: Last login: Mon Mar 7 17:58:21 2022 from 172.16.0.12 [root@mcw03 ~]$ ip a #查看网卡情况 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff inet 10.0.0.13/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::6782:98:f742:b0e8/64 scope link valid_lft forever preferred_lft forever inet6 fe80::6faf:5935:98b1:7f8d/64 scope link tentative dadfailed valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link tentative dadfailed valid_lft forever preferred_lft forever [root@mcw03 ~]$ ifdown ens33 #将mcw03的外网网卡关闭掉 Device 'ens33' successfully disconnected. [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ ping www.baidu.com #查看mcw03无法访问外网,只有内网ip172.16.0.13可以通信 ping: www.baidu.com: Name or service not known [root@mcw03 ~]$ [root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 [root@mcw01 ~]$ echo 1 >/proc/sys/net/ipv4/ip_forward [root@mcw01 ~]$ echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf [root@mcw01 ~]$ sysctl -p 发现mcw03还是不通外网,是因为忘记修改网关了,网关应该修改为mcw01的内网ip. [root@mcw03 ~]$ ping www.baidu.com ping: www.baidu.com: Name or service not known [root@mcw03 ~]$ ip r default via 172.160.0.253 dev ens34 proto static metric 100 172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 172.160.0.253 dev ens34 proto static scope link metric 100 这里将内网网卡配置的网关设置为mcw01主机的内网ip。让它onboot改为yes,不然重启就关闭网卡了 [root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens34 [root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens34 ONBOOT=yes GATEWAY=172.16.0.11 [root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens33 #将外网网卡的onboot关闭掉,防止重启网络,而重启网卡 [root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens33 ONBOOT="no" GATEWAY="10.0.0.253" [root@mcw03 ~]$ systemctl restart network [root@mcw03 ~]$
检查环境以及验证内网访问外网 [root@mcw03 ~]$ ip a #查看网络,没有问题,还是内网ip 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ [root@mcw03 ~]$ ip r #查看网关,已经变成了mcw01主机的内网ip default via 172.16.0.11 dev ens34 proto static metric 100 172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 [root@mcw03 ~]$ [root@mcw03 ~]$ ping www.baidu.com #成功访问外网 PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data. 64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=127 time=14.8 ms 64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=2 ttl=127 time=13.6 ms ^C --- www.a.shifen.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 13.674/14.261/14.848/0.587 ms [root@mcw03 ~]$ 附上mcw01的内网ip查询 [root@mcw01 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::9910:d66a:5b4d:7102/64 scope link valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link valid_lft forever preferred_lft forever [root@mcw01 ~]$ 执行完后,记得保存一下配置 iptables -t nat -nL 查看nat表的转发规则 [root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ [root@mcw01 ~]$ cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ iptables-save # Generated by iptables-save v1.4.21 on Mon Mar 7 18:52:42 2022 *nat :PREROUTING ACCEPT [143:9307] :INPUT ACCEPT [1:229] :OUTPUT ACCEPT [80:6466] :POSTROUTING ACCEPT [80:6466] -A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11 -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 COMMIT # Completed on Mon Mar 7 18:52:42 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 18:52:42 2022 *filter :INPUT ACCEPT [698927:234693305] :FORWARD ACCEPT [5426:390414] :OUTPUT ACCEPT [704597:225964959] COMMIT # Completed on Mon Mar 7 18:52:42 2022 [root@mcw01 ~]$ [root@mcw01 ~]$ cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
如何删除nat表的规则:
[root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.61 [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -t nat -D POSTROUTING 2 #删除nat表的规则,需要指定nat表 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11
DNAT端口转发(内网服务器不暴露在公网上,但是它上面的服务可以通过某台服务器的端口转发提供给外网)
DNAT端口转发(内网服务器不暴露在公网上,但是它上面的服务可以通过某台服务器的端口转发提供给外网) iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22 有点像Nginx的端口转发 当外网需要访问内网某个主机的某个服务时,服务无法提供。我们可以使用端口转发,mcw01有外网ip,当外网访问mcw01的外网时,我们可以根据端口来将请求转发给内网某个服务器如mcw03,mcw03上是没有外网ip的。 主机环境(将mcw02和mcw03的外网ip10网段的先停掉网卡,只剩内网ip172网段的,纯内网机子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 例如:当用户访问我们的mcw01主机上的9000端口(10.0.0.11:9000)时,我们将它转发到我们内网服务器mcw03上的22端口(172.16.0.13:22)。用户访问时,源地址是他们自己, 他们的目标是访问我们的10.0.0.11:9000,我们要实现转发,需要将这个目标地址改成172.16.0.13:22。所以这里是目标地址转换DNAT。 这里是目标地址转换,是nat表;这是用户来访问的数据包,也就是用户要进来,所以是PREROUTING 链;目标访问的是10.0.0.11;对方访问的是9000端口;动作我就用DNAT,目标地址转换,转换成我们内网的地址;这里是转换成目标地址172.16.0.13:22 注意:此时这里的mcw03的网卡上配置的网关,要设置成mcw01上内网的ip。因为数据包是转发给mcw03了,但是我要回包的话,得发给mcw01的内网ip,然后mcw01内网ip再发给mcw01的公网ip10.0.0.11,这样才能给客户返回响应数据。这里之前已经配置了,详情见上面的SNAT共享上网 iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport -j DNAT --to-destination 172.16.0.13:22 然后还需要开启ipv4转发。之前我已经配置好了 [root@mcw01 ~]$ tail -1 /etc/sysctl.conf net.ipv4.ip_forward=1 [root@mcw01 ~]$ 操作前检查情况 mcw03和mcw01的9000端口目前都不能连接 [c:\~]$ ssh root@172.16.0.13 Connecting to 172.16.0.13:22... Could not connect to '172.16.0.13' (port 22): Connection failed. Type `help' to learn how to use Xshell prompt. [c:\~]$ [c:\~]$ [c:\~]$ [c:\~]$ ssh root@10.0.0.11 9000 Connecting to 10.0.0.11:9000... Could not connect to '10.0.0.11' (port 9000): Connection failed. Type `help' to learn how to use Xshell prompt. [c:\~]$ 执行操作:配置目标地址转发,查看配置的规则,查看ipv4转发是否开启 [root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22 [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 10.0.0.11 tcp dpt:9000 to:172.16.0.13:22 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ tail -1 /etc/sysctl.conf net.ipv4.ip_forward=1 [root@mcw01 ~]$ 检验配置的效果:发现当我们外网上连接mcw01的9000端口时,实际上我们是访问到了没有外网ip,不通外网的mcw03主机上。也就是在mcw01上成功实现端口转发。这样当我们内网的主机上某个服务要提供给外网访问时,可以使用端口转发的方式提供服务,这也能保证了内网服务器的安全性。 [c:\~]$ ssh root@10.0.0.11 9000 Connecting to 10.0.0.11:9000... Connection established. To escape to local shell, press 'Ctrl+Alt+]'. Last login: Mon Mar 7 18:06:33 2022 from 172.16.0.12 [root@mcw03 ~]$ hostname -I 172.16.0.13 [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$
ip地址转发(DNAT实现ip地址转发,ip映射)
主机环境(将mcw02和mcw03的外网ip10网段的先停掉网卡,只剩内网ip172网段的,纯内网机子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 配置过程中需要注意的事项请参考上面的snat和dnat配置过程 查看环境,将之前已有的端口转发配置去掉 [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 10.0.0.11 tcp dpt:9000 to:172.16.0.13:22 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ iptables -t nat -D PREROUTING 1 #删除之前配置的端口转发,防止收到影响 [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ 在mcw01上添加一个新的公网ip,当访问这个公网ip10.0.0.111时,将它转发到内网服务器mcw03的内网ip172.16.0.13 然后可以给这个公网ip,在网关mcw01上加上标签,这样在mcw01上就能看到这个ip了。 [root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.111 -j DNAT --to-destination 172.16.0.13 [root@mcw01 ~]$ ip a a 10.0.0.111/24 dev ens33 label ens33:0 [root@mcw01 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::9910:d66a:5b4d:7102/64 scope link valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet 10.0.0.111/24 scope global secondary ens33:0 valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link valid_lft forever preferred_lft forever [root@mcw01 ~]$ ^C 验证: 当我在外网连接刚刚在mcw01上添加的公网ip10.0.0.111时,实际上连上了内网服务器mcw03上。 也就是当用户访问mcw01上的外网ip10.0.0.111的某个端口服务时,它就会转发给内网服务器mcw03上对应的端口。 这样就成功实现了ip地址转发。缺点是,只要某个服务器某个端口需要外网访问,就要对应一个外网ip,而一般情况下,不需要访问这么多端口,所以浪费公网ip资源 [c:\~]$ [c:\~]$ ssh root@10.0.0.111 Connecting to 10.0.0.111:22... Connection established. To escape to local shell, press 'Ctrl+Alt+]'. Last login: Mon Mar 7 19:30:16 2022 from 10.0.0.1 [root@mcw03 ~]$ hostname -I 172.16.0.13 [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ 当删除这个标签后,就不能通过这个ip访问内网指定服务器了 [root@mcw01 ~]$ ip a del 10.0.0.111/24 dev ens33 label ens33:0 [root@mcw01 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::9910:d66a:5b4d:7102/64 scope link valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link valid_lft forever preferred_lft forever [root@mcw01 ~]$
-F不能清除nat表的规则
[root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.111 to:172.16.0.13 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.111 to:172.16.0.13 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -X [root@mcw01 ~]$ iptables -Z [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.111 to:172.16.0.13 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$