iptables 防火墙

允许源地址在 192.168.10.10-192.168.10.50 范围内的机器访问本机 20-25、80、443、6379 端口的进入流量

iptables -A INPUT -p tcp -m iprange --src-range 192.168.10.10-192.168.10.50 -m multiport --dports 20:25,80,443,6379 -j ACCEPT
 

开放出去的端口(注意:下面的规则用的是 `--ports`,它同时匹配源端口和目的端口;若只想限定目的端口,应改用 `--dports`)

 iptables -A OUTPUT  -p tcp -m iprange --dst-range 192.168.10.10-192.168.10.50 -m multiport --ports 20:25,80,443,6379 -j ACCEPT

    保存防火墙规则与读入防火墙规则 

[root@chenxi ~]# iptables-save > /etc/iptables-test 
[root@chenxi ~]# iptables-restore < /etc/iptables-test 
[root@chenxi ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  192.168.10.1         0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            192.168.10.1        
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            destination IP range 192.168.10.10-192.168.10.50 multiport ports 20:25,80,443,6379
192.168.10.17 外主机
192.168.10.40 防火墙(外网侧接口,192.168.10.0 网段主机的网关)
192.168.8.5 防火墙(内网侧接口,192.168.8.0 网段主机的网关)
192.168.8.12 内主机

 

 

 

 

 

 

防火墙打开转发功能

[root@chenxi ~]# vi /etc/sysctl.conf 

# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@chenxi ~]# sysctl -p
net.ipv4.ip_forward = 1

  机器网关

[root@mail ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.10.40   0.0.0.0         UG    0      0        0 eth0
[root@chenxi ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
0.0.0.0         192.168.8.5     0.0.0.0         UG    0      0        0 eth1

  拒绝 192.168.10.17 ping 192.168.8.12(说明:该 REJECT 规则没有限定 ICMP 类型,192.168.10.17 回给 192.168.8.12 的 echo reply 同样匹配并被拒绝,所以下面 192.168.8.12 主动 ping 192.168.10.17 也会 100% 丢包,tcpdump 中可以看到防火墙回送的 unreachable;若只想阻止单向 ping,可以加上 `--icmp-type echo-request`,或先放行已建立连接的报文)

[root@chenxi ~]# iptables -A FORWARD -p icmp -s 192.168.10.17 -d 192.168.8.12 -j REJECT
[root@mail ~]# ping 192.168.8.12
PING 192.168.8.12 (192.168.8.12) 56(84) bytes of data.
From 192.168.10.40 icmp_seq=1 Destination Port Unreachable
From 192.168.10.40 icmp_seq=2 Destination Port Unreachable
From 192.168.10.40 icmp_seq=3 Destination Port Unreachable
^C
[root@chenxi ~]# ping -c 3 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data.

--- 192.168.10.17 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12002ms
[root@mail ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:19:20.308225 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 1, length 64
18:19:20.308285 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 1, length 64
18:19:20.348839 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 40546 unreachable, length 92
18:19:21.308164 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 2, length 64
18:19:21.308222 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 2, length 64
18:19:21.308543 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 13920 unreachable, length 92
18:19:22.308205 IP 192.168.8.12 > 192.168.10.17: ICMP echo request, id 26634, seq 3, length 64
18:19:22.308258 IP 192.168.10.17 > 192.168.8.12: ICMP echo reply, id 26634, seq 3, length 64
18:19:22.308781 IP 192.168.10.40 > 192.168.10.17: ICMP 192.168.8.12 protocol 1 port 6751 unreachable, length 92

  SNAT源地址转换,内网访问外网;将192.168.8.12内部主机访问外网时,源地址转换成192.168.10.40这个地址(在路由之后进行)

[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.12 -j SNAT --to-source 192.168.10.40

 SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问外网时,转换成192.168.10.40这个地址

[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.10.40

查看规则

[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 6 packets, 770 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 6 packets, 770 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   124 SNAT       all  --  *      *       192.168.8.12         0.0.0.0/0            to:192.168.10.40
    0     0 SNAT       all  --  *      *       192.168.8.0/24       0.0.0.0/0            to:192.168.10.40  

 SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问192.168.10.0网段时,转换成192.168.10.40这个地址

[root@chenxi ~]# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.40
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   124 SNAT       all  --  *      *       192.168.8.12         0.0.0.0/0            to:192.168.10.40
    0     0 SNAT       all  --  *      *       192.168.8.0/24       0.0.0.0/0            to:192.168.10.40
    0     0 SNAT       all  --  *      *       192.168.8.0/24       192.168.10.0/24      to:192.168.10.40

SNAT源地址转换,内网访问外网;将192.168.8.0网段主机访问外网时,源地址由出口网卡当前的IP地址决定(MASQUERADE 自动选择,不用写死 --to-source),适用于拨号上网等出口IP不固定的场景

[root@chenxi ~]# iptables -t nat -R  POSTROUTING 1 -s 192.168.8.0/24 -j MASQUERADE   替换第一条
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 MASQUERADE  all  --  *      *       192.168.8.0/24       0.0.0.0/0
[root@chenxi ~]# ping 192.168.10.17
PING 192.168.10.17 (192.168.10.17) 56(84) bytes of data.
64 bytes from 192.168.10.17: icmp_seq=1 ttl=63 time=51.8 ms
64 bytes from 192.168.10.17: icmp_seq=2 ttl=63 time=1.03 ms
64 bytes from 192.168.10.17: icmp_seq=3 ttl=63 time=1.55 ms
     

DNAT  目标地址转换,外网访问内网;路由前,源地址为任意主机、访问本机 tcp 22 端口的流量,都转发到192.168.8.12(注意:此后从外网连接 192.168.10.40 的 22 端口,到达的是 192.168.8.12 而不是防火墙本身,下面 ssh 后 `ip a` 的输出可以证实;客户端 known_hosts 里记在 192.168.10.40 名下的主机密钥也是内网主机的密钥)

[root@chenxi ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.40        tcp dpt:22 to:192.168.8.12

Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3 packets, 212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   156 MASQUERADE  all  --  *      *       192.168.8.0/24       0.0.0.0/0          
[root@mail ~]# ssh 192.168.10.40
The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established.
RSA key fingerprint is 3a:17:29:f8:f9:c5:a5:67:db:cd:c4:ab:5a:3d:c2:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts.
root@192.168.10.40's password: 
Last login: Fri Mar 22 18:22:15 2019 from 192.168.8.1
[root@chenxi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:ad:a3:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.12/24 brd 192.168.8.255 scope global eth1
    inet6 fe80::20c:29ff:fead:a372/64 scope link 
       valid_lft forever preferred_lft forever

  将源地址为192.168.10.17的主机访问本机22端口的流量,目标地址替换成192.168.8.12的22端口(-R 替换规则)。注意:下面写的 `-s 192.168.10.17/24` 会被 iptables 规范化为 192.168.10.0/24(见后面的规则列表),实际匹配的是整个网段;若只想匹配这一台主机,应写 `-s 192.168.10.17` 或 `-s 192.168.10.17/32`

[root@chenxi ~]# iptables -t nat -R PREROUTING 1 -s 192.168.10.17/24 -d 192.168.10.40 -p tcp --dport 22 -j DNAT --to-destination 192.168.8.12

  将任意源地址访问本机80端口的流量,目标地址替换成192.168.8.12的8080端口

[root@chenxi ~]# service httpd restart
停止 httpd:                                               [确定]
正在启动 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [确定]
[root@chenxi ~]# ss -lntp
State       Recv-Q Send-Q                                                               Local Address:Port                                                                 Peer Address:Port 
LISTEN      0      128                                                                             :::8080                                                                           :::*      
users:(("httpd",2842,4),("httpd",2844,4),("httpd",2845,4),("httpd",2846,4),("httpd",2847,4),("httpd",2848,4),("httpd",2849,4),("httpd",2850,4),("httpd",2851,4))LISTEN      0      128                                                                             :::22                                                                             :::*      
users:(("sshd",1266,4))LISTEN      0      128                                                                              *:22                                                                              *:*      
users:(("sshd",1266,3))LISTEN      0      100                                                                            ::1:25                                                                             :::*      
users:(("master",1345,13))LISTEN      0      100                                                                      127.0.0.1:25                                                                              *:*      
users:(("master",1345,12))
[root@chenxi ~]# echo chenxi > /var/www/html/index.html

[root@chenxi ~]# iptables -t nat -A PREROUTING  -s 0/0 -d 192.168.10.40 -p tcp --dport 80 -j DNAT --to-destination 192.168.8.12:8080
[root@chenxi ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.40        tcp dpt:22 to:192.168.8.12
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.40        tcp dpt:80 to:192.168.8.12:8080

Chain INPUT (policy ACCEPT 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   156 MASQUERADE  all  --  *      *       192.168.8.0/24       0.0.0.0/0           
[root@mail ~]# curl 192.168.10.40
chenxi

  端口转发:将访问本机90端口的流量重定向到本机的80端口上

[root@chenxi ~]# iptables -t nat -A PREROUTING -d 192.168.10.40 -p tcp --dport 90 -j REDIRECT --to-ports 80
[root@chenxi ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  192.168.10.0/24      192.168.10.40        tcp dpt:22 to:192.168.8.12
DNAT       tcp  --  0.0.0.0/0            192.168.10.40        tcp dpt:80 to:192.168.8.12:8080
REDIRECT   tcp  --  0.0.0.0/0            192.168.10.40        tcp dpt:90 redir ports 80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.8.0/24       0.0.0.0/0           
[root@chenxi ~]# echo "fhq" > /var/www/html/index.html
[root@chenxi ~]# service httpd start
Redirecting to /bin/systemctl start httpd.service
[root@chenxi ~]# ss -lntp
State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port              
LISTEN      0      128                                                                 *:22                                                                              *:*                   
users:(("sshd",pid=1052,fd=3))LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*                   
users:(("master",pid=1146,fd=13))LISTEN      0      128                                                                :::80                                                                             :::*                   
users:(("httpd",pid=3825,fd=4),("httpd",pid=3824,fd=4),("httpd",pid=3823,fd=4),("httpd",pid=3822,fd=4),("httpd",pid=3821,fd=4),("httpd",pid=3820,fd=4))LISTEN      0      128                                                                :::22                                                                             :::*                   
users:(("sshd",pid=1052,fd=4))LISTEN      0      100                                                               ::1:25                                                                             :::*                   
users:(("master",pid=1146,fd=14))
[root@chenxi ~]# setenforce 0   临时把 SELinux 切到 permissive 模式,只应作为排查手段;定位到具体拒绝原因后应恢复 enforcing 并针对性放行
[root@mail ~]# curl 192.168.10.40:90
fhq

  

 

  

 

 

  

 
