iptables 端口映射
0.系统初始化脚本
#!/bin/sh
# 0. Baseline firewall initialisation. Default-deny inbound and forwarded
#    traffic, then whitelist loopback, replies, ICMP, SSH and HTTP.
#    The ruleset is persisted via the SysV iptables init script at the end.
#
# Start from a clean slate: flush rules, delete user chains, zero counters.
iptables -F
iptables -X
iptables -Z
# Default policies. Everything not explicitly accepted below is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Loopback traffic is always allowed in both directions.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened, plus related traffic (e.g. ICMP errors).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# All ICMP types, unlimited (rate limiting is handled in the later sections).
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
# New inbound TCP connections: SSH (22) and HTTP (80) only.
iptables -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
# Compact alternative for the two rules above (note: no --state NEW match).
#iptables -A INPUT -p tcp -m multiport --dport 22,80 -j ACCEPT
# Persist the running ruleset so it survives a restart of the service/host.
/etc/init.d/iptables save
1.端口映射(目的地址转换)
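# 1. Port mapping (DNAT): expose 10.132.35.1:22 on this host's public address
#    at port 2222. One-off commands run as root (transcript prompts removed).
#    183.x.x.x stands for the host's public IP throughout.

# Enable IPv4 forwarding. The original wrote “1” with typographic quotes; the
# quote characters are written to the file as well and the write is rejected.
echo 1 >/proc/sys/net/ipv4/ip_forward

# Allow forwarded traffic. NOTE(review): with FORWARD policy DROP, this
# blanket ACCEPT makes the box an open router. Scoping it to the mapped flow
# (`-d 10.132.35.1 -p tcp --dport 22` plus an ESTABLISHED,RELATED rule) would
# be tighter; left as the author had it.
iptables -t filter -A FORWARD -j ACCEPT

# Public 183.x.x.x:2222 -> internal 10.132.35.1:22.
iptables -t nat -A PREROUTING -d 183.x.x.x -p tcp -m tcp --dport 2222 \
  -j DNAT --to-destination 10.132.35.1:22

# Rewrite the source of the mapped packets so that 10.132.35.1 answers back
# through this host. (The original comment said 10.132.32.1; the rule itself
# uses 10.132.35.1, which is what is documented here.)
# Assumes 10.132.35.1 routes 183.x.x.x via this host — confirm on that host.
# Use exactly ONE of the two rules below: SNAT when this host has a fixed
# public address, MASQUERADE when it does not. The original listed both; the
# MASQUERADE rule could never match because SNAT is a terminating target.
iptables -t nat -A POSTROUTING -d 10.132.35.1 -p tcp -m tcp --dport 22 \
  -j SNAT --to-source 183.x.x.x
#iptables -t nat -A POSTROUTING -d 10.132.35.1 -p tcp -m tcp --dport 22 -j MASQUERADE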
2.路由上网(原地址转换)
# 2. Internet access through this host (SNAT / source address translation).
#    One-off commands run as root (transcript prompts removed).

# Turn on IPv4 forwarding.
printf '1\n' >/proc/sys/net/ipv4/ip_forward

# Permit forwarding. filter is the default table, so -t filter is implied.
# NOTE(review): this accepts forwarding in every direction; a NAT gateway
# usually only needs LAN->WAN plus ESTABLISHED,RELATED on the way back.
iptables -A FORWARD -j ACCEPT

# Traffic from 10.1.8.0/24 leaving via eth1 gets source 10.1.8.1.
# NOTE(review): 10.1.8.1 is inside the translated subnet; if eth1 carries an
# upstream address, --to-source should be that address — confirm.
iptables -t nat -A POSTROUTING -s 10.1.8.0/24 -o eth1 -j SNAT --to-source 10.1.8.1
# Anything from the subnet not handled above (other outgoing interfaces) is
# masqueraded with the outgoing interface's own address.
iptables -t nat -A POSTROUTING -s 10.1.8.0/24 -j MASQUERADE
3.其他应用服务配置
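# 3. Per-service INPUT rules. Every line is a runnable `iptables` command;
#    the original mixed in bare `-A ...` lines (iptables-save syntax), which a
#    shell cannot execute. Append these after the loopback/ESTABLISHED rules.

# http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dport 8080,8081,8082 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22000:22030 -j ACCEPT
# db (3306), LAN only
iptables -A INPUT -s 10.1.8.0/24 -p tcp --dport 3306 -j ACCEPT
# snmp, LAN only
iptables -A INPUT -s 10.1.8.0/24 -p udp --dport 161 -j ACCEPT
# rsync, LAN only
iptables -A INPUT -s 10.1.8.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
# nfs 2049, portmap 111 (892 presumably mountd) — UDP and TCP, LAN only
iptables -A INPUT -s 10.1.8.0/24 -p udp -m multiport --dport 111,892,2049 -j ACCEPT
iptables -A INPUT -s 10.1.8.0/24 -p tcp -m multiport --dport 111,892,2049 -j ACCEPT
# icmp: all types from anywhere. The original listed this rule twice; the
# exact duplicate was removed. The LAN-scoped rule below is shadowed by it
# and is kept only so it takes over if the global rule is removed.
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -s 10.1.8.0/24 -p icmp -m icmp --icmp-type any -j ACCEPT
# keepalived VRRP from the peer
iptables -A INPUT -s 183.2.191.211 -p vrrp -j ACCEPT
# zabbix ports 10050-10051. The original second rule had `-p tcp -m udp`,
# which the kernel rejects (udp match is only valid for protocol udp); it is
# taken here as the UDP counterpart of the TCP rule.
iptables -A INPUT -p tcp -m tcp --dport 10050:10051 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10050:10051 -j ACCEPT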
4.iptables安全配置
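# 4. Rate limiting and anti-scan rules. Typos from the original are fixed:
#    FORWAD -> FORWARD, ACCPET -> ACCEPT, and `-syn` -> `-p tcp --syn`
#    (`--syn` is a tcp-match option and is rejected without `-p tcp`).

# NOTE(review): the original opened with two accept-on-limit rules,
# `-p tcp --syn -m limit --limit 100/s --limit-burst 100 -j ACCEPT` and
# `-p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT`.
# With INPUT policy DROP these do not limit anything: while under the limit
# they ACCEPT new connections to *every* port, bypassing the per-port
# whitelist. Both are folded into the syn-flood chain below, which only drops
# the excess and lets in-limit SYNs fall through to the normal port rules.

# Forwarded ping (echo-request): at most 1/s with a burst of 10.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# SYN-flood protection: every new SYN is handed to a chain that RETURNs while
# the rate is within limit and DROPs the rest.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
iptables -A syn-flood -j DROP

# prevent all Stealth Scans and TCP State Flags (disabled; enable as needed)
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# All of the bits are cleared
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# SYN and RST are both set
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN and FIN are both set
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN and RST are both set
#iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
#iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
#iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
#iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP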
5. 安全配置1
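# 5. Hardening rules in iptables-save/restore syntax (bare `-A`, no `iptables`
#    prefix): paste into the *filter section of the rules file, or prefix each
#    line with `iptables` to run it from a shell. eth1 is the exposed interface.

# Anti-DoS: SYN rate limit through a dedicated chain.
# NOTE(review): the original rule was
# `-A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT`,
# which accepts new connections to *any* port while under the limit and so
# bypasses the per-port whitelist; this form only drops the excess.
:syn-limit - [0:0]
-A INPUT -p tcp --syn -j syn-limit
-A syn-limit -m limit --limit 12/s --limit-burst 24 -j RETURN
-A syn-limit -j DROP
# Forwarded SYNs up to 1/s. Still an accept-on-limit rule, kept as written;
# it only limits anything if FORWARD has no broader ACCEPT before it.
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# ICMP: 100/s sustained with a burst of 10 on INPUT; 2/s burst 10 forwarded.
# (The original note said "at most 10 pings per second", but the rule says
# 100/s — lower --limit if 10/s was the intent.)
-A INPUT -p icmp -m limit --limit 100/s --limit-burst 10 -j ACCEPT
-A FORWARD -p icmp -m limit --limit 2/s --limit-burst 10 -j ACCEPT
# A new TCP connection must begin with a SYN.
-A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments, and TCP packets whose flags are all set or all clear.
-A INPUT -i eth1 -f -j DROP
-A INPUT -i eth1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -i eth1 -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets (log first, rate-limited)
-A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets"
-A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop XMAS
-A INPUT -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
-A INPUT -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Drop FIN packet scans
-A INPUT -i eth1 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
-A INPUT -i eth1 -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Log and get rid of broadcast/multicast and invalid
-A INPUT -i eth1 -m pkttype --pkt-type broadcast -j LOG --log-prefix "Broadcast"
-A INPUT -i eth1 -m pkttype --pkt-type broadcast -j DROP
-A INPUT -i eth1 -m pkttype --pkt-type multicast -j LOG --log-prefix "Multicast"
-A INPUT -i eth1 -m pkttype --pkt-type multicast -j DROP
-A INPUT -i eth1 -m state --state INVALID -j LOG --log-prefix " Invalid "
-A INPUT -i eth1 -m state --state INVALID -j DROP

# =============================================
# The four iptables tables:
#   filter: packet filtering (the firewall proper)
#   nat:    network address translation
#   mangle: unpack, modify and re-pack packets
#   raw:    opt out of the connection tracking used by the nat table
# ================================================
# Table precedence, highest first: raw -> mangle -> nat -> filter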
================================================
iptables四个表各自所对应的链:
raw: PREROUTING, OUTPUT
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
filter: INPUT, FORWARD, OUTPUT