|NO.Z.00050|——————————|Applications|——|Firewall.V4|——|3 servers|
1. Lab topic: DNAT translation
### --- Lab environment
~~~ HA-server1: 10.10.10.11, the internal web server.
~~~ HA-server2: 10.10.10.12, two NICs. The first NIC (10.10.10.12) is on the same network as 10.10.10.11; the second NIC (20.20.20.12) simulates a public IP. This host plays the public-facing router.
~~~ HA-server3: 10.10.10.13 at the start, an internal user; later in this lab it is re-addressed to 20.20.20.13 so that it plays the external client on the simulated public network. // All networks are in host-only mode.
### --- Start the Apache service on HA-server1
[root@server11 ~]# service httpd start
[root@server11 ~]# chkconfig httpd on
[root@server11 ~]# echo "this is the HA-server1:10.10.10.11 DNAT" >>/var/www/html/index.html
[root@server11 ~]# curl localhost
this is the HA-server1:10.10.10.11 DNAT
### --- And point its default route at HA-server2 (10.10.10.12), so that replies to translated connections pass back through the NAT host
[root@server11 ~]# echo "GATEWAY=10.10.10.12" >>/etc/sysconfig/network-scripts/ifcfg-eth0
[root@server11 ~]# service network restart
[root@server11 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
0.0.0.0 10.10.10.12 0.0.0.0 UG 0 0 0 eth0
### --- Enable IP forwarding on HA-server2
[root@server12 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@server12 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@server12 ~]# service iptables start
[root@server12 ~]# chkconfig iptables on
[root@server12 ~]# iptables -L
[root@server12 ~]# iptables -F
### --- Add a DNAT rule
[root@server12 ~]# iptables -t nat -A PREROUTING -i eth1 -d 20.20.20.12 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.11
~~~ -t nat: the nat table. -A PREROUTING: append to the chain evaluated before the routing decision. -i eth1: the inbound interface; clients arrive through the public-facing NIC, so this is the interface that carries the public IP. -d 20.20.20.12: the destination the client asked for, i.e. this host's public address. -p tcp --dport 80: TCP port 80. -j DNAT --to-destination 10.10.10.11: rewrite the destination to the internal address.
~~~ In other words: when a packet enters on eth1, is addressed to 20.20.20.12 and has destination port 80, rewrite its destination IP to the internal server 10.10.10.11. Only the first packet of a connection traverses the nat table; conntrack applies the same translation to the rest of the flow and un-translates the replies, which is why HA-server1's default gateway had to be set to 10.10.10.12: the replies must pass back through this host. If the FORWARD chain policy is DROP, the forwarded flow also needs an ACCEPT rule in FORWARD; here the filter table was flushed and keeps its default ACCEPT policy.
[root@server12 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 20.20.20.12 tcp dpt:http to:10.10.10.11
[root@server12 ~]# service iptables save
### --- Configure eth1 as 20.20.20.12
[root@server12 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=20.20.20.12
NETMASK=255.255.255.0
[root@server12 ~]# service network restart
### --- Configure the NIC on HA-server3 (it now sits on the simulated public network)
[root@server13 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=20.20.20.13
NETMASK=255.255.255.0
[root@server13 ~]# service network restart
### --- Verify: a request from the HA-server3 client succeeds and returns the page. DNAT translation is what exposes an internal service on a public address.
[root@server13 ~]# curl 20.20.20.12 // the request succeeds and returns the page.
this is the HA-server1:10.10.10.11 DNAT
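The lab applies a single PREROUTING rule and relies on two things it does not spell out: the FORWARD chain must let the translated flow through, and replies must route back via HA-server2. The script below, added here as an example and not part of the original lab, generates the full rule set in iptables-restore format. The function names, the address check and the optional "snat" flag are this example's own conventions; the defaults are the lab's addresses (eth1, 20.20.20.12, 10.10.10.11, port 80).

```bash
#!/bin/bash
# Added example (not from the original page): generate the complete rule set that the
# single PREROUTING DNAT rule above relies on, in iptables-restore format.
# Function names and the "snat" flag are this example's own conventions.

# is_ipv4 ADDR: succeed only for four dotted decimal octets in 0-255
is_ipv4() {
    local old_ifs=$IFS o
    IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_dnat_rules PUB_IF PUB_IP DPORT INT_IP [INT_PORT] [snat]
#   Prints a rule set loadable with: gen_dnat_rules ... | iptables-restore
#   It replaces the whole nat and filter tables, so on a live box run
#   "gen_dnat_rules ... | iptables-restore --test" first and review the output.
gen_dnat_rules() {
    local pub_if=$1 pub_ip=$2 dport=$3 int_ip=$4 int_port=${5:-$3} snat=${6:-}
    if ! is_ipv4 "$pub_ip" || ! is_ipv4 "$int_ip"; then
        echo "gen_dnat_rules: invalid IPv4 address" >&2
        return 1
    fi
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # 1. The DNAT itself. Only the first packet of each connection is evaluated here;
    #    conntrack translates the rest of the flow and un-translates the replies.
    printf '%s\n' "-A PREROUTING -i $pub_if -d $pub_ip -p tcp --dport $dport -j DNAT --to-destination $int_ip:$int_port"
    # 2. Optional: masquerade the forwarded packets so the internal server answers to this
    #    box even when its default gateway is not this box (the lab avoids the need by
    #    setting GATEWAY=10.10.10.12). Cost: the web server's logs then show the NAT box,
    #    not the real client.
    if [ "$snat" = "snat" ]; then
        printf '%s\n' "-A POSTROUTING -d $int_ip -p tcp --dport $int_port -j MASQUERADE"
    fi
    printf '%s\n' 'COMMIT' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # 3. FORWARD sees the packet after DNAT, so match on the internal destination.
    #    Required whenever the FORWARD policy is DROP (as in the production script on this page).
    printf '%s\n' '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $pub_if -d $int_ip -p tcp --dport $int_port -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Usage: print the lab's rule set (nothing is applied; pipe into iptables-restore yourself)
if [ "${1:-}" = "--demo" ]; then
    gen_dnat_rules eth1 20.20.20.12 80 10.10.10.11
fi
```

The FORWARD policy in the generated filter table is DROP on purpose: it shows the rule the lab silently depends on. Drop the "snat" flag whenever the internal host routes back through the NAT box, so the real client address reaches the web server.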
2. Firewall scripts
### --- Firewall scripts
~~~ Export (back up) rules: the iptables-save tool; redirect its output to a file of your choice.
~~~ Import (restore) rules: the iptables-restore tool; redirect the rules file into its standard input.
~~~ The iptables service:
~~~ Init script: /etc/init.d/iptables
~~~ Rules file: /etc/sysconfig/iptables
### --- Changes on CentOS 7 (firewalld is the default; replace it with the iptables service)
~~~ rpm -e --nodeps firewalld
~~~ yum -y install iptables-services
~~~ systemctl start iptables
~~~ systemctl enable iptables
3. Lab topic: backing up and restoring iptables rules
### --- Backing up and restoring iptables rules
### --- Add a rule
[root@server11 ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server11 ~]# iptables -L
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
~~~ Persist it across restarts
[root@server11 ~]# service iptables save
### --- Backing up iptables rules: how to export this rule, for example to carry it to another machine.
[root@server11 ~]# iptables-save >1.iptables
[root@server11 ~]# cat 1.iptables // apart from the timestamp comments, this file has the same content as /etc/sysconfig/iptables.
[root@server11 ~]# iptables -F
### --- Restoring iptables rules
[root@server11 ~]# iptables-restore < 1.iptables
[root@server11 ~]# iptables -L
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
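A practitioner usually wants two checks around this backup/restore cycle: that a backup file is complete before it is handed to iptables-restore, and that the running rules still match what is persisted in /etc/sysconfig/iptables. A plain diff between iptables-save output and the saved file always differs, because iptables-save writes "# Generated by ..." and "# Completed on ..." timestamps and per-chain counters. The helpers below are an added example, not part of the original page; the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original page): validate a saved rules file and detect drift
# between the running rules and the persisted ones. Helper names are this example's own.

# normalize_rules FILE: print the rule set with timestamps, blank lines and counters removed
normalize_rules() {
    sed -E -e '/^# (Generated by|Completed on)/d' \
           -e '/^[[:space:]]*$/d' \
           -e 's/^\[[0-9]+:[0-9]+\] //' \
           -e 's/ \[[0-9]+:[0-9]+\]$//' "$1"
}

# validate_rules_file FILE: succeed only if every *table block is closed by COMMIT, every
# policy or rule line sits inside a table, and at least one table is present. Catches a
# truncated backup before iptables-restore is fed an empty or partial rule set.
validate_rules_file() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/      { if (in_table) bad = 1; in_table = 1; next }
        /^COMMIT$/ { if (!in_table) bad = 1; in_table = 0; tables++; next }
        /^:/ || /^-/ || /^\[/ { if (!in_table) bad = 1; next }
                   { bad = 1 }
        END { exit ((bad || in_table || tables == 0) ? 1 : 0) }
    ' "$1"
}

# rules_drift RUNNING_FILE SAVED_FILE: succeed (exit 0) when the two rule sets differ and
# print the differing lines; exit 1 when they are equivalent. Suitable for a cron job that
# mails you about rules that were changed by hand and never saved.
rules_drift() {
    local a b rc
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    if diff "$a" "$b"; then rc=1; else rc=0; fi
    rm -f "$a" "$b"
    return "$rc"
}

# Live usage (root): check that the running rules are what will come back after a reboot
#   iptables-save > /tmp/running.rules
#   validate_rules_file /etc/sysconfig/iptables && rules_drift /tmp/running.rules /etc/sysconfig/iptables
```

Counters are stripped on both rule lines (the "[pkts:bytes]" prefix written by iptables-save -c) and policy lines, so the comparison is purely about rules and policies.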
4. Replacing firewalld.service with iptables on CentOS 7.x
### --- On CentOS 7.x the default firewall is firewalld.service
[root@server11 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@server11 ~]# systemctl start firewalld.service
[root@server11 ~]# systemctl status firewalld.service
### --- Stop firewalld.service, or uninstall it outright
[root@server11 ~]# systemctl stop firewalld.service
[root@server11 ~]# systemctl disable firewalld.service
[root@server11 ~]# rpm -e --nodeps firewalld // uninstall the firewalld package
### --- Install the iptables service
[root@server11 ~]# yum install -y iptables-services
[root@server11 ~]# systemctl start iptables
[root@server11 ~]# systemctl enable iptables
[root@server11 ~]# iptables -L
[root@server11 ~]# iptables -F
### --- Add a new rule
[root@server11 ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server11 ~]# service iptables save // persist the rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@server11 ~]# systemctl restart iptables // the rule is still there after iptables restarts
[root@server11 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
### --- Important pitfall; use with great care.
[root@server11 ~]# iptables -P INPUT DROP // port 22 is not covered by the port-80 ACCEPT rule, so the moment the default policy becomes DROP the SSH session is cut off, and you need console access to the server to allow it again. Add an ACCEPT for the SSH port (and for RELATED,ESTABLISHED traffic) before switching the policy to DROP.
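The pitfall above has a standard remedy with two parts: put the SSH and established-connection allowances in place before the policy changes, and arm a timer that restores the previous rule set unless you confirm from a fresh SSH login within a grace period. The script below is an added example, not part of the original page. The function names are this example's own, and the iptables command paths are overridable (IPT, IPT_SAVE, IPT_RESTORE) so the procedure can be rehearsed with stubs before it touches a real host.

```bash
#!/bin/bash
# Added example (not from the original page): apply an INPUT DROP policy without locking
# yourself out. Command paths are overridable so the procedure can be rehearsed with stubs;
# the function names are this example's own.

IPT=${IPT:-/sbin/iptables}
IPT_SAVE=${IPT_SAVE:-/sbin/iptables-save}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}

# lockdown_input SSH_PORT: allowances first, policy last. With the page's sequence
# (ACCEPT for 80 only, then -P INPUT DROP) the SSH session dies.
lockdown_input() {
    local ssh_port=${1:-22}
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT
    "$IPT" -P INPUT DROP
}

# start_rollback_timer SECONDS BACKUP: restore BACKUP after SECONDS; prints the timer's PID.
# stdout/stderr are redirected so a caller using $(...) is not blocked by the background job.
start_rollback_timer() {
    (
        trap 'exit 0' TERM          # cancel_rollback sends TERM: leave without restoring
        sleep "$1" & wait $!        # "wait" returns as soon as the trap fires
        "$IPT_RESTORE" < "$2"       # grace period elapsed unconfirmed: roll back
    ) >/dev/null 2>&1 &
    echo $!
}

# cancel_rollback PID: call only after a NEW ssh login has been verified to work
cancel_rollback() {
    kill "$1" 2>/dev/null
}

# safe_lockdown SECONDS SSH_PORT: back up, arm the timer, apply; prints "PID BACKUP_FILE"
safe_lockdown() {
    local backup timer
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    "$IPT_SAVE" > "$backup"
    timer=$(start_rollback_timer "$1" "$backup")
    lockdown_input "$2"
    echo "$timer $backup"
}

# Live usage (root):
#   set -- $(safe_lockdown 120 22)      # $1 = timer PID, $2 = backup file
#   ... open a second SSH session and confirm it connects ...
#   cancel_rollback "$1" && service iptables save
```

If the confirmation never comes (the lockout you were guarding against), the timer feeds the backup to iptables-restore and the old rules, including the ACCEPT policy, are back within the grace period.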
5. iptables script for production (Cloud Computing - Security Defense - 57)
(1) Writing the iptables script. Use with care in production: adapt it to your own system; this is not a standard template.
[root@localhost ~]# vim iptables.sh
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
function support_distro(){
# /etc/issue on CentOS 7 only contains "\S Kernel \r on an \m", so check the release files too
if ! grep -qi "centos" /etc/issue /etc/redhat-release /etc/os-release 2>/dev/null;then
echo "Sorry,iptables script only support centos system now."
exit 1
fi
}
support_distro
echo "==================================iptables configure===================================================================="
# Only support CentOS system
# Get the SSH port (first active Port directive; a "#Port" line is a comment and does not match)
if grep -q "^Port" /etc/ssh/sshd_config;then
sshdport=`grep "^Port" /etc/ssh/sshd_config | awk 'NR==1{print $2}'`
else
sshdport=22
fi
# Get the DNS server IPs (first and second nameserver lines)
if [ -s /etc/resolv.conf ];then
nameserver1=`grep "^nameserver" /etc/resolv.conf | awk 'NR==1{print $2}'`
nameserver2=`grep "^nameserver" /etc/resolv.conf | awk 'NR==2{print $2}'`
fi
IPT="/sbin/iptables"
# Remove existing rules: flush first, then delete the now-empty user-defined chains
# (--delete-chain refuses to remove a chain that still holds rules)
$IPT --flush
$IPT --delete-chain
# Allow the loopback interface and established/related connections before anything else.
# conntrack entries survive the flush, so the SSH session this script runs from is
# re-admitted by the ESTABLISHED rule.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Limit one source IP to 10 concurrent connections on port 80 (inserted at the top of INPUT)
$IPT -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
# Allow 80 (HTTP) / 873 (RSYNC) / 443 (HTTPS) / 20,21 (FTP) / 25 (SMTP)
# Passive-mode FTP data connections also need the ftp conntrack helper: modprobe nf_conntrack_ftp
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow the SSH port: the port detected above, otherwise the default 22
$IPT -A INPUT -p tcp -m tcp --dport $sshdport -j ACCEPT
# Allow ping (echo-request) and the time-exceeded replies that traceroute relies on
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Allow DNS (redundant while the OUTPUT policy is ACCEPT; kept so OUTPUT can be tightened later)
[ ! -z "$nameserver1" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver1 --dport 53 -j ACCEPT
[ ! -z "$nameserver2" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver2 --dport 53 -j ACCEPT
# Default policies last: deny inbound and forwarded traffic, allow outbound.
# Setting INPUT DROP only after the SSH allowance exists avoids locking yourself out.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Save the rules and restart iptables
service iptables save
service iptables restart
echo "==================================iptables configure completed=========================================================="
(2) Run the script
[root@localhost ~]# chmod a+x iptables.sh
[root@localhost ~]# bash iptables.sh
==================================iptables configure====================================================================
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Redirecting to /bin/systemctl restart iptables.service
==================================iptables configure completed==========================================================
[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:http #conn src/32 > 10
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:rsync
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere gateway udp dpt:domain
ACCEPT udp -- anywhere gateway udp dpt:domain // both rules point at the same resolver ("gateway" is the reverse-resolved name): in the run that produced this output both nameserver lookups read the first nameserver line (NR==1), so the second rule duplicates the first instead of covering the second resolver.
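The script reads three inputs from the system (the distribution, the sshd port and the resolvers), and each of its one-liners has a case it gets wrong: /etc/issue on CentOS 7 does not contain the word "centos", sshd_config keywords are case-insensitive and may be indented, sshd listens on every Port line rather than just the first, and resolv.conf may contain comments. The functions below are an added example, not part of the original script; they take the file as an argument so they can be exercised on constructed copies, and their names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original page): the production script's three inputs parsed
# robustly. Each function takes the file as an argument for testing; names are this example's own.

# is_centos [OS_RELEASE_FILE]: ID=centos in /etc/os-release (CentOS 7 ships ID="centos")
is_centos() {
    local f=${1:-/etc/os-release}
    [ -r "$f" ] && grep -qE '^ID="?centos"?$' "$f"
}

# sshd_ports [SSHD_CONFIG]: every active Port directive, one per line; 22 when none is set.
# Matching on the first whitespace-separated field lower-cased handles indentation and
# case, and leaves "#Port 22" alone. sshd listens on ALL listed ports, so a firewall that
# opens only the first one still locks administrators out of the others.
sshd_ports() {
    local f=${1:-/etc/ssh/sshd_config} ports
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$f")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# nameservers [RESOLV_CONF] [MAX]: resolver addresses in file order, at most MAX (default 3,
# the resolver's own limit). Comment lines (# or ;) have a different first field and are skipped.
nameservers() {
    local f=${1:-/etc/resolv.conf} max=${2:-3}
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$f" | head -n "$max"
}

# ssh_accept_rules [SSHD_CONFIG]: the INPUT rules the script should emit, one per sshd port
ssh_accept_rules() {
    local p
    for p in $(sshd_ports "$1"); do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
}

# dns_output_rules [RESOLV_CONF]: one OUTPUT rule per resolver, none duplicated
dns_output_rules() {
    local ns
    for ns in $(nameservers "$1"); do
        printf '%s\n' "-A OUTPUT -p udp -m udp -d $ns --dport 53 -j ACCEPT"
    done
}

# Usage inside the production script: replace the grep/sed/awk lines with
#   is_centos || { echo "centos only"; exit 1; }
#   ssh_accept_rules | while read -r rule; do $IPT $rule; done
#   dns_output_rules | while read -r rule; do $IPT $rule; done
```

Printing the rules rather than applying them keeps the parsers testable without root; the `while read` loop in the usage note is what turns each line into an iptables call.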