iptables
iptables is a packet-filtering firewall
It can only filter on addresses and the transport layer
Address (destination IP, source IP); protocol (IP, ICMP, arp/rarp)
Transport layer (protocol): TCP, UDP
iptables syntax summary
Option   Argument
Source
- -s
- address 192.168.1.2
- subnet 192.168.1.32/27
- network 192.168.1.0/24
- -i inbound interface
- interface name ens33
Destination
- -d
- address 192.168.1.2
- subnet 192.168.1.32/27
- network 192.168.1.0/24
- -o outbound interface
- interface name ens33
Note that -s and -d cannot take an arbitrary address range such as 192.168.1.11---192.168.2.2 (the iprange module further down does that)
Protocol
- -p
- tcp
- --dport destination port
- --sport source port
- udp
- --dport destination port
- --sport source port
- icmp
- --icmp-type
- echo-request  outgoing ping
- echo-reply  the reply
- -j
- SNAT
- DNAT
- MASQUERADE (masquerading)
Because the interface's IP may change under dynamic address assignment, MASQUERADE is bound to the interface instead, so the translated address automatically follows the interface's current IP.
[root@master01 ~]# iptables -t nat -L -n
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
[root@master01 ~]# iptables -t nat -A POSTROUTING -s 172.168.1.0/24 -o ens33 -j MASQUERADE
[root@master01 ~]# iptables -t nat -L -n -v
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 183 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
0 0 MASQUERADE all -- * ens33 172.168.1.0/24 0.0.0.0/0
- ACCEPT (allow through)
- REJECT (refuse, and send back an explanation)
- DROP (refuse silently, with no explanation at all)
- REDIRECT (redirect)
- MARK (tag the data flow)
Modifying nat rules
-R replace; you must specify the chain and the rule number
[root@master01 ~]# iptables -t nat -R PREROUTING 1 -d 192.168.1.2 -p tcp --dport 3000 -i ens33 -j DNAT --to 172.168.1.1
-I insert; you must specify the chain and the rule number
[root@master01 ~]# iptables -t nat -I PREROUTING 1 -d 192.168.1.2 -p tcp --dport 3000 -i ens33 -j DNAT --to 172.168.1.1
-D delete; you must specify the chain and the rule number
[root@master01 ~]# iptables -t nat -D PREROUTING 1
-F flush all rules in a table
[root@master01 ~]# iptables -t filter -F
[root@master01 ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-P change the default policy of a chain
Set it this way and you can no longer connect in
[root@master01 ~]# iptables -P INPUT DROP
[root@master01 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
[root@master01 ~]# iptables -P OUTPUT DROP
[root@master01 ~]# iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
[root@master01 ~]# iptables -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT
OUTPUT needs rules for both directions, out and back
-N define a new chain
-X delete a user-defined chain
NAT forwarding
Requirement 1: let internal hosts reach the Internet through the external interface
Enable IP forwarding
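The default-deny setup above is easy to get locked out by, because the policy is switched to DROP before any ACCEPT rule exists. The script below is an added example, not part of the original notes: it orders the same steps safely and uses the state module (covered at the end of these notes) so replies to allowed connections pass without a separate "--sport 22" rule. It assumes the filter table may be flushed first, that SSH listens on port 22, and that IPT names the iptables binary (point it at a shim to dry-run).

```shell
#!/bin/sh
# Added example (not from the original notes): default-deny without lock-out.
# Assumptions: flushing the filter table is acceptable, SSH is on port 22,
# and IPT is the iptables command (override it with a shim to dry-run).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

apply_default_deny() {
    # 0. Start from an empty filter table; the policy is still ACCEPT here.
    $IPT -t filter -F
    # 1. Replies to connections that were already allowed, in both directions.
    $IPT -t filter -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Loopback, so local services can still talk to each other.
    $IPT -t filter -A INPUT  -i lo -j ACCEPT
    $IPT -t filter -A OUTPUT -o lo -j ACCEPT
    # 3. New inbound SSH sessions; rule 1 carries their replies back out.
    $IPT -t filter -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # 4. Only now, with every ACCEPT in place, is it safe to make DROP the default.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
}

# Apply for real only when asked explicitly:  sh lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_default_deny
fi
```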
[root@master01 ~]# sysctl -a|grep -i forward
net.ipv4.ip_forward = 0
[root@master01 ~]# vim /etc/sysctl.conf
[root@master01 ~]# sysctl -p
net.ipv4.ip_forward = 1
Set up translation of the ens37 addresses out through ens33
[root@master01 ~]# iptables -t nat -A POSTROUTING -s 172.168.1.0/24 -o ens33 -j SNAT --to 192.168.1.2
[root@master01 ~]# iptables -t nat -L POSTROUTING -n
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.168.1.0/24       0.0.0.0/0            to:192.168.1.2
Clear the filter table's packet-filtering rules
An internal host accesses www.baidu.com
[root@iptables01 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.149) 56(84) bytes of data.
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=1 ttl=127 time=53.3 ms
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=2 ttl=127 time=50.9 ms
^C
To check whether the nat rules are right, look at whether any traffic matches them
Requirement 2: the outside wants to connect and log in to an internal server
[root@master01 ~]# iptables -t nat -R PREROUTING 1 -d 192.168.1.2 -p tcp --dport 3389 -i ens33 -j DNAT --to 172.168.1.2
[root@master01 ~]# iptables -t nat -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ens33  *       0.0.0.0/0            192.168.1.2          tcp dpt:3389 to:172.168.1.2
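The notes verify a nat rule by checking whether traffic has matched it. The function below is an added example, not from the original notes: it reads the output of `iptables -t nat -L -n -v` on stdin and lists every rule whose packet counter is still zero, per chain and rule number, so a DNAT or MASQUERADE rule that never fires stands out. The sample listing is constructed from the counters shown earlier on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): list rules that never matched.
# Feed it the output of `iptables -t nat -L -n -v` (or any table's -L -n -v).
# Output line format: CHAIN RULE-NUMBER TARGET SOURCE -> DESTINATION
unmatched_rules() {
    awk '
        /^Chain /         { chain = $2; n = 0; next }  # chain header: reset numbering
        /^ *pkts +bytes/  { next }                      # column header line
        NF == 0           { next }                      # blank line between chains
        {
            n++                                         # rule number within the chain
            # With -v (no -x) busy counters print as e.g. "1234K", which is
            # never all zeros, so only a literal 0 counter is reported.
            if ($1 ~ /^0+$/)
                printf "%s %d %s %s -> %s\n", chain, n, $3, $8, $9
        }'
}

# Constructed sample, assembled from the listings earlier in these notes.
sample_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ens33  *       0.0.0.0/0            192.168.1.2          tcp dpt:3389 to:172.168.1.2

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   183 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
    0     0 MASQUERADE all  --  *      ens33   172.168.1.0/24       0.0.0.0/0
EOF
}

# Stand-alone run: report on the sample.  On a real box use
#   iptables -t nat -L -n -v | unmatched_rules
sample_listing | unmatched_rules
```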
Port forwarding
Because the internal hosts' gateway was set to the NAT box's ens36 IP address, a lot of steps were skipped; now the internal host does not use that gateway, so we do port forwarding instead
My own understanding: DNAT first translates the destination address to the NAT box, then SNAT translates the address again, and only then does port forwarding work. Deploy httpd on the NAT box and nginx on the server host; a request to port 80 through the NAT box is redirected to the backend nginx, which achieves port forwarding
[root@master01 ~]# iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp --dport 80 -i ens33 -j DNAT --to 172.168.1.2:80
[root@master01 ~]# iptables -t nat -A POSTROUTING -d 172.168.1.2 -p tcp --dport 80 -j SNAT --to-source 172.168.1.1
[root@master01 ~]# iptables-save |grep 172
-A PREROUTING -d 192.168.1.2/32 -i ens33 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.168.1.2
-A POSTROUTING -d 172.168.1.2/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 172.168.1.1
-A FORWARD -s 172.168.1.0/24 -o ens33 -m string --string "baidu" --algo kmp --to 65535 --icase -j DROP
Testing
[root@node1 ~]# curl -I 192.168.1.2
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 19 Aug 2020 14:58:03 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 15:07:31 GMT
Connection: keep-alive
ETag: "5e9f0c33-264"
Accept-Ranges: bytes
[root@master01 ~]# curl -I 192.168.1.2
HTTP/1.1 403 Forbidden
Date: Wed, 19 Aug 2020 17:07:24 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
filter table
INPUT (inbound) [others accessing you]
Install httpd and iptables-services, and start each service
Opening the address in a browser fails: iptables has not opened port 80 for access
[root@master01 ~]# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 807 packets, 59771 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
[root@master01 ~]# iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@master01 ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Block ping
[root@master01 ~]# iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
[root@iptables01 ~]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
^C
[root@iptables01 ~]# ping 172.168.1.1
PING 172.168.1.1 (172.168.1.1) 56(84) bytes of data.
^C
[root@iptables01 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.150) 56(84) bytes of data.
64 bytes from 220.181.38.150 (220.181.38.150): icmp_seq=1 ttl=127 time=60.8 ms
64 bytes from 220.181.38.150 (220.181.38.150): icmp_seq=2 ttl=127 time=51.5 ms
^C
FORWARD (forwarding) [filters traffic passing through the firewall]
Traffic that passes through NAT translation
Forbid a certain address from using DNS resolution
[root@iptables01 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.149) 56(84) bytes of data.
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=1 ttl=127 time=50.4 ms
^C
[root@master01 ~]# iptables -t filter -A FORWARD -s 172.168.1.2 -p udp --dport 53 -j DROP
[root@master01 ~]# iptables -t filter -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  172.168.1.2          0.0.0.0/0            udp dpt:53
[root@iptables01 ~]# ping www.baidu.com
^C
Forbid a certain address from accessing port 80
OUTPUT (outbound) [you accessing others]
Block ping [you cannot ping others]
[root@master01 ~]# iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request -j DROP
[root@master01 ~]# iptables -t filter -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
[root@master01 ~]# ping 172.168.1.1
PING 172.168.1.1 (172.168.1.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 172.168.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms
[root@master01 ~]# ping 172.168.1.2
PING 172.168.1.2 (172.168.1.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
mangle [modifies packet attributes]
Common modules
MASQUERADE  address masquerading module
mac  MAC address filtering module
- Filtering is usually based on IP address, but an IP address is a logical address: if you block a certain address, the host can change its address and get in again, so use the mac module
1. Block all communication from MAC address 00:0c:29:13:db:31
[root@master01 ~]# iptables -t filter -A INPUT -m mac --mac-source 00:0c:29:13:db:31 -j DROP
2. Forbid MAC address 00:0c:29:13:db:31 from accessing port 22
[root@master01 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -m mac --mac-source 00:0c:29:13:db:31 -j DROP
3. Allow the host with IP address 192.168.1.21 and MAC address XX:XX:XX:XX:XX:XX to communicate, and reject all other hosts:
iptables -A INPUT -s 192.168.1.21 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -P INPUT DROP
4. Deny DNS service to a certain MAC address
[root@iptables01 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.150) 56(84) bytes of data.
64 bytes from 220.181.38.150 (220.181.38.150): icmp_seq=1 ttl=127 time=49.9 ms
^C
iprange  IP range module
[root@master01 ~]# iptables -m iprange --help
iprange match options:
[!] --src-range ip[-ip]    Match source IP in the specified range
[!] --dst-range ip[-ip]    Match destination IP in the specified range
[root@iptables01 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=69.5 ms
^C
[root@master01 ~]# iptables -t filter -A FORWARD -m iprange --src-range 172.168.1.1-172.168.1.8 -o ens33 -j DROP
[root@iptables01 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
^C
string  string module
Used to filter on a specific string inside a domain name
[root@master01 ~]# iptables -m string --help
string match options:
--from                       Offset to start searching from
--to                         Offset to stop searching
--algo                       Algorithm
--icase                      Ignore case (default: 0)
[!] --string string          Match a string in a packet
[!] --hex-string string      Match a hex string in a packet
--algo  the search algorithm
--icase  ignore case
--string  the string to match
1. Any access whose domain name contains the string baidu is denied
[root@iptables01 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.150) 56(84) bytes of data.
64 bytes from 220.181.38.150 (220.181.38.150): icmp_seq=1 ttl=127 time=50.5 ms
^C
[root@master01 ~]# iptables -t filter -A FORWARD -s 172.168.1.0/24 -o ens33 -m string --string baidu --algo kmp --icase -j DROP
[root@master01 ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  172.168.1.0/24       0.0.0.0/0            STRING match  "baidu" ALGO name kmp TO 65535 ICASE
[root@iptables01 ~]# ping www.baidu.com
^C
time  time module
[root@iptables01 ~]# iptables -m time --help
time match options:
    --datestart time     Start and stop time, to be given in ISO 8601
    --datestop  time     (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
    --timestart time     Start and stop daytime (hh:mm[:ss])
    --timestop  time     (between 00:00:00 and 23:59:59)
[!] --monthdays value    List of days on which to match, separated by comma
                         (Possible days: 1 to 31; defaults to all)
[!] --weekdays value     List of weekdays on which to match, sep. by comma
                         (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
                         Defaults to all weekdays.)
    --kerneltz           Work with the kernel timezone instead of UTC
1. Monday to Friday, 8:00-18:00 every day, no Internet access
[root@iptables01 ~]# iptables -t filter -A FORWARD -s 172.168.1.0/24 -m time --timestart 08:00 --timestop 18:00 --weekdays 1,2,3,4,5 -o ens33 -j DROP
[root@iptables01 ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  172.168.1.0/24       0.0.0.0/0            TIME from 08:00:00 to 18:00:00 on Mon,Tue,Wed,Thu,Fri UTC
[root@iptables01 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.150) 56(84) bytes of data.
64 bytes from 220.181.38.150 (220.181.38.150): icmp_seq=1 ttl=127 time=50.8 ms
64 bytes from 220.181.38.150 (220.181.38.150): icmp_seq=2 ttl=127 time=53.2 ms
We find that Internet access still works; the cause is the time: the listing above says UTC, so the 08:00-18:00 window is evaluated in UTC rather than in local time (see the --kerneltz option in the help output)
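To make the time match line up with the local working day, either shift the window into UTC or add --kerneltz and keep local times. The helper below is an added example, not from the original notes: it converts the window by a whole-hour UTC offset (UTC_OFFSET_HOURS is an assumption, 8 for UTC+8) and emits the FORWARD rule from the notes; when the converted window would cross UTC midnight, where the weekday list would also have to shift, it falls back to the --kerneltz form instead.

```shell
#!/bin/sh
# Added example (not from the original notes): build the time-module rule so
# the 08:00-18:00 window means local time.  UTC_OFFSET_HOURS is an assumption
# (whole hours; 8 for UTC+8, -5 for UTC-5).
UTC_OFFSET_HOURS="${UTC_OFFSET_HOURS:-8}"

# to_utc HH:MM  -> the same wall-clock time expressed in UTC, HH:MM.
to_utc() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}                                  # "08" -> "8": avoids octal parsing in $(( ))
    h=$(( (h - ($UTC_OFFSET_HOURS) + 24) % 24 ))
    printf '%02d:%s\n' "$h" "$m"
}

# time_rule SOURCE START STOP WEEKDAYS -> the iptables command to run.
# Example: time_rule 172.168.1.0/24 08:00 18:00 1,2,3,4,5
time_rule() {
    src=$1; start=$(to_utc "$2"); stop=$(to_utc "$3"); days=$4
    if [ "$start" \> "$stop" ]; then
        # Window crosses UTC midnight: the UTC weekday differs from the local
        # one for part of it, so let the kernel evaluate local time instead.
        printf 'iptables -t filter -A FORWARD -s %s -m time --timestart %s --timestop %s --weekdays %s --kerneltz -o ens33 -j DROP\n' \
            "$src" "$2" "$3" "$days"
    else
        printf 'iptables -t filter -A FORWARD -s %s -m time --timestart %s --timestop %s --weekdays %s -o ens33 -j DROP\n' \
            "$src" "$start" "$stop" "$days"
    fi
}

# Stand-alone run: print the corrected version of the rule from the notes.
time_rule 172.168.1.0/24 08:00 18:00 1,2,3,4,5
```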
state  connection state module
[root@master01 ~]# iptables -m state --help
state match options:
[!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
                                State(s) to match
