10.15 iptables filter table: a small case
iptables options used here:
-F  flush the rules (every chain of the table; the chains themselves stay)
-t  select the table; without -t the filter table is assumed
-Z  zero the packet and byte counters
-A  append a rule at the end of a chain
-I  insert a rule at the head of a chain (rules are matched top-down, the first match wins)
-D  delete a rule
-P  set a chain's default policy, i.e. what happens to packets that match no rule
-nvL  list the table (-L list, -n numeric addresses and ports without DNS lookups, -v counters and interfaces)
service iptables save  saves the in-memory rules to /etc/sysconfig/iptables, which is loaded again at boot (on CentOS 7 this needs the iptables-services package and firewalld disabled)
--line-numbers  shows each rule's number in the iptables -nvL output; with the number known a rule can be deleted by number (iptables -D INPUT 3) instead of repeating its full match specification
iptables small case
Requirements:
1 allow ports 80 and 21
2 port 22 is reachable only from a specified IP range; everything else is dropped (the INPUT policy will be DROP)
Steps:
[root@hyc-01-01 ~]# vim /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"   # used repeatedly below, so keep the binary in a variable; write the absolute path so the script also works from cron or at boot, where PATH may differ
$ipt -F                    # flush the filter table's rules
$ipt -P INPUT DROP         # filter table: default policy for INPUT is DROP
$ipt -P OUTPUT ACCEPT      # OUTPUT and FORWARD keep a default policy of ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -i lo -j ACCEPT   # not in the original script: with INPUT DROP, services that talk to each other over 127.0.0.1 would otherwise be blocked
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow packets in state RELATED or ESTABLISHED; without this the replies to connections we allow (and to our own outbound connections) would be dropped
$ipt -A INPUT -s 192.168.31.0/24 -p tcp --dport 22 -j ACCEPT
# allow tcp packets from source 192.168.31.0/24 to destination port 22 (the NAT segment of this lab, as the output below shows)
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT   # allow tcp to destination ports 80 and 21 from anywhere
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
[root@hyc-01-01 ~]# sh /usr/local/sbin/iptables.sh   # run the script; do this from the console or from a host inside 192.168.31.0/24, otherwise the SSH session you run it from is cut off the moment the INPUT policy becomes DROP
[root@hyc-01-01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 66 4548 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT tcp -- * * 192.168.31.0/24 0.0.0.0/0 tcp dpt:22
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 41 packets, 7392 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD_IN_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_IN_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
The chains from FORWARD_IN_ZONES down to OUTPUT_direct were created by firewalld and survived the -F (it flushes chains but does not delete them). Each shows 0 references, so nothing jumps into them and they have no effect on the policy above; iptables -X removes empty user-defined chains if the clutter bothers you.
icmp case
[root@hyc-01-01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
ICMP type 8 is echo-request (--icmp-type echo-request is accepted too). Inserted with -I at the head of INPUT, the rule drops incoming pings before any other rule is consulted: this machine can still ping outside hosts (the echo-reply it gets back is type 0 and belongs to an ESTABLISHED conntrack entry, so it is not matched), but outside hosts can no longer ping it.
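As an added example (my own, not the course's iptables.sh) the same policy as the script in this section, but generated in iptables-restore syntax and loaded in one atomic step, with a guard that refuses to run when the SSH client executing it sits outside the admin segment and would be locked out. It assumes the admin segment 192.168.31.0/24, services on tcp/80 and tcp/21, that iptables-restore is available (it ships with the iptables package), and that an SSH session exposes its client address in $SSH_CLIENT. -m conntrack --ctstate is the current name of the -m state match used on the page; the effect is the same.

```shell
#!/bin/sh
# Added example, not the course's script: filter policy as an iptables-restore
# ruleset, loaded atomically, with a lock-out guard for the SSH session running it.
# Assumed: admin segment 192.168.31.0/24, services tcp/80 and tcp/21.
ADMIN_NET="192.168.31.0/24"

# ip4_to_int A.B.C.D -> the address as a decimal integer
ip4_to_int() {
    saved_ifs="$IFS"; IFS=.; set -- $1; IFS="$saved_ifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> success when IP lies inside NET/BITS
in_cidr() {
    cidr_bits="${2#*/}"
    cidr_mask=$(( (4294967295 << (32 - cidr_bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & cidr_mask )) -eq $(( $(ip4_to_int "${2%/*}") & cidr_mask )) ]
}

# gen_filter_rules ADMIN_CIDR PORT... -> the filter table in iptables-restore syntax
gen_filter_rules() {
    admin="$1"; shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # local services talk over 127.0.0.1
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A INPUT -s $admin -p tcp --dport 22 -j ACCEPT"   # ssh only from the admin segment
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"      # public services
    done
    printf '%s\n' 'COMMIT'
}

# apply_filter_rules: refuse when the SSH client running this is outside the admin segment
apply_filter_rules() {
    ssh_client="${SSH_CLIENT%% *}"
    if [ -n "$ssh_client" ] && ! in_cidr "$ssh_client" "$ADMIN_NET"; then
        echo "refusing: SSH client $ssh_client is outside $ADMIN_NET and would be locked out" >&2
        return 1
    fi
    # iptables-restore swaps the whole table in one step: no moment with a DROP policy and no rules
    gen_filter_rules "$ADMIN_NET" 80 21 | iptables-restore
}

case "${1:-}" in
    --print) gen_filter_rules "$ADMIN_NET" 80 21 ;;   # review the ruleset without touching the kernel
    --apply) apply_filter_rules ;;                     # load it (as root)
esac
```

Run it with --print first and read the ruleset; --apply loads it. Because iptables-restore replaces the filter table as a whole, the order of -F and -P no longer matters and there is no window in which the policy is DROP but the ESTABLISHED rule is not yet in place.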
10.16 iptables nat table application (part 1)
Requirement: machine B reaches the internet through machine A
Steps:
hyc-01-01 is machine A
Add an internal NIC to hyc-01-01:
in VMware select the VM hyc-01-01, right-click -> Settings ->
click Add, choose Network Adapter, Next ->
keep the defaults, Finish ->
select the new adapter and set its Network connection to LAN segment ->
click the LAN Segments button below to add a new LAN segment ->
pick the newly created segment in the LAN segment drop-down ->
OK
hyc-01 is machine B
select hyc-01, right-click -> Settings ->
select its network adapter, change Network connection to LAN segment and pick the segment just created
hyc-01 should now drop out of Xshell: it is no longer on the NAT segment and has no path to the Windows host
Set an IP on machine A's internal NIC
1 Permanent
copy the ifcfg-ens33 configuration file to ifcfg-ens37;
ifcfg-ens37 needs no gateway or DNS entries;
take care with the MAC address line: simply delete it (a MAC must not appear twice);
change the NIC name, IP address and similar fields in the file;
2 Lost at reboot
set it by hand on the command line
[root@hyc-01-01 ~]# ifconfig ens37 192.168.100.1/24
[root@hyc-01-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.31.129 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::d46b:4589:4da1:2f34 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:9d:95 txqueuelen 1000 (Ethernet)
RX packets 320 bytes 30767 (30.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 324 bytes 31408 (30.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::375d:175d:e671:f6ad prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:9d:9f txqueuelen 1000 (Ethernet)
RX packets 42 bytes 2520 (2.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 101 bytes 17646 (17.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 72 bytes 5736 (5.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 72 bytes 5736 (5.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Give hyc-01's internal NIC an IP in the same segment as hyc-01-01
This has to be typed on the VM console: hyc-01 can no longer be reached through Xshell
[root@hyc-01 ~]# ifconfig ens33 192.168.100.2/24
Connectivity test between the internal NICs of A and B
[root@hyc-01-01 ~]# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=5.80 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=0.597 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=64 time=0.664 ms
10.17 iptables nat table application (part 2)
Machine A
NAT NIC: 192.168.31.129/24
internal NIC: 192.168.100.1/24
Machine B
internal NIC: 192.168.100.2/24
At this point 100.1 and 100.2 reach each other, the Windows host cannot ping either internal NIC, and neither internal NIC can reach the internet.
Steps:
Enable IP forwarding:
change the kernel parameter so machine A forwards packets between its interfaces (the course calls this port forwarding; it is plain IP forwarding, i.e. routing, not a per-port setting)
[root@hyc-01-01 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@hyc-01-01 ~]# echo "1"> !$
echo "1"> /proc/sys/net/ipv4/ip_forward
[root@hyc-01-01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
0 means the machine does not forward, 1 means it does. Writing to /proc takes effect immediately but is lost at reboot; for a permanent setting put net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and run sysctl -p.
Add the rule that lets the internal segment reach the internet:
[root@hyc-01-01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
MASQUERADE rewrites the source address of packets from 192.168.100.0/24 that leave through ens33 to whatever address ens33 currently has; conntrack remembers the mapping and rewrites the replies back to the internal host. -o ens33 makes sure only traffic leaving via the NAT NIC is rewritten.
[root@hyc-01-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 2646 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
188 14240 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
188 14240 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
187 14156 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
1 84 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (2 references)
pkts bytes target prot opt in out source destination
188 14240 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
12 2646 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (2 references)
pkts bytes target prot opt in out source destination
12 2646 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
Make machine A's internal NIC address the default gateway of machine B
[root@hyc-01 ~]# route add default gw 192.168.100.1
[root@hyc-01 ~]# route -n   # check the gateway; this route is also lost at reboot, put GATEWAY=192.168.100.1 in B's ifcfg file to keep it
Set DNS and test connectivity
pinging the upstream gateway 192.168.31.1 works;
after setting DNS, pinging the DNS server's address works;
pinging a domain name fails with a DNS resolution error?
10.18 iptables nat table application (part 3)
Requirement 2: hyc-01, which only has an internal address, can be logged into remotely through A
Steps:
Enable IP forwarding
[root@hyc-01-01 ~]# echo "1"> /proc/sys/net/ipv4/ip_forward
Add nat rules (delete the MASQUERADE rule from the previous step first, e.g. iptables -t nat -F, so the two sets of rules do not overlap)
[root@hyc-01-01 ~]# iptables -t nat -A PREROUTING -d 192.168.31.129 -p tcp --dport 1122 -j DNAT --to 192.168.100.2:22
In PREROUTING, packets for destination 192.168.31.129 tcp port 1122 get their destination rewritten to 192.168.100.2 port 22. PREROUTING runs before the routing decision, so the rewritten packet is routed out of the internal NIC to B; conntrack reverses the rewrite on B's replies, so the client only ever sees 192.168.31.129:1122, while B's sshd sees the client's real source address.
[root@hyc-01-01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to 192.168.31.129
In POSTROUTING, packets from source 192.168.100.2 get their source rewritten to 192.168.31.129. This is the fixed-address counterpart of the MASQUERADE rule and is what keeps B's own outbound connections working; it is not needed for the DNAT replies, which conntrack already handles. Adding -o ens33 would restrict it to packets leaving through the NAT NIC.
Configure the gateway on hyc-01
[root@hyc-01 ~]# route add default gw 192.168.100.1
Test
In Xshell open a session to 192.168.31.129, port 1122: OK -> Connect. The login prompt that answers is hyc-01's sshd on 192.168.100.2:22.
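The NAT gateway of 10.17 and the port forward of 10.18, as one added example (mine, not the course's commands): the nat table and the FORWARD chain are generated in iptables-restore syntax and loaded together, ip_forward is made persistent, the SNAT rule is bound to the WAN interface, and FORWARD gets a DROP policy with explicit exceptions instead of the ACCEPT policy the page leaves in place (with ACCEPT, any host that points a route at A can be forwarded anywhere). Assumed names: WAN_IF=ens33 (NAT segment), LAN_IF=ens37 (internal segment), WAN_IP=192.168.31.129, LAN_NET=192.168.100.0/24 and the sysctl file path; the forwarding check takes its file as a parameter so it can be exercised against a test file.

```shell
#!/bin/sh
# Added example, not part of the course notes: machine A as NAT gateway for the
# internal segment plus DNAT of WAN_IP:1122 to hyc-01:22, as one iptables-restore
# ruleset. Interface names, addresses and SYSCTL_FILE are assumptions.
WAN_IF="ens33"
LAN_IF="ens37"
WAN_IP="192.168.31.129"
LAN_NET="192.168.100.0/24"
SYSCTL_FILE="/etc/sysctl.d/90-ipforward.conf"

# forwarding_enabled [FILE]: succeed when the kernel's forwarding switch reads 1
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# enable_forwarding: on now and at every boot (echo 1 > /proc/... alone is lost at reboot)
enable_forwarding() {
    echo 'net.ipv4.ip_forward = 1' > "$SYSCTL_FILE"
    sysctl -p "$SYSCTL_FILE" >/dev/null
}

# each_triple FUNC FWD_PORT TARGET_IP TARGET_PORT ... : call FUNC once per triple
each_triple() {
    fn="$1"; shift
    while [ $# -ge 3 ]; do "$fn" "$1" "$2" "$3"; shift 3; done
}

# DNAT happens in PREROUTING, before routing, so the rewritten packet is routed to the LAN
dnat_line() {
    printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}

# FORWARD sees the packet after DNAT, so the exception matches TARGET_IP:TARGET_PORT
forward_line() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# gen_ruleset [FWD_PORT TARGET_IP TARGET_PORT]... -> nat table and FORWARD chain
gen_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    each_triple dnat_line "$@"
    # fixed-address SNAT for everything the LAN sends out of the WAN NIC; MASQUERADE would
    # do the same job if ens33 got its address by DHCP. -o keeps other traffic untouched.
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP" 'COMMIT'
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"   # LAN may go out
    each_triple forward_line "$@"                                            # published services may come in
    printf '%s\n' 'COMMIT'
}

# apply_ruleset [triples...]: make sure forwarding is on, then load everything atomically
apply_ruleset() {
    forwarding_enabled || enable_forwarding
    gen_ruleset "$@" | iptables-restore
}

case "${1:-}" in
    --print) shift; gen_ruleset "$@" ;;     # e.g. --print 1122 192.168.100.2 22
    --apply) shift; apply_ruleset "$@" ;;   # same arguments, as root
esac
```

Note that iptables-restore flushes every table it lists before loading it, so the *filter section here also empties INPUT and OUTPUT; when the INPUT rules of 10.15 are managed on the same machine, put both chains' rules into the one *filter section of the same file rather than loading two files.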