1. Reject pings from all hosts to the current host
#Check the current iptables rules on the system
[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
#Add the rule
[root@centos8 ~]# iptables -A INPUT -p icmp -j REJECT
Verification:
[root@centos7 ~]# ping 10.0.0.24
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
From 10.0.0.24 icmp_seq=1 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
^C
--- 10.0.0.24 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 10ms
2. This host can access HTTP services on other machines, but other machines cannot access this host
#Environment setup, this host
[root@centos8 ~]# iptables -F
[root@centos8 ~]# dnf install -y httpd
[root@centos8 ~]# echo "This is a test page,`date`!" > /var/www/html/index.html
[root@centos8 ~]# systemctl start httpd
#Environment setup, the other host
[root@centos8-mini ~]# curl 10.0.0.24
This is a test page,Sat Sep 19 09:48:20 CST 2020!
#Set up httpd on the other host as well, then add the rule on this host
[root@centos8-mini ~]# iptables -F
[root@centos8-mini ~]# dnf install -y httpd
[root@centos8-mini ~]# echo "Who travels for love finds a thousand miles not loger than one." > /var/www/html/index.html
[root@centos8-mini ~]# systemctl start httpd
[root@centos8 ~]# iptables -A INPUT -p tcp --dport 80 -j REJECT
#Verification
[root@centos8 ~]# curl 10.0.0.23
Who travels for love finds a thousand miles not loger than one.
[root@centos8-mini ~]# curl 10.0.0.24
curl: (7) Failed to connect to 10.0.0.24 port 80: Connection refused
3. Implement a limit on maximum concurrent connections
When we notice an IP attacking us, we can control it by setting firewall rules, so we can add the connlimit module to cap the number of concurrent connections per source.
[root@centos8 ~]# iptables -F
[root@centos8 ~]# iptables -A INPUT -s 10.0.0.1 -j ACCEPT
[root@centos8 ~]# iptables -A INPUT -m connlimit --connlimit-above 8 -j REJECT
[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
284 17472 ACCEPT all -- * * 10.0.0.1 0.0.0.0/0
282 23688 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 8 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Verification:
#The client launches 10 pings at the same time
[root@centos8-mini ~]# for i in {1..10}; do
> ping -c5 10.0.0.24 &
> done
[1] 1938
[2] 1939
[3] 1940
[4] 1941
[5] 1942
[6] 1943
[7] 1944
[8] 1945
[9] 1946
[10] 1947
[root@centos8-mini ~]# PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.355 ms
From 10.0.0.24 icmp_seq=1 Destination Port Unreachable
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.245 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.408 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=36.10 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.673 ms
From 10.0.0.24 icmp_seq=1 Destination Port Unreachable
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=1.97 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.274 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.302 ms
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=3 Destination Port Unreachable
From 10.0.0.24 icmp_seq=4 Destination Port Unreachable
From 10.0.0.24 icmp_seq=5 Destination Port Unreachable
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 19ms
rtt min/avg/max/mdev = 36.962/36.962/36.962/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 15ms
rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 13ms
rtt min/avg/max/mdev = 0.408/0.408/0.408/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 11ms
rtt min/avg/max/mdev = 1.973/1.973/1.973/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 14ms
rtt min/avg/max/mdev = 0.673/0.673/0.673/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 15ms
rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 17ms
rtt min/avg/max/mdev = 0.245/0.245/0.245/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +3 errors, 80% packet loss, time 18ms
rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 0 received, +2 errors, 100% packet loss, time 14ms
--- 10.0.0.24 ping statistics ---
5 packets transmitted, 0 received, +1 errors, 100% packet loss, time 24ms
^C
[1] Exit 1 ping -c5 10.0.0.24
[2] Done ping -c5 10.0.0.24
[3] Done ping -c5 10.0.0.24
[4] Done ping -c5 10.0.0.24
[5] Exit 1 ping -c5 10.0.0.24
[6] Done ping -c5 10.0.0.24
[7] Done ping -c5 10.0.0.24
[8] Done ping -c5 10.0.0.24
[9]- Done ping -c5 10.0.0.24
[10]+ Done ping -c5 10.0.0.24
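The connlimit setup from section 3 as an idempotent script; this is an added example, not code from the original notes. It assumes a trusted address that must never be limited (10.0.0.1 on the page) and a per-source ceiling (8), and adds --connlimit-mask so the same rule can count a whole subnet as one source.

```shell
#!/bin/sh
# Added example, not from the original notes: the section 3 connlimit setup as
# an idempotent script. Assumptions: a trusted address that must never be
# limited (10.0.0.1 in the notes) and a per-source connection ceiling (8).
set -eu

# Run iptables, or only print the command when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Append a rule only if an identical one is not already in the chain;
# "iptables -C" exits non-zero when the rule is missing.
add_rule() {
    ar_chain="$1"; shift
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C "$ar_chain" "$@" 2>/dev/null; then
        run -A "$ar_chain" "$@"
    fi
}

# connlimit_rules TRUSTED_IP LIMIT [MASK]
# 1. Accept everything from TRUSTED_IP so the admin host is never locked out.
# 2. Reject a packet once its source already holds more than LIMIT entries in
#    conntrack. MASK (default 32) groups sources: 24 counts a whole /24 as one.
#    As on the page, this matches all protocols, which is why the test with
#    10 parallel ping clients saw "Destination Port Unreachable" replies.
connlimit_rules() {
    cr_trusted="$1"; cr_limit="$2"; cr_mask="${3:-32}"
    add_rule INPUT -s "$cr_trusted" -j ACCEPT
    add_rule INPUT -m connlimit --connlimit-above "$cr_limit" \
        --connlimit-mask "$cr_mask" -j REJECT
}

# Show how many conntrack entries each source currently holds, so LIMIT can
# be checked against real traffic before the rule is enforced.
top_sources() {
    # The kernel exports conntrack at /proc/net/nf_conntrack; the first "src="
    # field on a line is the original-direction source. Argument: file to read.
    awk '/src=/ { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print $i; break } }' \
        "${1:-/proc/net/nf_conntrack}" | sort | uniq -c | sort -rn
}
```

Run `DRY_RUN=1 sh -c '. ./connlimit.sh; connlimit_rules 10.0.0.1 8'` to see the commands without changing the firewall.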
4. Practice exercise
Experiment prerequisites:

| Hostname | IP address | Role |
|---|---|---|
| A7 | 192.168.72.130 (host-only) eth0 | Internet server |
| A8 | 192.168.72.128 (host-only) eth1 / 10.0.0.13 (NAT) eth0; the NAT device has one IP facing the external network and one facing the internal network | Firewall / NAT device |
| B8 | 10.0.0.24 (NAT) eth0 | LAN server |

Business requirement:
I am away on a business trip using the Internet host A7, but company business now requires me to ssh into the internal network, so I contact a colleague at the company to configure the relevant rules on the firewall so that I can connect into the company's internal network.
4.1 Simulate the business scenario environment
#Host A7
[root@A7 ~]# hostname -I
192.168.72.130
[root@A7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=192.168.72.130
PREFIX=24
GATEWAY=192.168.72.128
ONBOOT=yes
[root@A7 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.72.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.72.128 0.0.0.0 UG 0 0 0 eth0
#Host A8
[root@A8 ~]# hostname -I
10.0.0.13 192.168.72.128
[root@A8 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NAME=eth1
BOOTPROTO=static
IPADDR=192.168.72.128
PREFIX=24
GATEWAY=
ONBOOT=yes
[root@A8 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.2 0.0.0.0 UG 102 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
192.168.72.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
#Host B8
[root@B8 ~]# hostname -I
10.0.0.24
[root@B8 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.24
PREFIX=24
GATEWAY=10.0.0.13
DNS1=10.0.0.13
DNS2=114.114.114.114
ONBOOT=yes
4.2 Test whether the three hosts can reach each other
#A7
[root@A7]# ping 10.0.0.24 -c1
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
64 bytes from 10.0.0.24: icmp_seq=1 ttl=63 time=1.21 ms
--- 10.0.0.24 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 1.219/1.219/1.219/0.000 ms
#B8
[root@B8 ~]# ping baidu.com -c1
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=128 time=16.10 ms
--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.994/16.994/16.994/0.000 ms
[root@B8 ~]# ping 192.168.72.130 -c1
PING 192.168.72.130 (192.168.72.130) 56(84) bytes of data.
64 bytes from 192.168.72.130: icmp_seq=1 ttl=63 time=0.475 ms
--- 192.168.72.130 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.475/0.475/0.475/0.000 ms
4.3 Configuration to meet the business requirement
#Enable packet forwarding on A8
[root@A8 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@A8 ~]# sysctl -p
net.ipv4.ip_forward = 1
#Configure the firewall on A8 so that only A7 can ssh to B8 (the rules below match A7's whole subnet, 192.168.72.0/24)
[root@A8 ~]# iptables -A FORWARD -j REJECT
[root@A8 ~]# iptables -I FORWARD -s 192.168.72.0/24 -p tcp --dport 22 -j ACCEPT
[root@A8 ~]# iptables -I FORWARD 2 -d 192.168.72.0/24 -p tcp --sport 22 -j ACCEPT
[root@A8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 30 packets, 1776 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28 3573 ACCEPT tcp -- * * 192.168.72.0/24 0.0.0.0/0 tcp dpt:22
17 4569 ACCEPT tcp -- * * 0.0.0.0/0 192.168.72.0/24 tcp spt:22
30 2104 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 26 packets, 2148 bytes)
pkts bytes target prot opt in out source destination
Verification:
[root@A7 ~]# ssh 10.0.0.24
ssh: connect to host 10.0.0.24 port 22: Connection timed out
[root@A7]# ssh 10.0.0.24
The authenticity of host '10.0.0.24 (10.0.0.24)' can't be established.
RSA key fingerprint is 23:cf:76:41:d8:73:dc:36:e5:2e:70:b2:ef:f3:36:3a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.24' (RSA) to the list of known hosts.
root@10.0.0.24's password:
Last login: Sat Sep 19 15:45:12 2020 from 10.0.0.1
[root@B8 ~]# hostname -I
10.0.0.24
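The A8 firewall configuration from 4.3 as a script; this is an added example, not the original notes' commands. It assumes the outside network, inside host and port are passed as arguments (192.168.72.0/24, 10.0.0.24 and 22 here) and goes beyond the page in two ways: the reply rule matches conntrack state instead of "--sport 22", and the accepted destination is pinned to the one internal server.

```shell
#!/bin/sh
# Added example, not from the original notes: the A8 configuration of 4.3 as a
# script with stateful rules. Assumptions: outside network, inside host and
# port are arguments (192.168.72.0/24, 10.0.0.24, 22 in the notes).
set -eu

# Run iptables, or only print the command when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# forward_rules OUTSIDE_NET INSIDE_HOST PORT
# The chain is flushed and rebuilt so rule order is deterministic (order
# matters: the final REJECT must come last). Differences from the page:
#  - replies are accepted by conntrack state, not by "--sport 22", so an
#    outside host cannot get arbitrary traffic forwarded by sending from
#    source port 22;
#  - new connections are accepted only to INSIDE_HOST, so the outside network
#    reaches that one server on PORT rather than every internal host.
forward_rules() {
    fr_out="$1"; fr_in="$2"; fr_port="$3"
    run -F FORWARD
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -s "$fr_out" -d "$fr_in" -p tcp --dport "$fr_port" \
        -m conntrack --ctstate NEW -j ACCEPT
    run -A FORWARD -j REJECT
}

# Forwarding must be enabled in the kernel (net.ipv4.ip_forward=1 via
# sysctl, as on the page) or no FORWARD rule is ever consulted. Returns 0 if
# /proc, or the file given as argument for testing, says it is on.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}
```

Check `forwarding_enabled` before `forward_rules`; the timed-out ssh attempt in the verification above is what a ruleset with forwarding still off looks like from A7.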