iptables nat表应用

nat表应用案例:

A机器两块网卡ens33(192.168.141.128)、ens37(192.168.100.1),ens33可以上外网,ens37仅仅是内部网络,B机器只有ens37(192.168.100.100),和A机器ens37可以通信互联。

需求:可以让B机器连接外网

解决方法:
1.我们拿虚拟机来做实验,机器A需要两块网卡ens33(192.168.141.128)、ens37(192.168.100.1),机器B只有一块网卡ens37(192.168.100.100)。把之前设置好的两台虚拟机都增加一块网卡,机器B把原有的网卡停止掉,使其开机不启动。
2.两台机器启动后,我们需要为新添加的网卡配置IP地址,A为192.168.100.1,B为192.168.100.100,并把B的网关设置为192.168.100.1。
3. A机器上打开路由转发: echo "1" > /proc/sys/net/ipv4/ip_forward
4. A上执行 iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE


## 机器A可以远程登录,设置ip地址 ##
[root@linux-001 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.141.128  netmask 255.255.255.0  broadcast 192.168.141.255
        inet6 fe80::8db4:d867:92de:d2d1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6d:81:cc  txqueuelen 1000  (Ethernet)
        RX packets 39  bytes 5433 (5.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 55  bytes 7209 (7.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.141.122  netmask 255.255.255.0  broadcast 192.168.141.255
        ether 00:0c:29:6d:81:cc  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::2ee7:f618:cdee:fad6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6d:81:d6  txqueuelen 1000  (Ethernet)
        RX packets 7  bytes 2394 (2.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 4478 (4.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@linux-001 ~]# cd /etc/sysconfig/network-scripts/
[root@linux-001 network-scripts]# ls
ifcfg-ens33    ifdown-ippp    ifdown-sit       ifup-bnep  ifup-plusb   ifup-TeamPort
ifcfg-ens33:0  ifdown-ipv6    ifdown-Team      ifup-eth   ifup-post    ifup-tunnel
ifcfg-lo       ifdown-isdn    ifdown-TeamPort  ifup-ippp  ifup-ppp     ifup-wireless
ifdown         ifdown-post    ifdown-tunnel    ifup-ipv6  ifup-routes  init.ipv6-global
ifdown-bnep    ifdown-ppp     ifup             ifup-isdn  ifup-sit     network-functions
ifdown-eth     ifdown-routes  ifup-aliases     ifup-plip  ifup-Team    network-functions-ipv6
[root@linux-001 network-scripts]# cp ifcfg-ens33  ifcfg-ens37
[root@linux-001 network-scripts]#  uuidgen   ens37  //获取ens37的uuid
f2651078-2dd6-47ca-9d22-194c71129072
[root@linux-001 network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
UUID=f2651078-2dd6-47ca-9d22-194c71129072
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0

[root@linux-001 ~]# ifdown ens37 && ifup ens37
成功断开设备 'ens37'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/4)
[root@linux-001 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.141.128  netmask 255.255.255.0  broadcast 192.168.141.255
        inet6 fe80::20c:29ff:fe6d:81cc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6d:81:cc  txqueuelen 1000  (Ethernet)
        RX packets 521  bytes 49218 (48.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 373  bytes 53642 (52.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::1bd9:6a99:3db1:3ce6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6d:81:d6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 2290 (2.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
## 机器B不可以远程登录,我们可以设置好B机器的ens37的ip地址,再把ens33给断开 ##
[root@linux-02 ~]# cd /etc/sysconfig/network-scripts/
[root@linux-02 network-scripts]# ls
ifcfg-ens33    ifdown-ippp    ifdown-sit       ifup-bnep  ifup-plusb   ifup-TeamPort
ifcfg-ens33:0  ifdown-ipv6    ifdown-Team      ifup-eth   ifup-post    ifup-tunnel
ifcfg-lo       ifdown-isdn    ifdown-TeamPort  ifup-ippp  ifup-ppp     ifup-wireless
ifdown         ifdown-post    ifdown-tunnel    ifup-ipv6  ifup-routes  init.ipv6-global
ifdown-bnep    ifdown-ppp     ifup             ifup-isdn  ifup-sit     network-functions
ifdown-eth     ifdown-routes  ifup-aliases     ifup-plip  ifup-Team    network-functions-ipv6
[root@linux-02 network-scripts]# cp ifcfg-ens33  ifcfg-ens37
[root@linux-02 ~]# uuidgen  ens37
40150849-ce69-46a7-ba52-e90c17019453
[root@linux-02 ~]# vim ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
DEVICE=ens37
UUID=40150849-ce69-46a7-ba52-e90c17019453
ONBOOT=yes
IPADDR=192.168.100.100
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
[root@linux-02 network-scripts]# ifdown ens37 && ifup ens37
成功断开设备 'ens37'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/6)
[root@linux-02 network-scripts]# ifconfig     // 之后可以物理断开网卡ens33 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.141.129  netmask 255.255.255.0  broadcast 192.168.141.255
        inet6 fe80::86ff:d912:c144:4503  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:3a:cd:af  txqueuelen 1000  (Ethernet)
        RX packets 698  bytes 65240 (63.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 471  bytes 74272 (72.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::e3af:26e5:ac7b:b1f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:83:29:48  txqueuelen 1000  (Ethernet)
        RX packets 13  bytes 932 (932.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 47  bytes 3678 (3.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12  bytes 1152 (1.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 1152 (1.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        
[root@linux-02 ~]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.48 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.645 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.639 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=0.642 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=0.589 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=0.707 ms
^C
--- 192.168.100.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 0.589/0.951/2.488/0.688 ms
[root@linux-02 ~]#

A机器上打开路由转发: echo "1" > /proc/sys/net/ipv4/ip_forward

Linux系统缺省并没有打开IP转发功能。要确认IP转发功能的状态,可以查看/proc文件系统,使用下面的命令: cat /proc/sys/net/ipv4/ip_forward
如果上述文件中的值为0,说明禁止进行IP转发;如果是1,则说明IP转发功能已经打开。
要想打开IP转发功能,可以直接修改上述文件: echo 1 > /proc/sys/net/ipv4/ip_forward
把文件的内容由0修改为1。禁用IP转发则把1改为0。
上面的命令并没有保存对IP转发配置的更改,下次系统启动时仍会使用原来的值。要想永久修改IP转发,需要修改/etc/sysctl.conf文件,修改下面一行的值: net.ipv4.ip_forward = 1 。修改后可以重启系统来使修改生效,也可以执行下面的命令来使修改生效: sysctl -p /etc/sysctl.conf 。进行了上面的配置后,IP转发功能就永久使能了。


A上执行 iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE 。该规则会对整个192.168.100.0/24网段从ens33出去的流量做地址伪装;注意下面iptables -nvL的输出中filter表的FORWARD链默认策略是ACCEPT,也就是说所有经A转发的流量都会被放行,如果只想放行特定主机或端口,需要另外在FORWARD链上加限制规则。

## 在机器A上执行上面的命令 ##
[root@linux-001 ~]# iptables -F
[root@linux-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@linux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@linux-001 ~]#
## 在机器B上添加dns ##
[root@linux-02 ~]#  vim /etc/resolv.conf
nameserver  114.29.29.29


端口映射

需求:A机器是windows,B和C机器是centos7;A机器和B机器可以通信,B机器和C机器可以通信,A和C暂时不可以通信。让C机器只能和A通信,让C机器可以直接连通B机器的22端口。

解决办法:

1.B 机器打开路由转发: echo "1" > /proc/sys/net/ipv4/ip_forward ,同时需要把iptables规则清除。
2.B 机器上执行 iptables -t nat -A PREROUTING -d 192.168.141.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
3. B上执行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.141.128
4. C 上设置网关为192.168.100.1

[root@linux-001 ~]# iptables -t nat -D  POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@linux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 896 packets, 107K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 32 packets, 2746 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 592 packets, 55276 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@linux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@linux-001 ~]#  echo "1" > /proc/sys/net/ipv4/ip_forward
[root@linux-001 ~]# iptables -t nat -A PREROUTING -d 192.168.141.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@linux-001 ~]# iptables -t nat  -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.141.128      tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@linux-001 ~]#
[root@linux-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
[root@linux-001 ~]# iptables -t nat  -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.133.130      tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.133.130
[root@linux-001 ~]#
[root@linux-02 ~]#  route add default gw 192.168.100.1

我们使用A机器(windows)上的xshell去连接B机器的ip地址,端口1122。

[C:\~]$ ssh 192.168.141.128 1122

Connecting to 192.168.141.128:1122...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Tue Apr 16 18:50:47 2019
[root@linux-02 ~]# ifconfig
ens33: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:50:56:3a:cd:af  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::e3af:26e5:ac7b:b1f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:83:29:48  txqueuelen 1000  (Ethernet)
        RX packets 135  bytes 14397 (14.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 17477 (17.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 13  bytes 1264 (1.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1264 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@linux-02 ~]#

纠正前面课中关于防火墙的一些错误认识

纠正前面的问题:netfilter是基于内核的,它是用来抓包的,包里面包含来源IP、端口以及目的IP和端口;内核自带iptables命令。在centos7以下版本,我们所说的防火墙是指iptables,它是一个服务,iptables服务用来管理、加载、调用iptables命令设置好的规则。在centos7版本,这个防火墙不叫iptables了,它叫firewalld,它比iptables功能更加丰富,同样也可以管理iptables命令设置好的规则。如下图:


iptables规则备份和恢复

iptables备份规则到配置文件/etc/sysconfig/iptables,使用如下命令:

[root@linux-001 ~]# service  iptables  save

iptables备份规则到另外一个文件(而不是配置文件):

[root@linux-001 ~]# iptables-save  > my.ipt
[root@linux-001 ~]# cat my.ipt 
# Generated by iptables-save v1.4.21 on Wed Apr 17 03:35:23 2019
*nat
:PREROUTING ACCEPT [267:82430]
:INPUT ACCEPT [260:81921]
:OUTPUT ACCEPT [25:8200]
:POSTROUTING ACCEPT [26:8252]
-A PREROUTING -d 192.168.141.128/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.141.128
COMMIT
# Completed on Wed Apr 17 03:35:23 2019
# Generated by iptables-save v1.4.21 on Wed Apr 17 03:35:23 2019
*filter
:INPUT ACCEPT [2610:326613]
:FORWARD ACCEPT [827:68276]
:OUTPUT ACCEPT [1817:173008]
COMMIT
# Completed on Wed Apr 17 03:35:23 2019
[root@linux-001 ~]#

iptables从备份文件恢复规则:

[root@linux-001 ~]# iptables -t nat -F 
[root@linux-001 ~]# iptables -t nat
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@linux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@linux-001 ~]# 
[root@linux-001 ~]# iptables-restore < my.ipt 
[root@linux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.141.128      tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.141.128
[root@linux-001 ~]#