iptables基礎信息介紹

本文轉載自查看原文 2016-01-14 16:02 1578 技術/ Network

在linux系統下，網絡安全，除了有SElinux，另外就是iptables防火牆了，這個是用的最多也是功能非常強大的一個工具，今天就對其簡單的架構上技術進行概要描述。讓自己后續能夠邏輯清晰的處理雲環境下的網絡安全。至少作為一個支撐吧。

首先，要知道，計算機上網的過程，數據包從internet到我們的PC，最后被PC上的應用程序所處理，並且給予遠端來自internet的用戶程序一個響應，數據包在防火牆層面上是如何traverse的。

Destination local host (our own machine)

Step	Table	Chain	Comment
1			On the wire (e.g., Internet)
2			Comes in on the interface (e.g., eth0)
3	mangle	PREROUTING	This chain is normally used for mangling packets, i.e., changing `TOS` and so on.
4	nat	PREROUTING	This chain is used for `DNAT` mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
5			Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
6	mangle	INPUT	At this point, the mangle `INPUT` chain is hit. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.
7	filter	INPUT	This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
8			Local process/application (i.e., server/client program)

這個表，描述了數據從Internet到Local host的流程。

Source local host (our own machine)

Step	Table	Chain	Comment
1			Local process/application (i.e., server/client program)
2			Routing decision. What source address to use, what outgoing interface to use, and other necessary information that needs to be gathered.
3	mangle	OUTPUT	This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects.
4	nat	OUTPUT	This chain can be used to NAT outgoing packets from the firewall itself.
5	filter	OUTPUT	This is where we filter packets going out from the local host.
6	mangle	POSTROUTING	The `POSTROUTING` chain in the mangle table is mainly used when we want to do mangling on packets before they leave our host, but after the actual routing decisions. This chain will be hit by both packets just traversing the firewall, as well as packets created by the firewall itself.
7	nat	POSTROUTING	This is where we do `SNAT` as described earlier. It is suggested that you don't do filtering here since it can have side effects, and certain packets might slip through even though you set a default policy of DROP.
8			Goes out on some interface (e.g., eth0)
9			On the wire (e.g., Internet)

這個表描述了數據從Local host返回響應給Internet的客戶這么一個數據流程。也許有經驗的人會說，internet到達我們的PC網卡的數據包不一定就是給你這個機器的，說的沒錯，有可能需要通過你這個機器做轉發，發給其他的機器。這個過程就是IP forwarding，當然，這個需要Linux系統打開這個服務。

下面說說如何檢查並打開自己機器的IP forwarding服務。下面就拿我的機器(CentOS)來說，從命令返回值可以看到，這個feature是打開了的。

1 [root@CloudGame mytool]# sysctl net.ipv4.ip_forward 
2 net.ipv4.ip_forward = 1

若是沒有開，可以通過下面的操作打開：

1 [root@CloudGame mytool]# sysctl -w net.ipv4.ip_forward=1
2 net.ipv4.ip_forward = 1

或者這么打開也可以：

打開/etc/sysctl.conf文件，修改里面的net.ipv4.ip_forward的值，改為1.

既然有轉發，就有對應的轉發的iptables的chain及相關細節.如下：

Forwarded packets

Step	Table	Chain	Comment
1			On the wire (i.e., Internet)
2			Comes in on the interface (i.e., eth0)
3	mangle	PREROUTING	This chain is normally used for mangling packets, i.e., changing `TOS` and so on.
4	nat	PREROUTING	This chain is used for `DNAT` mainly. `SNAT` is done further on. Avoid filtering in this chain since it will be bypassed in certain cases.
5			Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
6	mangle	FORWARD	The packet is then sent on to the `FORWARD` chain of the mangle table. This can be used for very specific needs, where we want to mangle the packets after the initial routing decision, but before the last routing decision made just before the packet is sent out.
7	filter	FORWARD	The packet gets routed onto the `FORWARD` chain. Only forwarded packets go through here, and here we do all the filtering. Note that all traffic that's forwarded goes through here (not only in one direction), so you need to think about it when writing your rule-set.
8	mangle	POSTROUTING	This chain is used for specific types of packet mangling that we wish to take place after all kinds of routing decisions has been done, but still on this machine.
9	nat	POSTROUTING	This chain should first and foremost be used for `SNAT`. Avoid doing filtering here, since certain packets might pass this chain without ever hitting it. This is also where Masquerading is done.
10			Goes out on the outgoing interface (i.e., eth1).
11			Out on the wire again (i.e., LAN).

簡單總結一下上面的三個情景。這里可以看到，iptables有table和chain的概念。iptables有4種類型的table： raw，mangle，nat，filter。chain的類型有：PREROUTING，INPUT，OUTPUT, FORWARD, POSTROUTING. 這里，有個很重要的邏輯就是，table和chain之間的關系是怎么樣的。他們是兩個維度空間，共同作用在收到/發送/轉發的數據上。用下面的圖表做個形象的描述，反映這兩個維度之間的關系：

下面，再看看另外一種表述：

最后，看看不同的協議，在iptables的工作過程中，都影響到那些子環節：

上面三個圖，都有一個特點，就是可以看出各個table都有那些chain要經歷。每一個table都有自己對應的target。下面列舉一下主要的三個table對應的target，方便后續索引查找。

mangel 表：

TOS
TTL
MARK

nat 表：

DNAT
SNAT
MASQUERADE

filter表：

DROP
ACCEPT
REJECT
RETURN
LOG
QUEUE

由於iptables是在不同的table上依據對應chain的rule進行相對應的數據包的處理，那么接下來的篇幅，就簡單的說說比較常見的一些操作指令，來設置iptables對IP包的處理。

 1 [root@CloudGame mytool]# iptables -L --line-numbers　　　　#查看一個chain或者所有chain的rule。默認查看的是filter表，你也可以指定表，如：iptables -L -t nat  2 Chain INPUT (policy ACCEPT)
 3 num  target     prot opt source               destination         
 4 1    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 5 2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 6 3    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 7 4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 8 
 9 Chain FORWARD (policy ACCEPT)
10 num  target     prot opt source               destination         
11 1    ACCEPT     all  --  anywhere             localhost/24        state RELATED,ESTABLISHED 
12 2    ACCEPT     all  --  localhost/24         anywhere            
13 3    ACCEPT     all  --  anywhere             anywhere            
14 4    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
15 5    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
16 6    DOCKER     all  --  anywhere             anywhere            
17 7    ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
18 8    ACCEPT     all  --  anywhere             anywhere            
19 9    ACCEPT     all  --  anywhere             anywhere            
20 
21 Chain OUTPUT (policy ACCEPT)
22 num  target     prot opt source               destination         
23 
24 Chain DOCKER (1 references)
25 num  target     prot opt source               destination

會看到上面的日志顯示的信息中，最后一列沒有名字。其實，這一列對應的就是iptables的-m選項的信息，即connection tracking，相關信息很多，可以google之。較常用的是-m tcp, -m state等等之類。

下面是一個給NAT表添加一個DNAT目標的規則：

1 [root@CloudGame mytool]# iptables -t nat -A PREROUTING -p tcp -d 202.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
2 [root@CloudGame mytool]# iptables -t nat -L
3 Chain PREROUTING (policy ACCEPT)
4 target     prot opt source               destination         
5 DOCKER     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL 
6 DNAT tcp -- anywhere 202.45.23.67 tcp dpt:http to:192.168.1.1-192.168.1.10

上面這個操作，實現的是NAT（網絡地址轉換），將從internet上的IP包目的地址為202.45.23.67，目的端口號為80的包，進行地址轉換，轉成目的地址為192.168.1.1至10的機器，隨機轉。這個可以用在負載均衡上喲，一種解決方案。對應的SNAT，是完成從源端地址向目標地址轉換的過程，比如，從內網的192.168.1.1的IP轉為防火牆的內部IP地址。這里有地址映射過程。

 1 [root@CloudGame mytool]#  iptables -t nat -A POSTROUTING -p tcp --dst 192.168.1.1 --dport 80 -j SNAT  --to-source 192.168.1.21
 2 [root@CloudGame mytool]# iptables -t nat -L
 3 Chain PREROUTING (policy ACCEPT)
 4 target     prot opt source               destination         
 5 DOCKER     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL 
 6 DNAT       tcp  --  anywhere             202.45.23.67        tcp dpt:http to:192.168.1.1-192.168.1.10 
 7 
 8 Chain INPUT (policy ACCEPT)
 9 target     prot opt source               destination         
10 
11 Chain OUTPUT (policy ACCEPT)
12 target     prot opt source               destination         
13 DOCKER     all  --  anywhere            !loopback/8          ADDRTYPE match dst-type LOCAL 
14 
15 Chain POSTROUTING (policy ACCEPT)
16 target     prot opt source               destination         
17 MASQUERADE  tcp  --  localhost/24        !localhost/24        masq ports: 1024-65535 
18 MASQUERADE  udp  --  localhost/24        !localhost/24        masq ports: 1024-65535 
19 MASQUERADE  all  --  localhost/24        !localhost/24        
20 MASQUERADE  all  --  localhost/16         anywhere            
21 SNAT tcp -- anywhere localhost tcp dpt:http to:192.168.1.21

Appendix部分，我附上一些關於iptables的基本命令手冊的信息：

A1. 命令的基本格式：

iptables [ -t 表名] 命令選項 [鏈名] [條件匹配] [-j 目標動作或跳轉]

A2.命令的選項參數：

選項名	功能及特點
-A	在指定鏈的末尾添加（--append）一條新的規則
-D	刪除（--delete）指定鏈中的某一條規則，按規則序號或內容確定要刪除的規則
-I	在指定鏈中插入（--insert）一條新的規則，默認在鏈的開頭插入
-R	修改、替換（--replace）指定鏈中的一條規則，按規則序號或內容確定
-L	列出（--list）指定鏈中的所有的規則進行查看，默認列出表中所有鏈的內容
-F	清空（--flush）指定鏈中的所有規則，默認清空表中所有鏈的內容
-N	新建（--new-chain）一條用戶自己定義的規則鏈
-X	刪除指定表中用戶自定義的規則鏈（--delete-chain）
-P	設置指定鏈的默認策略（--policy）
-n	用數字形式（--numeric）顯示輸出結果，若顯示主機的 IP地址而不是主機名
-P	設置指定鏈的默認策略（--policy）
-v	查看規則列表時顯示詳細（--verbose）的信息
-V	查看iptables命令工具的版本（--Version）信息
-h	查看命令幫助信息（--help）
--line-number	查看規則列表時，同時顯示規則在鏈中的順序號

A3.條件匹配

條件匹配分為基本匹配和擴展匹配，拓展匹配又分為隱式擴展和顯示擴展。這些條件是用於給iptables添加規則的時候提供更加具體的匹配條件，便於精確的操作數據包的流向和去留。

a)基本匹配包括

匹配參數	說明
-p	指定規則協議，如tcp, udp,icmp等，可以使用all來指定所有協議
-s	指定數據包的源地址參數，可以使IP地址、網絡地址、主機名
-d	指定目的地址
-i	輸入接口
-o	輸出接口

b)隱式擴展包括

c)顯式擴展

更深的東西，繼續研究中，期待交流和拍磚！

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 iptables介紹iptables和netfilter iptables 命令介紹防火牆iptables介紹信息安全實驗2：iptables 和 netfilter Linux基礎命令---防火牆iptables iptables iptables 什么是iptables？基礎信息論（復習） Hive[2] 基礎介紹