安裝前
里面有iptables的命令 [root@mcw01 ~]$ rpm -qa|grep iptables iptables-1.4.21-18.0.1.el7.centos.x86_64 [root@mcw01 ~]$ rpm -ql iptables /etc/sysconfig/ip6tables-config /etc/sysconfig/iptables-config /usr/bin/iptables-xml 。.......... /usr/sbin/ip6tables /usr/sbin/ip6tables-restore /usr/sbin/ip6tables-save /usr/sbin/iptables #iptables管理命令 /usr/sbin/iptables-restore /usr/sbin/iptables-save /usr/sbin/xtables-multi ..... [root@mcw01 ~]$
我們需要安裝iptables-services,用來啟動和停止iptables服務
[root@mcw01 ~]$ yum list all|grep iptables-services iptables-services.x86_64 1.4.21-35.el7 base [root@mcw01 ~]$ yum install -y iptables-services [root@mcw01 ~]$ rpm -ql iptables-services /etc/sysconfig/ip6tables /etc/sysconfig/iptables #防火牆配置就是這個 /usr/lib/systemd/system/ip6tables.service /usr/lib/systemd/system/iptables.service #服務啟動停止文件 /usr/libexec/initscripts/legacy-actions/ip6tables /usr/libexec/initscripts/legacy-actions/ip6tables/panic /usr/libexec/initscripts/legacy-actions/ip6tables/save /usr/libexec/initscripts/legacy-actions/iptables /usr/libexec/initscripts/legacy-actions/iptables/panic /usr/libexec/initscripts/legacy-actions/iptables/save /usr/libexec/iptables /usr/libexec/iptables/ip6tables.init /usr/libexec/iptables/iptables.init [root@mcw01 ~]$ modprobe ip_tables modprobe iptable_filter modprobe iptable_nat modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_state [root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable' #默認是沒有開啟這些內核模塊的 [root@mcw01 ~]$ [root@mcw01 ~]$ modprobe ip_tables #加載這些模塊,應該寫進配置,即使重啟了也加載,永久性修改生效。 [root@mcw01 ~]$ modprobe iptable_filter [root@mcw01 ~]$ modprobe iptable_nat [root@mcw01 ~]$ modprobe ip_conntrack [root@mcw01 ~]$ modprobe ip_conntrack_ftp [root@mcw01 ~]$ modprobe ip_nat_ftp [root@mcw01 ~]$ modprobe ipt_state 加載內核模塊的配置在/etc/modprobe.d/目錄下 [root@mcw01 ~]$ ls /etc/modprobe.d/ tuned.conf [root@mcw01 ~]$ [root@mcw01 ~]$ tail -7 /etc/rc.local #也可以直接加到開機自啟動文件里 modprobe ip_tables modprobe iptable_filter modprobe iptable_nat modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_state [root@mcw01 ~]$ 然后再檢查下,現在有這些內核模塊了 [root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable' nf_nat_ftp 12770 0 nf_conntrack_ftp 18638 1 nf_nat_ftp iptable_nat 12875 0 nf_nat_ipv4 14115 1 iptable_nat nf_nat 26787 2 nf_nat_ftp,nf_nat_ipv4 nf_conntrack 133387 6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4 iptable_filter 12810 0 ip_tables 27115 2 iptable_filter,iptable_nat libcrc32c 12644 4 xfs,sctp,nf_nat,nf_conntrack [root@mcw01 ~]$
關閉firewalld,開啟iptables
關閉firewalld systemctl stop firewalld systemctl disable firewalld systemctl is-active firewalld.service systemctl is-enabled firewalld.service [root@mcw01 ~]$ systemctl stop firewalld [root@mcw01 ~]$ systemctl disable firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@mcw01 ~]$ systemctl is-active firewalld.service #只有不活躍,就關閉了,只有禁用了就不會開機自啟了 unknown [root@mcw01 ~]$ systemctl is-enabled firewalld.service disabled [root@mcw01 ~]$ 開啟iptables systemctl start iptables.service systemctl enable iptables.service [root@mcw01 ~]$ systemctl start iptables.service [root@mcw01 ~]$ systemctl enable iptables.service Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -Ln #寫反了什么都沒有 iptables: No chain/target/match by that name. [root@mcw01 ~]$ iptables -nL #這里默認顯示的是filter表的。這里有filter表的input鏈,forword鏈,和output鏈 Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited #用戶請求來的時候,默認先從input鏈這里一行一行規則往下匹配,如果都沒有匹配上了,就走input鏈后面的小括號里面的規則, #這里是(policy ACCEPT),小括號里面表示默認規則 Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
學習前環境准備
清除所有的iptables規則 --flush -F [chain] Delete all rules in chain or all chains 清除所有規則 --delete-chain -X [chain] Delete a user-defined chain 刪除用戶自定義的規則 --zero -Z [chain [rulenum]] Zero counters in chain or all chains 清除鏈的計數器 清除所有規則,但不會清除默認規則 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -F #清除所有的iptables規則 [root@mcw01 ~]$ iptables -nL #再次查看,安裝好后默認設置的規則都清除掉了 Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
禁止訪問22端口(指定端口)
--append -A chain Append to chain #追加鏈,追加是放到最下面,如果是拒絕的規則,那么應該放到最上面才防止未匹配到而失效。 --delete -D chain Delete matching rule from chain --insert -I chain [rulenum] Insert in chain as rulenum (default 1=first) #把規則放到前面,插入,一般拒絕的規則放到前面 --jump -j target target for rule (may load target extension) #匹配到規則需要做的動作,滿足條件后的動作,比如:DROP/ACCEPT/REJECT 拒絕,接受,拒絕 --dport 目標端口, -d 目標ip --sport源端口 -A添加規則;INPUT,我要在INPUT鏈中添加規則。是需要指定端口還是ip呢,這里是22端口,指定端口的話一般要先指定協議(協議一般這里有tcp,udp,icmp,all就是所有),端口在網絡中一般有兩種情況,ip也是有兩種情況,就是目標端口,源端口,目標ip,源ip,我這里是禁止訪問22端口,也就是端口是目標端口,所以--dport 22;需要禁止訪問,那就是 -j DROP ,這個DROP要大寫 iptables -A INPUT -p tcp --dport 22 -j DROP iptables -t filter -A INPUT -p tcp --dport 22 -j DROP 需要謹慎,看清了。這里是演示,如果真的把22端口禁了,就連不上了。我這里是虛擬機,可以在VMware上把這條規則清除掉重新遠程連接 如果我們只是想清除一條規則,可以先執行 iptables -nL --line-numbers 查看到是第幾條鏈,防止眼睛數錯行。這里是在INPUT鏈上的第一條規則,然后執行刪除這條規則.清除之后,22端口就能重新連接了 iptables -D INPUT 1 如下,我禁用23端口和解除23端口的過程 [root@mcw01 ~]$ iptables -A INPUT -p tcp --dport 23 -j DROP #未指定默認是filter表了;添加;在input鏈上;tcp協議,目標端口23;來訪問了就drop丟掉 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 #禁用23端口 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -nL --line-numbers #查看規則是第幾個,刪除可以用到 Chain INPUT (policy ACCEPT) num target prot opt source destination 1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination [root@mcw01 ~]$ iptables -D INPUT 1 #刪除,指定是INPUT鏈,第一個規則 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
禁止指定ip,訪問本服務器指定端口
禁止指定ip,訪問本服務器指定端口 iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 防火牆四表五鏈,我們常用的是filter,nat表。我們常用的是filter表的INPUT,FORWARD,OUTPUT鏈;nat表的PREROUTING,POSTROUTING鏈,OUTPUT鏈 禁止10.0.0.12訪問10.0.0.11服務器的22端口 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 一開始12能訪問11的22端口 [root@mcw02 ~]$ ssh 10.0.0.11 hostname root@10.0.0.11's password: mcw01 [root@mcw02 ~]$ [root@mcw01 ~]$ iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP [root@mcw01 ~]$ iptables -nL #禁止10.0.0.12訪問10.0.0.11服務器的22端口 Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 10.0.0.12 0.0.0.0/0 tcp dpt:22 #來自10.0.0.12的IP,訪問本機的22端口被drop Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination 再次從12上訪問11的22端口,發現是連接超時的 [root@mcw02 ~]$ ssh 10.0.0.11 hostname ssh: connect to host 10.0.0.11 port 22: Connection timed out [root@mcw02 ~]$ [root@mcw02 ~]$ ssh 172.16.0.11 hostname #如果使用內網ip,還是可以訪問的,因為只是禁用10.0.0.12訪問 root@172.16.0.11's password: mcw01 [root@mcw02 ~]$ ping 10.0.0.11 -c 1 #訪問icmp協議的還是不影響的 PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data. 64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=0.682 ms --- 10.0.0.11 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms [root@mcw02 ~]$ [root@mcw02 ~]$ nc 10.0.0.11 22 #使用nc查看端口是否能連上 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw02 ~]$ telnet 10.0.0.11 22 #telnet查看是否能連上 Trying 10.0.0.11... telnet: connect to address 10.0.0.11: Connection timed out [root@mcw02 ~]$ 正常能連的顯示 [root@mcw03 ~]$ nc 10.0.0.11 22 SSH-2.0-OpenSSH_7.4 #夯住
命令有,但不知道是哪個包帶來的命令,兩種方式找到包
[root@mcw01 ~]$ rpm -qa nc [root@mcw01 ~]$ rpm -qa ncat [root@mcw01 ~]$ rpm -qa |grep nc irqbalance-1.0.7-10.el7.x86_64 ncurses-base-5.9-14.20130511.el7_4.noarch perl-Encode-2.51-7.el7.x86_64 qrencode-libs-3.4.1-3.el7.x86_64 ncurses-libs-5.9-14.20130511.el7_4.x86_64 ncurses-5.9-14.20130511.el7_4.x86_64 nmap-ncat-6.40-19.el7.x86_64 vim-enhanced-7.4.629-8.el7_9.x86_64 ncurses-devel-5.9-14.20130511.el7_4.x86_64 [root@mcw01 ~]$ [root@mcw01 ~]$ rpm -qa |grep ncat nmap-ncat-6.40-19.el7.x86_64 [root@mcw01 ~]$ which nc /usr/bin/nc [root@mcw01 ~]$ yum provides nc #方式一:yum查看命令是哪個包里的 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile netcat-1.218-2.el7.x86_64 : OpenBSD netcat to read and write data across connections using TCP or UDP Repo : epel Matched from: Provides : nc = 1.218-2.el7 2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement Repo : base Matched from: Provides : nc 2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement Repo : @base Matched from: Provides : nc [root@mcw01 ~]$ rpm -qf `which nc` #方式二:rpm查看命令是哪個包里的 nmap-ncat-6.40-19.el7.x86_64 [root@mcw01 ~]$
使用nc命令進行端口間通信
當我使用nc連接本服務器端口的時候 [root@mcw03 ~]$ nc -l 6381 #夯住 新開一個窗口,發現這個命令的進程 [root@mcw03 ~]$ ps -ef|grep -v grep |grep 6381 root 19421 19094 0 03:26 pts/0 00:00:00 nc -l 6381 [root@mcw03 ~]$ -- 如下當我將mcw03上redis端口,使用nc命令夯住后 [root@mcw03 ~]$ nc -l 6381 wo shi machangwei nihaoya 當我在其他機器,比如在mcw01上telnet mcw03的這個6381端口,也會夯住,然后這樣兩者間就可以互相寫字進行通信了,一行一行的發送,點擊enter就發送。telnet如果是客戶端的話,那么我斷開telnet,nc命令並不會終止 [root@mcw01 ~]$ telnet 10.0.0.13 6381 Trying 10.0.0.13... Connected to 10.0.0.13. Escape character is '^]'. wo shi machangwei nihaoya 當我在mcw03上使用nc之后,夯住 [root@mcw03 ~]$ nc -l 6381 然后 [root@mcw01 ~]$ cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@mcw01 ~]$ cat /etc/hosts |nc 10.0.0.13 6381 #然后在另一個主機上連接這個端口,就能發送文件內容過去 [root@mcw03 ~]$ nc -l 6381 #接收到文件內容,我們也可以將接收的文件內容重定向到文件里,實現nc通過端口傳輸文件 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@mcw03 ~]$ [root@mcw03 ~]$ nc -l 6381 >1.host [root@mcw03 ~]$ cat 1.host 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@mcw03 ~]$
禁止指定網段訪問本服務器的指定端口
禁止指定網段訪問本服務器的指定端口 iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP 別人訪問我,是進入的包,INPUT鏈。別人訪問我的某個端口服務,我這個端口是對方訪問的目標端口,所以是dport,禁止就得drop,-I拒絕的就往前面插入 我在mcw01上開啟了8080端口的監聽,然后通過兩個ip訪問,都能通,接收到信息 [root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080 [root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080 [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 8080 111 [root@mcw01 ~]$ nc -l 8080 111 [root@mcw01 ~]$ 現在設置防火牆規則,禁止指定172.16.0.0/24網段訪問本服務器的指定端口8080 [root@mcw01 ~]$ iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 172.16.0.0/24 0.0.0.0/0 tcp dpt:8080 DROP tcp -- 10.0.0.12 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 然后再看,mcw02連接mcw01的nc開啟的連接服務,發現172.16.0.11只有這個網段的不能連上服務了,說明禁止生效了 [root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080 [root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 8080 111 [root@mcw01 ~]$ nc -l 8080 #夯住,沒反應
指定只能某個網段訪問本服務器。(不是指定網段的拒絕掉)
指定只能某個網段訪問本服務器。(不是指定網段的拒絕掉) iptables -I INPUT ! -s 10.0.0.0/24 -j DROP 當我清空所以防火牆配置之后,mcw02能訪問mcw01上nc開啟的2222端口 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222 [root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222 [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 2222 2222 [root@mcw01 ~]$ nc -l 2222 2222 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -I INPUT ! -s 10.0.0.0/24 -j DROP [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 當我兩次在mcw01上nc開啟2222端口時,只有訪問10.0.0.11能訪問到,訪問172.16.0.11訪問不到。所以防火牆配置生效 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222 [root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 2222 2222 [root@mcw01 ~]$ nc -l 2222
禁止用戶訪問本服務器指定范圍或者指定多個的端口
禁止用戶訪問本服務器指定范圍或者指定多個的端口 iptables -I INPUT -p tcp --dport 1024:65535 -j DROP iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP 執行命令前,nc開啟mcw01的端口,mcw02上都能訪問到 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000 [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 444 2222 [root@mcw01 ~]$ nc -l 1024 2222 [root@mcw01 ~]$ nc -l 60000 2222 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 1024:65535 -j DROP [root@mcw01 ~]$ iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination 執行命令后,無法訪問到 [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444 Ncat: Connection timed out. [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024 Ncat: Connection timed out. [root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000 Ncat: Connection timed out. [root@mcw02 ~]$ [root@mcw01 ~]$ nc -l 444 ^C [root@mcw01 ~]$ nc -l 1024 ^C [root@mcw01 ~]$ nc -l 60000 ^C [root@mcw01 ~]$
使用iptables實現禁止ping功能
使用iptables實現禁止ping功能 iptables -I INPUT -p icmp --icmp-type 8 -j DROP #實際上icmp協議的類型有很多,影響我們ping的類型是8,只需禁止8就行 iptables -I INPUT -p icmp --icmp-type any -j DROP 當我給mcw01添加內核設置為1的時候,mcw02就無法ping通mcw01了,當我修改為0的時候,就能ping同mcw01了 echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all 加上這條命令后,里面就不能ping通了 ,這里是任意類型,好像寫成8也可以 [root@mcw01 ~]$ iptables -I INPUT -p icmp --icmp-type any -j DROP [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
保存和恢復規則
iptables-save保存當前防火牆到配置文件中,加上重定向,可以將防火牆規則導入到指定文件中備份起來 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables-save #會把所有的打印出來,*后面顯示表的名字;冒號后歐美是默認的規則,再往下就死我們自己配置的規則 # Generated by iptables-save v1.4.21 on Mon Mar 7 16:48:59 2022 *nat :PREROUTING ACCEPT [6543:408185] :INPUT ACCEPT [76:11426] :OUTPUT ACCEPT [358288:21886420] :POSTROUTING ACCEPT [358288:21886420] COMMIT # Completed on Mon Mar 7 16:48:59 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 16:48:59 2022 *filter :INPUT ACCEPT [696:58996] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [653551:39668311] #*后面顯示表的名字;冒號后歐美是默認的規則,再往下就死我們自己配置的規則 -A INPUT -p icmp -m icmp --icmp-type any -j DROP -A INPUT -p tcp -m multiport --dports 81,444 -j DROP -A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP -A INPUT ! -s 10.0.0.0/24 -j DROP COMMIT # Completed on Mon Mar 7 16:48:59 2022 [root@mcw01 ~]$ 防火牆配置,實際保存的是如下文件中。可以看到和命令查詢出來的差不多 [root@mcw01 ~]$ cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT [root@mcw01 ~]$ 如下保存防火牆規則 [root@mcw01 ~]$ iptables-save >iptRule.txt [root@mcw01 ~]$ cat iptRule.txt # Generated by iptables-save v1.4.21 on Mon Mar 7 16:53:44 2022 *nat :PREROUTING ACCEPT [6642:414294] :INPUT ACCEPT [77:11655] :OUTPUT ACCEPT [363901:22224847] :POSTROUTING ACCEPT [363901:22224847] COMMIT # Completed on Mon Mar 7 16:53:44 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 16:53:44 2022 *filter :INPUT ACCEPT [781:65217] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [664961:40365111] -A INPUT -p icmp -m icmp --icmp-type any -j DROP -A INPUT -p tcp -m multiport --dports 81,444 -j DROP -A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP -A INPUT ! -s 10.0.0.0/24 -j DROP COMMIT # Completed on Mon Mar 7 16:53:44 2022 [root@mcw01 ~]$ 不小心把防火牆都誤清除了,因為之前保存到配置里了,重啟一下防火牆重新就出來了 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ systemctl restart iptables.service [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables-restore無需重啟防火牆,可以將備份導出來的防火牆規則,再導入回去 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables-restore <iptRule.txt [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 DROP all -- !10.0.0.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$
修改默認規則為drop,默認都不接受的做法
-i --input 數據進入的時候通過哪個網卡 -o --output 數據出去的時候通過哪個網卡 -P --policy -P chain target Change policy on chain to target 修改默認規則 修改默認規則前設置: iptables -I INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT 修改默認規則 iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT 修改默認規則后添加自己使用的網段為白名單 iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT 清除好環境 [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -X [root@mcw01 ~]$ iptables -Z [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 在修改默認策略為拒絕時,首先要提前做些准備。比如接收22端口訪問 [root@mcw01 ~]$ #准許連接 22端口 [root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ 設置本地lo通訊規則 [root@mcw01 ~]$ iptables -A INPUT -i lo -j ACCEPT [root@mcw01 ~]$ iptables -A OUTPUT -o lo -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ 添加指定服務需要能被訪問,比如80 443 [root@mcw01 ~]$ iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ 修改默認規則 [root@mcw01 ~]$ #修改默認規則 [root@mcw01 ~]$ iptables -P INPUT DROP #進來的時候,默認是drop [root@mcw01 ~]$ iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ iptables -P FORWARD DROP #這個也默認是drop [root@mcw01 ~]$ iptables -P OUTPUT ACCEPT #出去的時候不管,都接受 [root@mcw01 ~]$ iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 [root@mcw01 ~]$ 添加兩個白名單 [root@mcw01 ~]$ iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT [root@mcw01 ~]$ iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT [root@mcw01 ~]$ iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 10.0.0.0/24 0.0.0.0/0 ACCEPT all -- 172.16.0.0/24 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 然后保存下我們的配置 [root@mcw01 ~]$ iptables-save # Generated by iptables-save v1.4.21 on Mon Mar 7 17:21:59 2022 *nat :PREROUTING ACCEPT [148:9218] :INPUT ACCEPT [13:949] :OUTPUT ACCEPT [2894:191439] :POSTROUTING ACCEPT [2894:191439] COMMIT # Completed on Mon Mar 7 17:21:59 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 17:21:59 2022 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [195:20374] -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 10.0.0.0/24 -j ACCEPT -A INPUT -s 172.16.0.0/24 -j ACCEPT -A OUTPUT -o lo -j ACCEPT COMMIT # Completed on Mon Mar 7 17:21:59 2022 [root@mcw01 ~]$ #其中默認是drop ,INPUT和OUTPUT鏈添加了規則
內網服務器通過iptables轉發實現訪問外網SNAT(共享上網)
內網服務器通過iptables轉發實現訪問外網(共享上網) 10.0.0.11是集群中的外網ip,能通過這個ip訪問外網的。這個ip所在服務器可以做成網關,讓其它主機的網關設置成該主機的內網ip,然后通過ipv4內核源地址轉換實現訪問外網 單個ip實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 echo 1 >/proc/sys/net/ipv4/ip_forward echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf sysctl -p 指定網段的地址實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 當公網ip不固定時:更換。用如下命令 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE MASQUERADE masquerade 英[ˌmæskəˈreɪd] 美[ˌmæskəˈreɪd] n. 掩藏; 掩飾; 化裝舞會; 假面舞會; vi. 假扮; 喬裝; 偽裝; nat表(可以共享上網,端口映射,ip映射) 主機環境(將mcw02和mcw03的外網ip10網段的先停掉網卡,只剩內網ip172網段的,純內網機子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 准備環境: 先把上面做的環境改回來,記得先改回默認策略為接受,然后再清空所有的規則。不然默認規則是拒絕,我把22接受服務的刪除掉,那么就連不上服務器了,只能去機房連接服務器恢復了 [root@mcw01 ~]$ iptables -P INPUT ACCEPT [root@mcw01 ~]$ iptables -P FORWARD ACCEPT [root@mcw01 ~]$ iptables -P OUTPUT ACCEPT [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ [root@mcw01 ~]$ ping www.baidu.com -c 1 #查看百度的ip是110.242.68.4,我現在需要內網的機子能訪問這個ip PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data. 64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=17.1 ms --- www.a.shifen.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 17.186/17.186/17.186/0.000 ms [root@mcw01 ~]$ 我現在mcw03這個后端內網服務器不能訪問到外網,mcw01可以訪問到外網。我想通過mcw01做轉發,實現mcw03訪問外網 mcw03的ip是172.16.0.13,這時數據包通過mcw01訪問110.242.68.4時,目標ip110.242.68.4不變,在mcw01上要將源ip172.16.0.13修改mcw01的ip即10.0.0.11。 所以,需要內網實現共享上網的時候,需要使用snat,源網絡地址轉換 這時我們的mcw03的數據包,是需要通過mcw01上出去,進而訪問外網,所以我們需要修改的是以前畫的那張圖里的nat表POSTROUTING 所以,需要設置防火牆命令如下:需要在nat表設置;需要在POSTROUTING鏈里追加;目標ip是訪問的外網ip, 需要指定源ip是mcw03內網ip地址需要轉換為可以訪問的外網ip;動作是mcw03的內網ip,源ip轉換為能訪問外網的mcw01上的外網ip,動作是源地址訪問;將源地址改為mcw01上的外網ip10.0.0.11 mcw01配置了防火牆,還要開啟mcw01的ip轉發內核參數。將mcw03網關應該修改為mcw01的內網ip,內網網卡上給mcw03添加DNS服務器的配置,不然無法解析了。 單個ip實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 echo 1 >/proc/sys/net/ipv4/ip_forward echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf sysctl -p 指定網段的地址實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 操作前檢查情況 [root@mcw02 ~]$ ssh 172.16.0.13 #從mcw02上連接mcw03內網ip root@172.16.0.13's password: Last login: Mon Mar 7 17:58:21 2022 from 172.16.0.12 [root@mcw03 ~]$ ip a #查看網卡情況 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff inet 10.0.0.13/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::6782:98:f742:b0e8/64 scope link valid_lft forever preferred_lft forever inet6 fe80::6faf:5935:98b1:7f8d/64 scope link tentative dadfailed valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link tentative dadfailed valid_lft forever preferred_lft forever [root@mcw03 ~]$ ifdown ens33 #將mcw03的外網網卡關閉掉 Device 'ens33' successfully disconnected. [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ ping www.baidu.com #查看mcw03無法訪問外網,只有內網ip172.16.0.13可以通信 ping: www.baidu.com: Name or service not known [root@mcw03 ~]$ [root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 [root@mcw01 ~]$ echo 1 >/proc/sys/net/ipv4/ip_forward [root@mcw01 ~]$ echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf [root@mcw01 ~]$ sysctl -p 發現mcw03還是不通外網,是因為忘記修改網關了,網關應該修改為mcw01的內網ip. [root@mcw03 ~]$ ping www.baidu.com ping: www.baidu.com: Name or service not known [root@mcw03 ~]$ ip r default via 172.160.0.253 dev ens34 proto static metric 100 172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 172.160.0.253 dev ens34 proto static scope link metric 100 這里將內網網卡配置的網關設置為mcw01主機的內網ip。讓它onboot改為yes,不然重啟就關閉網卡了 [root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens34 [root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens34 ONBOOT=yes GATEWAY=172.16.0.11 [root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens33 #將外網網卡的onboot關閉掉,防止重啟網絡,而重啟網卡 [root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens33 ONBOOT="no" GATEWAY="10.0.0.253" [root@mcw03 ~]$ systemctl restart network [root@mcw03 ~]$
檢查環境以及驗證內網訪問外網 [root@mcw03 ~]$ ip a #查看網絡,沒有問題,還是內網ip 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ [root@mcw03 ~]$ ip r #查看網關,已經變成了mcw01主機的內網ip default via 172.16.0.11 dev ens34 proto static metric 100 172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 [root@mcw03 ~]$ [root@mcw03 ~]$ ping www.baidu.com #成功訪問外網 PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data. 64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=127 time=14.8 ms 64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=2 ttl=127 time=13.6 ms ^C --- www.a.shifen.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 13.674/14.261/14.848/0.587 ms [root@mcw03 ~]$ 附上mcw01的內網ip查詢 [root@mcw01 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::9910:d66a:5b4d:7102/64 scope link valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link valid_lft forever preferred_lft forever [root@mcw01 ~]$ 執行完后,記得保存一下配置 iptables -t nat -nL 查看nat表的轉發規則 [root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ [root@mcw01 ~]$ cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ iptables-save # Generated by iptables-save v1.4.21 on Mon Mar 7 18:52:42 2022 *nat :PREROUTING ACCEPT [143:9307] :INPUT ACCEPT [1:229] :OUTPUT ACCEPT [80:6466] :POSTROUTING ACCEPT [80:6466] -A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11 -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 COMMIT # Completed on Mon Mar 7 18:52:42 2022 # Generated by iptables-save v1.4.21 on Mon Mar 7 18:52:42 2022 *filter :INPUT ACCEPT [698927:234693305] :FORWARD ACCEPT [5426:390414] :OUTPUT ACCEPT [704597:225964959] COMMIT # Completed on Mon Mar 7 18:52:42 2022 [root@mcw01 ~]$ [root@mcw01 ~]$ cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
如何刪除nat表的規則:
[root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.61 [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -t nat -D POSTROUTING 2 #刪除nat表的規則,需要指定nat表 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11
DNAT端口轉發(內網服務器不暴露在公網上,但是它上面的服務可以通過某台服務器的端口轉發提供給外網)
DNAT端口轉發(內網服務器不暴露在公網上,但是它上面的服務可以通過某台服務器的端口轉發提供給外網) iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22 有點像Nginx的端口轉發 當外網需要訪問內網某個主機的某個服務時,服務無法提供。我們可以使用端口轉發,mcw01有外網ip,當外網訪問mcw01的外網時,我們可以根據端口來將請求轉發給內網某個服務器如mcw03,mcw03上是沒有外網ip的。 主機環境(將mcw02和mcw03的外網ip10網段的先停掉網卡,只剩內網ip172網段的,純內網機子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 例如:當用戶訪問我們的mcw01主機上的9000端口(10.0.0.11:9000)時,我們將它轉發到我們內網服務器mcw03上的22端口(172.16.0.13:22)。用戶訪問時,源地址是他們自己, 他們的目標是訪問我們的10.0.0.11:9000,我們要實現轉發,需要將這個目標地址改成172.16.0.13:22。所以這里是目標地址轉換DNAT。 這里是目標地址轉換,是nat表;這是用戶來訪問的數據包,也就是用戶要進來,所以是PREROUTING 鏈;目標訪問的是10.0.0.11;對方訪問的是9000端口;動作我就用DNAT,目標地址轉換,轉換成我們內網的地址;這里是轉換成目標地址172.16.0.13:22 注意:此時這里的mcw03的網卡上配置的網關,要設置成mcw01上內網的ip。因為數據包是轉發給mcw03了,但是我要回包的話,得發給mcw01的內網ip,然后mcw01內網ip再發給mcw01的公網ip10.0.0.11,這樣才能給客戶返回響應數據。這里之前已經配置了,詳情見上面的SNAT共享上網 iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport -j DNAT --to-destination 172.16.0.13:22 然后還需要開啟ipv4轉發。之前我已經配置好了 [root@mcw01 ~]$ tail -1 /etc/sysctl.conf net.ipv4.ip_forward=1 [root@mcw01 ~]$ 操作前檢查情況 mcw03和mcw01的9000端口目前都不能連接 [c:\~]$ ssh root@172.16.0.13 Connecting to 172.16.0.13:22... Could not connect to '172.16.0.13' (port 22): Connection failed. Type `help' to learn how to use Xshell prompt. [c:\~]$ [c:\~]$ [c:\~]$ [c:\~]$ ssh root@10.0.0.11 9000 Connecting to 10.0.0.11:9000... Could not connect to '10.0.0.11' (port 9000): Connection failed. Type `help' to learn how to use Xshell prompt. [c:\~]$ 執行操作:配置目標地址轉發,查看配置的規則,查看ipv4轉發是否開啟 [root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22 [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 10.0.0.11 tcp dpt:9000 to:172.16.0.13:22 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ tail -1 /etc/sysctl.conf net.ipv4.ip_forward=1 [root@mcw01 ~]$ 檢驗配置的效果:發現當我們外網上連接mcw01的9000端口時,實際上我們是訪問到了沒有外網ip,不通外網的mcw03主機上。也就是在mcw01上成功實現端口轉發。這樣當我們內網的主機上某個服務要提供給外網訪問時,可以使用端口轉發的方式提供服務,這也能保證了內網服務器的安全性。 [c:\~]$ ssh root@10.0.0.11 9000 Connecting to 10.0.0.11:9000... Connection established. To escape to local shell, press 'Ctrl+Alt+]'. Last login: Mon Mar 7 18:06:33 2022 from 172.16.0.12 [root@mcw03 ~]$ hostname -I 172.16.0.13 [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$
ip地址轉發(DNAT實現ip地址轉發,ip映射)
主機環境(將mcw02和mcw03的外網ip10網段的先停掉網卡,只剩內網ip172網段的,純內網機子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 配置過程中需要注意的事項請參考上面的snat和dnat配置過程 查看環境,將之前已有的端口轉發配置去掉 [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 10.0.0.11 tcp dpt:9000 to:172.16.0.13:22 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ iptables -t nat -D PREROUTING 1 #刪除之前配置的端口轉發,防止收到影響 [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ 在mcw01上添加一個新的公網ip,當訪問這個公網ip10.0.0.111時,將它轉發到內網服務器mcw03的內網ip172.16.0.13 然后可以給這個公網ip,在網關mcw01上加上標簽,這樣在mcw01上就能看到這個ip了。 [root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.111 -j DNAT --to-destination 172.16.0.13 [root@mcw01 ~]$ ip a a 10.0.0.111/24 dev ens33 label ens33:0 [root@mcw01 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::9910:d66a:5b4d:7102/64 scope link valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet 10.0.0.111/24 scope global secondary ens33:0 valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link valid_lft forever preferred_lft forever [root@mcw01 ~]$ ^C 驗證: 當我在外網連接剛剛在mcw01上添加的公網ip10.0.0.111時,實際上連上了內網服務器mcw03上。 也就是當用戶訪問mcw01上的外網ip10.0.0.111的某個端口服務時,它就會轉發給內網服務器mcw03上對應的端口。 這樣就成功實現了ip地址轉發。缺點是,只要某個服務器某個端口需要外網訪問,就要對應一個外網ip,而一般情況下,不需要訪問這么多端口,所以浪費公網ip資源 [c:\~]$ [c:\~]$ ssh root@10.0.0.111 Connecting to 10.0.0.111:22... Connection established. To escape to local shell, press 'Ctrl+Alt+]'. Last login: Mon Mar 7 19:30:16 2022 from 10.0.0.1 [root@mcw03 ~]$ hostname -I 172.16.0.13 [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ 當刪除這個標簽后,就不能通過這個ip訪問內網指定服務器了 [root@mcw01 ~]$ ip a del 10.0.0.111/24 dev ens33 label ens33:0 [root@mcw01 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::9910:d66a:5b4d:7102/64 scope link valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link valid_lft forever preferred_lft forever [root@mcw01 ~]$
-F不能清除nat表的規則
[root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.111 to:172.16.0.13 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.111 to:172.16.0.13 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -X [root@mcw01 ~]$ iptables -Z [root@mcw01 ~]$ iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.111 to:172.16.0.13 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.13 0.0.0.0/0 to:10.0.0.11 SNAT all -- 172.16.0.0/24 0.0.0.0/0 to:10.0.0.11 [root@mcw01 ~]$