iptables、共享上网SNAT、端口转发DNAT
1.防火墙概述
封端⼝,封ip
实现NAT功能
共享上⽹
端⼝映射(端⼝转发),ip映射
2.防火墙
2.1防火墙种类以及使用说明
硬件:整个企业入口
软件:开源软件 网站内部 封ip
iptables
云防火墙
安全组
NAT网关
waf应用防火墙
2.2专有名词
容器、表、链、规则
2.3iptables执行过程
1.防⽕墙是层层过滤的,实际是按照配置规则的顺序从上到下,从前到后进⾏过滤的。
2.如果匹配成功规则,即明确表示是拒绝(DROP)还是接收(ACCEPT),数据包就不再向下匹配新的规则。
3.如果规则中没有明确表明是阻⽌还是通过的,也就是没有匹配规则,向下进⾏匹配,直到匹配默认规则得到明确的阻⽌还是通过。
4.防⽕墙的默认规则是所有规则都匹配完才会匹配的。
2.4表与链
iptables 是 4表伍链
4表: filter 表 nat表 raw表 mangle表
伍链: INPUT OUTPUT FORWARD PREROUTING POSTROUTING
1.filter表
实现防火墙功能:屏蔽或准许端口ip
2.nat表
实现nat功能:实现共享上网 端口映射和ip映射
2.5环境准备及命令
先关闭防火墙
systmectl stop firewalld
systemctl disable firewalld
1.安装并启动
yum install iptables-services
systemctl enable iptables
systemctl start iptables
2.设置开机自启防火墙相关模块
cat >>/etc/rc.local<<EOF
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
EOF
lsmod | egrep 'filter|nat|ipt'
3.查看规则
iptables -nL 默认filter -n不要把端⼝ 或ip反向解析为名字 -L 列出规则
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
查看指定表的规则 iptables -t nat -nL
[root@localhost ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
配置filter表规则
| -A | 添加防火墙规则(尾部追加) |
|---|---|
| -D | 删除防火墙规则 |
| -I | 插入防火墙规则(首部插入) |
| -F | 清空防火墙规则 |
| -X | 删除用户自定义的链 |
| -L | 列出添加防火墙规则 |
| -R | 替换防火墙规则 |
| -Z | 清空防火墙数据表统计信息 |
| -P | 设置链默认规则 |
| -p | 协议 protocal tcp/udp/icmp/all 指定端口的时候需要用到指定协议 |
| --dport | 目标端口 |
| -j | 满足条件后的动作 DROP/ACCEPT/REJECT drop 把数据丢掉不会返回给用户 reject 返回拒绝信息 |
| -s | --source 源ip |
| -d | --destination ⽬标ip |
1.先清空规则
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -X
[root@localhost ~]# iptables -Z
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.添加规则
iptables -t filter -I INPUT -p tcp --dport 22122 -j drop
3.删除规则
iptables -t filter -D INPUT 1 //1是行号 上述添加的规则的行号
1:封ip
1.192.168.70.133机器 ping 192.168.70.136机器
[root@web2 ~]# ping 192.168.70.136
PING 192.168.70.136 (192.168.70.136) 56(84) bytes of data.
64 bytes from 192.168.70.136: icmp_seq=1 ttl=64 time=0.937 ms
2.136机器添加规则
iptables -t filter -I INPUT -s 192.168.70.134 -j DROP
3.删除规则
iptables -D INPUT 1 //删除后可以发现又继续ping了
2:禁止网段访问指定端口
iptables -t filter -I INPUT -s 192.168.70.0/24 -p tcp --dport 8888 -j DROP
3:只允许指定网段连入
iptables -I INPUT ! -S 192.168.70.0/24 -j DROP
4:指定多端口
iptables -I INPUT -m multiport -p tcp --dport 80,433 -j DROP //禁止80和433端口
iptables -I INPUT -p tcp --dport 1:10 -j DROP //禁止1-10端口
5:控制是否能ping
iptables -I INPUT -p icmp -j DROP
另一种方法
vim /etc/sysctl.conf //添加如下一条指令
net.ipv4.icmp_echo_ignore_all = 1
sysctl -p //生效
6:匹配⽹络状态(TCP/IP连接状态)
NEW:已经或将启动新的连接
ESTABLISHED:已建⽴的连接
RELATED:正在启动的新连接INVALID:⾮法或⽆法识别的
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
7:限制并发及速率
-m limit --limit 10/minute #每分钟只能有10个数据包 每6秒⽣成
8:防⽕墙规则的保存与恢复
iptables-save 默认输出到屏幕
iptables-restore 加上⽂件
写⼊到/etc/sysconfig/iptables
iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
3.实际⽣产⽤法
iptables -F
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 允许的IP地址 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables-save
4.共享上网SNAT
实现:内部网络的服务器通过可访问外网的机器访问到外网
环境准备
server01设置为VMnet2 192.168.100.18
server02设置为NAT 192.168.70.134 网络再添加一个网卡VMnet2 192.168.100.16
1.设置好server01的ip
[root@server01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO="none"
IPADDR=192.168.100.18
NETMASK=255.255.255.0
NAME="ens33"
DEVICE="ens33"
DNS1=114.114.114.114
2.设置好server02的ip
[root@server02 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:13:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.70.134/24 brd 192.168.70.255 scope global noprefixroute dynamic ens33
valid_lft 5270229sec preferred_lft 5270229sec
inet6 fe80::725c:49ee:6f78:42a0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:29:eb:13:92 brd ff:ff:ff:ff:ff:ff
[root@server02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens37
BOOTPROTO="none"
IPADDR=192.168.100.16
NETMASK=255.255.255.0
NAME="ens37"
DEVICE="ens37"
DNS1=114.114.114.114
[root@server02 ~]# systemctl restart network
[root@server02 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:13:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.70.134/24 brd 192.168.70.255 scope global noprefixroute dynamic ens33
valid_lft 5269237sec preferred_lft 5269237sec
inet6 fe80::725c:49ee:6f78:42a0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:13:92 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.16/24 brd 192.168.100.255 scope global noprefixroute ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feeb:1392/64 scope link
valid_lft forever preferred_lft forever
3.测试ping相互下一
[root@server01 ~]# ping 192.168.100.16
4.server02开启转发功能
[root@serve02 ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@serve02 ~]# sysctl -p
5.server02设置iptables
[root@serve02 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 192.168.70.134
6.测试
[root@server01 ~]# ping baidu.com //能通则成功了
[root@server02 ~]# iptables -t nat -D POSTROUTING 1 //再试着关闭规则 再试试ping
5.端口转发DNAT
在上述snat基础上增加一台机器server03
1.server02添加prerouting规则文章来源:https://www.toymoban.com/news/detail-692561.html
iptables -t nat -A PREROUTING -d 192.168.70.134 -p tcp --dport 9000 -j DNAT --to-destination 192.168.100.18:22
2.server03测试文章来源地址https://www.toymoban.com/news/detail-692561.html
[root@localhost ~]# ssh 192.168.70.134 -p 9000
root@192.168.70.134's password:
Last login: Fri Sep 1 20:37:06 2023
[root@localhost ~]# ip a //查看端口可以发现连上的是server01
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:18:39:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.18/24 brd 192.168.100.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::725c:49ee:6f78:42a0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
到了这里,关于iptables、共享上网SNAT、端口转发DNAT的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
