10.15 iptables filter table case study; 10.16/10.17/10.18 iptables nat table applications

10.15 iptables filter table: a small case study

iptables extension options (for reference)

Among the match extensions, some are explicit extensions that have to be loaded with -m <module>; the others are implicit extensions, loaded automatically by -p (for example -p tcp --dport), and are used without -m.

Stateful packet filtering:

  • -m state --state {NEW,ESTABLISHED,INVALID,RELATED}   match packets in the given connection state(s)

  • -m multiport   match several ports in one rule
    --sports / --dports / --ports   comma-separated list of up to 15 ports (--sport and --dport are accepted as abbreviations)

  • -m iprange   match an IP range
    --src-range ip-ip
    --dst-range ip-ip

  • -m connlimit   limit concurrent connections
    --connlimit-above #   match when the number of parallel connections exceeds #

  • -m limit   limit the rate, i.e. how many packets per unit of time a rule matches
    --limit   the rate (e.g. 5/min)
    --limit-burst #   the burst allowed before the rate limit applies

  • -m string   match on a string in the payload
    --algo bm|kmp   the pattern-matching algorithm, bm or kmp
    --string "STRING"   the string itself

Rule: allow specified ports through

Set the rules with a script:

[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1501  116K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    3   240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  301 37516 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 446 packets, 35731 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[root@cham002 ~]# vi /usr/local/sbin/iptables.sh

#!/bin/bash
ipt="/usr/sbin/iptables"   # keep the iptables command in a variable; use the absolute path so a modified PATH cannot substitute another binary
$ipt -F                    # flush the existing rules
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# the three lines above set the default policy of each chain
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -m state loads the state match and --state selects the connection states; this rule lets packets of connections that are already established (including our own SSH session) through, so that traffic flows normally
$ipt -A INPUT -s 192.168.230.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
# the three lines above specify which new incoming connections are allowed

[root@cham002 ~]# vim !$
vim /usr/local/sbin/iptables.sh
[root@cham002 ~]# w
 16:38:06 up 2 days,  2:06,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      三15   25:20m  0.11s  0.11s -bash
root     pts/0    192.168.230.1    16:25    6.00s  0.47s  0.36s w
[root@cham002 ~]# vim /usr/local/sbin/iptables.sh
[root@cham002 ~]# w
 16:38:45 up 2 days,  2:07,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      三15   25:21m  0.11s  0.11s -bash
root     pts/0    192.168.230.1    16:25    5.00s  0.11s  0.00s w
[root@cham002 ~]# ls
1.txt  2.txt  anaconda-ks.cfg  a.txt  awk  chamlinux  grep  sed
(The w output above shows this session comes from 192.168.230.1, which is inside the 192.168.230.0/24 range the script allows on port 22, so running the script from this session does not cut the connection.)
[root@cham002 ~]# sh /usr/local/sbin/iptables.sh
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.230.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@cham002 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   33  2168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.230.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@cham002 ~]# ls /usr/local/sbin/iptables.sh 
/usr/local/sbin/iptables.sh
[root@cham002 ~]# ls /usr/local/sbin/
iptables.sh
[root@cham002 ~]# cat /usr/local/sbin/iptables.sh 
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT	
$ipt -A INPUT -s 192.168.230.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT  

Note: if the source range the script allows on port 22 does not include the address you are logged in from, do not run the script from that remote session; the session, and every future one, would be cut off!
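The lockout warning above can be automated away. The following is an added example, not the script from these notes: it produces the same filter policy as iptables.sh in iptables-save format and loads it with iptables-restore in one transaction (the tool covered in 10.19), so there is no moment at which the policy is already DROP while the accept rules are not yet in place, and it refuses to run when the SSH session's client address (taken from the SSH_CLIENT variable that sshd sets) lies outside the range allowed on port 22. It also uses two of the extensions listed earlier, multiport for the open ports and limit for rate-limited logging of whatever is about to be dropped, and it accepts loopback traffic, which iptables.sh does not. The variable and function names (ALLOW_SSH_FROM, OPEN_TCP_PORTS, ip_to_int, ip_in_cidr, build_ruleset, apply_ruleset) and the file name iptables-safe.sh are this example's own.

```shell
#!/bin/bash
# Added example, not the original iptables.sh: same policy, loaded atomically and with a
# lockout guard. Names (ALLOW_SSH_FROM, OPEN_TCP_PORTS, ip_to_int, ip_in_cidr,
# build_ruleset, apply_ruleset, iptables-safe.sh) are this example's own assumptions.

ALLOW_SSH_FROM="192.168.230.0/24"   # source range allowed on port 22, as in the notes
OPEN_TCP_PORTS="80,21"              # ports open to everyone, as in the notes (-m multiport list)

# ip_to_int DOTTED_QUAD: print the address as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS: succeed when IP lies inside NET/BITS
ip_in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/}
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# build_ruleset: print the filter table in the format iptables-save writes and
# iptables-restore reads; the whole table is swapped in at COMMIT
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s ${ALLOW_SSH_FROM} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${OPEN_TCP_PORTS} -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ipt-drop: "
COMMIT
EOF
}

# apply_ruleset: refuse to lock out the current SSH session, then load in one transaction
apply_ruleset() {
    local client=${SSH_CLIENT%% *}     # sshd sets SSH_CLIENT="client_ip client_port server_port"
    if [ -n "$client" ] && ! ip_in_cidr "$client" "$ALLOW_SSH_FROM"; then
        echo "refusing to apply: SSH client $client is outside $ALLOW_SSH_FROM" >&2
        return 1
    fi
    build_ruleset | /usr/sbin/iptables-restore
}

# apply only when run as the script itself (not when the functions are sourced)
if [ "${0##*/}" = "iptables-safe.sh" ]; then
    apply_ruleset
fi
```

Save it as /usr/local/sbin/iptables-safe.sh and run it as root; anything that reaches the end of INPUT is logged (at most 5 lines a minute after the initial burst) and then dropped by the chain policy, which makes a lockout visible in the kernel log instead of silent.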

ICMP example

[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
[root@cham002 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
This rule drops inbound ICMP echo requests (type 8): this host can still ping others, but others can no longer ping this host.
[root@cham002 ~]# ping www.qq.com
PING www.qq.com (59.37.96.63) 56(84) bytes of data.
^C
--- www.qq.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
Pinging outward is not affected by the rule: our own echo requests leave through OUTPUT (policy ACCEPT) and the replies are type 0, which the rule does not match (the single dropped packet in the counters below is an inbound echo request). The 100% loss in this capture therefore has another cause; the replies simply never reached this VM. What the rule does block is pings from outside to this host.

[root@cham002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   75  5260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 25 packets, 3136 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@cham002 ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP

10.16-10.18 iptables nat table applications

Application 1

Environment:
Machine A (cham2) has two NICs, ens33 (192.168.230.135) and ens37 (192.168.100.10). ens33 can reach the outside network; ens37 is on an internal network only. Machine B (cham2(2)) has only ens37 (192.168.100.100) and can communicate with A's ens37.

Preparation:

  • Prepare two virtual machines
  • Add a second NIC, ens37, to machine A, with its network connection set to 'VLAN1' (an internal switch segment; in this mode the Windows host cannot reach the guest). After booting, set its IP to 192.168.100.10
  • On machine B disable the original NIC and add a new NIC ens37; after booting, set its IP to 192.168.100.100 (choose the VLAN1 segment for the connection mode, the same segment as A's ens37)

Set the IP of ens37:

  • Method 1:
    run ifconfig directly on the command line
[root@cham002 ~]# ifconfig ens37 192.168.100.10/24
[root@cham002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.135  netmask 255.255.255.0  broadcast 192.168.230.255
        inet6 fe80::6f15:52d3:ebeb:e193  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)
        RX packets 118107  bytes 59389847 (56.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 120509  bytes 41188215 (39.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.230.150  netmask 255.255.255.0  broadcast 192.168.230.255
        ether 00:0c:29:b6:9f:e3  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:feb6:9fed  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:9f:ed  txqueuelen 1000  (Ethernet)
        RX packets 17  bytes 5814 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57  bytes 9472 (9.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 164  bytes 13656 (13.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164  bytes 13656 (13.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note: this method only sets the IP temporarily; it is lost after a reboot.

  • Method 2: copy the configuration file of ens33 to one for ens37 and set the address in that file; this survives a reboot.

Requirements:

  • Requirement 1: let machine B reach the outside network

    • Step 1: enable IP forwarding (routing) on machine A
      [root@cham002 ~]# cat /proc/sys/net/ipv4/ip_forward
      0
      [root@cham002 ~]# echo "1" > !$
      echo "1" > /proc/sys/net/ipv4/ip_forward
      [root@cham002 ~]# cat /proc/sys/net/ipv4/ip_forward
      1

    • Step 2: add one rule to the nat table on machine A
      [root@cham002 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
      [root@cham002 ~]# iptables -t nat -nvL
      Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         

      Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         

      Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         

      Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         
          0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0

      Note: -o takes a device name, the outgoing interface. MASQUERADE means "disguise": packets from 192.168.100.0/24 leaving through ens33 get ens33's current address as their source, and connection tracking maps the replies back to the internal host.

    • Step 3: on B, set the default gateway to the IP of A's ens37 (192.168.100.10), then test with ping: the outside network is reachable.
      Note: B can now reach the outside, but hosts outside cannot reach B; A is acting like a router doing NAT.

  • Requirement 2: machine C can only communicate with A; let C reach port 22 on B directly (port mapping)

    • Step 1: enable IP forwarding on machine A
      [root@cham002 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
      This changes a kernel setting to turn on routing between interfaces; the default is 0. It is a runtime value and is lost on reboot; to keep it, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

    • Step 2: add 2 rules to the nat table on machine A (first remove the rule from requirement 1)
      [root@cham002 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
      Rule 1 (DNAT, before routing): TCP packets arriving for 192.168.230.135 port 1122 have their destination rewritten to 192.168.100.100:22
      [root@cham002 ~]# iptables -t nat -A PREROUTING -d 192.168.230.135 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22

      Rule 2 (SNAT, after routing): packets from B (192.168.100.100) leaving A get 192.168.230.135 as their source
      [root@cham002 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.230.135
      Rule 2 is a static version of the MASQUERADE rule from requirement 1, limited to B, and is what lets B itself reach the outside. The replies to the forwarded SSH connection do not depend on it: connection tracking undoes the DNAT on them automatically, so C sees them coming from 192.168.230.135:1122.

    • Step 3: on B, set the default gateway to the IP of A's ens37 (this command is run on B, although the prompt below shows A):
      [root@cham002 ~]# route add default gw 192.168.100.10

      Done. Open Xshell and connect to 192.168.230.135 on port 1122: the session lands on B's sshd.
      Note: the forwarded packets traverse A's FORWARD chain, not INPUT, so FORWARD must accept them. The script from 10.15 sets FORWARD to ACCEPT; the stock ruleset shown at the start of this page rejects everything in FORWARD (reject-with icmp-host-prohibited) and would break the port mapping.
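To tie the two requirements together: the block below is an added example, not a command from these notes. It emits the nat rules for gateway A (MASQUERADE for the whole 192.168.100.0/24 LAN, which also covers what the static SNAT rule for B did, and the DNAT 1122 -> 192.168.100.100:22 port forward) in the format iptables-restore reads, checks that IP forwarding is enabled before loading, and loads with iptables-restore -n so the INPUT rules from 10.15 stay in place. It goes one step beyond the notes: instead of leaving FORWARD at policy ACCEPT, it sets FORWARD to DROP and allows only LAN-to-outside traffic, the forwarded port, and the replies of both, so a host on either side cannot use A to reach anything else. The variable and function names (WAN_IF, WAN_IP, LAN_IF, LAN_NET, FWD_PORT, TARGET_IP, TARGET_PORT, ip_forward_enabled, build_nat_ruleset, apply_gateway) and the file name nat-gateway.sh are this example's own.

```shell
#!/bin/bash
# Added example, not from the original notes: nat + FORWARD rules for gateway A,
# loaded in one transaction after verifying IP forwarding. Names (WAN_IF, WAN_IP,
# LAN_IF, LAN_NET, FWD_PORT, TARGET_IP, TARGET_PORT, ip_forward_enabled,
# build_nat_ruleset, apply_gateway, nat-gateway.sh) are this example's own assumptions.

WAN_IF="ens33"; WAN_IP="192.168.230.135"      # A's external interface and address (from the notes)
LAN_IF="ens37"; LAN_NET="192.168.100.0/24"    # A's internal interface and the LAN behind it
FWD_PORT=1122; TARGET_IP="192.168.100.100"; TARGET_PORT=22   # A:1122 -> B:22 (requirement 2)

# ip_forward_enabled [FILE]: succeed when the kernel forwards IPv4 (FILE is overridable for tests)
ip_forward_enabled() {
    local f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# build_nat_ruleset: print the nat rules and the FORWARD rules that go with them,
# in the format iptables-restore reads (lines starting with # are ignored by it)
build_nat_ruleset() {
    cat <<EOF
*nat
# requirement 2: TCP to A's external address on port ${FWD_PORT} is rewritten to B:${TARGET_PORT} before routing
-A PREROUTING -i ${WAN_IF} -d ${WAN_IP} -p tcp --dport ${FWD_PORT} -j DNAT --to-destination ${TARGET_IP}:${TARGET_PORT}
# requirement 1: LAN hosts leaving through ${WAN_IF} get the address of ${WAN_IF} as source (replaces the static SNAT for B)
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# replies of forwarded connections, in both directions
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN -> outside (requirement 1)
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -m state --state NEW -j ACCEPT
# outside -> B:${TARGET_PORT}; FORWARD sees the packet after the PREROUTING DNAT, so match the rewritten destination
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${TARGET_IP} -p tcp --dport ${TARGET_PORT} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# apply_gateway: check forwarding, empty the nat table and FORWARD chain (so re-runs do not
# stack duplicate rules), load the rules, then close FORWARD by default
apply_gateway() {
    if ! ip_forward_enabled; then
        echo "net.ipv4.ip_forward is 0: enable it first (sysctl -w net.ipv4.ip_forward=1)" >&2
        return 1
    fi
    /usr/sbin/iptables -t nat -F
    /usr/sbin/iptables -F FORWARD
    build_nat_ruleset | /usr/sbin/iptables-restore -n    # -n: do not flush, keeps the INPUT rules from 10.15
    /usr/sbin/iptables -P FORWARD DROP                    # set after the rules are in, so nothing is cut in between
}

# apply only when run as the script itself (not when the functions are sourced)
if [ "${0##*/}" = "nat-gateway.sh" ]; then
    apply_gateway
fi
```

Run it as root on A after both interfaces are up. The DNAT rule is bound to the external interface and address on purpose: a LAN host sending to 192.168.100.10:1122 is not redirected, and C still sees only A, exactly as the requirement states.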

10.19 Backing up and restoring iptables rules

Back up (save to a file)

Command: iptables-save

[root@cham002 ~]# iptables-save > /tmp/ipt.txt

Restore

[root@cham002 ~]# iptables-restore < /tmp/ipt.txt

Note: iptables-save writes every table as plain text, and iptables-restore replaces the tables contained in the file in one atomic step (flushing them first, unless -n/--noflush is given). Rules added with iptables live only in kernel memory and are gone after a reboot, so a saved file like this is also what you restore at boot.
