
Linux(Centos7 )防火牆iptables使用詳解

作者:運維老男孩

安裝前

裡面有iptables的指令
[root@mcw01 ~]$ rpm -qa|grep iptables
iptables-1.4.21-18.0.1.el7.centos.x86_64
[root@mcw01 ~]$ rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
..........
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables  #iptables管理指令
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
.....
[root@mcw01 ~]$            

我們需要安裝iptables-services,用來啟動和停止iptables服務

[root@mcw01 ~]$ yum list all|grep iptables-services
iptables-services.x86_64                 1.4.21-35.el7                 base     
[root@mcw01 ~]$ yum install -y iptables-services
[root@mcw01 ~]$  rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables  #防火牆配置就是這個
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service    #服務啟動停止檔案
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
[root@mcw01 ~]$ 



modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state

[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'  #預設是沒有開啟這些核心子產品的
[root@mcw01 ~]$ 
[root@mcw01 ~]$ modprobe ip_tables    #加載這些子產品,應該寫進配置,即使重新開機了也加載,永久性修改生效。
[root@mcw01 ~]$ modprobe iptable_filter
[root@mcw01 ~]$ modprobe iptable_nat
[root@mcw01 ~]$ modprobe ip_conntrack
[root@mcw01 ~]$ modprobe ip_conntrack_ftp
[root@mcw01 ~]$ modprobe ip_nat_ftp
[root@mcw01 ~]$ modprobe ipt_state

加載核心子產品的配置在/etc/modprobe.d/目錄下
[root@mcw01 ~]$ ls /etc/modprobe.d/
tuned.conf
[root@mcw01 ~]$ 
[root@mcw01 ~]$ tail -7 /etc/rc.local #也可以直接加到開機自啟動檔案裡
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
[root@mcw01 ~]$ 


然後再檢查下,現在有這些核心子產品了
[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'
nf_nat_ftp             12770  0 
nf_conntrack_ftp       18638  1 nf_nat_ftp
iptable_nat            12875  0 
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack          133387  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter         12810  0 
ip_tables              27115  2 iptable_filter,iptable_nat
libcrc32c              12644  4 xfs,sctp,nf_nat,nf_conntrack
[root@mcw01 ~]$            

關閉firewalld,開啟iptables

關閉firewalld
systemctl stop firewalld 
systemctl disable firewalld
systemctl is-active firewalld.service
systemctl is-enabled firewalld.service

[root@mcw01 ~]$ systemctl stop firewalld 
[root@mcw01 ~]$ systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@mcw01 ~]$ systemctl is-active firewalld.service   #只要不是 active 狀態,就已經關閉了;只要是 disabled,就不會開機自啟了
unknown
[root@mcw01 ~]$ systemctl is-enabled firewalld.service 
disabled
[root@mcw01 ~]$

開啟iptables
systemctl start iptables.service
systemctl enable iptables.service
[root@mcw01 ~]$ systemctl start iptables.service 
[root@mcw01 ~]$ systemctl enable iptables.service 
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@mcw01 ~]$ 


[root@mcw01 ~]$ iptables -Ln  #寫反了:-L 後面的 n 被當成鏈名,所以下面報錯,什麼都沒有列出
iptables: No chain/target/match by that name.
[root@mcw01 ~]$ iptables -nL #這裡預設顯示的是filter表的。這裡有filter表的INPUT鍊,FORWARD鍊,和OUTPUT鍊
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
#使用者請求來的時候,預設先從input鍊這裡一行一行規則往下比對,如果都沒有比對上了,就走input鍊後面的小括号裡面的規則,
#這裡是(policy ACCEPT),小括号裡面表示預設規則

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$            

學習前環境準備

清除所有的iptables規則
--flush   -F [chain]        Delete all rules in  chain or all chains  清除所有規則
  --delete-chain    -X [chain]        Delete a user-defined chain  删除使用者自定義的規則
  --zero    -Z [chain [rulenum]]    Zero counters in chain or all chains  清除鍊的計數器

清除所有規則,但不會清除預設規則
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -F  #清除所有的iptables規則
[root@mcw01 ~]$ iptables -nL  #再次檢視,安裝好後預設設定的規則都清除掉了
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$            

禁止通路22端口(指定端口)

--append  -A chain        Append to chain  #追加鍊,追加是放到最下面,如果是拒絕的規則,那麼應該放到最上面才防止未比對到而失效。
--delete  -D chain        Delete matching rule from chain
--insert  -I chain [rulenum]      Insert in chain as rulenum (default 1=first)  #把規則放到前面,插入,一般拒絕的規則放到前面
--jump    -j target    target for rule (may load target extension)  #比對到規則後需要做的動作,比如:DROP/ACCEPT/REJECT 丟棄(不回應,對方會連接逾時),接受,拒絕(回應ICMP錯誤)

--dport 目标端口, -d 目标ip    --sport源端口
 -A添加規則;INPUT,我要在INPUT鍊中添加規則。是需要指定端口還是ip呢,這裡是22端口,指定端口的話一般要先指定協定(協定一般這裡有tcp,udp,icmp,all就是所有),端口在網絡中一般有兩種情況,ip也是有兩種情況,就是目标端口,源端口,目标ip,源ip,我這裡是禁止通路22端口,也就是端口是目标端口,是以--dport 22;需要禁止通路,那就是 -j DROP ,這個DROP要大寫

iptables  -A INPUT -p tcp --dport 22 -j DROP
iptables  -t filter -A INPUT -p tcp --dport 22 -j DROP

需要謹慎,看清了。這裡是示範,如果真的把22端口禁了,就連不上了。我這裡是虛拟機,可以在VMware上把這條規則清除掉重新遠端連接配接

如果我們隻是想清除一條規則,可以先執行
iptables -nL --line-numbers
檢視規則是INPUT鍊上的第幾條,防止眼睛數錯行。這裡是在INPUT鍊上的第一條規則,然後執行删除這條規則。清除之後,22端口就能重新連接配接了
iptables -D INPUT 1 

如下,我禁用23端口和解除23端口的過程
[root@mcw01 ~]$ iptables  -A INPUT -p tcp --dport 23 -j DROP  #未指定預設是filter表了;添加;在input鍊上;tcp協定,目标端口23;來通路了就drop丢掉
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23  #禁用23端口

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -nL --line-numbers  #檢視規則是第幾個,删除可以用到
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
[root@mcw01 ~]$ iptables -D INPUT 1    #删除,指定是INPUT鍊,第一個規則
[root@mcw01 ~]$ iptables -nL 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$            

禁止指定ip,通路本伺服器指定端口

禁止指定ip,通路本伺服器指定端口
iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 

防火牆四表五鍊,我們常用的是filter,nat表。我們常用的是filter表的INPUT,FORWARD,OUTPUT鍊;nat表的PREROUTING,POSTROUTING鍊,OUTPUT鍊


禁止10.0.0.12通路10.0.0.11伺服器的22端口
10.0.0.11  172.16.0.11  mcw01
10.0.0.12  172.16.0.12  mcw02
iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 

一開始12能通路11的22端口
[root@mcw02 ~]$ ssh 10.0.0.11 hostname
root@10.0.0.11's password: 
mcw01
[root@mcw02 ~]$ 


[root@mcw01 ~]$ iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP  
[root@mcw01 ~]$ iptables -nL  #禁止10.0.0.12通路10.0.0.11伺服器的22端口
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22
#來自10.0.0.12的IP,通路本機的22端口被drop
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   


再次從12上通路11的22端口,發現是連接配接逾時的
[root@mcw02 ~]$ ssh 10.0.0.11 hostname
ssh: connect to host 10.0.0.11 port 22: Connection timed out
[root@mcw02 ~]$ 
[root@mcw02 ~]$ ssh 172.16.0.11 hostname  #如果使用内網ip,還是可以通路的,因為隻是禁用10.0.0.12通路  
root@172.16.0.11's password: 
mcw01
[root@mcw02 ~]$ ping 10.0.0.11 -c 1 #通路icmp協定的還是不影響的
PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data.
64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=0.682 ms

--- 10.0.0.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms
[root@mcw02 ~]$ 
[root@mcw02 ~]$ nc 10.0.0.11 22  #使用nc檢視端口是否能連上
Ncat: Connection timed out.
[root@mcw02 ~]$
[root@mcw02 ~]$ telnet 10.0.0.11 22  #telnet檢視是否能連上
Trying 10.0.0.11...
telnet: connect to address 10.0.0.11: Connection timed out
[root@mcw02 ~]$ 


正常能連的顯示
[root@mcw03 ~]$ nc 10.0.0.11 22
SSH-2.0-OpenSSH_7.4 #夯住           

指令有,但不知道是哪個包帶來的指令,兩種方式找到包

[root@mcw01 ~]$ rpm -qa nc
[root@mcw01 ~]$ rpm -qa ncat
[root@mcw01 ~]$ rpm -qa |grep nc
irqbalance-1.0.7-10.el7.x86_64
ncurses-base-5.9-14.20130511.el7_4.noarch
perl-Encode-2.51-7.el7.x86_64
qrencode-libs-3.4.1-3.el7.x86_64
ncurses-libs-5.9-14.20130511.el7_4.x86_64
ncurses-5.9-14.20130511.el7_4.x86_64
nmap-ncat-6.40-19.el7.x86_64
vim-enhanced-7.4.629-8.el7_9.x86_64
ncurses-devel-5.9-14.20130511.el7_4.x86_64
[root@mcw01 ~]$ 
[root@mcw01 ~]$ rpm -qa |grep ncat
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$ which nc
/usr/bin/nc
[root@mcw01 ~]$ yum provides nc  #方式一:yum檢視指令是哪個包裡的
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
netcat-1.218-2.el7.x86_64 : OpenBSD netcat to read and write data across connections using TCP or UDP
Repo        : epel
Matched from:
Provides    : nc = 1.218-2.el7



2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : base
Matched from:
Provides    : nc



2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : @base
Matched from:
Provides    : nc



[root@mcw01 ~]$ rpm -qf `which nc`  #方式二:rpm檢視指令是哪個包裡的
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$            

使用nc指令進行端口間通信

當我使用nc連接配接本伺服器端口的時候
[root@mcw03 ~]$ nc -l  6381
#夯住

新開一個視窗,發現這個指令的程序
[root@mcw03 ~]$ ps -ef|grep -v grep |grep 6381
root      19421  19094  0 03:26 pts/0    00:00:00 nc -l 6381
[root@mcw03 ~]$ 

--
如下當我将mcw03上redis端口,使用nc指令夯住後
[root@mcw03 ~]$ nc -l  6381
wo shi machangwei
nihaoya


當我在其他機器,比如在mcw01上telnet mcw03的這個6381端口,也會夯住,然後這樣兩者間就可以互相寫字進行通信了,一行一行的發送,點選enter就發送。telnet如果是用戶端的話,那麼我斷開telnet,nc指令并不會終止
[root@mcw01 ~]$ telnet 10.0.0.13 6381
Trying 10.0.0.13...
Connected to 10.0.0.13.
Escape character is '^]'.
wo shi machangwei
nihaoya



當我在mcw03上使用nc之後,夯住
[root@mcw03 ~]$ nc -l  6381

然後
[root@mcw01 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw01 ~]$ cat /etc/hosts |nc 10.0.0.13 6381  #然後在另一個主機上連接配接這個端口,就能發送檔案内容過去


[root@mcw03 ~]$ nc -l  6381  #接收到檔案内容,我們也可以将接收的檔案内容重定向到檔案裡,實作nc通過端口傳輸檔案
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$ 
[root@mcw03 ~]$ nc -l  6381 >1.host
[root@mcw03 ~]$ cat 1.host 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$            

禁止指定網段通路本伺服器的指定端口

禁止指定網段通路本伺服器的指定端口
iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP

别人通路我,是進入的包,INPUT鍊。别人通路我的某個端口服務,我這個端口是對方通路的目标端口,是以是dport,禁止就得drop,-I拒絕的就往前面插入


我在mcw01上開啟了8080端口的監聽,然後通過兩個ip通路,都能通,接收到資訊
[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ 



現在設定防火牆規則,禁止指定172.16.0.0/24網段通路本伺服器的指定端口8080
[root@mcw01 ~]$ iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  172.16.0.0/24        0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 



然後再看,mcw02連接配接mcw01上nc開啟的服務,發現只有172.16.0.11這個網段的不能連上服務了,說明禁止生效了
[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
Ncat: Connection timed out.
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080 #夯住,沒反應           

指定只能某個網段通路本伺服器。(不是指定網段的拒絕掉)

指定只能某個網段通路本伺服器。(不是指定網段的拒絕掉)
iptables -I INPUT ! -s 10.0.0.0/24 -j DROP


當我清空所有防火牆配置之後,mcw02能通路mcw01上nc開啟的2222端口
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ 



[root@mcw01 ~]$ iptables -I INPUT ! -s 10.0.0.0/24 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 


當我兩次在mcw01上nc開啟2222端口時,只有通路10.0.0.11能通路到,通路172.16.0.11通路不到。是以防火牆配置生效
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
Ncat: Connection timed out.
[root@mcw02 ~]$ 


[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222           

禁止使用者通路本伺服器指定範圍或者指定多個的端口

禁止使用者通路本伺服器指定範圍或者指定多個的端口
iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP


執行指令前,nc開啟mcw01的端口,mcw02上都能通路到
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 444
2222
[root@mcw01 ~]$ nc -l 1024
2222
[root@mcw01 ~]$ nc -l 60000
2222
[root@mcw01 ~]$ 



[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
[root@mcw01 ~]$ iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     


執行指令後,無法通路到
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
Ncat: Connection timed out.
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 444
^C
[root@mcw01 ~]$ nc -l 1024
^C
[root@mcw01 ~]$ nc -l 60000
^C
[root@mcw01 ~]$            

使用iptables實作禁止ping功能

使用iptables實作禁止ping功能
iptables -I INPUT -p icmp --icmp-type 8 -j DROP  #實際上icmp協定的類型有很多,影響我們ping的類型是8(echo request),只需禁止8就行
iptables -I INPUT -p icmp --icmp-type any -j DROP

當我給mcw01把這個核心參數設定為1的時候,mcw02就無法ping通mcw01了;當我修改為0的時候,就能ping通mcw01了
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all



加上這條指令後,裡面就不能ping通了 ,這裡是任意類型,好像寫成8也可以
[root@mcw01 ~]$ iptables -I INPUT -p icmp --icmp-type any -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$            

儲存和恢複規則

iptables-save儲存目前防火牆到配置檔案中,加上重定向,可以将防火牆規則導入到指定檔案中備份起來
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables-save  #會把所有表的規則都列印出來:*後面是表的名字;冒號開頭的行是各鏈的預設政策(policy)和計數器;再往下就是我們自己配置的規則
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*nat
:PREROUTING ACCEPT [6543:408185]
:INPUT ACCEPT [76:11426]
:OUTPUT ACCEPT [358288:21886420]
:POSTROUTING ACCEPT [358288:21886420]
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*filter  
:INPUT ACCEPT [696:58996]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [653551:39668311] #*後面顯示表的名字;冒號後面是各鏈的預設政策;再往下就是我們自己配置的規則
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
[root@mcw01 ~]$ 


防火牆配置,實際儲存的是如下檔案中。可以看到和指令查詢出來的差不多
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$ 


如下儲存防火牆規則

[root@mcw01 ~]$ iptables-save >iptRule.txt
[root@mcw01 ~]$ cat iptRule.txt 
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*nat
:PREROUTING ACCEPT [6642:414294]
:INPUT ACCEPT [77:11655]
:OUTPUT ACCEPT [363901:22224847]
:POSTROUTING ACCEPT [363901:22224847]
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*filter
:INPUT ACCEPT [781:65217]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [664961:40365111]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
[root@mcw01 ~]$ 




不小心把防火牆規則都誤清除了,重新啟動一下iptables服務,規則就會重新載入。注意:重啟載入的是/etc/sysconfig/iptables裡的規則(下面的輸出可以看到恢復的是安裝時的預設規則,而不是我們剛才的DROP規則);如果要讓重啟後保留當前規則,需要先用iptables-save把規則寫入/etc/sysconfig/iptables
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ systemctl restart iptables.service 
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 




iptables-restore無需重新開機防火牆,可以将備份導出來的防火牆規則,再導入回去
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables-restore <iptRule.txt 
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$            

修改預設規則為drop,預設都不接受的做法

-i --input 資料進入的時候通過哪個網卡
-o --output   資料出去的時候通過哪個網卡
-P  --policy  -P chain target   Change policy on chain to target 修改預設規則


修改預設規則前設定:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT

修改預設規則
iptables -P INPUT DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

修改預設規則後添加自己使用的網段為白名單
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT


清除好環境
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 


在修改預設政策為拒絕之前,首先要提前做些準備,比如先放行22端口的通路,否則自己的SSH連線會被切斷。另外,INPUT預設政策改為DROP後,本機主動發出的連線(如DNS、yum)的回包也會被丟棄,實際使用時通常還要像預設配置檔案那樣加一條 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@mcw01 ~]$ #準許連接配接 22端口
[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 


設定本地lo通訊規則
[root@mcw01 ~]$ iptables -A INPUT -i lo -j ACCEPT
[root@mcw01 ~]$ iptables -A OUTPUT -o lo -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ 


添加指定服務需要能被通路,比如80 443 
[root@mcw01 ~]$ iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ 


修改預設規則
[root@mcw01 ~]$ #修改預設規則
[root@mcw01 ~]$ iptables -P INPUT DROP  #進來的時候,預設是drop
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ iptables -P FORWARD DROP   #這個也預設是drop
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT   #出去的時候不管,都接受
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ 


添加兩個白名單
[root@mcw01 ~]$ iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0           
ACCEPT     all  --  172.16.0.0/24        0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0     




然後儲存下我們的配置
[root@mcw01 ~]$ iptables-save 
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*nat
:PREROUTING ACCEPT [148:9218]
:INPUT ACCEPT [13:949]
:OUTPUT ACCEPT [2894:191439]
:POSTROUTING ACCEPT [2894:191439]
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [195:20374]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
[root@mcw01 ~]$  #其中預設是drop ,INPUT和OUTPUT鍊添加了規則           

内網伺服器通過iptables轉發實作通路外網SNAT(共享上網)

内網伺服器通過iptables轉發實作通路外網(共享上網)

10.0.0.11是叢集中的外網ip,能通過這個ip通路外網的。這個ip所在伺服器可以做成網關,讓其它主機的網關設定成該主機的内網ip,然後通過ipv4核心源位址轉換實作通路外網

單個ip實作源位址轉換
iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p

指定網段的位址實作源位址轉換
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11


當公網ip不固定時:更換。用如下指令
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE


MASQUERADE


masquerade
英[ˌmæskəˈreɪd]
美[ˌmæskəˈreɪd]
n.    掩藏; 掩飾; 化裝舞會; 假面舞會;
vi.    假扮; 喬裝; 僞裝;



nat表(可以共享上網,端口映射,ip映射)


主機環境(将mcw02和mcw03的外網ip10網段的先停掉網卡,隻剩内網ip172網段的,純内網機子了):
10.0.0.11  172.16.0.11 mcw01
10.0.0.12  172.16.0.12 mcw02
10.0.0.13  172.16.0.13 mcw03


準備環境:
先把上面做的環境改回來,記得先改回預設政策為接受,然後再清空所有的規則。不然預設政策是拒絕,我把接受22端口的規則删除掉,那麼就連不上伺服器了,只能去機房連接配接伺服器恢復了
[root@mcw01 ~]$ iptables -P INPUT ACCEPT
[root@mcw01 ~]$ iptables -P FORWARD ACCEPT
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 





[root@mcw01 ~]$ ping www.baidu.com -c 1  #檢視百度的ip是110.242.68.4,我現在需要内網的機子能通路這個ip
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=17.1 ms

--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.186/17.186/17.186/0.000 ms
[root@mcw01 ~]$ 


我現在mcw03這個後端内網伺服器不能通路到外網,mcw01可以通路到外網。我想通過mcw01做轉發,實作mcw03通路外網

mcw03的ip是172.16.0.13,這時資料包通過mcw01通路110.242.68.4時,目标ip110.242.68.4不變,在mcw01上要将源ip172.16.0.13修改mcw01的ip即10.0.0.11。
是以,需要内網實作共享上網的時候,需要使用snat,源網絡位址轉換

這時我們的mcw03的資料包,是需要通過mcw01上出去,進而通路外網,是以我們需要修改的是以前畫的那張圖裡的nat表POSTROUTING

是以,需要設定防火牆指令如下:需要在nat表設定;需要在POSTROUTING鍊裡追加;目标ip是通路的外網ip,
需要指定源ip是mcw03内網ip位址需要轉換為可以通路的外網ip;動作是mcw03的内網ip,源ip轉換為能通路外網的mcw01上的外網ip,動作是源位址通路;将源位址改為mcw01上的外網ip10.0.0.11
mcw01配置了nat規則後,還要開啟mcw01的ip轉發核心參數(net.ipv4.ip_forward=1),並確保filter表FORWARD鍊放行這部分轉發流量(本文演示時FORWARD預設政策是ACCEPT;若用的是/etc/sysconfig/iptables裡預設的「-A FORWARD -j REJECT」,必須在它前面加放行規則)。mcw03的網關應該修改為mcw01的内網ip,並在mcw03的内網網卡上添加DNS伺服器配置,不然無法解析域名。

單個ip實作源位址轉換
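# SNAT for one internal host: packets from mcw03 (172.16.0.13) leave with
# their source rewritten to mcw01's external address 10.0.0.11.
# "-o ens33" binds the rule to the external NIC (10.0.0.11 lives on ens33 on
# mcw01), so only traffic actually heading out is rewritten.
iptables -t nat -A POSTROUTING -s 172.16.0.13 -o ens33 -j SNAT --to-source 10.0.0.11

# NAT alone does nothing unless the forwarded packets also pass the filter
# table's FORWARD chain. This demo runs with "FORWARD (policy ACCEPT)", but
# the stock /etc/sysconfig/iptables ends FORWARD with "-j REJECT", so explicit
# accept rules keep the setup working once rules are saved/restored (they
# must sit before any catch-all REJECT).
iptables -A FORWARD -i ens34 -o ens33 -s 172.16.0.13 -j ACCEPT
iptables -A FORWARD -i ens33 -o ens34 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Turn on IPv4 forwarding now (lost on reboot) ...
echo 1 >/proc/sys/net/ipv4/ip_forward
# ... and persist it. Guard the append so re-running the snippet does not
# keep stacking duplicate lines in sysctl.conf.
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p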

指定網段的位址實作源位址轉換
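# SNAT for the whole internal subnet. "-o ens33" limits the rewrite to
# packets leaving through the external NIC (10.0.0.11 is on ens33 on mcw01);
# without it any forwarded packet from 172.16.0.0/24 would be rewritten
# regardless of where it is going.
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o ens33 -j SNAT --to-source 10.0.0.11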


操作前檢查情況
[root@mcw02 ~]$ ssh 172.16.0.13  #從mcw02上連接配接mcw03内網ip
root@172.16.0.13's password: 
Last login: Mon Mar  7 17:58:21 2022 from 172.16.0.12
[root@mcw03 ~]$ ip a  #檢視網卡情況
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.13/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::6782:98:f742:b0e8/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::6faf:5935:98b1:7f8d/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
[root@mcw03 ~]$ ifdown ens33  #将mcw03的外網網卡關閉掉
Device 'ens33' successfully disconnected.
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ ping www.baidu.com  #檢視mcw03無法通路外網,隻有内網ip172.16.0.13可以通信
ping: www.baidu.com: Name or service not known
[root@mcw03 ~]$ 




[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$ echo 1 >/proc/sys/net/ipv4/ip_forward
[root@mcw01 ~]$ echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
[root@mcw01 ~]$ sysctl -p


發現mcw03還是不通外網(注意這裡報的是 Name or service not known,說明連DNS解析都沒有完成;排查時最好先 ping 110.242.68.4 這樣的ip確認路由通不通,再查DNS),原因是忘記修改網關了,網關應該修改為mcw01的内網ip。
[root@mcw03 ~]$ ping www.baidu.com
ping: www.baidu.com: Name or service not known
[root@mcw03 ~]$ ip r
default via 172.160.0.253 dev ens34 proto static metric 100 
172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 
172.160.0.253 dev ens34 proto static scope link metric 100 


這裡将内網網卡配置的網關設定為mcw01主機的内網ip。讓它onboot改為yes,不然重新開機就關閉網卡了
[root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens34 
[root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens34
ONBOOT=yes
GATEWAY=172.16.0.11
[root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens33  #将外網網卡的onboot關閉掉,防止重新開機網絡,而重新開機網卡
[root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens33
ONBOOT="no"
GATEWAY="10.0.0.253"
[root@mcw03 ~]$ systemctl restart network
[root@mcw03 ~]$            
檢查環境以及驗證内網通路外網
[root@mcw03 ~]$ ip a  #檢視網絡,沒有問題,還是内網ip
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ 
[root@mcw03 ~]$ ip r  #檢視網關,已經變成了mcw01主機的内網ip
default via 172.16.0.11 dev ens34 proto static metric 100 
172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 
[root@mcw03 ~]$ 
[root@mcw03 ~]$ ping www.baidu.com  #成功通路外網
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=127 time=14.8 ms
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=2 ttl=127 time=13.6 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 13.674/14.261/14.848/0.587 ms
[root@mcw03 ~]$ 


附上mcw01的内網ip查詢
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link 
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$ 





執行完後,記得儲存一下配置:iptables規則只存在於核心記憶體中,重啟主機或重啟iptables服務後就沒了。用 service iptables save(或 iptables-save > /etc/sysconfig/iptables)寫入 /etc/sysconfig/iptables。從下面的輸出可以看到,此時該檔案裡還是安裝時的範例規則,並沒有nat規則,說明還沒有真正儲存;而且範例規則裡有「-A FORWARD -j REJECT」,直接恢復它會把這裡的SNAT/DNAT轉發全部擋掉,儲存前要先在它前面加上對應的FORWARD放行規則。
iptables -t nat -nL 檢視nat表的轉發規則
[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables  -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables-save 
# Generated by iptables-save v1.4.21 on Mon Mar  7 18:52:42 2022
*nat
:PREROUTING ACCEPT [143:9307]
:INPUT ACCEPT [1:229]
:OUTPUT ACCEPT [80:6466]
:POSTROUTING ACCEPT [80:6466]
-A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11
-A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
COMMIT
# Completed on Mon Mar  7 18:52:42 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 18:52:42 2022
*filter
:INPUT ACCEPT [698927:234693305]
:FORWARD ACCEPT [5426:390414]
:OUTPUT ACCEPT [704597:225964959]
COMMIT
# Completed on Mon Mar  7 18:52:42 2022
[root@mcw01 ~]$ 
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT           

如何删除nat表的規則:先用 iptables -t nat -nL --line-numbers 看清規則編號再按編號删除;每删除一條,後面的編號都會前移,連續删除多條時要重新檢視。也可以用與添加時完全相同的匹配條件、把 -A 換成 -D 按內容删除,避免編號錯位。

[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -t nat -D  POSTROUTING 2 #删除nat表的規則,需要指定nat表
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11           

DNAT端口轉發(内網伺服器不暴露在公網上,但是它上面的服務可以通過某台伺服器的端口轉發提供給外網)

DNAT端口轉發(内網伺服器不暴露在公網上,但是它上面的服務可以通過某台伺服器的端口轉發提供給外網)

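# Port forward: TCP connections to 10.0.0.11:9000 arriving on the external
# NIC are redirected to mcw03's sshd at 172.16.0.13:22. "-i ens33" restricts
# the rewrite to packets coming in from the outside (10.0.0.11 is on ens33).
# NOTE: without "-s" this rule matches every source address, i.e. mcw03's ssh
# becomes reachable from anywhere; add e.g. "-s <admin-net>/24" in production.
iptables -t nat -A PREROUTING -i ens33 -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22

# After DNAT the packet still traverses the filter table's FORWARD chain, so
# it must be allowed there too (this demo has FORWARD policy ACCEPT, but the
# stock /etc/sysconfig/iptables rejects all forwarding; put these before any
# catch-all REJECT). The second rule lets mcw03's replies back out.
iptables -A FORWARD -i ens33 -o ens34 -d 172.16.0.13 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens34 -o ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Replies from mcw03 must route back through mcw01 (its default gateway is
# 172.16.0.11, see the SNAT section) so conntrack can undo the DNAT.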


有點像Nginx的端口轉發

當外網需要通路内網某個主機的某個服務時,服務無法提供。我們可以使用端口轉發,mcw01有外網ip,當外網通路mcw01的外網時,我們可以根據端口來将請求轉發給内網某個伺服器如mcw03,mcw03上是沒有外網ip的。


主機環境(将mcw02和mcw03的外網ip10網段的先停掉網卡,隻剩内網ip172網段的,純内網機子了):
10.0.0.11  172.16.0.11 mcw01
10.0.0.12  172.16.0.12 mcw02
10.0.0.13  172.16.0.13 mcw03


例如:當使用者通路我們的mcw01主機上的9000端口(10.0.0.11:9000)時,我們将它轉發到我們内網伺服器mcw03上的22端口(172.16.0.13:22)。使用者通路時,源位址是他們自己,
他們的目标是通路我們的10.0.0.11:9000,我們要實作轉發,需要将這個目标位址改成172.16.0.13:22。是以這裡是目标位址轉換DNAT。

這裡是目标位址轉換,是nat表;這是使用者來通路的資料包,也就是使用者要進來,是以是PREROUTING鍊;目标通路的是10.0.0.11;對方通路的是9000端口;動作用DNAT,目标位址轉換成我們内網的位址172.16.0.13:22。注意這條規則對任何來源都生效(source 0.0.0.0/0),等於把mcw03的ssh直接開放給整個外網;生產環境應加上 -s 只允許管理網段的來源位址,並在mcw03上只允許金鑰登入。
注意:此時這裡的mcw03的網卡上配置的網關,要設定成mcw01上内網的ip。因為資料包是轉發給mcw03了,但是我要回包的話,得發給mcw01的内網ip,然後mcw01内網ip再發給mcw01的公網ip10.0.0.11,這樣才能給客戶傳回響應資料。這裡之前已經配置了,詳情見上面的SNAT共享上網

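# Port forward: TCP connections to 10.0.0.11:9000 arriving on the external
# NIC are redirected to mcw03's sshd at 172.16.0.13:22. The original line was
# missing the port after --dport (iptables rejects it); 9000 is the port the
# rest of this section uses. "-i ens33" restricts the rewrite to packets
# coming in from the outside (10.0.0.11 is on ens33).
# NOTE: without "-s" this rule matches every source address, i.e. mcw03's ssh
# becomes reachable from anywhere; add e.g. "-s <admin-net>/24" in production.
iptables -t nat -A PREROUTING -i ens33 -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22

# After DNAT the packet still traverses the filter table's FORWARD chain, so
# it must be allowed there too (this demo has FORWARD policy ACCEPT, but the
# stock /etc/sysconfig/iptables rejects all forwarding; put these before any
# catch-all REJECT). The second rule lets mcw03's replies back out.
iptables -A FORWARD -i ens33 -o ens34 -d 172.16.0.13 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens34 -o ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT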

然後還需要開啟ipv4轉發。之前我已經配置好了
[root@mcw01 ~]$ tail -1 /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@mcw01 ~]$ 



操作前檢查情況
mcw03和mcw01的9000端口目前都不能連接配接
[c:\~]$ ssh root@172.16.0.13


Connecting to 172.16.0.13:22...
Could not connect to '172.16.0.13' (port 22): Connection failed.

Type `help' to learn how to use Xshell prompt.
[c:\~]$ 
[c:\~]$ 
[c:\~]$ 
[c:\~]$ ssh root@10.0.0.11 9000


Connecting to 10.0.0.11:9000...
Could not connect to '10.0.0.11' (port 9000): Connection failed.

Type `help' to learn how to use Xshell prompt.
[c:\~]$ 


執行操作:配置目标位址轉發,檢視配置的規則,檢視ipv4轉發是否開啟
[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ tail -1 /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@mcw01 ~]$ 





檢驗配置的效果:發現當我們從外網連接配接mcw01的9000端口時,實際上通路到的是沒有外網ip、不通外網的mcw03主機,也就是在mcw01上成功實作了端口轉發。當内網主機上某個服務要提供給外網通路時,可以用端口轉發的方式提供。但要清楚端口轉發只是縮小了暴露面:除了被轉發的端口,mcw03的其它服務外網依然碰不到;被轉發的服務本身並沒有因此變安全——mcw03的sshd現在等於直接暴露在10.0.0.11:9000上,仍要靠 -s 來源限制、金鑰登入、fail2ban之類的手段來保護。
[c:\~]$ ssh root@10.0.0.11 9000


Connecting to 10.0.0.11:9000...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon Mar  7 18:06:33 2022 from 172.16.0.12
[root@mcw03 ~]$ hostname -I
172.16.0.13 
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$            

ip位址轉發(DNAT實作ip位址轉發,ip映射)

主機環境(将mcw02和mcw03的外網ip10網段的先停掉網卡,隻剩内網ip172網段的,純内網機子了):
10.0.0.11  172.16.0.11 mcw01
10.0.0.12  172.16.0.12 mcw02
10.0.0.13  172.16.0.13 mcw03

配置過程中需要注意的事項請參考上面的snat和dnat配置過程



檢視環境,将之前已有的端口轉發配置去掉
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -t nat -D PREROUTING 1  #删除之前配置的端口轉發,防止收到影響
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$


在mcw01上添加一個新的公網ip,當通路這個公網ip10.0.0.111時,将它轉發到内網伺服器mcw03的内網ip172.16.0.13
然後在網關mcw01的外網網卡上把這個公網ip作為輔助位址加上(ip addr add ... label ens33:0),這樣mcw01才會應答這個ip的ARP並收下發往它的包,在mcw01上也就能看到這個ip了。注意 ip addr add 只是臨時生效,重啟後就沒了;需要持久化的話要寫到 /etc/sysconfig/network-scripts/ 下的網卡配置檔案裡。
[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.111 -j DNAT --to-destination 172.16.0.13
[root@mcw01 ~]$ ip a a 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 10.0.0.111/24 scope global secondary ens33:0
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link 
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$ ^C



驗證:
當我在外網連接配接剛剛在mcw01上添加的公網ip10.0.0.111時,實際上連上了内網伺服器mcw03上。
也就是當使用者通路mcw01上的外網ip10.0.0.111的某個端口服務時,它就會轉發給内網伺服器mcw03上對應的端口。
這樣就成功實作了ip位址轉發。缺點有兩個:一是每有一台伺服器需要外網通路就要佔用一個外網ip,而一般情況下並不需要開放這麼多端口,浪費公網ip資源;二是這條DNAT規則沒有 -p 和 --dport,mcw03上所有監聽的端口都會原樣暴露在10.0.0.111上,暴露面比按端口轉發大得多,除非確實需要整機暴露,否則應優先用按端口轉發的方式。


[c:\~]$ 
[c:\~]$ ssh root@10.0.0.111


Connecting to 10.0.0.111:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon Mar  7 19:30:16 2022 from 10.0.0.1
[root@mcw03 ~]$ hostname -I
172.16.0.13 
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ 



當删除這個标簽後,就不能通過這個ip通路内網指定伺服器了
[root@mcw01 ~]$ ip a del 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link 
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$            

-F不能清除nat表的規則:iptables 不帶 -t 時預設操作的是filter表,所以下面的 iptables -F / -X / -Z 都只動了filter表。要清空nat表必須明確指定表名:iptables -t nat -F(同理 iptables -t nat -X、iptables -t nat -Z)。另外要注意,已建立連線的位址轉換記錄保存在conntrack表裡,删除規則後這些既有連線一般會繼續按原映射走,直到連線結束或超時。

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$            
原文位址:https://www.cnblogs.com/machangwei-8/p/15978257.html