iptables usage explained in detail (CentOS 7)


Before installing

The iptables package is already installed and contains the iptables commands:

[root@mcw01 ~]$ rpm -qa|grep iptables
iptables-1.4.21-18.0.1.el7.centos.x86_64
[root@mcw01 ~]$ rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
..........
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables             # the iptables management command
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
.....
[root@mcw01 ~]$

We need to install iptables-services, which provides the unit used to start and stop the iptables service.

[root@mcw01 ~]$ yum list all|grep iptables-services
iptables-services.x86_64                1.4.21-35.el7                 base
[root@mcw01 ~]$ yum install -y iptables-services
[root@mcw01 ~]$ rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables                                # this is the firewall configuration file
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service               # the unit file used to start and stop the service
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
[root@mcw01 ~]$

Kernel modules to load:

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state

[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'    # these kernel modules are not loaded by default
[root@mcw01 ~]$
[root@mcw01 ~]$ modprobe ip_tables    # load the modules; this should also be written into a config so they are loaded after a reboot too (a permanent change)
[root@mcw01 ~]$ modprobe iptable_filter
[root@mcw01 ~]$ modprobe iptable_nat
[root@mcw01 ~]$ modprobe ip_conntrack
[root@mcw01 ~]$ modprobe ip_conntrack_ftp
[root@mcw01 ~]$ modprobe ip_nat_ftp
[root@mcw01 ~]$ modprobe ipt_state

The configuration for loading kernel modules lives under /etc/modprobe.d/:

[root@mcw01 ~]$ ls /etc/modprobe.d/
tuned.conf
[root@mcw01 ~]$
[root@mcw01 ~]$ tail -7 /etc/rc.local    # alternatively, append them directly to the boot-time startup file
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
[root@mcw01 ~]$

Check again: the kernel modules are now loaded.

[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'
nf_nat_ftp             12770  0
nf_conntrack_ftp       18638  1 nf_nat_ftp
iptable_nat            12875  0
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack          133387  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter         12810  0
ip_tables              27115  2 iptable_filter,iptable_nat
libcrc32c              12644  4 xfs,sctp,nf_nat,nf_conntrack
[root@mcw01 ~]$

Stop firewalld, start iptables

Stop firewalld:

systemctl stop firewalld
systemctl disable firewalld
systemctl is-active firewalld.service
systemctl is-enabled firewalld.service

[root@mcw01 ~]$ systemctl stop firewalld
[root@mcw01 ~]$ systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@mcw01 ~]$ systemctl is-active firewalld.service    # inactive means it is stopped; disabled means it will not start at boot
unknown
[root@mcw01 ~]$ systemctl is-enabled firewalld.service
disabled
[root@mcw01 ~]$

Start iptables:

systemctl start iptables.service
systemctl enable iptables.service

[root@mcw01 ~]$ systemctl start iptables.service
[root@mcw01 ~]$ systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -Ln    # options in the wrong order; nothing is shown
iptables: No chain/target/match by that name.
[root@mcw01 ~]$ iptables -nL    # by default this shows the filter table: its INPUT, FORWARD and OUTPUT chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
# When a request arrives it is matched against the INPUT chain rule by rule, top to bottom. If no rule matches,
# the policy in parentheses after the chain name applies; here it is (policy ACCEPT). The parentheses show the default policy.

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Environment preparation before the exercises

Clear all iptables rules:

--flush         -F [chain]              Delete all rules in chain or all chains    # clear all rules
--delete-chain  -X [chain]              Delete a user-defined chain                # delete user-defined chains
--zero          -Z [chain [rulenum]]    Zero counters in chain or all chains       # zero the chain counters

This clears all rules but does not reset the default policies.

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -F    # clear all iptables rules
[root@mcw01 ~]$ iptables -nL    # check again: the rules installed by default are gone
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Block access to port 22 (a given port)

--append  -A chain             Append to chain                                # appends at the bottom of the chain; a deny rule should go at the top, otherwise an earlier rule may match first and the deny never takes effect
--delete  -D chain             Delete matching rule from chain
--insert  -I chain [rulenum]   Insert in chain as rulenum (default 1=first)   # inserts at the front; deny rules normally go at the front
--jump    -j target            target for rule (may load target extension)    # the action taken when the rule matches, e.g. DROP / ACCEPT / REJECT
--dport   destination port     -d destination IP     --sport source port

-A adds a rule; INPUT means the rule goes into the INPUT chain. Do we need to specify a port or an IP? Here it is port 22. To specify a port you normally specify the protocol first (tcp, udp, icmp, or all). A port can be one of two kinds, and so can an IP: destination port, source port, destination IP, source IP. I am blocking access to port 22, so it is a destination port: --dport 22. To block access the action is -j DROP, and DROP must be uppercase.

iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

Be careful and look closely. This is only a demonstration: if you really block port 22 you lose your connection. I am on a virtual machine, so I can remove the rule from the VMware console and reconnect remotely.

If we only want to remove one rule, first run iptables -nL --line-numbers to see the rule's number, so you don't miscount by eye. Here it is rule 1 in the INPUT chain, so delete that rule; after deletion, port 22 can be reached again:

iptables -D INPUT 1

Below is how I blocked port 23 and then unblocked it:

[root@mcw01 ~]$ iptables -A INPUT -p tcp --dport 23 -j DROP    # no table given, so the filter table; append; INPUT chain; tcp protocol, destination port 23; drop whatever comes in
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23    # port 23 blocked

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -nL --line-numbers    # show the rule numbers; needed for deletion
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@mcw01 ~]$ iptables -D INPUT 1    # delete rule number 1 of the INPUT chain
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Block a given IP from a given port on this server

iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP

The firewall has four tables and five chains. The ones in common use are the filter and nat tables: the INPUT, FORWARD and OUTPUT chains of the filter table, and the PREROUTING, POSTROUTING and OUTPUT chains of the nat table.

Block 10.0.0.12 from port 22 of server 10.0.0.11:

10.0.0.11    172.16.0.11    mcw01
10.0.0.12    172.16.0.12    mcw02

iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP

At first mcw02 (.12) can reach port 22 on mcw01 (.11):

[root@mcw02 ~]$ ssh 10.0.0.11 hostname
root@10.0.0.11's password:
mcw01
[root@mcw02 ~]$

[root@mcw01 ~]$ iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP
[root@mcw01 ~]$ iptables -nL    # block 10.0.0.12 from port 22 of 10.0.0.11
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22    # traffic from 10.0.0.12 to port 22 of this host is dropped

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Connecting from .12 to port 22 on .11 again now times out:

[root@mcw02 ~]$ ssh 10.0.0.11 hostname
ssh: connect to host 10.0.0.11 port 22: Connection timed out
[root@mcw02 ~]$
[root@mcw02 ~]$ ssh 172.16.0.11 hostname    # via the internal IP it still works, because only 10.0.0.12 was blocked
root@172.16.0.11's password:
mcw01
[root@mcw02 ~]$ ping 10.0.0.11 -c 1    # ICMP is unaffected
PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data.
64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=0.682 ms

--- 10.0.0.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms
[root@mcw02 ~]$
[root@mcw02 ~]$ nc 10.0.0.11 22    # check with nc whether the port is reachable
Ncat: Connection timed out.
[root@mcw02 ~]$
[root@mcw02 ~]$ telnet 10.0.0.11 22    # check with telnet
Trying 10.0.0.11...
telnet: connect to address 10.0.0.11: Connection timed out
[root@mcw02 ~]$

What a successful connection looks like:

[root@mcw03 ~]$ nc 10.0.0.11 22
SSH-2.0-OpenSSH_7.4
# hangs

The command exists but you don't know which package provides it: two ways to find the package

[root@mcw01 ~]$ rpm -qa nc
[root@mcw01 ~]$ rpm -qa ncat
[root@mcw01 ~]$ rpm -qa |grep nc
irqbalance-1.0.7-10.el7.x86_64
ncurses-base-5.9-14.20130511.el7_4.noarch
perl-Encode-2.51-7.el7.x86_64
qrencode-libs-3.4.1-3.el7.x86_64
ncurses-libs-5.9-14.20130511.el7_4.x86_64
ncurses-5.9-14.20130511.el7_4.x86_64
nmap-ncat-6.40-19.el7.x86_64
vim-enhanced-7.4.629-8.el7_9.x86_64
ncurses-devel-5.9-14.20130511.el7_4.x86_64
[root@mcw01 ~]$
[root@mcw01 ~]$ rpm -qa |grep ncat
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$ which nc
/usr/bin/nc
[root@mcw01 ~]$ yum provides nc    # method one: ask yum which package provides the command
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
netcat-1.218-2.el7.x86_64 : OpenBSD netcat to read and write data across connections using TCP or UDP
Repo        : epel
Matched from:
Provides    : nc = 1.218-2.el7

2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : base
Matched from:
Provides    : nc

2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : @base
Matched from:
Provides    : nc

[root@mcw01 ~]$ rpm -qf `which nc`    # method two: ask rpm which package the command's file belongs to
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$

Communicating between ports with nc

When I use nc to listen on a port on this server:

[root@mcw03 ~]$ nc -l 6381
# hangs

Open a new window and you can see the process for that command:

[root@mcw03 ~]$ ps -ef|grep -v grep |grep 6381
root     19421 19094  0 03:26 pts/0    00:00:00 nc -l 6381
[root@mcw03 ~]$

As below, after I hold the redis port on mcw03 open with nc:

[root@mcw03 ~]$ nc -l 6381
wo shi machangwei
nihaoya

When I telnet to port 6381 of mcw03 from another machine, say mcw01, it also hangs, and then the two sides can type to each other: each line is sent when you press Enter. If telnet is the client, disconnecting telnet does not terminate nc.

[root@mcw01 ~]$ telnet 10.0.0.13 6381
Trying 10.0.0.13...
Connected to 10.0.0.13.
Escape character is '^]'.
wo shi machangwei
nihaoya

After I run nc on mcw03 it hangs:

[root@mcw03 ~]$ nc -l 6381

Then:

[root@mcw01 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw01 ~]$ cat /etc/hosts |nc 10.0.0.13 6381    # connecting to the port from the other host sends the file content over

[root@mcw03 ~]$ nc -l 6381    # the file content is received; we can also redirect it into a file, which is how nc transfers files over a port
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$
[root@mcw03 ~]$ nc -l 6381 >1.host
[root@mcw03 ~]$ cat 1.host
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$

Block a given network from a given port on this server

iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP

Someone accessing me means incoming packets: the INPUT chain. They are accessing a service port on my server, so from their side my port is the destination port: --dport. Blocking means DROP, and -I inserts the deny rule at the front.

I start a listener on port 8080 on mcw01 and connect through both of its IPs; both get through and the message is received:

[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$

Now add the firewall rule blocking the 172.16.0.0/24 network from port 8080 on this server:

[root@mcw01 ~]$ iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  172.16.0.0/24        0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Connecting again from mcw02 to the nc listener on mcw01, only the 172.16.0.11 address, the one in the blocked network, can no longer connect, so the block is in effect:

[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
Ncat: Connection timed out.
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080
# hangs, nothing arrives

Allow only a given network to access this server (deny everything that is not that network)

iptables -I INPUT ! -s 10.0.0.0/24 -j DROP

After I flush all the firewall rules, mcw02 can reach port 2222 opened with nc on mcw01:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -I INPUT ! -s 10.0.0.0/24 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  -- !10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

When I open port 2222 with nc on mcw01 twice more, only 10.0.0.11 can be reached; 172.16.0.11 cannot. The firewall rule is in effect:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
Ncat: Connection timed out.
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222

Block access to a range of ports or to several given ports on this server

iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP

Before running the commands, the nc listeners on mcw01 are all reachable from mcw02:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 444
2222
[root@mcw01 ~]$ nc -l 1024
2222
[root@mcw01 ~]$ nc -l 60000
2222
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
[root@mcw01 ~]$ iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

After the commands, none of them can be reached:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
Ncat: Connection timed out.
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 444
^C
[root@mcw01 ~]$ nc -l 1024
^C
[root@mcw01 ~]$ nc -l 60000
^C
[root@mcw01 ~]$

Blocking ping with iptables

iptables -I INPUT -p icmp --icmp-type 8 -j DROP    # ICMP has many types; the one that carries our ping (echo request) is type 8, so blocking 8 is enough
iptables -I INPUT -p icmp --icmp-type any -j DROP

A kernel parameter does the same thing: when I set it to 1 on mcw01, mcw02 can no longer ping mcw01; when I set it back to 0, ping works again.

echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

After adding the rule below, the host can no longer be pinged. This blocks any ICMP type; writing 8 instead seems to work as well.

[root@mcw01 ~]$ iptables -I INPUT -p icmp --icmp-type any -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Saving and restoring rules

iptables-save prints the current firewall rules in configuration-file format; with a redirect you can back them up to a file of your choice.

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables-save    # prints everything: the table name follows "*", the default policies follow the colons, and below them are the rules we configured ourselves
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*nat
:PREROUTING ACCEPT [6543:408185]
:INPUT ACCEPT [76:11426]
:OUTPUT ACCEPT [358288:21886420]
:POSTROUTING ACCEPT [358288:21886420]
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*filter
:INPUT ACCEPT [696:58996]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [653551:39668311]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
[root@mcw01 ~]$

The firewall configuration is actually stored in the file below. You can see it looks much like the command's output:

[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$

Saving the firewall rules to a file:

[root@mcw01 ~]$ iptables-save >iptRule.txt
[root@mcw01 ~]$ cat iptRule.txt
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*nat
:PREROUTING ACCEPT [6642:414294]
:INPUT ACCEPT [77:11655]
:OUTPUT ACCEPT [363901:22224847]
:POSTROUTING ACCEPT [363901:22224847]
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*filter
:INPUT ACCEPT [781:65217]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [664961:40365111]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
[root@mcw01 ~]$

If the rules are accidentally flushed, restarting the firewall service reloads whatever was saved in the configuration file:

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ systemctl restart iptables.service
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

iptables-restore re-imports the exported rule backup without restarting the firewall service:

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables-restore
Changing the default policy to DROP: the deny-by-default approach

-i --input        the interface the data comes in on
-o --output       the interface the data goes out on
-P --policy       -P chain target    Change policy on chain to target    # change the default policy

Settings before changing the default policy:

iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT

Change the default policy:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

After changing the default policy, whitelist the networks you use yourself:

iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT

Clean up the environment first:

[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Before changing the default policy to deny, some preparation is needed, for example accepting access to port 22:

[root@mcw01 ~]$ #allow connections to port 22
[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Set up the rules for local loopback (lo) traffic:

[root@mcw01 ~]$ iptables -A INPUT -i lo -j ACCEPT
[root@mcw01 ~]$ iptables -A OUTPUT -o lo -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$

Add the services that must remain reachable, for example 80 and 443:

[root@mcw01 ~]$ iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$

Change the default policy:

[root@mcw01 ~]$ #change the default policy
[root@mcw01 ~]$ iptables -P INPUT DROP    # incoming traffic is dropped by default
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$ iptables -P FORWARD DROP    # forwarded traffic is dropped by default as well
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT    # outgoing traffic is not restricted; accept everything
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$

Add the two whitelisted networks:

[root@mcw01 ~]$ iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
ACCEPT     all  --  172.16.0.0/24        0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Then save our configuration:

[root@mcw01 ~]$ iptables-save
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*nat
:PREROUTING ACCEPT [148:9218]
:INPUT ACCEPT [13:949]
:OUTPUT ACCEPT [2894:191439]
:POSTROUTING ACCEPT [2894:191439]
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [195:20374]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
[root@mcw01 ~]$    # the default policy is DROP, and rules were added to the INPUT and OUTPUT chains
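The port-blocking sections above and this deny-by-default section both depend on one rule: INPUT is walked top to bottom, the first match decides, and the chain policy applies only when nothing matched. The following added example (not code from the original post or from iptables) evaluates rule sets written in the iptables-save syntax shown on this page the same way, so you can answer "will I still get in over SSH?" before running iptables -P INPUT DROP. It supports the options this page uses (-s with "!", -p, --dport/--dports including ranges, -i, --state, --icmp-type); the two sample dumps are constructed from the rule sets built above.

```python
"""First-match evaluation of filter/INPUT rules in iptables-save syntax (constructed example, not iptables code)."""
import ipaddress
import shlex

# Options whose argument is stored as-is; the chain name, match module and reject type carry no match semantics.
SIMPLE = {"-p": "proto", "--protocol": "proto", "-i": "iface", "--in-interface": "iface",
          "--icmp-type": "icmp_type", "-j": "target"}

def parse_ports(spec):
    """'22' -> [(22, 22)]; '81,444' -> [(81, 81), (444, 444)]; '1024:65535' -> [(1024, 65535)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_rule(line):
    """Parse one '-A INPUT ...' line into a match dict. A '!' negates the option that follows it."""
    rule = {"target": "ACCEPT", "src": None, "src_neg": False, "proto": None,
            "dports": [], "iface": None, "states": set(), "icmp_type": "any"}
    toks, negate, i = shlex.split(line), False, 0
    while i < len(toks):
        opt = toks[i]
        if opt == "!":
            negate, i = True, i + 1
            continue
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = arg
        elif opt in ("-s", "--source"):
            rule["src"], rule["src_neg"] = ipaddress.ip_network(arg, strict=False), negate
        elif opt in ("--dport", "--dports"):
            rule["dports"] = parse_ports(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt not in ("-A", "-m", "--reject-with"):
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        negate, i = False, i + 2
    return rule

def matches(rule, pkt):
    """pkt needs src and proto; dport, iface, state and icmp_type default to a new TCP/ping packet on ens33."""
    if rule["src"] is not None and (ipaddress.ip_address(pkt["src"]) in rule["src"]) == rule["src_neg"]:
        return False
    if rule["proto"] not in (None, "all") and rule["proto"] != pkt["proto"]:
        return False
    if rule["dports"] and not any(lo <= pkt.get("dport", 0) <= hi for lo, hi in rule["dports"]):
        return False
    if rule["iface"] is not None and rule["iface"] != pkt.get("iface", "ens33"):
        return False
    if rule["states"] and pkt.get("state", "NEW") not in rule["states"]:
        return False
    if rule["icmp_type"] != "any" and str(pkt.get("icmp_type", 8)) != rule["icmp_type"]:
        return False
    return True

def load_input_chain(dump):
    """Return (policy, rules) for the filter table's INPUT chain of an iptables-save dump."""
    policy, rules, table = "ACCEPT", [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules

def verdict(dump, pkt):
    """Walk INPUT top to bottom: the first matching rule decides, otherwise the chain policy does."""
    policy, rules = load_input_chain(dump)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def ssh_still_reachable(dump, admin_src, port=22):
    """Pre-flight check before 'iptables -P INPUT DROP': would a new SSH connection from admin_src get in?"""
    return verdict(dump, {"src": admin_src, "proto": "tcp", "dport": port}) == "ACCEPT"

# Constructed sample dumps: the block list built in the port/ping sections, and the deny-by-default rule set.
BLOCKLIST_DUMP = """
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
"""
DEFAULT_DROP_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""
```

Feed it the output of iptables-save from the host you are about to lock down; removing the port 22 ACCEPT line from DEFAULT_DROP_DUMP shows how an administrator outside the whitelisted networks would be cut off.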

Internal servers reach the internet through iptables forwarding: SNAT (shared internet access)

10.0.0.11 is the external IP in this cluster; the internet is reachable through it. The server holding this IP can be turned into a gateway: point the other hosts' default gateway at its internal IP, then use the kernel's IPv4 forwarding with source address translation so they can reach the internet.

Source address translation for a single IP:

iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p

Source address translation for a whole network:

iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11

When the public IP is not fixed and changes, use the following command instead:

iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

MASQUERADE: masquerade (n.) disguise, concealment, masked ball; (v.) to pose as, to disguise oneself.

The nat table (shared internet access, port mapping, IP mapping). Host environment (first bring down the external 10.x NICs on mcw02 and mcw03, leaving only the internal 172.x IPs, so they are purely internal machines):

10.0.0.11    172.16.0.11    mcw01
10.0.0.12    172.16.0.12    mcw02
10.0.0.13    172.16.0.13    mcw03

Preparing the environment: first undo the setup from the previous section. Remember to set the default policies back to ACCEPT before flushing the rules; otherwise, with the default policy at DROP, deleting the rule that accepts port 22 cuts me off from the server, and the only way to recover is to go to the machine room.

[root@mcw01 ~]$ iptables -P INPUT ACCEPT
[root@mcw01 ~]$ iptables -P FORWARD ACCEPT
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$
[root@mcw01 ~]$ ping www.baidu.com -c 1    # Baidu's IP is 110.242.68.4; I need the internal machines to be able to reach this IP
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=17.1 ms

--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.186/17.186/17.186/0.000 ms
[root@mcw01 ~]$

Right now mcw03, the back-end internal server, cannot reach the internet, while mcw01 can. I want mcw01 to forward for mcw03 so that mcw03 can reach the internet. mcw03's IP is 172.16.0.13. When its packets go through mcw01 to 110.242.68.4, the destination IP 110.242.68.4 stays unchanged, but on mcw01 the source IP 172.16.0.13 must be rewritten to mcw01's own IP, 10.0.0.11. So shared internet access for an internal network needs SNAT, source network address translation. mcw03's packets leave through mcw01 on their way out, so the chain to modify is the nat table's POSTROUTING chain in the diagram drawn earlier.

The firewall command is therefore: operate on the nat table; append to the POSTROUTING chain; the destination is the external IP being visited, and the source to match is mcw03's internal IP, which has to be translated to an IP that can reach the internet; the action is SNAT, source address translation, rewriting the source to mcw01's external IP 10.0.0.11. Besides the firewall rule on mcw01, mcw01's IP-forwarding kernel parameter must be turned on. mcw03's gateway must be changed to mcw01's internal IP, and a DNS server has to be configured on mcw03's internal NIC, otherwise names cannot be resolved.

Check the state before making changes:

[root@mcw02 ~]$ ssh 172.16.0.13    # connect from mcw02 to mcw03's internal IP
root@172.16.0.13's password:
Last login: Mon Mar  7 17:58:21 2022 from 172.16.0.12
[root@mcw03 ~]$ ip a    # check the NICs
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.13/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::6782:98:f742:b0e8/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::6faf:5935:98b1:7f8d/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
[root@mcw03 ~]$ ifdown ens33    # bring down mcw03's external NIC
Device 'ens33' successfully disconnected.
[root@mcw03 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ ping www.baidu.com    # mcw03 cannot reach the internet; only the internal IP 172.16.0.13 can communicate
ping: www.baidu.com: Name or service not known
[root@mcw03 ~]$

[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$ echo 1 >/proc/sys/net/ipv4/ip_forward
[root@mcw01 ~]$ echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
[root@mcw01 ~]$ sysctl -p

mcw03 still cannot reach the internet, because I forgot to change its gateway; it should be mcw01's internal IP.

[root@mcw03 ~]$ ping www.baidu.com
ping: www.baidu.com: Name or service not known
[root@mcw03 ~]$ ip r
default via 172.160.0.253 dev ens34 proto static metric 100
172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100
172.160.0.253 dev ens34 proto static scope link metric 100

Set the gateway in the internal NIC's configuration to mcw01's internal IP, and set ONBOOT to yes so the NIC is not left down after a reboot:

[root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens34
[root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens34
ONBOOT=yes
GATEWAY=172.16.0.11
[root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens33    # set ONBOOT=no on the external NIC so a network restart does not bring it back up
[root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens33
ONBOOT="no"
GATEWAY="10.0.0.253"
[root@mcw03 ~]$ systemctl restart network
[root@mcw03 ~]$

Check the environment and verify internal-to-external access:

[root@mcw03 ~]$ ip a    # the network looks fine; still only the internal IP
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$
[root@mcw03 ~]$ ip r    # the gateway is now mcw01's internal IP
default via 172.16.0.11 dev ens34 proto static metric 100
172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100
[root@mcw03 ~]$
[root@mcw03 ~]$ ping www.baidu.com    # the internet is reachable
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=127 time=14.8 ms
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=2 ttl=127 time=13.6 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 13.674/14.261/14.848/0.587 ms
[root@mcw03 ~]$

For reference, mcw01's internal IP:

[root@mcw01 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$

After finishing, remember to save the configuration. iptables -t nat -nL shows the nat table's translation rules:

[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables-save
# Generated by iptables-save v1.4.21 on Mon Mar  7 18:52:42 2022
*nat
:PREROUTING ACCEPT [143:9307]
:INPUT ACCEPT [1:229]
:OUTPUT ACCEPT [80:6466]
:POSTROUTING ACCEPT [80:6466]
-A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11
-A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
COMMIT
# Completed on Mon Mar  7 18:52:42 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 18:52:42 2022
*filter
:INPUT ACCEPT [698927:234693305]
:FORWARD ACCEPT [5426:390414]
:OUTPUT ACCEPT [704597:225964959]
COMMIT
# Completed on Mon Mar  7 18:52:42 2022
[root@mcw01 ~]$
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

How to delete a rule from the nat table:

[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.61
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -t nat -D POSTROUTING 2    # deleting a rule from the nat table: the nat table must be given explicitly
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11

DNAT port forwarding (the intranet server is not exposed on the public network, but a service on it can be offered to the outside through port forwarding on another server)

iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22

This is a bit like port forwarding in Nginx. When the outside needs a service on some intranet host, that service cannot be reached directly. With port forwarding, mcw01, which has a public IP, can forward requests that arrive on a given port of its public address to an intranet server such as mcw03, which has no public IP at all.

Host environment (on mcw02 and mcw03 the NICs carrying the public 10.x addresses are shut down first, leaving only the intranet 172.x addresses, so they are pure intranet machines):
10.0.0.11  172.16.0.11  mcw01
10.0.0.12  172.16.0.12  mcw02
10.0.0.13  172.16.0.13  mcw03

For example: when a user reaches port 9000 on our host mcw01 (10.0.0.11:9000), we forward it to port 22 on the intranet server mcw03 (172.16.0.13:22). The user's source address is their own; their destination is 10.0.0.11:9000. To forward, we rewrite that destination to 172.16.0.13:22, which is why this is destination address translation, DNAT. Destination translation lives in the nat table; this is the packet the user sends in, i.e. inbound traffic, so the chain is PREROUTING; the destination is 10.0.0.11; the port is 9000; the action is DNAT, rewriting the destination to our intranet address, here 172.16.0.13:22.

Note: the gateway configured on mcw03's NIC must be mcw01's intranet IP. The packet is forwarded to mcw03, but mcw03's reply has to be sent to mcw01's intranet IP, and mcw01 then sends it out through its public IP 10.0.0.11 before the response reaches the client. This was already set up earlier; see the SNAT shared-internet section above.

iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22

IPv4 forwarding also has to be enabled. I already configured it earlier:

[root@mcw01 ~]$ tail -1 /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@mcw01 ~]$

Check before the change: neither mcw03 nor port 9000 on mcw01 can currently be connected to.

[c:\~]$ ssh root@172.16.0.13
Connecting to 172.16.0.13:22...
Could not connect to '172.16.0.13' (port 22): Connection failed.
Type `help' to learn how to use Xshell prompt.
[c:\~]$
[c:\~]$ ssh root@10.0.0.11 9000
Connecting to 10.0.0.11:9000...
Could not connect to '10.0.0.11' (port 9000): Connection failed.
Type `help' to learn how to use Xshell prompt.
[c:\~]$

Perform the change: configure destination address forwarding, list the configured rules, and check whether IPv4 forwarding is enabled.

[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ tail -1 /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@mcw01 ~]$

Verify the result: when we connect from the outside to port 9000 on mcw01, we actually land on mcw03, which has no public IP and cannot reach the internet. In other words, port forwarding on mcw01 works. So when a service on an intranet host must be reachable from outside, it can be offered through port forwarding, which also keeps the intranet server safer.

[c:\~]$ ssh root@10.0.0.11 9000
Connecting to 10.0.0.11:9000...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Mon Mar  7 18:06:33 2022 from 172.16.0.12
[root@mcw03 ~]$ hostname -I
172.16.0.13
[root@mcw03 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$

IP address forwarding (DNAT used for IP forwarding, i.e. IP mapping)

Host environment (on mcw02 and mcw03 the NICs carrying the public 10.x addresses are shut down first, leaving only the intranet 172.x addresses, so they are pure intranet machines):
10.0.0.11  172.16.0.11  mcw01
10.0.0.12  172.16.0.12  mcw02
10.0.0.13  172.16.0.13  mcw03

For the points to watch during configuration, refer to the SNAT and DNAT procedures above. Check the environment and remove the port-forwarding rule that is already there.

[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -t nat -D PREROUTING 1    # delete the port-forwarding rule configured earlier so it does not interfere
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$

Add a new public IP on mcw01: when this public IP 10.0.0.111 is accessed, forward it to the intranet IP 172.16.0.13 of mcw03. Then add the public IP as a labelled address on the gateway mcw01, so the IP is present on mcw01.

[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.111 -j DNAT --to-destination 172.16.0.13
[root@mcw01 ~]$ ip a a 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 10.0.0.111/24 scope global secondary ens33:0
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$

Verify: when I connect from the outside to the public IP 10.0.0.111 just added on mcw01, I actually connect to the intranet server mcw03. That is, when a user reaches any port on mcw01's public IP 10.0.0.111, the request is forwarded to the same port on the intranet server mcw03. IP address forwarding works. The drawback is that every server port that needs outside access requires its own public IP, and since normally not that many ports need to be reachable, this wastes public IP resources.

[c:\~]$
[c:\~]$ ssh root@10.0.0.111
Connecting to 10.0.0.111:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Mon Mar  7 19:30:16 2022 from 10.0.0.1
[root@mcw03 ~]$ hostname -I
172.16.0.13
[root@mcw03 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$

Once this labelled address is deleted, the intranet server can no longer be reached through that IP.

[root@mcw01 ~]$ ip a del 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$
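The SNAT, DNAT and rule-deletion steps above, as an added shell example that is not part of the original post: it emits the gateway's rules in the iptables-save format that /etc/sysconfig/iptables uses, pairing the nat rules with FORWARD rules that permit only those two flows (the stock file shown above ends FORWARD with REJECT, which would block the forwarding once the service reloads it), and it locates a rule's position in iptables-save output so that deleting by number hits the intended rule. Interface names, addresses and the /tmp path are assumptions taken from the post's lab setup.

```shell
# Added example, not the post's own commands. Lab values from the post are
# assumed: ens33 is the public-side NIC, ens34 the intranet side.
WAN_IF=ens33; LAN_IF=ens34
WAN_IP=10.0.0.11; LAN_NET=172.16.0.0/24
DNAT_PORT=9000; BACKEND=172.16.0.13:22

# Emit the complete ruleset: nat (SNAT + DNAT) plus a filter table whose
# FORWARD chain only passes the two flows the nat rules create.
gen_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $DNAT_PORT -j DNAT --to-destination $BACKEND
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d ${BACKEND%:*} -p tcp --dport ${BACKEND#*:} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first rule in <chain> whose text contains <pattern>,
# read from iptables-save output, so "-D <chain> N" removes the rule you meant.
rule_index() {
    printf '%s\n' "$1" | awk -v chain="$2" -v pat="$3" '
        $1 == "-A" && $2 == chain { n++; if (index($0, pat)) { print n; exit } }'
}

# Constructed sample of the post's nat table after both SNAT rules were added.
SAMPLE_SAVE='*nat
-A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11
-A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
COMMIT'

# Parse-check with --test before committing, then persist for the service unit.
apply_rules() {
    gen_gateway_rules > /tmp/gateway.rules &&
    iptables-restore --test /tmp/gateway.rules &&
    iptables-restore /tmp/gateway.rules &&
    cp /tmp/gateway.rules /etc/sysconfig/iptables
}
```

Note that a bare iptables-save, as run in the post, only prints the live rules to the terminal; /etc/sysconfig/iptables is updated only when that output is written to the file, as apply_rules does.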
