Linux防火墙基础试题

1、iptables有几个表以及几个链

4个表:filter,nat,mangle,raw，默认表是filter（没有指定表的时候就是filter表）。表的处理优先级：raw>mangle>nat>filter。
5个链：PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING。

2、iptables的几个表以及每个表对应链的作用，对应企业应用场景。

Filter 是默认的主机防火墙，过滤流入流出主机的数据包。里边包含INPUT,OUTPUT,FOWARD三个链　　
INPUT 过滤进入主机的数据包　　
OUTPUT 处理从本机发出去的数据包　　
FOWARD 处理流经本主机的数据包，与NAT有关系
Filter表是企业实现防火墙功能的重要手段

NAT 负责网络地址转换（来源于目的地址的IP与端口的转换），一般用于局域网的共享上网，与网络交换机acl类似，包含OUTPUT,PREROUTING,POSTROUTING三条链
OUTPUT 改变主机发出去的数据包的目标地址　　
PREROUTING 数据包到达防火墙时进行分路由判断之前执行的规则，改变数据包的目的地址，目的端口
POSTROUTING 数据包离开防火墙时进行分路由判断之前执行的规则，改变数据包的源的地址，源的端口

Mangle 在企业中应用比较少

3、请写出查看iptables当前所有规则的命令
iptables -nL （查看filter表）
iptables -nL -t nat (查看NAT表)

4、禁止来自192.168.100.20 ip地址访问80端口的请求

[root@localhost ~]# iptables -A INPUT -p tcp -s 192.168.100.20 --dport 80 -j DROP
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
DROP       tcp  --  192.168.100.20       0.0.0.0/0            tcp dpt:80

5、实现把访问192.168.100.20:80的请求转到192.168.100.30:80

[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.100.20 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.30:80 
[root@localhost ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            192.168.100.20       tcp dpt:80 to:192.168.100.30:80

6、写一个防火墙配置脚本，只允许远程主机访问本机的80端口。

[root@localhost ~]# vi /usr/local/sbin/iptables.sh 
#!/bin/bash
iptables -F
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp  -j DROP

执行脚本后
在这里插入图片描述

7、限制客户端对本机telnet服务并发连接数小于等于3

[root@localhost ~]# iptables -A INPUT -p tcp --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 23 -j DROP
[root@localhost ~]# iptables -nL 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 #conn src/32 <= 2
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

8、仅允许周2、4、6，9点到18点访问本机telnet

[root@localhost ~]# iptables -I INPUT -d 192.168.88.84 -p tcp --dport 23 -m time --timestart 09:00:00 --timestop 18:00:00 --weekdays Tue,Thu,Sat -j ACCEPT      
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.88.84        tcp dpt:23 TIME from 09:00:00 to 18:00:00 on Tue,Thu,Sat UTC
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

9、iptables只开启ssh、web、telnet访问

[root@localhost ~]# iptables -A INPUT -d 192.168.88.84 -p tcp -m multiport --dports 22:23,80 -j ACCEPT  
[root@localhost ~]# iptables -A OUTPUT -s 192.168.88.84 -p tcp -m multiport --sports 22:23,80 -j ACCEPT          
[root@localhost ~]# iptables -A INPUT -d 192.168.88.84 -j DROP           
[root@localhost ~]# iptables -A OUTPUT -s 192.168.88.84 -j DROP      
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            192.168.88.84        multiport dports 22:23,80
DROP       all  --  0.0.0.0/0            192.168.88.84       
``
``
``
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  192.168.88.84        0.0.0.0/0            multiport sports 22:23,80
DROP       all  --  192.168.88.84        0.0.0.0/0

10、指定ip地址范围可以访问本机mysql

[root@localhost ~]# iptables -I INPUT 2 -d 192.168.88.84 -p tcp --dport 3306 -m iprange --src-range 192.168.88.80-192.168.88.100 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT 2 -d 192.168.88.84 -p tcp --dport 3306 -m iprange --dst-range 192.168.88.80-192.168.88.100 -j ACCEPT
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.88.84        tcp dpt:mysql source IP range 192.168.88.80-192.168.88.100
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             192.168.88.84        tcp dpt:mysql destination IP range 192.168.88.80-192.168.88.100

Tranquility,

发布了29 篇原创文章 · 获赞 15 · 访问量 2492

私信关注

Linux防火墙基础试题

猜你喜欢