iptables examples and uses of the nat table

1. iptables example

Use the command "vim /usr/local/sbin/iptables.sh" to create and edit the file, and enter the following content:

#! /bin/bash
ipt="/usr/sbin/iptables"
$ipt -F   # flush existing rules
$ipt -P INPUT DROP   # default policies
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    # allow packets belonging to already established connections
$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT    # allow TCP packets from 192.168.133.0/24 to local port 22
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT   # allow TCP packets to local port 80
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT   # allow TCP packets to local port 21

Run the script:

[root@yuioplvlinux-128 ~]# sh /usr/local/sbin/iptables.sh
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   26  1768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination

Another fairly common use is to let this host ping other machines while other machines cannot ping this host:

[root@yuioplvlinux-128 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   75  8505 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 43 packets, 4660 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@yuioplvlinux-128 ~]# ping www.qq.com
PING news.qq.com (121.51.142.21) 56(84) bytes of data.
64 bytes from 121.51.142.21 (121.51.142.21): icmp_seq=1 ttl=53 time=7.25 ms
64 bytes from 121.51.142.21 (121.51.142.21): icmp_seq=2 ttl=53 time=8.39 ms
64 bytes from 121.51.142.21 (121.51.142.21): icmp_seq=6 ttl=53 time=6.42 ms
^C
--- news.qq.com ping statistics ---
6 packets transmitted, 3 received, 50% packet loss, time 5004ms
rtt min/avg/max/mdev = 6.429/7.361/8.396/0.806 ms

2. Uses of the nat table

2.1 Add a network adapter and assign internal IPs

1) Add a network adapter, in NAT mode;

2) Define a custom global LAN segment (the name is arbitrary);

3) Set the newly added adapter to that LAN segment;

4) Repeat the steps above on the other virtual machine;

5) Once both are added, start the two virtual machines.

Connect remotely to the 128 VM and check its IP addresses; the newly added adapter ens37 is visible:

[root@yuioplvlinux-128 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.128  netmask 255.255.255.0  broadcast 192.168.30.255
        inet6 fe80::9c36:c384:f224:23f4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)
        RX packets 89  bytes 10889 (10.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 90  bytes 10433 (10.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.136  netmask 255.255.255.0  broadcast 192.168.30.255
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5c27:9948:9b95:afdf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:17:a4  txqueuelen 1000  (Ethernet)
        RX packets 15  bytes 5130 (5.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51  bytes 8994 (8.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5792 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5792 (5.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Open the 129 VM in the VMware console; the new adapter ens37 is visible there too. Disable its ens33 adapter.

Use the command "ifconfig <adapter name> <IP address>" to assign each machine its internal IP (this setting is lost after a reboot; to make it permanent, edit the interface configuration file), then check that the two machines can ping each other:

[root@yuioplvlinux-128 ~]# ifconfig ens37 192.168.100.1/24
[root@yuioplvlinux-128 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.128  netmask 255.255.255.0  broadcast 192.168.30.255
        inet6 fe80::9c36:c384:f224:23f4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)
        RX packets 194  bytes 20043 (19.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 145  bytes 18945 (18.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.136  netmask 255.255.255.0  broadcast 192.168.30.255
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe96:17a4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:17:a4  txqueuelen 1000  (Ethernet)
        RX packets 17  bytes 5814 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62  bytes 10688 (10.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5792 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5792 (5.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@yuioplvlinux-128 ~]# ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=1.88 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.811 ms
64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=0.877 ms
^C
--- 192.168.100.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.811/1.191/1.887/0.494 ms


2.2 Give the 129 machine access to the external network

When the file /proc/sys/net/ipv4/ip_forward contains 0, IP forwarding (routing between interfaces) is disabled; when it contains 1, forwarding is enabled:

[root@yuioplvlinux-128 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@yuioplvlinux-128 ~]# echo "1" > !$
echo "1" > /proc/sys/net/ipv4/ip_forward

Add a forwarding rule in the nat table: -o is followed by the device name of the outbound interface, and MASQUERADE means masquerading, i.e. rewriting the source address to that of the outbound interface:

[root@yuioplvlinux-128 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@yuioplvlinux-128 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 16 packets, 1072 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0  

On the 129 machine run "route add default gw 192.168.100.1". With the gateway set, 129 can ping 128's external IP directly, which shows that 129 now reaches the external network.


2.3 Connect to the 129 machine remotely

With a port mapping, the 129 machine can be reached remotely.

To rule out interference, first delete the previous rule:

[root@yuioplvlinux-128 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@yuioplvlinux-128 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

Likewise, IP forwarding has to be enabled here as well:

[root@yuioplvlinux-128 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@yuioplvlinux-128 ~]# iptables -t nat -A PREROUTING -d 192.168.30.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@yuioplvlinux-128 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.30.128
[root@yuioplvlinux-128 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.30.128       tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.30.128

After setting the gateway on the 129 machine to 192.168.100.1, you can connect to it remotely with Xshell.
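As an added example that is not part of the original post, this Python model walks the two nat rules of section 2.3 (and the outbound source rewriting that MASQUERADE does in 2.2) through PREROUTING and POSTROUTING. It shows why the DNAT rule needs no companion rule for the reply, because connection tracking reverses the translation, and why nothing is forwarded while ip_forward is 0. The client 192.168.30.1 and the outside host 192.168.30.2 are constructed addresses.

```python
from collections import namedtuple
Pkt = namedtuple("Pkt", "src sport dst dport")   # TCP addressing 4-tuple, IPv4 as strings

# Addresses from this page's lab: 128 is the NAT box (external 192.168.30.128),
# 129 is the internal host 192.168.100.100, reachable from outside via 128:1122.
GW_EXT, FWD_PORT = "192.168.30.128", 1122
INTERNAL, SSH_PORT = "192.168.100.100", 22

class NatBox:
    """Toy model of the two nat rules on this page plus conntrack's reverse mapping."""
    def __init__(self, ip_forward=1):
        self.ip_forward = ip_forward   # value of /proc/sys/net/ipv4/ip_forward
        self.replies = {}              # reply as it arrives -> reply as it must leave

    def _prerouting(self, p):
        # -t nat -A PREROUTING -d 192.168.30.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
        if (p.dst, p.dport) == (GW_EXT, FWD_PORT):
            return p._replace(dst=INTERNAL, dport=SSH_PORT)
        return p

    def _postrouting(self, p):
        # -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.30.128
        return p._replace(src=GW_EXT) if p.src == INTERNAL else p

    def handle(self, p):
        """Return the packet as it leaves the box, or None if it cannot be forwarded."""
        if p in self.replies:          # known flow: conntrack undoes the NAT; rules are not re-run
            return self.replies[p]
        q = self._prerouting(p)
        if q.dst == GW_EXT:            # still addressed to the box itself: local delivery via INPUT
            return q
        if not self.ip_forward:        # routing between ens33 and ens37 requires ip_forward=1
            return None
        out = self._postrouting(q)     # FORWARD chain (policy ACCEPT on this page), then POSTROUTING
        self.replies[Pkt(out.dst, out.dport, out.src, out.sport)] = Pkt(p.dst, p.dport, p.src, p.sport)
        return out

def ssh_via_port_forward(ip_forward=1):
    """Admin at 192.168.30.1 connects to 128:1122; returns (request as 129 sees it, reply as admin sees it)."""
    box = NatBox(ip_forward)
    req = box.handle(Pkt("192.168.30.1", 50000, GW_EXT, FWD_PORT))
    if req is None:
        return None, None
    return req, box.handle(Pkt(req.dst, req.dport, req.src, req.sport))

def internal_host_outbound():
    """129 opens a connection outward; returns (request as the outside sees it, reply as 129 sees it)."""
    box = NatBox()
    req = box.handle(Pkt(INTERNAL, 40000, "192.168.30.2", 80))   # 192.168.30.2 is a constructed outside host
    return req, box.handle(Pkt(req.dst, req.dport, req.src, req.sport))
```

Note that the admin's reply comes back from 192.168.30.128:1122 even though the SNAT rule would also match a packet sourced from 192.168.100.100; conntrack handles established flows before the nat rules are consulted.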



Reposted from blog.csdn.net/yuioplv/article/details/80261116