1. iptables examples
Create and edit the file with the command "vim /usr/local/sbin/iptables.sh", and put the following content into it:
    #! /bin/bash
    ipt="/usr/sbin/iptables"
    $ipt -F                     # flush all existing rules
    $ipt -P INPUT DROP          # default policies: drop inbound unless a rule accepts it
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # keep existing connections working
    $ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT  # accept TCP packets from 192.168.133.0/24 to local port 22
    $ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # accept TCP packets to local port 80
    $ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # accept TCP packets to local port 21
Run the script and list the resulting rules:
    [root@yuioplvlinux-128 ~]# sh /usr/local/sbin/iptables.sh
    [root@yuioplvlinux-128 ~]# iptables -nvL
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       26  1768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
     pkts bytes target     prot opt in     out     source               destination
Another common use is to let this host ping other machines while other machines cannot ping this host. Dropping inbound ICMP type 8 (echo request) does exactly that; echo replies to our own pings are a different type and still get through:
    [root@yuioplvlinux-128 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
    [root@yuioplvlinux-128 ~]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       75  8505 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 43 packets, 4660 bytes)
     pkts bytes target     prot opt in     out     source               destination
    [root@yuioplvlinux-128 ~]# ping www.qq.com
    PING news.qq.com (121.51.142.21) 56(84) bytes of data.
    64 bytes from 121.51.142.21 (121.51.142.21): icmp_seq=1 ttl=53 time=7.25 ms
    64 bytes from 121.51.142.21 (121.51.142.21): icmp_seq=2 ttl=53 time=8.39 ms
    64 bytes from 121.51.142.21 (121.51.142.21): icmp_seq=6 ttl=53 time=6.42 ms
    ^C
    --- news.qq.com ping statistics ---
    6 packets transmitted, 3 received, 50% packet loss, time 5004ms
    rtt min/avg/max/mdev = 6.429/7.361/8.396/0.806 ms
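As an added example (not from the original post): after applying a script like the one above, the check worth running is "which INPUT rules accept new connections from anywhere?". The helper below reads the text of `iptables -nvL` and prints those rules; the sample listing it parses is constructed here from the output above, with one extra rule added.

```shell
#!/bin/sh
# Audit helper (added example): list INPUT-chain ACCEPT rules that admit NEW
# connections from any source (0.0.0.0/0). Feed it `iptables -nvL` text, e.g.
#   iptables -nvL | audit_world_open
audit_world_open() {
    awk '
    /^Chain /                    { chain = $2; next }   # remember which chain we are in
    chain != "INPUT"             { next }
    $3 != "ACCEPT"               { next }               # also skips the header line
    $6 == "lo"                   { next }               # loopback is not world-reachable
    $8 != "0.0.0.0/0"            { next }               # source-restricted rules are fine
    index($0, "ESTABLISHED") > 0 { next }               # reply traffic, not new connections
    {
        extra = ""                                       # the match text after "destination"
        for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
        print (extra == "" ? $4 : extra)                 # e.g. "tcp dpt:80", or just "icmp"
    }'
}

# Constructed sample, modelled on the listing above plus an OUTPUT rule that must be ignored.
SAMPLE_NVL='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  1768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443'

printf '%s\n' "$SAMPLE_NVL" | audit_world_open
```

Only the port 80 and port 21 rules are reported: the port 22 rule is limited to 192.168.133.0/24, and the state rule only admits replies.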
2. Using the nat table
2.1 Add a network adapter and assign a LAN IP
1) Add a network adapter, choosing NAT mode;
2) Define a custom global LAN segment (the name is arbitrary);
3) Assign the newly added adapter to that LAN segment;
4) Repeat the steps above on the other virtual machine;
5) Once both adapters are added, start the two virtual machines.
Connect remotely to the 128 virtual machine and check its IP addresses; the newly added adapter ens37 is visible:
    [root@yuioplvlinux-128 ~]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.30.128  netmask 255.255.255.0  broadcast 192.168.30.255
            inet6 fe80::9c36:c384:f224:23f4  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)
            RX packets 89  bytes 10889 (10.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 90  bytes 10433 (10.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.30.136  netmask 255.255.255.0  broadcast 192.168.30.255
            ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)

    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet6 fe80::5c27:9948:9b95:afdf  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:96:17:a4  txqueuelen 1000  (Ethernet)
            RX packets 15  bytes 5130 (5.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 51  bytes 8994 (8.7 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 72  bytes 5792 (5.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 72  bytes 5792 (5.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Open 129 in the VM console, where the newly added adapter ens37 is visible as well, and disable its ens33 adapter.
Use the command "ifconfig <adapter> <IP address>" to set each machine's LAN IP (this setting is lost on reboot; to make it permanent, edit the adapter's configuration file), then check that the two machines can ping each other:
    [root@yuioplvlinux-128 ~]# ifconfig ens37 192.168.100.1/24
    [root@yuioplvlinux-128 ~]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.30.128  netmask 255.255.255.0  broadcast 192.168.30.255
            inet6 fe80::9c36:c384:f224:23f4  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)
            RX packets 194  bytes 20043 (19.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 145  bytes 18945 (18.5 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.30.136  netmask 255.255.255.0  broadcast 192.168.30.255
            ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)

    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
            inet6 fe80::20c:29ff:fe96:17a4  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:96:17:a4  txqueuelen 1000  (Ethernet)
            RX packets 17  bytes 5814 (5.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 62  bytes 10688 (10.4 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 72  bytes 5792 (5.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 72  bytes 5792 (5.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    [root@yuioplvlinux-128 ~]# ping 192.168.100.100
    PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
    64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=1.88 ms
    64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.811 ms
    64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=0.877 ms
    ^C
    --- 192.168.100.100 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 0.811/1.191/1.887/0.494 ms
2.2 Let the 129 machine reach the Internet
The file /proc/sys/net/ipv4/ip_forward controls IP forwarding (routing) on 128: 0 means forwarding is off, 1 means it is on. Turn it on:
    [root@yuioplvlinux-128 ~]# cat /proc/sys/net/ipv4/ip_forward
    0
    [root@yuioplvlinux-128 ~]# echo "1" > !$
    echo "1" > /proc/sys/net/ipv4/ip_forward
Add a source-address translation rule to the nat table: the device name after -o is the outbound interface, and MASQUERADE means the LAN addresses are masqueraded behind that interface's address:
    [root@yuioplvlinux-128 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
    [root@yuioplvlinux-128 ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 16 packets, 1072 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0
On the 129 machine run "route add default gw 192.168.100.1". Once the gateway is set, 129 can ping 128's Internet-facing IP directly, which shows that 129 now has Internet access.
2.3 Connect remotely to the 129 machine
A port mapping on 128 makes it possible to connect to 129 remotely.
To rule out interference, first delete the previous rule:
    [root@yuioplvlinux-128 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
    [root@yuioplvlinux-128 ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
Likewise, IP forwarding has to be enabled. Then map TCP port 1122 on 128's public address to port 22 on 129 with DNAT in PREROUTING, and rewrite 129's outbound source address to 128's with SNAT in POSTROUTING:
    [root@yuioplvlinux-128 ~]# cat /proc/sys/net/ipv4/ip_forward
    1
    [root@yuioplvlinux-128 ~]# iptables -t nat -A PREROUTING -d 192.168.30.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
    [root@yuioplvlinux-128 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.30.128
    [root@yuioplvlinux-128 ~]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.30.128       tcp dpt:1122 to:192.168.100.100:22

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.30.128
After setting the gateway on 129 to 192.168.100.1, you can connect to it remotely through Xshell (to 192.168.30.128, port 1122).
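The gateway procedure from 2.2 and 2.3 collected into one script, as an added example (not the post's own commands). It assumes the same layout as above (128 is the gateway, ens33 faces the Internet at 192.168.30.128, 129 is 192.168.100.100) plus a hypothetical MGMT_NET that limits who may use the port mapping; run it with `dry-run` to print the rules, or `apply` as root on the gateway to install them.

```shell
#!/bin/sh
# Added example: NAT gateway setup for the lab above, with a dry-run mode.
# Assumed layout: 128 = gateway, ens33 = Internet side, ens37 = LAN side,
# 129 = 192.168.100.100. MGMT_NET is an assumption: the only network allowed
# to use the 1122 -> 22 mapping (the post's DNAT rule has no -s, so it exposes
# 129's SSH to anyone who can reach 128).
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF=ens33
WAN_IP=192.168.30.128
LAN_NET=192.168.100.0/24
TARGET=192.168.100.100
MGMT_NET=192.168.133.0/24

nat_setup() {
    # `echo 1 > /proc/sys/net/ipv4/ip_forward` is lost on reboot; sysctl -w sets the same
    # knob, and the line net.ipv4.ip_forward=1 in /etc/sysctl.conf makes it persistent.
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -t nat -F                          # start from an empty nat table, as the post does
    # 2.2: masquerade the whole LAN behind ens33's address for outbound traffic
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # 2.3: map 128:1122 to 129:22, restricted to the management network
    $IPT -t nat -A PREROUTING -s "$MGMT_NET" -d "$WAN_IP" -p tcp --dport 1122 \
        -j DNAT --to "$TARGET:22"
    # DNAT only rewrites the destination: forwarded packets still traverse the filter
    # table's FORWARD chain, which must accept them. -I puts these rules ahead of any
    # pre-existing REJECT rule like the one in the FORWARD chain shown in section 1.
    $IPT -I FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -I FORWARD -d "$TARGET" -p tcp --dport 22 -j ACCEPT
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply)   nat_setup ;;                                                # needs root on 128
    dry-run) IPT="echo iptables"; SYSCTL="echo sysctl"; nat_setup ;;     # print, do not apply
esac
```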