一、firewalld和netfilter
1、关闭防火墙
[root@ma-1 ~]# vi /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled (更改配置为disabled) # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted (切记下边的配置不能更改,否则无法启动) [root@ma-1 ~]# getenforce Enforcing [root@ma-1 ~]# setenforce 0 (临时关闭防火墙) [root@ma-1 ~]# getenforce Permissive
2、iptables工具
netfilter服务是CentOS7之前版本中使用的防火墙,firewalld服务是CentOS7版本之后的使用的防火墙,但是两者的iptable工具用法相同
[root@ma-1 ~]# systemctl disable firewalld (关闭firewalld服务,有两个步骤,分别是:disable表示开机不启动和stop停止) Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@ma-1 ~]# systemctl stop firewalld [root@ma-1 ~]# yum install -y iptables-services (要使用iptables工具,需要安装iptables-services软件包) 已加载插件:fastestmirror base .......(中间省略) 作为依赖被升级: iptables.x86_64 0:1.4.21-24.1.el7_5 完毕! [root@ma-1 ~]# systemctl enable iptables (此安装包会产生iptable服务) Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@ma-1 ~]# systemctl start iptables (开启iptable服务) [root@ma-1 ~]# iptables -nvL (此命令可以查看iptable的默认规则) Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 31 2144 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 20 packets, 1752 bytes) pkts bytes target prot opt in out source destination
3、iptable的表和链接
iptables只是Linux防火墙的管理工具而已。真正实现防火墙功能的是netfilter(CentOS7之后是firewalld),它是Linux内核中实现包过滤的内部结构
1)iptable的五表五链
五表 filter表: 过滤数据包 Nat表: 用于网络地址转换(IP、端口) Mangle表: 修改数据包的服务类型、TTL、并且可以配置路由实现QOS Raw表: 决定数据包是否被状态跟踪机制处理 Security表: 用于强制访问控制(MAC)的网络规则 五链 INPUT链: 进来的数据包应用此规则链中的策略 OUTPUT链: 外出的数据包应用此规则链中的策略 FORWARD链: 转发数据包时应用此规则链中的策略 PREROUTING链: 对数据包作路由选择前应用此链中的规则(所有的数据包进来的时侯都先由这个链处理) POSTROUTING链:对数据包作路由选择后应用此链中的规则(所有的数据包出来的时侯都先由这个链处理)
2)iptable基本用法
一.基本格式 1. iptable [-t 表] 命令选项 [连名] 匹配条件 [-j 动作] 2.常用命令选项如下: -A (append) 在指定的连的结尾添加规则 -D (delete)删除指定连中的规则,可以按规则号或规则内容匹配 -I (insert)插入一条新规则,默认是在最前面 -R (replace) 替换某一条规则 -L (list)列出所有规则 -F (flush)清空所有规则 -N (new)自定义一条规则连 -X (--delete-chain) 删除用户自定义规则连 -P (policy)设置默认策略 -n (numeric)以数字方式显示,如:显示ip,但不显示主机名 -v (verbose)显示详细信息 -V (version)查看iptable的版本信息 -Z 清空计数器值 --line-number 查看规则连是,显示列表号 二.举例 # iptable -t filter -F(清空filter表中所有规则) # iptable -t filter -Z(清空filter表中的计数器值) # iptable -t filter -X (清除filter表中自定义连) # iptable -t filter -P INPUT DROP (设置INPUT连默认策略为DROP) # iptable -t filter -P OUTPUT DROP # iptable -t filter -P FORWROD DROP # iptable -t filter -A INPUT -p tcp -j ACCEPT (在INPUT连最后添加一条允许tcp协议的数据包进入的规则) # iptable -t filter -R INPUT 1 -p tcp -j DROP (替换INPUT连的第1条规则为拒绝tcp数据包进入) # iptable -t nat -vnL --line-number (以详细的、数字的格式列出nat表中的所有规则) # iptable -t nat -D POSTROUTING 1 (删除nat表POSTROUTING 连中的第1条规则) 三.条件匹配 1. 协议匹配:用于检查数据包使用的协议,符合规则就允许,反之拒绝。允许使用的协议名在/etc/protocols文件中。常用的协议有tcp,udp,icmp,ip 和all。( -p 协议名 ) # iptable -I INPUT -p icmp -j REJECT (拒绝进入防火墙本身的icmp数据包) # iptable -A FORWARD -p udp -j ACCEPT (允许转发udp的所有数据包) 2. 地址匹配:用于检查数据包的地址是否符合规则,包括源地址和目的地址。(-s 源地址, -d 目的地址) # iptable -A FORWARD -s 10.0.0.0/8 -j DROP (拒绝转发来自10.0.0.0/8 网段的数据包) # iptable -A FORWARD -d 80.0.0.0/8 -j DROP ( 拒绝转发目的是80.0.0.0/8 网段的数据包) 3.端口匹配:用于检查数据包的tcp或udp端口,需要和 “-p 协议类型” 一起使用(-sport 源端口,-dport 目的端口) # iptables -A FORWARD -s 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT (允许转发来自10.0.0.0/8网段,目的端口是80的数据包) # iptables -I FORWARD -s 10.0.0.0/8 -p tcp --sport 21 -j ACCEPT(允许转发来自10.0.0.0/8网段,源端口是21的数据包) 4.接口匹配:用于检查数据包从防火墙那个接口进入或出去,来判断是否允许。 # iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT(允许转发从eth0进入,来自10.0.0.0/8网段,使用tcp 协议,目的端口椒80的数据包) # iptables -A INPUT -i eth0 -s 80.0.0.0/8 -j DORP (拒绝从eth0进入,来自80.0.0.0/8的数据包) 5.SNAT转换:一般linux充当网关服务器时使用,SNAT只能用在nat表的POSTROUTING连,用于对源地址进行转换。要结合 --to 使用。 # iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to 202.106.1.1(将来自10.0.0.0/8网段的所有数据包的源地址转为202.106.1.1) # iptables -t nat -A POSTROUTING -i eth0 -s 80.0.0.0/8 -p tcp --dport 25 -j SNAT --to 202.106.1.1 6.DNAT转换:只能用在nat表中的PREROUTING连,用于对目的地址或端口进行转换。 # iptables -t nat -A PREROUTING -i eth1 -d 202.106.1.1 -p tcp --dport 80 -j DNAT --to 10.0.0.10(将从eth1 进入,目的地址是202.106.1.1,使用tcp 协议,目的端口是80的数据包的目的地址转为10.0.0.1) 7.MASQUERADE:伪装,是SNAT的特例。 # iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE(将来自10.0.0.0/8网段,从eth1出去的数据包的源地址伪装为eth1接口地址)
3)数据包流向判断
如果是本机: PREROUTING——INPUT——OUTPUT——POSTROUTING 不是本机:PREROUTING——FORWARD——POSTROUTING https://blog.csdn.net/achejq/article/details/53067170
4)具体操作
[root@ma-1 ~]# iptables -nvL (查看iptable默认规则) Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 380 29628 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 63 6726 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 358 packets, 26368 bytes) pkts bytes target prot opt in out source destination [root@ma-1 ~]# iptables -F (清空规则命令) [root@ma-1 ~]# iptables -nvL Chain INPUT (policy ACCEPT 7 packets, 488 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5 packets, 492 bytes) pkts bytes target prot opt in out source destination [root@ma-1 ~]# service iptables save (将当前的规则保存到配置文件中) iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ] [root@ma-1 ~]# cat /etc/sysconfig/iptables (保存规则的配置文件) # Generated by iptables-save v1.4.21 on Sat Jun 9 14:30:38 2018 *filter :INPUT ACCEPT [63:4324] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [40:4104] COMMIT # Completed on Sat Jun 9 14:30:38 2018 [root@ma-1 ~]# service iptables restart (重启iptables) Redirecting to /bin/systemctl restart iptables.service [root@ma-1 ~]# iptables -nvL (已经没有规则) Chain INPUT (policy ACCEPT 8 packets, 600 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 8 packets, 744 bytes) pkts bytes target prot opt in out source destination [root@ma-1 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP (不加-t,则默认是filter表,添加规则,各选项和参数意义上文已经提及) [root@ma-1 ~]# iptables -nvL (查看已经添加的规则) Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 31 2160 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 8 packets, 1120 bytes) pkts bytes target prot opt in out source destination [root@ma-1 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP (还有-I,是一种插入的方式,会在规则第一行显示) [root@ma-1 ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/00.0.0.0/0tcp dpt:80 141 9768 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.188.1192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes) pkts bytes target prot opt in out source destination (-A会添加在最后,-I会添加在最前边,添加的规则会优先过滤前边的规则) [root@ma-1 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP (-D为删除规则) [root@ma-1 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP [root@ma-1 ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 368 29076 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 5 packets, 732 bytes) pkts bytes target prot opt in out source destination [root@ma-1 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP [root@ma-1 ~]# iptables -nvL --line-number (会显示规则的顺序号) Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 492 38008 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 2 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 3 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 4 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 5 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited 6 0 0 DROP tcp -- * * 192.168.188.1192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 10 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 73 packets, 6908 bytes) num pkts bytes target prot opt in out source destination [root@ma-1 ~]# iptables -D INPUT 6 (可以按照顺序号删除规则) [root@ma-1 ~]# iptables -nvL --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 628 47972 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 2 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 3 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 4 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 5 1 229 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 10 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 48 packets, 4592 bytes) num pkts bytes target prot opt in out source destination [root@ma-1 ~]# iptables -P INPUT DROP (丢弃默认的规则,会断开会导致数据包无法传送回来,只能回服务器加载默认规则)
5)iptable小案例
[root@ma-1 ~]# vim /usr/local/sbin/iptables.sh #! /bin/bash ipt="/usr/sbin/iptables" (设置变量,尽量设置去全局变量) $ipt -F (首先清空之前的规则) $ipt -P INPUT DROP (定义策略) $ipt -P OUTPUT ACCEPT $ipt -P FORWARD ACCEPT $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT (指定状态,加此条规则是保证通信更加通畅;RELATED表示编译状态,ESTABLISHED保持链接) $ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT (添加规则) $ipt -A INPUT -p tcp --dport 80 -j ACCEPT $ipt -A INPUT -p tcp --dport 21 -j ACCEPT [root@ma-1 ~]# sh !$ sh /usr/local/sbin/iptables.sh [root@ma-1 ~]# iptables -nvL --line-number (查看添加之后的规则) Chain INPUT (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 19 672 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 20 0 ACCEPT tcp -- * * 192.168.133.0/24 0.0.0.0/0tcp dpt:22 30 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0tcp dpt:80 40 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0tcp dpt:21 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7 packets, 916 bytes) num pkts bytes target prot opt in out source destination [root@ma-1 ~]# service iptables restart (重启之后规则不再有效,是因为没有保存到配置文件) Redirecting to /bin/systemctl restart iptables.service [root@ma-1 ~]# iptables -nvL --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 15 356 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 20 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 30 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 40 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 50 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 10 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes) num pkts bytes target prot opt in out source destination
icmp示例
[root@ma-1 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP (使用此命令可以使别的机器ping不同本机,但本机却可以ping通外机器) [root@ma-1 ~]# ping www.qq.com PING www.qq.com (182.254.34.74) 56(84) bytes of data. 64 bytes from 182.254.34.74 (182.254.34.74): icmp_seq=1 ttl=128 time=24.9 ms 64 bytes from 182.254.34.74 (182.254.34.74): icmp_seq=2 ttl=128 time=31.5 ms 64 bytes from 182.254.34.74 (182.254.34.74): icmp_seq=3 ttl=128 time=24.8 ms 64 bytes from 182.254.34.74 (182.254.34.74): icmp_seq=4 ttl=128 time=24.5 ms 64 bytes from 182.254.34.74 (182.254.34.74): icmp_seq=5 ttl=128 time=24.6 ms ^C --- www.qq.com ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 8226ms rtt min/avg/max/mdev = 24.518/26.128/31.554/2.721 ms C:\Users\ma>ping 192.168.1.131 正在 Ping 192.168.1.131 具有 32 字节的数据: 请求超时。 请求超时。 192.168.1.131 的 Ping 统计信息: 数据包: 已发送 = 2,已接收 = 0,丢失 = 2 (100% 丢失) Control-C ^C [root@ma-1 ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP C:\Users\ma>ping 192.168.1.131 正在 Ping 192.168.1.131 具有 32 字节的数据: 来自 192.168.1.131 的回复: 字节=32 时间<1ms TTL=64 来自 192.168.1.131 的回复: 字节=32 时间<1ms TTL=64 192.168.1.131 的 Ping 统计信息: 数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失), 往返行程的估计时间(以毫秒为单位): 最短 = 0ms,最长 = 0ms,平均 = 0ms Control-C
二、iptables nat 表应用
A机器两块网卡ens33(192.168.1.131)、ens37(192.168.100.1),ens33可以上外网,ens37仅仅是内部网络,B机器只有ens37(192.168.100.100),和A机器ens37可以通信互联。
需求1:可以让B机器连接外网
1、添加网卡,设置成添加LAN字段,命名一个新的字段
2、在机器内操作修改ip
[root@ma-1 ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.131 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::6aac:3e4d:6b3:73ee prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ec:44:82 txqueuelen 1000 (Ethernet) RX packets 110 bytes 10783 (10.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 130 bytes 14454 (14.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.145 netmask 255.255.255.0 broadcast 192.168.1.255 ether 00:0c:29:ec:44:82 txqueuelen 1000 (Ethernet) ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether 00:0c:29:ec:44:8c txqueuelen 1000 (Ethernet) RX packets 34 bytes 11628 (11.3 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 55 bytes 10362 (10.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@ma-1 ~]# ifconfig ens37 192.168.100.1/24 (直接设置IP的命令,重启后将不再有用,需要修改配置文件) [root@ma-1 ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.131 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::6aac:3e4d:6b3:73ee prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ec:44:82 txqueuelen 1000 (Ethernet) RX packets 344 bytes 30654 (29.9 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 313 bytes 41938 (40.9 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.145 netmask 255.255.255.0 broadcast 192.168.1.255 ether 00:0c:29:ec:44:82 txqueuelen 1000 (Ethernet) ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255 inet6 fe80::20c:29ff:feec:448c prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ec:44:8c txqueuelen 1000 (Ethernet) RX packets 36 bytes 11748 (11.4 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 65 bytes 11170 (10.9 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 (同样的方法将另一台机器ip设置为192.168.100.100) [root@ma-1 ~]# ping 192.168.100.100 PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data. 64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=1.03 ms 64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.461 ms ^C --- 192.168.100.100 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.461/0.747/1.034/0.287 ms
3、准备工作完成之后,修改配置,添加规则
[root@ma-1 ~]# cat /proc/sys/net/ipv4/ip_forward 0 (0状态下表示未打开端口转发) [root@ma-1 ~]# echo "1">/proc/sys/net/ipv4/ip_forward [root@ma-1 ~]# cat /proc/sys/net/ipv4/ip_forward 1 [root@ma-1 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE (添加规则) [root@ma-1 ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 3 packets, 228 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 3 packets, 228 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
4、在B机器上设置网关,为192.168.100.1,就可以进行通信
[root@ma-1 ~]# route add default gw 192.168.100.1 设置完成之后就可以在机器上连接外网,但是在外网上是连接不到机器
需求2:C机器只能和A通信,让C机器可以直接连通B机器的22端口
A机器打开路由转发 echo "1">/ proc/sys/net/ipv4/ip_forward A上执行 iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 (设置规则) A上执行 iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130(设置规则) B上设置网关为 192.168.100.1
知识点
1)iptables应用在一个网段
[root@ma-1 ~]#iptables -I INPUT -m iprange --src-range 61.4.176.0-61.4.191.255 -j DROP
2)iptables限制syn速率
http://www.aminglinux.com/bbs/thread-985-1-1.html
3)sant,dnat,masquerade
http://www.aminglinux.com/bbs/thread-7255-1-1.html