iptables防火墙管理

一,iptables的启用

[root@200 Desktop]# systemctl stop firewalld                          >>>>>首先要关闭firewalld
[root@200 Desktop]# systemctl disable firewalld
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
[root@200 Desktop]# systemctl start iptables.service                  >>>>>开启iptables
[root@200 Desktop]# systemctl enable iptables.service 
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'

二,刷新与保存

[root@200 Desktop]# iptables -nL                             >>>>>-n 不做解析,直接显示ip,端口   -L 列出规则
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@200 Desktop]# iptables -F                                  >>>>>刷新
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@200 Desktop]# service iptables save                       >>>>>保存iptables的规则
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

保存在/etc/sysconfig/iptables里面,可以直接查看

三,三张表,五条链

[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@200 Desktop]# iptables -t filter -nL                        >>>>>>-t指定表;filter表就是上面不加-t时显示的默认表
Chain INPUT (policy ACCEPT)                                       >>>>>>filter表有INPUT FORWARD OUTPUT 三条链
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@200 Desktop]# iptables -t nat -nL                           >>>>显示nat表信息
Chain PREROUTING (policy ACCEPT)                                  >>>>nat表有PREROUTING INPUT OUTPUT POSTROUTING四条链
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination       
  
[root@200 Desktop]# iptables -t mangle -nL                        >>>>>显示mangle表信息
Chain PREROUTING (policy ACCEPT)                                  >>>>>mangle表有PREROUTING INPUT FORWARD OUTPUT POSTROUTING五条链
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

四,修改策略

[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)                                    >>>默认是ACCEPT的,也就是此时任何人都可以访问本机的apache
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
 
[root@200 Desktop]# iptables -P INPUT DROP       DROP就是丢弃,不给出任何拒绝信息:此时访问本机的apache会一直加载,但不会显示拒绝信息。注意:这里是在本机控制台上操作的;如果是通过ssh远程操作,先把INPUT默认策略改成DROP而没有放行ssh,会把自己锁在外面
[root@200 Desktop]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

五,基于端口的访问设置

[root@200 Desktop]# iptables -A INPUT -p tcp --dport 80 -j REJECT      REJECT表示拒绝,并且会给出拒绝信息;--dport表示目的端口是80,即访问80端口时拒绝;访问其他端口时走默认策略DROP
[root@200 Desktop]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

六,基于ip的访问控制

[root@200 Desktop]# iptables -A INPUT -s 172.25.254.156 -p tcp --dport 80 -j ACCEPT   
                     >>>>>表示156这个主机访问我80端口时允许,但是规则按顺序匹配,前面那条拒绝所有人访问80端口的规则写在它之前,所以这条规则不会生效!!!
[root@200 Desktop]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable      >>>>这个已经拒绝了所有人,下面这个就不生效了
ACCEPT     tcp  --  172.25.254.156       0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

七,iptables命令常用命令

1,删除规则

[root@200 Desktop]# iptables -D INPUT 1           删除第一条拒绝所有的规则,此时所有人默认DROP,只有156可以访问80,访问其他端口也是DROP
[root@200 Desktop]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.156       0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

2,改变链的默认策略

[root@200 Desktop]# iptables -P INPUT ACCEPT
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.156       0.0.0.0/0            tcp dpt:80         只有156可以正常访问80端口,

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

3,插入链规则

[root@200 Desktop]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT          -I表示插入,1表示插入位置
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80        规则从上到下依次匹配,所以第二条规则不再起作用
ACCEPT     tcp  --  172.25.254.156       0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

4,修改链规则

[root@200 Desktop]# iptables -R INPUT 2 -p tcp --dport 80 -j REJECT              -R表示替换(修改)规则,2表示第2条规则
                             >>>>>>由于这里没有指定源地址156,所以它会拒绝所有人;但注意它是第二条规则,数据包先匹配到第一条ACCEPT就直接放行,不会再读第二条
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
5,建立用户自己的链
[root@200 Desktop]# iptables -N westos                                     -N表示新建自定义链,后面跟链的名称
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain westos (0 references)                                               >>>>>>>新建立的链
target     prot opt source               destination         

6,修改自定义链的名称

[root@200 Desktop]# iptables -E westos WESTOS                                     >>>>>-E表示重命名链
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain WESTOS (0 references)                                                        >>>>>修改成功
target     prot opt source               destination         

7,删除自定义的链

[root@200 Desktop]# iptables -X WESTOS                                             >>>>>-X表示删除链(只能删除空的、未被引用的自定义链)
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@200 Desktop]# 

八,为端口添加链规则

1,删除原有链规则

[root@200 Desktop]# iptables -D INPUT 1
[root@200 Desktop]# iptables -D INPUT 1                                               >>>>>>>也可以直接用-F刷新
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

2,为httpd,sshd,dns,iscsi添加端口规则

[root@200 Desktop]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT                   >>>>httpd开放80端口
[root@200 Desktop]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT                   >>>>sshd开放22端口
[root@200 Desktop]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT                   >>>>dns开放53端口(这里只开放了tcp 53;普通DNS查询通常走udp 53,需要另加一条-p udp的规则)
[root@200 Desktop]# iptables -A INPUT -p tcp --dport 3260 -j ACCEPT                 >>>>iscsi开放3260端口
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3260

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@200 Desktop]# iptables -A INPUT -i lo -j ACCEPT                               >>>>>>!!!!本机回环接口一定要写上
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3260
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

注意:这种做法虽然可行,但是会降低效率,因为每个数据包进来都要做判断。另外此时INPUT默认策略仍是ACCEPT,末尾也没有拒绝规则,所以这些ACCEPT规则实际上还没有限制任何访问。

3,添加端口规则的改进版

[root@200 Desktop]# iptables -F                                    >>>>>刷新链规则
我们让已经建立连接(ESTABLISHED)以及与已有连接相关的新连接(RELATED)的数据包直接通过
[root@200 Desktop]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT        >>>>>-m表示匹配状态  
                                   >>>>>>让已经建立(ESTABLISHED)和与已有连接相关(RELATED)的数据包直接通过,不用再逐条匹配后面的端口规则
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
[root@200 Desktop]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT           >>>>新的数据包如果符合条件就允许通过
[root@200 Desktop]# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT 
[root@200 Desktop]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT 
[root@200 Desktop]# iptables -A INPUT -m state --state NEW -p tcp --dport 3260 -j ACCEPT 
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3260
[root@200 Desktop]# iptables -A INPUT  -m state --state NEW -i lo -j ACCEPT                      >>>>>本地回环接口
[root@200 Desktop]# iptables -A INPUT -j REJECT                                       >>>>除了这些端口之外,其他的全部拒绝
[root@200 Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3260
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
注意:上面的过程是有顺序的,因为规则是按顺序读取的:先判断数据包是不是新连接,如果不是,直接允许;如果是新连接,再看它是不是这几个端口允许的数据包,如果是,允许通过,如果不是,拒绝!
[root@200 Desktop]# service iptables save                                   >>>>>保存规则,该文件可以直接查看
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@200 Desktop]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sat Jun  9 12:23:11 2018
*mangle
:PREROUTING ACCEPT [3219:239011]
:INPUT ACCEPT [1512:135471]
:FORWARD ACCEPT [1707:103540]
:OUTPUT ACCEPT [4325:373843]
:POSTROUTING ACCEPT [6032:477383]
COMMIT
# Completed on Sat Jun  9 12:23:11 2018
# Generated by iptables-save v1.4.21 on Sat Jun  9 12:23:11 2018
*nat
:PREROUTING ACCEPT [941:56636]
:INPUT ACCEPT [6:360]
:OUTPUT ACCEPT [606:36464]
:POSTROUTING ACCEPT [1368:82360]
COMMIT
# Completed on Sat Jun  9 12:23:11 2018
# Generated by iptables-save v1.4.21 on Sat Jun  9 12:23:11 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [19:1140]
:OUTPUT ACCEPT [53:4160]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3260 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Jun  9 12:23:11 2018

九,路由之后地址伪装

1,配置服务端软件

[root@200 Desktop]# iptables -F                                     >>>>>刷新(默认filter表的)规则
[root@200 Desktop]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.200  
                   >>>>>>!!!这个需要在nat表里面写 指定POSTROUTING链 -o 指定网卡 SNAT表示源转换 --to-source 指定ip
[root@200 Desktop]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.200       
也就是说:客户端的网关是服务端的另一个ip(本例中eth1=172.25.0.200),客户端的数据经服务端出去之后,源地址都被伪装成172.25.254.200。前提是服务端已开启内核转发(net.ipv4.ip_forward=1),否则数据包根本不会被转发。

2,客户端测试

客户端的网关是服务端eth1的ip

[root@100xxx network-scripts]# ping 172.25.254.156          >>>本机ip为172.25.0.100,没有伪装之前是ping不通的,因为不在同一个网段
PING 172.25.254.156 (172.25.254.156) 56(84) bytes of data.
^C
--- 172.25.254.156 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6998ms

伪装之后,本机(172.25.0.100)可以ping通不在同一网段的156:对156来说,请求其实来自172.25.254.200,而它和156在同一个网段。这需要网关和地址转换的配合,注意网关本身一定要能被ping通。


[root@100xxx network-scripts]# ssh root@172.25.254.156      >>>看似是172.25.0.100发起的连接,其实经过地址伪装后,对方看到的是172.25.254.200在连接
root@172.25.254.156's password: 
Last login: Sat Jun  9 22:56:59 2018 from 172.25.254.200

[root@156 ~]# w -i
 00:50:45 up  4:00,  4 users,  load average: 1.29, 1.33, 1.26
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kiosk    :0       :0               20:50   ?xdm?   3:52m  0.31s gdm-sessio
kiosk    pts/2    :0               20:51    1:38m  0.08s  4.25s /usr/libex
kiosk    pts/3    :0               21:18    1:43m  1:24   0.04s bash
root     pts/4    172.25.254.200   00:50    5.00s  0.02s  0.00s w -i         >>>>这里可以查看到是172.25.254.200连接的

3,路由之前伪装

[root@200 Desktop]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-dest 172.25.0.100   
注意这个和POSTROUTING的格式不一样:对进来的数据包只对目的端口22做此处理,只要从eth0(172.25.254.200)进入并且目的端口是22,就直接转到172.25.0.100去。注意这条规则没有限制源地址,所以之后从eth0进来的所有ssh连接(包括想登录200本机的)都会被转到100。
DNAT表示目的地址转换
[root@200 Desktop]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:172.25.0.100

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.200


[root@156 ~]# ssh root@172.25.254.200    >>>看似是连接200,但是在路由之前就做了目的地址转换,直接送到172.25.0.100;网段不同也没关系,这与156的网关无关,因为156和200本来就在同一个网段
root@172.25.254.200's password: 
Last login: Sat Jun  9 09:29:55 2018 from 172.25.254.200
[root@100xxx ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.0.100  netmask 255.255.255.0  broadcast 172.25.0.255          >>>>可以看到虽然连接172.25.254.200,但是送到了172.25.0.100
        inet6 fe80::5054:ff:fe00:9c0a  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:00:9c:0a  txqueuelen 1000  (Ethernet)
        RX packets 20714  bytes 7622169 (7.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10864  bytes 741136 (723.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



转载自blog.csdn.net/ha_weii/article/details/80680090