iptables learning notes -- network firewall and targets (part 6)

Network firewall

Check whether IP forwarding is enabled:
0 = disabled
1 = enabled

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0

View the rules of the FORWARD chain:

iptables -nvL
iptables -t filter -nvL FORWARD
[root@localhost ~]# iptables -t filter -I FORWARD -j ACCEPT
[root@localhost ~]# iptables -t filter -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Targets

Basic targets
ACCEPT
DROP

Extended targets
REJECT --reject-with
--reject-with is followed by one of the reject types listed above; when it is omitted, the default is icmp-port-unreachable, as the rule listing below shows.

[root@localhost ~]# iptables -t filter -I INPUT  -s 10.39.0.4 -j REJECT
[root@localhost ~]# iptables -t filter -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       10.39.0.4            0.0.0.0/0            reject-with icmp-port-unreachable
  135  9596 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     all  --  *      *       10.39.0.4            0.0.0.0/0            reject-with icmp-port-unreachable
     156    11112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

LOG
Records the attributes of matching packets so they can be inspected later

[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      488 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4
       0        0 REJECT     all  --  *      *       10.39.0.4            0.0.0.0/0            reject-with icmp-port-unreachable
     256    18024 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Redirect the packet log entries to a dedicated file. Add the following line to /etc/rsyslog.conf and restart rsyslog (the LOG target writes with the kernel facility at level 4, warning, so kern.warning matches it):

vi /etc/rsyslog.conf
kern.warning /var/log/iptables.log
service rsyslog restart
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "demo-test-from-in-22"
[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 43 packets, 5191 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       64 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW LOG flags 0 level 4 prefix "demo-test-from-in-22"

Now the packets logged by iptables can be inspected in that file. (The --log-prefix above ends without a space, so in the log line the prefix runs straight into the IN= field.)

Log in and view the log

➜  github.com ssh root@192.168.1.61
root@192.168.1.61's password:
Last login: Sat Jun  2 13:59:36 2018 from 192.168.1.31
[root@localhost ~]#
cat /var/log/iptables.log | less
...
2018-06-02T18:22:14.422300+08:00 localhost kernel: demo-test-from-in-22IN=enp0s8 OUT= MAC=08:00:27:de:2d:c7:18:65:90:d4:3a:e7:08:00 SRC=192.168.1.31 DST=192.168.1.61 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=38288 DF PROTO=TCP SPT=59102 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
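Added example (not from the original post): a POSIX shell parser for the entries this LOG rule writes, run over constructed sample lines modelled on the entry above (the first is that entry verbatim). The helper names log_prefix, log_field and ssh_hits_over are mine; the parser tolerates the prefix being fused to IN= and tallies SSH hits per source, which is the defender's use of such a log.

```shell
#!/bin/sh
# Parse iptables LOG-target entries from /var/log/iptables.log and flag
# sources hitting the SSH port. Constructed sample lines modelled on the
# entry shown in the post (the first is that entry verbatim); the prefix
# runs straight into "IN=" because --log-prefix had no trailing space.
SAMPLE_LOG='2018-06-02T18:22:14.422300+08:00 localhost kernel: demo-test-from-in-22IN=enp0s8 OUT= MAC=08:00:27:de:2d:c7:18:65:90:d4:3a:e7:08:00 SRC=192.168.1.31 DST=192.168.1.61 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=38288 DF PROTO=TCP SPT=59102 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'
SAMPLE_LOGS="$SAMPLE_LOG
2018-06-02T18:22:15.100000+08:00 localhost kernel: demo-test-from-in-22IN=enp0s8 OUT= SRC=192.168.1.31 DST=192.168.1.61 LEN=64 PROTO=TCP SPT=59103 DPT=22 SYN URGP=0
2018-06-02T18:22:16.200000+08:00 localhost kernel: demo-test-from-in-22IN=enp0s8 OUT= SRC=10.39.0.4 DST=192.168.1.61 LEN=64 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
2018-06-02T18:22:17.300000+08:00 localhost kernel: demo-test-from-in-22IN=enp0s8 OUT= SRC=10.39.0.4 DST=192.168.1.61 LEN=64 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0"

# The --log-prefix text: whatever sits between "kernel: " and the first "IN=".
log_prefix() {
    p=${1#*"kernel: "}
    printf '%s\n' "${p%%IN=*}"
}

# Value of one KEY=VALUE field (e.g. SRC, DPT). Scanning starts at the
# first "IN=", so a prefix fused to "IN=" does not hide that field.
# Returns 1 when the key is absent.
log_field() {
    rest="IN=${1#*IN=}"
    for tok in $rest; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Sources with at least $2 logged TCP packets to port 22, printed as
# "SRC count" sorted by source. $1 is the newline-separated log text.
ssh_hits_over() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ "$(log_field "$line" PROTO)" = "TCP" ] || continue
        [ "$(log_field "$line" DPT)" = "22" ] || continue
        log_field "$line" SRC
    done | sort | uniq -c | awk -v t="$2" '$1 >= t { print $2, $1 }'
}

ssh_hits_over "$SAMPLE_LOGS" 2   # prints: 192.168.1.31 2
```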

SNAT: source NAT (rewrites the source address)
DNAT: destination NAT (rewrites the destination address)
MASQUERADE: masquerading (source NAT using the outgoing interface's address)
REDIRECT: redirection (to a local port)

References:
Network firewall
snat dnat

Reposted from blog.csdn.net/qq_21816375/article/details/80550059