2018-08-25

10.12 firewalld和netfilter

关闭SELinux

[root@localhost ~]# vim /etc/selinux/config 
SELINUX=disabled

关闭firewalld

[root@localhost ~]# systemctl stop firewalld.service 
[root@localhost ~]# systemctl disable firewalld.service 
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

安装iptables,打开netfilter

[root@localhost ~]# yum install -y iptables-services
[root@localhost ~]# systemctl enable iptables.service 
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables.service 
10.13 netfilter5表5链介绍

filter表用于过滤包,是最常用的表,有INPUT、FORWARD、OUTPUT三个链
nat表用于网络地址转换,有PREROUTING、OUTPUT、POSTROUTING三个链
mangle表用于给数据包做标记,几乎用不到
raw表可以实现不追踪某些数据包
security表在centos6中并没有,用于强制访问控制(MAC)的网络规则

10.14 iptables语法

查看规则

[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   65  4868 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   74 23480 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 54 packets, 3884 bytes)
 pkts bytes target     prot opt in     out     source               destination         

规则文件

[root@localhost ~]# vim /etc/sysconfig/iptables

重启iptables

[root@localhost ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service

清空规则(文件内不变)

[root@localhost ~]# iptables -F

保存当前规则到文件

[root@localhost ~]# service iptables save

指定表(默认filter)

[root@localhost ~]# iptables -t nat

计数器清0

[root@localhost ~]# iptables -Z
参数 作用
-P 设置默认策略
-F 清空规则链
-L 查看规则链
-A 在规则链的末尾加入新规则
-I num 在规则链的头部加入新规则
-D num 删除某一条规则
-s 匹配来源地址IP/MASK,加叹号“!”表示除这个IP外
-d 匹配目标地址
-i 网卡名称 匹配从这块网卡流入的数据
-o 网卡名称 匹配从这块网卡流出的数据
-p 匹配协议,如TCP、UDP、ICMP
--dport num 匹配目标端口号
--sport num 匹配来源端口号
--line-numbers 显示行号
10.15 iptables filter表案例
[root@localhost ~]# vi /usr/local/sbin/iptables.sh
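#! /bin/bash
# Baseline filter-table policy for a single host: drop inbound traffic by
# default, then allow replies to established sessions, loopback, SSH from the
# management LAN, HTTP and the FTP control port.
# Note: when launched as "sh script.sh" the shebang is ignored, so the body is
# kept POSIX-sh compatible.
ipt="/usr/sbin/iptables"

# Flush the filter table, then install the stateful allow rule *before*
# switching the INPUT policy to DROP, so an existing remote session is not cut
# off in the window between the two commands.
"$ipt" -F
"$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback must be allowed explicitly once the default policy is DROP;
# local services talking over 127.0.0.1 break otherwise.
"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -P INPUT DROP
"$ipt" -P OUTPUT ACCEPT
"$ipt" -P FORWARD ACCEPT

# SSH only from the management subnet; web and FTP control port from anywhere.
"$ipt" -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
"$ipt" -A INPUT -p tcp --dport 80 -j ACCEPT
"$ipt" -A INPUT -p tcp --dport 21 -j ACCEPT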
[root@localhost ~]# sh /usr/local/sbin/iptables.sh

icmp示例

[root@localhost ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
10.16/10.17/10.18 iptables nat表应用

01虚拟机两块网卡:
一块为公网网卡ens33
一块为LAN区段的网卡ens37

[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.123.132  netmask 255.255.255.0  broadcast 192.168.123.255
        inet6 fe80::122f:aaa5:b42a:9ccc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:99:e3:1e  txqueuelen 1000  (Ethernet)
        RX packets 7712  bytes 6696592 (6.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2603  bytes 262797 (256.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.24.128  netmask 255.255.255.0  broadcast 192.168.24.255
        inet6 fe80::273e:f741:bcf4:4f7e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:99:e3:28  txqueuelen 1000  (Ethernet)
        RX packets 12  bytes 2111 (2.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 1624 (1.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

02虚拟机一块网卡:
为LAN区段的网卡ens37

[root@localhost ~]# ifconfig
ens33: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:0c:29:53:94:53  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.24.129  netmask 255.255.255.0  broadcast 192.168.24.255
        inet6 fe80::96e:55fd:ac76:7251  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:53:94:5d  txqueuelen 1000  (Ethernet)
        RX packets 75  bytes 10266 (10.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 245  bytes 25394 (24.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

01打开路由转发(写入/proc的设置只在本次启动内生效),并设置规则

[root@localhost ~]# echo "1">/proc/sys/net/ipv4/ip_forward
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.24.0/24 -o ens33 -j MASQUERADE

02设置网关

[root@localhost ~]# route add default gw 192.168.24.1

01设置规则

[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130

转载自www.cnblogs.com/2KP2/p/9544186.html