iptables firewall and SNAT: network principles in practice

Network firewall

iptables/netfilter as a network firewall:

(1) acts as a gateway
(2) uses the FORWARD chain of the filter table

Points to note:

(1) Both the request and the response packets pass through the FORWARD chain, so pay attention to the direction each rule matches
(2) With the conntrack mechanism enabled, it is recommended to accept packets in state ESTABLISHED directly, in both directions

Practical exercise:

Preparing the environment:

Host A: 192.168.37.6 (NAT mode, acts as the intranet host)

Host B: 192.168.37.7 (NAT mode) and 172.16.0.7 (bridge mode), acts as the firewall

Host C: 172.16.0.17 (bridge mode, acts as the external network host)

(1) Modify the IP address of host A

[root@centos7network-scripts]#cat ifcfg-ens33
DEVICE=ens33
BOOTPROTO=static
IPADDR=192.168.37.6
PREFIX=24
GATEWAY=192.168.37.7
ONBOOT=yes

(2) Modify the IP address in host B's NAT-mode interface profile

[root@centos7network-scripts]#cat ifcfg-ens33
DEVICE=ens33
BOOTPROTO=none
IPADDR=192.168.37.7
PREFIX=24
ONBOOT=yes
GATEWAY=192.168.34.2
DNS1=114.114.114.114

Modify the IP address in host B's bridge-mode interface profile

[root@centos7network-scripts]#cat ifcfg-ens37
DEVICE=ens37
BOOTPROTO=none
IPADDR=172.16.0.7
PREFIX=24
ONBOOT=yes
DNS1=114.114.114.114

(3) Modify the IP address of host C

[root@centos777network-scripts]#cat ifcfg-ens37
DEVICE=ens37
BOOTPROTO=dhcp
IPADDR=172.16.0.17
PREFIX=24
GATEWAY=172.16.0.7
ONBOOT=yes

(4) Modify the routing settings of host B so that host A and host C can ping each other across network segments

[root@centos7 ~]#vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@centos7 ~]#sysctl -p      # reload the profile so the setting takes effect
net.ipv4.ip_forward = 1

(5) Set a FORWARD firewall policy for requests and responses on host B (the firewall) so that host A can ping host C

[root@centos7 ~]#iptables -A FORWARD -j REJECT      # set a REJECT rule on the FORWARD chain of host B (the firewall)
[root@centos7 ~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 85 packets, 6520 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 63 packets, 5876 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@centos7 ~]#iptables -I FORWARD 1 -s 192.168.37.6 -p icmp --icmp-type 8 -j ACCEPT      # allow host A's echo requests
[root@centos7 ~]#iptables -I FORWARD 1 -d 192.168.37.6 -p icmp --icmp-type 0 -j ACCEPT      # allow echo replies back to host A

(6) The rule that allows the response by IP can be deleted and replaced with the state module: connection tracking sees the outgoing ping, the returning packets are in state ESTABLISHED, and the ping still succeeds. This method works as well.

[root@centos7~]#iptables -D FORWARD 2
[root@centos7~]#iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 49 packets, 3608 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   420 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        3   252 ACCEPT     icmp --  *      *       192.168.37.6         0.0.0.0/0            icmptype 8
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 34 packets, 3040 bytes)
num   pkts bytes target     prot opt in     out     source               destination      
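The stateful layout above (conntrack shortcut first, explicit REJECT last) is easy to break once rules are inserted with -I at arbitrary positions. The following audit script is an added example, not part of the original post: it reads the output of iptables -vnL (with or without --line-numbers, since the page shows both forms) and checks that the FORWARD chain opens with the RELATED,ESTABLISHED accept and ends with a catch-all REJECT or DROP. The sample listing is constructed from the chain shown above; the function name audit_forward_chain is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the FORWARD chain of an "iptables -vnL"
# listing for the two invariants this lab relies on. The sample below is constructed from the
# listing shown above; the function name audit_forward_chain is this example's own.
GOOD_LISTING='Chain INPUT (policy ACCEPT 49 packets, 3608 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   420 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        3   252 ACCEPT     icmp --  *      *       192.168.37.6         0.0.0.0/0            icmptype 8
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 34 packets, 3040 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# audit_forward_chain: reads a listing (with or without --line-numbers) on stdin and exits 0 only if
#   1. the first FORWARD rule is the RELATED,ESTABLISHED ACCEPT (replies are then never evaluated
#      against the per-service rules, so a misplaced -I cannot silently block them), and
#   2. the last FORWARD rule is a catch-all REJECT or DROP (nothing else crosses the gateway).
audit_forward_chain() {
    awk '
    /^Chain /                        { chain = $2; next }
    $1 == "num" || $1 == "pkts"      { numbered = ($1 == "num"); next }   # header line tells us the column layout
    chain != "FORWARD" || NF == 0    { next }
    {
        n++
        target = numbered ? $4  : $3
        proto  = numbered ? $5  : $4
        src    = numbered ? $9  : $8
        dst    = numbered ? $10 : $9
        if (n == 1 && target == "ACCEPT" && $0 ~ /RELATED,ESTABLISHED|ESTABLISHED,RELATED/)
            first_ok = 1
        last_is_catchall = ((target == "REJECT" || target == "DROP") && proto == "all" &&
                            src == "0.0.0.0/0" && dst == "0.0.0.0/0")
    }
    END {
        if (n == 0)            { print "FORWARD chain has no rules"; exit 2 }
        if (!first_ok)         { print "rule 1 is not the RELATED,ESTABLISHED accept"; exit 1 }
        if (!last_is_catchall) { print "last rule is not a catch-all REJECT/DROP"; exit 1 }
        print "FORWARD chain OK (" n " rules)"
    }'
}

# Stand-alone run against the constructed sample; on a live host use: iptables -vnL | audit_forward_chain
printf '%s\n' "$GOOD_LISTING" | audit_forward_chain
```

On a live gateway, pipe iptables -vnL --line-numbers into the function from a cron job or a configuration check, and treat a non-zero exit as a drift alarm: a missing conntrack shortcut means replies depend on per-service rules, and a missing catch-all means the chain policy alone decides what is forwarded.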

Allow the intranet to access the httpd service on the external network

(1) Install the httpd service on host C

[root@centos777~]#yum install httpd
[root@centos777~]#systemctl start  httpd
[root@centos777~]#echo internet server > /var/www/html/index.html

(2) Set a firewall policy on host B that allows the intranet to access the httpd service on the external network, while the external network cannot access services on the intranet

[root@centos7~]#iptables -I FORWARD 2 -s 192.168.37.0/24 -p tcp --dport 80  -j ACCEPT

(3) Now host A can access the httpd service on host C (external network)

[root@centos7network-scripts]#curl 172.16.0.17
internet server

(4) Host C on the external network can also offer the httpd service over TLS

[root@centos777~]#yum install mod_ssl  -y
[root@centos777~]#systemctl restart httpd

(5) On host B, set a firewall rule for the encrypted httpd port 443 together with port 80

[root@centos7~]#iptables -I FORWARD 2 -s 192.168.37.0/24 -p tcp -m multiport --dport 80,443  -j ACCEPT

(6) Now host A can access the encrypted httpd service on the external network

[root@centos7 network-scripts]#curl -k https://172.16.0.17      # with -k the certificate is not verified
internet server

(7) On host B it is also possible to allow the external network to access the httpd service on the intranet host

[root@centos7~]#iptables -I FORWARD 2 -d 192.168.37.6 -p tcp -m multiport --dport 80,443  -j ACCEPT
[root@centos7~]#iptables -vnL
Chain INPUT (policy ACCEPT 20 packets, 1528 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   34  4644 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.37.6         multiport dports 80,443
    4   240 ACCEPT     tcp  --  *      *       192.168.37.0/24      0.0.0.0/0            multiport dports 80,443
    4   336 ACCEPT     icmp --  *      *       192.168.37.6         0.0.0.0/0            icmptype 8
   84  4889 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 14 packets, 1304 bytes)
 pkts bytes target     prot opt in     out     source               destination  

(8) From host C, access the httpd service on host A

[root@centos777~]#curl 192.168.37.6
lan server

Chain management:

-N: new, create a custom chain
-X: delete an empty custom chain
-P: policy, set the default policy; the built-in chains of the filter table have a default policy:
ACCEPT: accept
DROP: discard
-E: rename a custom chain; a custom chain whose reference count is not 0 can be neither renamed nor deleted

Hands-on demo: create a custom chain for modular management (allowing the intranet to access the external network)

(1) Building on the experiments above, create a new chain on host B so that the rules can be managed as a module

[root@centos7 ~]#iptables -N TOINTERNET      # create a new chain to serve as a module
[root@centos7 ~]#iptables -A TOINTERNET -s 192.168.37.0/24 -p tcp -m multiport --dports 80,443,22 -j ACCEPT      # add the rules for accessing the external network to the new chain
[root@centos7 ~]#iptables -A TOINTERNET -s 192.168.37.0/24 -p icmp --icmp-type 8 -j ACCEPT
[root@centos7 ~]#iptables -I FORWARD 2 -j TOINTERNET      # hook the new custom chain into the FORWARD chain

(2) Now the external network can be reached from the intranet; keeping the rules in a custom chain makes them easier to manage and clearer to read

[root@centos7html]#curl -k https://172.16.0.17
internet server
[root@centos7html]#curl 172.16.0.17
internet server
[root@centos7html]#ssh 172.16.0.17
The authenticity of host '172.16.0.17 (172.16.0.17)' can't be established.
ECDSA key fingerprint is SHA256:nl4GdONb/BsSo/TpR+UHsM/gFo4+tLpD40NhCklkf7M.
ECDSA key fingerprint is MD5:55:a8:61:99:c3:52:fd:25:80:95:21:88:2b:98:1b:87.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.17' (ECDSA) to the list of known hosts.
Last login: Fri Dec  6 12:15:40 2019 from lpj-pc
[root@centos777~]#

(3) Delete the custom chain

[root@centos7 ~]#iptables -vnL
Chain INPUT (policy ACCEPT 77 packets, 5948 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  143 24925 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 TOINTERNET  all  --  *      *       0.0.0.0/0            0.0.0.0/0            # the second rule is the one to delete
  316 19254 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 50 packets, 4452 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain TOINTERNET (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     tcp  --  *      *       192.168.37.0/24      0.0.0.0/0            multiport dports 80,443,22
    0     0 ACCEPT     icmp --  *      *       192.168.37.0/24      0.0.0.0/0            icmptype 8
[root@centos7 ~]#iptables -D FORWARD 2      # delete the second rule of the FORWARD chain, the jump to the new chain
[root@centos7 ~]#iptables -F TOINTERNET      # flush the contents of the chain
[root@centos7 ~]#iptables -X TOINTERNET      # delete the now-empty chain

NAT

NAT concept

NAT (Network Address Translation) is an address translation technique that rewrites an address in the IPv4 packet header to a different address. Typically NAT is used to convert the private-network address in an IPv4 header into a public-network address, so that a large number of users on a private network can access the Internet simultaneously through a small number of public addresses. NAT is therefore used to alleviate the shortage of public IPv4 addresses brought about by the growing size of the Internet.

NAT principle

The basic principle of NAT is that when an IP packet exchanged between a private-network host and a public-network host passes through the NAT gateway, the gateway translates the packet's source or destination IP between the private IP and the public IP.

As shown in the figure below, the NAT gateway has two network ports: the public-side port is assigned the public IP 202.20.65.5, and the private-side port has the reserved address 192.168.1.1. The private host 192.168.1.2 sends an IP packet (Dst = 202.20.65.4, Src = 192.168.1.2) to the public host 202.20.65.4.

When the IP packet passes through the NAT gateway, the gateway replaces its source IP with the gateway's public IP and forwards it to the public network; the packet (Dst = 202.20.65.4, Src = 202.20.65.5) then carries no private-network address information. Because the source IP has been translated to the gateway's public IP, the response packet sent by the Web Server (Dst = 202.20.65.5, Src = 202.20.65.4) is delivered to the NAT gateway.

The NAT gateway then rewrites the destination IP of the response to the private host's IP and forwards the packet (Dst = 192.168.1.2, Src = 202.20.65.4) into the private network. For both communicating parties this address translation is completely transparent. The translation is illustrated in the figure below.

If the request packet were sent out by the private host without NAT, the Web Server would receive a request whose source address is a private IP; its reply, addressed to that private IP, cannot be delivered across the Internet, and the connection fails.
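To make the translation and the reverse mapping concrete, here is a toy SNAT gateway written for this page (not from the original post) that keeps a constructed connection-tracking table in a file. snat_out rewrites an outgoing packet's source to the gateway's public address and records the mapping; nat_in looks a reply up in that table and restores the private destination, and fails when no entry exists, which is exactly the "no NAT" failure described above. It goes one step beyond the text by also choosing a new public port when two private hosts pick the same source port (the port rewriting that the PNAT section below mentions). Addresses are those of the figure; the function names and the table file are this example's assumptions, not netfilter's.

```shell
#!/bin/sh
# Added illustration (not from the original post): a toy SNAT gateway that shows why the
# reply comes back to the gateway and how the tracked entry maps it to the private host.
# Addresses follow the figure in the text; the file-backed table and the function names are
# this example's own constructs, not netfilter's.
PUB_IP=${PUB_IP:-202.20.65.5}                       # gateway's public-side address
CT_TABLE=${CT_TABLE:-/tmp/nat_demo_conntrack.$$}    # constructed tracking table, one entry per line

ct_reset() { : > "$CT_TABLE"; }

# snat_out SRC:PORT DST:PORT
# Rewrites the source of a packet leaving the private network and prints the packet as the
# public side sees it. The mapping "<public tuple> <remote tuple> <private tuple>" is recorded
# so the reply can be undone. If another private host already holds the same public port, the
# next free port is taken (the gateway then rewrites the port as well as the address).
snat_out() {
    src=$1; dst=$2
    port=${src#*:}
    while grep -q "^$PUB_IP:$port " "$CT_TABLE"; do port=$((port + 1)); done
    printf '%s:%s %s %s\n' "$PUB_IP" "$port" "$dst" "$src" >> "$CT_TABLE"
    printf 'Src=%s:%s Dst=%s\n' "$PUB_IP" "$port" "$dst"
}

# nat_in SRC:PORT DST:PORT
# For a packet arriving from the public side, looks up the tracked entry keyed by
# (our public tuple, remote tuple) and prints the packet with the private destination restored.
# Returns 1 and prints nothing when no entry matches: the reply has nowhere to go, which is the
# failure the text describes for a request sent without NAT.
nat_in() {
    src=$1; dst=$2
    orig=$(awk -v pub="$dst" -v rem="$src" '$1 == pub && $2 == rem { print $3; exit }' "$CT_TABLE")
    [ -n "$orig" ] || return 1
    printf 'Src=%s Dst=%s\n' "$src" "$orig"
}

# Demo run: two private hosts talk to the Web Server 202.20.65.4 from the same source port.
ct_reset
snat_out 192.168.1.2:40000 202.20.65.4:80
snat_out 192.168.1.3:40000 202.20.65.4:80
nat_in   202.20.65.4:80 "$PUB_IP:40001"
nat_in   202.20.65.4:80 "$PUB_IP:50000" || echo "no tracked entry: reply dropped"
rm -f "$CT_TABLE"
```

The lookup in nat_in is the reason the page recommends accepting ESTABLISHED traffic early in the filter chain: the reply is only deliverable because the gateway still holds the entry created by the request, and the same table is what `-m state --state ESTABLISHED` consults.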

NAT: network address translation

Chains: PREROUTING, INPUT, OUTPUT, POSTROUTING
Request packet: the source/destination IP is modified as defined by the rule
Response packet: the source/destination IP is modified automatically by the connection tracking mechanism

SNAT: source NAT; chains POSTROUTING, INPUT

Lets hosts on the local network access the external network through a particular address, i.e. address masquerading
Request packet: modify the source IP

DNAT: destination NAT; chains PREROUTING, OUTPUT

Exposes a service on a host in the local network to the external network (service publishing and port mapping) while hiding the real IP
Request packet: modify the destination IP

PNAT: port NAT, both the port and the IP are modified

Note: IP addresses within the LAN must follow the standard ranges; configure properly allocated addresses as far as possible. If a non-standard address is used and it coincides with the external address being accessed, there is a conflict and the external network cannot be reached.

Targets of the nat table:

SNAT: fixed IP
--to-source [ipaddr[-ipaddr]][:port[-port]]
--random

MASQUERADE: dynamic IP, e.g. dial-up networks

--to-ports port[-port]
--random

Hands-on: SNAT

Host A: 192.168.37.6 (NAT mode, acts as the intranet)

Host B: 192.168.37.7 and 172.16.0.7 (NAT and bridge mode, acts as the firewall)

Host C: 172.16.0.17 (bridge mode, acts as the external network)

(1) On host C, remove the gateway (temporarily do not configure 172.16.0.7 as the gateway). Now when host A accesses host C, no reply can come back, so host A cannot reach the external network.

[root@centos777network-scripts]#cat ifcfg-ens37
DEVICE=ens37
BOOTPROTO=dhcp
PREFIX=24
IPADDR=172.16.0.17
ONBOOT=yes
DNS1=114.114.114.114

(2) Set an SNAT firewall policy on host B.

[root@centos7 network-scripts]#iptables -t nat -A POSTROUTING -s 192.168.37.0/24 -j SNAT --to-source 172.16.0.7      # rewrite the source address of traffic leaving 192.168.37.0/24 to 172.16.0.7
[root@centos7network-scripts]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.37.0/24      0.0.0.0/0            to:172.16.0.7

(3) Now host A can access host C

[root@centos7~]#ping 172.16.0.17
PING 172.16.0.17 (172.16.0.17) 56(84) bytes of data.
64 bytes from 172.16.0.17: icmp_seq=1 ttl=63 time=2.23 ms
64 bytes from 172.16.0.17: icmp_seq=2 ttl=63 time=0.688 ms
64 bytes from 172.16.0.17: icmp_seq=3 ttl=63 time=0.919 ms

(4) Looking at host C, it appears that the address 172.16.0.7 is accessing it, while in fact the intranet host 192.168.37.7 is the one connecting

[root@centos777~]#tcpdump -i ens37 -nn host 172.16.0.7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
17:17:17.505943 IP 172.16.0.7 > 172.16.0.17: ICMP echo request, id 12095, seq 13, length 64
17:17:17.506055 IP 172.16.0.17 > 172.16.0.7: ICMP echo reply, id 12095, seq 13, length 64
17:17:18.502328 IP 172.16.0.7 > 172.16.0.17: ICMP echo request, id 12095, seq 14, length 64
17:17:18.502438 IP 172.16.0.17 > 172.16.0.7: ICMP echo reply, id 12095, seq 14, length 64
17:17:19.519997 IP 172.16.0.7 > 172.16.0.17: ICMP echo request, id 12095, seq 15, length 64

MASQUERADE: dynamic IP, e.g. dial-up networks; it can also perform the source address replacement

Simply set a new firewall policy on host B and host A can again access host C

[root@centos7network-scripts]#iptables -F -t nat
[root@centos7network-scripts]#iptables -t nat -A POSTROUTING -s 192.168.37.0/24 -j MASQUERADE

DNAT

--to-destination [ipaddr[-ipaddr]][:port[-port]]
iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]

Hands-on: accessing an intranet address from a public address

(1) On host B, set a firewall policy that maps the external IP address to the IP address and port of the enterprise intranet host (that is, the destination address and port 80 are mapped to 192.168.37.6 port 8080)

[root@centos7 network-scripts]#iptables -t nat -A PREROUTING -d 172.16.0.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.37.6:8080      # the port may also be left at the default 80

(2) Change the httpd port on host A and restart the httpd service

[root@centos7~]#vim /etc/httpd/conf/httpd.conf
Listen 8080
[root@centos7~]#systemctl restart httpd

(3) Host C accesses host A

[root@centos777~]#curl 172.16.0.7
lan server

(4) Check the httpd log on host A: because only the destination address was rewritten and the source address (172.16.0.17) was left unchanged, the log records the access as coming from the external address

Port redirection (forwarding)

REDIRECT:
nat table

Usable in: PREROUTING, OUTPUT and custom chains
Forwards received packets to a different port by changing the destination IP and port
--to-ports port[-port]

Hands-on: forwarding an enterprise server's port

(1) On host A, set a firewall policy that maps the local destination IP address to port 8080, i.e. forwards port 80 to port 8080

[root@centos7~]#iptables -t nat -A  PREROUTING -d 192.168.37.6 -p tcp --dport 80 -j REDIRECT  --to-ports 8080

(2) On host B, map the destination IP address and port to 192.168.37.6 port 80

[root@centos7network-scripts]#iptables -t nat -A PREROUTING -d 172.16.0.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.37.6:80

(3) Host C can still access host A's httpd service; although it connects to the mapped IP address 172.16.0.7, it actually reaches the intranet address

[root@centos777~]#curl 172.16.0.7
lan server

(4) The httpd service port that host A is listening on is 8080, to which the host itself forwards port 80
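Typing the rules one at a time, as in the exercises above, makes it hard to review the end state or to rebuild host B after a reboot. The generator below is an added example, not the post's own code: it renders the lab's host B ruleset (the stateful FORWARD chain with the TOINTERNET module chain, the published intranet web server, and SNAT or MASQUERADE plus DNAT) and the REDIRECT rule for host A in iptables-restore format. The lab addresses and the interface name ens37 are reused from the page; the variable and function names, the -o match on the external interface and the DROP policy on FORWARD (kept alongside the page's explicit REJECT rule) are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original post): render the lab's host B ruleset as iptables-restore
# input. Lab addresses come from the page; variable and function names are this example's own.
LAN_NET=${LAN_NET:-192.168.37.0/24}      # intranet segment behind host B
LAN_WEB=${LAN_WEB:-192.168.37.6}         # host A, the published intranet web server
LAN_WEB_PORT=${LAN_WEB_PORT:-8080}       # port host A really listens on (80 when host A uses REDIRECT itself)
WAN_IP=${WAN_IP:-172.16.0.7}             # host B's bridge-side (external) address
WAN_IF=${WAN_IF:-ens37}                  # host B's external interface

# filter table: conntrack shortcut first, the TOINTERNET module chain for outbound access,
# the published server (matched on the post-DNAT port), then an explicit catch-all REJECT.
# The chain policy is DROP as a safety net in case the REJECT rule is ever deleted.
render_filter() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TOINTERNET - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j TOINTERNET
-A FORWARD -d $LAN_WEB -p tcp --dport $LAN_WEB_PORT -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A TOINTERNET -s $LAN_NET -p tcp -m multiport --dports 80,443,22 -j ACCEPT
-A TOINTERNET -s $LAN_NET -p icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# nat table on host B: publish host A on the external address, and rewrite the source of
# outbound intranet traffic with SNAT (fixed address) or MASQUERADE (dynamic address).
render_nat() {
    mode=${1:-snat}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $LAN_WEB:$LAN_WEB_PORT
EOF
    if [ "$mode" = masquerade ]; then
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    else
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    fi
    echo COMMIT
}

# Whole host B ruleset; usage: render_ruleset snat | iptables-restore
render_ruleset() { render_filter; render_nat "$1"; }

# host A's own nat table for the port redirection exercise: port 80 arriving at host A is
# redirected to 8080 locally, so host B's DNAT then targets port 80 (run with LAN_WEB_PORT=80).
render_host_a_redirect() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $LAN_WEB -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
EOF
}

# Stand-alone run prints host B's ruleset; pass "masquerade" to switch the POSTROUTING target.
render_ruleset "${1:-snat}"
```

Check the rendered text with `iptables-restore --test` before applying it, and keep the file under version control so the listing can be diffed instead of eyeballed. The ordering of the two operations is the detail that trips people up: PREROUTING rewrites the destination before the filter FORWARD chain sees the packet, so the FORWARD accept for the published server must match the port after DNAT (LAN_WEB_PORT), not the port the outside client connected to. When host A performs the REDIRECT itself, as in the last exercise, render host B's ruleset with LAN_WEB_PORT=80.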

Origin www.cnblogs.com/struggle-1216/p/11994523.html