Before installation

The iptables package, which provides the command-line tools, is already installed on CentOS 7:

[root@mcw01 ~]$ rpm -qa|grep iptables
iptables-1.4.21-18.0.1.el7.centos.x86_64
[root@mcw01 ~]$ rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
..........
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables              # the iptables management command
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
.....
[root@mcw01 ~]$

What is missing is iptables-services, which provides the systemd unit used to start and stop the firewall and the rule file that unit loads:

[root@mcw01 ~]$ yum list all|grep iptables-services
iptables-services.x86_64 1.4.21-35.el7 base
[root@mcw01 ~]$ yum install -y iptables-services
[root@mcw01 ~]$ rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables                          # the rule file the service loads at start
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service         # unit files for starting and stopping the service
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
[root@mcw01 ~]$

Kernel modules. The netfilter modules are not loaded until something uses them. iptables auto-loads ip_tables, iptable_filter and the rest on first use, so loading them by hand is optional, but it makes the dependency chain visible:

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state

[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'      # nothing: these modules are not loaded by default
[root@mcw01 ~]$
[root@mcw01 ~]$ modprobe ip_tables                    # a modprobe by hand does not survive a reboot; see below for making it persistent
[root@mcw01 ~]$ modprobe iptable_filter
[root@mcw01 ~]$ modprobe iptable_nat
[root@mcw01 ~]$ modprobe ip_conntrack
[root@mcw01 ~]$ modprobe ip_conntrack_ftp
[root@mcw01 ~]$ modprobe ip_nat_ftp
[root@mcw01 ~]$ modprobe ipt_state

ip_conntrack, ip_conntrack_ftp, ip_nat_ftp and ipt_state are legacy names; modprobe resolves them through aliases to nf_conntrack, nf_conntrack_ftp, nf_nat_ftp and xt_state, which is what lsmod reports below.

/etc/modprobe.d/ holds modprobe options, aliases and blacklists, not a list of modules to load at boot:

[root@mcw01 ~]$ ls /etc/modprobe.d/
tuned.conf
[root@mcw01 ~]$

On a systemd system the persistent way to load modules at boot is to list their names, one per line, in a file under /etc/modules-load.d/ (for example /etc/modules-load.d/iptables.conf). Appending the modprobe lines to /etc/rc.local, as done here, also works, but only if /etc/rc.d/rc.local is executable (on CentOS 7 it is not by default: chmod +x /etc/rc.d/rc.local):

[root@mcw01 ~]$ tail -7 /etc/rc.local
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
[root@mcw01 ~]$

Check again; the modules are now loaded:

[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'
nf_nat_ftp             12770  0
nf_conntrack_ftp       18638  1 nf_nat_ftp
iptable_nat            12875  0
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack          133387  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter         12810  0
ip_tables              27115  2 iptable_filter,iptable_nat
libcrc32c              12644  4 xfs,sctp,nf_nat,nf_conntrack
[root@mcw01 ~]$
Disable firewalld, enable iptables

CentOS 7 ships firewalld as its default firewall front end. firewalld and the iptables service both program the same kernel rule tables, so only one of them may be active. Stop and disable firewalld:

systemctl stop firewalld
systemctl disable firewalld
systemctl is-active firewalld.service
systemctl is-enabled firewalld.service

[root@mcw01 ~]$ systemctl stop firewalld
[root@mcw01 ~]$ systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@mcw01 ~]$ systemctl is-active firewalld.service    # anything other than "active" means it is stopped; "disabled" below means it will not start at boot
unknown
[root@mcw01 ~]$ systemctl is-enabled firewalld.service
disabled
[root@mcw01 ~]$

Start iptables:

systemctl start iptables.service
systemctl enable iptables.service

[root@mcw01 ~]$ systemctl start iptables.service
[root@mcw01 ~]$ systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -Ln      # options in the wrong order: -L takes an optional chain name, so this is read as "list chain n"
iptables: No chain/target/match by that name.
[root@mcw01 ~]$ iptables -nL      # without -t the filter table is shown: its INPUT, FORWARD and OUTPUT chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

An incoming packet is checked against the INPUT rules from top to bottom and the first matching rule decides its fate; only if no rule matches does the chain policy shown in parentheses (here "policy ACCEPT") apply. In this shipped ruleset the last INPUT rule rejects everything that reached it, so the policy is never consulted and only established connections, ICMP, loopback traffic and new SSH connections get in. The third rule looks like "ACCEPT all from anywhere" only because -nL does not print interfaces; it is really -i lo, as iptables -nvL (or the rule file /etc/sysconfig/iptables) shows.
Environment preparation

Flush all iptables rules:

--flush        -F [chain]            Delete all rules in chain or all chains       # remove every rule
--delete-chain -X [chain]            Delete a user-defined chain                   # remove user-defined chains
--zero         -Z [chain [rulenum]]  Zero counters in chain or all chains          # reset the chain counters

-F removes every rule but does not change the chain policies, which stay at ACCEPT:

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -F      # flush every rule in the filter table
[root@mcw01 ~]$ iptables -nL     # the default rules installed with the package are gone
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

With no rules and a policy of ACCEPT the host now accepts everything. That is fine for this lab, but it is not a state a production host should be left in: after the experiments either reload /etc/sysconfig/iptables (systemctl restart iptables) or build a ruleset with a DROP policy as in the later section.
Block access to port 22 (a specified port)

--append -A chain            Append to chain                                   # appended rules go to the bottom of the chain; a deny rule must sit above any accept rule that matches the same traffic, otherwise it is never reached
--delete -D chain            Delete matching rule from chain
--insert -I chain [rulenum]  Insert in chain as rulenum (default 1=first)      # inserts at the top; deny rules are usually inserted
--jump   -j target           target for rule (may load target extension)       # the action when the rule matches: ACCEPT, DROP (discard silently) or REJECT (discard and send an error back)
--dport destination port, --sport source port, -d destination IP, -s source IP

How the rule is built: -A INPUT adds a rule to the INPUT chain. Then decide whether to match on a port or on an IP; here it is port 22, and matching on a port requires a protocol first (-p tcp, udp, icmp or all). A port can be the source or the destination port, just as an IP can be the source or the destination IP. Blocking access to port 22 means the destination port, so --dport 22. Blocking means -j DROP; target names are case-sensitive and written in upper case.

iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -t filter -A INPUT -p tcp --dport 22 -j DROP      # the same rule with the filter table named explicitly

Be careful here: this is a demonstration. If you really drop port 22 on a remote host you lose your SSH session; on a VM you can remove the rule from the VMware console and reconnect. To remove a single rule, first run iptables -nL --line-numbers so you do not miscount, then delete by position (here rule 1 of INPUT); port 22 is reachable again as soon as the rule is gone:

iptables -D INPUT 1

A rule can also be deleted by repeating its specification, which does not depend on positions that shift as other rules are added: iptables -D INPUT -p tcp --dport 22 -j DROP

The same procedure with port 23, which is safe to block:

[root@mcw01 ~]$ iptables -A INPUT -p tcp --dport 23 -j DROP     # no -t, so the filter table; append to INPUT; tcp to destination port 23; drop it
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23     # port 23 blocked

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -nL --line-numbers     # show rule numbers, needed for deleting by position
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@mcw01 ~]$ iptables -D INPUT 1     # delete rule 1 of the INPUT chain
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$
Block a specified IP from a specified port on this server

iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP

iptables has four tables and five chains. The ones used day to day are the filter table (INPUT, FORWARD and OUTPUT chains) and the nat table (PREROUTING, POSTROUTING and OUTPUT chains).

Lab hosts:
10.0.0.11  172.16.0.11  mcw01
10.0.0.12  172.16.0.12  mcw02

Goal: block 10.0.0.12 from port 22 on 10.0.0.11. Before the rule, mcw02 can reach mcw01's port 22:

[root@mcw02 ~]$ ssh 10.0.0.11 hostname
root@10.0.0.11's password:
mcw01
[root@mcw02 ~]$

[root@mcw01 ~]$ iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP
[root@mcw01 ~]$ iptables -nL     # 10.0.0.12 may no longer reach port 22 on 10.0.0.11
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22     # packets from 10.0.0.12 to local port 22 are dropped

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From mcw02, port 22 on 10.0.0.11 now times out:

[root@mcw02 ~]$ ssh 10.0.0.11 hostname
ssh: connect to host 10.0.0.11 port 22: Connection timed out
[root@mcw02 ~]$
[root@mcw02 ~]$ ssh 172.16.0.11 hostname     # the internal address still works: the rule matches source 10.0.0.12, and this connection is sourced from 172.16.0.12
root@172.16.0.11's password:
mcw01
[root@mcw02 ~]$ ping 10.0.0.11 -c 1          # ICMP is unaffected, the rule only matches tcp
PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data.
64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=0.682 ms

--- 10.0.0.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms
[root@mcw02 ~]$
[root@mcw02 ~]$ nc 10.0.0.11 22              # nc as a port check
Ncat: Connection timed out.
[root@mcw02 ~]$
[root@mcw02 ~]$ telnet 10.0.0.11 22          # telnet as a port check
Trying 10.0.0.11...
telnet: connect to address 10.0.0.11: Connection timed out
[root@mcw02 ~]$

What a working connection looks like (nc prints the SSH banner and then hangs waiting for input):

[root@mcw03 ~]$ nc 10.0.0.11 22
SSH-2.0-OpenSSH_7.4

DROP discards the packet silently, which is why every client above waits for its own TCP timeout. With -j REJECT the client fails immediately with an ICMP error, which is friendlier for internal users but also tells a port scanner that the port is filtered by policy rather than merely unreachable.
The command exists, but which package provides it? Two ways to find out

rpm -qa nc and rpm -qa ncat print nothing because the package is not named after the command:

[root@mcw01 ~]$ rpm -qa nc
[root@mcw01 ~]$ rpm -qa ncat
[root@mcw01 ~]$ rpm -qa |grep nc
irqbalance-1.0.7-10.el7.x86_64
ncurses-base-5.9-14.20130511.el7_4.noarch
perl-Encode-2.51-7.el7.x86_64
qrencode-libs-3.4.1-3.el7.x86_64
ncurses-libs-5.9-14.20130511.el7_4.x86_64
ncurses-5.9-14.20130511.el7_4.x86_64
nmap-ncat-6.40-19.el7.x86_64
vim-enhanced-7.4.629-8.el7_9.x86_64
ncurses-devel-5.9-14.20130511.el7_4.x86_64
[root@mcw01 ~]$
[root@mcw01 ~]$ rpm -qa |grep ncat
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$ which nc
/usr/bin/nc
[root@mcw01 ~]$ yum provides nc     # method one: ask yum which packages provide the name
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
netcat-1.218-2.el7.x86_64 : OpenBSD netcat to read and write data across connections using TCP or UDP
Repo        : epel
Matched from:
Provides    : nc = 1.218-2.el7

2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : base
Matched from:
Provides    : nc

2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : @base
Matched from:
Provides    : nc

[root@mcw01 ~]$ rpm -qf `which nc`    # method two: ask rpm which installed package owns the file
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$

yum provides lists every package in the enabled repositories that could supply the name (here both the OpenBSD netcat from EPEL and nmap-ncat from base); rpm -qf tells you which one is actually installed and owns /usr/bin/nc.
Using nc to communicate between ports

When nc listens on a port on this server it blocks (hangs) waiting for a connection:

[root@mcw03 ~]$ nc -l 6381      # hangs

In a second window the listening process is visible:

[root@mcw03 ~]$ ps -ef|grep -v grep |grep 6381
root     19421 19094  0 03:26 pts/0    00:00:00 nc -l 6381
[root@mcw03 ~]$

With nc holding port 6381 on mcw03, a telnet from another machine (here mcw01) to that port also blocks, and from then on the two sides can type to each other: each line is sent when Enter is pressed. With telnet as the client, disconnecting telnet did not terminate the nc command in this session. Whether the listener survives a client disconnect depends on the nc build: nmap-ncat accepts further connections only when started with -k (--keep-open).

[root@mcw03 ~]$ nc -l 6381
wo shi machangwei
nihaoya

[root@mcw01 ~]$ telnet 10.0.0.13 6381
Trying 10.0.0.13...
Connected to 10.0.0.13.
Escape character is '^]'.
wo shi machangwei
nihaoya

nc can also move a file through the port. Start the listener on mcw03 (it hangs), then pipe the file into a client on mcw01:

[root@mcw03 ~]$ nc -l 6381

[root@mcw01 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw01 ~]$ cat /etc/hosts |nc 10.0.0.13 6381     # connect from the other host and the file content is sent across

[root@mcw03 ~]$ nc -l 6381      # the listener receives the content; redirect it to a file to transfer files through the port
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$
[root@mcw03 ~]$ nc -l 6381 >1.host
[root@mcw03 ~]$ cat 1.host
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$

This is a lab convenience, not a transfer mechanism: the listener accepts whatever the first client to reach the port sends, in clear text, with no authentication, so on any network you do not fully control use scp or rsync over SSH instead.
Block a specified subnet from a specified port on this server

iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP

Traffic from others to this host is incoming, so the rule goes in INPUT. The port they are connecting to is the destination port from their point of view, so --dport; blocking means DROP; and -I inserts the deny rule at the top.

With a listener on port 8080 on mcw01, connections through both of its addresses get through and the message arrives:

[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$

Now add the rule that blocks the 172.16.0.0/24 subnet from port 8080:

[root@mcw01 ~]$ iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  172.16.0.0/24        0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

From mcw02 only the connection sourced from the 172.16.0.0/24 address fails now, so the rule works:

[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
Ncat: Connection timed out.
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080      # hangs, nothing arrives
Allow only one subnet to reach this server (drop everything that is not from that subnet)

iptables -I INPUT ! -s 10.0.0.0/24 -j DROP

The "!" negates the match: the rule hits every packet whose source is not in 10.0.0.0/24. After all firewall rules were cleared, mcw02 can reach a listener on port 2222 of mcw01 through either address:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -I INPUT ! -s 10.0.0.0/24 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  !10.0.0.0/24         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Listening twice more on port 2222 of mcw01, only the connection to 10.0.0.11 arrives; the one to 172.16.0.11 does not, so the rule works:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
Ncat: Connection timed out.
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222

One side effect to know about: 127.0.0.1 is not in 10.0.0.0/24 either, so this rule also drops every connection to the host's own loopback address, including local clients talking to a database on localhost. Put iptables -I INPUT -i lo -j ACCEPT above it (or include the "-i lo" rule, as the default-policy section later does) before using a negated source match like this.
Block access to a range of ports or to several listed ports

iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP

A plain --dport takes a range written low:high; the multiport match takes a comma-separated list of up to 15 ports (it accepts --dport or --dports, and iptables-save prints --dports).

Before the rules, listeners on mcw01 are reachable from mcw02 on all three test ports:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 444
2222
[root@mcw01 ~]$ nc -l 1024
2222
[root@mcw01 ~]$ nc -l 60000
2222
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
[root@mcw01 ~]$ iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  --  !10.0.0.0/24         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

After the rules none of the three is reachable:

[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
Ncat: Connection timed out.
[root@mcw02 ~]$

[root@mcw01 ~]$ nc -l 444
^C
[root@mcw01 ~]$ nc -l 1024
^C
[root@mcw01 ~]$ nc -l 60000
^C
[root@mcw01 ~]$

Blocking 1024:65535 on INPUT does more than close unused listeners: the replies to every connection this host opens itself (yum, DNS, an outbound ssh) come back to an ephemeral destination port in exactly that range, so they are dropped too, because the RELATED,ESTABLISHED rule from the shipped ruleset was flushed earlier. Whenever a broad deny rule like this is used, keep iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT above it.
Blocking ping with iptables

iptables -I INPUT -p icmp --icmp-type 8 -j DROP      # ICMP has many types; ping sends type 8 (echo-request), so blocking type 8 is enough
iptables -I INPUT -p icmp --icmp-type any -j DROP

The same effect without iptables comes from the kernel: with the sysctl below set to 1, mcw02 can no longer ping mcw01; set it back to 0 and ping works again.

echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

After the rule below, mcw01 no longer answers pings. It matches any ICMP type, which iptables displays as icmptype 255; type 8 alone would also do:

[root@mcw01 ~]$ iptables -I INPUT -p icmp --icmp-type any -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  --  !10.0.0.0/24         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Prefer --icmp-type 8 over any: dropping all ICMP also discards type 3 "fragmentation needed" messages, which breaks path MTU discovery and shows up later as connections that open but stall on large transfers.
Saving and restoring rules

iptables-save prints the complete running ruleset (every table) to standard output in a form that iptables-restore can read; it does not write the service's configuration file by itself. Redirect its output to a file to back the rules up.

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  --  !10.0.0.0/24         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables-save     # prints every table: "*name" opens a table, ":CHAIN policy [pkts:bytes]" gives each chain's policy and counters, the -A lines below are the rules, COMMIT closes the table
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*nat
:PREROUTING ACCEPT [6543:408185]
:INPUT ACCEPT [76:11426]
:OUTPUT ACCEPT [358288:21886420]
:POSTROUTING ACCEPT [358288:21886420]
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*filter
:INPUT ACCEPT [696:58996]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [653551:39668311]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
[root@mcw01 ~]$

The iptables service loads its rules from /etc/sysconfig/iptables, which uses the same format. At this point the file still holds the default ruleset installed with iptables-services, not the rules added above:

[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$

Back up the running rules to a file:

[root@mcw01 ~]$ iptables-save >iptRule.txt
[root@mcw01 ~]$ cat iptRule.txt
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*nat
:PREROUTING ACCEPT [6642:414294]
:INPUT ACCEPT [77:11655]
:OUTPUT ACCEPT [363901:22224847]
:POSTROUTING ACCEPT [363901:22224847]
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*filter
:INPUT ACCEPT [781:65217]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [664961:40365111]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
[root@mcw01 ~]$

Restarting the service reloads /etc/sysconfig/iptables. Because the rules added in this session were never written there, a restart after an accidental flush brings back the shipped defaults, not the experimental rules, as the listing below shows. To make the running ruleset the one the service loads on restart and at boot, save it to that file first: iptables-save >/etc/sysconfig/iptables (or service iptables save, which runs the legacy "save" action listed in the package contents above and does the same thing).

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  --  !10.0.0.0/24         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ systemctl restart iptables.service
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

iptables-restore loads a saved file without restarting the service. It replaces the whole running ruleset (every table present in the file) in one atomic operation; with -n (--noflush) it adds to the existing rules instead.

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables-restore <iptRule.txt
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  --  !10.0.0.0/24         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$
Changing the default policy to DROP (deny everything by default)

-i --input    interface the packet arrives on
-o --output   interface the packet leaves on
-P --policy   -P chain target   Change policy on chain to target     # set the chain's default policy

Order matters. Add the ACCEPT rules you depend on before flipping the policy: the moment -P INPUT DROP lands, every packet that no rule accepts is dropped, including the SSH session you are typing in.

Before changing the policy:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT

Change the policy:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Then whitelist the networks you administer from:
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT

Clean the environment:

[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Before the policy becomes DROP, prepare: first of all, accept connections to port 22.

[root@mcw01 ~]$ # allow connections to port 22
[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$

Allow loopback traffic:

[root@mcw01 ~]$ iptables -A INPUT -i lo -j ACCEPT
[root@mcw01 ~]$ iptables -A OUTPUT -o lo -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$

Allow the services that must stay reachable, for example 80 and 443 (iptables accepts -ptcp as shorthand for -p tcp):

[root@mcw01 ~]$ iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$

Change the default policies:

[root@mcw01 ~]$ # change the default policy
[root@mcw01 ~]$ iptables -P INPUT DROP      # incoming packets are dropped unless a rule accepts them
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$ iptables -P FORWARD DROP    # forwarded packets are dropped too
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT   # outgoing packets are left alone
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@mcw01 ~]$

Add the two whitelisted subnets:

[root@mcw01 ~]$ iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
ACCEPT     all  --  172.16.0.0/24        0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Then look at the resulting configuration in iptables-save form:

[root@mcw01 ~]$ iptables-save
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*nat
:PREROUTING ACCEPT [148:9218]
:INPUT ACCEPT [13:949]
:OUTPUT ACCEPT [2894:191439]
:POSTROUTING ACCEPT [2894:191439]
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [195:20374]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
[root@mcw01 ~]$ # INPUT and FORWARD now default to DROP; the INPUT and OUTPUT chains carry the rules added above

Two things this ruleset still lacks. First, there is no "-m state --state RELATED,ESTABLISHED -j ACCEPT" rule (the shipped default had one, and -F removed it), so replies to connections the host opens itself to anything outside 10.0.0.0/24 and 172.16.0.0/24 (yum, DNS, NTP) are dropped by the INPUT policy; add it as the first INPUT rule. Second, iptables-save without a redirect only prints the rules: they exist in memory until iptables-save >/etc/sysconfig/iptables (or service iptables save) writes them out, and a reboot or systemctl restart iptables reloads whatever that file contains.
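The page's rules are all evaluated by the same procedure: walk the chain top to bottom, stop at the first match, fall through to the policy. The simulator below is an added example (not code from the original post) that models exactly the subset of iptables syntax used on this page, so you can replay the port, address, subnet, negated-source, multiport, port-range and default-policy rules from the sections above and see which packet gets which verdict before typing the rule on a real host. It also implements the check a practitioner wants before -P INPUT DROP: would a new SSH connection from the admin host still be accepted? The lab addresses are the page's; the probe packets and the conntrack "state" each one carries are constructed, and the hardened ruleset is mine, not the author's.

```python
"""Simulate how the filter table's INPUT chain judges a packet.

Added example, not from the original post. It models only the iptables
syntax used on this page (-s with optional "!", -p, -i, --dport incl.
ranges, -m multiport --dport(s), -m state --state, -j, -P) and applies
the chain rule the page describes: first matching rule wins, else the
chain policy. Addresses are the page's lab; the probes are constructed.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    iface: str = "ens33"       # interface the packet arrived on
    state: str = "NEW"         # what conntrack would say: NEW, ESTABLISHED, RELATED


@dataclass
class Rule:
    target: str = ""
    src: ipaddress.IPv4Network | None = None
    src_neg: bool = False                            # "! -s"
    proto: str | None = None
    iface: str | None = None
    dports: set[int] = field(default_factory=set)    # empty = any port
    states: set[str] = field(default_factory=set)    # empty = any state

    def matches(self, p: Packet) -> bool:
        if self.src is not None and (ipaddress.ip_address(p.src) in self.src) == self.src_neg:
            return False
        if self.proto not in (None, "all", p.proto):
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return not self.states or p.state in self.states


def parse_ports(spec: str) -> set[int]:
    """'22' -> {22}; '81,444' -> {81, 444}; '1024:65535' -> every port in that range."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(cmd: str) -> Rule:
    """Parse 'iptables -A|-I CHAIN [num] ... -j TARGET' (also an iptables-save '-A CHAIN ...' line)."""
    toks = [t for t in shlex.split(cmd) if t != "iptables"]
    rule, i = Rule(), 0
    while i < len(toks):
        neg = toks[i] == "!"
        if neg:
            i += 1
        opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if opt in ("-A", "-I"):                      # chain name, optional rule number
            i += 3 if i + 2 < len(toks) and toks[i + 2].isdigit() else 2
            continue
        if opt == "-s":
            rule.src, rule.src_neg = ipaddress.ip_network(arg, strict=False), neg
        elif opt == "-p":
            rule.proto = arg
        elif opt == "-i":
            rule.iface = arg
        elif opt in ("--dport", "--dports"):
            rule.dports = parse_ports(arg)
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        i += 2                                       # every other option (-t, -m, ...) takes one argument


    return rule


class Chain:
    """One chain: an ordered rule list plus a policy, driven by iptables commands."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy, self.rules = policy, []

    def run(self, cmd: str) -> None:
        toks = cmd.split()
        if "-P" in toks:                                   # iptables -P INPUT DROP
            self.policy = toks[toks.index("-P") + 2]
        elif "-I" in toks:                                 # insert at the top, or at rulenum
            k = toks.index("-I")
            pos = int(toks[k + 2]) - 1 if len(toks) > k + 2 and toks[k + 2].isdigit() else 0
            self.rules.insert(pos, parse_rule(cmd))
        else:                                              # -A appends at the bottom
            self.rules.append(parse_rule(cmd))

    def verdict(self, p: Packet) -> str:
        for r in self.rules:                               # first match wins
            if r.matches(p):
                return r.target
        return self.policy                                 # nothing matched: chain policy


def build(cmds: list[str]) -> Chain:
    chain = Chain()
    for c in cmds:
        chain.run(c)
    return chain


# Constructed probes: who is knocking, on what, and what conntrack thinks of it.
PROBES = {
    "mcw02 ssh":          Packet("10.0.0.12", "tcp", 22),
    "mcw03 ssh":          Packet("10.0.0.13", "tcp", 22),
    "mcw02 via internal": Packet("172.16.0.12", "tcp", 22),
    "loopback http":      Packet("127.0.0.1", "tcp", 80, iface="lo"),
    "reply to outbound":  Packet("110.242.68.4", "tcp", 40000, state="ESTABLISHED"),
}

# The page's rules as typed, in the order they were typed (each -I lands on top).
LAB_RULES = [
    "iptables -I INPUT ! -s 10.0.0.0/24 -j DROP",
    "iptables -I INPUT -p tcp --dport 1024:65535 -j DROP",
    "iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP",
    "iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP",
]

# A default-deny set (mine, not the page's) that keeps loopback, replies and admin SSH working.
HARDENED_RULES = [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT",
    "iptables -P INPUT DROP",
]


def verdicts(cmds: list[str]) -> dict[str, str]:
    chain = build(cmds)
    return {name: chain.verdict(p) for name, p in PROBES.items()}


def ssh_locked_out(cmds: list[str], admin_src: str) -> bool:
    """True if, after these commands, a new SSH session from admin_src would not get in."""
    return build(cmds).verdict(Packet(admin_src, "tcp", 22)) != "ACCEPT"


if __name__ == "__main__":
    for name, cmds in (("lab", LAB_RULES), ("hardened", HARDENED_RULES)):
        print(name, verdicts(cmds))
    print("admin 10.0.0.12 locked out of hardened set:", ssh_locked_out(HARDENED_RULES, "10.0.0.12"))
```

Two of the lab verdicts are the ones worth noticing: the loopback probe is dropped (127.0.0.1 is not in 10.0.0.0/24, so the negated-source rule catches it) and the reply to an outbound connection is dropped by the 1024:65535 range rule because nothing accepts ESTABLISHED traffic above it. The hardened set fixes both without opening anything new, and ssh_locked_out is the check to run with your own address before committing -P INPUT DROP.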
內網伺服器通過iptables轉發實現訪問外網SNAT(共享上網)
內網伺服器通過iptables轉發實現訪問外網(共享上網) 10.0.0.11是叢集中的外網ip,能通過這個ip訪問外網的。這個ip所在伺服器可以做成閘道器,讓其它主機的閘道器設定成該主機的內網ip,然後通過ipv4核心源地址轉換實現訪問外網 單個ip實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 echo 1 >/proc/sys/net/ipv4/ip_forward echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf sysctl -p 指定網段的地址實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 當公網ip不固定時:更換。用如下命令 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE MASQUERADE masquerade 英[ˌmæskəˈreɪd] 美[ˌmæskəˈreɪd] n. 掩藏; 掩飾; 化裝舞會; 假面舞會; vi. 假扮; 喬裝; 偽裝; nat表(可以共享上網,埠對映,ip對映) 主機環境(將mcw02和mcw03的外網ip10網段的先停掉網路卡,只剩內網ip172網段的,純內網機子了): 10.0.0.11 172.16.0.11 mcw01 10.0.0.12 172.16.0.12 mcw02 10.0.0.13 172.16.0.13 mcw03 準備環境: 先把上面做的環境改回來,記得先改回預設策略為接受,然後再清空所有的規則。不然預設規則是拒絕,我把22接受服務的刪除掉,那麼就連不上伺服器了,只能去機房連線伺服器恢復了 [root@mcw01 ~]$ iptables -P INPUT ACCEPT [root@mcw01 ~]$ iptables -P FORWARD ACCEPT [root@mcw01 ~]$ iptables -P OUTPUT ACCEPT [root@mcw01 ~]$ [root@mcw01 ~]$ iptables -F [root@mcw01 ~]$ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@mcw01 ~]$ [root@mcw01 ~]$ ping www.baidu.com -c 1 #檢視百度的ip是110.242.68.4,我現在需要內網的機子能訪問這個ip PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data. 
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=17.1 ms --- www.a.shifen.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 17.186/17.186/17.186/0.000 ms [root@mcw01 ~]$ 我現在mcw03這個後端內網伺服器不能訪問到外網,mcw01可以訪問到外網。我想通過mcw01做轉發,實現mcw03訪問外網 mcw03的ip是172.16.0.13,這時資料包通過mcw01訪問110.242.68.4時,目標ip110.242.68.4不變,在mcw01上要將源ip172.16.0.13修改mcw01的ip即10.0.0.11。 所以,需要內網實現共享上網的時候,需要使用snat,源網路地址轉換 這時我們的mcw03的資料包,是需要通過mcw01上出去,進而訪問外網,所以我們需要修改的是以前畫的那張圖裡的nat表POSTROUTING 所以,需要設定防火牆命令如下:需要在nat表設定;需要在POSTROUTING鏈裡追加;目標ip是訪問的外網ip, 需要指定源ip是mcw03內網ip地址需要轉換為可以訪問的外網ip;動作是mcw03的內網ip,源ip轉換為能訪問外網的mcw01上的外網ip,動作是源地址訪問;將源地址改為mcw01上的外網ip10.0.0.11 mcw01配置了防火牆,還要開啟mcw01的ip轉發核心引數。將mcw03閘道器應該修改為mcw01的內網ip,內網網路卡上給mcw03新增DNS伺服器的配置,不然無法解析了。 單個ip實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 echo 1 >/proc/sys/net/ipv4/ip_forward echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf sysctl -p 指定網段的地址實現源地址轉換 iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11 操作前檢查情況 [root@mcw02 ~]$ ssh 172.16.0.13 #從mcw02上連線mcw03內網ip root@172.16.0.13's password: Last login: Mon Mar 7 17:58:21 2022 from 172.16.0.12 [root@mcw03 ~]$ ip a #檢視網路卡情況 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff inet 10.0.0.13/24 brd 10.0.0.255 
scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::6782:98:f742:b0e8/64 scope link valid_lft forever preferred_lft forever inet6 fe80::6faf:5935:98b1:7f8d/64 scope link tentative dadfailed valid_lft forever preferred_lft forever inet6 fe80::cdd:d005:758:ad29/64 scope link tentative dadfailed valid_lft forever preferred_lft forever [root@mcw03 ~]$ ifdown ens33 #將mcw03的外網網路卡關閉掉 Device 'ens33' successfully disconnected. [root@mcw03 ~]$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ ping www.baidu.com #檢視mcw03無法訪問外網,只有內網ip172.16.0.13可以通訊 ping: www.baidu.com: Name or service not known [root@mcw03 ~]$ [root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11 [root@mcw01 ~]$ echo 1 >/proc/sys/net/ipv4/ip_forward [root@mcw01 ~]$ echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf [root@mcw01 ~]$ sysctl -p 發現mcw03還是不通外網,是因為忘記修改閘道器了,閘道器應該修改為mcw01的內網ip. 
[root@mcw03 ~]$ ping www.baidu.com ping: www.baidu.com: Name or service not known [root@mcw03 ~]$ ip r default via 172.160.0.253 dev ens34 proto static metric 100 172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 172.160.0.253 dev ens34 proto static scope link metric 100 這裡將內網網路卡配置的閘道器設定為mcw01主機的內網ip。讓它onboot改為yes,不然重啟就關閉網路卡了 [root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens34 [root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens34 ONBOOT=yes GATEWAY=172.16.0.11 [root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens33 #將外網網路卡的onboot關閉掉,防止重啟網路,而重啟網路卡 [root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens33 ONBOOT="no" GATEWAY="10.0.0.253" [root@mcw03 ~]$ systemctl restart network [root@mcw03 ~]$
檢查環境以及驗證內網訪問外網 [root@mcw03 ~]$ ip a #檢視網路,沒有問題,還是內網ip 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34 valid_lft forever preferred_lft forever inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link valid_lft forever preferred_lft forever 3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff [root@mcw03 ~]$ [root@mcw03 ~]$ ip r #檢視閘道器,已經變成了mcw01主機的內網ip default via 172.16.0.11 dev ens34 proto static metric 100 172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 [root@mcw03 ~]$ [root@mcw03 ~]$ ping www.baidu.com #成功訪問外網 PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data. 
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=127 time=14.8 ms
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=2 ttl=127 time=13.6 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 13.674/14.261/14.848/0.587 ms
[root@mcw03 ~]$

For reference, mcw01's internal IP:

[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$

After running the commands, remember to save the configuration. iptables -t nat -nL lists the translation rules in the nat table.

[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables-save
# Generated by iptables-save v1.4.21 on Mon Mar 7 18:52:42 2022
*nat
:PREROUTING ACCEPT [143:9307]
:INPUT ACCEPT [1:229]
:OUTPUT ACCEPT [80:6466]
:POSTROUTING ACCEPT [80:6466]
-A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11
-A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
COMMIT
# Completed on Mon Mar 7 18:52:42 2022
# Generated by iptables-save v1.4.21 on Mon Mar 7 18:52:42 2022
*filter
:INPUT ACCEPT [698927:234693305]
:FORWARD ACCEPT [5426:390414]
:OUTPUT ACCEPT [704597:225964959]
COMMIT
# Completed on Mon Mar 7 18:52:42 2022
[root@mcw01 ~]$
How to delete a rule from the nat table:
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.61
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -t nat -D POSTROUTING 2    # delete rule number 2 of the POSTROUTING chain; the nat table has to be named explicitly
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
DNAT port forwarding (the internal server is not exposed on the public network, but a service on it is made available to the outside through port forwarding on one publicly reachable host)
iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22

This works a bit like port forwarding in Nginx. When a client on the external network needs a service on an internal host, the service cannot be reached directly. With port forwarding, mcw01, which has a public IP, forwards requests that arrive on a given port of its public address to an internal server such as mcw03, which has no public IP at all.

Host environment (the external 10.x NICs of mcw02 and mcw03 are taken down first, leaving only the internal 172.x addresses, so they are purely internal hosts):
10.0.0.11 172.16.0.11 mcw01
10.0.0.12 172.16.0.12 mcw02
10.0.0.13 172.16.0.13 mcw03

Example: when a user connects to port 9000 on mcw01 (10.0.0.11:9000), the connection is forwarded to port 22 on the internal server mcw03 (172.16.0.13:22). The source address of the user's packets is their own address and the destination is 10.0.0.11:9000; to forward them, the destination has to be rewritten to 172.16.0.13:22. This is therefore destination address translation, DNAT.

Reading the rule: destination translation lives in the nat table; the packets are inbound user traffic, so the chain is PREROUTING; the destination address is 10.0.0.11; the destination port is 9000; the action is DNAT, which rewrites the destination to our internal address, here 172.16.0.13:22.

Note: the gateway configured on mcw03's NIC must be mcw01's internal IP. The packet is forwarded to mcw03, but the reply has to travel back to mcw01's internal IP and from there out through mcw01's public IP 10.0.0.11 before the client sees a response. This was already configured earlier; see the SNAT shared internet access section above.

iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22

IPv4 forwarding must also be enabled. I configured it earlier:

[root@mcw01 ~]$ tail -1 /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@mcw01 ~]$

Check before the change: at the moment neither mcw03 directly nor port 9000 on mcw01 can be connected to.

[c:\~]$ ssh root@172.16.0.13
Connecting to 172.16.0.13:22...
Could not connect to '172.16.0.13' (port 22): Connection failed.

Type `help' to learn how to use Xshell prompt.
[c:\~]$
[c:\~]$ ssh root@10.0.0.11 9000
Connecting to 10.0.0.11:9000...
Could not connect to '10.0.0.11' (port 9000): Connection failed.

Type `help' to learn how to use Xshell prompt.
[c:\~]$

Apply the change: add the destination translation rule, list the configured rules and check that IPv4 forwarding is enabled.

[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ tail -1 /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@mcw01 ~]$

Verify the effect: connecting from the external network to port 9000 on mcw01 actually lands on mcw03, a host with no public IP and no internet access, so port forwarding on mcw01 works. When a service on an internal host has to be reachable from outside, it can be published this way, which also keeps the internal server itself unexposed.

[c:\~]$ ssh root@10.0.0.11 9000
Connecting to 10.0.0.11:9000...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon Mar 7 18:06:33 2022 from 172.16.0.12
[root@mcw03 ~]$ hostname -I
172.16.0.13
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$
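The SNAT shared-access setup and the DNAT port forward above are typed in rule by rule, and the page's FORWARD chain is left at policy ACCEPT, so once ip_forward is on the gateway routes anything between its two interfaces. The script below is an added example, not code from the original post: it assembles both translations into one iptables-restore ruleset for the post's topology (WAN interface ens33 with public address 10.0.0.11, LAN interface ens34, LAN 172.16.0.0/24, published service 9000 -> 172.16.0.13:22) and gives FORWARD a DROP policy that admits only LAN-initiated outbound traffic and connections PREROUTING has already DNAT'd to a published port. The --print/--apply switches and the -m conntrack --ctstate DNAT match are my choices, not the post's.

```shell
#!/bin/sh
# Added example: generate (and optionally load) a complete iptables-restore
# ruleset for a NAT gateway such as mcw01 in the post.
# Assumed topology (taken from the post): WAN_IF=ens33 / WAN_IP=10.0.0.11,
# LAN_IF=ens34, LAN=172.16.0.0/24, published service 9000 -> 172.16.0.13:22.

# gateway_ruleset LAN_CIDR WAN_IP WAN_IF LAN_IF [WANPORT:LANIP:LANPORT ...]
# Prints the ruleset on stdout; nothing is applied by this function.
gateway_ruleset() {
    lan=$1; wan_ip=$2; wan_if=$3; lan_if=$4
    shift 4

    # ---- nat table: SNAT for outbound LAN traffic, DNAT for published ports ----
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for fwd in "$@"; do
        wport=${fwd%%:*}; rest=${fwd#*:}; lip=${rest%%:*}; lport=${rest#*:}
        # Rewrite WAN_IP:WPORT -> LIP:LPORT, only for packets arriving on the WAN side
        printf '%s\n' "-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $wport -j DNAT --to-destination $lip:$lport"
    done
    # Rewrite LAN source addresses to the public address when leaving via WAN_IF
    printf '%s\n' "-A POSTROUTING -s $lan -o $wan_if -j SNAT --to-source $wan_ip"
    printf '%s\n' 'COMMIT'

    # ---- filter table: FORWARD is deny-by-default instead of policy ACCEPT ----
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # LAN hosts may open connections towards the internet (shared access)
    printf '%s\n' "-A FORWARD -i $lan_if -o $wan_if -s $lan -j ACCEPT"
    for fwd in "$@"; do
        rest=${fwd#*:}; lip=${rest%%:*}; lport=${rest#*:}
        # From the WAN side only the DNAT'd connection to the published port gets through
        printf '%s\n' "-A FORWARD -i $wan_if -o $lan_if -d $lip -p tcp --dport $lport -m conntrack --ctstate DNAT -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: sh gateway.sh --print 172.16.0.0/24 10.0.0.11 ens33 ens34 9000:172.16.0.13:22
#        sh gateway.sh --apply 172.16.0.0/24 10.0.0.11 ens33 ens34 9000:172.16.0.13:22
# --apply also turns on IPv4 forwarding; run "service iptables save" afterwards so
# that /etc/sysconfig/iptables contains the nat rules too (the post's reminder).
case "${1:-}" in
    --print) shift; gateway_ruleset "$@" ;;
    --apply) shift
             sysctl -w net.ipv4.ip_forward=1 >/dev/null
             gateway_ruleset "$@" | iptables-restore ;;
esac
```

Review the --print output before using --apply: iptables-restore replaces the whole nat and filter tables in one atomic step, so a typo in the LAN CIDR or interface names cuts the gateway off in one go rather than rule by rule.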
IP address forwarding (IP mapping implemented with DNAT)
Host environment (the external 10.x NICs of mcw02 and mcw03 are taken down first, leaving only the internal 172.x addresses, so they are purely internal hosts):
10.0.0.11 172.16.0.11 mcw01
10.0.0.12 172.16.0.12 mcw02
10.0.0.13 172.16.0.13 mcw03

For the points to watch during configuration, refer to the SNAT and DNAT procedures above.

Check the environment and remove the port forwarding rule configured earlier:

[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -t nat -D PREROUTING 1    # delete the port forwarding rule configured earlier so it does not interfere
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$

Add a new public IP on mcw01: when this public IP, 10.0.0.111, is accessed, forward it to the internal IP of mcw03, 172.16.0.13. Then attach the public IP to the gateway mcw01 as a labelled secondary address, so that the IP is visible on mcw01.

[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.111 -j DNAT --to-destination 172.16.0.13
[root@mcw01 ~]$ ip a a 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 10.0.0.111/24 scope global secondary ens33:0
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$ ^C

Verification: when I connect from the external network to the public IP 10.0.0.111 just added on mcw01, I actually land on the internal server mcw03. In other words, when a user accesses a port on mcw01's public IP 10.0.0.111, the request is forwarded to the same port on the internal server mcw03. That is IP address forwarding. The drawback: every internal server that needs to be reached from outside needs its own public IP, and usually only a few ports need to be reachable, so public IP addresses are wasted.

[c:\~]$
[c:\~]$ ssh root@10.0.0.111
Connecting to 10.0.0.111:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon Mar 7 19:30:16 2022 from 10.0.0.1
[root@mcw03 ~]$ hostname -I
172.16.0.13
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$

After deleting this label, the internal server can no longer be reached through that IP.

[root@mcw01 ~]$ ip a del 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$
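A whole-IP mapping like the one above publishes every port of mcw03, not just one, and once a gateway carries a mix of port forwards and IP mappings it is easy to lose track of what is reachable from outside. The script below is an added example, not code from the original post: it parses iptables-save output and lists each PREROUTING DNAT rule as a published endpoint, flagging mappings that carry no port restriction. The sample nat table is constructed from the post's own rules, as iptables-save would print them on mcw01, and the --demo/--live switches are my convention.

```shell
#!/bin/sh
# Added example: inventory what a NAT gateway publishes, from iptables-save output.
# Each "-A PREROUTING ... -j DNAT --to-destination X" line is reported as
#   PORT      WAN_IP:PORT/proto -> LAN_IP:PORT   (a single published service)
#   ALL-PORTS WAN_IP -> LAN_IP                   (whole-IP mapping: every port reachable)

list_exposures() {
    while IFS= read -r line; do
        case "$line" in
            "-A PREROUTING "*" -j DNAT "*) ;;   # only DNAT rules in the PREROUTING chain
            *) continue ;;
        esac
        dst=''; port=''; proto='all'; to=''
        # Tokenise the rule and pick out the fields that define the exposure
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
                -d)               dst=$2;   shift ;;
                -p)               proto=$2; shift ;;
                --dport)          port=$2;  shift ;;
                --to-destination) to=$2;    shift ;;
            esac
            shift
        done
        dst=${dst%/32}    # iptables-save writes single hosts as a /32
        if [ -n "$port" ]; then
            printf 'PORT      %s:%s/%s -> %s\n' "$dst" "$port" "$proto" "$to"
        else
            printf 'ALL-PORTS %s -> %s\n' "$dst" "$to"
        fi
    done
}

# count_wide_exposures: number of whole-IP mappings in the input (prints 0 if none)
count_wide_exposures() {
    list_exposures | grep -c '^ALL-PORTS' || true
}

# Constructed sample: mcw01's nat table as iptables-save would print it with the
# post's port forward (9000 -> 22) and IP mapping (10.0.0.111 -> 172.16.0.13) in place.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.11/32 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22
-A PREROUTING -d 10.0.0.111/32 -j DNAT --to-destination 172.16.0.13
-A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
COMMIT'

# Usage: sh exposures.sh --demo    (parse the constructed sample above)
#        sh exposures.sh --live    (parse the running nat table, as root)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_NAT" | list_exposures ;;
    --live) iptables-save -t nat | list_exposures ;;
esac
```

On the sample the output is two lines: the 9000 -> 22 forward as PORT 10.0.0.11:9000/tcp -> 172.16.0.13:22, and the IP mapping as ALL-PORTS 10.0.0.111 -> 172.16.0.13. An ALL-PORTS line is the one to question in review: if only SSH on mcw03 is meant to be reachable, the port forward form already does that without a second public address.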
-F does not clear the rules in the nat table
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$
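The session above shows why: -F, -X and -Z act on the filter table unless -t names another one, so the nat rules survive all three. The script below is an added example, not code from the original post: it resets every table the kernel reports and, before flushing, sets the filter policies back to ACCEPT so that a DROP policy on INPUT cannot cut off the SSH session doing the reset. The DRY_RUN variable and --run switch are my convention for reviewing the commands before they touch the firewall.

```shell
#!/bin/sh
# Added example: "iptables -F" with no -t only flushes the filter table, so the
# post's nat rules survive it. reset_all_tables walks every loaded table and
# flushes it, deletes its user-defined chains and zeroes its counters.
# DRY_RUN=1 prints the iptables commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# list_tables: tables currently loaded, one per line. "nat" only shows up after
# iptable_nat has been loaded (the modprobe step at the start of the post).
list_tables() {
    if [ -r /proc/net/ip_tables_names ]; then
        cat /proc/net/ip_tables_names
    else
        printf '%s\n' filter nat mangle raw
    fi
}

# reset_all_tables [TABLE ...]: with no arguments, every loaded table is reset
reset_all_tables() {
    [ $# -gt 0 ] || set -- $(list_tables)
    # Open the filter policies first: flushing INPUT while its policy is DROP
    # would leave nothing but the policy, and the remote session would die.
    for chain in INPUT FORWARD OUTPUT; do
        run -t filter -P "$chain" ACCEPT
    done
    for t in "$@"; do
        run -t "$t" -F    # flush the rules in every chain of this table
        run -t "$t" -X    # delete the now-empty user-defined chains
        run -t "$t" -Z    # zero the packet and byte counters
    done
}

# Usage: DRY_RUN=1 sh reset.sh --run            (review the commands)
#        sh reset.sh --run                      (reset every loaded table, as root)
#        sh reset.sh --run nat                  (reset only the nat table)
case "${1:-}" in
    --run) shift; reset_all_tables "$@" ;;
esac
```

Run it with DRY_RUN=1 first; for the post's gateway the list is the three -P commands followed by -F, -X and -Z for each of filter and nat, which is exactly the set of commands the page's session was missing for nat.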