基于本機服務器的iptables:
創建、重命名、刪除自定義chain
~]# iptables -N testchain
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain testchain (0 references)
target prot opt source destination
~]# iptables -E testchain mychain
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain mychain (0 references)
target prot opt source destination
~]# iptables -X mychain
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-P: policy; sets the default policy. For chains in the filter table the default policy can be:
ACCEPT: accept
DROP: drop
REJECT: reject
The default table is filter, so -t filter can be omitted when operating on it:
~]# iptables -t filter -P FORWARD DROP
~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Viewing iptables rules:
-S: list-rules; displays the rules of a chain in iptables-save format
-L: list; lists all rules on the specified chain
-n: numeric; shows addresses and port numbers as numbers
-v: verbose; detailed output
-vv, -vvv
-x: exact; shows the exact values of the counters
--line-numbers: shows the rule numbers
~]# iptables -nvxL --line-numbers
Chain INPUT (policy ACCEPT 275 packets, 18823 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 154 packets, 24528 bytes)
[root@localhost ~]# iptables -nvvxL --line-numbers
Chain INPUT (policy ACCEPT 300 packets, 20863 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 175 packets, 26988 bytes)
libiptc vlibxtables.so.10. 632 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/…………….to `'/…………….
Protocol: 0
Flags: 00
Invflags: 00
Counters: 300 packets, 20863 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 1 (152):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/…………….to `'/…………….
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP
Entry 2 (304):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/…………….to `'/…………….
Protocol: 0
Flags: 00
Invflags: 00
Counters: 175 packets, 26988 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 3 (456):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/…………….to `'/…………….
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@localhost ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
[root@localhost ~]# iptables -S INPUT
-P INPUT ACCEPT
You can list the files of the installed package to see the related commands and match/target extension libraries:
~]# rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
/usr/lib64/libip4tc.so.0
/usr/lib64/libip4tc.so.0.1.0
/usr/lib64/libip6tc.so.0
/usr/lib64/libip6tc.so.0.1.0
/usr/lib64/libiptc.so.0
/usr/lib64/libiptc.so.0.0.0
/usr/lib64/libxtables.so.10
/usr/lib64/libxtables.so.10.0.0
/usr/lib64/xtables
/usr/lib64/xtables/libip6t_DNAT.so
/usr/lib64/xtables/libip6t_DNPT.so
/usr/lib64/xtables/libip6t_HL.so
/usr/lib64/xtables/libip6t_LOG.so
/usr/lib64/xtables/libip6t_MASQUERADE.so
/usr/lib64/xtables/libip6t_NETMAP.so
/usr/lib64/xtables/libip6t_REDIRECT.so
/usr/lib64/xtables/libip6t_REJECT.so
/usr/lib64/xtables/libip6t_SNAT.so
/usr/lib64/xtables/libip6t_SNPT.so
/usr/lib64/xtables/libip6t_ah.so
/usr/lib64/xtables/libip6t_dst.so
/usr/lib64/xtables/libip6t_eui64.so
/usr/lib64/xtables/libip6t_frag.so
/usr/lib64/xtables/libip6t_hbh.so
/usr/lib64/xtables/libip6t_hl.so
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libip6t_ipv6header.so
/usr/lib64/xtables/libip6t_mh.so
/usr/lib64/xtables/libip6t_rt.so
/usr/lib64/xtables/libipt_CLUSTERIP.so
/usr/lib64/xtables/libipt_DNAT.so
/usr/lib64/xtables/libipt_ECN.so
/usr/lib64/xtables/libipt_LOG.so
/usr/lib64/xtables/libipt_MASQUERADE.so
/usr/lib64/xtables/libipt_MIRROR.so
/usr/lib64/xtables/libipt_NETMAP.so
/usr/lib64/xtables/libipt_REDIRECT.so
/usr/lib64/xtables/libipt_REJECT.so
/usr/lib64/xtables/libipt_SAME.so
/usr/lib64/xtables/libipt_SNAT.so
/usr/lib64/xtables/libipt_TTL.so
/usr/lib64/xtables/libipt_ULOG.so
/usr/lib64/xtables/libipt_ah.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libipt_realm.so
/usr/lib64/xtables/libipt_ttl.so
/usr/lib64/xtables/libipt_unclean.so
/usr/lib64/xtables/libxt_AUDIT.so
/usr/lib64/xtables/libxt_CHECKSUM.so
/usr/lib64/xtables/libxt_CLASSIFY.so
/usr/lib64/xtables/libxt_CONNMARK.so
/usr/lib64/xtables/libxt_CONNSECMARK.so
/usr/lib64/xtables/libxt_CT.so
/usr/lib64/xtables/libxt_DSCP.so
/usr/lib64/xtables/libxt_HMARK.so
/usr/lib64/xtables/libxt_IDLETIMER.so
/usr/lib64/xtables/libxt_LED.so
/usr/lib64/xtables/libxt_MARK.so
/usr/lib64/xtables/libxt_NFLOG.so
/usr/lib64/xtables/libxt_NFQUEUE.so
/usr/lib64/xtables/libxt_NOTRACK.so
/usr/lib64/xtables/libxt_RATEEST.so
/usr/lib64/xtables/libxt_SECMARK.so
/usr/lib64/xtables/libxt_SET.so
/usr/lib64/xtables/libxt_SYNPROXY.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_TEE.so
/usr/lib64/xtables/libxt_TOS.so
/usr/lib64/xtables/libxt_TPROXY.so
/usr/lib64/xtables/libxt_TRACE.so
/usr/lib64/xtables/libxt_addrtype.so
/usr/lib64/xtables/libxt_bpf.so
/usr/lib64/xtables/libxt_cgroup.so
/usr/lib64/xtables/libxt_cluster.so
/usr/lib64/xtables/libxt_comment.so
/usr/lib64/xtables/libxt_connbytes.so
/usr/lib64/xtables/libxt_connlabel.so
/usr/lib64/xtables/libxt_connlimit.so
/usr/lib64/xtables/libxt_connmark.so
/usr/lib64/xtables/libxt_conntrack.so
/usr/lib64/xtables/libxt_cpu.so
/usr/lib64/xtables/libxt_dccp.so
/usr/lib64/xtables/libxt_devgroup.so
/usr/lib64/xtables/libxt_dscp.so
/usr/lib64/xtables/libxt_ecn.so
/usr/lib64/xtables/libxt_esp.so
/usr/lib64/xtables/libxt_hashlimit.so
/usr/lib64/xtables/libxt_helper.so
/usr/lib64/xtables/libxt_iprange.so
/usr/lib64/xtables/libxt_ipvs.so
/usr/lib64/xtables/libxt_length.so
/usr/lib64/xtables/libxt_limit.so
/usr/lib64/xtables/libxt_mac.so
/usr/lib64/xtables/libxt_mark.so
/usr/lib64/xtables/libxt_multiport.so
/usr/lib64/xtables/libxt_nfacct.so
/usr/lib64/xtables/libxt_osf.so
/usr/lib64/xtables/libxt_owner.so
/usr/lib64/xtables/libxt_physdev.so
/usr/lib64/xtables/libxt_pkttype.so
/usr/lib64/xtables/libxt_policy.so
/usr/lib64/xtables/libxt_quota.so
/usr/lib64/xtables/libxt_rateest.so
/usr/lib64/xtables/libxt_recent.so
/usr/lib64/xtables/libxt_rpfilter.so
/usr/lib64/xtables/libxt_sctp.so
/usr/lib64/xtables/libxt_set.so
/usr/lib64/xtables/libxt_socket.so
/usr/lib64/xtables/libxt_standard.so
/usr/lib64/xtables/libxt_state.so
/usr/lib64/xtables/libxt_statistic.so
/usr/lib64/xtables/libxt_string.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
/usr/lib64/xtables/libxt_time.so
/usr/lib64/xtables/libxt_tos.so
/usr/lib64/xtables/libxt_u32.so
/usr/lib64/xtables/libxt_udp.so
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
/usr/share/doc/iptables-1.4.21
/usr/share/doc/iptables-1.4.21/COPYING
/usr/share/doc/iptables-1.4.21/INCOMPATIBILITIES
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/ip6tables-restore.8.gz
/usr/share/man/man8/ip6tables-save.8.gz
/usr/share/man/man8/ip6tables.8.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz
Creating iptables rules
Rule syntax: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
[root@localhost ~]# iptables -A INPUT -s 192.168.150.0/24 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -d 192.168.150.0/24 -j ACCEPT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.150.0/24 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.150.0/24
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
146 10462 ACCEPT all -- * * 192.168.150.0/24 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
21 2308 ACCEPT all -- * * 0.0.0.0/0 192.168.150.0/24
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -A INPUT -s 192.168.150.1 -d 192.168.150.137 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -d 192.168.150.1 -s 192.168.150.137 -j ACCEPT
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 817 bytes)
pkts bytes target prot opt in out source destination
214 16156 ACCEPT all -- * * 192.168.150.1 192.168.150.137
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 588 bytes)
pkts bytes target prot opt in out source destination
24 2136 ACCEPT all -- * * 192.168.150.137 192.168.150.1
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
483 34060 ACCEPT all -- * * 192.168.150.1 192.168.150.137
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
176 26324 ACCEPT all -- * * 192.168.150.137 192.168.150.1
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P FORWARD ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 73 packets, 4880 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 40 packets, 3608 bytes)
pkts bytes target prot opt in out source destination
iptables: http
~]# vim /var/www/html/index.html
~]# more /var/www/html/index.html
<h1>192.168.150.137</h1>
~]# systemctl start httpd
~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.150.137:22 192.168.150.1:63850
ESTAB 0 0 192.168.150.137:22 192.168.150.1:59463
~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
~]# iptables -P INPUT DROP^C
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp --dport 22 -j ACCEPT
~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
32 2112 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1596 bytes)
pkts bytes target prot opt in out source destination
~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp --dport 22 -j ACCEPT
~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
221 15948 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp dpt:22
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
Connection closed by foreign host.
~]# iptables -nvL
Chain INPUT (policy DROP 5 packets, 378 bytes)
pkts bytes target prot opt in out source destination
486 40089 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 136 packets, 14751 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp dpt:22
~]# iptables -nvL --line-numbers
Chain INPUT (policy DROP 5 packets, 378 bytes)
num pkts bytes target prot opt in out source destination
1 592 47177 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 200 packets, 21999 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp dpt:22
~]# iptables -D OUTPUT 1
~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp --sport 22 -j ACCEPT
~]# iptables -P OUTPUT DROP
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1027 76713 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
74 7144 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:22
~]# iptables -nvL
Chain INPUT (policy DROP 8 packets, 472 bytes)
pkts bytes target prot opt in out source destination
1037 77393 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
82 8380 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:22
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp --dport 80 -j ACCEPT
~]# iptables -A OUTPUT -d 0/0 -s 192.168.150.137 -p tcp --sport 80 -j ACCEPT
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1474 110K ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:22
10 1004 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
386 37764 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:22
8 954 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:80
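The "Connection closed by foreign host." above is the lesson of this section: the OUTPUT rule matched --dport 22 instead of --sport 22, so once OUTPUT got a DROP policy the SSH replies (source port 22) had no matching rule. Without the state match, the reply direction of every service has to be allowed explicitly. As an added example (not part of the original notes), the following POSIX shell script reads rules in iptables-save format and lists the inbound TCP ports whose replies would be dropped under an OUTPUT DROP policy, so the check can run before the policy is changed. The embedded ruleset is a constructed sample that reproduces the mistake; it was not captured from the page's host.

```shell
#!/bin/sh
# Constructed sample ruleset in iptables-save format (not captured from the
# page's host). The OUTPUT rule for port 22 repeats the page's mistake: it
# matches --dport 22, so SSH replies (source port 22) are not covered.
RULES='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -d 192.168.150.137/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.150.137/32 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -s 192.168.150.137/32 -p tcp --sport 80 -j ACCEPT'

# TCP ports accepted by INPUT rules, one per line.
inbound_ports() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }'
}

# Succeeds when OUTPUT already accepts ESTABLISHED traffic, i.e. the reply
# path of every inbound service is covered by connection tracking.
has_stateful_reply() {
    printf '%s\n' "$1" | grep -q -- '^-A OUTPUT .*--state [A-Z,]*ESTABLISHED.*-j ACCEPT'
}

# Inbound ports whose replies an OUTPUT DROP policy would discard: no OUTPUT
# rule matches --sport <port> and there is no stateful ESTABLISHED accept.
ports_without_return_path() {
    rules=$1
    has_stateful_reply "$rules" && return 0
    for p in $(inbound_ports "$rules"); do
        printf '%s\n' "$rules" | grep -q -- "^-A OUTPUT .*-p tcp .*--sport $p .*-j ACCEPT" || echo "$p"
    done
}

# Stand-alone run: report before anyone types "iptables -P OUTPUT DROP".
missing=$(ports_without_return_path "$RULES")
[ -z "$missing" ] || echo "no return path for inbound TCP port(s): $missing"
```

On a live host, feed it `iptables-save` output instead of the sample: `ports_without_return_path "$(iptables-save -t filter)"`. An empty result means either every inbound service has its reply rule or a stateful ESTABLISHED accept on OUTPUT covers them all.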
iptables: ICMP
icmp
[!] --icmp-type {type[/code]|typename}
echo-request: 8
echo-reply: 0
To let the server ping external IPs: the server sends echo requests out through OUTPUT to the external IP, and the echo replies come back in through INPUT
~]# iptables -A OUTPUT -s 192.168.150.137 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p icmp --icmp-type 0 -j ACCEPT
~]# ping 192.168.150.136
PING 192.168.150.136 (192.168.150.136) 56(84) bytes of data.
64 bytes from 192.168.150.136: icmp_seq=1 ttl=64 time=1.68 ms
64 bytes from 192.168.150.136: icmp_seq=2 ttl=64 time=0.750 ms
^C
--- 192.168.150.136 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.750/1.216/1.682/0.466 ms
To let the server be pinged: the external IP sends echo requests to the server's INPUT, and the server sends echo replies out through OUTPUT
~]# iptables -A INPUT -d 192.168.150.137 -p icmp --icmp-type 8 -j ACCEPT
~]# iptables -A OUTPUT -s 192.168.150.137 -p icmp --icmp-type 0 -j ACCEPT
iptables: multiport
Matches multiple ports given as a discrete list; at most 15 ports may be specified
[!] --source-ports,--sports port[,port|,port:port]...: multiple source ports
[!] --destination-ports,--dports port[,port|,port:port]...: multiple destination ports
[!] --ports port[,port|,port:port]...: multiple ports
~]# iptables -I INPUT -s 0/0 -d 192.168.150.137 -p tcp -m multiport --dports 22,80 -j ACCEPT
~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
... multiport dports 22,80
... tcp dpt:22
... tcp dpt:80
... icmptype 0
... icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
... multiport sports 22,80
... tcp spt:22
... tcp spt:80
... icmptype 8
... icmptype 0
~]# iptables -D INPUT 2
~]# iptables -D INPUT 2
~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
... multiport dports 22,80
... icmptype 0
... icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
... multiport sports 22,80
... tcp spt:22
... tcp spt:80
... icmptype 8
... icmptype 0
~]# iptables -D OUTPUT 2
~]# iptables -D OUTPUT 2
~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
... multiport dports 22,80
... icmptype 0
... icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
... multiport sports 22,80
... icmptype 8
... icmptype 0
iptables: iprange
Matches a contiguous range of IP addresses (normally not a whole network)
[!] --src-range from[-to]: source IP address range
[!] --dst-range from[-to]: destination IP address range
~]# iptables -A OUTPUT -s 192.168.150.137 -p tcp --sport 23 -m iprange --dst-range 192.168.150.130-192.168.150.140 -j ACCEPT
~]# iptables -A INPUT -d 192.168.150.137 -p tcp --dport 23 -m iprange --src-range 192.168.150.130-192.168.150.140 -j ACCEPT
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
... multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
... source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
... multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
... destination IP range 192.168.150.130-192.168.150.140
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 10 packets, 931 bytes)
pkts bytes target prot opt in out source destination
... multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
... source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
... multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
... destination IP range 192.168.150.130-192.168.150.140
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 :::23 :::*
LISTEN 0 100 ::1:25 :::*
[root@localhost ~]# useradd centos
useradd:用戶“centos”已存在
[root@localhost ~]# echo "oracleadmin" | passwd --stdin centos
更改用戶 centos 的密碼 。
passwd:所有的身份驗證令牌已經成功更新。
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4277 289K ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
164 8892 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:23 source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 6 packets, 440 bytes)
pkts bytes target prot opt in out source destination
2516 790K ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
113 6638 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:23 destination IP range 192.168.150.130-192.168.150.140
iptables: string
Performs string pattern matching on the application-layer payload of packets
--algo {bm|kmp}: string-matching algorithm
bm: Boyer-Moore
kmp: Knuth-Morris-Pratt
[!] --string pattern: the string pattern to match
[!] --hex-string pattern: the pattern to match, given in hexadecimal
~]# vim /var/www/html/test.html
~]# iptables -I OUTPUT -s 192.168.150.137 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "old" -j REJECT
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4894 332K ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 multiport dports 22,80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.150.137 icmptype 8
263 14230 ACCEPT tcp -- * * 0.0.0.0/0 192.168.150.137 tcp dpt:23 source IP range 192.168.150.130-192.168.150.140
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:80 STRING match "old" ALGO name bm TO 65535 reject-with icmp-port-unreachable
2907 839K ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 multiport sports 22,80
2 168 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 8
4 336 ACCEPT icmp -- * * 192.168.150.137 0.0.0.0/0 icmptype 0
174 10487 ACCEPT tcp -- * * 192.168.150.137 0.0.0.0/0 tcp spt:23 destination IP range 192.168.150.130-192.168.150.140
~]# vim /var/www/html/test2.html
iptables: time
Matches the packet's arrival time against a specified time range
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --monthdays day[,day...]
[!] --weekdays day[,day...]
--kerneltz: use the kernel's time zone instead of the default UTC
~]# iptables -R INPUT 4 -d 192.168.150.137 -p tcp --dport 23 -m iprange --src-range 192.168.150.130-192.168.150.140 -m time --timestart 09:00:00 --timestop 18:00:00 -j ACCEPT
iptables: connlimit
Matches on the number of concurrent connections per client IP
--connlimit-upto n: matches when the number of connections is less than or equal to n
--connlimit-above n: matches when the number of connections is greater than n
~]# iptables -A INPUT -s 0/0 -d 192.168.150.137 -p tcp --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT
iptables: limit
Matches on the rate at which packets are sent or received
Token bucket filter
--limit rate[/second|/minute|/hour|/day]
--limit-burst number: burst size
~]# iptables -R INPUT 3 -d 192.168.150.137 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
~]# iptables -A OUTPUT -s 192.168.150.137 -p icmp --icmp-type 0 -j ACCEPT
iptables: state
Checks the state of a connection using the "connection tracking" mechanism
The conntrack mechanism tracks the relationship between requests and responses on this host; the states are:
NEW: a newly issued request; the connection tracking table has no entry for this connection, so it is recognised as the first request
ESTABLISHED: the communication state after NEW, for as long as the entry created for the connection in the tracking table has not expired
RELATED: an associated connection, such as the relationship between the data connection and the command connection in the ftp protocol
INVALID: an invalid connection
UNTRACKED: a connection that is not being tracked
[!] --state state
~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
Adjusting the maximum number of connections the connection tracking table can hold:
/proc/sys/net/nf_conntrack_max
sysctl -w net.nf_conntrack_max=300000
echo 300000 > /proc/sys/net/nf_conntrack_max
Connections that have been tracked and recorded:
/proc/net/nf_conntrack
Connection tracking timeouts for the different protocols:
/proc/sys/net/netfilter/
The maximum capacity of the iptables connection tracking table is /proc/sys/net/nf_conntrack_max; a connection is removed from the table once it reaches the timeout for its state. When the table is full, subsequent connections may time out.
There are generally two remedies:
(1) Increase the nf_conntrack_max value
vi /etc/sysctl.conf
net.ipv4.nf_conntrack_max = 393216
net.ipv4.netfilter.nf_conntrack_max = 393216
(2) Lower the nf_conntrack timeouts
vi /etc/sysctl.conf
net.ipv4.netfilter.nf_conntrack_tcp_timeout_established = 300
net.ipv4.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
~]# watch -n1 'iptables -nvL'
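Before raising nf_conntrack_max or cutting timeouts it helps to know what is actually filling the table. As an added example (not from the original notes), the following POSIX shell script computes the table utilisation from nf_conntrack_count/nf_conntrack_max values and summarises /proc/net/nf_conntrack entries by originating source address and by TCP state, which shows whether one client with many short-lived connections or long TIME_WAIT timeouts is consuming the entries. The entries embedded below are a constructed sample in the /proc/net/nf_conntrack line format, not captured from the page's host; the 393216 limit is the page's own sysctl value and the 262144 count is an assumed reading.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/nf_conntrack line format (not captured
# from the page's host): one SSH session, one client with several short-lived
# HTTP connections, and one UDP DNS flow.
CT_SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.150.1 dst=192.168.150.137 sport=63850 dport=22 src=192.168.150.137 dst=192.168.150.1 sport=22 dport=63850 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.5 dst=192.168.150.137 sport=40001 dport=80 src=192.168.150.137 dst=10.0.0.5 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.5 dst=192.168.150.137 sport=40002 dport=80 src=192.168.150.137 dst=10.0.0.5 sport=80 dport=40002 [ASSURED] mark=0 zone=0 use=1
ipv4     2 tcp      6 115 TIME_WAIT src=10.0.0.5 dst=192.168.150.137 sport=40003 dport=80 src=192.168.150.137 dst=10.0.0.5 sport=80 dport=40003 [ASSURED] mark=0 zone=0 use=1
ipv4     2 tcp      6 431200 ESTABLISHED src=10.0.0.5 dst=192.168.150.137 sport=40004 dport=80 src=192.168.150.137 dst=10.0.0.5 sport=80 dport=40004 [ASSURED] mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.168.150.9 dst=192.168.150.137 sport=5353 dport=53 src=192.168.150.137 dst=192.168.150.9 sport=53 dport=5353 mark=0 zone=0 use=1'

# Table utilisation in percent from nf_conntrack_count and nf_conntrack_max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# "warn" when utilisation reaches the threshold percentage, else "ok".
conntrack_alert() {
    if [ "$(conntrack_usage_pct "$1" "$2")" -ge "$3" ]; then echo warn; else echo ok; fi
}

# Entries per originating source address (the first src= field), most first.
conntrack_top_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Entries per TCP state (field 6 of a tcp line), most first.
conntrack_tcp_states() {
    printf '%s\n' "$1" | awk '$3 == "tcp" { s[$6]++ } END { for (st in s) print s[st], st }' | sort -rn
}

# Stand-alone run against the sample: assumed count 262144 of the page's max 393216.
echo "usage: $(conntrack_usage_pct 262144 393216)% ($(conntrack_alert 262144 393216 80))"
echo "top sources:"; conntrack_top_src "$CT_SAMPLE"
echo "tcp states:";  conntrack_tcp_states "$CT_SAMPLE"
```

On a live host, replace the constants and the sample with the kernel's values: `conntrack_alert "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" "$(cat /proc/sys/net/netfilter/nf_conntrack_max)" 80` and `conntrack_top_src "$(cat /proc/net/nf_conntrack)"`. A table dominated by TIME_WAIT entries points at remedy (2) above; a single source holding most entries points at the connlimit match rather than a larger table.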
Rule evaluation order: the order of the rules in a chain is the order in which they are checked, so there are some rules of thumb for arranging them:
(1) For rules of the same kind (access to the same application), put the one with the narrower match first; it handles the special cases
(2) For rules of different kinds (access to different applications), put the one with the wider match first
(3) Merge several rules that can be expressed by a single rule into one
(4) Set the default policy
How to open up a passive-mode ftp service?
(1) Load the dedicated ftp connection tracking module:
~]# modprobe nf_conntrack_ftp
(2) Allow the command connection (assuming the server address is 172.16.100.67):
~]# iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
(3) Allow the data connection (assuming the server address is 172.16.100.67):
~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
~]# iptables -I OUTPUT -s 172.16.100.67 -m state --state ESTABLISHED -j ACCEPT
Rule optimisation:
Server-side rule design: any access that is not allowed should be rejected when the request arrives
(1) All inbound connections in the ESTABLISHED state can safely be allowed
(2) All outbound connections in the ESTABLISHED state can safely be allowed
(3) Be cautious when allowing inbound new requests
(4) Restrictions that serve a special purpose should be placed, as reject rules, ahead of the allow rules
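The rules of thumb above (stateful ESTABLISHED accept first, NEW only for the listed ports, DROP as the default policy) are the pattern behind the iptables-save output later on this page. As an added example that is not the author's code, the following POSIX shell script emits that kind of ruleset in iptables-restore format for a given server address and TCP port list, and checks any ruleset text for the ordering rule that the stateful ESTABLISHED accept must come before the per-port NEW rules. The address 192.168.150.137 and ports 22 and 80 in the stand-alone run are taken from the page; any other values passed in are assumptions.

```shell
#!/bin/sh
# Emit a stateful filter ruleset in iptables-restore format for one server
# address and a space-separated list of TCP service ports (assumed inputs).
# Order: ESTABLISHED/RELATED first, then NEW only for the listed ports and
# ping, and the DROP policy catches everything else.
stateful_ruleset() {
    ip=$1
    ports=$(printf '%s' "$2" | tr ' ' ',')
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' "-A INPUT -d $ip/32 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -d $ip/32 -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    printf '%s\n' "-A INPUT -d $ip/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Ordering check on a ruleset given as text: the first -A INPUT rule must be
# the stateful ESTABLISHED accept, so that most packets match rule 1 and never
# traverse the per-port rules. Prints "ok" or "misordered".
check_established_first() {
    first=$(printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" { print; exit }')
    case $first in
        *--state*ESTABLISHED*) echo ok ;;
        *) echo misordered ;;
    esac
}

# Stand-alone run: build the ruleset for the page's server address, then verify it.
RULESET=$(stateful_ruleset 192.168.150.137 "22 80")
printf '%s\n' "$RULESET"
echo "ordering: $(check_established_first "$RULESET")"
```

The generated text can be loaded with `iptables-restore` exactly like the saved file the page restores later; running `check_established_first "$(iptables-save -t filter)"` against a live host tells you whether someone has since inserted a NEW rule ahead of the stateful accept.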
iptables: save
~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:49:53 2016
*nat
:PREROUTING ACCEPT [569:58999]
:INPUT ACCEPT [95:11029]
:OUTPUT ACCEPT [512:34919]
:POSTROUTING ACCEPT [153:9591]
COMMIT
# Completed on Thu Nov 17 19:49:53 2016
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:49:53 2016
*filter
:INPUT DROP [11:1438]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.150.137/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m multiport --dports 22,23,80 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 17 19:49:53 2016
~]# iptables-save > /etc/sysconfig/iptables.v1
~]# cat /etc/sysconfig/iptables.v1
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:51:01 2016
*nat
:PREROUTING ACCEPT [572:59233]
:INPUT ACCEPT [95:11029]
:OUTPUT ACCEPT [512:34919]
:POSTROUTING ACCEPT [153:9591]
COMMIT
# Completed on Thu Nov 17 19:51:01 2016
# Generated by iptables-save v1.4.21 on Thu Nov 17 19:51:01 2016
*filter
:INPUT DROP [14:1672]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.150.137/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m multiport --dports 22,23,80 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.150.137/32 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 17 19:51:01 2016
~]# iptables -P INPUT ACCEPT
~]# iptables -P OUTPUT ACCEPT
~]# iptables -F
~]# iptables -nvL
Chain INPUT (policy ACCEPT 33 packets, 2188 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 1636 bytes)
pkts bytes target prot opt in out source destination
~]# iptables-restore < /etc/sysconfig/iptables.v1
~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
... state RELATED,ESTABLISHED
... multiport dports 22,23,80 state NEW
... state NEW
... state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
... state ESTABLISHED
Using iptables as a firewall (FORWARD)
Lab topology
Internal server: 1.1.1.2, default gateway set to 1.1.1.100
Firewall: 1.1.1.100 and 192.168.31.120
External server: 192.168.31.32, with a route added toward the internal network: route add -net 1.1.1.0/24 gw 192.168.31.120
IP forwarding is off by default on the firewall; enable it manually
~]# cat /proc/sys/net/ipv4/ip_forward
0
~]# echo 1 > /proc/sys/net/ipv4/ip_forward
1.1.1.2 and 192.168.31.32 can now reach each other
Set the FORWARD policy to DROP, then add rules so the two machines can still ping each other
~]# iptables -P FORWARD DROP
~]# iptables -A FORWARD -s 1.1.1.0/24 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
~]# iptables -A FORWARD -s 0/0 -d 1.1.1.0/24 -p icmp --icmp-type 0 -j ACCEPT
The result can be checked with tcpdump
~]# tcpdump -i eno33554976 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554976, link-type EN10MB (Ethernet), capture size 65535 bytes
21:26:59.297765 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 54, length 64
21:27:00.298340 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 55, length 64
21:27:01.298184 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 56, length 64
21:27:02.298255 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 57, length 64
21:27:03.298343 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 58, length 64
21:27:04.298548 IP 192.168.31.32 > 1.1.1.2: ICMP echo request, id 61190, seq 59, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
Setting the firewall rules with the state match
~]# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
~]# iptables -A FORWARD -s 1.1.1.0/24 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
Opening ports 80 and 21 (ftp)
~]# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
~]# iptables -A FORWARD -s 1.1.1.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT
~]# iptables -A FORWARD -s 1.1.1.0/24 -p tcp --dport 21 -m state --state NEW -j ACCEPT
~]# modprobe nf_conntrack_ftp
~]# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Making the ruleset load automatically at boot
~]# iptables-save >/etc/sysconfig/iptables.v2
~]# vim /etc/rc.local
~]# cat /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
iptables-restore < /etc/sysconfig/iptables.v2
[END] 2016/11/18 21:57:53
iptables: NAT
By default, when the internal server makes an HTTP request, the external server logs the internal host's IP
1.1.1.2:
[root@localhost ~]# curl http://192.168.31.32
<h1>remote </h1>
192.168.31.32:
[root@MiWiFi-R3-srv ~]# tail /var/log/httpd/access_log
192.168.31.32 - - [08/Nov/2016:14:23:20 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
1.1.1.2 - - [08/Nov/2016:14:27:00 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
1.1.1.2 - - [08/Nov/2016:15:12:41 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
1.1.1.2 - - [08/Nov/2016:15:24:40 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
nat: network address translation
snat: source nat
Rewrites the source IP address in the IP packet
Lets hosts on the local network talk to external hosts using one shared address, i.e. address masquerading
Request: the source IP is rewritten; how it is rewritten is defined by the administrator
Response: the destination IP is rewritten; nat does this automatically from the tracking entry in the session table
dnat: destination nat
Rewrites the destination IP address in the IP packet
Lets servers on the local network offer services to the outside (publish services) through one shared address while hiding their real addresses
Request: initiated by an external host; its destination address is rewritten as defined by the administrator
Response: the source address is rewritten; nat does this automatically from the tracking entry in the session table
pnat: port nat
SNAT example:
~]# iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j SNAT --to-source 172.16.100.67
[root@MiWiFi-R3-srv ~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j SNAT --to-source 192.168.31.120
A range of addresses can also be given:
[root@MiWiFi-R3-srv ~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j SNAT --to-source 192.168.31.120-192.168.31.255
Verifying the example
1. ping test
Ping from 1.1.1.2
[root@localhost ~]# ping 192.168.31.32
PING 192.168.31.32 (192.168.31.32) 56(84) bytes of data.
64 bytes from 192.168.31.32: icmp_seq=1 ttl=63 time=2.79 ms
64 bytes from 192.168.31.32: icmp_seq=2 ttl=63 time=0.502 ms
64 bytes from 192.168.31.32: icmp_seq=3 ttl=63 time=0.689 ms
64 bytes from 192.168.31.32: icmp_seq=4 ttl=63 time=0.451 ms
A capture on 192.168.31.32 shows that the source address has been translated
[root@MiWiFi-R3-srv ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:54:07.722067 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 73, length 64
16:54:07.722106 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 73, length 64
16:54:08.722394 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 74, length 64
16:54:08.722429 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 74, length 64
16:54:09.722782 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 75, length 64
16:54:09.722817 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 75, length 64
16:54:10.723160 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2700, seq 76, length 64
16:54:10.723196 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2700, seq 76, length 64
Captures on the NAT server
Internal interface:
[root@MiWiFi-R3-srv ~]# tcpdump -i eno16777736 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
13:53:29.354768 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 8, length 64
13:53:29.355038 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 8, length 64
13:53:30.355449 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 9, length 64
13:53:30.355803 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 9, length 64
13:53:31.357455 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 10, length 64
13:53:31.357842 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 10, length 64
External interface:
[root@MiWiFi-R3-srv ~]# tcpdump -i eno33554976 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554976, link-type EN10MB (Ethernet), capture size 65535 bytes
13:53:57.372568 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 36, length 64
13:53:57.372842 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 36, length 64
13:53:58.373001 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 37, length 64
13:53:58.373249 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 37, length 64
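The two captures above are read by eye; the script below does the same comparison mechanically. It is an added example, not part of the original post: it pairs the ICMP echo lines of an inside and an outside capture by (id, seq), derives which source address the SNAT rule substituted, and checks that every reply was mapped back to the real inside host. The two capture texts are constructed for this example so that the same packets appear on both interfaces (the post's own captures were taken at different moments, so their seq numbers do not line up); the regex and the check_snat function are this example's, not tcpdump's.

```python
"""Confirm an SNAT translation from two simultaneous tcpdump captures.

Added example, not part of the original post. Pairs ICMP echo lines from
the inside and outside interfaces of the NAT box by (id, seq), learns the
source-address mapping from the requests and verifies the replies against it.
"""
import re
from typing import Dict, List, Tuple

# One line of `tcpdump -nn icmp`, e.g.
# 13:53:29.354768 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 8, length 64
ICMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Constructed sample: inside interface (eno16777736 in the post)
INSIDE_CAPTURE = """\
13:53:29.354768 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 8, length 64
13:53:29.355038 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 8, length 64
13:53:30.355449 IP 1.1.1.2 > 192.168.31.32: ICMP echo request, id 2702, seq 9, length 64
13:53:30.355803 IP 192.168.31.32 > 1.1.1.2: ICMP echo reply, id 2702, seq 9, length 64
"""

# Constructed sample: the same packets on the outside interface (eno33554976)
OUTSIDE_CAPTURE = """\
13:53:29.354801 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 8, length 64
13:53:29.355001 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 8, length 64
13:53:30.355480 IP 192.168.31.120 > 192.168.31.32: ICMP echo request, id 2702, seq 9, length 64
13:53:30.355770 IP 192.168.31.32 > 192.168.31.120: ICMP echo reply, id 2702, seq 9, length 64
"""

Key = Tuple[str, int, int]  # (kind, id, seq)


def parse_capture(text: str) -> Dict[Key, Tuple[str, str]]:
    """Map (kind, id, seq) -> (src, dst) for every echo line; other lines are ignored."""
    flows: Dict[Key, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ICMP_LINE.match(line.strip())
        if m:
            flows[(m["kind"], int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return flows


def check_snat(inside: str, outside: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({inside source -> outside source}, problems).

    A request must keep its destination across the box and may change its
    source; the matching reply must come back to the inside host the request
    came from. Anything else is reported as a problem."""
    ins, outs = parse_capture(inside), parse_capture(outside)
    mapping: Dict[str, str] = {}
    problems: List[str] = []
    # Requests first, so replies can be checked against the learned mapping.
    for kind in ("request", "reply"):
        for (k, ident, seq), (in_src, in_dst) in ins.items():
            if k != kind:
                continue
            if (k, ident, seq) not in outs:
                problems.append(f"{k} id={ident} seq={seq} seen on inside only")
                continue
            out_src, out_dst = outs[(k, ident, seq)]
            if kind == "request":
                if in_dst != out_dst:
                    problems.append(f"request id={ident} seq={seq}: destination changed {in_dst} -> {out_dst}")
                if mapping.setdefault(in_src, out_src) != out_src:
                    problems.append(f"request id={ident} seq={seq}: {in_src} translated inconsistently")
            else:
                # Outside, the reply is addressed to the translated source;
                # inside, it must have been mapped back to the real host.
                if mapping.get(in_dst) != out_dst:
                    problems.append(f"reply id={ident} seq={seq}: {out_dst} not mapped back to {in_dst}")
    return mapping, problems


if __name__ == "__main__":
    learned, issues = check_snat(INSIDE_CAPTURE, OUTSIDE_CAPTURE)
    for real, seen in learned.items():
        print(f"{real} leaves the box as {seen}")
    print("problems:", issues or "none")
```

Run both tcpdumps at the same time and feed their output in; an echo request that shows up inside but never outside points at a FORWARD rule or routing problem rather than at the nat table, and a reply that is not mapped back means the session table has no entry for it.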
2. Verify with HTTP
Make an HTTP request from host 1.1.1.2:
[root@localhost ~]# curl http://192.168.31.32
<h1>remote </h1>
Check the log on 192.168.31.32:
~]# tail /var/log/httpd/access_log
192.168.31.120 - - [08/Nov/2016:16:58:47 +0800] "GET / HTTP/1.1" 200 17 "-" "curl/7.29.0"
Combining NAT with the filter table: block port 22
~]# iptables -t filter -A FORWARD -s 1.1.1.0/24 -p tcp --dport 22 -j REJECT
Attempt an SSH connection from host 1.1.1.2:
~]# ssh 192.168.31.32
ssh: connect to host 192.168.31.32 port 22: Connection refused
MASQUERADE:
Source address translation for the case where the address to translate to is obtained dynamically; MASQUERADE works out the address to translate to by itself.
~]# iptables -t nat -A POSTROUTING -s 1.1.1.0/24 -j MASQUERADE
DNAT
Test environment
1.1.1.2 acts as the internal HTTP server:
[root@localhost ~]# systemctl start httpd.service
[root@localhost ~]# vim /var/www/html/index.html
[root@localhost ~]# cat /var/www/html/index.html
<h1>INTERAL SERVER</h1>
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
Adding the DNAT rule
Host 1.1.1.100, external IP 192.168.31.120
Its own external port 80 is not being listened on:
[root@MiWiFi-R3-srv ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 ::1:6010 :::*
~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp --dport 80 -j DNAT --to-destination 1.1.1.2
[root@MiWiFi-R3-srv ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1 packets, 246 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.31.120 tcp dpt:80 to:1.1.1.2
Access 192.168.31.120 from the external host 192.168.31.31; the request actually lands on 1.1.1.2:
[root@MiWiFi-R3-srv ~]# curl http://192.168.31.120
<h1>INTERAL SERVER</h1>
Port mapping test:
First change the HTTP port on host 1.1.1.2:
~]# vim /etc/httpd/conf/httpd.conf
Listen 8090
[root@localhost ~]# systemctl restart httpd.service
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::8090 :::*
Configure the DNAT host:
~]# iptables -t nat -F
[root@MiWiFi-R3-srv ~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp --dport 80 -j DNAT --to-destination 1.1.1.2:8090
[root@MiWiFi-R3-srv ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.31.120 tcp dpt:80 to:1.1.1.2:8090
Access from the external network:
[root@MiWiFi-R3-srv ~]# curl http://192.168.31.120
<h1>INTERAL SERVER</h1>
Now the access log on 1.1.1.2 shows the request with its original source address, 192.168.31.32:
[root@localhost ~]# tail /var/log/httpd/access_log
192.168.31.32 - - [20/Nov/2016:13:17:46 +0800] "GET / HTTP/1.1" 200 24 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [20/Nov/2016:13:20:20 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
192.168.31.32 - - [20/Nov/2016:13:22:08 +0800] "GET / HTTP/1.1" 200 24 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
It can also be checked with a tcpdump capture:
~]# tcpdump -i eno33554976 -nn tcp port 8090
SSH translation
~]# iptables -t nat -A PREROUTING -s 0/0 -d 192.168.31.120 -p tcp --dport 22 -j DNAT --to-destination 1.1.1.2
An external host that connects via SSH ends up on 1.1.1.2:
[root@MiWiFi-R3-srv ~]# ssh 192.168.31.120
The authenticity of host '192.168.31.120 (192.168.31.120)' can't be established.
RSA key fingerprint is 22:fc:db:5b:e5:26:8a:35:96:9f:2d:c4:4f:07:d1:e8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.31.120' (RSA) to the list of known hosts.
root@192.168.31.120's password:
Last login: Sun Nov 20 11:51:47 2016 from 1.1.1.1
[root@localhost ~]# ifconfig
eno33554976: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.2 netmask 255.255.255.0 broadcast 1.1.1.255
inet6 fe80::20c:29ff:fe87:41fd prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:87:41:fd txqueuelen 1000 (Ethernet)
RX packets 2298 bytes 203573 (198.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1307 bytes 168590 (164.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 620 bytes 52990 (51.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 620 bytes 52990 (51.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Original article, author: N23-蘇州-void. If reproduced, please cite the source: http://www.www58058.com/60128
Taken as a whole, the content is commendable, but the formatting made my eyes blur and does not show off the detailed content well. Good content deserves a good presentation.
@馬哥教育: I copied this over from my Evernote and the formatting got scrambled; after this fix it should be much better.
Looks like from now on I will have to reformat things after copying them over.