Firewall:
Deployed between the internal network and the public network, it protects and isolates the two.
RHEL7 uses firewalld by default, but underneath it still drives iptables (the packet-filtering firewall).
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# systemctl disable firewalld.service
[[email protected] ~]# yum -y install iptables-services.x86_64
[[email protected] ~]# systemctl start iptables.service
iptables tables and chains
4 tables: they group iptables functionality by service; priority order (high -> low): raw -> mangle -> nat -> filter
5 chains: named for the direction in which the IP packet travels
INPUT: matches IP packets entering the firewall host itself
OUTPUT: matches IP packets leaving the firewall host itself
FORWARD: matches IP packets passing through the firewall host (neither the source nor the destination address is the firewall's own IP)
POSTROUTING: processing after the routing decision
PREROUTING: processing before the routing decision

| raw table (state tracking) | mangle table (packet marking) | nat table (address translation) | filter table (filtering; the default) |
|---|---|---|---|
| PREROUTING, OUTPUT | PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD | PREROUTING, POSTROUTING, INPUT (RHEL7/CentOS7), OUTPUT | INPUT, OUTPUT, FORWARD |

Packet-filtering match flow: rules are compared in order and the first match ends processing (LOG excepted); if no rule matches, the packet is handled by the chain's default policy.
Order of chains: inbound PREROUTING -> INPUT; outbound OUTPUT -> POSTROUTING; forwarded PREROUTING -> FORWARD -> POSTROUTING
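As an added illustration of the match flow just described (this is not code from the original notes), the shell function below models how a single chain is walked: rules are tried in order, the first terminating match decides, LOG records and continues, and the default policy applies when nothing matched. The "match:target" rule tokens and the name `walk_chain` are my own simplification (protocol only, no ports or addresses); the last call shows a rule shadowed by an earlier catch-all, which is why the placement chosen with `-I` versus `-A` matters.

```bash
#!/bin/bash
# Added example (not part of the original notes): a small model of how one
# iptables chain is walked. Rules are "match:target" tokens where match is a
# protocol name or "all"; the packet is just a protocol name. This is a
# simplification (no ports, addresses or state), enough to show the ordering rules.

# walk_chain POLICY PACKET_PROTO RULE...
# Prints the verdict on stdout; LOG hits go to stderr so the verdict stays clean.
walk_chain() {
    local policy=$1 proto=$2 rule match target
    shift 2
    for rule in "$@"; do
        match=${rule%%:*}
        target=${rule#*:}
        # "all" behaves like -p all (or no -p at all): it matches every protocol
        if [ "$match" = all ] || [ "$match" = "$proto" ]; then
            if [ "$target" = LOG ]; then
                echo "LOG: $proto packet hit rule '$rule'" >&2
                continue        # LOG is non-terminating: keep walking the chain
            fi
            echo "$target"      # first terminating match decides; stop here
            return 0
        fi
    done
    echo "$policy"              # nothing matched: the chain's default policy decides
}

# A chain modelled on the notes' host firewall: policy DROP, ICMP logged then dropped, TCP allowed.
walk_chain DROP tcp  icmp:LOG icmp:DROP tcp:ACCEPT   # ACCEPT
walk_chain DROP icmp icmp:LOG icmp:DROP tcp:ACCEPT   # DROP, after a LOG line on stderr
walk_chain DROP udp  icmp:LOG icmp:DROP tcp:ACCEPT   # DROP, from the default policy
# Shadowed rule: a catch-all ACCEPT placed earlier means the later DROP never fires,
# which is why specific rules are inserted at the head with -I rather than appended with -A.
walk_chain ACCEPT icmp all:ACCEPT icmp:DROP           # ACCEPT
```

The same ordering applies to the real INPUT chain listed later in these notes: a rule appended after a broader ACCEPT is never reached, and `iptables -nL --line-numbers` is the quickest way to see which rule is actually terminating a packet.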
iptables usage
Management program location: /sbin/iptables
Persisting rules: iptables-save > /etc/sysconfig/iptables
Command syntax: iptables [-t table] option [chain] [match conditions] [-j target]

| Category | Option | Purpose |
|---|---|---|
| View rules | -L | list all rule entries (when combined with -n, put -L after it: -nL) |
| | -n | show addresses, ports and similar information numerically |
| | --line-numbers | show each rule's number when listing |
| Add rules | -A | append a rule at the end of the chain |
| | -I | insert a rule at the head of the chain (or at the given rule number) |
| Delete rules | -D | delete the rule with the given number (or matching content) from the chain |
| | -F | flush all rules |
| Default policy | -P | set the default policy for the given chain |

| Category | Match | Usage |
|---|---|---|
| Generic matches | protocol | -p protocol (icmp, tcp, udp, ...) |
| | address | -s source-address -d destination-address |
| | interface | -i NIC receiving the packet -o NIC sending the packet |
| Implicit matches | port | --sport source-port --dport destination-port |
| | ICMP type | --icmp-type ICMP-type |

| Category | Match | Usage |
|---|---|---|
| Extended matches (-m) | MAC address | -m mac --mac-source MAC-address |
| | multiple ports | -m multiport --sports source-port-list / -m multiport --dports destination-port-list |
| | IP range | -m iprange --src-range IP1-IP2 / -m iprange --dst-range IP1-IP2 |

| Target | Effect |
|---|---|
| ACCEPT | allow the packet through |
| DROP | discard silently, without any response |
| REJECT | refuse the packet, sending an error reply where appropriate |
| LOG | log the packet and hand it to the next rule (the exception to the "first match stops" rule) |

Controls in the filter table
Notes / rules of thumb
The table may be omitted (defaults to filter); if the chain is omitted, the command applies to every chain of that table; when no rule matches, the default policy is used.
Options (with a few exceptions), chain names and targets are written in upper case; everything else in lower case.
After changing rules on the command line, save them to the configuration file, otherwise they revert to the original state after a reboot.
[[email protected] ~]# iptables -t filter -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[[email protected] ~]# iptables -t filter -F
[[email protected] ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[[email protected] ~]# iptables-save //prints the current rules to the screen; this alone does not persist them
# Generated by iptables-save v1.4.21 on Fri Jan 4 10:44:40 2019
*raw
:PREROUTING ACCEPT [188:13984]
:OUTPUT ACCEPT [131:12720]
...
*filter
:INPUT ACCEPT [233:17208]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [155:15000]
COMMIT
# Completed on Fri Jan 4 10:44:40 2019
Host-based firewall: controlling inbound traffic with the filter table's INPUT chain
[[email protected] ~]# iptables -t filter -P INPUT DROP //change the default policy
[[email protected] ~]# iptables -t filter -nL INPUT //other hosts can no longer reach this machine remotely
Chain INPUT (policy DROP)
target prot opt source destination
[[email protected] ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT //after adding this rule, remote connections work again
[[email protected] ~]# ssh -X 192.168.4.51
[email protected]'s password:
Last login: Fri Jan 4 10:16:36 2019 from 192.168.4.254
[[email protected] ~]# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
[[email protected] ~]# iptables -t filter -nL INPUT
...
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
[[email protected] ~]# iptables -t filter -I INPUT -p tcp -s 192.168.4.254 -j ACCEPT
//change the firewall rules so that packets from 192.168.4.254 are accepted
[[email protected] ~]# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.4.254 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
[[email protected] ~]# ping 192.168.4.51 //ping 192.168.4.51 from the physical host: unreachable
PING 192.168.4.51 (192.168.4.51) 56(84) bytes of data.
[[email protected] ~]# iptables -t filter -I INPUT -p icmp -j ACCEPT //change the rules
[[email protected] ~]# ping 192.168.4.51
PING 192.168.4.51 (192.168.4.51) 56(84) bytes of data.
64 bytes from 192.168.4.51: icmp_seq=149 ttl=64 time=0.333 ms
64 bytes from 192.168.4.51: icmp_seq=150 ttl=64 time=0.184 ms
Change the rules so that this host can ping other hosts while other hosts cannot ping it
--icmp-type ICMP-type: echo-reply (pong), echo-request (ping)
[[email protected] ~]# iptables -t filter -D INPUT 1 //delete the allow-ICMP rule added above
[[email protected] ~]# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.4.254 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
[[email protected] ~]# iptables -t filter -I INPUT -p icmp --help //view the help
[[email protected] ~]# iptables -t filter -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT //change the rules so that replies to our pings are accepted
[[email protected] ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
[[email protected] ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 //with numeric output the ICMP type is shown as 0
[[email protected] ~]# ping 192.168.4.254
PING 192.168.4.254 (192.168.4.254) 56(84) bytes of data.
64 bytes from 192.168.4.254: icmp_seq=1 ttl=64 time=0.129 ms
64 bytes from 192.168.4.254: icmp_seq=2 ttl=64 time=0.173 ms
[[email protected] ~]# ping 192.168.4.51
PING 192.168.4.51 (192.168.4.51) 56(84) bytes of data.
^C
--- 192.168.4.51 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
Use MAC address matching to stop other hosts pinging this one (restore the INPUT default policy to ACCEPT and delete the other rules to verify)
[[email protected] ~]# arp -n //shows the MAC addresses of the hosts that pinged this machine
Address HWtype HWaddress Flags Mask Iface
192.168.4.52 ether 52:54:00:c0:85:a7 C eth0
192.168.4.254 ether 52:54:00:37:78:11 C eth0
[[email protected] ~]# iptables -t filter -A INPUT -p icmp -m mac --mac-source 52:54:00:c0:85:a7 -j DROP //block host 192.168.4.52
[[email protected] ~]# iptables -t filter -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 MAC 52:54:00:C0:85:A7
Use multiport to block access to this host's ports 80 (httpd/nginx) and 8080 (tomcat)
[[email protected] ~]# iptables -t filter -A INPUT -p tcp -m multiport --dports 80,8080 -j DROP
[[email protected] ~]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080
Control other hosts by IP range
[[email protected] ~]# iptables -t filter -A INPUT -p icmp -m iprange --src-range 192.168.4.100-192.168.4.110 -j DROP
[[email protected] ~]# iptables -t filter -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.4.100-192.168.4.110
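The INPUT chain in this section was built rule by rule on a live system, with the default policy switched to DROP before the ssh rule existed, and the notes warn that unsaved rules vanish on reboot. As an added example (not code from the original notes), the script below assembles the same host firewall as one iptables-restore ruleset, validates it, loads it atomically and saves it to /etc/sysconfig/iptables, so there is never a moment where the policy is DROP and ssh is not yet allowed. The management subnet 192.168.4.0/24 and the ssh port are assumptions taken from the lab addresses; `host_ruleset`, `apply_host_ruleset` and `rule_index` are my helper names.

```bash
#!/bin/bash
# Added example (not from the original notes): build the host firewall from the
# notes as one iptables-restore ruleset and load it in a single transaction,
# instead of changing the live INPUT chain rule by rule. The management subnet
# and ssh port are assumptions; override them in the environment if needed.

MGMT_NET=${MGMT_NET:-192.168.4.0/24}   # assumption: where administrators ssh from
SSH_PORT=${SSH_PORT:-22}

# host_ruleset: print the filter-table ruleset in iptables-save format.
host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host opened; first, so later rules cannot break them
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh only from the management subnet; present before the DROP policy ever applies
-A INPUT -p tcp -s ${MGMT_NET} --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# web service open to everyone
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# this host may ping others (replies come back) but others cannot ping it
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# LOG does not terminate the chain, so the packet continues on to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# apply_host_ruleset: validate, load atomically, then persist so it survives reboot.
# Needs root and a working iptables; it is not invoked automatically here.
apply_host_ruleset() {
    local tmp rc
    tmp=$(mktemp) || return 1
    host_ruleset > "$tmp"
    # --test parses the file without touching the kernel; a typo aborts before anything changes
    if ! iptables-restore --test "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    iptables-restore "$tmp" && iptables-save > /etc/sysconfig/iptables
    rc=$?
    rm -f "$tmp"
    return $rc
}

# rule_index PATTERN: line number of the first INPUT rule matching PATTERN,
# handy for asserting that rules are in the intended order.
rule_index() {
    host_ruleset | grep -n -- "-A INPUT" | grep -- "$1" | head -1 | cut -d: -f1
}

host_ruleset   # print the ruleset for inspection when run directly
```

Running `host_ruleset` shows the exact text that `iptables-restore` will load; `apply_host_ruleset` is the root-only step, and because it ends with `iptables-save > /etc/sysconfig/iptables` the ruleset is what `iptables.service` restores at boot.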
Network-based firewall: control at the gateway
Topology:

| Host 51 | Host 52 (gateway) | Host 53 |
|---|---|---|
| 192.168.4.51 eth0 | 192.168.4.52 eth0, 192.168.2.52 eth1 | 192.168.2.53 eth1 |

Make 4.51 and 2.53 reach each other (run the following on 51 and on 53 respectively)
[[email protected] ~]# systemctl stop NetworkManager
[[email protected] ~]# route add default gw 192.168.4.52 //add the default gateway; use del to remove it
[[email protected] ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.4.52 0.0.0.0 UG 0 0 0 eth0
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
[[email protected] ~]# systemctl stop NetworkManager
[[email protected] ~]# route add default gw 192.168.2.52
[[email protected] ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.52 0.0.0.0 UG 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
Configure kernel IP forwarding on host 52
[[email protected] ~]# sysctl -a | grep forward //list all kernel parameters and search for "forward"
...
net.ipv4.ip_forward = 1
...
[[email protected] ~]# vim /etc/sysctl.conf
[[email protected] ~]# tail -1 /etc/sysctl.conf
net.ipv4.ip_forward = 1
//this is already enabled by default here
Write the firewall rules on host 52
[[email protected] ~]# iptables -t filter -A FORWARD -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -t filter -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
[[email protected] ~]# curl http://192.168.4.51 //verify that the connection fails
[[email protected] ~]# iptables -t filter -F FORWARD
[[email protected] ~]# iptables -t filter -A FORWARD -p tcp -m multiport --dports 80,8080,22 -j DROP //block several services at once
[[email protected] ~]# iptables -t filter -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080,22
When the default policy is DROP, add rules to allow access
[[email protected] ~]# iptables -t filter -F
[[email protected] ~]# iptables -t filter -P FORWARD DROP
[[email protected] ~]# iptables -t filter -nL FORWARD
Chain FORWARD (policy DROP)
[[email protected] ~]# iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT
[[email protected] ~]# tcpdump -i eth0 -A tcp port 80 //capture on 51 to verify whether the packets arrive
[[email protected] ~]# iptables -t filter -A FORWARD -p tcp --sport 80 -j ACCEPT
[[email protected] ~]# iptables -t filter -nL FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
[[email protected] ~]# curl 192.168.4.51 //verify that access works; firefox can also be used to test
Default policy DROP: change the rules so that the hosts can ping each other
You can simply use iptables -t filter -A FORWARD -p icmp -j ACCEPT, or the method below
[[email protected] ~]# iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
[[email protected] ~]# iptables -t filter -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
[[email protected] ~]# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
Controls in the nat table

| Simulated internal network | Linux gateway (firewall) | Simulated public network |
|---|---|---|
| 192.168.2.53 eth1 | 192.168.2.52 eth1, 192.168.4.52 eth0 | 192.168.4.51 eth0 |

Source address translation (sharing one IP address)
Point the default gateway of 2.53 at 2.52
[[email protected] ~]# route -n //53 is the internal host; its gateway address is changed to 192.168.2.52
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.52 0.0.0.0 UG 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
Configure host 52
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -t filter -P FORWARD ACCEPT
[[email protected] ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Configure host 51 and start the httpd or nginx service
[[email protected] ~]# route -n //51 plays the public network; no default gateway is needed
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
[[email protected] ~]# netstat -pntul | grep :80
tcp6 0 0 :::80 :::* LISTEN 6370/httpd
[[email protected] ~]# echo "123" > /var/www/html/test.html //write a test page
Perform address translation on 52
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -p tcp --dport 80 -j SNAT --to-source 192.168.4.52
//-s 192.168.2.0/24 is the LAN subnet; -p tcp --dport 80 limits the rule to web traffic; -j SNAT --to-source 192.168.4.52 rewrites the source to the IP address of the external interface
Connect from 53 to the http service on 51, then check the log file on 51
[[email protected] ~]# curl 192.168.4.51/test.html
123
[[email protected] ~]# tail -1 /var/log/httpd/access_log //view the log
192.168.4.52 - - [04/Jan/2019:17:53:50 +0800] "GET / HTTP/1.1" 403 3985 "-" "curl/7.29.0"
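As an added example (not code from the original notes), the script below writes the gateway configuration of the network-firewall and SNAT sections as one iptables-restore ruleset: SNAT in the nat table, and a FORWARD chain whose default policy is DROP but which admits LAN-initiated web traffic and lets the replies back by connection state rather than by a blanket `--sport 80` rule (which would forward any packet whose source port happens to be 80). A helper enables IPv4 forwarding, which the notes check with sysctl. Interface names and addresses follow the lab topology but are parameters; `gateway_ruleset` and `enable_forwarding` are my names.

```bash
#!/bin/bash
# Added example (not from the original notes): the NAT gateway of the lab as one
# iptables-restore ruleset. Addresses and interfaces default to the lab topology
# (LAN on eth1 = 192.168.2.0/24, external IP 192.168.4.52 on eth0) and can be
# overridden from the environment.

LAN_IF=${LAN_IF:-eth1}; LAN_NET=${LAN_NET:-192.168.2.0/24}
WAN_IF=${WAN_IF:-eth0}; WAN_IP=${WAN_IP:-192.168.4.52}

# gateway_ruleset: print nat and filter tables in iptables-save format.
gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the LAN source address to the gateway's external IP (SNAT, as in the notes);
# conntrack un-translates the replies automatically, no extra rule is needed for them
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# return traffic of connections already tracked, in either direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections only from the LAN towards the outside, and only to web ports
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# LAN hosts may ping outside; unsolicited pings from outside into the LAN are not forwarded
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -p icmp --icmp-type echo-request -j ACCEPT
# everything else is logged (rate limited) and then falls through to the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# enable_forwarding: turn on IPv4 routing now and make it persistent in /etc/sysctl.conf.
# Needs root; not invoked automatically here.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 || return 1
    if ! grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf 2>/dev/null; then
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# forward_rule_count: number of FORWARD rules in the generated ruleset (for checks).
forward_rule_count() {
    gateway_ruleset | grep -c -- '^-A FORWARD'
}

gateway_ruleset   # print the ruleset for inspection when run directly
```

Load it the same way as a host ruleset (`iptables-restore --test` first, then `iptables-restore` and `iptables-save > /etc/sysconfig/iptables`), and call `enable_forwarding` on the gateway; without ip_forward=1 the FORWARD chain never sees any packets, which is the first thing to check when a LAN host cannot reach 192.168.4.51.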
Destination address translation (publishing a private-network service)