9. Saving and restoring firewall rules
iptables-save: saves the rules; by default it prints them to the screen
iptables-restore: restores the rules; feed it the saved file
Write the rules to /etc/sysconfig/iptables:

```
[root@Ansible ~]# iptables-save >/etc/sysconfig/iptables
[root@Ansible ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sun May 7 16:11:34 2023
*nat
:PREROUTING ACCEPT [306:36403]
:INPUT ACCEPT [182:29467]
:OUTPUT ACCEPT [145:11135]
:POSTROUTING ACCEPT [145:11135]
COMMIT
# Completed on Sun May 7 16:11:34 2023
# Generated by iptables-save v1.4.21 on Sun May 7 16:11:34 2023
*filter
:INPUT DROP [17:1428]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:5580]
-A INPUT -p icmp -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun May 7 16:11:34 2023
[root@Ansible ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Ansible ~]# iptables -D INPUT 1
[root@Ansible ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Ansible ~]# iptables-restore < /etc/sysconfig/iptables
[root@Ansible ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

In addition, systemctl restart iptables (the iptables service from the iptables-services package) reads /etc/sysconfig/iptables when it starts, so rules saved there survive a reboot.
10. Short summary of the filter table
1. Block IPs, ports and subnets
2. Block ping
3. Limit rate and concurrency
4. The iptables filter table can be used on cloud servers
How it is used in practice
Two ways to configure iptables: 1. "strolling in the park" mode, where the default policy is ACCEPT; 2. "watching a movie" mode, where the default policy is DROP
The following walkthrough uses default deny.
1. Make sure SSH can still connect
```
[root@Ansible ~]# iptables -F
[root@Ansible ~]# iptables -X
[root@Ansible ~]# iptables -Z
[root@Ansible ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Ansible ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@Ansible ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@Web01 ~]# ssh 10.0.0.61 hostname
root@10.0.0.61's password:
Ansible
```
2. Allow traffic on the local loopback interface
Allow traffic in and out of the loopback interface lo (local communication):

```
[root@Ansible ~]# iptables -A INPUT -i lo -j ACCEPT
[root@Ansible ~]# iptables -A OUTPUT -o lo -j ACCEPT
```
3. Set the default policies and open ports 80 and 443

```
[root@Ansible ~]# iptables -P INPUT DROP
[root@Ansible ~]# iptables -P FORWARD DROP
[root@Ansible ~]# iptables -P OUTPUT ACCEPT
[root@Ansible ~]#
[root@Ansible ~]# iptables -A INPUT -m multiport -p tcp --dport 443,80 -j ACCEPT
[root@Ansible ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 443,80

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@Ansible ~]# iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
[root@Ansible ~]# iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
# A VPN subnet, e.g. 10.7.1.0/24, can be added here the same way

[root@Ansible ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 443,80
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
ACCEPT     all  --  172.16.1.0/24        0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@Ansible ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sun May 7 16:24:29 2023
*nat
:PREROUTING ACCEPT [9:711]
:INPUT ACCEPT [2:112]
:OUTPUT ACCEPT [3:312]
:POSTROUTING ACCEPT [3:312]
COMMIT
# Completed on Sun May 7 16:24:29 2023
# Generated by iptables-save v1.4.21 on Sun May 7 16:24:29 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7:1480]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,80 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.1.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun May 7 16:24:29 2023
```
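Steps 1 to 3 above apply the default-deny ruleset one command at a time, and section 9 shows the save/restore file format. The script below is an added example (not from the original post) that builds the same ruleset as one iptables-restore file, so it is loaded atomically, and runs a lockout check on any saved file before applying it. The trusted subnets and ports are assumptions taken from the walkthrough; the ESTABLISHED,RELATED rule is an addition so that replies to the host's own outbound connections are not dropped by the INPUT DROP policy.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds the "watching a movie"
# (default DROP) ruleset as one iptables-restore file and checks it for lockout
# risk before applying it. Nothing touches the live firewall unless apply_ruleset
# is called as root.

# Print the complete filter table. Order matters: lo, established traffic and SSH
# are accepted before the DROP policy can bite. Argument: trusted subnets (assumed
# defaults are the walkthrough's two networks).
build_ruleset() {
    trusted="${1:-10.0.0.0/24 172.16.1.0/24}"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
                  '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
                  '-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
    for net in $trusted; do
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# Lockout check for an iptables-save style file: when the INPUT policy is DROP,
# there must be an explicit ACCEPT for the SSH port (default 22) and for lo.
# Returns 0 when safe, 1 when SSH is missing, 2 when loopback is missing.
check_ruleset() {
    file="$1"; sshport="${2:-22}"
    if grep -q '^:INPUT DROP' "$file"; then
        grep -Eq -- "^-A INPUT .*--dport ${sshport}( |$)" "$file" || return 1
        grep -Eq -- '^-A INPUT -i lo -j ACCEPT' "$file" || return 2
    fi
    return 0
}

# Load the file atomically and persist it, but only if the check passes.
apply_ruleset() {
    check_ruleset "$1" || { echo "refusing to apply $1: lockout risk" >&2; return 1; }
    iptables-restore < "$1" && iptables-save > /etc/sysconfig/iptables
}
```

Typical use: `build_ruleset > /tmp/rules.v4 && apply_ruleset /tmp/rules.v4`; the check also works on an existing /etc/sysconfig/iptables before a reboot.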
NAT table
Reset the chains first

```
[root@Ansible ~]# iptables -P INPUT ACCEPT
[root@Ansible ~]# iptables -P FORWARD ACCEPT
[root@Ansible ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 443,80
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
ACCEPT     all  --  172.16.1.0/24        0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
[root@Ansible ~]# iptables -F
[root@Ansible ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
1. Sharing an internet connection (SNAT)
1. Firewall configuration

```
[root@Ansible ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61
[root@Ansible ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@Ansible ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_forward = 1

# Note: when the public IP is not fixed, use MASQUERADE instead of SNAT:
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
```
2. Web server configuration

```
[root@Web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no        # external NIC: do not bring up at boot
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.2
DNS1=223.5.5.5
[root@Web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.7
PREFIX=24
GATEWAY=172.16.1.61    # gateway is the NAT host's internal address
DNS1=1.2.4.8
[root@Web01 ~]# systemctl restart network
[root@Ansible ~]# ssh 172.16.1.7
Last login: Sun May 7 21:16:43 2023 from 10.0.0.1
[root@Web01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0c:29:91:01:20 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:91:01:2a brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe91:12a/64 scope link
       valid_lft forever preferred_lft forever
```
3. Test results on web01

```
[root@Web01 ~]# ip r
default via 172.16.1.61 dev eth1
169.254.0.0/16 dev eth1 scope link metric 1003
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.7
[root@Web01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.1.61     0.0.0.0         UG    0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
[root@Web01 ~]# ping baidu.com
PING baidu.com (39.156.66.10) 56(84) bytes of data.
64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=1 ttl=127 time=10.3 ms
64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=2 ttl=127 time=12.3 ms
^C
--- baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 10.306/11.346/12.386/1.040 ms
[root@Web01 ~]# ping 1.2.4.8
PING 1.2.4.8 (1.2.4.8) 56(84) bytes of data.
64 bytes from 1.2.4.8: icmp_seq=1 ttl=127 time=12.5 ms
64 bytes from 1.2.4.8: icmp_seq=2 ttl=127 time=11.3 ms
^C
--- 1.2.4.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 11.337/11.945/12.554/0.618 ms
```
2. Port forwarding (port mapping)

```
[root@Ansible ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -p tcp --dport 9000 -j DNAT --to-destination 172.16.1.7:22
[root@Ansible ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.0.0.61            tcp dpt:9000 to:172.16.1.7:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.1.0/24        0.0.0.0/0            to:10.0.0.61
```
Test from the local shell (Xshell on Windows)

```
c:\~]$ ssh root@10.0.0.61 9000


Connecting to 10.0.0.61:9000...
Connection established.
To escape to local shell, press Ctrl+Alt+].

Last login: Sun May 7 21:34:55 2023 from 10.0.0.61
```
3. IP mapping (1:1 NAT, every port of the public address forwarded to the internal host)

```
[root@Ansible ~]# iptables -t nat -A PREROUTING -d 10.0.0.62 -j DNAT --to-destination 172.16.1.7
[root@Ansible ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.0.0.61            tcp dpt:9000 to:172.16.1.7:22
DNAT       all  --  0.0.0.0/0            10.0.0.62            to:172.16.1.7

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.16.1.0/24        0.0.0.0/0            to:10.0.0.61
```
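Port forwarding and IP mapping both expose internal hosts through the NAT box, and a 1:1 mapping exposes every port of the target. The script below is an added example (not from the original post) that inventories what a NAT table exposes: it reads an iptables-save style dump and prints one line per DNAT rule, flagging whole-host mappings. The sample dump is constructed from the two rules above; on a live box feed it `iptables-save -t nat` instead.

```shell
#!/bin/sh
# Added example (not part of the original post): list what the nat table forwards
# into the internal network. SAMPLE_NAT is a constructed dump built from the
# walkthrough's DNAT/SNAT rules, in the format iptables-save emits.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.61/32 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.16.1.7:22
-A PREROUTING -d 10.0.0.62/32 -j DNAT --to-destination 172.16.1.7
-A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61
COMMIT'

# Usage: list_dnat < dump   (live system: iptables-save -t nat | list_dnat)
# Output: <external addr> <proto> <port|ALL> -> <internal target> [WHOLE-HOST]
# A rule with no --dport forwards every port, so it is flagged WHOLE-HOST.
list_dnat() {
    awk '
    /^-A PREROUTING/ && / -j DNAT / {
        ext = "?"; proto = "any"; port = "ALL"; dst = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { ext = $(i+1); sub(/\/32$/, "", ext) }
            else if ($i == "-p") proto = $(i+1)
            else if ($i == "--dport") port = $(i+1)
            else if ($i == "--to-destination") dst = $(i+1)
        }
        flag = (port == "ALL") ? " WHOLE-HOST" : ""
        printf "%s %s %s -> %s%s\n", ext, proto, port, dst, flag
    }'
}

# Number of rules that expose an entire internal host; review these first.
count_whole_host() {
    list_dnat | grep -c 'WHOLE-HOST'
}
```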
4. Short summary of the NAT table
1. Can share an internet connection (SNAT/MASQUERADE)
2. Can do port forwarding (DNAT)
3. NAT cannot be used on cloud servers, but there is a substitute called a NAT gateway
iptables practice exercises
1. Commands to view all current iptables rules

```bash
iptables-save

iptables -nL

iptables -nL -t nat
```
2. Block requests from the IP address 10.0.0.188 to port 80

```bash
iptables -I INPUT -s 10.0.0.188 -p tcp --dport 80 -j DROP
```

3. Make rules executed on the command line permanent

```bash
iptables-save > /etc/sysconfig/iptables
```

4. Forward requests for 10.0.0.3:80 to 172.16.1.17:80

```bash
iptables -t nat -A PREROUTING -d 10.0.0.3 -p tcp --dport 80 -j DNAT --to-destination 172.16.1.17:80
```

5. Let all hosts in 172.16.1.0/24 share the internet through the public IP 124.32.54.26

```bash
# fixed public IP: rewrite the source to that address
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 124.32.54.26

# public IP may change: masquerade instead (a rule has one target, either SNAT or MASQUERADE)
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
```

6. Use iptables to mitigate SYN flood DDoS and ping attacks

```bash
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
```

Explanation: the first line allows a burst of up to 5 new connections, refilled at 1 per second. The second line mitigates various port scans. The third line covers ping floods (Ping of Death); adjust or disable it as needed. These rules only ACCEPT traffic within the limit, so they have an effect only when a DROP rule for the same match (or a DROP policy on the FORWARD chain) follows them; otherwise the excess is still accepted further down.

I am koten, with 10 years of operations experience, continually sharing practical ops content. Thank you for reading and following!