【运维知识进阶篇】iptables防火墙详解(iptables执行过程+表与链概述+iptables命令参数+配置filter表规则+NAT表实现共享上网、端口转发、IP映射)(三)

本文涉及的产品
公网NAT网关,每月750个小时 15CU
简介: 【运维知识进阶篇】iptables防火墙详解(iptables执行过程+表与链概述+iptables命令参数+配置filter表规则+NAT表实现共享上网、端口转发、IP映射)(三)

9、防火墙规则的保存与恢复

iptables-save 保存,默认输出到屏幕

iptables-restore 恢复,加上文件

写入/etc/sysconfig/iptables

1. [root@Ansible ~]# iptables-save   >/etc/sysconfig/iptables
2. [root@Ansible ~]#  cat /etc/sysconfig/iptables
3. # Generated by iptables-save v1.4.21 on Sun May  7 16:11:34 2023
4. *nat
5. :PREROUTING ACCEPT [306:36403]
6. :INPUT ACCEPT [182:29467]
7. :OUTPUT ACCEPT [145:11135]
8. :POSTROUTING ACCEPT [145:11135]
9. COMMIT
10. # Completed on Sun May  7 16:11:34 2023
11. # Generated by iptables-save v1.4.21 on Sun May  7 16:11:34 2023
12. *filter
13. :INPUT DROP [17:1428]
14. :FORWARD ACCEPT [0:0]
15. :OUTPUT ACCEPT [49:5580]
16. -A INPUT -p icmp -m limit --limit 10/min -j ACCEPT
17. -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
18. COMMIT
19. # Completed on Sun May  7 16:11:34 2023
20. [root@Ansible ~]# iptables -nL
21. Chain INPUT (policy DROP)
22. target     prot opt source               destination
23. ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
24. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
25. 
26. Chain FORWARD (policy ACCEPT)
27. target     prot opt source               destination
28. 
29. Chain OUTPUT (policy ACCEPT)
30. target     prot opt source               destination
31. [root@Ansible ~]# iptables -D INPUT 1
32. [root@Ansible ~]# iptables -nL
33. Chain INPUT (policy DROP)
34. target     prot opt source               destination
35. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
36. 
37. Chain FORWARD (policy ACCEPT)
38. target     prot opt source               destination
39. 
40. Chain OUTPUT (policy ACCEPT)
41. target     prot opt source               destination
42. [root@Ansible ~]# iptables-restore < /etc/sysconfig/iptables
43. [root@Ansible ~]# iptables -nL
44. Chain INPUT (policy DROP)
45. target     prot opt source               destination
46. ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
47. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
48. 
49. Chain FORWARD (policy ACCEPT)
50. target     prot opt source               destination
51. 
52. Chain OUTPUT (policy ACCEPT)
53. target     prot opt source               destination
54. 
55. 此外,systemctl restart iptables 会读取/etc/sysconfig/iptables内容

10、filter表简单总结

1、封ip,端口,网段

2、禁止ping

3、限制速度和并发

4、iptables filter表功能可以在云服务器使用

企业中用法

iptables配置方式:1、逛公园模式,默认规则是ACCEPT;2、看电影模式,默认规则是DROP

默认是拒绝

1、ssh可以连接

1. [root@Ansible ~]# iptables -F
2. [root@Ansible ~]# iptables -X
3. [root@Ansible ~]# iptables -Z
4. [root@Ansible ~]# iptables -nL
5. Chain INPUT (policy ACCEPT)
6. target     prot opt source               destination
7. 
8. Chain FORWARD (policy ACCEPT)
9. target     prot opt source               destination
10. 
11. Chain OUTPUT (policy ACCEPT)
12. target     prot opt source               destination
13. [root@Ansible ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
14. [root@Ansible ~]# iptables -nL
15. Chain INPUT (policy ACCEPT)
16. target     prot opt source               destination
17. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
18. 
19. Chain FORWARD (policy ACCEPT)
20. target     prot opt source               destination
21. 
22. Chain OUTPUT (policy ACCEPT)
23. target     prot opt source               destination
24. 
25. 
26. 
27. [root@Web01 ~]# ssh 10.0.0.61 hostname
28. root@10.0.0.61's password: 
29. Ansible
30.

2、设置允许本机lo通讯规则

允许本机回环lo(本地操作)接口数据流量流出和流入

1. [root@Ansible ~]# iptables -A INPUT -i lo -j ACCEPT
2. [root@Ansible ~]# iptables -A OUTPUT -o lo -j ACCEPT

3、配置默认规则及放行80,443端口

1. [root@Ansible ~]# iptables -P INPUT DROP 
2. [root@Ansible ~]# iptables -P FORWARD DROP 
3. [root@Ansible ~]# iptables -P OUTPUT ACCEPT
4. [root@Ansible ~]# 
5. [root@Ansible ~]# iptables -A INPUT  -m multiport -p tcp  --dport 443,80   -j ACCEPT
6. [root@Ansible ~]# iptables -nL 
7. Chain INPUT (policy DROP)
8. target     prot opt source               destination
9. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
10. ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
11. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 443,80
12. 
13. Chain FORWARD (policy DROP)
14. target     prot opt source               destination
15. 
16. Chain OUTPUT (policy ACCEPT)
17. target     prot opt source               destination
18. ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
19. [root@Ansible ~]# iptables -A INPUT  -s 10.0.0.0/24  -j ACCEPT
20. [root@Ansible ~]# iptables -A INPUT  -s 172.16.1.0/24  -j ACCEPT
21. #此处还可以添加 vpn网段 比如说 10.7.1.0/24
22. 
23. [root@Ansible ~]# iptables -nL
24. Chain INPUT (policy DROP)
25. target     prot opt source               destination
26. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
27. ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
28. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 443,80
29. ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
30. ACCEPT     all  --  172.16.1.0/24        0.0.0.0/0
31. 
32. Chain FORWARD (policy DROP)
33. target     prot opt source               destination
34. 
35. Chain OUTPUT (policy ACCEPT)
36. target     prot opt source               destination
37. ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
38. [root@Ansible ~]# iptables-save 
39. # Generated by iptables-save v1.4.21 on Sun May  7 16:24:29 2023
40. *nat
41. :PREROUTING ACCEPT [9:711]
42. :INPUT ACCEPT [2:112]
43. :OUTPUT ACCEPT [3:312]
44. :POSTROUTING ACCEPT [3:312]
45. COMMIT
46. # Completed on Sun May  7 16:24:29 2023
47. # Generated by iptables-save v1.4.21 on Sun May  7 16:24:29 2023
48. *filter
49. :INPUT DROP [0:0]
50. :FORWARD DROP [0:0]
51. :OUTPUT ACCEPT [7:1480]
52. -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
53. -A INPUT -i lo -j ACCEPT
54. -A INPUT -p tcp -m multiport --dports 443,80 -j ACCEPT
55. -A INPUT -s 10.0.0.0/24 -j ACCEPT
56. -A INPUT -s 172.16.1.0/24 -j ACCEPT
57. -A OUTPUT -o lo -j ACCEPT
58. COMMIT
59. # Completed on Sun May  7 16:24:29 2023

NAT表

恢复链

1. [root@Ansible ~]# iptables -P INPUT ACCEPT
2. [root@Ansible ~]# iptables -P FORWARD ACCEPT
3. [root@Ansible ~]# iptables -nL
4. Chain INPUT (policy ACCEPT)
5. target     prot opt source               destination
6. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7. ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
8. ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 443,80
9. ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
10. ACCEPT     all  --  172.16.1.0/24        0.0.0.0/0
11. 
12. Chain FORWARD (policy ACCEPT)
13. target     prot opt source               destination
14. 
15. Chain OUTPUT (policy ACCEPT)
16. target     prot opt source               destination
17. ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
18. [root@Ansible ~]# iptables -F
19. [root@Ansible ~]# iptables -nL
20. Chain INPUT (policy ACCEPT)
21. target     prot opt source               destination
22. 
23. Chain FORWARD (policy ACCEPT)
24. target     prot opt source               destination
25. 
26. Chain OUTPUT (policy ACCEPT)
27. target     prot opt source               destination

1、实现共享上网

1、防火墙配置

1. [root@Ansible ~]#  iptables -t nat -A POSTROUTING  -s 172.16.1.0/24   -j SNAT  --to-source 10.0.0.61
2. [root@Ansible ~]# echo 'net.ipv4.ip_forward = 1'  >> /etc/sysctl.conf 
3. [root@Ansible ~]# sysctl -p
4. net.ipv4.icmp_echo_ignore_all = 0
5. net.ipv4.ip_forward = 1
6. 
7. 注意:公网IP不固定
8. iptables -t nat -A POSTROUTING  -s 172.16.1.0/24   -j  MASQUERADE

2、web配置

1. [root@Web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
2. TYPE=Ethernet
3. BOOTPROTO=none
4. NAME=eth0
5. DEVICE=eth0
6. ONBOOT=no            #修改网卡,禁止开机自启动
7. IPADDR=10.0.0.7
8. PREFIX=24
9. GATEWAY=10.0.0.2
10. DNS1=223.5.5.5
11. [root@Web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
12. TYPE=Ethernet
13. BOOTPROTO=none
14. NAME=eth0
15. DEVICE=eth0
16. ONBOOT=yes
17. IPADDR=10.0.0.7
18. PREFIX=24
19. GATEWAY=172.16.1.61
20. DNS1=1.2.4.8
21. [root@Web01 ~]# systemctl restart network
22. [root@Ansible ~]# ssh 172.16.1.7
23. Last login: Sun May  7 21:16:43 2023 from 10.0.0.1
24. [root@Web01 ~]# ip a
25. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
26.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
27.     inet 127.0.0.1/8 scope host lo
28. valid_lft forever preferred_lft forever
29.     inet6 ::1/128 scope host 
30. valid_lft forever preferred_lft forever
31. 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
32.     link/ether 00:0c:29:91:01:20 brd ff:ff:ff:ff:ff:ff
33. 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
34.     link/ether 00:0c:29:91:01:2a brd ff:ff:ff:ff:ff:ff
35.     inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
36. valid_lft forever preferred_lft forever
37.     inet6 fe80::20c:29ff:fe91:12a/64 scope link 
38. valid_lft forever preferred_lft forever

3、在web01测试结果

1. [root@Web01 ~]# ip r
2. default via 172.16.1.61 dev eth1
3. 169.254.0.0/16 dev eth1 scope link metric 1003
4. 172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.7
5. [root@Web01 ~]# route -n
6. Kernel IP routing table
7. Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
8. 0.0.0.0         172.16.1.61     0.0.0.0         UG    0      0        0 eth1
9. 169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
10. 172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
11. [root@Web01 ~]# ping baidu.com
12. PING baidu.com (39.156.66.10) 56(84) bytes of data.
13. 64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=1 ttl=127 time=10.3 ms
14. 64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=2 ttl=127 time=12.3 ms
15. ^C
16. --- baidu.com ping statistics ---
17. 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
18. rtt min/avg/max/mdev = 10.306/11.346/12.386/1.040 ms
19. [root@Web01 ~]# ping 1.2.4.8
20. PING 1.2.4.8 (1.2.4.8) 56(84) bytes of data.
21. 64 bytes from 1.2.4.8: icmp_seq=1 ttl=127 time=12.5 ms
22. 64 bytes from 1.2.4.8: icmp_seq=2 ttl=127 time=11.3 ms
23. ^C
24. --- 1.2.4.8 ping statistics ---
25. 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
26. rtt min/avg/max/mdev = 11.337/11.945/12.554/0.618 ms

2、端口转发(端口映射)

1. [root@Ansible ~]# iptables -t nat -A PREROUTING    -d 10.0.0.61 -p tcp --dport 9000  -j DNAT --to-destination 172.16.1.7:22
2. [root@Ansible ~]# iptables -nL -t nat
3. Chain PREROUTING (policy ACCEPT)
4. target     prot opt source               destination
5. DNAT       tcp  --  0.0.0.0/0            10.0.0.61            tcp dpt:9000 to:172.16.1.7:22
6. 
7. Chain INPUT (policy ACCEPT)
8. target     prot opt source               destination
9. 
10. Chain OUTPUT (policy ACCEPT)
11. target     prot opt source               destination
12. 
13. Chain POSTROUTING (policy ACCEPT)
14. target     prot opt source               destination
15. SNAT       all  --  172.16.1.0/24        0.0.0.0/0            to:10.0.0.61

本地shell测试

1. c:\~]$ ssh root@10.0.0.61 9000
2. 
3. 
4. Connecting to 10.0.0.61:9000...
5. Connection established.
6. To escape to local shell, press Ctrl+Alt+].
7. 
8. Last login: Sun May  7 21:34:55 2023 from 10.0.0.61

3、IP映射

1. [root@Ansible ~]#  iptables -t nat -A PREROUTING  -d 10.0.0.62  -j DNAT  --to-destination 172.16.1.7
2. [root@Ansible ~]# iptables -nL -t nat 
3. Chain PREROUTING (policy ACCEPT)
4. target     prot opt source               destination
5. DNAT       tcp  --  0.0.0.0/0            10.0.0.61            tcp dpt:9000 to:172.16.1.7:22
6. DNAT       all  --  0.0.0.0/0            10.0.0.62            to:172.16.1.7
7. 
8. Chain INPUT (policy ACCEPT)
9. target     prot opt source               destination
10. 
11. Chain OUTPUT (policy ACCEPT)
12. target     prot opt source               destination
13. 
14. Chain POSTROUTING (policy ACCEPT)
15. target     prot opt source               destination
16. SNAT       all  --  172.16.1.0/24        0.0.0.0/0            to:10.0.0.61

4、NAT表简单总结

1、可以实现共享上网

2、可以实现端口转发

3、NAT功能在云服务器无法使用,但有替代品叫NAT网关

iptables简单练习

1、查看iptables当前所有规则的命令

1. iptables-save 
2. 
3. iptables -nL
4. 
5. iptables -nL -t nat

2、禁止来自10.0.0.188IP地址访问80端口的请求

iptables -I   INPUT   -s 10.0.0.188 -p tcp   --dport 80      -j  DROP

3、在命令行执行的iptables规则永久生效

iptables-save > /etc/sysconfig/iptables

4、实现把访问10.0.0.3:80请求转到172.16.1.17:80

iptables -t nat  -A PREROUTING  -d 10.0.0.3  -p tcp --dport 80    -j   DNAT  --to-destination  172.16.1.17:80

5、实现172.16.1.0/24段所有主机通过124.32.54.26外网IP共享上网

1. iptables   -t nat  -A POSTROUTING    -s 172.16.1.0/24    -j  SNAT  --to-source   123.32.54.26
2. 
3. iptables   -t nat  -A POSTROUTING    -s 172.16.1.0/24    -j  SNAT  MASQUERADE

6、iptables实现防止syn ddos和ping攻击

1. -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
2. -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
3. -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
4. 说明:第一行:每秒中最多允许5个新连接。第二行:防止各种端口扫描。第三行:Ping洪水攻击(Ping of Death),可以根据需要调整或关闭

我是koten,10年运维经验,持续分享运维干货,感谢大家的阅读和关注!

目录
相关文章
|
18天前
|
网络协议
iptables配置tcp端口转发
iptables配置tcp端口转发
25 1
|
18天前
|
Linux 网络安全
Centos 防火墙端口控制命令
Centos 防火墙端口控制命令
28 3
|
19天前
|
运维 Kubernetes 监控
揭秘高效运维:如何用kubectl top命令实时监控K8s资源使用情况?
揭秘高效运维:如何用kubectl top命令实时监控K8s资源使用情况?
23 0
|
3月前
|
缓存 网络协议 数据安全/隐私保护
[运维笔记] - (命令).Windows server常用网络相关命令总结
[运维笔记] - (命令).Windows server常用网络相关命令总结
188 0
|
3月前
|
运维 Cloud Native Devops
云原生 DevOps 自动化运维 概述
【1月更文挑战第7天】云原生 DevOps 自动化运维 概述
|
19天前
|
运维 Kubernetes 容器
K8S运维命令必备kubectl命令总结
K8S运维命令必备kubectl命令总结
23 3
|
2月前
|
前端开发 Java 数据库连接
Springboot-MyBatis配置-配置端口号与服务路径(idea社区版2023.1.4+apache-maven-3.9.3-bin)
Springboot-MyBatis配置-配置端口号与服务路径(idea社区版2023.1.4+apache-maven-3.9.3-bin)
33 0
|
1月前
|
存储 安全 网络协议
使用 firewall-cmd 管理 Linux 防火墙端口
本文将介绍如何使用 firewall-cmd 工具在 Linux 系统中进行简单端口管理,包括开放、查询、关闭等操作。通过实例展示相关命令的用法,希望能对大家有所帮助。
|
5天前
|
运维 网络协议 安全
neutron 运维命令
OpenStack Neutron是OpenStack的网络服务,它负责管理虚拟机和其他计算资源之间的网络连接。Neutron提供API和插件,支持多种网络拓扑和服务,包括虚拟网络和物理网络的配置、管理和调度。它还支持IP地址分配、网络连接和安全策略等。
7 1
|
17天前
|
运维 Linux Shell
linux运维常用命令
linux运维常用命令