|NO.Z.00050|——————————|Applications|——|Firewall.V4|----------------------------------------------|3 servers|

[Applications: Firewall.V4]                                                                                   [Applications.LBC&HAC$HPC] [|Security hardening|Firewall|SNAT|DNAT|iptables scripts|Switching firewalld to iptables|3 servers|]

I. Lab: DNAT
### --- Lab environment

~~~     HA-server1: 10.10.10.11, the internal web server.
~~~     HA-server2: 10.10.10.12, two NICs. The first NIC, 10.10.10.12, is on the same network as 10.10.10.11; the second NIC, 20.20.20.12, simulates a public IP. This host acts as the router to the public network.
~~~     HA-server3: 10.10.10.13, the internal user.                         // All networks are in host-only mode.
### --- Start the Apache service on HA-server1

[root@server11 ~]# service httpd start
[root@server11 ~]# chkconfig httpd on
[root@server11 ~]# echo "this is the HA-server1:10.10.10.11 DNAT" >>/var/www/html/index.html
[root@server11 ~]# curl localhost
this is the HA-server1:10.10.10.11 DNAT 
### --- And point its default route at HA-server2 (10.10.10.12)

[root@server11 ~]# echo "GATEWAY=10.10.10.12" >>/etc/sysconfig/network-scripts/ifcfg-eth0
[root@server11 ~]# service network restart
[root@server11 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         10.10.10.12     0.0.0.0         UG    0      0        0 eth0
### --- Enable IP forwarding on HA-server2

[root@server12 ~]# vim /etc/sysctl.conf 
 net.ipv4.ip_forward = 1
[root@server12 ~]# sysctl -p
net.ipv4.ip_forward = 1 

[root@server12 ~]# service iptables start
[root@server12 ~]# chkconfig iptables on
[root@server12 ~]# iptables -L
[root@server12 ~]# iptables -F
### --- Add a DNAT rule

[root@server12 ~]# iptables -t nat -A PREROUTING -i eth1 -d 20.20.20.12 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.11

~~~     -t nat: the nat table. -A PREROUTING: append to the PREROUTING chain (matched before routing). -i eth1: inbound interface eth1; clients come in through the public-facing NIC, so the public address is used. -d 20.20.20.12: the destination address, i.e. this host's public address. -p tcp: TCP. --dport 80: destination port 80. -j DNAT: the DNAT target. --to-destination 10.10.10.11: the internal address to rewrite to.
~~~     When a packet arrives on eth1 addressed to 20.20.20.12 with destination port 80, its destination IP is rewritten to the internal service at 10.10.10.11.
[root@server12 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             20.20.20.12         tcp dpt:http to:10.10.10.11  
[root@server12 ~]# service iptables save
### --- Configure eth1 as 20.20.20.12

[root@server12 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1  
ONBOOT=yes
BOOTPROTO=static
IPADDR=20.20.20.12
NETMASK=255.255.255.0
[root@server12 ~]# service network restart
### --- Configure the NIC on HA-server3 (hostname server13)

[root@server13 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=20.20.20.13
NETMASK=255.255.255.0
[root@server13 ~]# service network restart
### --- Verification: a request from the HA-server3 client succeeds and returns the content. DNAT can expose internal services this way.

[root@server13 ~]# curl 20.20.20.12                                         // Access works and the content is returned.
this is the HA-server1:10.10.10.11 DNAT
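Because DNAT exposes internal hosts, it is worth being able to list exactly what a gateway publishes. The following is an added example, not code from the original post: it parses iptables-save output for the nat table and prints one line per DNAT rule. The sample ruleset is constructed inline; it mirrors the rule added on HA-server2 above plus a second constructed rule (port 2222 to 10.10.10.13:22) so the parser has more than one case to handle.

```shell
#!/bin/sh
# Added example: audit which internal hosts a gateway exposes through DNAT.
# Input is iptables-save text (e.g. "iptables-save -t nat" on the gateway).

# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 20.20.20.12/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.11
-A PREROUTING -d 20.20.20.12/32 -i eth1 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.10.10.13:22
COMMIT'

# dnat_exposures: read iptables-save text on stdin and print
# "iface public_ip:port -> internal_target" for every PREROUTING DNAT rule.
dnat_exposures() {
    awk '
    /^-A PREROUTING/ && /-j DNAT/ {
        iface = "any"; dst = "any"; port = "any"; target = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i+1)
            else if ($i == "-d") { dst = $(i+1); sub(/\/32$/, "", dst) }
            else if ($i == "--dport") port = $(i+1)
            else if ($i == "--to-destination") target = $(i+1)
        }
        printf "%s %s:%s -> %s\n", iface, dst, port, target
    }'
}

# count_exposed_hosts: number of distinct internal hosts reachable via DNAT
# (the target may carry a port suffix, which is stripped before counting).
count_exposed_hosts() {
    dnat_exposures | awk '{ split($4, a, ":"); print a[1] }' | sort -u | wc -l | tr -d ' '
}

# Run on the constructed sample; on a live gateway use:
#   iptables-save -t nat | dnat_exposures
printf '%s\n' "$SAMPLE_NAT" | dnat_exposures
```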
II. Firewall scripts
### --- Firewall scripts

~~~     Export (back up) rules: the iptables-save tool; combine it with output redirection to save to a chosen file.
~~~     Import (restore) rules: the iptables-restore tool; combine it with input redirection to read rules from a chosen source.
~~~     The iptables service:
~~~     Script location: /etc/init.d/iptables
~~~     Rule file location: /etc/sysconfig/iptables
### --- Changes on CentOS 7

~~~     rpm -e --nodeps firewalld
~~~     yum -y install iptables-services
~~~     systemctl start iptables
~~~     systemctl enable iptables

III. Lab: backing up and restoring iptables rules
### --- Backing up and restoring iptables rules
### --- Add a rule

[root@server11 ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server11 ~]# iptables -L
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
~~~     Make it persistent
[root@server11 ~]# service iptables save
 
### --- Backing up iptables rules: used when you want to export this rule, for example to another machine.
[root@server11 ~]# iptables-save >1.iptables
[root@server11 ~]# cat 1.iptables                                           // This file has the same content as /etc/sysconfig/iptables.
[root@server11 ~]# iptables -F
### --- Restoring iptables rules

[root@server11 ~]# iptables-restore < 1.iptables 
[root@server11 ~]# iptables -L
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
IV. Replacing firewalld.service with iptables on CentOS 7.x
### --- The default firewall on CentOS 7.x is firewalld.service

[root@server11 ~]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core)
[root@server11 ~]# systemctl start firewalld.service
[root@server11 ~]# systemctl status firewalld.service
### --- Stop firewalld.service, or uninstall firewalld

[root@server11 ~]# systemctl stop firewalld.service
[root@server11 ~]# systemctl disable firewalld.service
[root@server11 ~]# rpm -e --nodeps  firewalld                               // uninstall the firewalld package
### --- Install the iptables service

[root@server11 ~]# yum install -y iptables-services
[root@server11 ~]# systemctl start iptables
[root@server11 ~]# systemctl enable iptables
[root@server11 ~]# iptables -L       
[root@server11 ~]# iptables -F
### --- Add a new rule

[root@server11 ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server11 ~]# service iptables save                                    // persist the rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@server11 ~]# systemctl restart iptables                               // the rule is still present after restarting iptables

[root@server11 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
### --- Serious pitfall; use with care.

[root@server11 ~]# iptables -P INPUT DROP                                   // Port 22 is not covered by the rule for port 80, so the SSH session is cut off; you need console access to the server to allow it again.
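The backup and restore tools from section III are exactly what protects against the lockout just shown. As an added example, not code from the original post, the helper below snapshots the ruleset with iptables-save, applies a change, and restores the snapshot with iptables-restore after a timeout unless the change is confirmed from a working session. The tool paths and the snapshot location are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: apply a firewall change with a timed automatic rollback, so a
# mistake such as "iptables -P INPUT DROP" on a host you only reach over SSH
# undoes itself instead of locking you out.
# Assumed paths (override via the environment if they differ on your system).
IPT_SAVE=${IPT_SAVE:-/sbin/iptables-save}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}
BACKUP=${BACKUP:-/root/iptables.rollback}

# apply_with_rollback SECONDS CMD [ARGS...]
# Snapshot the current ruleset, run CMD, and restore the snapshot after
# SECONDS unless confirm_rules is called first from the same shell.
apply_with_rollback() {
    secs=$1
    shift
    "$IPT_SAVE" > "$BACKUP" || return 1
    if ! "$@"; then
        # the change itself failed: restore immediately
        "$IPT_RESTORE" < "$BACKUP"
        rm -f "$BACKUP"
        return 1
    fi
    # background timer: restores the snapshot if it still exists
    (
        sleep "$secs"
        [ -f "$BACKUP" ] && "$IPT_RESTORE" < "$BACKUP" && rm -f "$BACKUP"
    ) &
    ROLLBACK_PID=$!
    echo "rules applied; run confirm_rules within ${secs}s or they roll back"
}

# confirm_rules: the new rules work (e.g. a fresh SSH login succeeded), so
# cancel the timer and discard the snapshot.
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null || true
    rm -f "$BACKUP"
}
```

Typical use is `apply_with_rollback 120 iptables -P INPUT DROP`, then opening a new SSH session from another terminal and running `confirm_rules` only once that login works.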

V. Production iptables script (Cloud Computing - Security Defense - 57)
### --- 1. Write the iptables script. Use with care in production; adapt it to your own systems, as it is not a standard version.
[root@localhost ~]# vim iptables.sh 
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

# Refuse to run on anything but CentOS. On CentOS 7 /etc/issue no longer
# names the distribution, so /etc/redhat-release is checked as well.
function support_distro(){
    if ! egrep -qi "centos" /etc/issue /etc/redhat-release 2>/dev/null;then
        echo "Sorry,iptables script only support centos system now."
        exit 1
    fi
}

support_distro

echo "==================================iptables configure===================================================================="
# Only support CentOS system

# Detect the SSH port (first uncommented Port line), otherwise default to 22
if grep "^Port" /etc/ssh/sshd_config>/dev/null;then
    sshdport=`grep "^Port" /etc/ssh/sshd_config | awk 'NR==1{print $2}'`
else
    sshdport=22
fi

# Read the DNS server IPs (first and second nameserver lines)
if [ -s /etc/resolv.conf ];then
    nameserver1=`grep nameserver /etc/resolv.conf | awk 'NR==1{print $2}'`
    nameserver2=`grep nameserver /etc/resolv.conf | awk 'NR==2{print $2}'`
fi

IPT="/sbin/iptables"

# Remove existing rules, then the (now empty) user-defined chains
$IPT --flush
$IPT --delete-chain

# Deny inbound and forwarded traffic by default, allow outbound, allow loopback
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Allow established and related connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Limit each source IP to at most 10 concurrent connections on port 80
$IPT -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP

# Allow 80 (HTTP) / 873 (RSYNC) / 443 (HTTPS) / 20,21 (FTP) / 25 (SMTP)
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow SSH; the script detects the current SSH port, otherwise defaults to 22
$IPT -A INPUT -p tcp -m tcp --dport $sshdport -j ACCEPT

# Allow ping (echo-request) and time-exceeded replies
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT

# Allow DNS queries to the configured resolvers
[ ! -z "$nameserver1" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver1 --dport 53 -j ACCEPT
[ ! -z "$nameserver2" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver2 --dport 53 -j ACCEPT

# Save the rules and restart iptables
service iptables save
service iptables restart
echo "==================================iptables configure completed=========================================================="
### --- 2. Run the script
[root@localhost ~]# chmod a+x iptables.sh 
 
[root@localhost ~]# bash iptables.sh 
==================================iptables configure====================================================================
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Redirecting to /bin/systemctl restart iptables.service
==================================iptables configure completed==========================================================
[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 10
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:rsync
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             gateway              udp dpt:domain
ACCEPT     udp  --  anywhere             gateway              udp dpt:domain







