7.13 10.15-10.18
iptables options:
-F    flush the rules of a chain (with no chain given, every chain of the table)
-t    select the table; without -t the filter table is used
-Z    zero the packet and byte counters
-A    append a rule at the end of a chain
-I    insert a rule at the head of a chain (or at a given position)
-D    delete a rule (by spelling it out again, or by its number)
-P    set the default policy of a built-in chain
-nvL  list the rules (numeric addresses and ports, verbose counters)
service iptables save    save the rules (writes the in-memory rules to /etc/sysconfig/iptables, which is loaded again after a reboot; on CentOS 7 this command needs the iptables-services package)
--line-numbers    show each rule's number in iptables -nvL (once the number is known, a rule can be deleted with -D CHAIN N instead of repeating the whole rule)
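Deleting by number has one trap the option list does not mention: numbers are renumbered after every -D, so deleting rule 2 turns rules 3 and 4 into 2 and 3. The helper below, an added example and not part of the course notes, pulls the matching rule numbers out of an iptables -nvL --line-numbers listing and returns them highest first, so a loop of iptables -D CHAIN N always hits the rule it matched. The listing embedded in it is constructed to look like the lab host's INPUT chain; delete_matching is the only part that needs root and a live iptables.

```bash
#!/bin/bash
# Pick rules out of `iptables -nvL --line-numbers` output by pattern and return their
# numbers highest first. Rule numbers shift after every deletion, so deleting from the
# bottom up is what keeps `iptables -D CHAIN N` pointing at the rule you matched.
rule_numbers() {
    # $1 = chain name, $2 = extended regex matched against the whole rule line; listing on stdin
    # (awk -v expands backslash escapes in $2, so write plain patterns such as 'dpt:(80|21)')
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { cur = $2; next }                           # "Chain INPUT (policy DROP ...)"
        cur == chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }
    ' | sort -rn
}

# Delete every rule in a chain that matches the pattern (needs root and a live iptables).
delete_matching() {
    local chain="$1" pat="$2" n
    for n in $(iptables -nvL "$chain" --line-numbers | rule_numbers "$chain" "$pat"); do
        iptables -D "$chain" "$n"
    done
}

# Constructed listing with the shape of the lab host's INPUT chain (not live output).
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       66  4548 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       192.168.31.0/24      0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 41 packets, 7392 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Numbers of the INPUT rules in the sample that match $1, space separated, highest first.
sample_numbers() {
    printf '%s\n' "$SAMPLE_LISTING" | rule_numbers INPUT "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# sample_numbers 'dpt:(80|21)' gives "4 3", so the live equivalent
#   delete_matching INPUT 'dpt:(80|21)'
# runs iptables -D INPUT 4 and then iptables -D INPUT 3, in that order.
```

The pattern is matched against the whole listing line, so anything printed by -nvL (source, destination, dpt:, state) can be used as the selector.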
Small iptables case
Requirements:
1. Open ports 80 and 21 to everyone
2. Allow SSH (port 22) only from one IP range
Steps:
[root@hyc-01-01 ~]# vim /usr/local/sbin/iptables.sh
#!/bin/bash
# The binary is used on every line, so keep it in a variable; use the absolute path
# so the script does not depend on $PATH.
ipt="/usr/sbin/iptables"
$ipt -F                    # flush the rules of the filter table
$ipt -P INPUT DROP         # default policy of INPUT is DROP
$ipt -P OUTPUT ACCEPT      # OUTPUT and FORWARD default to ACCEPT
$ipt -P FORWARD ACCEPT
# Accept packets of RELATED/ESTABLISHED connections first; without this rule the
# replies to connections the host opened itself are dropped by the DROP policy.
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept tcp packets from 192.168.31.0/24 (the host's own subnet) to port 22
$ipt -A INPUT -s 192.168.31.0/24 -p tcp --dport 22 -j ACCEPT
# Accept tcp packets to ports 80 and 21 from anywhere
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
Note: the subnet in the port-22 rule must contain the address you are logged in from. Run the script from a session inside 192.168.31.0/24 or from the console, otherwise the DROP policy cuts off your own SSH session.
[root@hyc-01-01 ~]# sh /usr/local/sbin/iptables.sh    # run the script
[root@hyc-01-01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 66 4548 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT tcp -- * * 192.168.31.0/24 0.0.0.0/0 tcp dpt:22
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 41 packets, 7392 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD_IN_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_IN_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
The chains from FORWARD_IN_ZONES down to OUTPUT_direct belong to firewalld, CentOS 7's default firewall front end. They are empty and have 0 references, so nothing jumps to them and they have no effect on traffic, but a running firewalld rewrites the tables on its next reload or at boot. Stop and disable it (systemctl stop firewalld; systemctl disable firewalld) before managing iptables by hand.
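The script above has two weaknesses a practitioner would fix before putting it on a real host: between "-P INPUT DROP" and the RELATED,ESTABLISHED rule there is a window in which every incoming packet, including the current SSH session's, is dropped, and loopback traffic (127.0.0.1) is never allowed, which silently breaks local services. The version below is an added example, not the course script: it writes the same policy as an iptables-restore ruleset that is loaded in one atomic step, allows lo, drops INVALID packets, and takes the admin subnet and open ports as arguments. It assumes iptables-restore and iptables-save are installed (they ship with iptables), the CentOS 7 path /etc/sysconfig/iptables, and the lab values 192.168.31.0/24, 80 and 21; the -m conntrack --ctstate match is the current spelling of the page's -m state --state.

```bash
#!/bin/bash
# The 10.15 lab policy as an iptables-restore ruleset. build_filter_rules only prints
# text, so the result can be reviewed (or tested) before it touches the kernel.
build_filter_rules() {
    local admin_net="$1"; shift          # subnet allowed to reach SSH, e.g. 192.168.31.0/24
    local port
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "-A INPUT -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    for port in "$@"; do                 # remaining arguments: tcp ports open to everyone
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Load the filter table in one step. iptables-restore parses the whole ruleset before
# replacing the table, so a typo leaves the old rules in place instead of a half-applied
# set, and there is no moment where INPUT is DROP without the ESTABLISHED rule.
apply_filter_rules() {
    build_filter_rules "$@" | iptables-restore -T filter
}

# Make the loaded rules survive a reboot (what the page's "service iptables save" does;
# on CentOS 7 that command needs the iptables-services package, and firewalld must be
# stopped and disabled or it will rewrite the tables).
persist_rules() {
    iptables-save > /etc/sysconfig/iptables
}

# Usage as root: sh iptables.sh --apply 192.168.31.0/24 80 21
if [ "$1" = "--apply" ]; then
    shift
    apply_filter_rules "$@" && persist_rules
fi
```

Run build_filter_rules on its own first and read the output; the order it prints is the order the kernel evaluates, which is why the lo and ESTABLISHED rules come before any port rule.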
ICMP case
[root@hyc-01-01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
ICMP type 8 is echo-request. This host can still ping other machines (its own requests go out and the replies are type 0), but other machines can no longer ping it.
10.16 iptables nat table (part 1)
Requirement: machine B reaches the Internet through machine A
Steps:
hyc-01-01 is machine A
Add an internal (LAN) NIC to hyc-01-01:
In VMware select the VM hyc-01-01, right-click -> Settings ->
click Add, choose Network Adapter, click Next ->
keep the defaults and click Finish ->
select the new adapter and, under Network connection, choose LAN segment ->
click the LAN Segments button below it and add a new LAN segment ->
pick the segment just created from the LAN segment drop-down ->
OK
hyc-01 is machine B
Select hyc-01, right-click -> Settings ->
select its Network Adapter and change Network connection to LAN segment, picking the same segment from the drop-down
hyc-01 now drops off Xshell: its only NIC is no longer on the NAT network
Set the IP of machine A's LAN NIC
1. Permanent
Copy the ifcfg-ens33 config file to ifcfg-ens37;
ifcfg-ens37 gets no gateway or DNS (those stay with ens33, the NIC that reaches the outside);
remove the MAC address line (HWADDR) or change it, a MAC address must not appear twice; the UUID line should go for the same reason;
change the NIC name (NAME and DEVICE), the IP address and the other per-NIC values in the file;
2. Until the next reboot
set it from the command line
[root@hyc-01-01 ~]# ifconfig ens37 192.168.100.1/24
[root@hyc-01-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.31.129 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::d46b:4589:4da1:2f34 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:9d:95 txqueuelen 1000 (Ethernet)
RX packets 320 bytes 30767 (30.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 324 bytes 31408 (30.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::375d:175d:e671:f6ad prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:9d:9f txqueuelen 1000 (Ethernet)
RX packets 42 bytes 2520 (2.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 101 bytes 17646 (17.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 72 bytes 5736 (5.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 72 bytes 5736 (5.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Give hyc-01's LAN NIC an address in the same subnet as hyc-01-01's LAN NIC
This has to be done on the VM console, since hyc-01 is no longer reachable over SSH
[root@hyc-01 ~]# ifconfig ens33 192.168.100.2/24
Connectivity test between A's and B's LAN NICs (from A)
[root@hyc-01-01 ~]# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=5.80 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=0.597 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=64 time=0.664 ms
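The "permanent" option above is a list of edits to make by hand in ifcfg-ens37. The helper below, an added example and not part of the course notes, applies those edits mechanically: it drops GATEWAY, DNS, HWADDR and UUID, rewrites NAME/DEVICE/IPADDR/PREFIX for the new NIC, and sets DEFROUTE=no so the LAN NIC can never take over the default route. The ifcfg-ens33 embedded in it is constructed for the example (the UUID, gateway and DNS values are made up; the real file on hyc-01-01 is not shown on the page).

```bash
#!/bin/bash
# Derive the ifcfg file for A's LAN NIC (ens37) from the existing ifcfg-ens33.
make_lan_ifcfg() {
    # $1 = new device name, $2 = address, $3 = prefix length; old ifcfg on stdin
    local dev="$1" addr="$2" prefix="$3"
    # Drop the lines that must not be copied (gateway/DNS belong to ens33, HWADDR and
    # UUID must be unique) and the per-NIC lines that are rewritten below.
    sed -E -e '/^(GATEWAY|DNS[0-9]*|HWADDR|UUID|DEFROUTE|NAME|DEVICE|IPADDR|PREFIX|NETMASK|BOOTPROTO)=/d' \
           -e '/^[[:space:]]*$/d'
    printf '%s\n' "BOOTPROTO=static" "DEFROUTE=no" "NAME=$dev" "DEVICE=$dev" \
                  "IPADDR=$addr" "PREFIX=$prefix"
}

# Constructed ifcfg-ens33 for the example (UUID, gateway and DNS values are made up).
SAMPLE_IFCFG_ENS33='TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=ens33
UUID=2b1c9d2e-7f6a-4e3b-9c8d-0a1b2c3d4e5f
DEVICE=ens33
ONBOOT=yes
HWADDR=00:0c:29:4d:9d:95
IPADDR=192.168.31.129
PREFIX=24
GATEWAY=192.168.31.2
DNS1=192.168.31.2'

# ifcfg-ens37 content for A's LAN NIC, 192.168.100.1/24, derived from the sample above.
sample_lan_ifcfg() {
    printf '%s\n' "$SAMPLE_IFCFG_ENS33" | make_lan_ifcfg ens37 192.168.100.1 24
}

# Real use on A (as root), then restart the network service so ifcfg-ens37 is read:
#   make_lan_ifcfg ens37 192.168.100.1 24 < /etc/sysconfig/network-scripts/ifcfg-ens33 \
#       > /etc/sysconfig/network-scripts/ifcfg-ens37
```

Check the result with grep for GATEWAY and HWADDR before restarting the network: a leftover GATEWAY line on ens37 gives the host two default routes, which is the usual cause of "internal NIC works, Internet is gone".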
10.17 iptables nat table (part 2)
Machine A
NAT NIC: 192.168.31.129/24
LAN NIC: 192.168.100.1/24
Machine B
LAN NIC: 192.168.100.2/24
At this point 100.1 and 100.2 reach each other, the Windows host cannot ping either LAN NIC, and neither LAN NIC can reach the Internet
Steps:
Turn on IP forwarding:
Change the kernel setting so the machine forwards packets between its NICs (this is IP forwarding, i.e. routing, not port forwarding; it is not tied to any port)
[root@hyc-01-01 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@hyc-01-01 ~]# echo "1"> !$
echo "1"> /proc/sys/net/ipv4/ip_forward
[root@hyc-01-01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
A value of 0 means forwarding is off, 1 means it is on. Writing to /proc only lasts until the next reboot; to make it permanent put net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and run sysctl -p.
Add the rule that lets the LAN reach the Internet:
[root@hyc-01-01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
MASQUERADE rewrites the source address of packets from 192.168.100.0/24 that leave through ens33 to ens33's own address; connection tracking reverses the translation on the replies, so no rule is needed for the return direction.
[root@hyc-01-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 2646 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
188 14240 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
188 14240 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
187 14156 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
1 84 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (2 references)
pkts bytes target prot opt in out source destination
188 14240 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
188 14240 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
12 2646 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (2 references)
pkts bytes target prot opt in out source destination
12 2646 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
12 2646 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
Make A's LAN NIC address the default gateway of B
[root@hyc-01 ~]# route add default gw 192.168.100.1
[root@hyc-01 ~]# route -n    # check the routing table
Set DNS and test connectivity
pinging the gateway address 192.168.31.1 from B works;
after setting a DNS server address on B, pinging the DNS server's address works;
pinging a domain name fails with a name-resolution error?
10.18 iptables nat table (part 3)
Requirement 2: hyc-01 can be reached by SSH from outside
Steps:
Turn on IP forwarding
[root@hyc-01-01 ~]# echo "1"> /proc/sys/net/ipv4/ip_forward
Add the nat rules (delete the nat rules from part 2 first, e.g. iptables -t nat -F, so the old MASQUERADE rule and the new SNAT rule do not overlap)
[root@hyc-01-01 ~]# iptables -t nat -A PREROUTING -d 192.168.31.129 -p tcp --dport 1122 -j DNAT --to 192.168.100.2:22
The PREROUTING rule rewrites packets for destination 192.168.31.129 port 1122 to destination 192.168.100.2 port 22, B's sshd
[root@hyc-01-01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to 192.168.31.129
The POSTROUTING rule rewrites source address 192.168.100.2 to 192.168.31.129 for traffic B sends out through A, so B's own outbound connections keep working. The replies to the DNAT'd SSH connection need no rule of their own: connection tracking reverses the DNAT, as long as B routes them back through A (next step).
Set B's gateway
[root@hyc-01 ~]# route add default gw 192.168.100.1
Test
Confirm -> connected (an SSH session to 192.168.31.129 port 1122 lands on hyc-01)
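Parts 2 and 3 together describe one NAT gateway: forwarding switched on, source NAT for the LAN on the way out, DNAT for SSH on the way in. The script below is an added example that covers both, not the course's commands. It assumes the page's layout (A: ens33 = 192.168.31.129 on the NAT side, ens37 = 192.168.100.1 on the LAN side; B = 192.168.100.2 with A as its gateway, forward port 1122), uses SNAT as in part 3 (MASQUERADE from part 2 does the same job when the WAN address is dynamic), and writes a sysctl file whose name, 90-nat-gateway.conf, is chosen here. Two things it adds over the notes: the nat table is replaced as a whole, which is the "delete the old nat rules first" step made explicit, and the FORWARD chain is locked down. With FORWARD policy ACCEPT, as the notes leave it, A forwards anything between its two NICs; here only LAN-to-WAN traffic, the DNAT'd SSH flow and replies are forwarded.

```bash
#!/bin/bash
# NAT gateway for the 10.17/10.18 lab. Rule text is produced by functions so it can be
# read (or tested) before being loaded; only apply_nat_gateway needs root.
WAN_IF="${WAN_IF:-ens33}"
WAN_IP="${WAN_IP:-192.168.31.129}"
LAN_IF="${LAN_IF:-ens37}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
B_HOST="${B_HOST:-192.168.100.2}"
SSH_FWD_PORT="${SSH_FWD_PORT:-1122}"

# nat table as an iptables-restore ruleset. DNAT maps A:1122 -> B:22; SNAT rewrites LAN
# sources leaving via the WAN NIC. Both rules are pinned to an interface, so traffic
# on the LAN side is never rewritten by mistake.
build_nat_rules() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
        "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $SSH_FWD_PORT -j DNAT --to-destination $B_HOST:22" \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP" \
        'COMMIT'
}

# FORWARD chain rules, one iptables argument list per line (not restore format, so the
# INPUT chain from the 10.15 script is left untouched). Replies first, then LAN -> WAN,
# then the DNAT'd SSH connection; everything else hits the DROP policy set below.
build_forward_rules() {
    printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -d $B_HOST -p tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT"
}

# Current forwarding flag (0 or 1), or "unknown" where /proc is not available.
ip_forward_state() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

apply_nat_gateway() {
    # Persist forwarding: the echo into /proc used on the page is lost at reboot.
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat-gateway.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Replace the whole nat table (the old MASQUERADE rule goes with it).
    build_nat_rules | iptables-restore -T nat
    # Rebuild only the FORWARD chain.
    iptables -F FORWARD
    iptables -P FORWARD DROP
    build_forward_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each line is one argument list
        iptables $rule
    done
}

# Usage as root on A: sh nat-gateway.sh --apply
# Then from a host on the NAT network: ssh -p 1122 root@192.168.31.129 should land on B.
if [ "$1" = "--apply" ]; then
    apply_nat_gateway
fi
```

Before applying, run build_nat_rules and build_forward_rules on their own and check the interface names against ifconfig; a DNAT rule bound to the wrong -i matches nothing and the symptom is simply a connection timeout on port 1122.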