
iptables端口安全高級應用


netfilter不只是包過濾防火墻(四層)
netfilter同樣是狀態防火墻
[root@uplook ~]# iptables -m icmp -h //-m 指定擴展匹配模塊;模塊自身的選項印在說明的最末尾,建議從後往前(由下往上)查看
[root@uplook ~]# iptables -m iprange -h //同上,模塊選項在最後,從後往前查看

[root@uplook ~]# yum -y install vsftpd httpd
[root@uplook ~]# service httpd start; service vsftpd start; service sshd start
[root@uplook ~]# iptables -F //只清空規則,不改變鏈的預設策略(policy)

[root@uplook ~]# iptables -A INPUT -j REJECT
注意:此時還沒有放行 ESTABLISHED,RELATED 的規則,這條全拒絕會把現有的遠端 ssh 會話一起切斷;請在 console 上操作,或先加 -m state --state ESTABLISHED,RELATED -j ACCEPT。後面各實驗都用 -I 把規則插到這條 REJECT 之前,用 -A 追加的規則則永遠輪不到。

-m icmp
[root@uplook ~]# iptables -t filter -I INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT //只放行 echo-reply(回應)
效果:任何主機都 ping 不到本機(進來的 echo-request 被後面的 REJECT 擋掉),但本機仍可以 ping 出去並收到回應。
-m iprange
[root@uplook ~]# iptables -t filter -I INPUT -m iprange --src-range 192.168.2.20-192.168.2.100 -j REJECT

-m multiport
[root@uplook ~]# iptables -m multiport -h

[root@uplook ~]# iptables -t filter -I INPUT -p tcp -m multiport --dports 20,21,22,25,80,110 -j ACCEPT

-m state
這裡的狀態是 conntrack(連線追蹤)的狀態,跟 TCP 協議本身的狀態機沒有關係,UDP/ICMP 一樣有這些狀態
NEW 新建態:conntrack 第一次看到的封包(對 TCP 通常就是第一個 SYN)
ESTABLISHED 連接態:已經看過雙向流量的連線
RELATED 衍生態:與既有連線相關的新連線,例如 ftp 的資料連線、ICMP 錯誤訊息
INVALID 無效態:無法辨識、不屬於任何已知連線的封包,一般直接 DROP
[root@uplook ~]# iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

==================================================================
lab1: 使用狀態防火墻,放行本機FTP服務[被動模式]
[root@uplook ~]# iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@uplook ~]# iptables -t filter -I INPUT -p tcp --dport 20:21 -j ACCEPT
[root@uplook ~]# iptables -t filter -A INPUT -j REJECT
[root@uplook ~]# modprobe nf_conntrack_ftp
[root@uplook ~]# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp" //讓 iptables 服務開機時自動載入(RHEL/CentOS 6 的 init 腳本讀這個檔)
小結: 該內核模塊(FTP conntrack helper)會解析 21/tcp 控制連線上的 PORT/PASV 指令,在客戶端<連接數據端口時>,把資料連線第一次握手的封包狀態由原來的 NEW 識別成 RELATED,於是被上面的 ESTABLISHED,RELATED 規則放行。
注意:
1. helper 必須讀到明文指令,FTPS(TLS)加密後無法解析,被動模式的資料連線會被 REJECT;這種情況只能手動放行 vsftpd 的 pasv_min_port~pasv_max_port 範圍。
2. 較新內核(4.7+)預設 nf_conntrack_helper=0,不再對所有連線自動套用 helper,需在 raw 表用 -j CT --helper ftp 明確指定,否則只載入模塊是沒有效果的。
3. 被動模式只需要放行 21/tcp;20/tcp 是主動模式下伺服器主動連出去的資料來源端口,放行 --dport 20 對被動模式沒有作用。

-m tos //ip協議頭部type of service
[root@uplook ~]# iptables -F
[root@uplook ~]# tcpdump -i eth0 -nn port 22 -vvv //抓取遠程主機訪問本機ssh數據包,分別於輸入密碼前和後觀察TOS值
[root@uplook ~]# tcpdump -i eth0 -nn port 22 -vvv //抓取遠程從本機rsync或scp復制文件,分別於輸入密碼前和後觀察TOS值
小結:都是使用22/tcp,但可以通過IP報文中的TOS值來區分應用(左邊是輸入密碼前、右邊是認證後的值)
ssh(互動式): tos 0x0 → 0x10 (lowdelay)
scp: tos 0x0 → 0x8 (throughput)
rsync over ssh: tos 0x0 → 0x8 (throughput)
[root@uplook ~]# iptables -m tos -h
[root@uplook ~]# iptables -t filter -A INPUT -p tcp --dport 22 -m tos ! --tos 0x10 -j ACCEPT //只放行 TOS 不是 0x10 的封包,即擋掉互動式 ssh、保留 scp/rsync
注意:TOS 是客戶端自己填的(ssh -o IPQoS=throughput 就能改掉),任何人都能偽造,所以這只能當 QoS 式的分類,不能當成存取控制;另外 OpenSSH 7.8+ 預設改用 DSCP(互動 af21、批量 cs1),新版客戶端上不會再出現 0x10/0x8,需重新抓包確認實際值。
[root@uplook ~]# iptables -t filter -A INPUT -j REJECT

-m tcp
按TCP標記匹配
Flags are: SYN ACK FIN RST URG PSH ALL NONE
[root@uplook ~]# iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN --dport 80 -j ACCEPT
[root@uplook ~]# iptables -t filter -A INPUT -p tcp --syn --dport 80 -j ACCEPT

--tcp-flags SYN,ACK,FIN,RST SYN 檢查四個標記位SYN,ACK,FIN,RST 但只有SYN標記位才匹配
則允許三次握手中的第一次握手,等價於 --syn

-m limit [要命不要臉]
[root@uplook ~]# iptables -F
實驗:從客戶端ping本機,觀察序列號
[root@uplook ~]# iptables -t filter -A INPUT -p icmp -m limit --limit 20/minute -j ACCEPT
[root@uplook ~]# iptables -t filter -A INPUT -j REJECT
進入本機INPUT鏈的ICMP,在速率內的匹配第一條放行,超出的落到第二條被拒絕;--limit-burst 預設為 5,所以最初 5 個封包不受限,之後按 20/minute 的速率補充令牌
16/second
16/minute
16/hour
16/day
[root@uplook ~]# iptables -F //上面已經 -A 了一條全拒絕,不先清空的話下面的規則會排在它後面,永遠匹配不到
[root@uplook ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT //握手後的 ACK 與資料封包都不是 SYN,沒有這條會被最後的 REJECT 擋掉,網頁根本打不開
[root@uplook ~]# iptables -t filter -A INPUT -p tcp --syn --dport 80 -m limit --limit 50/second -j ACCEPT
[root@uplook ~]# iptables -t filter -A INPUT -j REJECT
注意:-m limit 是整條規則共用一個令牌桶,不分來源;單一攻擊者就能耗盡 50/second 的配額,讓正常用戶的 SYN 也被拒(反而幫攻擊者做了 DoS)。要按來源 IP 限速應改用 -m hashlimit --hashlimit-mode srcip。

-m connlimit 限同一IP最大連接數
[root@uplook ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@uplook ~]# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit ! --connlimit-above 2 -j ACCEPT
//僅允許每個客戶端有兩個ssh連接

等價於(要再補一條放行規則才真正等價):
[root@uplook ~]# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
[root@uplook ~]# iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
//超過兩個連接拒絕,其餘放行;只寫 REJECT 那條而最後又是全拒絕的話,ssh 會完全連不上

[root@uplook ~]# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 100 -j ACCEPT
//每個客戶端 IP 最多 100 條<同時存在的> TCP 連線(connlimit 數的是 conntrack 裡的連線數,不是請求數)
注意:connlimit 預設以 /32 按單一 IP 計數,同一 NAT 出口後面的多個用戶會共用配額;可用 --connlimit-mask 24 改成按網段計,或把數值放寬。
[root@uplook ~]# iptables -A INPUT -j REJECT

-m time
[root@uplook ~]# iptables -A INPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT //12:00~13:00 放行所有流量
[root@uplook ~]# iptables -A INPUT -p tcp --syn --dport 22 -m time --timestart 12:00 --timestop 13:00 -j ACCEPT //只在 12:00~13:00 允許新建 ssh 連線
[root@uplook ~]# iptables -A INPUT -j REJECT
注意:-m time 比對的時間在目前版本預設是 UTC 而不是本機時區(舊版曾用內核時區),要用系統本地時間需加 --kerneltz;上線前務必用 iptables -m time -h 和實際測試確認,否則一小時的窗口會落在意想不到的時段。也可搭配 --weekdays 只限工作日。

-m comment
[root@uplook ~]# iptables -A INPUT -s 172.16.130.7 -m comment --comment "cloud class" -j REJECT

-m mark
[root@uplook ~]# iptables -t filter -A INPUT -m mark --mark 2 -j REJECT

二、動作擴展 TARGET EXTENSIONS
filter:
-j ACCEPT
-j DROP
-j REJECT
-j LOG

nat:
-j SNAT //轉換源地址
-j MASQUERADE //轉換源地址
-j DNAT //轉換目標地址及端口
-j REDIRECT //轉換目標端口(重定向)

mangle:
-j MARK

-j LOG //LOG 只記錄、不決定去留,封包會繼續比對下一條規則;訊息經內核 printk 交給 rsyslog 的 kern facility
[root@uplook ~]# grep 'kern\.' /etc/rsyslog.conf
kern.*    /var/log/kernel.log
[root@uplook ~]# service rsyslog restart

[root@uplook ~]# iptables -j LOG -h
[root@uplook ~]# iptables -t filter -A INPUT -p tcp --syn --dport 22 -j LOG --log-prefix " uplook_ssh "
[root@uplook ~]# iptables -t filter -A INPUT -p tcp --syn --dport 22 -j ACCEPT
[root@uplook ~]# iptables -t filter -A INPUT -j REJECT
注意:上面的 LOG 規則沒有限速,攻擊者對 22 端口狂發 SYN 就能把 /var/log 塞滿(日誌 DoS)。實務上每條 LOG 都應加限速,例如 `... --dport 22 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " uplook_ssh " --log-level info`,prefix 取一個好 grep 的字串。

-j REJECT
當訪問一個未開啟的TCP端口時,內核會返回一個帶有RST標記的數據包(連線被拒)
當訪問一個開啟的TCP端口但被防火牆 REJECT 時,預設返回 ICMP port unreachable(--reject-with 預設值為 icmp-port-unreachable),掃描器據此就能分辨「端口關閉」和「被防火牆擋掉」
[root@uplook ~]# iptables -j REJECT -h
[root@uplook ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset //改成回應 TCP RST,對掃描器看起來就像端口沒開;tcp-reset 只能用在 -p tcp 的規則上

-j MARK
[root@uplook ~]# iptables -t mangle -L
[root@uplook ~]# iptables -j MARK -h
[root@uplook ~]# iptables -t mangle -A PREROUTING -s 192.168.2.110 -j MARK --set-mark 1
[root@uplook ~]# iptables -t mangle -A PREROUTING -s 192.168.2.25 -j MARK --set-mark 2
[root@uplook ~]# iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT //按照標記匹配
[root@uplook ~]# iptables -t filter -A INPUT -m mark --mark 2 -j REJECT

NAT表:

POSTROUTING: SNAT, MASQUERADE(封包離開本機前改來源地址)
PREROUTING: DNAT, REDIRECT(封包進入本機後、路由決策前改目的地址/端口)
OUTPUT: DNAT, REDIRECT,針對本機自己發出的封包

讓KVM虛擬機訪問外部網絡(默認):
-j SNAT/MASQUERADE [必須開啟kernel ip_forward: sysctl -w net.ipv4.ip_forward=1,並寫進 /etc/sysctl.conf 才能持久]
[root@uplook ~]# iptables -t nat -F
[root@uplook ~]# iptables -F
[root@uplook ~]# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to 外部地址 //外網地址固定時用 SNAT
[root@uplook ~]# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE //外網地址由 DHCP/PPPoE 動態取得時用 MASQUERADE;兩條擇一即可,並建議加 -o eth0 限定只在對外介面做轉換
注意:打開 ip_forward 後本機就是一台路由器;filter 表的 FORWARD 鏈若是空的或預設 ACCEPT,任何能把封包送到本機的人都可以借道轉發。應把 FORWARD 預設設為 DROP,只放行 -s 192.168.122.0/24 出去的流量和 -m state --state ESTABLISHED,RELATED 回來的流量。

暴露KVM虛擬機的服務(端口映射):
-j DNAT [必須開啟kernel ip_forward;DNAT 之後的封包走 FORWARD 鏈,FORWARD 也要有對應的放行規則,例如 -d 192.168.122.66 -p tcp --dport 80 -j ACCEPT]
[root@uplook ~]# iptables -t nat -A PREROUTING -d 172.16.30.30 -p tcp --dport 80 -j DNAT --to 192.168.122.66:80
[root@uplook ~]# iptables -t nat -A PREROUTING -d 172.16.30.30 -p tcp --dport 8080 -j DNAT --to 192.168.122.77:80
[root@uplook ~]# iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.122.66:22 //沒有寫 -d,任何經過本機、目的端口為 2222 的封包(含轉發中的)都會被改寫,建議也加 -d 限定本機地址
注意:把虛擬機的 22/tcp 映射到外部地址等於把它的 ssh 直接暴露出去,應用 -s 限制來源,並在虛擬機上改用金鑰認證、關閉密碼登入。

[root@uplook ~]# iptables -t nat -A PREROUTING -d 172.16.30.240 -p tcp --dport 80 -j DNAT --to 192.168.122.66
[root@uplook ~]# iptables -t nat -A PREROUTING -d 172.16.30.240 -p tcp --dport 22 -j DNAT --to 192.168.122.66
[root@uplook ~]# iptables -t nat -A PREROUTING -d 172.16.30.241 -p tcp --dport 80 -j DNAT --to 192.168.122.67
[root@uplook ~]# iptables -t nat -A PREROUTING -d 172.16.30.241 -p tcp --dport 22 -j DNAT --to 192.168.122.67

為接口綁定地址
[root@uplook ~]# ip addr add dev eth0 172.16.30.240/24
[root@uplook ~]# ip addr add dev eth0 172.16.30.241/24
[root@uplook ~]# ip a s eth0
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 3c:97:0e:54:c5:82 brd ff:ff:ff:ff:ff:ff
inet 172.16.30.30/24 brd 172.16.30.255 scope global eth0
inet 172.16.30.240/24 scope global secondary eth0
inet 172.16.30.241/24 scope global secondary eth0
inet6 fe80::3e97:eff:fe54:c582/64 scope link
valid_lft forever preferred_lft forever

[root@uplook ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=172.16.30.30
PREFIX=24
IPADDR1=172.16.30.240
PREFIX1=24
IPADDR2=172.16.30.241
PREFIX2=24
GATEWAY=172.16.30.254

-j REDIRECT //本地端口轉發:把進入本機的封包改到本機另一個端口,只對本機有效
[root@nat_server ~]# iptables -t nat -A PREROUTING -s 172.16.130.0/24 -p tcp --dport 8888 -j REDIRECT --to-ports 22
注意:nat/PREROUTING 在 filter/INPUT 之前執行,所以 INPUT 鏈看到的是改寫後的 --dport 22,放行規則要寫 22 而不是 8888;換端口只能減少自動掃描的噪音,不能取代金鑰認證、限制來源等真正的 ssh 加固。
