Linux之iptables(网络防火墙及NAT)

Posted 朝圣布达拉

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux之iptables(网络防火墙及NAT)相关的知识,希望对你有一定的参考价值。

网络防火墙

  • iptables/netfilter网络防火墙:
  • (1) 充当网关
  • (2) 使用filter表的FORWARD链
  • 注意的问题:
  • (1) 请求-响应报文均会经由FORWARD链,要注意规则的方向性
  • (2) 如果要启用conntrack机制,建议将双方向的状态为ESTABLISHED的报文直接放行

NAT

  • NAT: network address translation
  • PREROUTING,INPUT,OUTPUT,POSTROUTING
  • 请求报文:修改源/目标IP,由定义如何修改
  • 响应报文:修改源/目标IP,根据跟踪机制自动实现
  • SNAT:source NAT POSTROUTING, INPUT
  • 让本地网络中的主机通过某一特定地址访问外部网络,实现地址伪装
  • 请求报文:修改源IP
  • DNAT:destination NAT PREROUTING , OUTPUT
  • 把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射),但隐藏真实IP
  • 请求报文:修改目标IP
  • PNAT: port nat,端口和IP都进行修改

SNAT

  • nat表的target:
  • SNAT:固定IP
  • --to-source [ipaddr[-ipaddr]][:port[-port]]
  • --random
  • iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP
[[email protected] ~]#iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.16.32.6-172.16.32.10
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       10.0.1.0/24         !10.0.1.0/24          to:172.20.71.105-172.20.71.110

SNAT

  • MASQUERADE:动态IP,如拨号网络
  • --to-ports port[-port]
  • --random
  • iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j MASQUERADE
[[email protected] ~]#iptables -t nat -I POSTROUTING -s 10.0.1.0/24 ! -d  10.0.1.0/24 -j MASQUERADE
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 4 packets, 765 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       10.0.1.0/24         !10.0.1.0/24     

DNAT

  • --to-destination [ipaddr[-ipaddr]][:port[-port]]
  • iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]
[[email protected] ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 22 -j DNAT --to-destination 10.0.1.22
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.32.20.6          tcp dpt:22 to:10.0.1.22
[[email protected] ~]#iptables -t nat -A PREROUTING -s 0/0 -d 172.16.32.6 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.22:80
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.100.6         tcp dpt:80 to:10.0.1.22:80

PNAT:利用虚拟端口进行数据转发

转发

  • REDIRECT:
  • NAT表
  • 可用于:PREROUTING OUTPUT 自定义链
  • 通过改变目标IP和端口,将接受的包转发至不同端口
  • --to-ports port[-port]
[[email protected] ~]#iptables -t nat -A PREROUTING -d 172.16.32.6 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[[email protected] ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            172.16.100.10        tcp dpt:80 redir ports 8080

以上是关于Linux之iptables(网络防火墙及NAT)的主要内容,如果未能解决你的问题,请参考以下文章

Linux下防火墙iptables原理及实战

iptables nat及端口映射

iptables系列之基础原理

Linux之iptables

防火墙iptables实现Linux强大的NAT功能

Linux防火墙详解