iptables
iptables filter table: small examples
1. Allow traffic to ports 22, 80 and 21, with port 22 reachable only from a fixed IP range:
# vim /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                    # flush the existing rules of the filter table
$ipt -P INPUT DROP         # default for inbound traffic: drop anything not explicitly accepted
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # keep existing connections, including the SSH session running this script
$ipt -A INPUT -s 192.168.188.0/24 -p tcp --dport 22 -j ACCEPT  # SSH only from the 192.168.188.0/24 range
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # HTTP from anywhere
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # FTP control channel from anywhere
Then run the script and check the result:
# sh /usr/local/sbin/iptables.sh
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   39  3144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.188.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23 packets, 4376 bytes)
 pkts bytes target     prot opt in     out     source               destination
The counters on the RELATED,ESTABLISHED rule already show the SSH session that ran the script being matched. Three things to keep in mind with this script: it accepts nothing on the loopback interface, so local services that talk to 127.0.0.1 break under the DROP policy (an ACCEPT rule for the lo interface is needed); the DROP policy is set before the accept rules, so a script that aborts between those lines leaves the host unreachable over SSH; and accepting port 21 alone covers only the FTP control channel, so passive-mode data connections need the nf_conntrack_ftp helper loaded to be classified as RELATED.
2. Let this host ping external hosts, but do not let external hosts ping it:
# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
ICMP type 8 is echo-request. Our own pings keep working because conntrack tracks ICMP echo, so the echo replies (type 0) match the RELATED,ESTABLISHED rule. Under the DROP policy from example 1 inbound echo requests are already dropped; this rule matters when the INPUT policy is ACCEPT (as in the CentOS default ruleset, which has an accept-all-ICMP rule), and -I puts it at the head of the chain so it is evaluated before that rule.
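The filter-table setup above (ports 22/80/21 with SSH restricted to one range, plus the inbound-ping drop from example 2) as one script, added here as an example; it is not the post's own script. It wraps iptables so that DRY_RUN=1 prints the rules instead of applying them, which lets the rule order be reviewed before it is loaded on a remote host. The iptables path and the SSH range 192.168.188.0/24 are the post's values and are assumed as defaults; the differences from the post's script are that loopback is accepted, conntrack's INVALID state is dropped, and the DROP policy is set last.

```shell
#!/bin/sh
# Added example, not the original post's script: the same filter policy as a
# reviewable function. DRY_RUN=1 prints the iptables commands instead of
# running them, so the rule order can be checked before loading it remotely.
IPT=${IPT:-/usr/sbin/iptables}   # path from the post; override with IPT=...

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the INPUT policy. $1 is the CIDR allowed to reach SSH (the post's
# 192.168.188.0/24 is assumed as the default).
filter_rules() {
    ssh_net=${1:-192.168.188.0/24}
    run "$IPT" -F
    run "$IPT" -X
    # Keep INPUT open until the accept rules exist, so a failure halfway
    # through does not cut off the SSH session; the DROP policy is set last.
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -P FORWARD DROP            # this host does not route; the NAT case needs FORWARD rules
    run "$IPT" -A INPUT -i lo -j ACCEPT   # local services talking to 127.0.0.1 (missing from the post's script)
    run "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    run "$IPT" -A INPUT -s "$ssh_net" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -A INPUT -p tcp -m multiport --dports 21,80 -m conntrack --ctstate NEW -j ACCEPT
    # Example 2: refuse inbound echo requests. Our own pings still work because
    # the echo replies (type 0) match RELATED,ESTABLISHED above.
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
    run "$IPT" -P INPUT DROP
}

# Usage: DRY_RUN=1 sh $0 apply [ssh-cidr]   (omit DRY_RUN to load the rules as root)
if [ "${1:-}" = "apply" ]; then
    filter_rules "$2"
fi
```

Run it once with DRY_RUN=1 and read the printed rules top to bottom: the lo and RELATED,ESTABLISHED rules must come before any port rule, and the last line must be the policy change. Only after that load it for real, and on CentOS follow with service iptables save so the ruleset survives a restart of the iptables service.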
iptables nat table
1. Prepare two hosts: one with two network cards and one with a single network card.
2. On the first host add the two cards, one in NAT mode and one in LAN segment mode (VMware terms), then give the LAN-side card its address:
# ifconfig ens37 192.168.100.1/24
3. As in step 2, add one card to the second host in LAN segment mode, on the same segment as the first host (it gets 192.168.100.100).
4. Once configured, check that the two hosts can ping each other:
# ping 192.168.100.100    (from the first host)
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.287 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.375 ms
5. On the first host, enable IP forwarding:
# cat /proc/sys/net/ipv4/ip_forward
0
# echo "1" >!$
echo "1" >/proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1
(!$ is bash history expansion for the last argument of the previous command; bash prints the expanded command line before running it. Writing to /proc does not survive a reboot; to make the setting persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.)
6. On the first host, add a masquerade rule so that packets from the 192.168.100.0/24 segment leaving through ens33 get the first host's external address as their source:
# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
7. On the second host, set the default gateway to the first host's LAN-side address:
route add default gw 192.168.100.1
8. Also on the second host, configure DNS; it can then reach the external network:
vi /etc/resolv.conf
nameserver 119.29.29.29
9. Requirement 2: let other hosts reach the second host. On the first host, forward TCP port 1122 of its external address 192.168.188.130 to port 22 on the second host:
# iptables -t nat -A PREROUTING -d 192.168.188.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.188.130
With these two rules and the gateway from step 7, the host with only one network card can be reached through port 1122 on the first host. (Conntrack reverses the DNAT on reply packets by itself, and the MASQUERADE rule from step 6 already translates the second host's outbound traffic, so the SNAT rule is redundant once step 6 is in place.) Logging in through that port and running w on the second host shows the forwarded session; the FROM column still shows the real client address 192.168.188.1, because DNAT rewrites only the destination:
# w    (on the second host)
 23:24:40 up  1:25,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      22:06    2:24   0.16s  0.16s -bash
root     pts/0    192.168.188.1    23:24    0.00s  0.01s  0.00s w
The second host's interfaces confirm the topology: ens33 has no address and no link (its flags lack RUNNING), so all of its traffic goes through ens37 and the gateway 192.168.100.1.
# ifconfig    (on the second host)
ens33: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:0c:29:ca:b5:ec  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:feca:b5f6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ca:b5:f6  txqueuelen 1000  (Ethernet)
        RX packets 259  bytes 31802 (31.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 382  bytes 41908 (40.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 446  bytes 37058 (36.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 446  bytes 37058 (36.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Note: in requirement 1, after everything was configured, the second host could ping the first host's IP but neither the gateway nor the external network. The cause is the FORWARD chain on the first host: the default CentOS ruleset loaded by the iptables service ends FORWARD with a REJECT rule (reject-with icmp-host-prohibited), so forwarded packets are refused even though forwarding is enabled in the kernel. Deleting that REJECT rule from FORWARD makes forwarding work; the first listing below shows the chain with the rule removed and the forwarded packets counted against the ACCEPT policy. The second listing shows that service iptables restart reloads /etc/sysconfig/iptables and brings the REJECT rule back, so after removing it save the rules (service iptables save) or edit that file.
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1127  107K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    6   468 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 175 packets, 20774 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 753 packets, 99000 bytes)
 pkts bytes target     prot opt in     out     source               destination
# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   500 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination
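The NAT gateway from steps 5 to 9, together with the FORWARD-chain point from the note, as shell functions for the first host. This is an added example, not the post's own commands. Setting DRY_RUN=1 prints each command instead of running it, so the rules can be reviewed first. The addresses and interface names (LAN 192.168.100.0/24 behind ens33, external address 192.168.188.130, internal host 192.168.100.100, port 1122 to 22) are the post's values and are passed as arguments; the script assumes sysctl, an iptables with the conntrack match, and that the FORWARD chain may be flushed, which also removes the CentOS default REJECT rule. Unlike the post, it forwards only LAN-to-WAN traffic, established replies and the published port instead of relying on an ACCEPT policy, and it omits the redundant SNAT rule.

```shell
#!/bin/sh
# Added example, not the post's own commands: the NAT gateway from steps 5 to 9
# as reviewable functions. DRY_RUN=1 prints each command instead of running it.
IPT=${IPT:-/usr/sbin/iptables}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 5: enable IPv4 forwarding (sysctl -w is equivalent to the echo into
# /proc; add the same key to /etc/sysctl.conf to keep it across reboots).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 6 plus the FORWARD chain from the note: $1 = LAN CIDR, $2 = WAN interface.
# FORWARD is flushed first, which removes the REJECT rule of the CentOS default
# ruleset; then only LAN->WAN traffic and established replies are forwarded.
masquerade_lan() {
    lan_net=$1; wan_if=$2
    run "$IPT" -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    run "$IPT" -F FORWARD
    run "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -A FORWARD -s "$lan_net" -o "$wan_if" -j ACCEPT
    run "$IPT" -P FORWARD DROP
}

# Step 9: publish an internal TCP service. $1 = WAN IP, $2 = WAN port,
# $3 = LAN IP, $4 = LAN port, $5 = WAN interface. Conntrack reverses the DNAT
# on replies by itself, so no SNAT rule is needed beyond the MASQUERADE above.
forward_port() {
    wan_ip=$1; wan_port=$2; lan_ip=$3; lan_port=$4; wan_if=$5
    run "$IPT" -t nat -A PREROUTING -i "$wan_if" -d "$wan_ip" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    # FORWARD sees the packet after DNAT, so the rule matches the internal
    # address; with the DROP policy this is what lets the connection through.
    run "$IPT" -A FORWARD -i "$wan_if" -d "$lan_ip" -p tcp --dport "$lan_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: DRY_RUN=1 sh $0 apply   (omit DRY_RUN to load the rules as root)
# Values are the post's: LAN 192.168.100.0/24 behind ens33, external address
# 192.168.188.130, internal host 192.168.100.100 reached via port 1122.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    masquerade_lan 192.168.100.0/24 ens33
    forward_port 192.168.188.130 1122 192.168.100.100 22 ens33
fi
```

After loading the rules for real, check with iptables -t nat -nvL and iptables -nvL FORWARD that the DNAT and FORWARD counters increase when a client connects to 192.168.188.130:1122, and save the ruleset with service iptables save; otherwise the next service iptables restart reloads the default file and the REJECT rule in FORWARD returns, which is exactly the failure described in the note.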