Using iptables as a Network Firewall

iptables as a network firewall

To use iptables as a network firewall, the host has to act as the gateway for the networks it protects, and the rules go in the FORWARD chain of the filter table.
Points to note when iptables is used as a network firewall:
1. Both request and reply packets traverse the FORWARD chain, so pay attention to the direction of every rule.
2. If the conntrack mechanism is enabled, it is recommended to accept packets in state ESTABLISHED directly, in both directions.



Lab environment

Prepare three hosts: node1 is the external-network host, node2 is the network firewall, and node3 is the internal-network host.

Host    External IP     Internal IP
node1   172.22.27.10    -
node2   172.22.27.20    192.168.73.10
node3   -               192.168.73.20

1. Point the default gateways of node1 and node3 at node2
On node1:

[[email protected] ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=172.22.27.10
PREFIX=16
GATEWAY=172.22.27.20

On node3:

[[email protected] ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.73.20
PREFIX=24
GATEWAY=192.168.73.10

2. Enable IP forwarding on node2

[[email protected] ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
[[email protected] ~]# sysctl -p
net.ipv4.ip_forward = 1

Environment setup is complete.


I. Reject all traffic between the internal and external networks

Reject all forwarded traffic on the FORWARD chain:

[[email protected] ~]# iptables -A FORWARD -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 81 packets, 5914 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Test

Internal network (node3) accessing the external network:

[[email protected] ~]# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
From 192.168.73.10 icmp_seq=1 Destination Port Unreachable

External network (node1) accessing the internal network:

[[email protected] ~]# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable

II. Allow the internal network to ping the external network, but not the reverse

Define the rules

1. Accept request packets (ICMP echo request, type 8) from the internal network to the external network:

[[email protected] ~]# iptables -I FORWARD -s 192.168.73.0/24 -p icmp --icmp-type 8 -j ACCEPT

2. Accept reply packets (ICMP echo reply, type 0) from the external network to the internal network:

[[email protected] ~]# iptables -I FORWARD -d 192.168.73.0/24 -p icmp --icmp-type 0 -j ACCEPT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 83745 packets, 6373K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.73.0/24      icmptype 0
    0     0 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
    7   588 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 83187 packets, 4326K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Test

Internal network (node3) accessing the external network:

[[email protected] ~]# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
64 bytes from 172.22.27.10: icmp_seq=1 ttl=63 time=1.30 ms

External network (node1) accessing the internal network:

[[email protected] ~]# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable

Alternatively, use the state match to accept packets that belong to already established connections; here -R FORWARD 1 replaces rule 1 (the echo-reply rule) with a state rule:

[[email protected] ~]# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 98 packets, 6362 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
   10   840 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 39 packets, 3092 bytes)
 pkts bytes target     prot opt in     out     source               destination   

Test

Internal network (node3) accessing the external network:

[[email protected] ~]# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
64 bytes from 172.22.27.10: icmp_seq=1 ttl=63 time=1.30 ms

External network (node1) accessing the internal network:

[[email protected] ~]# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable

III. Allow the internal network to access external web services

Define the rules

Add a rule accepting traffic from the internal network to ports 80 and 443 on the external network (inserted as rule 2, after the state rule):

[[email protected] ~]# iptables -I FORWARD 2 -s 192.168.73.20 -p tcp -m multiport --dports 80,443 -j ACCEPT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 520 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.73.20        0.0.0.0/0            multiport dports 80,443
    4   336 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
   12  1008 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4 packets, 376 bytes)
 pkts bytes target     prot opt in     out     source               destination       

Test

Internal network (node3) accessing the external web service:

[[email protected] ~]# curl 172.22.27.10
this is node1

External network (node1) accessing the internal web service:

[[email protected] ~]# curl 192.168.73.20
curl: (7) Failed connect to 192.168.73.20:80; Connection refused            # rejected

IV. Allow the external network to access web services on the internal network

Define the rules

Add a rule allowing the external network to reach the internal web services (ports 80 and 443):

[[email protected] ~]# iptables -I FORWARD 2 -d 192.168.73.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 132 packets, 9064 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1058 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      multiport dports 80,443
    1    60 ACCEPT     tcp  --  *      *       192.168.73.20        0.0.0.0/0            multiport dports 80,443
    4   336 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
   12  1008 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 62 packets, 3716 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Test

Access the internal web service from the external network (node1):

[[email protected] ~]# curl 192.168.73.20
this is node3

V. Access control for the internal network with a custom chain

1. Flush all the rules defined so far

[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 4418 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 40 packets, 2340 bytes)
 pkts bytes target     prot opt in     out     source               destination    

2. Create a custom chain

[[email protected] ~]# iptables -N CLASS
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 76 packets, 4808 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 2420 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)          # the newly created custom chain
 pkts bytes target     prot opt in     out     source               destination    

3. Allow internal users to access external web services

3.1 Web browsing needs HTTP, HTTPS and DNS, so ports 53, 80 and 443 must be opened (TCP for all three, UDP for 53):

[[email protected] ~]# iptables -A CLASS -s 192.168.73.0/24 -p tcp -m multiport --dports 53,80,443 -j ACCEPT
[[email protected] ~]# iptables -A CLASS -s 192.168.73.0/24 -p udp --dport 53 -j ACCEPT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 58 packets, 3632 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 36 packets, 2080 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53

3.2 Enable connection tracking so that reply packets are accepted (inserted at the top of CLASS):

[[email protected] ~]# iptables -I CLASS -m state --state ESTABLISHED,RELATED -j ACCEPT

3.3 Reject everything that no rule above matched

[[email protected] ~]# iptables -A CLASS -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 247 packets, 16085 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 159 packets, 9328 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

3.4 Reference the custom chain
Once the custom chain is complete, it has to be referenced from the FORWARD chain; otherwise it is never consulted:

[[email protected] ~]# iptables -A FORWARD -j CLASS

3.5 Test
Internal network (node3) accessing the external web service:

[[email protected] ~]# curl 172.22.27.10
this is node1

External network (node1) accessing the internal web service:

[[email protected] ~]# curl 192.168.73.20
curl: (7) Failed connect to 192.168.73.20:80; Connection refused

4. Add rules that reject access to external web services during working hours

4.1 The time match on CentOS 7 is evaluated in UTC, so 8 hours must be subtracted from local time (CST, UTC+8) when setting the window. The REJECT rules must also be inserted before the ACCEPT rules; otherwise the ACCEPT rule matches first and the REJECT rules never take effect.

[[email protected] ~]# iptables -I CLASS 2 -s 192.168.73.0/24 -p tcp -m multiport --dports 53,80,443 -m time --timestart 1:00 --timestop 10:00 -j REJECT
[[email protected] ~]# iptables -I CLASS 3 -s 192.168.73.0/24 -p udp  --dport 53 -m time --timestart 1:00 --timestop 10:00 -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 33 packets, 1932 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   926 CLASS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 20 packets, 1516 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   806 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
    1    60 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53
    1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Test 1
Check the current time on the firewall:

[[email protected] ~]# date
Tue May 21 23:29:31 CST 2019        # UTC is local time minus 8 hours, which is outside working hours, so access should be allowed; check the result

Access the external web service from the internal network (node3):

[[email protected] ~]# curl 172.22.27.10
this is node1

Test 2
Move the firewall clock into working hours:

[[email protected] ~]# date -s "-12 hours"
Tue May 21 11:35:29 CST 2019

Access the external web service from the internal network (node3):

[[email protected] ~]# curl 172.22.27.10
curl: (7) Failed connect to 172.22.27.10:80; Connection refused

5. Adding string filtering

5.1 Add a rule on the firewall that filters responses whose payload contains the string "node1"
Note: the string filter must be inserted before the state-tracking rule; otherwise the reply is accepted as ESTABLISHED before the filter is reached and the rule never matches.

[[email protected] ~]# iptables -I CLASS  -d 192.168.73.0/24 -p tcp --sport 80 -m string --algo bm --string "node1" -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 38 packets, 2240 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122 10512 CLASS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 21 packets, 1652 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp spt:80 STRING match  "node1" ALGO name bm TO 65535 reject-with icmp-port-unreachable      # note: the string filter must come before the state-tracking rule, otherwise it never matches
  108  9672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    60 REJECT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
   12   720 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53
    1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Test
Move the firewall clock back to off-hours:

[[email protected] ~]# date -s "+12 hours"
Tue May 21 23:46:54 CST 2019

Access the external web service from the internal network (node3):

[[email protected] ~]# curl 172.22.27.10/test.html        # a page that does not contain "node1" gets a response
mylinuxops.com
[[email protected] ~]# curl 172.22.27.10         # a page containing "node1" gets no response

6. Deleting a custom chain

To delete a custom chain, first flush its rules, then remove the reference to it, and only then delete it.
6.1 Flush the rules

[[email protected] ~]# iptables -F CLASS
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 72 packets, 4212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  180 21228 CLASS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 38 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

6.2 Remove the reference from FORWARD

[[email protected] ~]# iptables -D FORWARD 1
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 131 packets, 8240 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 84 packets, 6680 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

6.3 Delete the custom chain

[[email protected] ~]# iptables -X CLASS
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 34 packets, 2044 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20 packets, 1468 bytes)
 pkts bytes target     prot opt in     out     source               destination     

VI. Block a contiguous address range from accessing external web services

Define the rules

Block internal addresses 192.168.73.15 to 192.168.73.25 from accessing external web services:

[[email protected] ~]# iptables -A FORWARD -p tcp --dport 80 -m iprange --src-range 192.168.73.15-192.168.73.25 -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 1700 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 source IP range 192.168.73.15-192.168.73.25 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 16 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Test

Access the external web service from an internal host inside that range (node3 is 192.168.73.20):

[[email protected] ~]# curl 172.22.27.10
curl: (7) Failed connect to 172.22.27.10:80; Connection refused      # access rejected

VII. Limit the number of connections from external users to the internal web service

Define the rules

Reject access when the number of concurrent connections from a single IP exceeds 2:

[[email protected] ~]# iptables -A FORWARD -d 192.168.73.0/24 -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 46 packets, 2704 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 source IP range 192.168.73.15-192.168.73.25 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp dpt:80 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 26 packets, 1932 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Test

Flood the internal web service with connections from the external network:

[[email protected] ~]# ./flood1 192.168.73.20
Starting flood connect attack on 192.168.73.20 port 80

Capture on the internal web server:

[[email protected] ~]# tcpdump -i ens33 -nn dst port 80         # no reply packets; access was rejected
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
07:38:50.985045 IP 172.22.27.10.36248 > 192.168.73.20.80: Flags [.], ack 1054889742, win 229, options [nop,nop,TS val 11920183 ecr 11882921], length 0
07:38:51.846189 IP 172.22.27.10.36252 > 192.168.73.20.80: Flags [.], ack 1313004510, win 229, options [nop,nop,TS val 11921044 ecr 11883940], length 0
^C

VIII. Connection tracking for an FTP server

Tracking FTP connections requires the dedicated helper module nf_conntrack_ftp.
Module path: /lib/modules/3.10.0-957.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
It must be loaded manually:

[[email protected] ~]# lsmod | grep nf_conntrack_ftp
[[email protected] ~]# modprobe nf_conntrack_ftp
[[email protected] ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       18638  0
nf_conntrack          133095  4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4

Or add it to the iptables configuration file:

[[email protected] ~]# vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"

Define firewall rules that track FTP

1. First accept external access to port 21 (the FTP control channel) on the internal network

[[email protected] ~]# iptables -A FORWARD -d 192.168.73.0/24 -p tcp --dport 21 -j ACCEPT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1624 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp dpt:21

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination 

2. Add the connection-tracking rule before the accept rule
Connection tracking (with the FTP helper loaded) accepts the RELATED FTP data channel; then add a rule rejecting every connection that matches nothing else:

[[email protected] ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[[email protected] ~]# iptables -A FORWARD -j REJECT
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 95 packets, 9072 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp dpt:21
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 16 packets, 1272 bytes)
 pkts bytes target     prot opt in     out     source               destination  

Test

Access the internal FTP service from the external network (node1):

[[email protected] ~]# ftp 192.168.73.20
Connected to 192.168.73.20 (192.168.73.20).
220 (vsFTPd 3.0.2)
Name (192.168.73.20:root): ftp
331 Please specify the password.
Password:
230 Login successful.                  # success
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

IX. iptables logging

When a packet matches a rule, the LOG target records it in the log, located at /var/log/messages.
A prefix can be added to the log entries with the --log-prefix option.
Log all traffic to port 80:

[[email protected] ~]# iptables -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "ALL:"

Test

Access the internal web service from the external network (node1):

[[email protected] ~]# curl 192.168.73.20
this is node3

Check the log on the firewall:

[[email protected] ~]# tail /var/log/messages | grep "ALL"
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25563 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25564 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=129 TOS=0x00 PREC=0x00 TTL=63 ID=25565 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25566 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25567 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK FIN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25568 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0 
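As an added example (not part of the original post), a small POSIX shell script that parses kernel LOG lines in the format shown above, summarises them per flow (prefix, source, destination:port/protocol, packet and SYN counts), and flags sources with many SYNs, an offline counterpart to the connlimit rule of part VII. The log lines are constructed: the first six mirror the entries above, the 172.22.27.30 burst is made up.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output as the kernel writes it to
# /var/log/messages. SAMPLE_LOG is constructed: the first six lines mirror
# the page's capture, the four 172.22.27.30 lines are made up to show a
# burst of new connections (SYN flag set on every packet).
MAC='00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00'
SAMPLE_LOG="May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.10 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25563 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25564 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.10 DST=192.168.73.20 LEN=129 TOS=0x00 PREC=0x00 TTL=63 ID=25565 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25566 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25567 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK FIN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25568 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0
May 22 09:26:30 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.30 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:30 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.30 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:30 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.30 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30003 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:30 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=$MAC SRC=172.22.27.30 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30004 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0"

# stdin: kernel LOG lines. stdout, sorted: one line per flow in the form
#   PREFIX SRC DST:DPT/PROTO packets=N syn=M
summarize_iptables_log() {
    awk '
    /kernel: / && /SRC=/ {
        line = $0
        sub(/^.*kernel: /, "", line)
        # the --log-prefix text is glued to the IN= field, e.g. "ALL:IN=ens33"
        p = index(line, "IN=")
        pfx = (p > 1) ? substr(line, 1, p - 1) : "-"
        src = dst = dpt = proto = ""; syn = 0
        n = split(line, tok, " ")
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^SRC=/)        src   = substr(tok[i], 5)
            else if (tok[i] ~ /^DST=/)   dst   = substr(tok[i], 5)
            else if (tok[i] ~ /^DPT=/)   dpt   = substr(tok[i], 5)
            else if (tok[i] ~ /^PROTO=/) proto = substr(tok[i], 7)
            else if (tok[i] == "SYN")    syn   = 1   # TCP flag tokens stand alone
        }
        key = pfx " " src " " dst ":" dpt "/" proto
        pkts[key]++; syns[key] += syn
    }
    END { for (k in pkts) printf "%s packets=%d syn=%d\n", k, pkts[k], syns[k] }
    ' | sort
}

# $1: threshold. Print each SRC whose SYN count (new connection attempts) in the
# logged window exceeds it; a rough offline view of what connlimit enforces live.
flag_syn_bursts() {
    awk -v limit="$1" '
    /kernel: / && / SYN / {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) syn[substr($i, 5)]++
    }
    END { for (s in syn) if (syn[s] + 0 > limit + 0) printf "%s syn=%d\n", s, syn[s] }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_iptables_log
printf '%s\n' "$SAMPLE_LOG" | flag_syn_bursts 3
```

On a live firewall the same functions take their input from grep "ALL:" /var/log/messages; only the constructed SAMPLE_LOG is specific to this example.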

X. Saving iptables rules

iptables rules live only as long as the running kernel; they are lost on reboot, so they must be saved and loaded again at the next boot.

Saving the rules

Redirect the output of iptables-save to a file:

[[email protected] ~]# iptables-save > test
[[email protected] ~]# cat test
# Generated by iptables-save v1.4.21 on Wed May 22 09:34:32 2019
*filter
:INPUT ACCEPT [2334:195479]
:FORWARD ACCEPT [10:867]
:OUTPUT ACCEPT [96:10460]
-A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "ALL:"
COMMIT
# Completed on Wed May 22 09:34:32 2019

Loading the rules

Feed the saved file to iptables-restore:

[[email protected] ~]# iptables -F               # flush all rules
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 43 packets, 3195 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination
[[email protected] ~]# iptables-restore < test      # re-import the rules saved above
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 45 packets, 3601 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4 prefix "ALL:"           # the saved rule has been restored

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Optimising iptables rules

Any access that is not permitted should be rejected as soon as the request arrives.
The order of the rules in a chain is the order in which they are checked.
Based on the above, optimise the rules as follows:

  1. Safely accept all inbound and outbound connections in the ESTABLISHED state.
  2. Be cautious about accepting new inbound requests.
  3. Where access must be restricted for a specific purpose, add the rejection before the accept rule.
  4. For rules of the same kind (accessing the same application), place the narrower match first, for special handling.
  5. For rules of different kinds (accessing different applications), place the broader match first.
  6. Merge several rules that a single rule can describe into one rule.
  7. Set a default policy; a whitelist (accept only specific connections) is recommended:
    1) iptables -P: not recommended
    2) Recommended: define a rule at the end of the chain to act as the default policy

Saving and loading iptables rules

Rules defined with iptables have a lifetime equal to that of the running kernel, so they must be saved.

Saving

CentOS 6 and CentOS 7 save rules differently.

CentOS 6

service iptables save overwrites /etc/sysconfig/iptables with the current rules:

service iptables save

CentOS 7

Redirect the output of iptables-save to a file:

iptables-save > /path/to/file

Loading iptables rules

On CentOS 6, service iptables restart reloads the rules from /etc/sysconfig/iptables:

service iptables restart

On CentOS 7, reload the rules with iptables-restore:

iptables-restore < /PATH/FROM/FILE

Automatic loading of iptables rules

(1) Save the iptables commands in a script and have it run at boot: add the script path to /etc/rc.d/rc.local

/PATH/TO/SOME_SCRIPT_FILE

(2) Save the rules in a rules file and load it at boot: add to /etc/rc.d/rc.local

iptables-restore < /PATH/FROM/IPTABLES_RULES_FILE

(3) Write a custom unit file that runs iptables-restore

On CentOS 7, installing iptables-services provides iptables.service:

yum install iptables-services
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables.service 

Original source: https://blog.51cto.com/11886307/2398424
