iptables as a network firewall
To use iptables as a network firewall, the host has to act as a gateway, and the rules go into the FORWARD chain of the filter table.
Points to note when iptables acts as a network firewall:
1. Both request and response packets pass through the FORWARD chain, so pay attention to the direction each rule applies to.
2. If the conntrack mechanism is enabled, it is advisable to accept packets in state ESTABLISHED in both directions outright.
Lab environment
Three hosts: node1 is the external host, node2 is the network firewall, node3 is the internal host.

| Host | External IP | Internal IP |
|---|---|---|
| node1 | 172.22.27.10 | - |
| node2 | 172.22.27.20 | 192.168.73.10 |
| node3 | - | 192.168.73.20 |
1. Point the default gateways of node1 and node3 at node2.
On node1:
```bash
# vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=172.22.27.10
PREFIX=16
GATEWAY=172.22.27.20
```
On node3:
```bash
# vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.73.20
PREFIX=24
GATEWAY=192.168.73.10
```
2. Enable IP forwarding on node2:
```bash
# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
# sysctl -p
net.ipv4.ip_forward = 1
```
The environment is ready.
I. Reject all traffic between the internal and external networks
Reject everything in the FORWARD chain:
```bash
# iptables -A FORWARD -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 81 packets, 5914 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
pkts bytes target prot opt in out source destination
```
Test
From the internal network (node3) to the external network:
```bash
# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
From 192.168.73.10 icmp_seq=1 Destination Port Unreachable
```
From the external network (node1) to the internal network:
```bash
# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable
```
II. Allow the internal network to ping the external network, but not the reverse
Define the rules
1. Accept echo requests (ICMP type 8) from the internal network to the external network:
```bash
# iptables -I FORWARD -s 192.168.73.0/24 -p icmp --icmp-type 8 -j ACCEPT
```
2. Accept echo replies (ICMP type 0) from the external network to the internal network:
```bash
# iptables -I FORWARD -d 192.168.73.0/24 -p icmp --icmp-type 0 -j ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT 83745 packets, 6373K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.73.0/24 icmptype 0
0 0 ACCEPT icmp -- * * 192.168.73.0/24 0.0.0.0/0 icmptype 8
7 588 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 83187 packets, 4326K bytes)
pkts bytes target prot opt in out source destination
```
Test
Internal network to external network:
```bash
# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
64 bytes from 172.22.27.10: icmp_seq=1 ttl=63 time=1.30 ms
```
External network to internal network:
```bash
# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable
```
Alternatively, replace rule 1 (the echo-reply rule) with a state match, so that the reply traffic of any established connection is let through:
```bash
# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT 98 packets, 6362 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 252 ACCEPT icmp -- * * 192.168.73.0/24 0.0.0.0/0 icmptype 8
10 840 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 39 packets, 3092 bytes)
pkts bytes target prot opt in out source destination
```
Test
Internal network to external network:
```bash
# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
64 bytes from 172.22.27.10: icmp_seq=1 ttl=63 time=1.30 ms
```
External network to internal network:
```bash
# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable
```
III. Allow the internal network to access external web services
Define the rule
Add a rule accepting traffic from the internal network to ports 80 and 443 on the external network:
```bash
# iptables -I FORWARD 2 -s 192.168.73.20 -p tcp -m multiport --dports 80,443 -j ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 520 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.73.20 0.0.0.0/0 multiport dports 80,443
4 336 ACCEPT icmp -- * * 192.168.73.0/24 0.0.0.0/0 icmptype 8
12 1008 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 4 packets, 376 bytes)
pkts bytes target prot opt in out source destination
```
Test
Internal network to the external web service:
```bash
# curl 172.22.27.10
this is node1
```
External network to the internal web service:
```bash
# curl 192.168.73.20
curl: (7) Failed connect to 192.168.73.20:80; Connection refused # rejected
```
IV. Allow the external network to access internal web services
Define the rule
Add a rule allowing the external network to reach web services on the internal network:
```bash
# iptables -I FORWARD 2 -d 192.168.73.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT 132 packets, 9064 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 1058 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.73.0/24 multiport dports 80,443
1 60 ACCEPT tcp -- * * 192.168.73.20 0.0.0.0/0 multiport dports 80,443
4 336 ACCEPT icmp -- * * 192.168.73.0/24 0.0.0.0/0 icmptype 8
12 1008 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 62 packets, 3716 bytes)
pkts bytes target prot opt in out source destination
```
Test
External network to the internal web service:
```bash
# curl 192.168.73.20
this is node3
```
V. Use a custom chain to implement access control for the internal network
1. Clear all the rules defined so far:
```bash
# iptables -F
# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 4418 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 40 packets, 2340 bytes)
pkts bytes target prot opt in out source destination
```
2. Create a custom chain:
```bash
# iptables -N CLASS
# iptables -nvL
Chain INPUT (policy ACCEPT 76 packets, 4808 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 42 packets, 2420 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (0 references) # the newly created custom chain
pkts bytes target prot opt in out source destination
```
3. Allow internal users to access external web services
3.1 Web access needs HTTP, HTTPS and DNS, so ports 53, 80 and 443 have to be opened:
```bash
# iptables -A CLASS -s 192.168.73.0/24 -p tcp -m multiport --dports 53,80,443 -j ACCEPT
# iptables -A CLASS -s 192.168.73.0/24 -p udp --dport 53 -j ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT 58 packets, 3632 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 36 packets, 2080 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.73.0/24 0.0.0.0/0 multiport dports 53,80,443
0 0 ACCEPT udp -- * * 192.168.73.0/24 0.0.0.0/0 udp dpt:53
```
3.2 Enable connection tracking so that response packets are accepted:
```bash
# iptables -I CLASS -m state --state ESTABLISHED,RELATED -j ACCEPT
```
3.3 Reject everything that matched none of the rules above:
```bash
# iptables -A CLASS -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 247 packets, 16085 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 159 packets, 9328 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.73.0/24 0.0.0.0/0 multiport dports 53,80,443
0 0 ACCEPT udp -- * * 192.168.73.0/24 0.0.0.0/0 udp dpt:53
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
```
3.4 Reference the custom chain
Once the custom chain is complete it has to be called from the FORWARD chain; until then it has 0 references and sees no traffic:
```bash
# iptables -A FORWARD -j CLASS
```
3.5 Test
Internal network to the external web service:
```bash
# curl 172.22.27.10
this is node1
```
External network to the internal web service:
```bash
# curl 192.168.73.20
curl: (7) Failed connect to 192.168.73.20:80; Connection refused
```
4. Add rules that reject access to external web services during working hours
4.1 The time match on CentOS 7 compares against UTC, so subtract 8 hours (CST is UTC+8) when setting the window. The REJECT rules must be placed before the ACCEPT rules: otherwise the ACCEPT rules match first and the REJECT rules never take effect.
```bash
# iptables -I CLASS 2 -s 192.168.73.0/24 -p tcp -m multiport --dports 53,80,443 -m time --timestart 1:00 --timestop 10:00 -j REJECT
# iptables -I CLASS 3 -s 192.168.73.0/24 -p udp --dport 53 -m time --timestart 1:00 --timestop 10:00 -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 33 packets, 1932 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11 926 CLASS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 20 packets, 1516 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (1 references)
pkts bytes target prot opt in out source destination
9 806 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT tcp -- * * 192.168.73.0/24 0.0.0.0/0 multiport dports 53,80,443 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 192.168.73.0/24 0.0.0.0/0 udp dpt:53 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
1 60 ACCEPT tcp -- * * 192.168.73.0/24 0.0.0.0/0 multiport dports 53,80,443
0 0 ACCEPT udp -- * * 192.168.73.0/24 0.0.0.0/0 udp dpt:53
1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
```
Test 1
Check the current time on the firewall:
```bash
# date
Tue May 21 23:29:31 CST 2019 # UTC is 8 hours behind this, i.e. off-hours, so access should succeed; check the test result
```
Access an external web page from the internal network:
```bash
# curl 172.22.27.10
this is node1
```
Test 2
Set the firewall clock to working hours:
```bash
# date -s "-12 hours"
Tue May 21 11:35:29 CST 2019
```
Access an external web page from the internal network:
```bash
# curl 172.22.27.10
curl: (7) Failed connect to 172.22.27.10:80; Connection refused
```
5. Add string filtering
5.1 Add a rule on the firewall that filters responses containing the string "node1".
Note: the filter rule must be placed before the state-tracking rule, otherwise it has no effect, because the reply packets are in state ESTABLISHED and would be accepted first.
```bash
# iptables -I CLASS -d 192.168.73.0/24 -p tcp --sport 80 -m string --algo bm --string "node1" -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 38 packets, 2240 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
122 10512 CLASS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 21 packets, 1652 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 192.168.73.0/24 tcp spt:80 STRING match "node1" ALGO name bm TO 65535 reject-with icmp-port-unreachable # the filter must come before the state-tracking rule, otherwise it has no effect
108 9672 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 REJECT tcp -- * * 192.168.73.0/24 0.0.0.0/0 multiport dports 53,80,443 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 192.168.73.0/24 0.0.0.0/0 udp dpt:53 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
12 720 ACCEPT tcp -- * * 192.168.73.0/24 0.0.0.0/0 multiport dports 53,80,443
0 0 ACCEPT udp -- * * 192.168.73.0/24 0.0.0.0/0 udp dpt:53
1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
```
Test
Set the firewall clock back to off-hours:
```bash
# date -s "+12 hours"
Tue May 21 23:46:54 CST 2019
```
Access an external web page from the internal network:
```bash
# curl 172.22.27.10/test.html # a page that does not contain node1 gets a response
mylinuxops.com
# curl 172.22.27.10 # the page containing node1 gets no response
```
6. Deleting the custom chain
To delete a custom chain, first flush its rules, then remove the reference to it, and only then delete it.
6.1 Flush the rules:
```bash
# iptables -F CLASS
# iptables -nvL
Chain INPUT (policy ACCEPT 72 packets, 4212 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
180 21228 CLASS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 38 packets, 3008 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (1 references)
pkts bytes target prot opt in out source destination
```
6.2 Remove the reference:
```bash
# iptables -D FORWARD 1
# iptables -nvL
Chain INPUT (policy ACCEPT 131 packets, 8240 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 84 packets, 6680 bytes)
pkts bytes target prot opt in out source destination
Chain CLASS (0 references)
pkts bytes target prot opt in out source destination
```
6.3 Delete the custom chain:
```bash
# iptables -X CLASS
# iptables -nvL
Chain INPUT (policy ACCEPT 34 packets, 2044 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 20 packets, 1468 bytes)
pkts bytes target prot opt in out source destination
```
VI. Block a contiguous address range from accessing external web services
Define the rule
Internal addresses 192.168.73.15 to 192.168.73.25 may not access external web services:
```bash
# iptables -A FORWARD -p tcp --dport 80 -m iprange --src-range 192.168.73.15-192.168.73.25 -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 1700 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 source IP range 192.168.73.15-192.168.73.25 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 16 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
```
Test
Access an external web page from a host inside that internal range:
```bash
# curl 172.22.27.10
curl: (7) Failed connect to 172.22.27.10:80; Connection refused # access rejected
```
VII. Limit the number of connections from external users to the internal web service
Define the rule
Reject when the number of concurrent connections from one IP address exceeds 2:
```bash
# iptables -A FORWARD -d 192.168.73.0/24 -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 46 packets, 2704 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 120 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 source IP range 192.168.73.15-192.168.73.25 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 192.168.73.0/24 tcp dpt:80 #conn src/32 > 2 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 26 packets, 1932 bytes)
pkts bytes target prot opt in out source destination
```
Test
Flood the internal web service from the external network:
```bash
# ./flood1 192.168.73.20
Starting flood connect attack on 192.168.73.20 port 80
```
Capture packets on the internal web server:
```bash
# tcpdump -i ens33 -nn dst port 80 # no response packets; access was rejected
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
07:38:50.985045 IP 172.22.27.10.36248 > 192.168.73.20.80: Flags [.], ack 1054889742, win 229, options [nop,nop,TS val 11920183 ecr 11882921], length 0
07:38:51.846189 IP 172.22.27.10.36252 > 192.168.73.20.80: Flags [.], ack 1313004510, win 229, options [nop,nop,TS val 11921044 ecr 11883940], length 0
^C
```
VIII. Connection tracking for an FTP server
Tracking FTP connections requires the dedicated helper module nf_conntrack_ftp.
Module path: /lib/modules/3.10.0-957.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
It has to be loaded manually:
```bash
# lsmod | grep nf_conntrack_ftp
# modprobe nf_conntrack_ftp
# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp 18638 0
nf_conntrack 133095 4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
```
Or add it to the configuration file:
```bash
# vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
```
Define firewall rules that track FTP
1. First accept external access to port 21 on the internal network:
```bash
# iptables -A FORWARD -d 192.168.73.0/24 -p tcp --dport 21 -j ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1624 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.73.0/24 tcp dpt:21
Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
pkts bytes target prot opt in out source destination
```
2. Add the connection-tracking rule before the accept rule
Add connection tracking so that the FTP data channel (RELATED) is let through, and add a rule rejecting every other connection:
```bash
# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -j REJECT
# iptables -nvL
Chain INPUT (policy ACCEPT 95 packets, 9072 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.73.0/24 tcp dpt:21
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 16 packets, 1272 bytes)
pkts bytes target prot opt in out source destination
```
Test
Access the internal FTP service from the external network:
```bash
# ftp 192.168.73.20
Connected to 192.168.73.20 (192.168.73.20).
220 (vsFTPd 3.0.2)
Name (192.168.73.20:root): ftp
331 Please specify the password.
Password:
230 Login successful. # success
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
IX. iptables logging
When a packet matches a rule's conditions it can be recorded in the log; the log is written to /var/log/messages.
Use the --log-prefix option to add a prefix to the entries.
Log all traffic to port 80:
```bash
# iptables -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "ALL:"
```
Test
Access the internal web service from the external network:
```bash
# curl 192.168.73.20
this is node3
```
View the log on the firewall:
```bash
# tail /var/log/messages | grep "ALL"
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25563 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25564 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=129 TOS=0x00 PREC=0x00 TTL=63 ID=25565 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25566 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25567 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK FIN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25568 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0
```
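An added example, not part of the original post, that runs detection logic over log lines in the format shown above: it counts new connection attempts (SYN set, ACK clear) per source address and destination port. The sample lines are constructed, and `syn_attempts` and `sample_top_talker` are names chosen here.

```bash
#!/bin/sh
# Added example (not the blog's code): summarise the kernel LOG entries
# produced by the "ALL:" rule. Counts fresh connection attempts (SYN set,
# ACK clear) per source address and destination port.
# Note that the page's prefix "ALL:" has no trailing space, so it runs into
# the IN= field ("ALL:IN=ens33"); a prefix such as "ALL: " keeps them apart.

# Constructed sample in the page's format (MAC= field dropped for brevity;
# the addresses are the lab's, everything else is made up).
SAMPLE_LOG='May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 SRC=172.22.27.10 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25563 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25564 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 SRC=172.22.27.10 DST=192.168.73.20 LEN=129 TOS=0x00 PREC=0x00 TTL=63 ID=25565 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
May 22 09:26:31 localhost kernel: ALL:IN=ens33 OUT=ens34 SRC=172.22.27.10 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25570 DF PROTO=TCP SPT=36650 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:40 localhost kernel: ALL:IN=ens33 OUT=ens34 SRC=172.22.27.11 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1020 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 09:26:41 localhost kernel: unrelated message without the prefix'

# syn_attempts: read LOG lines on stdin and print "SRC DPT COUNT" for each
# source/port pair, most attempts first. Lines without the prefix are skipped.
syn_attempts() {
    awk '
        / kernel: ALL:/ {
            src = dpt = ""; syn = ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)       src = substr($i, 5)
                else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
                else if ($i == "SYN")   syn = 1
                else if ($i == "ACK")   ack = 1
            }
            if (syn && !ack && src != "") n[src " " dpt]++
        }
        END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# sample_top_talker: the busiest source/port pair in the constructed sample.
sample_top_talker() {
    printf '%s\n' "$SAMPLE_LOG" | syn_attempts | head -n 1
}

sample_top_talker
```

On the firewall the same function works on the live file: `grep "ALL:" /var/log/messages | syn_attempts`.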
X. Storing iptables rules
iptables rules live only as long as the running kernel; they are lost on shutdown or reboot, so they have to be saved and loaded again at the next boot.
Saving the rules
Redirect the output of iptables-save to a file:
```bash
# iptables-save > test
# cat test
# Generated by iptables-save v1.4.21 on Wed May 22 09:34:32 2019
*filter
:INPUT ACCEPT [2334:195479]
:FORWARD ACCEPT [10:867]
:OUTPUT ACCEPT [96:10460]
-A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "ALL:"
COMMIT
# Completed on Wed May 22 09:34:32 2019
```
Loading the rules
Feed the saved file back in through iptables-restore:
```bash
# iptables -F # flush all rules
# iptables -nvL
Chain INPUT (policy ACCEPT 43 packets, 3195 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
pkts bytes target prot opt in out source destination
# iptables-restore < test # re-import the rules saved above
# iptables -nvL
Chain INPUT (policy ACCEPT 45 packets, 3601 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 4 prefix "ALL:" # the rule is back
Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
pkts bytes target prot opt in out source destination
```
iptables rule optimisation
Any access that is not allowed should be rejected as soon as the request arrives.
The order of the rules in a chain is the order in which they are checked.
Based on this, optimise rules as follows:
- Safely accept all inbound and outbound connections in state ESTABLISHED
- Be cautious when accepting new inbound requests
- Special-purpose restrictions must be placed as rejections before the accept rules
- For rules of the same kind (access to the same application), put the narrower match first so it gets the special handling
- For rules of different kinds (access to different applications), put the broader match first
- Merge several rules that a single rule can express into one
- Set a default policy; a whitelist (only allow specific connections) is recommended
  1) iptables -P: not recommended
  2) Recommended: define a rule at the end of the chain that acts as the default policy
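The CLASS chain from section V, assembled in the order these rules call for (string filter before the state rule, time-window rejections before the matching accepts, catch-all REJECT last), as an added example that is not part of the original post. It assumes the lab's 8-hour CST offset for the UTC conversion; `to_utc`, `render_class_chain` and `check_order` are names chosen here.

```bash
#!/bin/sh
# Added example (not the blog's code): render node2's CLASS chain from
# section V as an iptables-restore file in the order the page requires:
#   1. string filter on replies, ahead of the state rule (or it never fires)
#   2. ESTABLISHED,RELATED accept
#   3. time-window REJECTs ahead of the matching ACCEPTs
#   4. the unconditional REJECT as the chain's own default policy
# Runs without iptables; only the filter table's FORWARD/CLASS chains are
# listed, so load with "iptables-restore -n" to keep the other chains.

LAN=192.168.73.0/24   # internal network from the lab
TZ_OFFSET_H=8         # lab clock is CST (UTC+8); xt_time compares against UTC
                      # (iptables also offers --kerneltz; the page's UTC approach is kept)

# Convert a local HH:MM into the UTC HH:MM that --timestart/--timestop expect.
# Hours wrap modulo 24, so a window starting before 08:00 local still converts.
to_utc() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; h=${h:-0}                     # "09" -> "9": avoids octal parsing
    h=$(( (h - TZ_OFFSET_H + 24) % 24 ))
    printf '%02d:%s' "$h" "$m"
}

# render_class_chain <work-start> <work-stop>   (local time, HH:MM)
render_class_chain() {
    start=$(to_utc "$1"); stop=$(to_utc "$2")
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
:CLASS - [0:0]
-A FORWARD -j CLASS
-A CLASS -d $LAN -p tcp --sport 80 -m string --algo bm --string "node1" -j REJECT
-A CLASS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A CLASS -s $LAN -p tcp -m multiport --dports 53,80,443 -m time --timestart $start --timestop $stop -j REJECT
-A CLASS -s $LAN -p udp --dport 53 -m time --timestart $start --timestop $stop -j REJECT
-A CLASS -s $LAN -p tcp -m multiport --dports 53,80,443 -j ACCEPT
-A CLASS -s $LAN -p udp --dport 53 -j ACCEPT
-A CLASS -j REJECT
COMMIT
EOF
}

# Sanity check before loading: every time-restricted REJECT must sit above the
# ACCEPT for the same ports, and the last rule must be the catch-all REJECT.
# Returns 0 when the ordering holds, 1 otherwise.
check_order() {
    render_class_chain "$1" "$2" | awk '
        /^-A CLASS/ { n++ }
        /-m time/ && /-j REJECT/   { rej[$0 ~ /udp/ ? "udp" : "tcp"] = n }
        /--dport/ && /-j ACCEPT/   { acc[$0 ~ /udp/ ? "udp" : "tcp"] = n }
        /^-A CLASS -j REJECT$/     { last = n }
        END { ok = rej["tcp"] < acc["tcp"] && rej["udp"] < acc["udp"] && last == n
              exit ok ? 0 : 1 }'
}

# Stand-alone run: working hours 09:00-18:00 local, i.e. 01:00-10:00 UTC as on the page.
check_order 09:00 18:00 && render_class_chain 09:00 18:00
```

Pipe the rendered output into `iptables-restore --test` on the firewall to syntax-check it before applying it for real.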
Saving and loading iptables rules
The rules defined with iptables have a lifetime equal to that of the running kernel, so they have to be saved.
Saving
CentOS 6 and CentOS 7 save rules differently.
CentOS 6: service iptables save overwrites /etc/sysconfig/iptables with the current rules
```bash
service iptables save
```
CentOS 7: redirect the output of iptables-save
```bash
iptables-save > /path/to/file
```
Loading
CentOS 6: service iptables restart reloads the rules from /etc/sysconfig/iptables
```bash
service iptables restart
```
CentOS 7: reload the rules with iptables-restore
```bash
iptables-restore < /PATH/FROM/FILE
```
Loading rules automatically
(1) Save the iptables commands in a script and have it run at boot by adding the script path to /etc/rc.d/rc.local:
```bash
/PATH/TO/SOME_SCRIPT_FILE
```
(2) Save the rules in a rules file and load it at boot by adding the following to /etc/rc.d/rc.local:
```bash
iptables-restore < /PATH/FROM/IPTABLES_RULES_FILE
```
(3) Write a custom unit file that runs iptables-restore. On CentOS 7, install iptables-services to get iptables.service:
```bash
yum install iptables-services
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables.service
```
Original article: https://blog.51cto.com/11886307/2398424