码迷,mamicode.com
首页 > 其他好文 > 详细

iptables作为网络防火墙的应用

时间:2019-05-22 15:28:49      阅读:77      评论:0      收藏:0      [点我收藏+]

标签:rate   script   stop   node   失效   store   0.0.0.0   自动   att   

iptables网络防火墙

iptables做为网络防火墙是需要将其充当网关使用,需要使用到filer表的FORWARD链
iptables作为网络防火墙时需要注意的问题
1.请求-响应报文均会经由FORWARD链,需要注意规则的方向性
2.如果要启用conntrack机制,建议将两个方向的状态都为ESTABLISHED的报文直接放行


实验环境
准备3台主机,node1为外网主机,node2为网络防火墙,node3为内网主机

主机 外网IP 内网IP
node1 172.22.27.10 -
node2 172.22.27.20 192.168.73.10
node3 - 192.168.73.20

1.node1和node3的网关都指向node2
node1操作

[root@node1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=172.22.27.10
PREFIX=16
GATEWAY=172.22.27.20

node3操作

[root@node3 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.73.20
PREFIX=24
GATEWAY=192.168.73.10

2.node2开启转发功能

[root@node2 ~]# vi /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@node2 ~]# sysctl -p
net.ipv4.ip_forward = 1

环境准备完毕


一、拒绝所有得内外网的访问

在FORWARD链上拒绝所有的访问

[root@node2 ~]# iptables -A FORWARD -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 81 packets, 5914 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination         

测试

从内网访问外网

[root@node3 ~]# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
From 192.168.73.10 icmp_seq=1 Destination Port Unreachable

外网访问内网

[root@node1 ~]# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable

二、允许内网去ping外网,不允许外网ping内网

定义规则

1.放行从内网至外网的请求报文

[root@node2 ~]# iptables -I FORWARD -s 192.168.73.0/24 -p icmp --icmp-type 8 -j ACCEPT

2.放行从外网至内网的响应报文

[root@node2 ~]# iptables -I FORWARD -d 192.168.73.0/24 -p icmp --icmp-type 0 -j ACCEPT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 83745 packets, 6373K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.73.0/24      icmptype 0
    0     0 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
    7   588 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 83187 packets, 4326K bytes)
 pkts bytes target     prot opt in     out     source               destination         

测试

内网访问外网

[root@node3 ~]# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
64 bytes from 172.22.27.10: icmp_seq=1 ttl=63 time=1.30 ms

外网访问内网

[root@node1 ~]# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable

也可以使用状态让已经建立的连接允许通过

[root@node2 ~]# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 98 packets, 6362 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
   10   840 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 39 packets, 3092 bytes)
 pkts bytes target     prot opt in     out     source               destination   

测试

内网访问外网

[root@node3 ~]# ping 172.22.27.10
PING 172.22.27.10 (172.22.27.10) 56(84) bytes of data.
64 bytes from 172.22.27.10: icmp_seq=1 ttl=63 time=1.30 ms

外网访问内网

[root@node1 ~]# ping 192.168.73.20
PING 192.168.73.20 (192.168.73.20) 56(84) bytes of data.
From 172.22.27.20 icmp_seq=1 Destination Port Unreachable

三、内网允许访问外网的web服务

定义规则

添加从内网访问外网80和443端口的放行规则

[root@node2 ~]# iptables -I FORWARD 2 -s 192.168.73.20 -p tcp -m multiport --dports 80,443 -j ACCEPT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 520 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.73.20        0.0.0.0/0            multiport dports 80,443
    4   336 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
   12  1008 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4 packets, 376 bytes)
 pkts bytes target     prot opt in     out     source               destination       

测试

内网访问外网web服务

[root@node3 ~]# curl 172.22.27.10
this is node1

外网访问内网的web服务

[root@node1 ~]# curl 192.168.73.20
curl: (7) Failed connect to 192.168.73.20:80; Connection refused            #被拒绝

四、允许外网可以访问内网的web服务

定义规则

添加规则允许外网访问内网的web服务

[root@node2 ~]# iptables -I FORWARD 2 -d 192.168.73.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 132 packets, 9064 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12  1058 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      multiport dports 80,443
    1    60 ACCEPT     tcp  --  *      *       192.168.73.20        0.0.0.0/0            multiport dports 80,443
    4   336 ACCEPT     icmp --  *      *       192.168.73.0/24      0.0.0.0/0            icmptype 8
   12  1008 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 62 packets, 3716 bytes)
 pkts bytes target     prot opt in     out     source               destination         

测试

从外网访问内网的web服务

[root@node1 ~]# curl 192.168.73.20
this is node3

五、使用自定义链实现内网的访问控制

1.将刚才定义的规则全部清除

[root@node2 ~]# iptables -F
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 4418 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 40 packets, 2340 bytes)
 pkts bytes target     prot opt in     out     source               destination    

2.创建自定义链

[root@node2 ~]# iptables -N CLASS
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 76 packets, 4808 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 2420 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)          #此为新创建的自定义链
 pkts bytes target     prot opt in     out     source               destination    

3.允许内网用户访问外网的web服务

3.1 访问web服务需要放行http,https和dns的相关服务,所以需要开放53、80、443端口

[root@node2 ~]# iptables -A CLASS -s 192.168.73.0/24 -p tcp -m multiport --dports 53,80,443 -j ACCEPT
[root@node2 ~]# iptables -A CLASS -s 192.168.73.0/24 -p udp --dport 53 -j ACCEPT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 58 packets, 3632 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 36 packets, 2080 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53

3.2 开启连接追踪放行响应的报文

[root@node2 ~]# iptables -I CLASS -m state --state ESTABLISHED,RELATED -j ACCEPT

3.3 将其余没有匹配到的规则全部拒绝

root@node2 ~]# iptables -A CLASS -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 247 packets, 16085 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 159 packets, 9328 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

3.4 调用自定义链
自定义链创建完毕后需要在FORWARD链上调用

[root@node2 ~]# iptables -A FORWARD -j CLASS

3.4测试
内网访问外网web服务

[root@node3 ~]# curl 172.22.27.10
this is node1
外网访问内网web服务
```bash
[root@node1 ~]# curl 192.168.73.20
curl: (7) Failed connect to 192.168.73.20:80; Connection refused

4.添加规则上班时间拒绝访问外网web

4.1 CentOS 7所用的时间为utc时间所以设定时间时需要-8小时,并且拒绝的规则需要放在放行的规则之前,否则将直接匹配放行的规则,拒绝规则将失效

[root@node2 ~]# iptables -I CLASS 2 -s 192.168.73.0/24 -p tcp -m multiport --dports 53,80,443 -m time --timestart 1:00 --timestop 10:00 -j REJECT
[root@node2 ~]# iptables -I CLASS 3 -s 192.168.73.0/24 -p udp  --dport 53 -m time --timestart 1:00 --timestop 10:00 -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 33 packets, 1932 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   926 CLASS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 20 packets, 1516 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   806 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
    1    60 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53
    1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

测试1
在防火墙上查看当前时间

[root@node2 ~]# date
Tue May 21 23:29:31 CST 2019        #UTC时间为当前时间-8小时,为下班时间,应该可以访问,查看测试结果

在内网访问外网web

[root@node3 ~]# curl 172.22.27.10
this is node1

测试2
将防火墙时间调整为上班时间

[root@node2 ~]# date -s "-12 hours"
Tue May 21 11:35:29 CST 2019

从内网访问外网web

[root@node3 ~]# curl 172.22.27.10
curl: (7) Failed connect to 172.22.27.10:80; Connection refused

5.添加对字符的过滤

5.1在防火墙上添加规则,对回应的内容中带有node字符进行过滤
注意过滤信息必须添加在状态追踪之前,否则失效

[root@node2 ~]# iptables -I CLASS  -d 192.168.73.0/24 -p tcp --sport 80 -m string --algo bm --string "node1" -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 38 packets, 2240 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  122 10512 CLASS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 21 packets, 1652 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp spt:80 STRING match  "node1" ALGO name bm TO 65535 reject-with icmp-port-unreachable      #注意过滤信息必须添加在状态追踪之前,否则失效
  108  9672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    60 REJECT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53 TIME from 01:00:00 to 10:00:00 UTC reject-with icmp-port-unreachable
   12   720 ACCEPT     tcp  --  *      *       192.168.73.0/24      0.0.0.0/0            multiport dports 53,80,443
    0     0 ACCEPT     udp  --  *      *       192.168.73.0/24      0.0.0.0/0            udp dpt:53
    1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

测试
防火墙将时间调整至下班

[root@node2 ~]# date -s "+12 hours"
Tue May 21 23:46:54 CST 2019

从内网访问外网web

[root@node3 ~]# curl 172.22.27.10/test.html        #访问不带有node1页面时有响应
mylinuxops.com
[root@node3 ~]# curl 172.22.27.10         #访问带有node1的页面时没有响应

6.自定义链的删除

自定义链删除时需要先清空链规则,取消调用,最后才能将其删除
6.1 清空规则

[root@node2 ~]# iptables -F CLASS
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 72 packets, 4212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  180 21228 CLASS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 38 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

6.2 取消调用

[root@node2 ~]# iptables -D FORWARD 1
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 131 packets, 8240 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 84 packets, 6680 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CLASS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

6.3 删除自定义连

[root@node2 ~]# iptables -X CLASS
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 34 packets, 2044 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20 packets, 1468 bytes)
 pkts bytes target     prot opt in     out     source               destination     

六、指定某些连续的地址范围无法访问外网web服务

定义规则

将内网的15-25的地址,无法访问外网web服务

[root@node2 ~]# iptables -A FORWARD -p tcp --dport 80 -m iprange --src-range 192.168.73.15-192.168.73.25 -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 1700 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 source IP range 192.168.73.15-192.168.73.25 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 16 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

测试

使用内网网段内主机去访问外网web

[root@node3 ~]# curl 172.22.27.10
curl: (7) Failed connect to 172.22.27.10:80; Connection refused      #访问被拒绝

七、限制外网用户访问内网web的连接数

定义规则

当每个ip的并发连接数大于2时拒绝访问

[root@node2 ~]# iptables -A FORWARD -d 192.168.73.0/24 -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 46 packets, 2704 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 source IP range 192.168.73.15-192.168.73.25 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp dpt:80 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 26 packets, 1932 bytes)
 pkts bytes target     prot opt in     out     source               destination 

测试

从外网对内网的web服务泛洪

[root@node1 ~]# ./flood1 192.168.73.20
Starting flood connect attack on 192.168.73.20 port 80

内网web服务器上抓包

[root@node3 ~]# tcpdump -i ens33 -nn dst port 80         #没有响应报文。访问被拒绝
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
07:38:50.985045 IP 172.22.27.10.36248 > 192.168.73.20.80: Flags [.], ack 1054889742, win 229, options [nop,nop,TS val 11920183 ecr 11882921], length 0
07:38:51.846189 IP 172.22.27.10.36252 > 192.168.73.20.80: Flags [.], ack 1313004510, win 229, options [nop,nop,TS val 11921044 ecr 11883940], length 0
^C

八、状态追踪在ftp服务器中的应用

要使用状态追踪ftp的连接需要使用专用的模块nf_conntrack_ftp
模块路径:/lib/modules/3.10.0-957.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
需要手动装载

[root@node2 ~]# lsmod | grep nf_conntrack_ftp
[root@node2 ~]# modprobe nf_conntrack_ftp
[root@node2 ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       18638  0 
nf_conntrack          133095  4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4

或者写入配置文件

[root@node2 ~]# vi /etc/sysconfig/iptables-config 
IPTABLES_MODULES="nf_conntrack_ftp"

定义防火墙规则追踪ftp

1.先放行外网对内网21端口的访问

[root@node2 ~]# iptables -A FORWARD -d 192.168.73.0/24 -p tcp --dport 21 -j ACCEPT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1624 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp dpt:21

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination 

2.在放行规则之前添加连接追踪规则
添加连接追踪的功能,用于放行ftp数据通道,并添加规则拒绝所有不符合规则的连接

[root@node2 ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node2 ~]# iptables -A FORWARD -j REJECT
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 95 packets, 9072 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.73.0/24      tcp dpt:21
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 16 packets, 1272 bytes)
 pkts bytes target     prot opt in     out     source               destination  

测试

从外网访问内网的ftp服务

[root@node1 ~]# ftp 192.168.73.20
Connected to 192.168.73.20 (192.168.73.20).
220 (vsFTPd 3.0.2)
Name (192.168.73.20:root): ftp
331 Please specify the password.
Password:
230 Login successful.                  #成功
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

九、iptables的日志功能

当满足某条件时,将所匹配到的内容记录到日志中,日志位置/var/log/message
日志可以使用--log-prefix 选项来添加前缀
添加所有访问80端口的信息记录到日志

[root@node2 ~]# iptables -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "ALL:"

测试

从外网访问内网的web服务

[root@node1 ~]# curl 192.168.73.20
this is node3

在防火墙上查看日志

[root@node2 ~]# tail /var/log/messages | grep "ALL"
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25563 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25564 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0 
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=129 TOS=0x00 PREC=0x00 TTL=63 ID=25565 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25566 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0 
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25567 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK FIN URGP=0 
May 22 09:26:27 localhost kernel: ALL:IN=ens33 OUT=ens34 MAC=00:0c:29:3e:c7:e8:00:0c:29:b1:82:61:08:00 SRC=172.22.27.10 DST=192.168.73.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25568 DF PROTO=TCP SPT=36642 DPT=80 WINDOW=237 RES=0x00 ACK URGP=0 

十、iptables规则的存放

iptables的生存期为内核的生命周期,关机重启将失效,所以需要将规则进行保存,等再次开机时加载规则

规则的保存

使用iptables-save重定向输出至文件

[root@node2 ~]# iptables-save > test
[root@node2 ~]# cat test
# Generated by iptables-save v1.4.21 on Wed May 22 09:34:32 2019
*filter
:INPUT ACCEPT [2334:195479]
:FORWARD ACCEPT [10:867]
:OUTPUT ACCEPT [96:10460]
-A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "ALL:"
COMMIT
# Completed on Wed May 22 09:34:32 2019

规则的加载

使用iptables-restore将保存的规则重定向输入

[root@node2 ~]# iptables -F               #清空所有规则
[root@node2 ~]# iptables -nvL       
Chain INPUT (policy ACCEPT 43 packets, 3195 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@node2 ~]# iptables-restore < test      #将刚才所保存的规则重新导入
[root@node2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 45 packets, 3601 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4 prefix "ALL:"           #新的规则已经加入

Chain OUTPUT (policy ACCEPT 15 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination 

iptabes的规则优化

任何不允许的访问,应该在请求到达时给予拒绝
规则在链接上的次序即为其检查时的生效次序
基于上述,规则优化:

  1. 安全放行所有入站和出站的状态为ESTABLISHED状态连接
  2. 谨慎放行入站的新请求
  3. 有特殊目的限制访问功能,要在放行规则之前加以拒绝
  4. 同类规则(访问同一应用),匹配范围小的放在前面,用于特殊处理
  5. 不同类的规则(访问不同应用),匹配范围大的放在前面
  6. 应该将那些可由一条规则能够描述的多个规则合并为一条
  7. 设置默认策略,建议白名单(只放行特定连接)
    1) iptables -P,不建议
    2) 建议在规则的最后定义规则做为默认策略

iptables规则的保存和加载

iptables所定义的规则是有生命周期的,其周期为内核的存活周期,所以需要将其进行保存

保存方法

centos6和7保存方法不同

centos6

使用service iptables save 将规则覆盖保存至/etc/sysconfig/iptables中

service iptables save

centos7

使用iptables-save进行重定向

iptables-save > /path/to/file

iptables规则的载入

centos6使用service iptables restart会从/etc/sysconfig/iptables中重新载入

service iptables restart

centos7需要使用iptables-restore重新加载规则

iptables-restore < /PATH/FORM/FILE

iptables的自动加载

(1) 用脚本保存各iptables命令;让此脚本开机后自动运行 /etc/rc.d/rc.local文件中添加脚本路径

/PATH/TO/SOME_SCRIPT_FILE 

(2) 用规则文件保存各规则,开机时自动载入此规则文件中的规则 /etc/rc.d/rc.local文件添加

iptables-restore < /PATH/FROM/IPTABLES_RULES_FILE 

(3)自定义Unit File,进行iptables-restore

CentOS 7 可以安装 iptables-services 实现iptables.service

yum install iptables-services     
iptables-save > /etc/sysconfig/iptables     
systemctl enable iptables.service 

iptables作为网络防火墙的应用

标签:rate   script   stop   node   失效   store   0.0.0.0   自动   att   

原文地址:https://blog.51cto.com/11886307/2398424

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!