火墙类型及火墙策略

最新推荐文章于 2024-06-08 16:34:06 发布

随便啦ing

最新推荐文章于 2024-06-08 16:34:06 发布

阅读量692

点赞数 26

文章标签：网络服务器运维

本文链接：https://blog.csdn.net/2301_79767652/article/details/139045640

版权

火墙拥有两套服务工具

一种是iptables另一种就是我们生活中常见的firewalld

我们主要看看iptables的工作机制及配置

iptables

已知node2的主机名称为node2.timinglee.org其ip为192.168.0.200，这台主机中只允许sshd，和nginx两个服务可以被访问
2.已知node1的主机名为node1.timinglee.org,此主机为双网卡主机其IP为172.25.254.200，和192.168.0.100，请在此主机中配置策略可以使node2主机访问外网

主机：node2

[root@server200 ~]# hostnamectl set-hostname node2.timinglee.org //修改主机名

[root@server200 ~]# hostname //查看主机名

node2.timinglee.org

[root@server200 ~]# ip a //网卡配置

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

link/ether 00:0c:29:a4:2e:e7 brd ff:ff:ff:ff:ff:ff

altname enp3s0

altname ens160

inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0

valid_lft forever preferred_lft forever

inet6 fe80::1d24:d487:e06a:e4dd/64 scope link noprefixroute

valid_lft forever preferred_lft forever

关闭firewalld开启iptables

[root@server200 ~]# dnf install iptables-services -y //下载软件

[root@server200 ~]# systemctl disable --now firewalld //关闭firewalld

[root@server200~]# systemctl mask firewalld //锁住firewalld

Created symlink /etc/systemd/system/firewalld.service → /dev/null.

[root@server200 ~]# systemctl enable --now iptables.service //开启iptables

Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

[root@server200 ~]# iptables -nL //查看火墙策略

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)

target prot opt source destination

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@server200~]# iptables -F //清空火墙策略

[root@server200 ~]# iptables -nL //查看

[root@server200 ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

//添加一条策略允许访问80端口nginx服务

[root@server200 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

//添加一条策略允许访问22 端口sshd服务

[root@server129 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

主机：node1

[root@server100 ~]# hostnamectl set-hostname node1.timinglee.org //修改主机名

[root@server100 ~]# hostname //查看主机名

Node1.timinglee.org

[root@server100 ~]# ip a

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

link/ether 00:0c:29:8f:0c:9d brd ff:ff:ff:ff:ff:ff

altname enp3s0

altname ens160

inet 172.25.254.100/24 brd 172.25.254.255 scope global noprefixroute eth0

valid_lft forever preferred_lft forever

inet6 fe80::a7db:2566:dc91:6001/64 scope link noprefixroute

valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

link/ether 00:0c:29:8f:0c:a7 brd ff:ff:ff:ff:ff:ff

altname enp27s0

altname ens256

inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1

valid_lft forever preferred_lft forever

inet6 fe80::a77c:6744:4c82:9f3/64 scope link noprefixroute

valid_lft forever preferred_lft forever

[root@server129 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection

[ipv4]

address1=192.168.0.200/24,192.168.0.100

dns=114.114.114.114;

method=manual

[root@server100 ~]# vim /etc/sysctl.conf //开启内核路由功能

net.ipv4.ip_forward=1

[root@server100 ~]# sysctl -p

net.ipv4.ip_forward = 1

[root@server100 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.100 //将内网的IP地址转换为172.25.254.100去上网

[root@server100 ~]# iptables -t nat -nL //查看策略

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.111

测试：

[root@server129 ~]# ping www.baidu.com

PING www.a.shifen.com (183.2.172.185) 56(84) 比特的数据。

64 比特，来自 183.2.172.185 (183.2.172.185): icmp_seq=1 ttl=127 时间=59.4 毫秒

--- www.a.shifen.com ping 统计 ---

已发送 3 个包，已接收 3 个包, 0% packet loss, time 2004ms

rtt min/avg/max/mdev = 39.857/60.949/83.585/17.885 ms

[root@server100 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200 //外网访问内网将共有IP转换为私有的192.168.0.200

[root@server111 ~]# iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.200

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.111

测试：

[C:\~]$ ssh root@172.25.254.100 //用真机的ssh去链接172.25.254.100

[root@server129 ~]# ip a

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

link/ether 00:0c:29:a4:2e:e7 brd ff:ff:ff:ff:ff:ff

altname enp3s0

altname ens160

inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0

valid_lft forever preferred_lft forever

inet6 fe80::1d24:d487:e06a:e4dd/64 scope link noprefixroute

valid_lft forever preferred_lft forever

连接的是172.25.254.100其实实际上连接的是192.168.0.200

随便啦ing

关注

26
点赞
踩
29

收藏

觉得还不错? 一键收藏
打赏
0
评论
火墙类型及火墙策略

root@server100 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200 //外网访问内网将共有IP转换为私有的192.168.0.200。[root@server200 ~]# systemctl enable --now iptables.service //开启iptables。
复制链接

扫一扫