iptables练习题
1.INPUT和OUTPUT默认策略为DROP;
[root@web-server1 ~]# iptables -t filter -P INPUT DROP
[root@web-server1 ~]# iptables -t filter -P OUTPUT DROP
2.限制本地主机的web服务器在周二、周五不允许访问;新请求的速率不能超过150个每秒;web服务器包含了demo字符串的页面不允许访问;web服务器仅允许响应报文离开本机;
[root@web-server1 ~]# iptables -I INPUT 1 -d 192.168.100.65 -p tcp --dport 80 -m limit --limit 150/second -m time --weekdays Tue,Fri -j REJECT
[root@web-server1 ~]# iptables -I OUTPUT 1 -d 192.168.100.65 -p tcp --dport 80 -m string --string "demo" --algo kmp -j REJECT
3.在工作时间,即周一到周五的8:30-18:00,开放本机的samba服务共享的目录给192.168.100.20网络中的主机访问;数据访问次数每分钟不得超过20个;
[root@web-server1 ~]# iptables -I INPUT -s 192.168.100.65 -m time --timestart 08:30:00 --timestop 18:00:00 --weekdays Mon,Tue,Wed,Thu,Fri -m limit --limit 20/Minute -j ACCEPT
4.开放本机的ssh服务给192.168.100.9-192.168.100.155中的主机,新请求建立的速率一分钟不得超过3个;仅允许响应报文通过其服务端口离开本机;
[root@web-server1 ~]# iptables -I INPUT -p tcp --dport 22 -m iprange --src-range 192.168.100.9-192.168.100.155 -m limit --limit 3/Minute -m recent --set --name SSH
5.定制源地址访问策略:1)接收来自192.168.100.30的IP访问;2)拒绝来自192.168.200.0/24网段的访问
1)
[root@web-server1 ~]# iptables -i ens33 -s 192.168.100.30 -j ACCEPT
2)
[root@web-server1 ~]# iptables -i ens33 -s 192.168.200.0/24 -p tcp -j DROP
6.目标地址192.168.100.20的访问给予记录,并查看/var/log/message
[root@web-server1 ~]# iptables -A INPUT -s 192.168.100.20 -j LOG
7.定制端口访问策略:
1)拒绝任何地址访问本机的8081端口;
[root@web-server1 ~]# iptables -A INPUT -i ens33 -p tcp --dport 8081 -j DROP
2)拒绝192.168.200.0/24网段的1024-65534的源端口访问SSH
[root@web-server1 ~]# iptables -A INPUT -i ens33 -p tcp -s 192.168.200.0/24 --sport 1024:65534 --dport ssh -j DROP
8.定制防火墙的MAC地址访问策略:
1)清除所以已经存的规则;
[root@web-server1 ~]# iptables -F
[root@web-server1 ~]# iptables -X
[root@web-server1 ~]# iptables -Z
2)将INPUT设为DROP;
[root@web-server1 ~]# iptables -P INPUT DROP
3)将目标计算机192.168.100.30的MAC设为ACCEPT
[root@web-server1 ~]# iptables -A INPUT -m mac --mac-source 00:0c:29:34:9f:01 -j ACCEPT
9.定制防火墙的NAT访问策略:
1)清除所有NAT策略;
[root@web-server1 ~]# iptables -F -t nat
[root@web-server1 ~]# iptables -X -t nat
[root@web-server1 ~]# iptables -Z -t nat
2)重置ip_forward为1;
[root@web-server1 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
3)通过SNAT设定来源于192.168.100.20网段通过ens33转发出去;
[root@web-server1 ~]# iptables -t nat -A POSTROUTING -o ens33 -j SNAT --to 192.168.100.20
4)用iptables观察转发的数据包。
[root@web-server1 ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
552 36178 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:0C:29:34:9F:01
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 185 packets, 17548 bytes)
pkts bytes target prot opt in out source destination
10.端口转发访问策略:
1)清除所有NAT策略;
[root@web-server1 ~]# iptables -F -t nat
[root@web-server1 ~]# iptables -X -t nat
[root@web-server1 ~]# iptables -Z -t nat
2)重置ip_forward为1;
[root@web-server1 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
3)通过DNAT设定为所有访问192.168.100.30的22端口,都访问到192.168.100.20的22端口;
[root@web-server1 ~]# iptables -t nat -A PREROUTING -d 192.168.100.30 -p tcp --dport 22 -j DNAT --to-destination 192.168.100.20:22
4)设定所有到192.168.100.20的22端口的数据包都通过FORWARD转发;
[root@web-server1 ~]# iptables -A FORWARD -p tcp -d 192.168.100.20 --dport 22 -j ACCEPT
5)设定回应数据包,即通过NAT的POSTROUTING设定,使通讯正常。
[root@web-server1 ~]# iptables -t nat -I POSTROUTING -p tcp --dport 22 -j MASQUERADE
Firewalld练习题
1.配置防火墙规则
允许192.168.100.0/24 网段的用户对controller和compute进行ssh访问;禁止192.168.200.0/24 网段的用户对controller和compute进行ssh访问.
[root@web-server1 ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.100.0/24" service name="ssh" reject'
[root@web-server1 ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.100.0/24" service name="ssh" reject'
success
2.配置端口转发在controller和compute配置端口转发,要求:在192.168.200.0/24网段中的主机,访问server的本地端口5321将被转发到80端口此设置必须永久有效、设置开机启动防火墙.
[root@web-server1 ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.200.0/24" forward-port port="5321" protocol="tcp" to-port="80"'
success
3.开启80端口,查看80端口状态;
[root@web-server1 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@web-server1 ~]# firewall-cmd --reload
success
[root@web-server1 ~]# firewall-cmd --zone=public --query-port=80/tcp
yes
4.允许来自主机 192.168.100.20 的80 端口的 IPv4 的 TCP 流量,并将流量转发到6532 端口上;
[root@web-server1 ~]# firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=192.168.100.20 forward-port port=80 protocol=tcp to-port=6532'
success
[root@web-server1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.0/24" service name="ssh" reject
rule family="ipv4" source address="192.168.200.0/24" forward-port port="5321" protocol="tcp" to-port="80"
rule family="ipv4" source address="192.168.100.20" forward-port port="80" protocol="tcp" to-port="6532"
5.每分钟允许2个新连接访问ftp服务;
[root@web-server1 ~]# firewall-cmd --add-rich-rule="rule service name=ftp limit value=2/m accept"
success
[root@web-server1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.0/24" service name="ssh" reject
rule family="ipv4" source address="192.168.200.0/24" forward-port port="5321" protocol="tcp" to-port="80"
rule family="ipv4" source address="192.168.100.20" forward-port port="80" protocol="tcp" to-port="6532"
rule service name="ftp" accept limit value="2/m"
6.修改默认区域为home,并添加接口ens33到当前默认区域下,查询出结果;
[root@web-server1 ~]# firewall-cmd --set-default-zone=home
success
[root@web-server1 ~]# sudo firewall-cmd --get-default-zone
home
[root@web-server1 ~]# firewall-cmd --permanent --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'home'.
success
[root@web-server1 ~]# firewall-cmd --zone=home --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh mdns samba-client dhcpv6-client
ports: 1000-8888/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.30" port port="3306" protocol="tcp" accept
7.放开ssh服务,并限制只有192.168.100.30可以访问3306端口;
[root@web-server1 ~]# firewall-cmd --zone=public --add-port=22/tcp --permanent
success
[root@web-server1 ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.30" port protocol="tcp" port="3306" accept"
success
[root@web-server1 ~]# firewall-cmd --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.30" port port="3306" protocol="tcp" accept
8.增加666端口到public域上,并查询结果;
[root@web-server1 ~]# firewall-cmd --zone=public --add-port=666/tcp --permanent
success
[root@web-server1 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 22/tcp 666/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.0/24" service name="ssh" reject
rule family="ipv4" source address="192.168.200.0/24" forward-port port="5321" protocol="tcp" to-port="80"
9.将tcp协议1000-8888端口,添加到home区域下;并添加192.168.100.0/24网段到home区域;
[root@web-server1 ~]# firewall-cmd --zone=home --add-port=1000-8888/tcp --permanent
success
[root@web-server1 ~]# firewall-cmd --reload
success
[root@web-server1 ~]# firewall-cmd --zone=home --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh mdns samba-client dhcpv6-client
ports: 1000-8888/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.30" port port="3306" protocol="tcp" accept
[root@web-server1 ~]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=192.168.100.0/24 port protocol=tcp port="80" accept"
success
[root@web-server1 ~]# firewall-cmd --reload
success
[root@web-server1 ~]# firewall-cmd --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh mdns samba-client dhcpv6-client
ports: 1000-8888/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.30" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="192.168.100.0/24" port port="80" protocol="tcp" accept
10.修改home区域绑定的网卡接口,将它绑定到internal区域,并查询接口所在区域结果;
[root@web-server1 ~]# firewall-cmd --zone=home --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh mdns samba-client dhcpv6-client
ports: 1000-8888/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.30" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="192.168.100.0/24" port port="80" protocol="tcp" accept
[root@web-server1 ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@web-server1 ~]# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: