目录
1 iptables filter表小案例
- 编辑脚本设定规则
vi /usr/local/sbin/iptables.sh //加入如下内容
#! /bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT - icmp示例,拒绝ping本机 iptables -I INPUT -p icmp --icmp-type 8 -j DROP
- 没有设置规则前,ping服务器:
- 设定iptables规则:
[root@worker01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@worker01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 684 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 776 bytes)
pkts bytes target prot opt in out source destination - 在windows机器上,再次ping服务器:
- 删除icmp规则
[root@worker01 ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP
2 iptables nat表应用
A机器两块网卡eno16777736(192.168.139.100)、eno33554984(192.168.100.1),eno16777736可以上外网,eno33554984仅仅是内部网络,B机器只有eno33554984(192.168.100.100),和A机器eno33554984可以通信互联。
- 需求1:可以让B机器连接外网
实验准备:
虚拟机的A机器:设置一个内网网卡,一个外网网卡
外网网卡配置:
动态获取ip:
[root@worker1 ~]#dhclient静态获取ip:
[root@worker1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=32447f57-e011-4b11-97ea-a7fe8a52099a
#DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.139.100
GATEWAY=192.168.139.2
NETMASK=255.255.255.0
DNS1=8.8.8.8
DNS2=119.29.29.29重启网络服务
[root@worker1 ~]# systemctl restart network.service内网网卡配置:
- 临时设置:
[root@worker1 ~]# ifconfig eno33554984 192.168.100.1
[root@worker1 ~]# ifconfig eno33554984 192.168.100.1/24
[root@worker1 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.139.100 netmask 255.255.255.0 broadcast 192.168.139.255
inet6 fe80::20c:29ff:fee5:56b1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e5:56:b1 txqueuelen 1000 (Ethernet)
RX packets 611 bytes 54252 (52.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 374 bytes 47939 (46.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fee5:56bb prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e5:56:bb txqueuelen 1000 (Ethernet)
RX packets 35 bytes 11970 (11.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 628 (628.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0- 永久设置:
拷贝原网卡eno16777736的配置文件,进行修改即可
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno33554984
#UUID=32447f57-e011-4b11-97ea-a7fe8a52099a
#DEVICE=eno33554984
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0iptables规则设置:(设置前规则前,需要把firewalld关闭)
[root@worker1 ~]# systemctl stop firewalld- A机器上打开路由转发
默认:
[root@worker1 ~]# cat /proc/sys/net/ipv4/ip_forward
0
修改:
[root@worker1 ~]# echo "1">/proc/sys/net/ipv4/ip_forward
[root@worker1 ~]# cat /proc/sys/net/ipv4/ip_forward
1- A上执行 iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE //eno16777736是外网网卡
[root@worker1 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE
B机器:设置一个内网网卡
内网网卡配置:
临时设置:
[root@worker1 ~]# ifconfig eno33554984 192.168.100.100/24永久设置:
拷贝原网卡eno16777736的配置文件,进行修改即可
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno33554984
#UUID=32447f57-e011-4b11-97ea-a7fe8a52099a
#DEVICE=eno33554984
ONBOOT=yes
IPADDR=192.168.100.100
GATEWAY=192.168.100.1
NETMASK=255.255.255.0
DNS1=119.29.29.29B上设置网关为192.168.100.1 (如果以上配置内网网卡时候,这里就不用再次配置网关了)
网关设置:
route add default gw 192.168.100.1 //临时设置
域名设置:
vim /etc/resolv.conf
nameserver 119.29.29.29
测试B机器连外网:
测试成功了
需求2:C机器只能和A通信,让C机器可以直接连通B机器的22端口
- A,B机器网卡如上配置,然后把以上需求1的iptables规则删除
[root@worker1 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE- A上打开路由转发
[root@worker1 ~]# echo "1">/ proc/sys/net/ipv4/ip_forward- A上执行iptables -t nat -A PREROUTING -d 192.168.139.100 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@worker1 ~]# iptables -t nat -A PREROUTING -d 192.168.139.100 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22- A上执行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.139.100
[root@worker1 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.139.100B上设置网关为192.168.100.1 (如果以上配置内网网卡时候,这里就不用再次配置网关了)
网关设置:
route add default gw 192.168.100.1 //临时设置
使用xshell远程登录工具测试:
创建远程登录会话
设置好登录的机器的信息(A机器)
设置用户身份认证,这里是选密码登录(A机器)
创建完成后的会话,然后点击连接
成功登录到worker2机器上了(B机器)
扩展
1. iptables应用在一个网段 http://www.aminglinux.com/bbs/thread-177-1-1.html
2. sant,dnat,masquerade http://www.aminglinux.com/bbs/thread-7255-1-1.html
3. iptables限制syn速率 http://www.aminglinux.com/bbs/thread-985-1-1.html
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
