####################
##### iptables######
####################
-t #指定表名称
-n #不做解析
-L #列出指定表中的策略
-A #添加策略
-p #网络协议(注意是小写p;大写-P用于修改链的默认策略)
--dport ##端口
-s ##数据来源
-j #动作
ACCEPT #允许
REJECT ##拒绝
DROP ##丢弃
-N ##增加链
-E ##修改链名称
-X ##删除链
-D ##删除指定策略
-I ##插入
-R ##修改策略
-P ##修改默认策略
iptables -F ##只是刷掉了内存里的,刷掉filter表中所有数据(不加-t默认为filter表)
service iptables save ##保存当前策略
iptables -t filter -nL ##查看filter表中的策略
iptables -A INPUT -i lo -j ACCEPT ##允许lo接口的数据(这几条规则是自上而下逐条匹配的,一旦匹配成功就不再向下匹配)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #允许访问22端口
iptables -A INPUT -s 172.25.254.44 -j ACCEPT #允许172.25.254.44主机访问本机所有端口
iptables -A INPUT -j REJECT ##拒绝其余所有来源的数据
iptables -nL
-------------------------------------------------------------------------
1 vim /etc/yum.repos.d/rhel_dvd.repo
2 yum clean all
7 systemctl status firewalld.service
10 systemctl start iptables
11 systemctl status iptables
18 iptables -A INPUT -i lo -j ACCEPT
19 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
20 iptables -A INPUT -s 172.25.254.44 -j ACCEPT
21 iptables -A INPUT -j REJECT
24 systemctl start httpd
------------------------------------------------------------------------
19 iptables -D INPUT 1 ##删除INPUT链中的第一条策略
21 iptables -N cat ##添加链cat
22 iptables -nL
23 iptables -E cat ccc ##改变链名称
24 iptables -nL
25 iptables -X ccc ##删除ccc链
26 iptables -nL
27 iptables -I INPUT -s 172.25.254.1 -j ACCEPT ##插入策略到INPUT中的第一条
28 iptables -nL
29 iptables -R INPUT 1 -i lo -j ACCEPT ##修改第一条策略
30 iptables -nL
31 iptables -D INPUT 1 ##删除INPUT链中的第一条策略
32 iptables -nL
33 iptables -P INPUT DROP ##把INPUT链的默认策略改为DROP
---------------------------------------------------------------------------------
[root@localhost ~]# iptables -D INPUT 3
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -N cat
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain cat (0 references)
target prot opt source destination
[root@localhost ~]# iptables -E cat ccc
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ccc (0 references)
target prot opt source destination
[root@localhost ~]# iptables -X ccc
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -I INPUT -s 172.25.254.44 -j ACCEPT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.25.254.44 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -R INPUT 1 -s 172.25.254.44 -j ACCEPT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.25.254.44 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
----------------------------------------------------------------------------------
# Stateful INPUT policy: flush the filter table, allow replies to existing
# connections, then open a fixed set of TCP service ports for NEW connections
# and reject everything else.
# NOTE(review): -F only clears rules in memory; the chain's default policy is
# untouched (the listing below still shows "policy ACCEPT"), so if the rules
# are flushed again later the host is left fully open until they are reloaded.
iptables -F
iptables -nL
# Packets belonging to (or related to) an already-tracked connection are
# accepted first so they never fall through to the final REJECT.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections on the loopback interface.
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
# New TCP connections to the listed ports. Only TCP is matched here; this
# rule does not open UDP/53 for DNS.
for port in 22 80 443 53; do
  iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done
# Everything not matched above is rejected (ICMP port-unreachable).
iptables -A INPUT -j REJECT
iptables -nL
----------------------------------------------------------------------------
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
-------------------------------------------------------------------------------
server端:
配置ip为0网段的
desktop端(作为路由器,需开启转发并配置NAT):
# Turn the desktop host into a router: enable IPv4 forwarding and add
# DNAT/SNAT rules in the nat table.
# Show the current forwarding-related kernel settings before changing them.
sysctl -a | grep -- forward
# Persist ip_forward=1. This appends unconditionally, so running it twice
# leaves a duplicate line in /etc/sysctl.conf.
printf '%s\n' 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
sysctl -p
# DNAT every packet arriving on eth1 to 172.25.0.144 — no -p/--dport
# restriction, so all protocols and ports are redirected.
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.144
# SNAT every packet leaving eth1 to 172.25.254.144.
# NOTE(review): the ifconfig output later on this page shows 172.25.254.144
# on eth0 and 172.25.0.44 on eth1 — confirm the interface/address pairing
# before relying on this rule.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.144
-------------------------------------------------------------------------------
[root@localhost ~]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.144
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.144
[root@localhost ~]# ping 172.25.254.44
PING 172.25.254.44 (172.25.254.44) 56(84) bytes of data.
64 bytes from 172.25.254.44: icmp_seq=1 ttl=64 time=0.125 ms
64 bytes from 172.25.254.44: icmp_seq=2 ttl=64 time=0.179 ms
^C
--- 172.25.254.44 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.125/0.152/0.179/0.027 ms
[root@localhost ~]# ping 172.25.0.45
PING 172.25.0.45 (172.25.0.45) 56(84) bytes of data.
^C
--- 172.25.0.45 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1037ms
[root@localhost ~]# ping 172.25.0.45
PING 172.25.0.45 (172.25.0.45) 56(84) bytes of data.
From 172.25.254.144 icmp_seq=1 Destination Host Unreachable
From 172.25.254.144 icmp_seq=2 Destination Host Unreachable
From 172.25.254.144 icmp_seq=3 Destination Host Unreachable
From 172.25.254.144 icmp_seq=4 Destination Host Unreachable
From 172.25.254.144 icmp_seq=5 Destination Host Unreachable
From 172.25.254.144 icmp_seq=6 Destination Host Unreachable
From 172.25.254.144 icmp_seq=7 Destination Host Unreachable
From 172.25.254.144 icmp_seq=8 Destination Host Unreachable
^C^C
--- 172.25.0.45 ping statistics ---
9 packets transmitted, 0 received, +8 errors, 100% packet loss, time 8001ms
pipe 4
[root@localhost ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.144 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:2c0a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:2c:0a txqueuelen 1000 (Ethernet)
RX packets 7413 bytes 5910109 (5.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6325 bytes 425473 (415.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.0.44 netmask 255.255.255.0 broadcast 172.25.0.255
inet6 fe80::5054:ff:fe52:afcd prefixlen 64 scopeid 0x20<link>
ether 52:54:00:52:af:cd txqueuelen 1000 (Ethernet)
RX packets 9213 bytes 394926 (385.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 4313 (4.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 3083 bytes 275604 (269.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3083 bytes 275604 (269.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# w -f
11:23:05 up 2:02, 3 users, load average: 0.02, 0.07, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 09:21 ?xdm? 1:14 0.18s gdm-session-worker [pam/gdm-passw
root pts/0 :0 09:21 1:58m 0.06s 0.06s /bin/bash
root pts/1 172.25.254.44 09:25 1.00s 0.46s 0.39s -bash
[root@localhost ~]# w
11:23:22 up 2:02, 3 users, load average: 0.02, 0.07, 0.06
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
root :0 09:21 ?xdm? 1:14 0.18s gdm-session-worker [pam/gdm-password]
root pts/0 09:21 1:58m 0.06s 0.06s /bin/bash
root pts/1 09:25 2.00s 0.39s 0.39s -bash
[root@localhost ~]# ssh root@172.25.254.44
The authenticity of host '172.25.254.44 (172.25.254.44)' can't be established.
ECDSA key fingerprint is 10:0e:58:f6:67:f6:6f:8b:fc:b0:64:79:2e:52:dd:e6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.44' (ECDSA) to the list of known hosts.
root@172.25.254.44's password:
Last login: Thu Jun 1 09:22:33 2017
[root@foundation44 ~]# w
11:24:29 up 2:19, 4 users, load average: 0.15, 0.31, 0.29
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
kiosk :0 :0 09:05 ?xdm? 17:55 0.19s gdm-session-worker [pam/gdm-autol
kiosk pts/2 :0 09:20 37.00s 0.10s 22.45s /usr/libexec/gnome-terminal-serve
kiosk pts/3 :0 09:25 5.00s 0.22s 0.18s ssh root@172.25.254.144
root pts/4 172.25.254.144 11:24 5.00s 0.06s 0.02s w
[root@foundation44 ~]# w -f
11:24:32 up 2:19, 4 users, load average: 0.15, 0.31, 0.29
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
kiosk :0 09:05 ?xdm? 17:56 0.19s gdm-session-worker [pam/gdm-autologin]
kiosk pts/2 09:20 40.00s 0.10s 22.48s /usr/libexec/gnome-terminal-server
kiosk pts/3 09:25 0.00s 0.23s 0.19s ssh root@172.25.254.144
root pts/4 11:24 0.00s 0.05s 0.00s w -f
[root@foundation44 ~]# quit
bash: quit: command not found...
Similar command is: 'quot'
[root@foundation44 ~]# logout
Connection to 172.25.254.44 closed.
[root@localhost ~]# netstat -antlpe | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 23510 1256/sshd
tcp 0 0 172.25.254.144:22 172.25.254.44:47855 ESTABLISHED 0 57905 2502/sshd: root@pts
tcp6 0 0 :::22 :::* LISTEN 0 23512 1256/sshd
---------------------------------------------------------------------------------
##### iptables######
####################
重置虚拟机
配置yum源
添加网卡,使两个网卡不在同一网段
防火墙开启
iptables开启
-t #指定表名称
-n #不做解析
-L #列出指定表中的策略
-A #添加策略
-p #网络协议(注意是小写p;大写-P用于修改链的默认策略)
--dport ##端口
-s ##数据来源
-j #动作
ACCEPT #允许
REJECT ##拒绝
DROP ##丢弃
-N ##增加链
-E ##修改链名称
-X ##删除链
-D ##删除指定策略
-I ##插入
-R ##修改策略
-P ##修改默认策略
iptables -F ##只是刷掉了内存里的,刷掉filter表中所有数据(不加-t默认为filter表)
service iptables save ##保存当前策略
iptables -t filter -nL ##查看filter表中的策略
iptables -A INPUT -i lo -j ACCEPT ##允许lo接口的数据(这几条规则是自上而下逐条匹配的,一旦匹配成功就不再向下匹配)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #允许访问22端口
iptables -A INPUT -s 172.25.254.44 -j ACCEPT #允许172.25.254.44主机访问本机所有端口
iptables -A INPUT -j REJECT ##拒绝其余所有来源的数据
iptables -nL
-------------------------------------------------------------------------
1 vim /etc/yum.repos.d/rhel_dvd.repo
2 yum clean all
3 iptables -nL
6 systemctl start firewalld.service
7 systemctl status firewalld.service
10 systemctl start iptables
11 systemctl status iptables
12 iptables -nL
14 iptables -t filter -nL
16 iptables -nL
18 iptables -A INPUT -i lo -j ACCEPT
19 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
20 iptables -A INPUT -s 172.25.254.44 -j ACCEPT
21 iptables -A INPUT -j REJECT
22 iptables -nL
24 systemctl start httpd
------------------------------------------------------------------------
19 iptables -D INPUT 1 ##删除INPUT链中的第一条策略
21 iptables -N cat ##添加链cat
22 iptables -nL
23 iptables -E cat ccc ##改变链名称
24 iptables -nL
25 iptables -X ccc ##删除ccc链
26 iptables -nL
27 iptables -I INPUT -s 172.25.254.1 -j ACCEPT ##插入策略到INPUT中的第一条
28 iptables -nL
29 iptables -R INPUT 1 -i lo -j ACCEPT ##修改第一条策略
30 iptables -nL
31 iptables -D INPUT 1 ##删除INPUT链中的第一条策略
32 iptables -nL
33 iptables -P INPUT DROP ##把INPUT链的默认策略改为DROP
---------------------------------------------------------------------------------
[root@localhost ~]# iptables -D INPUT 3
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -N cat
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain cat (0 references)
target prot opt source destination
[root@localhost ~]# iptables -E cat ccc
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ccc (0 references)
target prot opt source destination
[root@localhost ~]# iptables -X ccc
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -I INPUT -s 172.25.254.44 -j ACCEPT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.25.254.44 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -R INPUT 1 -s 172.25.254.44 -j ACCEPT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.25.254.44 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
----------------------------------------------------------------------------------
# Stateful INPUT policy: flush the filter table, allow replies to existing
# connections, then open a fixed set of TCP service ports for NEW connections
# and reject everything else.
# NOTE(review): -F only clears rules in memory; the chain's default policy is
# untouched (the listing below still shows "policy ACCEPT"), so if the rules
# are flushed again later the host is left fully open until they are reloaded.
iptables -F
iptables -nL
# Packets belonging to (or related to) an already-tracked connection are
# accepted first so they never fall through to the final REJECT.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections on the loopback interface.
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
# New TCP connections to the listed ports. Only TCP is matched here; this
# rule does not open UDP/53 for DNS.
for port in 22 80 443 53; do
  iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done
# Everything not matched above is rejected (ICMP port-unreachable).
iptables -A INPUT -j REJECT
iptables -nL
----------------------------------------------------------------------------
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
-------------------------------------------------------------------------------
server端:
配置ip为0网段的
desktop端(作为路由器,需开启转发并配置NAT):
# Turn the desktop host into a router: enable IPv4 forwarding and add
# DNAT/SNAT rules in the nat table.
# Show the current forwarding-related kernel settings before changing them.
sysctl -a | grep -- forward
# Persist ip_forward=1. This appends unconditionally, so running it twice
# leaves a duplicate line in /etc/sysctl.conf.
printf '%s\n' 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
sysctl -p
# DNAT every packet arriving on eth1 to 172.25.0.144 — no -p/--dport
# restriction, so all protocols and ports are redirected.
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.144
# SNAT every packet leaving eth1 to 172.25.254.144.
# NOTE(review): the ifconfig output later on this page shows 172.25.254.144
# on eth0 and 172.25.0.44 on eth1 — confirm the interface/address pairing
# before relying on this rule.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.144
-------------------------------------------------------------------------------
[root@localhost ~]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.144
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.144
[root@localhost ~]# ping 172.25.254.44
PING 172.25.254.44 (172.25.254.44) 56(84) bytes of data.
64 bytes from 172.25.254.44: icmp_seq=1 ttl=64 time=0.125 ms
64 bytes from 172.25.254.44: icmp_seq=2 ttl=64 time=0.179 ms
^C
--- 172.25.254.44 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.125/0.152/0.179/0.027 ms
[root@localhost ~]# ping 172.25.0.45
PING 172.25.0.45 (172.25.0.45) 56(84) bytes of data.
^C
--- 172.25.0.45 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1037ms
[root@localhost ~]# ping 172.25.0.45
PING 172.25.0.45 (172.25.0.45) 56(84) bytes of data.
From 172.25.254.144 icmp_seq=1 Destination Host Unreachable
From 172.25.254.144 icmp_seq=2 Destination Host Unreachable
From 172.25.254.144 icmp_seq=3 Destination Host Unreachable
From 172.25.254.144 icmp_seq=4 Destination Host Unreachable
From 172.25.254.144 icmp_seq=5 Destination Host Unreachable
From 172.25.254.144 icmp_seq=6 Destination Host Unreachable
From 172.25.254.144 icmp_seq=7 Destination Host Unreachable
From 172.25.254.144 icmp_seq=8 Destination Host Unreachable
^C^C
--- 172.25.0.45 ping statistics ---
9 packets transmitted, 0 received, +8 errors, 100% packet loss, time 8001ms
pipe 4
[root@localhost ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.144 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:2c0a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:2c:0a txqueuelen 1000 (Ethernet)
RX packets 7413 bytes 5910109 (5.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6325 bytes 425473 (415.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.0.44 netmask 255.255.255.0 broadcast 172.25.0.255
inet6 fe80::5054:ff:fe52:afcd prefixlen 64 scopeid 0x20<link>
ether 52:54:00:52:af:cd txqueuelen 1000 (Ethernet)
RX packets 9213 bytes 394926 (385.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 4313 (4.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 3083 bytes 275604 (269.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3083 bytes 275604 (269.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# w -f
11:23:05 up 2:02, 3 users, load average: 0.02, 0.07, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 09:21 ?xdm? 1:14 0.18s gdm-session-worker [pam/gdm-passw
root pts/0 :0 09:21 1:58m 0.06s 0.06s /bin/bash
root pts/1 172.25.254.44 09:25 1.00s 0.46s 0.39s -bash
[root@localhost ~]# w
11:23:22 up 2:02, 3 users, load average: 0.02, 0.07, 0.06
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
root :0 09:21 ?xdm? 1:14 0.18s gdm-session-worker [pam/gdm-password]
root pts/0 09:21 1:58m 0.06s 0.06s /bin/bash
root pts/1 09:25 2.00s 0.39s 0.39s -bash
[root@localhost ~]# ssh root@172.25.254.44
The authenticity of host '172.25.254.44 (172.25.254.44)' can't be established.
ECDSA key fingerprint is 10:0e:58:f6:67:f6:6f:8b:fc:b0:64:79:2e:52:dd:e6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.44' (ECDSA) to the list of known hosts.
root@172.25.254.44's password:
Last login: Thu Jun 1 09:22:33 2017
[root@foundation44 ~]# w
11:24:29 up 2:19, 4 users, load average: 0.15, 0.31, 0.29
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
kiosk :0 :0 09:05 ?xdm? 17:55 0.19s gdm-session-worker [pam/gdm-autol
kiosk pts/2 :0 09:20 37.00s 0.10s 22.45s /usr/libexec/gnome-terminal-serve
kiosk pts/3 :0 09:25 5.00s 0.22s 0.18s ssh root@172.25.254.144
root pts/4 172.25.254.144 11:24 5.00s 0.06s 0.02s w
[root@foundation44 ~]# w -f
11:24:32 up 2:19, 4 users, load average: 0.15, 0.31, 0.29
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
kiosk :0 09:05 ?xdm? 17:56 0.19s gdm-session-worker [pam/gdm-autologin]
kiosk pts/2 09:20 40.00s 0.10s 22.48s /usr/libexec/gnome-terminal-server
kiosk pts/3 09:25 0.00s 0.23s 0.19s ssh root@172.25.254.144
root pts/4 11:24 0.00s 0.05s 0.00s w -f
[root@foundation44 ~]# quit
bash: quit: command not found...
Similar command is: 'quot'
[root@foundation44 ~]# logout
Connection to 172.25.254.44 closed.
[root@localhost ~]# netstat -antlpe | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 23510 1256/sshd
tcp 0 0 172.25.254.144:22 172.25.254.44:47855 ESTABLISHED 0 57905 2502/sshd: root@pts
tcp6 0 0 :::22 :::* LISTEN 0 23512 1256/sshd
---------------------------------------------------------------------------------