Linux实验:iptables的相关配置
要求:
1.已知node2的主机名称为node2.timinglee.org其ip为192.168.0.200,这台主机中只允许sshd,和nginx两个服务可以被访问
2.已知node1的主机名为node1.timinglee.org,此主机为双网卡主机其IP为172.25.254.200,和192.168.0.100,请在此主机中配置策略可以使node2主机访问外网
node1主机操作
[root@server102 ~]# hostnamectl hostname node1.timinglee.org
[root@server102 ~]# hostname
node1.timinglee.org
#查看网卡的ip信息
[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:33:49:40 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 172.25.254.200/24 brd 172.25.254.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::fa94:b632:5bd6:a146/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:33:49:4a brd ff:ff:ff:ff:ff:ff
altname enp19s0
altname ens224
inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::518f:2870:1a4c:178f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# 安装iptables软件并开启,注意要先关闭firewalld,并锁定
[root@node1 ~]# dnf install iptables-services -y
[root@node1 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@node1 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@node1 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
# 先清空iptables的默认策略
[root@node1 ~]# iptables -F
[root@node1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# 发现内核路由转发功能没有开启,需要手动开启:在/etc/sysctl.conf中写入 net.ipv4.ip_forward = 1,再执行 sysctl -p 使其生效
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@node1 ~]# vim /etc/sysctl.conf
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
# 配置iptables的SNAT策略:把从eth0出去的数据包源地址改为172.25.254.200。注意这条规则没有限制源地址(可加 -s 192.168.0.0/24 只对内网生效),且FORWARD链策略为ACCEPT、没有任何过滤规则,node1会转发所有经过它的流量
[root@node1 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.200
[root@node1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.200
# 永久保存策略
[root@node1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
node2主机操作
[root@server102 ~]# hostnamectl hostname node2.timinglee.org
[root@server102 ~]# hostname
node2.timinglee.org
#查看网卡的ip信息
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:8c:36:ce brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::fecd:4c84:736e:eae/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# 安装iptables软件并开启,注意要先关闭firewalld,并锁定
[root@node2 ~]# dnf install iptables-services -y
# 开启iptables服务,并关闭firewalld服务且锁定
[root@node2 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@node2 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@node2 ~]# systemctl enable --now iptables.service
# 先清空iptables的默认策略
[root@node2 ~]# iptables -F
[root@node2 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# 再向filter表中添加策略:规则按顺序匹配,最后一条REJECT起默认拒绝的作用;INPUT链本身的策略仍是ACCEPT,所以一旦执行 iptables -F 清空规则就会全部放行
# 注意 iptables -nL 不显示入接口,第二条规则的 -i lo 限制要用 iptables -nvL 才能看到
[root@node2 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@node2 ~]# iptables -A INPUT -j REJECT
[root@node2 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# 永久保存策略
[root@node2 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
# 测试node2主机是否只开放22端口和80端口,使用ftp服务测试,ftp服务使用的是21端口,测试结果应该是被拒绝
[root@node2 ~]# dnf install vsftpd-3.0.3-49.el9.x86_64 lftp -y
[root@node2 ~]# systemctl enable --now vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
[root@node2 ~]# lftp 192.168.0.200
# 登录失败,测试成功——但需注意:530 Login incorrect 是FTP服务本身的认证失败,说明到21端口的TCP连接其实已经建立。这里是在node2本机访问自己的地址,流量经lo接口,匹配了 -i lo 的ACCEPT规则;要验证21端口被防火墙拒绝,应从node1等其他主机执行 lftp 192.168.0.200,预期看到的是连接被拒绝而不是认证失败
lftp 192.168.0.200:~> ls
`ls' at 0 [530 Login incorrect.]
# 让node2主机可以访问外网的配置
# 修改node2的网关以及dns
[root@node2 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection
[ipv4]
address1=192.168.0.200/24,192.168.0.100
dns=114.114.114.114;
method=manual
# 重启网卡配置文件
[root@node2 ~]# nmcli connection reload
[root@node2 ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
# 查看是否修改成功
[root@node2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search timinglee.org
nameserver 114.114.114.114
[root@node2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# 测试看是否可以访问外网,测试成功
[root@node2 ~]# ping www.baidu.com
PING www.a.shifen.com (110.242.68.3) 56(84) bytes of data.
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=1 ttl=127 time=54.3 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=2 ttl=127 time=65.6 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=3 ttl=127 time=49.2 ms
^C64 bytes from 110.242.68.3: icmp_seq=4 ttl=127 time=99.9 ms
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 30198ms
rtt min/avg/max/mdev = 49.160/67.248/99.925/19.780 ms