1. Lab requirements
Add a rule: block SSH connections from all IPs
Block all IPs from reaching port 80 on the web server
Delete a rule: remove the rule that blocks SSH connections from all IPs
Add a rule: block SSH connections from another machine (the IP of the secondary DNS server from the earlier lab)
2. Environment setup
Install iptables:
[root@manage ~]# yum install iptables
Stop the firewalld service:
[root@manage ~]# systemctl stop firewalld
Note: iptables and firewalld must not be running at the same time.
Flush all rules:
[root@manage ~]# iptables -F # after flushing, clients can reach the ssh and http services again
The iptables command matches traffic on its source address, destination address, transport protocol, service type and so on; once a packet matches a rule, iptables handles it with the action that rule specifies.
3. Running the lab
3.1 Block all IPs from reaching port 80 on the web server
[root@manage ~]# iptables -I INPUT -p tcp --dport 80 -j REJECT
Without the -t option, the filter table is used by default.
-I: insert, i.e. insert a rule at any position in a chain
-I chain rulenum: insert the rule before the rule with this number in the given chain
-I chain rule-specification: insert the rule described by rule-specification into the given chain (at the top when no number is given)
Chain names: INPUT, PREROUTING, FORWARD, OUTPUT, POSTROUTING
-p: protocol
--dport: destination port
-j: jump, i.e. the action to take: ACCEPT, REJECT, DROP
ACCEPT: accept, i.e. let the packet through
REJECT: reject, i.e. refuse the packet and send an error back to the sender
DROP: drop, i.e. discard the packet silently
Access to port 80 is now rejected.
3.2 Block SSH connections from all IPs
[root@manage ~]# iptables -I INPUT -p tcp --dport 22 -j REJECT
Once SSH is rejected, the Xshell session to the VM is dropped:
[root@manage ~]# iptables -I INPUT -p tcp --dport 22 -j REJE
[root@manage ~]#
Socket error Event: 32 Error: 10053.
Connection closing...Socket close.
Connection closed by foreign host.
Disconnected from remote host(192.168.153.133:22) at 16:20:25.
Type `help' to learn how to use Xshell prompt.
[C:\~]$
Verify from another VM:
[root@node1 ~]# ssh root@192.168.153.133
ssh: connect to host 192.168.153.133 port 22: Connection refused
[root@node1 ~]#
The connection is refused.
3.3 Delete the rule that blocks SSH connections from all IPs
Port 22 is currently blocked:
[root@manage ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
35 3312 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
60 3120 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Delete the first rule:
[root@manage ~]# iptables -D INPUT 1
The rule blocking SSH on port 22 is gone:
[root@manage ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
60 3120 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Try logging in again:
[C:\~]$ ssh 192.168.153.133
Connecting to 192.168.153.133:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Wed Nov 2 04:32:59 2022
Session lifetime based on X11 requested, but X11 initialization failed.
[root@manage ~]#
# Login succeeded
While we are at it, delete the rule blocking port 80 as well:
[root@manage ~]# iptables -D INPUT 1
[root@manage ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_INP (0 references)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_OUT (0 references)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_FWO (0 references)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_FWI (0 references)
pkts bytes target prot opt in out source destination
Chain LIBVIRT_FWX (0 references)
pkts bytes target prot opt in out source destination
3.4 Add a rule: block SSH connections from another machine (the IP of the secondary DNS server from the earlier lab)
[root@manage ~]# iptables -I INPUT -p tcp -s 192.168.153.132 --dport 22 -j REJECT
[root@manage ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 192.168.153.132 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
Connect over SSH from the other machine (the secondary DNS server's IP):
[root@node1 ~]# ssh root@192.168.153.133
ssh: connect to host 192.168.153.133 port 22: Connection refused
The SSH connection fails.
Now delete the blocking rule and try logging in again:
[root@manage ~]# iptables -D INPUT 1 # on the primary server
[root@node1 ~]# ssh root@192.168.153.133
The authenticity of host '192.168.153.133 (192.168.153.133)' can't be established.
ECDSA key fingerprint is SHA256:UaVXNypzvh/2gu62geEItuFt0x+zMa0VAjDEtSrH+Vk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.153.133' (ECDSA) to the list of known hosts.
root@192.168.153.133's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Wed Nov 2 04:40:26 2022 from 192.168.153.1
[root@manage ~]# # logged in to the primary server from the secondary server
Login succeeds.
End of lab
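Added example, not part of the original lab: a small POSIX shell helper that applies the rules from sections 3.2 and 3.4 idempotently (so running it twice never stacks a duplicate rule, as a repeated -I would) and avoids the lockout from section 3.2 by allowing the admin host before rejecting everyone else. The function names are mine; it assumes the admin host is the Xshell client 192.168.153.1 seen in the "Last login ... from" line, and DRY_RUN=1 makes it print the commands instead of executing them.

```shell
#!/bin/sh
# Helper for the rules in this lab. Set DRY_RUN=1 to print the iptables
# commands instead of running them (no root needed). ADMIN_HOST is assumed
# to be the Xshell client, 192.168.153.1 (the "Last login ... from" address).
ADMIN_HOST="${ADMIN_HOST:-192.168.153.1}"

run_iptables() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        # dry run: -C reports "rule not present" so every rule gets printed
        [ "$1" = "-C" ] && return 1
        echo "iptables $*"
        return 0
    fi
    iptables "$@"
}

# ensure_rule -I|-A CHAIN RULE...: add the rule only if -C finds no exact
# match, so re-running never stacks duplicates the way repeated -I does.
ensure_rule() {
    how="$1"; chain="$2"; shift 2
    if ! run_iptables -C "$chain" "$@" 2>/dev/null; then
        run_iptables "$how" "$chain" "$@"
    fi
}

# remove_rule CHAIN RULE...: delete by specification, not by number, because
# rule numbers shift whenever a rule above them is inserted or deleted.
remove_rule() {
    chain="$1"; shift
    run_iptables -D "$chain" "$@" 2>/dev/null || true
}

# Section 3.4: reject SSH from one source host.
reject_ssh_from() { ensure_rule -I INPUT -p tcp -s "$1" --dport 22 -j REJECT; }

# Section 3.2 without the lockout: put an ACCEPT for the admin host at the top
# of INPUT first, then append the catch-all REJECT below it.
reject_ssh_except_admin() {
    ensure_rule -I INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    ensure_rule -A INPUT -p tcp --dport 22 -j REJECT
}

# Undo in the opposite order: remove the REJECT before the ACCEPT so there is
# never a moment when only the REJECT is in place.
allow_ssh_again() {
    remove_rule INPUT -p tcp --dport 22 -j REJECT
    remove_rule INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
}
```

Source the file and call, for example, `reject_ssh_from 192.168.153.132`; with DRY_RUN=1 it only prints the commands it would run, which is a cheap way to review the rule order before touching a remote box.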