1. Building the test environment
All three hosts use host-only networking, with DHCP disabled on the corresponding virtual network so the addresses below are the only ones in play.
- Client (192.168.30.100)
# temporary configuration (lost on reboot)
ip a a 192.168.30.100/24 dev ens33
ip route add default via 192.168.30.1 dev ens33
# persistent configuration, written to a NetworkManager connection profile
nmcli conn add con-name default type ethernet autoconnect yes ip4 192.168.30.100/24 gw4 192.168.30.1 ifname ens33
- Network firewall (192.168.30.1 on ens33 and 10.0.0.1 on ens37); it is the default gateway for both other hosts, so every client-to-server packet passes through its FORWARD chain
ip a a 192.168.30.1/24 dev ens33
ip a a 10.0.0.1/8 dev ens37
# persistent configuration
nmcli conn add con-name eth0 type ethernet autoconnect yes ip4 192.168.30.1/24 ifname ens33
nmcli conn add con-name eth1 type ethernet autoconnect yes ip4 10.0.0.1/8 ifname ens37
# enable IP forwarding; without it the kernel drops transit packets before the FORWARD chain is consulted
# temporary (the file lives under /proc, not /etc)
echo 1 > /proc/sys/net/ipv4/ip_forward
# or, persistently
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
- Server (10.0.0.100)
ip a a 10.0.0.100/8 dev ens33
ip route add default via 10.0.0.1 dev ens33
# persistent configuration
nmcli conn add con-name default type ethernet autoconnect yes ip4 10.0.0.100/8 gw4 10.0.0.1 ifname ens33
2. Configuring the firewall
- First make sure the system's default firewall service (firewalld on CentOS 7) is stopped, so that only the rules added here are loaded. With no rules and all policies ACCEPT, the listing looks like this (firewalld would show dozens of its own chains):
iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 209 packets, 18373 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 26 packets, 2184 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 49 packets, 8409 bytes)
pkts bytes target prot opt in out source destination
- Start by rejecting all forwarding, then test from the client: nothing on the server side should be reachable any more. This is the baseline every later rule is checked against.
iptables -A FORWARD -j REJECT
- Open the DNS ports (TCP and UDP 53) and allow return traffic for existing sessions. Since -I without a position inserts at the top of the chain, the state rule added last ends up at position 1, ahead of the REJECT that was appended above; that ordering is what makes the replies of every later service come back:
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- Open the Samba ports, inserted at position 2 (directly under the state rule). Note that SMB itself only uses TCP 139 and 445; the UDP side of NetBIOS is name service and datagram service on 137 and 138, so the second rule as written never matches any Samba traffic:
iptables -I FORWARD 2 -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -I FORWARD 2 -p udp -m multiport --dports 139,445 -j ACCEPT
- Open the FTP control port. The data connections (passive or active) use ports negotiated inside the control session, so they are only matched by the ESTABLISHED,RELATED rule when the FTP connection-tracking helper is loaded on the firewall and can read the PORT/PASV exchange:
iptables -I FORWARD 2 -p tcp --dport 21 -j ACCEPT
# on CentOS 7 the nf_conntrack_ftp module has to be loaded on the firewall host
modprobe nf_conntrack_ftp
# the module ships with the kernel package, not with vsftpd; locate shows where it lives, and the .ko.xz under /usr/lib/modules is what modprobe loads, so nothing needs to be copied from the server
locate nf_conntrack_ftp
/usr/include/linux/netfilter/nf_conntrack_ftp.h
/usr/lib/modules/3.10.0-957.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
/usr/src/kernels/3.10.0-957.el7.x86_64/include/linux/netfilter/nf_conntrack_ftp.h
/usr/src/kernels/3.10.0-957.el7.x86_64/include/uapi/linux/netfilter/nf_conntrack_ftp.h
# modprobe is not persistent; list the module in /etc/modules-load.d/ so it is loaded again after a reboot. On the 3.10 kernel the helper attaches to port-21 flows automatically; on kernels 4.7 and newer automatic helper assignment is off by default and the helper must be assigned explicitly with the CT target in the raw table.
- Open the httpd, ssh and telnet ports:
iptables -I FORWARD 2 -p tcp -m multiport --dports 22,23,80 -j ACCEPT
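The steps above build the chain one -I/-A at a time, and the position numbers are easy to get wrong (a rule inserted at position 1 silently lands above the state rule). The script below is an added example, not code from the original post: it generates the same ruleset as one iptables-restore file, which is loaded atomically, and checks the ordering before loading. It assumes the interface names and subnets of the lab above (ens33 = client side 192.168.30.0/24, ens37 = server side 10.0.0.0/8), restricts new sessions to the client-to-server direction (the post's rules match 0.0.0.0/0 on any interface, so the server side could open ssh or telnet back to the client), sets the FORWARD policy to DROP as a fail-safe instead of leaving it ACCEPT, and replaces the post's udp 139/445 with the NetBIOS UDP ports 137/138 that Samba actually uses. The variable and function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): emit the lab firewall's FORWARD
# rules in iptables-restore format and load them in one atomic step.
# Assumptions (mine): ens33 faces the client LAN, ens37 the server side,
# FORWARD policy DROP as a fail-safe, NetBIOS UDP 137/138 instead of 139/445.
set -eu

LAN_IF=${LAN_IF:-ens33}               # client side
DMZ_IF=${DMZ_IF:-ens37}               # server side
LAN_NET=${LAN_NET:-192.168.30.0/24}

# Ports the post opens, merged into one multiport match per protocol.
TCP_PORTS="21,22,23,53,80,139,445"    # ftp-control, ssh, telnet, dns, http, smb
UDP_PORTS="53,137,138"                # dns, netbios-ns, netbios-dgm

gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. replies for sessions already accepted, plus FTP data connections that
#    nf_conntrack_ftp has marked RELATED to their port-21 control session
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. packets conntrack cannot attribute to any session (stray ACKs, bad seq)
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# 3. new sessions only from the client LAN towards the server side; nothing
#    the server side initiates matches here, so it cannot connect back
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -p tcp -m multiport --dports $TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -p udp -m multiport --dports $UDP_PORTS -m conntrack --ctstate NEW -j ACCEPT
# 4. everything else, with the same ICMP reject the post uses
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Only the rule lines, in chain order.
rule_lines() { gen_rules | grep '^-A FORWARD'; }

# Ordering check to run before loading: the stateful ACCEPT must be first and
# the catch-all REJECT last, otherwise every reply and all FTP data is rejected.
check_order() {
    first=$(rule_lines | head -n 1)
    last=$(rule_lines | tail -n 1)
    case $first in *"ESTABLISHED,RELATED"*) ;; *) echo "stateful rule is not first" >&2; return 1 ;; esac
    case $last  in *"-j REJECT"*)          ;; *) echo "catch-all REJECT is not last" >&2; return 1 ;; esac
    echo ok
}

# Apply on the firewall host (needs root). The helper module must be loaded
# before FTP data connections can be classified as RELATED; the modules-load.d
# entry brings it back after a reboot.
apply_rules() {
    modprobe nf_conntrack_ftp
    echo nf_conntrack_ftp > /etc/modules-load.d/nf_conntrack_ftp.conf
    check_order >/dev/null
    gen_rules | iptables-restore --test     # parse only, commit nothing
    gen_rules | iptables-restore            # replace the filter table atomically
    iptables -vnL FORWARD --line-numbers
}

# On the firewall, uncomment to load: apply_rules
```

Run `gen_rules` on any machine to see the file that would be loaded, and `apply_rules` as root on the firewall. Because iptables-restore replaces the whole filter table, the result is the same whether it is run once or ten times, and a typo causes the load to fail as a whole rather than leave a half-built chain that falls open.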
3. The final firewall rules
After the individual TCP rules have been merged into one multiport rule (21:23 is the port range 21 to 23), the chain looks like this:
iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 17 packets, 1544 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 55 4198 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21:23,80,139,445
3 2 116 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 11 packets, 2920 bytes)
num pkts bytes target prot opt in out source destination
Two things to notice in this listing. The tcp/53 rule from step 2 is no longer present, so DNS over TCP (large responses, zone transfers) would now hit the REJECT at the bottom. And the FORWARD policy is still ACCEPT, so the REJECT rule is the only thing closing the firewall: if the chain is ever flushed, everything is forwarded. These rules also exist only in the running kernel; to survive a reboot, install iptables-services and run service iptables save (which writes /etc/sysconfig/iptables), or dump them with iptables-save and reload them at boot.