网络防火墙
查看是否已经开启转发功能
0-未开启
1-已开启
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
查看转发链的规则
iptables -nvL
iptables -t filter -nvL FORWARD
[root@localhost ~]# iptables -t filter -I FORWARD -j ACCEPT
[root@localhost ~]# iptables -t filter -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
动作
基础动作
ACCEPT
DROP
扩展动作
REJECT --reject-with
--reject-with 后面跟拒绝类型参数（未指定时默认为 icmp-port-unreachable，见下方输出中的 reject-with 字段）
[root@localhost ~]# iptables -t filter -I INPUT -s 10.39.0.4 -j REJECT
[root@localhost ~]# iptables -t filter -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 10.39.0.4 0.0.0.0/0 reject-with icmp-port-unreachable
135 9596 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 10.39.0.4 0.0.0.0/0 reject-with icmp-port-unreachable
156 11112 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
LOG
LOG 动作主要用于记录匹配报文的相关属性；报文被记录后会继续匹配后面的规则，LOG 本身不决定报文是否通过
[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7 488 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 4
0 0 REJECT all -- * * 10.39.0.4 0.0.0.0/0 reject-with icmp-port-unreachable
256 18024 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
把报文的日志信息重定向到指定文件
vi /etc/rsyslog.conf
kern.warning /var/log/iptables.log
service rsyslog restart
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "demo-test-from-in-22"
[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 43 packets, 5191 bytes)
pkts bytes target prot opt in out source destination
1 64 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW LOG flags 0 level 4 prefix "demo-test-from-in-22"
这样就可以在该日志文件中查看 iptables 记录的报文信息了。注意 --log-prefix 的末尾最好加一个空格，否则前缀会与后面的 IN= 字段连在一起（见下面日志中的 "demo-test-from-in-22IN=enp0s8"）
登录
➜ github.com ssh root@192.168.1.61
root@192.168.1.61's password:
Last login: Sat Jun 2 13:59:36 2018 from 192.168.1.31
[root@localhost ~]#
cat /var/log/iptables.log | less
...
2018-06-02T18:22:14.422300+08:00 localhost kernel: demo-test-from-in-22IN=enp0s8 OUT= MAC=08:00:27:de:2d:c7:18:65:90:d4:3a:e7:08:00 SRC=192.168.1.31 DST=192.168.1.61 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=38288 DF PROTO=TCP SPT=59102 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
SNAT——源地址转换（修改报文的源地址）
DNAT——目标地址转换（修改报文的目标地址）
MASQUERADE——地址伪装
REDIRECT——重定向