iptables is not itself the firewall. It is better thought of as a client-side front end: the rules you type into iptables are handed to a "security framework", and that framework, called netfilter, is the real firewall.
netfilter is the actual packet-filtering framework and lives in kernel space. iptables is a user-space command-line tool that configures it.
The requirement here is to block access to the BMC device from the virtual IP subnet (the interface is the alias eth1:1); that subnet is currently known to be 5.5.66.xx, and access on every port is to be blocked.
1. Install the iptables package
sudo apt-get install iptables
2. Running iptables -L produced the following error:
root@vclustersBMC:~# iptables -L
iptables v1.4.21: can't initialize iptables table `filter': No chain/target/match by that name
Perhaps iptables or your kernel needs to be upgraded.
Cause: the kernel was built without the netfilter pieces that back the filter table, so the table cannot be initialised. Before rebuilding, check whether the support merely exists as modules that are not loaded (modprobe ip_tables and iptable_filter; the tables currently registered are listed in /proc/net/ip_tables_names).
Fix: if the modules are not there, enable the corresponding netfilter options when compiling the kernel (the exact entries depend on your kernel version and must be verified against it), then install the new kernel. Note that the filter table itself is provided by the "Packet filtering" entry (CONFIG_IP_NF_FILTER) under "IP tables support"; enabling "IP tables support" alone is not enough to make iptables -L work.
The steps are essentially:
1. make menuconfig
2. Enable the entries below (the ebtables entries cover bridged Ethernet frames and are not needed for the iptables filter table; they are listed because they were enabled on this build):
-*- Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <*> Netfilter NFACCT over NFNETLINK interface
                <*> Netfilter NFQUEUE over NFNETLINK interface
                <*> Netfilter LOG over NFNETLINK interface
                <*> Netfilter connection tracking support
                <*> nfmark target and match support
                <*> Netfilter Xtables support (required for ip_tables)
            <*> Ethernet Bridge tables (ebtables) support --->
                --- Ethernet Bridge tables (ebtables) support
                <*> ebt: broute table support
                <*> ebt: filter table support
                <*> ebt: nat table support
                <*> ebt: 802.3 filter support
                <*> ebt: among filter support
                <*> ebt: ARP filter support
                <*> ebt: IP filter support
                <*> ebt: IP6 filter support
                <*> ebt: limit match support
                <*> ebt: mark filter support
                <*> ebt: packet type filter support
                <*> ebt: STP filter support
                <*> ebt: 802.1Q VLAN filter support
                <*> ebt: arp reply target support
                <*> ebt: dnat target support
                <*> ebt: mark target support
                <*> ebt: redirect target support
                <*> ebt: snat target support
                <*> ebt: log support
                <*> ebt: nflog support
            IP: Netfilter Configuration --->
                <*> IP tables support (required for filtering/masq/NAT)
                    <*> raw table support (required for NOTRACK/TRACE)
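As an added check (example script, not part of the original post): before rebuilding the kernel, confirm on the running system whether the support is only missing as loaded modules, and otherwise find out which of the Kconfig options the filter table depends on are absent from the kernel config. The option names are the real Kconfig symbols behind the menu entries above; the sample .config fragment embedded in the script is constructed for the demonstration, and the live mode assumes the config is readable at /proc/config.gz or /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example, not from the original post: find out whether a kernel config
# lacks the options iptables' filter table needs before rebuilding anything.

# Kconfig symbols behind the relevant menu entries. CONFIG_IP_NF_FILTER is the
# "Packet filtering" entry under "IP tables support" and builds iptable_filter,
# the module that registers the `filter' table; without it iptables fails with
# "can't initialize iptables table `filter'" even when IP tables support is on.
REQUIRED_OPTIONS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# Read a kernel .config on stdin; print every required option that is neither
# built in (=y) nor a module (=m). Returns 1 if anything is missing, else 0.
missing_netfilter_options() {
    config=$(cat)
    status=0
    for opt in $REQUIRED_OPTIONS; do
        if ! printf '%s\n' "$config" | grep -q "^$opt=[ym]\$"; then
            echo "$opt"
            status=1
        fi
    done
    return $status
}

# On the live system: the support may exist as modules that are simply not
# loaded, in which case no rebuild is needed. Loading them registers the table
# in /proc/net/ip_tables_names. Only if that fails is the config examined.
check_running_kernel() {
    modprobe ip_tables 2>/dev/null || true
    modprobe iptable_filter 2>/dev/null || true
    if grep -qx filter /proc/net/ip_tables_names 2>/dev/null; then
        echo "filter table is registered: no kernel rebuild needed"
        return 0
    fi
    echo "filter table not registered; options missing from the kernel config:" >&2
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | missing_netfilter_options
    elif [ -r "/boot/config-$(uname -r)" ]; then
        missing_netfilter_options < "/boot/config-$(uname -r)"
    else
        echo "no kernel config found; compare REQUIRED_OPTIONS against make menuconfig by hand" >&2
        return 1
    fi
}

# Constructed .config fragment for the dry run. It mirrors the error above:
# IP tables support is on, but the filter table itself is not built.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_FILTER is not set'

case "${1:-demo}" in
    live) check_running_kernel ;;
    *)    printf '%s\n' "$SAMPLE_CONFIG" | missing_netfilter_options \
              || echo "-> enable the options above in make menuconfig and rebuild" ;;
esac
```

Run it without arguments for the dry run against the embedded sample (it reports CONFIG_IP_NF_FILTER), or as root with the argument live on the BMC to test the real kernel first and only then look at its config.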
3. The BMC's virtual IP is normally configured on the alias eth1:1.
So the approach is to first work out the subnet of that virtual IP and then add a rule denying that subnet access to the BMC. This can be done with a shell script that runs automatically at boot, which is also necessary because iptables rules do not survive a reboot on their own.
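As an added example (not the original post's boot script): a POSIX sh script that reads the address and netmask of eth1:1 from ifconfig, derives the subnet in CIDR form, and blocks the whole subnet on INPUT with a single rule, which covers every port and protocol rather than a list of TCP ports. The interface name (eth1:1, overridable through IFACE), the ifconfig output parsing, and the embedded sample ifconfig text are assumptions made for this example; iptables -C (check whether a rule exists) needs iptables 1.4.11 or later, which the v1.4.21 on this device satisfies.

```shell
#!/bin/sh
# Added example, not from the original post: block the subnet of the BMC's
# virtual interface with one iptables rule. Safe to run at every boot.

IFACE="${IFACE:-eth1:1}"   # assumed alias name, override with IFACE=... if needed

# Print "ip netmask" from `ifconfig <iface>` output read on stdin. Handles the
# old net-tools layout ("inet addr:A.B.C.D ... Mask:M") and the newer one
# ("inet A.B.C.D netmask M"); IPv6 lines are ignored.
ifconfig_ip_mask() {
    awk '
        /inet addr:/ { ip = $2; sub("addr:", "", ip)
                       for (i = 1; i <= NF; i++) if ($i ~ /^Mask:/) { sub("Mask:", "", $i); print ip, $i; exit } }
        $1 == "inet" { for (i = 1; i <= NF; i++) if ($i == "netmask") { print $2, $(i+1); exit } }
    '
}

# Dotted quad -> integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Prefix length of a netmask (assumes a contiguous mask): 255.255.255.0 -> 24.
mask_to_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    n=0
    for octet in "$1" "$2" "$3" "$4"; do
        while [ "$octet" -ne 0 ]; do n=$(( n + (octet & 1) )); octet=$(( octet >> 1 )); done
    done
    echo "$n"
}

# Network in CIDR form for an address and netmask: 5.5.66.37 255.255.255.0 -> 5.5.66.0/24
subnet_of() {
    net=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
    echo "$(int_to_ip "$net")/$(mask_to_prefix "$2")"
}

# Subnet for ifconfig text on stdin; fails if no IPv4 address is present.
subnet_from_ifconfig() {
    set -- $(ifconfig_ip_mask)
    [ $# -eq 2 ] || { echo "no IPv4 address found on $IFACE" >&2; return 1; }
    subnet_of "$1" "$2"
}

# The single rule, as the argument list handed to iptables: everything from the
# subnet is dropped, all ports and all protocols, not just the TCP listeners.
rule_for() { echo "INPUT -s $1 -j DROP"; }

# Insert the rule unless an identical one is already in the chain, so running
# this from a boot script (or by hand) never stacks duplicates.
apply_block() {
    if iptables -C $(rule_for "$1") 2>/dev/null; then
        echo "rule already present for $1"
    else
        iptables -I $(rule_for "$1") && echo "dropping all traffic from $1 on INPUT"
    fi
}

# Constructed ifconfig output (old net-tools layout) used for the dry run.
SAMPLE_IFCONFIG='eth1:1    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:5.5.66.37  Bcast:5.5.66.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

case "${1:-dry-run}" in
    apply) net=$(ifconfig "$IFACE" | subnet_from_ifconfig) && apply_block "$net" ;;
    *)     net=$(printf '%s\n' "$SAMPLE_IFCONFIG" | subnet_from_ifconfig)
           echo "would run: iptables -I $(rule_for "$net")" ;;
esac
```

Run it as root with the argument apply from a boot hook (rc.local or a service unit) so the rule is recreated after every reboot; without an argument it does a dry run against the embedded sample and prints the rule it would add (iptables -I INPUT -s 5.5.66.0/24 -j DROP).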
4. Some verification
root@vclustersBMC:~# netstat -lntp   # list the listening TCP ports
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2476/rpcbind
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 2702/python
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2640/nginx
tcp 0 0 0.0.0.0:54321 0.0.0.0:* LISTEN 2693/socat
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2593/sshd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 2586/xinetd
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 2640/nginx
tcp 0 0 0.0.0.0:8800 0.0.0.0:* LISTEN 2742/python
tcp 0 0 0.0.0.0:50628 0.0.0.0:* LISTEN 2521/rpc.statd
tcp6 0 0 :::111 :::* LISTEN 2476/rpcbind
tcp6 0 0 :::48341 :::* LISTEN 2521/rpc.statd
tcp6 0 0 :::22 :::* LISTEN 2593/sshd
Block the 192.168.32.0/24 subnet from reaching the ports above, one rule per TCP port. Two caveats: the last two ports, 43969 and 43907, do not match the rpc.statd ports in the netstat listing, because rpc.statd picks its ports at random each time it starts, so a per-port list goes stale; and netstat -lntp shows TCP only, so UDP services such as rpcbind on 111/udp stay reachable. A single rule for the whole subnet (iptables -I INPUT -s 192.168.32.0/24 -j DROP) avoids both problems.
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 111 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 8080 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 80 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 54321 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 22 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 23 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 8888 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 8800 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 43969 -j DROP
iptables -I INPUT -s 192.168.32.0/24 -p tcp --dport 43907 -j DROP
root@vclustersBMC:~# iptables -L -n   # check the result
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:43907
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:43969
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:8800
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:8888
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:23
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:54321
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:80
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:8080
DROP tcp -- 192.168.32.0/24 0.0.0.0/0 tcp dpt:111
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
After this, hosts on the 192.168.11.xx subnet can still reach the BMC while hosts on the 192.168.32.xx subnet cannot. Verification:
C:\Users\Administrator>curl 192.168.11.252   # from a host on the 192.168.11.xx subnet (via adb): reachable
<!DOCTYPE html><html><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge,chrome=1"><meta name=renderer content=webkit><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>瑞驰安卓云BMC管理平台</title><link rel="shortcut icon" href=./favicon.ico><link href=./statics/css/app.eef63f7ed93a1120348bc674ec20c3e4.css rel=stylesheet></head><body><div id=app></div><script type=text/javascript src=./statics/js/manifest.384d899ab88bcd62bd7f.js></script><script type=text/javascript src=./statics/js/vendor.9f20ca3945be15b2c109.js></script><script type=text/javascript src=./statics/js/app.4afb5192aaa53cae6c66.js></script></body></html>
root@driver:~# curl 192.168.11.252   # from a host on the 192.168.32.xx subnet: not reachable
curl: (7) Failed to connect to 192.168.11.252 port 80: Connection timed out
root@vclustersBMC:~# sudo iptables -F   # flush every rule in the default filter table (other tables are untouched)
root@vclustersBMC:~# sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Deleting a rule
Every rule in a chain has a number. iptables -nL --line-numbers shows the rules together with their numbers.
iptables -D INPUT 2   # delete INPUT rule number 2
Rules are renumbered after each deletion, so when removing several rules delete the highest number first, or give -D the same rule specification that was used to add the rule instead of a number.