Filtering and forwarding control with the filter table


Problem

This lab requires familiarity with filtering and forwarding control in the filter table, practising the following:
Using the ip_forward mechanism to make Linux act as a router/gateway
Controlling inbound and outbound traffic on a Linux host
Controlling forwarded packets on a Linux gateway

Approach

Three RHEL6 virtual machines are used, svr5, gw1 and pc120, as shown in Figure 2. svr5 is the test host on the local network and is attached to the NAT network (virbr0); pc120 is the test host standing in for the Internet and is attached to the isolated network (virbr1); gw1 acts as the gateway/router and has two NICs, eth0 and eth1, attached to virbr0 and virbr1 respectively. (In the captured output below the prompt on the external test host reads pc205; it is the same machine the text calls pc120, at 174.16.16.120.)
From the administrator's point of view, clients on the LAN should point their default gateway at the address of the company's Internet-facing router, here the Linux gateway, whereas the default gateways of hosts out on the Internet are not under our control. So, besides configuring the interface addresses described above, the internal test host svr5 also needs its default gateway pointed at the Linux gateway's internal interface, 192.168.4.1:

[root@svr5 ~]# route -n | grep UG
0.0.0.0         192.168.4.1     0.0.0.0         UG    0      0        0 eth0

Steps

Carry out the following steps to implement this lab.
Step 1: Prepare the routing environment
This lab uses two subnets, 192.168.4.0/24 and 174.16.16.0/24. (Note that 174.16.16.0/24 is not an RFC 1918 private range, unlike 172.16.0.0/12; it is fine on an isolated lab network, but do not reuse it on anything that can reach the Internet.) For the Linux gateway to act as a router and let the two subnets reach each other, two routing problems must be solved first:
Clients on 192.168.4.0/24 need a route to 174.16.16.0/24
Clients on 174.16.16.0/24 need a route to 192.168.4.0/24
The internal test host svr5 already has its default gateway set, which solves the first problem; for the second, it is enough to give the external test host pc120 a default gateway too (or a specific static route):

[root@pc205 ~]# route add default gw 174.16.16.1
[root@pc205 ~]# route -n | grep UG
0.0.0.0         174.16.16.1     0.0.0.0         UG    0      0        0 eth0

Step 2: Use the ip_forward mechanism to make Linux act as a router/gateway
1) Before routing is enabled, the internal and external networks cannot reach each other
Pinging host pc120 from host svr5 shows 100% packet loss:

[root@svr5 ~]# ping -c4 -W2 174.16.16.120
PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.

--- 174.16.16.120 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 5002ms

[root@svr5 ~]# 

Pinging host svr5 from host pc120 also shows 100% packet loss:

[root@pc205 ~]# ping -c4 -W2 192.168.4.5
PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.

--- 192.168.4.5 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 5002ms

[root@pc205 ~]#

2) Enable packet forwarding on the Linux gateway
sysctl changes the running kernel's ip_forward parameter directly:

[root@gw1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0                                 // disabled by default

[root@gw1 ~]# sysctl -w net.ipv4.ip_forward=1           // enable forwarding
net.ipv4.ip_forward = 1

A value set with sysctl -w is lost at reboot. To make it permanent, edit /etc/sysctl.conf on gw1 (the gateway is the only host that needs forwarding enabled; the other two must stay ordinary hosts):

[root@gw1 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1                                 // find this line and change its value to 1

[root@gw1 ~]# sysctl -p                                 // reload the configuration
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Leave rp_filter = 1 in place: on a router it drops packets whose source address would not be routed back out through the interface they arrived on, which is a cheap anti-spoofing check that costs nothing in this topology.

3) After routing is enabled, the two networks can reach each other
Pinging host pc120 from host svr5 now gets replies. Note ttl=63 rather than 64: the replies crossed exactly one router, gw1, which decremented the TTL once:

[root@svr5 ~]# ping -c4 -W2 174.16.16.120
PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.
64 bytes from 174.16.16.120: icmp_seq=1 ttl=63 time=1.60 ms
64 bytes from 174.16.16.120: icmp_seq=2 ttl=63 time=0.608 ms
64 bytes from 174.16.16.120: icmp_seq=3 ttl=63 time=0.587 ms
64 bytes from 174.16.16.120: icmp_seq=4 ttl=63 time=1.10 ms

--- 174.16.16.120 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.587/0.975/1.606/0.419 ms
[root@svr5 ~]#

Pinging host svr5 from host pc120 also gets replies:

[root@pc205 ~]# ping -c4 -W2 192.168.4.5
PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.
64 bytes from 192.168.4.5: icmp_seq=1 ttl=63 time=0.802 ms
64 bytes from 192.168.4.5: icmp_seq=2 ttl=63 time=0.867 ms
64 bytes from 192.168.4.5: icmp_seq=3 ttl=63 time=1.13 ms
64 bytes from 192.168.4.5: icmp_seq=4 ttl=63 time=2.10 ms

--- 192.168.4.5 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 0.802/1.226/2.107/0.524 ms
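To make Step 2 repeatable, here is an added example (not part of the original lab) that enables forwarding for the running kernel and persists it in /etc/sysctl.conf in one go. It edits the file with sed instead of vim, so re-running it does not leave duplicate or commented-out ip_forward lines behind. The function names, the --apply flag and the constructed sample file are this example's own; the live part only runs as root on gw1 when invoked with --apply.

```shell
#!/bin/bash
# Added example, not part of the original lab: enable IPv4 forwarding on gw1
# for the running kernel and persist it in /etc/sysctl.conf in one idempotent
# step. The lab does the file edit by hand with vim; this script does it with
# sed so it can be re-run safely. Function names and the --apply flag are this
# example's own choices.

# Set "key = value" in a sysctl.conf-style file. An existing line for the key
# is replaced in place, even if it is commented out (e.g. "#net.ipv4.ip_forward = 0"),
# otherwise the assignment is appended. The file is rewritten through a temp
# file and cat so its mode and ownership are preserved.
set_sysctl_persistent() {   # $1 = file, $2 = key, $3 = value
  local file=$1 key=$2 value=$3 key_re tmp
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in the key are literal
  if grep -q "^[[:space:]]*#\{0,1\}[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*#\{0,1\}[[:space:]]*${key_re}[[:space:]]*=.*/${key} = ${value}/" \
      "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the value the file would apply for a key: the last active (uncommented)
# assignment wins, which is also what sysctl -p does with repeated keys.
# Prints nothing if the key is not set in the file.
sysctl_conf_value() {       # $1 = file, $2 = key
  local key_re
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

# Runtime half: flip the live kernel switch and verify through the kernel's
# own view of it rather than trusting the command's exit status.
enable_ip_forward_now() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Only touch the real system when explicitly asked (run as root on gw1).
if [ "${1:-}" = "--apply" ]; then
  set -e
  set_sysctl_persistent /etc/sysctl.conf net.ipv4.ip_forward 1
  enable_ip_forward_now
  echo "ip_forward: runtime=$(cat /proc/sys/net/ipv4/ip_forward)" \
       "persisted=$(sysctl_conf_value /etc/sysctl.conf net.ipv4.ip_forward)"
fi
```

Run it as `bash enable_forward.sh --apply` on gw1; without the flag it only defines the functions, so it can be sourced and exercised against a copy of the file first. Keeping the edit key-specific means the existing rp_filter = 1 line in the RHEL6 default file is left untouched.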

Step 3: Inbound and outbound access control with the filter table
1) Restrict ping on the gateway gw1 (it may ping others, but others may not ping it)
Drop incoming ping requests and accept all other incoming ICMP (replies and error messages):

[root@gw1 ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
[root@gw1 ~]# iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT

Alternatively, allow outgoing ping requests and drop all other outgoing ICMP (non-request packets):

[root@gw1 ~]# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
[root@gw1 ~]# iptables -A OUTPUT -p icmp ! --icmp-type echo-request -j DROP

Prefer the INPUT variant. The OUTPUT variant silences every ICMP message gw1 would send other than echo-request, including destination-unreachable and time-exceeded, which breaks path MTU discovery and traceroute for everything behind the gateway. Note also that both chains still have policy ACCEPT, so the ACCEPT rule for non-echo-request ICMP changes nothing today; it only starts to matter once the chain policy is switched to DROP.

2) Verify the ping restriction
Pinging host pc120 from gateway gw1 works:

[root@gw1 ~]# ping -c4 -W2 174.16.16.120
PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.
64 bytes from 174.16.16.120: icmp_seq=1 ttl=64 time=2.32 ms
64 bytes from 174.16.16.120: icmp_seq=2 ttl=64 time=0.226 ms
64 bytes from 174.16.16.120: icmp_seq=3 ttl=64 time=0.583 ms
64 bytes from 174.16.16.120: icmp_seq=4 ttl=64 time=0.239 ms

--- 174.16.16.120 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.226/0.844/2.328/0.868 ms

Pinging gateway gw1 from host pc120 shows 100% packet loss; the requests are being dropped by the firewall:

[root@pc205 ~]# ping -c4 -W2 174.16.16.1
PING 174.16.16.1 (174.16.16.1) 56(84) bytes of data.

--- 174.16.16.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 5001ms

[root@pc205 ~]#

3) Access control for the FTP service on gateway gw1
Quickly install and start the vsftpd service:

[root@gw1 ~]# yum -y install vsftpd
.. ..
[root@gw1 ~]# service vsftpd restart
.. ..

Block host pc120 from reaching this machine's FTP service:

[root@gw1 ~]# iptables -A INPUT -s 174.16.16.120 -p tcp --dport 20:21 -j DROP

Port 21 is the control connection, and blocking it is what actually stops the client. Destination port 20 matches nothing useful here: in active mode port 20 is the server's source port for the data connection it opens towards the client, and in passive mode the data connection goes to a high port the server picks. Because the rule uses DROP rather than REJECT, the blocked client sees a timeout rather than an immediate refusal.
[root@gw1 ~]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp !type 8 
DROP       tcp  --  174.16.16.120        0.0.0.0/0           tcp dpts:20:21

4) Test the FTP access control
From the blocked host pc120, connecting to gw1's FTP service fails (the attempt hangs until it times out):

[root@pc205 ~]# ftp 174.16.16.1   
ftp: connect: Connection timed out
ftp> quit
[root@pc205 ~]#

From any other host (for example svr5), gw1's FTP service is reachable as usual:

[root@svr5 ~]# ftp 174.16.16.1
Connected to 174.16.16.1 (174.16.16.1).
220 (vsFTPd 2.2.2)
Name (174.16.16.1:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
[root@svr5 ~]#

Step 4: Forwarding access control with the filter table
1) The INPUT and OUTPUT chains have no effect on forwarded packets
With the firewall rules set up on gw1 in Step 3:

[root@gw1 ~]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp !type 8 
DROP       tcp  --  174.16.16.120        0.0.0.0/0           tcp dpts:20:21

Other hosts pinging gw1 itself are blocked, but pings that merely pass through gw1 on their way to other hosts are unaffected. For example, host pc120 can still ping host svr5:

[root@pc205 ~]# ping -c4 -W2 174.16.16.1                // inbound ping test: blocked
PING 174.16.16.1 (174.16.16.1) 56(84) bytes of data.

--- 174.16.16.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 5002ms

[root@pc205 ~]# ping -c4 -W2 192.168.4.5                // forwarded ping test: allowed
PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.
64 bytes from 192.168.4.5: icmp_seq=1 ttl=63 time=0.520 ms
64 bytes from 192.168.4.5: icmp_seq=2 ttl=63 time=0.919 ms
64 bytes from 192.168.4.5: icmp_seq=3 ttl=63 time=0.650 ms
64 bytes from 192.168.4.5: icmp_seq=4 ttl=63 time=1.97 ms

--- 192.168.4.5 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 0.520/1.014/1.970/0.571 ms
[root@pc205 ~]#

2) Set up a forwarding restriction on gateway gw1
Refuse to forward ping packets coming from, or going to, the 174.16.16.0/24 subnet:

[root@gw1 ~]# iptables -A FORWARD -p icmp -s 174.16.16.0/24 -j DROP
[root@gw1 ~]# iptables -A FORWARD -p icmp -d 174.16.16.0/24 -j DROP

These rules match every ICMP type, not just echo-request, so they also drop ICMP errors transiting the gateway (which again hurts path MTU discovery between the two subnets); adding --icmp-type echo-request would be more targeted. They have no effect on packets that gw1 itself sends or receives, which traverse OUTPUT and INPUT instead.

Check the current firewall rules:

[root@gw1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp !type 8 
DROP       tcp  --  174.16.16.120        0.0.0.0/0           tcp dpts:20:21 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  174.16.16.0/24       0.0.0.0/0           
DROP       icmp --  0.0.0.0/0            174.16.16.0/24      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

3) Test the ping forwarding restriction
Pinging host pc120 from host svr5 is forwarded traffic (FORWARD chain) from gw1's point of view, so it is dropped:

[root@svr5 ~]# ping -c4 -W2 174.16.16.120
PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.

--- 174.16.16.120 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 5001ms

[root@svr5 ~]#

Pinging host pc120 from gw1 itself is outbound traffic (OUTPUT chain) from gw1's point of view, so it is not affected:

[root@gw1 ~]# ping -c4 -W2 174.16.16.120
PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.
64 bytes from 174.16.16.120: icmp_seq=1 ttl=64 time=0.602 ms
64 bytes from 174.16.16.120: icmp_seq=2 ttl=64 time=0.426 ms
64 bytes from 174.16.16.120: icmp_seq=3 ttl=64 time=0.517 ms
64 bytes from 174.16.16.120: icmp_seq=4 ttl=64 time=0.507 ms

--- 174.16.16.120 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.426/0.513/0.602/0.062 ms
[root@gw1 ~]#
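The behaviour shown in Steps 3 and 4 comes down to two facts: the filter chain a packet hits is decided by whether it is addressed to gw1, sent by gw1, or merely passing through, and within a chain the rules are walked in order until one matches, otherwise the chain policy applies. The following added example (not part of the original lab) encodes both facts as a small model in shell, loaded with the same rules the lab appended, so you can predict which rule a test will hit before touching the live box. The rule table, the address list and all function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original lab: a small model of how gw1's
# filter table treats a packet. Chain selection follows the packet's endpoints;
# rules are evaluated top to bottom, first match wins, else the chain policy
# (ACCEPT in the lab) applies. Conntrack and the nat/mangle tables are ignored.

GW_LOCAL_IPS="192.168.4.1 174.16.16.1"    # gw1's eth0 / eth1 addresses (lab topology)

# One rule per line, in the order the lab appended them (order matters).
# Fields: chain proto icmp-type dport src dst target ; "-" = any, "!8" = not type 8
RULES='
INPUT   icmp 8   -      -              -              DROP
INPUT   icmp !8  -      -              -              ACCEPT
INPUT   tcp  -   20:21  174.16.16.120  -              DROP
FORWARD icmp -   -      174.16.16.0/24 -              DROP
FORWARD icmp -   -      -              174.16.16.0/24 DROP
'

# Dotted quad -> 32-bit integer, so prefixes can be compared with a mask.
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# Does address $2 match rule spec $1 (any, exact host, or a.b.c.d/n prefix)?
match_addr() {
  local spec=$1 addr=$2 bits mask
  case $spec in
    -)   return 0 ;;
    */*) bits=${spec#*/}
         mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
         [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "${spec%/*}") & mask )) ] ;;
    *)   [ "$spec" = "$addr" ] ;;
  esac
}

# ICMP type spec: any, exact type, or "!N" (the lab's "! --icmp-type echo-request").
match_icmp() {
  case $1 in
    -)  return 0 ;;
    !*) [ "${1#!}" != "$2" ] ;;
    *)  [ "$1" = "$2" ] ;;
  esac
}

# Destination port spec: any, single port, or lo:hi range (the lab's 20:21).
match_port() {
  case $1 in
    -)   return 0 ;;
    *:*) [ "$2" != "-" ] && [ "$2" -ge "${1%:*}" ] && [ "$2" -le "${1#*:}" ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# Which filter chain sees a packet from $1 to $2 on gw1?
chain_for() {
  local ip
  for ip in $GW_LOCAL_IPS; do [ "$2" = "$ip" ] && { echo INPUT; return; }; done
  for ip in $GW_LOCAL_IPS; do [ "$1" = "$ip" ] && { echo OUTPUT; return; }; done
  echo FORWARD    # neither end is gw1: only ip_forward and the FORWARD chain apply
}

# verdict SRC DST PROTO [ICMP-TYPE] [DPORT]  -> prints "CHAIN:TARGET"
verdict() {
  local src=$1 dst=$2 proto=$3 itype=${4:--} dport=${5:--}
  local chain rchain rproto rtype rdport rsrc rdst target
  chain=$(chain_for "$src" "$dst")
  while read -r rchain rproto rtype rdport rsrc rdst target; do
    [ -n "$rchain" ] || continue                              # skip blank lines
    [ "$rchain" = "$chain" ] && [ "$rproto" = "$proto" ] || continue
    match_icmp "$rtype" "$itype" && match_port "$rdport" "$dport" \
      && match_addr "$rsrc" "$src" && match_addr "$rdst" "$dst" || continue
    echo "$chain:$target"; return                             # first match wins
  done <<EOF
$RULES
EOF
  echo "$chain:ACCEPT"                                        # no match: chain policy
}

# The lab's own test cases, reproduced by the model.
echo "pc120 -> gw1 echo-request : $(verdict 174.16.16.120 174.16.16.1 icmp 8)"
echo "gw1 -> pc120 echo-request : $(verdict 174.16.16.1 174.16.16.120 icmp 8)"
echo "svr5 -> pc120 echo-request: $(verdict 192.168.4.5 174.16.16.120 icmp 8)"
echo "pc120 -> gw1 tcp/21       : $(verdict 174.16.16.120 174.16.16.1 tcp - 21)"
echo "svr5 -> gw1 tcp/21        : $(verdict 192.168.4.5 174.16.16.1 tcp - 21)"
```

Run it with `bash filter_model.sh`. The model makes the Step 4 point concrete: svr5's pings to pc120 never consult the INPUT rules at all, and gw1's own pings never consult FORWARD, which is why the same ICMP DROP has to be written once per chain if it is meant to apply to both kinds of traffic.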