03-iptables-实验
实验
A(172.16.11.206)
B(172.16.11.216)
C(172.16.11.207)
1 允许B访问A而C不行
# A
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 782 packets, 74731 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 72 packets, 12516 bytes)
pkts bytes target prot opt in out source destination
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.216 -d 172.16.11.206 -j ACCEPT
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -j DROP
[root@husa ~]# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 53 packets, 4997 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 172.16.11.216 172.16.11.206
0 0 DROP all -- * * 172.16.11.207 172.16.11.206
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 29 packets, 4152 bytes)
pkts bytes target prot opt in out source destination
# B
[root@husa ~]# ssh root@172.16.11.206
The authenticity of host '172.16.11.206 (172.16.11.206)' can't be established.
ECDSA key fingerprint is d8:88:76:ef:30:e0:f5:f7:4b:a2:63:51:55:2e:74:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.206' (ECDSA) to the list of known hosts.
root@172.16.11.206's password:
Last failed login: Sun Jan 24 19:16:54 CST 2016 from 172.16.16.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Jan 24 19:16:39 2016 from 172.16.11.207
[root@husa ~]# ip addr
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4d:a0:50 brd ff:ff:ff:ff:ff:ff
inet 172.16.11.206/16 brd 172.16.255.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4d:a050/64 scope link
valid_lft forever preferred_lft forever
# C
[root@localhost ~]# ssh root@172.16.11.206
ssh: connect to host 172.16.11.206 port 22: Connection timed out
# 由于A对来自C的packet使用DROP直接丢弃，不返回任何响应，导致C的ssh连接只能等到超时（Connection timed out）
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
# ping也不通：DROP不产生任何ICMP错误回应，所以C这边没有输出，只能一直等待
# 在A上用watch动态查看各条规则的匹配计数（pkts/bytes列随着B和C的访问而增长）
Every 1.0s: iptables -L -n -v --line-numbers Sun Jan 24 19:24:44 2016
Chain INPUT (policy ACCEPT 528 packets, 53690 bytes)
num pkts bytes target prot opt in out source destination
1 43 5995 ACCEPT all -- * * 172.16.11.216 172.16.11.206
2 74 6168 DROP all -- * * 172.16.11.207 172.16.11.206
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 146 packets, 25966 bytes)
num pkts bytes target prot opt in out source destination
2 限制C不能pingA但是可以sshA
# A
[root@husa ~]# iptables -F
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p icmp -j REJECT
[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 10 packets, 860 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT icmp -- * * 172.16.11.207 172.16.11.206 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 872 bytes)
num pkts bytes target prot opt in out source destination
# C
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
From 172.16.11.206 icmp_seq=1 Destination Port Unreachable
From 172.16.11.206 icmp_seq=2 Destination Port Unreachable
From 172.16.11.206 icmp_seq=3 Destination Port Unreachable
^C
--- 172.16.11.206 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2491ms
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password:
Last login: Sun Jan 24 19:22:25 2016 from 172.16.250.35
[root@husa ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4d:a0:50 brd ff:ff:ff:ff:ff:ff
inet 172.16.11.206/16 brd 172.16.255.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4d:a050/64 scope link
valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4d:a0:5a brd ff:ff:ff:ff:ff:ff
inet 192.168.200.137/24 brd 192.168.200.255 scope global eno33554984
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4d:a05a/64 scope link
valid_lft forever preferred_lft forever
可以看到C不能pingA但是可以sshA：规则只匹配-p icmp，且REJECT默认回应icmp-port-unreachable，所以ping立即报"Destination Port Unreachable"而不是像DROP那样超时
3 A有两张网卡，其中一个IP为172.16.11.206，另一个IP为192.168.200.137，限制C只能从192.168.200.137 ping通
# A
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -p icmp -j REJECT
# C
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
From 172.16.11.206 icmp_seq=1 Destination Port Unreachable
From 172.16.11.206 icmp_seq&#