首先,请允许我先介绍一下什么是iptables?
iptables 并不是真正的防火墙,可以理解为一个客户端代理。用户通过iptables这个代理,将用户的安全设定执行到对应的“安全框架”(netfilter)。所以说,iptables其实是一个命令行工具,位于用户空间,我们用iptables操作真正的框架(netfilter)。
iptables是按照规则办事的,即rules,规则一般制订了源地址、目的地址、传输协议(tcp、udp)等。当数据包与规则匹配时,iptables就会根据定义的规则来处理数据包,如accept(接受)、reject(拒绝)、drop(丢弃)三种动作。
那我们如何利用iptables去配置防火墙,即添加、更改、删除规则呢?
//iptables后跟参数的含义:
iptables -nL ##查看规则
iptables -F ##清空规则
iptables -t ##指定操作的表; iptables -nL -t nat //查看表nat的规则
iptables -P ##设置链的默认策略(所有规则都不匹配时的处理动作)
-A ##添加规则
-I ##插入,可以指定规则添加的位置
-R ##修改某条规则
-n ##表示不做名称解析,地址和端口以数字形式显示
-L ##查看表的策略信息
-p ##指定某个协议(tcp、udp)
-N ##新建自定义链
-E ##修改规则链名称
-X ##删除自定义链
在使用iptables服务时,需要先关闭firewalld,避免两者同时管理规则而相互冲突;
[root@server Desktop]# systemctl stop firewalld //关闭防火墙
[root@server Desktop]# systemctl disable firewalld
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
[root@server Desktop]# systemctl start iptables.service //开启iptables功能
[root@server Desktop]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@server Desktop]# iptables -nL //查看防火墙策略信息
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server Desktop]# iptables -F //刷新
[root@server Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server Desktop]# service iptables save //保存规则信息
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@server Desktop]# vim /etc/sysconfig/iptables //所有规则信息被保存的位置
测试 1:
[root@desktop Desktop]# systemctl start httpd //开启Apache(httpd)服务
[root@desktop Desktop]# iptables -P INPUT ACCEPT
//所有主机浏览器都可以看到httpd页面
[root@desktop Desktop]# iptables -A INPUT -p tcp --dport 80 -j REJECT //添加规则:所有主机通过浏览器访问172.25.254.174为拒绝模式
[root@desktop Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
//这时,所有主机浏览器都会显示连接不上服务主机httpd端口
测试 2:添加规则的使用
[root@desktop Desktop]# iptables -A INPUT -s 172.25.254.74 -p tcp --dport 80 -j ACCEPT //追加规则:意图只允许172.25.254.74主机通过浏览器访问本机httpd;但-A把它追加在上一条REJECT之后,规则自上而下匹配,这条ACCEPT实际不会生效(测试3改用-I插到第一行)
[root@desktop Desktop]# iptables -nL //查看当前规则
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT tcp -- 172.25.254.74 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop Desktop]# iptables -D INPUT 2 //删除INPUT链的第二条规则
[root@desktop Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
测试 3 :插入规则的使用
[root@desktop Desktop]# iptables -I INPUT 1 -s 172.25.254.74 -p tcp --dport 80 -j ACCEPT //插入规则:指定在第一行添加指定ip的主机可以通过浏览器访问本机
[root@desktop Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.25.254.74 0.0.0.0/0 tcp dpt:80
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
测试 4 :修改规则的使用
[root@desktop Desktop]# iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT //在INPUT链的第二行插入规则
[root@desktop Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.25.254.74 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop Desktop]# iptables -R INPUT 2 -s 172.25.254.74 -p tcp --dport 80 -j REJECT //修改规则:替换INPUT链第二条规则的内容
[root@desktop Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.25.254.74 0.0.0.0/0 tcp dpt:80
REJECT tcp -- 172.25.254.74 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
注意:这里需要说明一点,规则是自上而下依次匹配的,一旦某条规则匹配成功,就不再读取后面的规则。就如测试4中,先允许了172.25.254.74这台主机访问,后又添加了拒绝172.25.254.74访问的规则;实际生效的是第一条规则,第二条规则不会被读到,所以172.25.254.74通过浏览器访问时仍然可以看到内容。
测试 5 :对自定义链的管理
[root@desktop Desktop]# iptables -N westos //新建自定义链westos
[root@desktop Desktop]# iptables -E westos WESTOS //将链westos重命名为WESTOS
[root@desktop Desktop]# iptables -X WESTOS //删除自定义链WESTOS
测试 6:实现对于第二次的访问请求,直接接受;对于新的请求,只允许ssh、http、https、dns、iSCSI端口接受(注意:下面INPUT链的默认策略仍是ACCEPT,末尾也没有REJECT规则,所以未列出的端口实际上仍会被放行;要真正做到“只允许”,需要把INPUT默认策略改为DROP,或在末尾追加一条REJECT规则)
NEW ##表示第一次访问(新建连接的首个数据包)
ESTABLISHED ##表示第二次访问(已建立连接上的后续数据包)
RELATED ##表示关闭访问后再次访问
[root@desktop Desktop]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@desktop Desktop]# iptables -A INPUT -m state --state NEW -p TCP --dport 22 -j ACCEPT //添加ssh的端口为接受
[root@desktop Desktop]# iptables -A INPUT -m state --state NEW -p TCP --dport 80 -j ACCEPT //添加httpd端口为接受
[root@desktop Desktop]# iptables -A INPUT -m state --state NEW -p TCP --dport 53 -j ACCEPT //添加dns端口为接受
[root@desktop Desktop]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT //放行本机回环接口lo(iptables -nL不显示接口列,所以下面看到的是“ACCEPT all ... state NEW”;用-nvL可以看到-i lo)
[root@desktop Desktop]# iptables -A INPUT -m state --state NEW -p TCP --dport 3260 -j ACCEPT //添加iSCSI端口为接受模式
[root@desktop Desktop]# iptables -A INPUT -m state --state NEW -p TCP --dport 443 -j ACCEPT //添加https为接受模式
[root@desktop Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3260
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop Desktop]# service iptables save //保存添加的策略
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@desktop Desktop]# cat /etc/sysconfig/iptables //保存的策略信息在此文件中
地址伪装
//首先我们在单网卡的主机先看看可不可以ping通
[root@server Desktop]# systemctl stop iptables.service
[root@server Desktop]# ping 172.25.254.74
PING 172.25.254.74 (172.25.254.74) 56(84) bytes of data.
^C
--- 172.25.254.74 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
//双网卡主机进行如下配置(前提是该主机已开启内核IP转发,即 net.ipv4.ip_forward=1,否则数据包不会被转发):
[root@desktop Desktop]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.174 //在路由后,通过SNAT把从eth0出去的数据包的源地址改为172.25.254.174
[root@desktop Desktop]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.174
在单网卡主机进行测试:
[root@server Desktop]# ping 172.25.254.74
[root@server Desktop]# ssh root@172.25.254.74
效果如下图所示:
端口转发
//单网卡主机(server)
[root@server Desktop]# yum install httpd
[root@server Desktop]# systemctl start httpd
[root@server Desktop]# echo 172.25.7.247 > /var/www/html/index.html
//双网卡主机(desktop);注意:把22端口DNAT到内网主机后,从eth0进来的ssh连接都会被转到172.25.7.247,此时无法再经eth0直接ssh到desktop本机
[root@desktop Desktop]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-dest 172.25.7.247 //在路由前,通过DNAT把从eth0进来、目标端口为22的数据包的目标地址改为172.25.7.247
[root@desktop Desktop]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest 172.25.7.247
[root@desktop Desktop]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:172.25.7.247
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.25.7.247
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.174
在真机172.25.254.74上进行测试连接:
[kiosk@foundation74 Desktop]$ ssh root@172.25.254.174
浏览器查看172.25.254.174内容为172.25.7.247(单网卡主机)的httpd默认文件内容;