Contents
- iptables auto-configuration script
- Opening specific ports
- ICMP packet rule setup
- iptables nat table applications
- Lab environment preparation
- Implementing router-like functionality
- Implementing port forwarding
iptables auto-configuration script
# Allow ports 80/21/22 (port 22 only from a specific subnet)
[root@localhost ~]# vim /usr/local/src/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
# Flush the iptables rules
$ipt -F
# Change the default policies
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# Allow packets belonging to related/established connections; this line is mandatory!!
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ssh only from the remote-administration subnet
$ipt -A INPUT -s 192.168.65.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
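The same policy written as an iptables-restore ruleset, added here as an example and not the page's own iptables.sh: the script above sets INPUT to DROP before its allow rules exist, whereas iptables-restore swaps the whole table in at COMMIT, and a timed restore of the saved rules guards against locking yourself out of SSH. SSH_NET, BACKUP, APPLY and the extra loopback rule are this example's assumptions, not the page's.

```shell
#!/bin/bash
# Added example (not the page's iptables.sh): the same policy as that script
# (INPUT DROP; RELATED,ESTABLISHED allowed; 22 only from one subnet; 80 and 21
# from anywhere) written as an iptables-restore ruleset, which is swapped in
# as one unit, so there is no moment where the policy is already DROP but the
# allow rules are not yet present. It also accepts loopback traffic, which a
# DROP policy would otherwise break. SSH_NET, BACKUP and APPLY are assumptions.
SSH_NET="${SSH_NET:-192.168.65.0/24}"
BACKUP="${BACKUP:-/root/iptables.backup}"

# Emit the complete filter table in iptables-save format; $1 is the ssh subnet.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $1 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Number of explicit ACCEPT rules in the generated ruleset (sanity check).
count_accepts() {
  build_ruleset "$1" | grep -c -- '-j ACCEPT'
}

apply_ruleset() {
  iptables-save > "$BACKUP"
  # Lockout guard: if the new rules cut off the SSH session, the old rules
  # come back after 60 seconds; kill this job once SSH is confirmed working.
  ( sleep 60 && iptables-restore < "$BACKUP" ) &
  guard=$!
  build_ruleset "$SSH_NET" | iptables-restore
  echo "applied; run 'kill $guard' once you have confirmed SSH still works"
}

# APPLY=1 applies the rules; otherwise just print the ruleset for review.
if [ "${APPLY:-0}" = 1 ]; then
  apply_ruleset
else
  build_ruleset "$SSH_NET"
fi
```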
Allow pinging out to the outside while the host itself cannot be pinged
The idea is to have the firewall drop ICMP packets sent to this host (ping requests, type 8), so that remote hosts never receive a ping reply; ICMP packets this host sends to remote hosts are left untouched and work as normal.
# Flush the rule table first so other rules do not interfere with the test
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 47 packets, 3312 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 28 packets, 2736 bytes)
pkts bytes target prot opt in out source destination
# Pinging the outside works
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=1 ttl=128 time=37.4 ms
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=2 ttl=128 time=38.0 ms
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=3 ttl=128 time=37.9 ms
^C
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 37.487/37.858/38.094/0.265 ms
# Pinging this host fails
C:\Users\18367>ping 192.168.65.133
正在 Ping 192.168.65.133 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
来自 192.168.65.133 的回复: 字节=32 时间=1ms TTL=64
192.168.65.133 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 1,丢失 = 3 (75% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 1ms,最长 = 1ms,平均 = 1ms
Delete the rule and test again (for the sake of the experiment the table is simply flushed with -F; in a real environment it is better not to do this)
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 42 packets, 2976 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23 packets, 2180 bytes)
pkts bytes target prot opt in out source destination
# Pinging this host now works
C:\Users\18367>ping 192.168.65.133
正在 Ping 192.168.65.133 具有 32 字节的数据:
来自 192.168.65.133 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.65.133 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.65.133 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.65.133 的回复: 字节=32 时间<1ms TTL=64
192.168.65.133 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
iptables nat table applications
Environment preparation
Host 1: centos7, with an added NIC ens37; the original NIC can reach the outside, the new NIC connects to the internal network (can reach centos7-1), ip: 192.168.0.100/24
Host 2: centos7-1, with an added NIC ens37; the original NIC is prevented from starting (internal network only), NIC ip: 192.168.0.200/24, no access to the outside
Host 1 and host 2 can communicate with each other
NIC setup (test environment under VMware):
- Add a NIC and connect it to the internal network
Click Edit virtual machine settings --> Add... --> select Network Adapter --> Next --> Finish
Click LAN Segments... --> Add, name it and confirm --> select it from the LAN segment drop-down menu
Once a LAN segment has been created in one VM, it can be selected directly in the other VMs
- Set the ip. For host 1, the original NIC still allows remote login, so simply set the new NIC's ip
Temporary ip: ifconfig ens37 192.168.0.100/24
Permanent ip: vim /etc/sysconfig/network-scripts/ifcfg-ens37; set the ip to 192.168.0.100 and the gateway to 192.168.0.255 (if there is no ifcfg-ens37 file, copy the ens33 file)
For host 2, since the original NIC is disabled, you have to log in on the console; the same two methods can be used to set the ip
Verify that the environment was set up successfully
Host 1
# NIC is up and running
[root@localhost ~]# mii-tool ens37
ens37: negotiated 1000baseT-FD flow-control, link ok
# ip configured successfully
[root@localhost ~]# ifconfig ens37
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fe8b:d486 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:8b:d4:86 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 62 bytes 10104 (9.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# ping to host 2 works
[root@localhost ~]# ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200) 56(84) bytes of data.
64 bytes from 192.168.0.200: icmp_seq=1 ttl=64 time=0.267 ms
64 bytes from 192.168.0.200: icmp_seq=2 ttl=64 time=1.16 ms
64 bytes from 192.168.0.200: icmp_seq=3 ttl=64 time=0.604 ms
^C
--- 192.168.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.267/0.679/1.166/0.370 ms
Host 2
After configuring the ip (ens33 was brought down to rule out interference from it), ping tests show that host 1 and the local host are both reachable
Set up the nat table so that host 2 can reach the outside
Enable IP forwarding on host 1
# 0 means forwarding is disabled
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
Add the nat rule on host 1
# MASQUERADE: rewrite the source IP to the IP of the device the packet leaves through (-o)
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ens33 -j MASQUERADE
# Check that the rule was added to the nat table
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.0.0/24 0.0.0.0/0
Set host 2's gateway to 192.168.0.100 (host 1's added NIC)
route add default gw 192.168.0.100
Set host 2's DNS so that it can reach the outside
[root@localhost ~]# vim /etc/resolv.conf
nameserver 119.29.29.29
:wq to save and quit
Verify DNS and outside connectivity
# ping the DNS server
[root@localhost ~]# ping 119.29.29.29
# ping host 1
[root@localhost ~]# ping 192.168.65.134
# ping the outside
[root@localhost ~]# ping baidu.com
Problems encountered
After completing the above setup, the DNS server could not be pinged during verification; the error was Destination Host Prohibited. Looking at iptables showed reject rules in the INPUT and FORWARD chains; after deleting them with iptables -D, host 2 could ping through!
Implementing port mapping: host 2 gets remote access through a port mapping on host 1
Enable forwarding
[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
Add the port forwarding rules on host 1
Rule for incoming packets
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.65.134 -p tcp --dport 1122 -j DNAT --to 192.168.0.200:22
Rule for outgoing packets
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.0.200 -j SNAT --to 192.168.65.134
# Check the rule table
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.65.134 tcp dpt:1122 to:192.168.0.200:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 2020 MASQUERADE all -- * ens33 192.168.0.0/24 0.0.0.0/0
0 0 SNAT all -- * * 192.168.0.200 0.0.0.0/0 to:192.168.65.134
Set host 2's gateway to 192.168.0.100 (host 1's added NIC)
# route add default gw 192.168.0.100
Verify remote login: create a new remote connection, enter ip 192.168.65.134 and port 1122, click OK; enter the username and password, and the login succeeds
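The host 1 side of the nat setup and the port mapping collected into one script, added here as an example rather than the page's own commands. It also adds the FORWARD-chain ACCEPT rules that the REJECT-rule problem described earlier called for, so that forwarding works without deleting whatever rules happen to be there. Interface names and addresses are the page's; IPT=echo (the dry-run switch), APPLY and the function names are this example's assumptions.

```shell
#!/bin/bash
# Added example, not the page's own commands: the host 1 (router) side of the
# nat-table setup described above, plus the FORWARD-chain ACCEPT rules that the
# page's "Destination Host Prohibited" problem turned out to need. Interface
# names and addresses are the page's; IPT=echo (an assumption) gives a dry run.
IPT="${IPT:-/usr/sbin/iptables}"
WAN_IF="${WAN_IF:-ens33}"            # NIC that reaches the outside
LAN_IF="${LAN_IF:-ens37}"            # NIC towards the internal network
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IP="${WAN_IP:-192.168.65.134}"   # host 1's address on the outside

# Each function prints one rule per line, as the arguments iptables expects.
# Router role: let LAN traffic out, let only replies back in, and masquerade
# on the way out of the WAN interface (the same MASQUERADE rule as on the page).
router_rules() {
  echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
  echo "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "-t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Port mapping WAN_IP:$1 -> $2:$3. DNAT runs in nat PREROUTING, before the
# filter FORWARD chain, so the FORWARD rule must match the rewritten
# destination ($2:$3), not the public port. Replies are un-NATed by conntrack
# and MASQUERADE already covers host 2's own outbound traffic, so this example
# does not add a separate SNAT rule.
port_forward_rules() {
  echo "-t nat -A PREROUTING -d $WAN_IP -p tcp --dport $1 -j DNAT --to-destination $2:$3"
  echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $2 -p tcp --dport $3 -m state --state NEW -j ACCEPT"
}

apply_rules() {
  # Same effect as the page's echo "1" > /proc/sys/net/ipv4/ip_forward.
  [ "$IPT" = echo ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
  { router_rules; port_forward_rules 1122 192.168.0.200 22; } |
    while read -r rule; do
      # Word splitting of $rule into separate arguments is intended here.
      $IPT $rule
    done
}

# APPLY=1 applies the rules; otherwise print them (dry run) for review.
[ "${APPLY:-0}" = 1 ] || IPT=echo
apply_rules
```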
Connecting to 192.168.65.134:1122...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Nov 30 21:03:36 2017 from 192.168.65.1
[root@localhost ~]#
# ifconfig: ens37's ip is the ip of host 2's added NIC!
[root@localhost ~]# ifconfig
ens33: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:0c:29:d0:81:f5 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.200 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fed0:81ff prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d0:81:ff txqueuelen 1000 (Ethernet)
RX packets 113 bytes 11726 (11.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 161 bytes 21946 (21.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 496 bytes 45156 (44.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 496 bytes 45156 (44.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Problems encountered
After completing the above steps, remote login did not work; checking host 2's gateway showed that ens33 had come back up. After running ifdown to bring ens33 down, the remote login succeeded!!