Working scenario: host firewall
filter table: concerns the host itself and is the table that actually implements the host-firewall function. filter is the default table used by iptables and defines three chains:
INPUT: filters every packet whose destination address is a local address (packets entering the host)
FORWARD: handles packets routed through the host (the forwarding function)
OUTPUT: handles every packet whose source address is a local address (packets the host itself sends)
iptables practice scenarios
Scenario 1:
Rule 1: open the host's TCP ports 80, 22 and 10-21 to all addresses
Rule 2: allow ICMP packets to the host from all addresses
Rule 3: deny access to every port not explicitly allowed
Configuration:
iptables -A INPUT -p tcp -m multiport --dport 22,80 -j ACCEPT
iptables -A INPUT -p tcp --dport 10:21 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT
View (note that the chain policy is still ACCEPT; all blocking comes from the final REJECT rule, so an iptables -F would leave the host wide open):
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22,80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:10:21
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Port scan from another machine:
# nmap -sS -p 0-1000 192.168.20.151
Starting Nmap 5.51 ( http://nmap.org ) at 2019-04-06 10:47 CST
Nmap scan report for 192.168.20.151
Host is up (0.00024s latency).
Not shown: 987 filtered ports
PORT STATE SERVICE
10/tcp closed unknown
11/tcp closed systat
12/tcp closed unknown
13/tcp closed daytime
14/tcp closed unknown
15/tcp closed netstat
16/tcp closed unknown
17/tcp closed qotd
18/tcp closed unknown
19/tcp closed chargen
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:94:F8:92 (VMware)
Reading the scan: ports 10-20 show as "closed" because the firewall admitted the SYN and the kernel answered with a RST (nothing listens there); 21, 22 and 80 are "open" because a service answers; everything else is "filtered" because the trailing REJECT answers with ICMP port-unreachable, which nmap reports as filtered, not closed (only REJECT --reject-with tcp-reset looks like a closed port to a scanner).
The configuration above has two problems:
1. The host cannot reach itself: packets over the loopback interface also traverse INPUT, match no ACCEPT rule and hit the REJECT.
2. The host cannot reach other hosts: outgoing connections leave through OUTPUT (policy ACCEPT), but the replies come back through INPUT to an ephemeral destination port that matches none of the ACCEPT rules, so they are rejected too.
Fix (both inserted at the top of the chain with -I so they are evaluated before the port rules):
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Supplement: on top of Scenario 1, allow only 192.168.20.152 to reach the host's httpd service
iptables -D INPUT -p tcp -m multiport --dport 22,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp -s 192.168.20.152 --dport 80 -j ACCEPT
-D only removes a rule whose specification matches exactly. Port 80 was added together with 22 in one multiport rule, so iptables -D INPUT -p tcp --dport 80 -j ACCEPT fails ("Bad rule (does a matching rule exist in that chain?)") and leaves port 80 open to everyone. Delete the multiport rule, re-add 22 on its own, then insert the restricted rule for 80, and confirm with iptables -nL --line-numbers.
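The scan above is the real check of Scenario 1: the firewall is correct only if the set of ports that reached the TCP stack (open or closed) equals the set the rules were meant to admit. The script below is an added example, not code from the original page; it compares an nmap -sS result with an allow list written in iptables port syntax. The sample scan text is constructed from the output shown above, and the interpretation of the nmap states is the one explained above (open/closed = admitted, filtered = REJECT or DROP).

```shell
#!/bin/sh
# Added example, not part of the original page: compare an nmap -sS result
# with the port set the host firewall is meant to admit. Reading used here:
# "open" and "closed" both mean the SYN reached the TCP stack (the firewall
# accepted it); "filtered" means REJECT (ICMP unreachable) or DROP.

# Constructed sample: the port lines from the scan shown on the page.
SAMPLE_SCAN='Not shown: 987 filtered ports
PORT STATE SERVICE
10/tcp closed unknown
11/tcp closed systat
12/tcp closed unknown
13/tcp closed daytime
14/tcp closed unknown
15/tcp closed netstat
16/tcp closed unknown
17/tcp closed qotd
18/tcp closed unknown
19/tcp closed chargen
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:94:F8:92 (VMware)'

# Expand an allow list written like iptables port specs ("22,80,10:21")
# into a sorted, space-separated list of single ports.
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS=: read -r lo hi; do
        seq "$lo" "${hi:-$lo}"
    done | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Ports the scan proves the firewall admitted: every TCP port whose state
# is not "filtered" (closed = accepted but no listener, open = listener).
reached_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 != "filtered" {
        split($1, f, "/"); print f[1] }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 when the admitted set equals the intended allow list, 1 otherwise.
# Only ports inside the scanned range can be judged (the page scanned 0-1000).
policy_matches() {
    [ "$(reached_ports "$1")" = "$(expand_ports "$2")" ]
}

# Stand-alone run: report the verdict for the page's Scenario 1 allow list.
if policy_matches "$SAMPLE_SCAN" '22,80,10:21'; then
    echo "scan matches policy"
else
    echo "scan deviates from policy: admitted [$(reached_ports "$SAMPLE_SCAN")]"
fi
```

Run it against a fresh scan (nmap -sS -p 0-1000 host | ... ) after every rule change; a port that moves from filtered to closed is a rule that admits more than intended, even though nothing listens there today.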
Scenario 2: iptables rules for FTP in active and passive mode
1. iptables rules for active-mode FTP
FTP clients default to passive mode.
For vsftpd to support active mode, check these configuration options:
port_enable=YES
connect_from_port_20=YES
iptables only needs to admit the control connection on port 21: in active mode the server itself opens the data connection, from its port 20 to the port the client announced with PORT, so that connection leaves through OUTPUT (policy ACCEPT) and its replies match ESTABLISHED.
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
Configuration:
iptables -F
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT
Test:
# ftp 192.168.20.151
Connected to 192.168.20.151 (192.168.20.151).
220 (vsFTPd 2.2.2)
Name (192.168.20.151:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,20,151,115,181).
ftp: connect: Connection refused
ftp>
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Mar 22 2017 pub
226 Directory send OK.
ftp>
In the passive attempt above the client connects to the data port announced in the 227 reply (115*256+181 = 29621); no INPUT rule admits that port, the trailing REJECT answers with ICMP port-unreachable, and the client reports "Connection refused". With passive mode off the server opens the data connection toward the client, which the server's INPUT rules do not constrain.
2. iptables rules for passive-mode FTP
Method 1: give vsftpd a fixed data-port range and open that range in iptables
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
vim /etc/vsftpd/vsftpd.conf
pasv_min_port=50000
pasv_max_port=60000
iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT   (added on top of the active-mode rules above; restart vsftpd for the range to take effect)
The range is admitted from every source, so keep it no wider than the number of concurrent transfers you expect and make sure nothing else listens on those ports.
Method 2: use the connection-tracking helper
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
modprobe nf_conntrack_ftp                  (takes effect immediately, not persistent)
vim /etc/sysconfig/iptables-config         (load the module at boot)
IPTABLES_MODULES="nf_conntrack_ftp"
The helper reads the PORT/PASV exchange on the control connection and marks the resulting data connection RELATED, so the state rule admits it without a static port range. The setup shown is the CentOS/RHEL 6 one (vsFTPd 2.2.2, /etc/sysconfig/iptables-config). On kernels 4.7 and later the helper is no longer attached automatically (net.netfilter.nf_conntrack_helper defaults to 0 and the sysctl was later removed entirely); bind it explicitly to the control port instead, e.g. iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp. Binding it to port 21 only is also the safer choice: the helper opens pinholes from addresses and ports it reads out of the session, so it should only ever parse real FTP traffic.
Test:
# ftp 192.168.20.151
Connected to 192.168.20.151 (192.168.20.151).
220 (vsFTPd 2.2.2)
Name (192.168.20.151:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,20,151,232,245).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Mar 22 2017 pub
226 Directory send OK.
ftp>
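The two transcripts differ only in the port inside the 227 reply, and whether that port falls inside the range the firewall opens decides between "Connection refused" and a directory listing. The script below is an added example, not code from the original page: it decodes the 227 reply, checks the port against the pasv_min_port/pasv_max_port values used above, and emits the matching iptables rule from the same two variables so the firewall range and vsftpd.conf cannot drift apart. The two replies it processes are the ones from the transcripts above.

```shell
#!/bin/sh
# Added example, not part of the original page: decode the data port that a
# "227 Entering Passive Mode" reply advertises and check it against the range
# vsftpd was given (pasv_min_port/pasv_max_port) and the firewall opens.
# Values are the ones from the configuration and transcripts above.

PASV_MIN=${PASV_MIN:-50000}   # pasv_min_port in vsftpd.conf
PASV_MAX=${PASV_MAX:-60000}   # pasv_max_port in vsftpd.conf

# Pull "a,b,c,d,p1,p2" out of the parentheses of a 227 reply.
pasv_fields() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p'
}

# Data port = p1*256 + p2 (RFC 959 encoding).
pasv_port() {
    pasv_fields "$1" | awk -F, 'NF == 6 { print $5 * 256 + $6 }'
}

# Data host = a.b.c.d (should equal the control-connection peer).
pasv_host() {
    pasv_fields "$1" | awk -F, 'NF == 6 { printf "%s.%s.%s.%s\n", $1, $2, $3, $4 }'
}

# Exit 0 when the advertised port lies inside [PASV_MIN, PASV_MAX]; a port
# outside the opened range is exactly what the REJECT rule turns into
# "Connection refused" on the client.
pasv_in_range() {
    port=$(pasv_port "$1")
    [ -n "$port" ] && [ "$port" -ge "$PASV_MIN" ] && [ "$port" -le "$PASV_MAX" ]
}

# Emit the matching iptables rule from the same two variables, so the
# firewall range and vsftpd.conf are always derived from one place.
pasv_rule() {
    printf 'iptables -I INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$PASV_MIN" "$PASV_MAX"
}

# Stand-alone run: the two 227 replies seen in the transcripts above.
for reply in '227 Entering Passive Mode (192,168,20,151,115,181).' \
             '227 Entering Passive Mode (192,168,20,151,232,245).'; do
    if pasv_in_range "$reply"; then verdict=inside; else verdict=outside; fi
    echo "$(pasv_host "$reply"):$(pasv_port "$reply") $verdict $PASV_MIN-$PASV_MAX"
done
```

The first reply decodes to 29621, outside 50000-60000, which is the refused connection in the active-mode transcript; the second decodes to 59637, inside the range opened by Method 1.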
Scenario 3:
Requirement 1: employees inside the company (10.10.155.0/24, 10.10.188.0/24) can reach every service on the server
Requirement 2: employees on the road connect to the company over VPN and can reach the internal FTP, SAMBA, NFS and SSH services
Requirement 3: the company runs a website that must be reachable from the public Internet
iptables -F
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 10.10.155.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.188.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT   (VPN: PPTP control channel)
iptables -A INPUT -p gre -j ACCEPT                 (VPN: PPTP carries the tunnel itself over GRE, IP protocol 47; without this rule clients authenticate but never pass traffic)
iptables -A INPUT -j REJECT
Two caveats. Requirement 2 is only half covered: opening 1723 (and GRE) lets clients build the tunnel, but the traffic they then send arrives on INPUT from the VPN address pool over the ppp interface, and the rules above neither admit that pool nor limit it to FTP, SAMBA, NFS and SSH; add rules for the pool, restricted to those services, in the same style as the subnet rules. PPTP is also cryptographically weak (MS-CHAPv2), so treat port 1723 here as the page's example rather than a recommendation.
Configuring the firewall in production
Default policy styles:
Open by default, block the exceptions ("strolling through a park"): used for Internet gateway routers
Closed by default, allow the exceptions ("going to the cinema", every entry needs a ticket): used for server host firewalls
Below, the host firewall is configured in the "cinema" style:
#remove any existing rules (clear all current rules, user chains and counters)
iptables -F
iptables -X
iptables -Z
#allow ssh port (permit SSH logins, here only from the management subnet)
iptables -A INPUT -p tcp --dport 22 -s 192.168.239.0/24 -j ACCEPT
#setting for loopback interface (allow the host to talk to itself over lo)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#setting default firewall policy (set the default deny and allow policies)
#default: DROP on INPUT and FORWARD, ACCEPT on OUTPUT
#from this point on only explicitly allowed traffic gets in; an SSH session from outside 192.168.239.0/24 is cut here, so run the whole sequence from a script or the console, not line by line
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#setting Lan access rules (trusted subnets)
iptables -A INPUT -s 192.168.239.0/24 -p all -j ACCEPT
....
#outer server (allow the http service through)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#ICMP: either allow every ICMP type from anywhere ...
#iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
#... or only echo-request from the LAN; pick one, with the rule above in place this one never matches
iptables -A INPUT -p icmp -s 192.168.239.0/24 --icmp-type 8 -j ACCEPT
#others RELATED, e.g. the FTP data connection (allow replies and helper-related connections)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#scan the configured firewall from another server
nmap 192.168.239.151 -p 1-65535
Maintenance: edit the rules file directly
vim /etc/sysconfig/iptables
/etc/init.d/iptables reload
Rules entered at the command line exist only in the kernel and vanish on reboot; on CentOS/RHEL 6, service iptables save writes the running rules to /etc/sysconfig/iptables, which the reload above reads back. Verify the result with iptables -nvL --line-numbers rather than trusting the file.
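/etc/sysconfig/iptables is written in iptables-save syntax, and iptables-restore loads such a file into the kernel as one unit, which avoids the line-by-line lockout window between -P INPUT DROP and the ACCEPT rules. The script below is an added example, not code from the original page: it renders the "cinema style" ruleset above in that format, validates it with iptables-restore --test and loads it atomically. The trusted subnet is the page's 192.168.239.0/24; the IPT_RESTORE variable only exists so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example, not part of the original page: the "cinema style" ruleset
# above written in iptables-save syntax and loaded with iptables-restore, so
# the policy switch and the ACCEPT rules arrive in the kernel as one unit
# instead of line by line. TRUST_NET is the page's example subnet; the
# output format is the same as /etc/sysconfig/iptables.

TRUST_NET=${TRUST_NET:-192.168.239.0/24}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# Print the complete filter table. Lines starting with # are ignored by
# iptables-restore; [0:0] resets the packet/byte counters.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and return traffic first: they match most packets
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management SSH (kept separate so it survives if the LAN rule is narrowed)
-A INPUT -p tcp -s $TRUST_NET --dport 22 -j ACCEPT
# trusted LAN
-A INPUT -s $TRUST_NET -j ACCEPT
# public service
-A INPUT -p tcp --dport 80 -j ACCEPT
# ICMP echo-request only from the LAN (the page's "internal only" variant)
-A INPUT -p icmp -s $TRUST_NET --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Parse with --test first; only a file that parses is loaded, and
# iptables-restore then replaces the whole table atomically.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    if "$IPT_RESTORE" --test < "$tmp"; then
        "$IPT_RESTORE" < "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Line number of the first rule matching a pattern, for ordering checks
# (put the state rule early: it matches most packets, and any rule placed
# after a REJECT never runs).
rule_index() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Stand-alone run: print the ruleset; APPLY=1 loads it (needs root).
build_ruleset
if [ "${APPLY:-0}" = 1 ]; then
    apply_ruleset
fi
```

Redirect build_ruleset into /etc/sysconfig/iptables to persist it, or run APPLY=1 ./fw.sh from the console; if the file fails --test the running rules are left untouched.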