(1)容许192.168.42.1 访问22端口,容许192.168.42.0/24 访问80 ,其他所有请求拒绝
# Goal (1): allow 192.168.42.1 -> tcp/22, allow 192.168.42.0/24 -> tcp/80, reject everything else.
# -I inserts at the TOP of INPUT, -A appends at the BOTTOM, so the effective order is not the typing
# order. Assuming INPUT was empty before this, the chain ends up as:
#   1 ACCEPT tcp/80 from 192.168.42.0/24    2 ACCEPT tcp/22 from 192.168.42.1
#   3 REJECT icmp                           4 REJECT everything else
[root@localhost ~]# iptables -t filter -I INPUT -p ICMP -j REJECT
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 22 -s 192.168.42.1 -j ACCEPT
# Catch-all, appended so it stays last.
# NOTE(review): nothing above it accepts loopback (-i lo) or -m state --state ESTABLISHED,RELATED,
# so replies to connections this host opens itself (DNS, yum, ...) are rejected as well.
[root@localhost ~]# iptables -t filter -A INPUT -j REJECT
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -s 192.168.42.0/24 -j ACCEPT
# Deletion by position. With the order worked out above, rule 4 is the catch-all REJECT, which
# undoes the stated goal; if the ICMP reject was meant, that is rule 3. Check numbering before -D:
#   iptables -t filter -L INPUT -n --line-numbers
# Rules live only in kernel memory; persist them with iptables-save (or service iptables save).
[root@localhost ~]# iptables -t filter -D INPUT 4
(2)外网 ---- 防火墙 ----- 内网
------->
开启路由转发功能(让防火墙主机在外网和内网两个接口之间转发数据包):
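# Enable IPv4 forwarding so the host routes packets between its interfaces.
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward        # show current value: 0 = off, 1 = on
[root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward   # temporary, lost on reboot (plain ASCII 1: the original curly quotes would be written literally and rejected with EINVAL)
[root@localhost ~]# vim /etc/sysctl.conf                     # persistent: add the line  net.ipv4.ip_forward=1
[root@localhost ~]# sysctl -p                                # apply /etc/sysctl.conf now; also reports syntax errors in it
[root@localhost ~]# vim /etc/sysctl.d/xxxx.conf              # alternative drop-in with the same line, read at boot / by sysctl --system
# NOTE(review): once forwarding is on, every packet is routed unless the FORWARD chain stops it
# (a fresh ruleset has policy ACCEPT). Put the FORWARD rules in place first, or set
#   iptables -P FORWARD DROP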
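[root@localhost ~]# iptables -t filter -I INPUT -p ICMP -s 192.168.147.0/24 -j ACCEPT   # let the outer network ping the firewall itself (INPUT, not FORWARD)
# FORWARD governs traffic that crosses the firewall. The catch-all REJECT goes in first; every later
# -I lands above it, so the final order is: ESTABLISHED/RELATED, sport22, dport22, sport80, dport80, REJECT.
[root@localhost ~]# iptables -I FORWARD -j REJECT
# Long options take two dashes: the original -dport / -sport is parsed as "-d port" and fails.
[root@localhost ~]# iptables -I FORWARD -p tcp --dport 80 -s 192.168.42.134 -j ACCEPT   # inner host 192.168.42.134 may open HTTP connections outward
[root@localhost ~]# iptables -I FORWARD -p tcp --sport 80 -d 192.168.42.134 -j ACCEPT   # stateless return path; see note below
[root@localhost ~]# iptables -I FORWARD -p tcp --dport 22 -s 192.168.42.134 -j ACCEPT   # same for SSH
[root@localhost ~]# iptables -I FORWARD -p tcp --sport 22 -d 192.168.42.134 -j ACCEPT   # stateless return path; see note below
# Conntrack return path: only packets belonging to a connection the firewall already saw are forwarded.
# With this in place the two --sport rules above are redundant and weaker: they forward ANY tcp packet
# whose source port is 80/22 to 192.168.42.134, whoever sends it, so a client that binds source port 80
# reaches the inner host directly. Prefer removing them.
[root@localhost ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT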
自定义链:
(1)创建
[root@localhost ~]# iptables -t filter -N IN_WEB   # create an empty user-defined chain; it has no effect until a built-in chain jumps to it
(2)添加规则
[root@localhost ~]# iptables -t filter -I IN_WEB -p tcp --dport 80 -s 192.168.42.61 -j REJECT   # reject HTTP from 192.168.42.61; a packet matching nothing in IN_WEB returns to the calling chain
(3)引用
[root@localhost ~]# iptables -I INPUT -j IN_WEB   # jump from INPUT into the custom chain; -I puts it at position 1, ahead of every ACCEPT added earlier
(4)修改
[root@localhost ~]# iptables -E IN_WEB WEB # rename IN_WEB to WEB; the -j IN_WEB reference in INPUT is updated automatically
(5)删除
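# -X only works on a chain that is empty and no longer referenced. The original dropped the
# reference with  iptables -F INPUT , but -F flushes the WHOLE chain: every ACCEPT/REJECT from
# section (1) goes with it, leaving the host wide open (policy ACCEPT) or locked out (policy DROP).
# Remove just the jump rule instead:
[root@localhost ~]# iptables -D INPUT -j WEB
[root@localhost ~]# iptables -F WEB    # empty the custom chain
[root@localhost ~]# iptables -X WEB    # now it can be deleted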
删除自定义链(-X)的前提条件:(1)没有被任何链引用(先用 -D 删掉 -j 规则)
(2)链内没有规则(先用 -F 清空)
LOG动作:
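[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -j LOG   # two dashes: the original -dport is parsed as "-d port" and fails. LOG is non-terminating: insert it ABOVE the ACCEPT/REJECT whose packets it should record. Add --log-prefix "IPT: " so the entries can be told apart from other kernel messages.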
LOG 是非终止动作:对数据包本身不做处理,只把匹配到的包记录到内核日志(经 rsyslog 默认写入 /var/log/messages),然后继续匹配链中的下一条规则——所以 LOG 规则必须放在对应的 ACCEPT/REJECT 之前,否则永远轮不到它。
修改 rsyslog 配置,把 iptables 的日志单独写到一个文件:
编辑 /etc/rsyslog.conf,加入下面一行,然后重启 rsyslog(systemctl restart rsyslog):
# The LOG target writes at priority warning by default, so this selector catches it — together with
# every other kernel message at warning or above. To capture only firewall entries, give the rule a
# --log-prefix (e.g. "IPT: ") and select on it:   :msg, contains, "IPT: " /var/log/iptables.log
kern.warning /var/log/iptables.log
REJECT : --reject-with <type> 指定回送给发送方的错误类型,默认 icmp-port-unreachable;tcp-reset 只能与 -p tcp 一起用,会让客户端立刻看到 connection refused 而不是等待超时。DROP 则什么都不回。
端口映射:
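[root@localhost ~]# vim /etc/httpd/conf/httpd.conf   # httpd 2.x has no "Port" directive ("Port:8080" is an unknown directive and httpd refuses to start); the listening port is set with Listen
Listen 8080
[root@localhost ~]# systemctl restart httpd
# nat/PREROUTING only sees packets that ARRIVE on an interface from the network: connections to
# port 80 are redirected to 8080 on this host. Locally generated traffic (curl 127.0.0.1:80 on the
# box itself) never traverses PREROUTING and would need the same rule in nat/OUTPUT.
[root@localhost ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080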
80 ----》8080
****源地址和目的地址的转换(SNAT / DNAT):
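# SNAT (nat/POSTROUTING): traffic from inner host 192.168.42.61 to port 80 leaves with source
# 192.168.147.145 (presumably the firewall's outer address on the 192.168.147.0/24 side — confirm).
# Conntrack un-translates the replies automatically; no rule is needed for the return direction.
[root@localhost ~]# iptables -t nat -I POSTROUTING -p tcp --dport 80 -s 192.168.42.61 -j SNAT --to-source 192.168.147.145
# DNAT (nat/PREROUTING) is the opposite case: publishing an inner service on the outer address, so it
# matches on --dport. The original matched --sport 80, which is not the reverse of the SNAT above: it
# would DNAT any packet that merely comes FROM port 80 toward 192.168.147.145 into the inner host.
[root@localhost ~]# iptables -t nat -I PREROUTING -p tcp --dport 80 -d 192.168.147.145 -j DNAT --to-destination 192.168.42.61
# DNAT only rewrites the address; the FORWARD chain must still ACCEPT the translated packet.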
iptables 模块:
(1)iprange:
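[root@localhost ~]# iptables -t nat -I POSTROUTING -p tcp --dport 80 -m iprange --src-range 192.168.42.50-192.168.42.100 -j SNAT --to-source 192.168.147.145   # SNAT for a contiguous range of inner hosts
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -m iprange --src-range 192.168.42.50-192.168.42.100 -j ACCEPT   # HTTP to this host from the range
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 22 -m iprange --src-range 192.168.42.50-192.168.42.100 -j ACCEPT   # SSH to this host from the range
# The two --sport rules below try to be a stateless "return path", but on INPUT the destination is
# this host's own address, and they accept any packet coming FROM port 22/80 regardless of sender.
# The conntrack rule added after them (same as in the FORWARD example) covers replies for every
# connection this host opens; once it is in place the --sport rules can be dropped.
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --sport 22 -m iprange --dst-range 192.168.42.50-192.168.42.100 -j ACCEPT
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --sport 80 -m iprange --dst-range 192.168.42.50-192.168.42.100 -j ACCEPT
[root@localhost ~]# iptables -t filter -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -j REJECT   # catch-all; appended, so it stays last while rules are inserted above it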
(2)string:
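[root@localhost~]# mkdir /var/www/html/aaa
[root@localhost~]# cd /var/www/html/aaa
[root@localhost~]# vim cret.html
xxxxxxxxxxxxxx cret
[root@localhost~]# vim anliu.html
xxxxxxxxxxxxxx anliu
# Reject any INPUT packet whose payload contains "cret" (plain ASCII quotes and two dashes: the
# original used a typographic dash and curly quotes, which iptables does not parse). There is no
# -p/--dport, so it applies to every protocol and port, not just HTTP. The match is per packet and
# case-sensitive: a string split across two segments, URL-encoded, compressed or carried over TLS
# is NOT caught, so this is a demo, not a content filter.
[root@localhost aaa]# iptables -t filter -I INPUT -m string --algo kmp --string "cret" -j REJECT
[root@localhost ~]# curl 192.168.42.111:8080/aaa/anliu.html   # request does not contain "cret": served
“This is a test from anliu …”
[root@localhost ~]# curl 192.168.42.111:8080/aaa/cret.html    # the request URL contains "cret": the request packet is rejected and no page comes back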
(3)time:
目前结论:只限制本机——因为规则加在 OUTPUT 链上,只匹配本机自己发出的包;要限制经防火墙转发的流量,应把同样的规则放到 FORWARD 链。
# Time-of-day match on OUTPUT: rejects connections this host itself opens to tcp/80 in the window.
# NOTE(review): the time match compares against UTC unless --kerneltz is given; in UTC+8, for
# example, 9:00-10:00 here means 17:00-18:00 local. Add --kerneltz to use the kernel's local time.
[root@localhost aaa]# iptables -t filter -I OUTPUT -p TCP --dport 80 -m time --timestart 9:00:00 --timestop 10:00:00 -j REJECT
# --weekdays takes 1-7 (Mon=1 ... Sun=7) or day names; 6,7 = Saturday and Sunday.
[root@localhost aaa]# iptables -t filter -I OUTPUT -p TCP --dport 80 -m time --weekdays 6,7 -j REJECT
(4)connlimit:
并发链接限制
(5)Limit
对流量的限制
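# Rate-limit ICMP: a bucket of 10 tokens (--limit-burst) refilled at 10/min (--limit). The ACCEPT
# fires only while tokens remain; packets beyond that simply fall through to the NEXT rule, so on
# its own this rule limits nothing unless a later rule (e.g. the catch-all REJECT) drops ICMP.
# A DROP directly below it makes the limit explicit:
[root@localhost aaa]# iptables -t filter -I INPUT -p icmp -m limit --limit-burst 10 --limit 10/min -j ACCEPT
[root@localhost aaa]# iptables -t filter -I INPUT 2 -p icmp -j DROP   # position 2 = right under the limit rule just inserted at position 1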
(6) tcp-flags
# Reject packets to tcp/80 whose flag set (ALL = FIN,SYN,RST,PSH,ACK,URG) is exactly SYN, i.e. new
# connection attempts; in practice the same as --syn. Non-SYN packets to port 80 are unaffected.
[root@localhost aaa]# iptables -t filter -I INPUT -p tcp --dport 80 --tcp-flags ALL SYN -j REJECT
# Connect scan: REJECT answers with ICMP port-unreachable by default, which connect() reports as
# "connection refused", so nmap counts 80 among the closed ports.
[root@localhost ~]# nmap -sT 192.168.42.111
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-23 10:56 UTC
Nmap scan report for 192.168.42.111
Host is up (0.0032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:6E:7D:A2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
# SYN scan: the same ICMP unreachable is reported as "filtered", which tells the scanner a firewall
# is in the way. --reject-with tcp-reset would make 80 look "closed" to both scans; DROP would make
# it "filtered" to both.
[root@localhost ~]# nmap -sS 192.168.42.111
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-23 10:57 UTC
Nmap scan report for 192.168.42.111
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp filtered http
MAC Address: 00:0C:29:6E:7D:A2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
练习:(1)目的地址转换(DNAT)时,如何把发往同一个地址的请求分发到多个后端主机上?
(2)如何测试 connlimit 模块(限制每个源地址的并发连接数)的效果?