RHEL 5.4 iptables Configuration Explained (with figures)
This section focuses on configuring iptables, a powerful tool for securing a network. iptables is the kernel-based firewall; it has three built-in tables, filter, nat and mangle. filter is responsible for packet filtering, nat handles network address translation, and mangle is mainly used to modify packet contents and is rarely needed. The default chains are INPUT, OUTPUT, NAT, POSTROUTING and PREROUTING. The two figures in the original post (not reproduced here) illustrate how the iptables firewall works; for detailed usage and options see the man pages.
1: Network setup for the server and the client
[root@server ~]# ifconfig |grep 'inet addr' |cut -d ':' -f 2 |cut -d ' ' -f 1   // view the server's IP and MAC addresses
10.0.0.200
192.168.100.254
127.0.0.1
[root@server ~]# ifconfig eth1 |grep HWaddr
eth1      Link encap:Ethernet  HWaddr 00:0C:29:0C:7C:4E
[root@server ~]# grep 'ip_forward' /etc/sysctl.conf    // enable IP forwarding (routing) on the server and make it take effect
net.ipv4.ip_forward = 1
[root@server ~]# sysctl -p
[root@server ~]# ping www.baidu.com -c 2    // test connectivity to the public Internet
PING www.a.shifen.com (119.75.213.51) 56(84) bytes of data.
64 bytes from 119.75.213.51: icmp_seq=1 ttl=53 time=71.6 ms
64 bytes from 119.75.213.51: icmp_seq=2 ttl=53 time=67.2 ms
[root@client ~]# ifconfig |grep 'inet addr' |cut -d ':' -f 2 |cut -d ' ' -f 1   // the client's IP and routing settings
192.168.100.20
127.0.0.1
[root@client ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0
[root@server ~]# ping 192.168.100.20 -c 2     // test connectivity to the client from the server
PING 192.168.100.20 (192.168.100.20) 56(84) bytes of data.
64 bytes from 192.168.100.20: icmp_seq=1 ttl=64 time=5.92 ms
64 bytes from 192.168.100.20: icmp_seq=2 ttl=64 time=1.12 ms
2: Deny ssh from the server to the client
[root@client ~]# iptables -L -n    // view the client's default firewall policy; -n means no name resolution. The default system policy is quite strict: a custom chain RH-Firewall-1-INPUT is defined and then referenced from the INPUT chain, which is somewhat more efficient and also easier to maintain
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@client ~]# service iptables stop       // stop the firewall; this flushes the rules of every chain in all tables and sets the chains' default policy back to ACCEPT. iptables -F can also be used to flush the rules
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@client ~]# iptables -A INPUT -s 192.168.100.254 -p tcp --dport 22 -j REJECT    // deny ssh from the server to the client; -A appends the rule at the end of the chain
[root@client ~]# iptables -L -n INPUT    // view the configured policy
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.100.254      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable
[root@client ~]# service iptables save    // save the rules with the save command; they are written to /etc/sysconfig/iptables
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@server ~]# ssh 192.168.100.20     // test from the server
ssh: connect to host 192.168.100.20 port 22: Connection refused
3: Allow the server to ssh to the client, but only from a legitimate server IP and MAC address
[root@client ~]# iptables -I INPUT -i eth0 -m mac --mac-source 00:0C:29:0C:7C:4E -s 192.168.100.254 -p tcp -m multiport --dports 22,21,20 -j ACCEPT       // -I inserts the rule at the very front of the chain. iptables matches from top to bottom, and as soon as a rule matches it decides what happens to the packet, so the order of the rules matters
[root@client ~]# iptables -L -n      // view the rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.254      0.0.0.0/0           MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
REJECT     tcp  --  192.168.100.254      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable
[root@server ~]# ssh 192.168.100.20     // test from the server
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
RSA key fingerprint is 3a:5d:33:3c:c5:04:8f:31:19:38:1b:9a:b4:75:4c:51.
Are you sure you want to continue connecting (yes/no)?
[root@server ~]# ftp 192.168.100.20
Connected to 192.168.100.20.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.100.20:root): ftp
331 Please specify the password.
Password:
230 Login successful.
4: Setting the default policy and deleting rules
[root@client ~]# iptables -P INPUT DROP     // set the default policy of the INPUT chain to DROP (deny) and view it
[root@client ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.254      0.0.0.0/0           MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
REJECT     tcp  --  192.168.100.254      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable
[root@client ~]# iptables -D INPUT 2      // delete the second rule of the INPUT chain and view the result
[root@client ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.254      0.0.0.0/0           MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
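The first-match behaviour described in part 3 and the default policy set in part 4, as an added example that is not part of the original post: a small Python model of the INPUT chain built above, so the difference between -I and -A and the effect of the DROP policy can be checked offline, without root or a real iptables. Rule, Chain, build_input_chain and tcp_verdict are constructed here; the IP and MAC values are the ones used in the post.

```python
# Added example (not from the original post): first-match model of the INPUT
# chain built in parts 3 and 4; only -s, -m mac, -p and --dport(s) are modelled.
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                          # ACCEPT / REJECT / DROP
    src: str = ""                        # -s <host>; "" means any source
    mac: str = ""                        # -m mac --mac-source; "" means any
    proto: str = ""                      # -p tcp; "" means any protocol
    dports: frozenset = frozenset()      # --dport / -m multiport --dports

    def matches(self, pkt: dict) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        return ((not self.src or pkt["src"] == self.src)
                and (not self.mac or pkt["mac"].lower() == self.mac.lower())
                and (not self.proto or pkt["proto"] == self.proto)
                and (not self.dports or pkt["dport"] in self.dports))

@dataclass
class Chain:
    policy: str = "ACCEPT"               # iptables -P <chain> <policy>
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:     # iptables -A: goes to the end
        self.rules.append(rule)
    def insert(self, rule: Rule) -> None:     # iptables -I: becomes rule 1
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        # Top-down, first match wins; the policy applies only if nothing matched.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

SERVER_IP, SERVER_MAC = "192.168.100.254", "00:0C:29:0C:7C:4E"   # values from the post
REJECT_SSH = Rule("REJECT", src=SERVER_IP, proto="tcp", dports=frozenset({22}))
ACCEPT_MGMT = Rule("ACCEPT", src=SERVER_IP, mac=SERVER_MAC, proto="tcp",
                   dports=frozenset({20, 21, 22}))

def build_input_chain(insert_accept: bool = True, policy: str = "ACCEPT") -> Chain:
    # REJECT is appended first (part 2); the MAC-bound ACCEPT is then either
    # inserted at the top with -I, as the post does, or appended with -A.
    chain = Chain(policy)
    chain.append(REJECT_SSH)
    (chain.insert if insert_accept else chain.append)(ACCEPT_MGMT)
    return chain

def tcp_verdict(chain: Chain, src: str, mac: str, dport: int) -> str:
    return chain.verdict({"src": src, "mac": mac, "proto": "tcp", "dport": dport})
```

With -A instead of -I the REJECT rule is reached first and the server's ssh is still refused, which is the ordering point of part 3. Note that -m mac only sees the source MAC of the arriving frame, so it is meaningful only for hosts on the same Ethernet segment and can be spoofed; treat it as an extra filter, not as authentication.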
5: Implementing SNAT with iptables
[root@server ~]# iptables -L -t nat -n -v    // view the policies in the nat table; -v shows verbose output
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
// By default the client cannot reach the Internet, so SNAT has to be done on the server, and the client's gateway must point to the server's internal NIC eth1
[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.200
[root@server ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
[root@server ~]# iptables -A FORWARD -o eth0 -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
// These two FORWARD rules mainly relate to the SYN of the TCP three-way handshake; adding them improves forwarding efficiency, but it also works without them
[root@server ~]# iptables -L FORWARD -n -v    // view the configuration
Chain FORWARD (policy ACCEPT 237 packets, 18186 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
[root@client ~]# ping www.g.cn -c 2      // test from the client
PING www.g.cn (203.208.39.99) 56(84) bytes of data.
64 bytes from bi-in-f99.1e100.net (203.208.39.99): icmp_seq=1 ttl=242 time=78.7 ms
64 bytes from bi-in-f99.1e100.net (203.208.39.99): icmp_seq=2 ttl=243 time=81.3 ms
[root@client ~]# traceroute www.g.cn
traceroute to www.g.cn (203.208.39.104), 30 hops max, 40 byte packets
1 bogon (192.168.100.254) 1.243 ms 1.217 ms 1.064 ms
2 bogon (10.0.0.1) 4.884 ms 4.738 ms 5.800 ms
3 122.90.176.1 (122.90.176.1) 68.062 ms 67.964 ms 67.821 ms
4 122.90.10.237 (122.90.10.237) 35.287 ms 64.357 ms 78.671 ms
// In a production environment where the server goes online via ADSL, the MASQUERADE target can also be used to achieve the same result
[root@server ~]# iptables -t nat -D POSTROUTING 1
[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@server ~]# iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 2 packets, 194 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
6: Implementing DNAT with iptables
[root@client ~]# service httpd restart    // configure the Apache server on the client
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@client ~]# echo "just one test" > /var/www/html/index.html
[root@server ~]# service httpd status    // verify that the Apache service is not installed on the server
httpd: unrecognized service
// Configure DNAT
[root@server ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.20
[root@server ~]# iptables -t nat -L -v PREROUTING
Chain PREROUTING (policy ACCEPT 182 packets, 13431 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:http to:192.168.100.20
[root@server ~]# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.100.200:3128     // iptables configuration for a transparent proxy
[root@server ~]# iptables -t nat -L OUTPUT -v      // view the configuration
Chain OUTPUT (policy ACCEPT 1 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:http to:192.168.100.200:3128
[root@server ~]# lsmod |grep ip    // view the modules loaded by iptables; the configuration file is /etc/sysconfig/iptables-config
ipt_MASQUERADE          7617  1
iptable_nat            11077  1
ip_nat                 21101  2 ipt_MASQUERADE,iptable_nat
ip_conntrack           53281  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
nfnetlink              10713  2 ip_nat,ip_conntrack
iptable_filter          7105  1
ip_tables              17029  2 iptable_nat,iptable_filter
ipt_REJECT              9665  0
ip6t_REJECT             9409  1
ip6table_filter         6849  1
ip6_tables             18053  1 ip6table_filter
Reference: http://www.linux.gov.cn/netweb/iptables.htm
Reposted from: http://zhumeng8337797.blog.163.com/blog/static/1007689142010112211587735/