08-iptables Network Firewall

Network firewall

  • iptables/netfilter can act as a network firewall through the FORWARD chain of the filter table (a packet routed through the host is seen only by FORWARD, never by INPUT or OUTPUT):
  • Points to note:
    • (1) Both the request and the response packets of a connection traverse the FORWARD chain, so pay attention to the direction each rule matches
    • (2) If the conntrack mechanism is enabled, it is recommended to accept packets in state ESTABLISHED in both directions directly, instead of writing one reply rule per service

Hands-on: controlling traffic between the internal and external networks with the FORWARD chain

 Environment setup

  • External network host 172.17.0.37
[root@c8-client01 ~]# hostname -I
172.17.0.37
[root@c8-client01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.2      0.0.0.0         UG    101    0        0 eth0
172.17.0.0      0.0.0.0         255.255.255.0   U     101    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 eth1
  • Firewall host 192.168.56.11 (default gateway of the internal hosts; IP forwarding must be enabled on it)
[root@admin-dns ~]# hostname -I
172.17.0.37 192.168.56.37
[root@admin-dns ~]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf && sysctl -p
[root@admin-dns ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.56.2    0.0.0.0         UG    100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.255.0   U     101    0        0 eth1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
  • Internal hosts lanserver1 and lanserver2
[root@vb26 ~]# hostname -I
192.168.56.26
[root@vb26 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.56.11   0.0.0.0         UG    100    0        0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0


[root@web12 ~]# hostname -I
192.168.56.12
[root@web15 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.56.11   0.0.0.0         UG    100    0        0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0

Adding firewall rules

  • On the firewall host
#Method 1: with standard matches, allow the internal network to reach specific external services (http and icmp echo) and deny the reverse
#Append the catch-all REJECT first, then insert the specific ACCEPT rules above it; each service needs one rule per direction
iptables -A FORWARD -j REJECT
iptables -I FORWARD -s 192.168.56.0/24 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.56.0/24 -p tcp --sport 80 -j ACCEPT
iptables -I FORWARD -s 192.168.56.0/24 -p icmp --icmp-type 8 -j ACCEPT
iptables -I FORWARD -d 192.168.56.0/24 -p icmp --icmp-type 0 -j ACCEPT
#Caveat: the --sport 80 rule treats the source port as proof of a reply, so any external host that sends from source port 80 can reach any TCP port on the internal network; method 2 closes this by checking connection state instead

#Method 2: use the state module so the internal network can reach the external network, but not the reverse
#Delete the two reply-direction rules of method 1 (rule 1: icmp echo-reply, then rule 2: tcp --sport 80) and let conntrack admit replies instead
iptables -D FORWARD 1
iptables -D FORWARD 2
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -vnL --line-numbers
#Use the state module to allow the internal network to reach all external resources
#Delete the two remaining per-service rules (icmp echo-request, then tcp --dport 80), leaving only the ESTABLISHED rule and the REJECT, then allow any NEW connection from the internal network
iptables -D FORWARD 2
iptables -D FORWARD 2
iptables -I FORWARD 2 -s 192.168.56.0/24 -m state --state NEW -j ACCEPT
iptables -vnL --line-numbers
  • On the internal hosts lanserver1 and lanserver2
[root@vb26 /etc/sysconfig/network-scripts]# ping 172.17.0.37
PING 172.17.0.37 (172.17.0.37) 56(84) bytes of data.
64 bytes from 172.17.0.37: icmp_seq=1 ttl=63 time=3.00 ms
64 bytes from 172.17.0.37: icmp_seq=2 ttl=63 time=13.5 ms
64 bytes from 172.17.0.37: icmp_seq=3 ttl=63 time=9.10 ms
^C
  • Allow a specified internal host to be reached from the external network
#Inserted as rule 3, above the final REJECT; as written it opens tcp/80 to every host in 192.168.56.0/24, so narrow -d to the one server (a /32) when only a single host is meant to be published
[root@admin-dns ~]# iptables -I FORWARD 3 -d 192.168.56.0/24 -p tcp --dport 80 -j ACCEPT
[root@admin-dns ~]# iptables -vnL --line-numbers
[root@admin-dns ~]# curl -i "http://www.clientchzi.org/index.html"
HTTP/1.1 200 OK
Date: Tue, 31 May 2022 17:35:50 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Tue, 31 May 2022 17:02:21 GMT
ETag: "13-5e051bc6f2b3c"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8

www.clientchzi.org
  • Test from the internal hosts lanserver1 and lanserver2
[root@vb26 ~]# curl -i "http://www.clientchzi.org/index.html"
HTTP/1.1 200 OK
Date: Tue, 31 May 2022 17:36:07 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Tue, 31 May 2022 17:02:21 GMT
ETag: "13-5e051bc6f2b3c"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8
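The FORWARD policy this section builds up (method 2 plus the published web server), written out as an added example in iptables-restore format so the whole chain loads atomically instead of being edited with index-based -I/-D commands that silently shift when a rule is added. This is not the post's own code; it assumes the page's topology on the firewall (LAN 192.168.56.0/24 on eth0, external side on eth1) and takes 192.168.56.12 as the single published web host, where the page's rule opens the whole /24. It uses the conntrack match (-m conntrack --ctstate), the current form of -m state --state, and adds an INVALID drop and a rate-limited log that the page does not have.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Emits the FORWARD policy this page arrives at as one iptables-restore
# fragment: conntrack reply rule first, LAN-initiated traffic outbound,
# one published internal service, explicit reject for everything else.
# Assumed topology (from the page): LAN 192.168.56.0/24 on eth0, external
# side on eth1, and 192.168.56.12 as the single published web server.

gen_forward_rules() {
  local lan_net=$1 lan_if=$2 wan_if=$3 web_host=$4
  cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies of tracked connections, both directions. This replaces the
# per-service reply rules of method 1, which would also admit unsolicited
# packets that merely claim source port 80.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot place in any connection never reach a NEW rule.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Internal hosts may open connections outbound, but only if the packet
# arrived on the LAN interface carrying a LAN source address.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# One published service: new tcp/80 connections to a single host, not to
# the whole $lan_net.
-A FORWARD -i $wan_if -o $lan_if -d $web_host -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Everything else is refused; rate-limited log first so denied flows are visible.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-REJECT: "
-A FORWARD -j REJECT
COMMIT
EOF
}

# Sanity check before loading: how many rules accept NEW connections toward
# the LAN interface? The answer should equal the number of published services (1).
count_inbound_new_accepts() {
  gen_forward_rules "$@" | grep -c -- "-o $2 .*--ctstate NEW -j ACCEPT"
}

# Usage, as root and after net.ipv4.ip_forward=1 (see above):
#   gen_forward_rules 192.168.56.0/24 eth0 eth1 192.168.56.12 > /tmp/forward.rules
#   iptables-restore --test < /tmp/forward.rules   # parse only
#   iptables-restore < /tmp/forward.rules          # replaces the whole filter table
```

`iptables-restore --test` only parses the file; a real load without --noflush replaces every chain of the filter table, so on a host you reach over SSH merge the INPUT and OUTPUT rules into the same file before loading it.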

NAT table

  • NAT: network address translation; the nat table has four chains: PREROUTING, INPUT, OUTPUT, POSTROUTING
    • Request packet: the source/destination IP is rewritten as the rule defines (only the first packet of a connection is matched against the nat table)
    • Response packet: the source/destination IP is rewritten back automatically by the connection tracking mechanism
  • NAT comes in the following types:
    • SNAT: source NAT, usable in POSTROUTING and INPUT; lets hosts on the local network reach the outside through one specific address (address masquerading); the request packet's source IP is rewritten
    • DNAT: destination NAT, usable in PREROUTING and OUTPUT; publishes a service on a local host to the outside (service publishing / port mapping) while hiding its real IP; the request packet's destination IP is rewritten
    • PNAT: port NAT, both the IP and the port are rewritten

SNAT 

  • SNAT: a target of the nat table, suited to a fixed public IP
  • SNAT options:
    • --to-source [ipaddr[-ipaddr]][:port[-port]]
    • --random
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP
  • Note: ip_forward must be enabled

#Example (a range of addresses is given: conntrack picks one per connection and keeps it for that connection)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 172.18.1.6-172.18.1.9
  • MASQUERADE: a target of the nat table, suited to a dynamic public IP, e.g. dial-up networks (it uses the current address of the outgoing interface)
  • MASQUERADE options:
    • --to-ports port[-port]
    • --random

 Hands-on: SNAT forwarding

  • Firewall host
echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
sysctl -p
#For a leased line with a static public IP
iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -j SNAT --to-source 172.17.0.11
#For dial-up networks (also works with a static public IP)
iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
#Use one of the two; with both present only the first match applies. Adding -o eth1 (the external interface) keeps traffic that does not leave through it untranslated
service iptables save
systemctl reload iptables.service
iptables-save|grep POSTROUTING
#Check listening ports
ss -ntl
  • Internet host 172.17.0.37
iptables -I INPUT -s 172.17.0.0/16 -p tcp -m tcp --dport 21 -j ACCEPT
service iptables save
systemctl reload iptables.service
iptables-save|grep 172.17.0.0
  • Internal hosts 192.168.56.15 and 192.168.56.26
#Host 192.168.56.26
[root@vb26 ~]# ping 172.17.0.37
PING 172.17.0.37 (172.17.0.37) 56(84) bytes of data.
^C
--- 172.17.0.37 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2004ms

[root@vb26 ~]# ping 172.17.0.37
PING 172.17.0.37 (172.17.0.37) 56(84) bytes of data.
64 bytes from 172.17.0.37: icmp_seq=1 ttl=63 time=1.41 ms
64 bytes from 172.17.0.37: icmp_seq=2 ttl=63 time=4.49 ms

[root@vb26 ~]# curl -i "http://www.clientchzi.org/index.html"
HTTP/1.1 200 OK
Date: Sun, 05 Jun 2022 17:46:56 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Tue, 31 May 2022 17:02:21 GMT
ETag: "13-5e051bc6f2b3c"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8

www.clientchzi.org


#Host 192.168.56.15
[root@web15 ~]# curl -i "http://www.clientchzi.org/index.html"
HTTP/1.1 200 OK
Date: Sun, 05 Jun 2022 18:13:06 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Tue, 31 May 2022 17:02:21 GMT
ETag: "13-5e051bc6f2b3c"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8

www.clientchzi.org
  • View the translation state on the firewall
#View the conntrack entries (the conntrack tool's `conntrack -L` shows the same table)
#The first src/dst pair is the original direction as the internal host sent it; the second is the reply conntrack expects, and its dst=172.17.0.11 is the SNAT in effect
[root@firewall ~]#cat /proc/net/nf_conntrack
ipv4     2 tcp      6 112 TIME_WAIT src=192.168.56.26 dst=172.17.0.37 sport=58384 dport=80 src=172.17.0.37 dst=172.17.0.11 sport=80 dport=58384 [ASSURED] mark=0 zone=0 use=2
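The conntrack entry above contains both halves of what the NAT table section describes: the original tuple as the internal host sent it, and the reply tuple conntrack expects back, with the SNAT visible only in the reply's destination. As an added example (not code from the post), the following shell function reads lines in the /proc/net/nf_conntrack layout and prints, per flow, the original tuple and whether the source (SNAT) or destination (DNAT) was rewritten. The sample is constructed: line 1 is the page's own entry, line 2 an untranslated flow from the external host to the published web server, added for contrast.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reads conntrack entries in the
# /proc/net/nf_conntrack layout (also accepted: `conntrack -L` lines, which
# lack the leading "ipv4 2" columns) and reports, per flow, the original
# tuple and whether the reply tuple reveals a rewritten source (SNAT) or
# destination (DNAT). ICMP entries carry type/code/id instead of ports and
# are reported by address only.

conntrack_nat_report() {
  awk '
  {
    proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
    na = 0; np = 0
    # Fields appear twice: first the original direction as the initiator
    # sent it, then the reply direction as conntrack expects to receive it.
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "src" || kv[1] == "dst") a[++na] = kv[2]
      else if (kv[1] == "sport" || kv[1] == "dport") p[++np] = kv[2]
    }
    if (na < 4) next                      # not a flow line
    osrc = a[1]; odst = a[2]; rsrc = a[3]; rdst = a[4]
    # The request is rewritten by the nat rule; the reply is rewritten back
    # from this table. SNAT therefore shows as a reply addressed to a host
    # other than the initiator, DNAT as a reply coming from a host other
    # than the one originally addressed.
    kind = "none"
    if (rdst != osrc) kind = "SNAT"
    if (rsrc != odst) kind = (kind == "SNAT") ? "SNAT+DNAT" : "DNAT"
    if (np >= 4) printf "%s %s:%s->%s:%s nat=%s", proto, osrc, p[1], odst, p[2], kind
    else         printf "%s %s->%s nat=%s", proto, osrc, odst, kind
    if (kind ~ /SNAT/) printf " snat_to=%s", rdst
    if (kind ~ /DNAT/) printf " dnat_to=%s", rsrc
    printf "\n"
  }'
}

# Constructed sample: line 1 is the entry shown on this page, line 2 a flow
# the firewall forwarded without translation (external client to the
# published web server).
SAMPLE_CONNTRACK='ipv4     2 tcp      6 112 TIME_WAIT src=192.168.56.26 dst=172.17.0.37 sport=58384 dport=80 src=172.17.0.37 dst=172.17.0.11 sport=80 dport=58384 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=172.17.0.37 dst=192.168.56.12 sport=40222 dport=80 src=192.168.56.12 dst=172.17.0.37 sport=80 dport=40222 [ASSURED] mark=0 zone=0 use=1'

# Flows whose source the POSTROUTING rule rewrote. A LAN-to-WAN flow that
# is missing from this list left the firewall with its private address.
snat_flows() {
  printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_nat_report | grep 'nat=SNAT'
}

# Live use on the firewall:  conntrack_nat_report < /proc/net/nf_conntrack
```

On a firewall that only does SNAT, every flow originating from 192.168.56.0/24 toward the outside should show nat=SNAT with snat_to equal to the address in the POSTROUTING rule; a flow that shows nat=none there is one the SNAT rule did not match, which is the first thing to check when the first ping in the test above fails.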


posted @ 2022-06-02 03:23  西瓜的春天