Linux: network firewall
netfilter: framework
iptables: the tool that generates packet filtering, NAT, mangle and other rules
Network: IP header, TCP header
IP Header:

IP version (4 bits): version number
Hdr len (4 bits): header length
Type of Service (TOS) (8 bits): service type
Total Length (16 bits): total length
Identification (Fragment ID) (16 bits): identifier
DF: don't fragment
MF: more fragments
Fragment Offset (13 bits): fragment offset
Time-To-Live (TTL) (8 bits): time to live
Protocol (8 bits): protocol
Header Checksum (16 bits): header checksum
Source IP Address (32 bits): source address
Destination IP Address: destination address
ICMP: Internet Control Message Protocol
Port numbers range from 0 to 65535. On a Linux host only the administrator may use ports 0-1023; no other user is allowed to. On BSD-family hosts, generally only ports above 5000 are made available to clients. On Linux everything is a file, so opening a port is described as opening a socket file.
TCP Header:

Source Port Number (16 bits): source port
Destination Port Number (16 bits): destination port
Sequence Number (32 bits): sequence number
Acknowledgement Number: acknowledgement number
Header Length (4 bits): header length
Reserved (6 bits): reserved bits
URG: urgent; when set, the Urgent Pointer field is valid
ACK: acknowledgement; when set, the Acknowledgement Number field is valid
PSH: push; when set, the segment needs immediate handling and must not be held in the buffer
RST: reset; when the connection fails it may need to be reset
SYN: synchronize; the TCP three-way handshake starts by sending SYN
FIN: finish; tear down the connection
Window Size (16 bits): window size
TCP Checksum (16 bits): checksum
Urgent Pointer (16 bits): urgent pointer
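As an added example (not part of the original notes), a parser for the two headers listed above that pulls out the fields at the bit widths given: the version and Hdr len nibbles, DF/MF and the 13-bit fragment offset, the TCP Header Length and the six flag bits. The sample packet is constructed inline (a SYN to the ssh port of 172.16.100.1 from an assumed client 172.16.100.6); header options are not handled.

```python
import struct
from dataclasses import dataclass

# Added example, not part of the original notes: a parser for the IPv4 and
# TCP header fields listed above (RFC 791 / RFC 793 layout, options ignored).

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


@dataclass
class IPv4Header:
    version: int
    ihl: int            # Hdr len: header length in 32-bit words
    tos: int
    total_length: int
    ident: int          # Identification (Fragment ID)
    df: bool            # don't fragment
    mf: bool            # more fragments
    frag_offset: int    # 13-bit offset, in 8-byte units
    ttl: int
    protocol: int       # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str


@dataclass
class TCPHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    data_offset: int    # Header Length, in 32-bit words
    flags: int          # the six flag bits URG ACK PSH RST SYN FIN
    window: int
    checksum: int
    urgent_ptr: int

    def flag_names(self):
        return [n for i, n in enumerate(TCP_FLAG_NAMES) if self.flags & (1 << i)]


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words; a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf):
    """Return (IPv4Header, payload); ValueError on a truncated, non-v4 or corrupted header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, tlen, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(buf) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    if ipv4_checksum(buf[:ihl * 4]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = IPv4Header(version, ihl, tos, tlen, ident,
                     df=bool(frag & 0x4000), mf=bool(frag & 0x2000), frag_offset=frag & 0x1FFF,
                     ttl=ttl, protocol=proto, checksum=csum,
                     src=".".join(map(str, src)), dst=".".join(map(str, dst)))
    return hdr, buf[ihl * 4:tlen]


def parse_tcp(buf):
    """Return (TCPHeader, payload); ValueError on a truncated header."""
    if len(buf) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", buf[:20])
    data_offset = off_flags >> 12    # 4-bit Header Length
    flags = off_flags & 0x3F         # low 6 bits; the 6 bits in between are Reserved
    if data_offset < 5 or len(buf) < data_offset * 4:
        raise ValueError("not a complete TCP header")
    return TCPHeader(sport, dport, seq, ack, data_offset, flags, window, csum, urg), buf[data_offset * 4:]


def build_sample_syn():
    """Constructed sample: a SYN from 172.16.100.6:40000 to 172.16.100.1:22, DF set, TTL 64."""
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 0x11223344, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([172, 16, 100, 6]), bytes([172, 16, 100, 1]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum
    return ip + tcp


if __name__ == "__main__":
    ip_hdr, rest = parse_ipv4(build_sample_syn())
    tcp_hdr, _ = parse_tcp(rest)
    print(ip_hdr)
    print(tcp_hdr, tcp_hdr.flag_names())
```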
Converted into a data format that can be sent over the network:
text
binary
TCP finite state machine:

TCP State:
CLOSED: There is no connection
LISTEN: Passive open received; waiting for SYN
SYN-SENT: SYN sent; waiting for ACK
SYN-RCVD: SYN+ACK sent; waiting for ACK
ESTABLISHED: Connection established; data transfer in progress
FIN-WAIT-1: First FIN sent; waiting for ACK
FIN-WAIT-2: ACK to first FIN received; waiting for second FIN
CLOSE-WAIT: First FIN received, ACK sent; waiting for application to close
TIME-WAIT: Second FIN received, ACK sent; waiting for 2MSL time-out
LAST-ACK: Second FIN sent; waiting for ACK
CLOSING: Both sides have decided to close simultaneously
Firewall: hardware or software; a rule = (match criteria, action)
Framework:
Default policy:
  open by default: rules block what must not pass
  closed by default: rules allow what may pass
Rules: match criteria
  IP: SIP, DIP
  TCP: SPORT, DPORT, flags: SYN=1,FIN=0,RST=0,ACK=0; SYN=1,ACK=1,FIN=0,RST=0; ACK=1,SYN=0,RST=0,FIN=0 (ESTABLISHED)
  UDP: SPORT, DPORT
  ICMP: icmp-type
Packet filtering:
OpenBSD
Linux 2.0
  ipfw/firewall
Linux 2.2
  ipchains/firewall
Linux 2.4
  iptables/netfilter
/proc/sys/net/ipv4/ip_forward: whether IP forwarding is enabled on this host
Hook functions:
  prerouting: before the routing decision is made for the packet; generally used for DNAT
  input: packets destined to the firewall host itself; generally used to filter packets entering the firewall
  output: packets originating from the firewall host; generally used to filter packets leaving the firewall
  forward: packets the firewall forwards to another network; generally used to filter traffic from one network zone to another
  postrouting: after the routing decision has been made; generally used for SNAT
Rule chains:
  PREROUTING
  INPUT
  FORWARD
  OUTPUT
  POSTROUTING
filter (filtering) table:
  INPUT
  OUTPUT
  FORWARD
nat (address translation) table:
  PREROUTING
  OUTPUT
  POSTROUTING
mangle (unpack, modify, repack) table:
  PREROUTING
  INPUT
  FORWARD
  OUTPUT
  POSTROUTING
raw table:
  PREROUTING
  OUTPUT
iptables: IP tables
Packet filtering match flow:

With 500 rules, can custom chains be used?
Custom chains can be used, but they only take effect when they are called (jumped to), and if no rule in the custom chain matches there must be a return mechanism back to the calling chain.
A user can delete a custom chain only when it is empty.
The built-in chains cannot be deleted.
Every rule has two built-in counters:
  the number of packets matched
  the total size of the packets matched
Rule: match criteria, action
iptables [-t TABLE] COMMAND CHAIN [num] match-criteria -j action
Match criteria:
  Generic matches
    -s, --src: source address
    -d, --dst: destination address
    -p {tcp|udp|icmp}: protocol
    -i INTERFACE: the interface the packet arrives on
      usable in chains: PREROUTING, INPUT, FORWARD
    -o INTERFACE: the interface the packet leaves on
      usable in chains: OUTPUT, POSTROUTING, FORWARD
  Extended matches (these require a netfilter extension module)
    Implicit extensions: no module needs to be named explicitly, because -p {tcp|udp|icmp} already implies it
    Explicit extensions: the module must be named explicitly; in iptables this is done with the -m option
-j TARGET:
  ACCEPT: let the packet through
  DROP: discard silently
  REJECT: refuse and send back an error message
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -j DROP
[root@Smoke ~]# iptables -t raw -L -n (list the chains of the raw table; -L lists the rules in a chain, -n prints addresses and ports numerically)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# rpm -ql iptables (list the files installed by the iptables package)
netfilter: a framework inside the kernel's TCP/IP stack
iptables:
iptables [-t TABLE] COMMAND CHAIN [num] match-criteria -j action
Match criteria
  Generic matches
    -s: source address
    -d: destination address
    -p {tcp|udp|icmp}: protocol
    -i: the interface the packet arrives on
    -o: the interface the packet leaves on
  Extended matches
    Implicit extensions
      -p tcp
        --sport PORT[:PORT]: source port
        --dport PORT[:PORT]: destination port
        --tcp-flags mask comp: examine only the flag bits listed in mask (a comma-separated list of flags); the flags listed in comp must be 1, and flags that appear in mask but not in comp must be 0
        --tcp-flags SYN,FIN,ACK,RST SYN is the same as --syn (examine the four flags SYN, FIN, ACK and RST; of the four only SYN may be 1, the other three must be 0)
        --syn: matches exactly the first packet of the TCP three-way handshake
      -p icmp
        --icmp-type: ICMP message type
          0: echo-reply (ICMP reply)
          8: echo-request (ICMP request)
      -p udp
        --sport PORT[:PORT]: source port
        --dport PORT[:PORT]: destination port
      -p tcp -m tcp --dport (the explicit form of the same match)
    Explicit extensions: use additional match mechanisms
      -m EXTENSION --specific-option: select an explicit extension
      state: connection-state extension
        uses ip_conntrack to track the state of a session
        NEW: a newly initiated connection request, e.g. the first packet of the TCP handshake
        ESTABLISHED: an established connection, e.g. a TCP connection that has completed the three-way handshake
        INVALID: an invalid connection, e.g. SYN=1,FIN=1
        RELATED: a connection related to an existing one, e.g. the FTP data connection
        -m state --state NEW,ESTABLISHED -j ACCEPT (checks only for the states NEW and ESTABLISHED and allows both)
        for FTP the ip_conntrack_ftp and ip_nat_ftp modules must be loaded first
        iptables -A INPUT -d 172.16.100.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
      multiport: match several discrete ports
        --source-ports: match several discrete source ports; discrete ports are separated by commas, a contiguous range by a colon
        --destination-ports: match several discrete destination ports; discrete ports are separated by commas, a contiguous range by a colon
        --ports: match the discrete ports as either source or destination; discrete ports are separated by commas, a contiguous range by a colon
        -m multiport --destination-ports 21,22,80 -j ACCEPT (destination port 21, 22 or 80)
        -m multiport --destination-ports 21:23,80 -j ACCEPT (destination port 21, 22, 23 or 80)
Negating a condition: !, e.g. -s ! 172.16.100.6 (every address except 172.16.100.6); any condition can be negated with an exclamation mark
Commands:
Rule management:
  -A: append a rule at the end of the chain
  -I CHAIN [num]: insert a rule as rule number num of CHAIN; if num is omitted it is inserted as the first rule
  -D CHAIN [num]: delete rule number num from the chain
  -R CHAIN [num]: replace the specified rule
Chain management:
  -F [CHAIN]: flush, empty the specified chain; if CHAIN is omitted, every chain of the table is flushed
  -P CHAIN: set the default policy of the chain
  -N: create a new, empty custom chain
  -X: delete an empty custom chain
  -Z: zero the counters of all rules in the chain
  -E: rename a custom chain
Listing:
  -L: list the rules of the specified table
  -n: show host addresses and port numbers numerically
  -v: show chain and rule details
  -vv: show more details
  -vvv: show even more details
  -x: show exact counter values
  --line-numbers: show rule numbers
Actions (targets):
  ACCEPT: allow
  DROP: discard
  REJECT: refuse and send back an error message
  DNAT: destination address translation
  SNAT: source address translation
  REDIRECT: port redirection
  MASQUERADE: address masquerading
  LOG: log the packet
  MARK: set a mark
iptables -t filter -A INPUT -s 172.16.0.0/16 -j DROP
172.16.100.1, sshd: 22/tcp
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
iptables is not a service, but it has a service script; the script's main job is to manage the saved rules
and to load and unload the iptables/netfilter-related kernel modules:
iptable_nat, iptable_filter, iptable_mangle, iptable_raw, ip_nat, ip_conntrack
ip_conntrack: connection tracking, a kernel module that records in real time the connections being established between clients and servers on this host, and can also track what state each connection is in and how it relates to other connections
/proc/net/ip_conntrack: a file in the kernel, living in memory because it is on the proc file system; it holds every connection that other hosts currently have established with this host
/proc/net/ip_conntrack: the file where ip_conntrack keeps the tracked connections
/proc/sys/net/ipv4/ip_conntrack_max: the maximum number of tracked connections kept
cat /proc/slabinfo
iptstate
ip_conntrack_tcp_timeout_established: by default the timeout is 5 days (432000 seconds)
Directory: /proc/sys/net/ipv4/netfilter/
sysctl -w net.ipv4.ip_conntrack_max=65536 (change the running kernel parameter ip_conntrack_max to a maximum of 65536 connections; -w changes the parameter at run time, not permanently)
/etc/sysctl.conf (kernel parameter configuration file)
Changing the ip_conntrack protocol timeouts with sysctl -w is not permanent; to make the change permanent, write it into the kernel parameter configuration file sysctl.conf
Saving rules:
# service iptables save (save the iptables rules)
/etc/sysconfig/iptables (rules are saved to /etc/sysconfig/iptables by default)
# iptables-save > /etc/sysconfig/iptables.2013041801 (save the rules by redirecting the output to /etc/sysconfig/iptables.2013041801; rules saved this way are not loaded automatically when the iptables service restarts)
# iptables-restore < /etc/sysconfig/iptables.2013041801 (to load the rules from iptables.2013041801, use iptables-restore to read them from the file and put them into effect)
Server: 172.16.100.1
sshd, httpd
For an FTP server: when a connection request arrives, whichever port it is for, as long as its state is RELATED, i.e. it is related to the earlier command connection, we let it through.
Appendix C. ICMP types
This is a complete list of ICMP types:
Table C-1. ICMP types
TYPE  CODE  Description                                             Query  Error
0     0     Echo Reply (ping reply)                                   x
3     0     Network Unreachable                                              x
3     1     Host Unreachable                                                 x
3     2     Protocol Unreachable                                             x
3     3     Port Unreachable                                                 x
3     4     Fragmentation needed but no frag. bit set                        x
3     5     Source routing failed                                            x
3     6     Destination network unknown                                      x
3     7     Destination host unknown                                         x
3     8     Source host isolated (obsolete)                                  x
3     9     Destination network administratively prohibited                  x
3     10    Destination host administratively prohibited                     x
3     11    Network unreachable for TOS                                      x
3     12    Host unreachable for TOS                                         x
3     13    Communication administratively prohibited by filtering           x
3     14    Host precedence violation                                        x
3     15    Precedence cutoff in effect                                      x
4     0     Source quench (basic flow control)
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request (ping request)                               x
9     0     Router advertisement
10    0     Router solicitation
11    0     TTL equals 0 during transit                                      x
11    1     TTL equals 0 during reassembly                                   x
12    0     IP header bad (catchall error)                                   x
12    1     Required options missing                                         x
13    0     Timestamp request (obsolete)                              x
14    0     Timestamp reply (obsolete)                                x
15    0     Information request (obsolete)                            x
16    0     Information reply (obsolete)                              x
17    0     Address mask request                                      x
18    0     Address mask reply                                        x
[root@Smoke ~]# man iptables (view the iptables man page)
iptables - administration tool for IPv4 packet filtering and NAT
iptables [-t table] -[AD] chain rule-specification [options]
iptables [-t table] -I chain [rulenum] rule-specification [options]
iptables [-t table] -R chain rulenum rule-specification [options]
iptables [-t table] -D chain rulenum [options]
iptables [-t table] -[LFZ] [chain] [options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target [options]
iptables [-t table] -E old-chain-name new-chain-name (rename an existing chain to a new name)
[root@Smoke ~]# iptables -L -n (list the rules of the filter table numerically; -L lists the rules of the given table, -n shows host addresses and port numbers numerically)
Chain INPUT (policy ACCEPT) (policy ACCEPT: the chain's default policy is ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -t filter -L -n (list the rules of the filter table numerically; -t selects the table, -L lists its rules, -n shows host addresses and port numbers numerically)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -t nat -L -n (list the rules of the nat table numerically; -t selects the table, -L lists its rules, -n shows host addresses and port numbers numerically)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -t mangle -L -n (list the rules of the mangle table numerically; -t selects the table, -L lists its rules, -n shows host addresses and port numbers numerically)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -L -n -v (list the filter table's rules in detail and numerically; -L lists the rules of the given table, -n numeric addresses and ports, -v details)
Chain INPUT (policy ACCEPT 35272 packets, 3112K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 36221 packets, 4954K bytes)
pkts bytes target prot opt in out source destination
[root@Smoke ~]# iptables -L -n -vvv (list the filter table's rules in even more detail and numerically; -L lists the rules of the given table, -n numeric addresses and ports, -vvv even more details)
Chain INPUT (policy ACCEPT 35287 packets, 3113K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 36238 packets, 4956K bytes)
pkts bytes target prot opt in out source destination
[root@Smoke ~]# iptables -L -n -v -x (list the filter table's rules in detail and numerically; -L lists the rules of the given table, -n numeric addresses and ports, -v details, -x exact counter values)
Chain INPUT (policy ACCEPT 35435 packets, 3124082 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 36359 packets, 4967682 bytes)
pkts bytes target prot opt in out source destination
[root@Smoke ~]# man iptables (view the iptables man page)
TARGET EXTENSIONS
BALANCE
This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
--to-destination ipaddr-ipaddr
Address range to round-robin over.
CLUSTERIP
This module allows you to configure a simple cluster of nodes that share a certain IP and MAC address without an
explicit load balancer in front of them. Connections are statically distributed between the nodes in this cluster.
--new Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
--hashmode mode
Specify the hashing mode. Has to be one of sourceip, sourceip-sourceport, sourceip-sourceport-destport
--clustermac mac
Specify the ClusterIP MAC address. Has to be a link-layer multicast address
--total-nodes num
Number of total nodes within this cluster.
--local-node num
Local node number within this cluster.
--hash-init rnd
Specify the random seed used for hash initialization.
CONNMARK (set a connection mark)
This module sets the netfilter mark value associated with a connection
--set-mark mark[/mask]
Set connection mark. If a mask is specified then only those bits set in the mask is modified.
--save-mark [--mask mask]
Copy the netfilter packet mark value to the connection mark. If a mask is specified then only those bits are
copied.
--restore-mark [--mask mask]
Copy the connection mark value to the packet. If a mask is specified then only those bits are copied. This is
only valid in the mangle table.
DNAT (destination address translation)
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only
called from those chains. It specifies that the destination address of the packet should be modified (and all future
packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:
--to-destination ipaddr[-ipaddr][:port-port]
which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a
port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified,
then the destination port will never be modified.
In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more
than one destination address, either via an address range or multiple --to-destination options, a simple round-
robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>=
2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
IPMARK
Allows you to mark a received packet basing on its IP address. This can replace many mangle/mark entries with only one,
if you use firewall based classifier.
This target is to be used inside the mangle table, in the PREROUTING, POSTROUTING or FORWARD hooks.
--addr src/dst
Use source or destination IP address.
--and-mask mask
Perform bitwise 'and' on the IP address and this mask.
--or-mask mask
Perform bitwise 'or' on the IP address and this mask.
The order of IP address bytes is reversed to meet "human order of bytes": 192.168.0.1 is 0xc0a80001. At first the 'and'
operation is performed, then 'or'.
Examples:
We create a queue for each user, the queue number is adequate to the IP address of the user, e.g.: all packets going
to/from 192.168.5.2 are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
We have one classifier rule:
tc filter add dev eth3 parent 1:0 protocol ip fw
Earlier we had many rules just like below:
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK --set-mark 0x10502
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK --set-mark 0x10503
Using IPMARK target we can replace all the mangle/mark rules with only one:
iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x10000
On the routers with hundreds of users there should be significant load decrease (e.g. twice).
LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some
information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or
syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to
LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP
(or REJECT).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in
the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.
MARK (set a mark)
This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table. It can
for example be used in conjunction with iproute2.
--set-mark mark
MASQUERADE (address masquerading; used in the POSTROUTING chain to implement source address translation)
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned
IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent
to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that con-
nections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to
have the same interface address (and hence any established connections are lost anyway). It takes one option:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see
above). This is only valid if the rule also specifies -p tcp or -p udp.
MIRROR
This is an experimental demonstration target which inverts the source and destination fields in the IP header and
retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and user-defined chains which
are only called from those chains. Note that the outgoing packets are NOT seen by any packet filtering chains, connec-
tion tracking or NAT, to avoid loops and other problems.
NOTRACK (do not track the connection at all)
This target disables connection tracking for all packets matching that rule.
It can only be used in the
raw table.
SET
This modules adds and/or deletes entries from IP sets which can be defined by ipset(8).
--add-set setname flag[,flag...]
add the address(es)/port(s) of the packet to the sets
--del-set setname flag[,flag...]
delete the address(es)/port(s) of the packet from the sets, where flags are src and/or dst and there can be no
more than six of them.
The bindings to follow must previously be defined in order to use
multilevel adding/deleting by the SET target.
TCPMSS (set TCP-related header bits)
This target allows to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually
limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction with -p tcp. It
is only valid in the mangle table.
This target is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets.
The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can
never exchange large packets:
1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your firewall configuration like:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
--set-mss value
Explicitly set MSS option to specified value.
--clamp-mss-to-pmtu
Automatically clamp MSS value to (path_MTU - 40).
These options are mutually exclusive.
TTL
This is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet can tra-
verse until it's time to live is exceeded.
Setting or incrementing the TTL field can potentially be very dangerous,
so it should be avoided at any cost.
Don't ever set or increment the value on packets that leave your local network!
mangle table.
--ttl-set value
Set the TTL value to 'value'.
--ttl-dec value
Decrement the TTL value 'value' times.
--ttl-inc value
Increment the TTL value 'value' times.
--tcp-flags [!] mask comp
Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as
a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags
are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
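The mask/comp rule for --tcp-flags (described under the implicit tcp extension earlier and in the man excerpt just above), re-implemented as an added example that is not iptables code, to show which packets --syn, the TCPMSS rule's SYN,RST SYN, and ALL NONE actually match.

```python
# Added example, not part of the original notes or of iptables: the mask/comp
# test behind --tcp-flags, re-implemented to show which packets a rule such as
# "--tcp-flags SYN,FIN,ACK,RST SYN" (i.e. --syn) really matches.

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_from_spec(spec):
    """Turn an iptables flag list ('SYN,FIN,ACK,RST', 'ALL', 'NONE') into a 6-bit mask."""
    if spec.upper() == "ALL":
        return 0x3F
    if spec.upper() == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        if name.upper() not in TCP_FLAG_BITS:
            raise ValueError("unknown TCP flag %r" % name)
        bits |= TCP_FLAG_BITS[name.upper()]
    return bits


def tcp_flags_match(mask_spec, comp_spec, packet_flags, negate=False):
    """--tcp-flags [!] mask comp: only the flags in mask are examined; of those,
    the flags in comp must be 1 and the others must be 0. Flags outside mask
    are ignored, which is why --syn still matches a SYN that carries PSH or URG."""
    mask, comp = flags_from_spec(mask_spec), flags_from_spec(comp_spec)
    if comp & ~mask:
        # the kernel compares (flags & mask) == comp, so such a rule never matches;
        # reject it here instead of silently matching nothing
        raise ValueError("comp lists a flag that mask does not examine")
    matched = (packet_flags & mask) == comp
    return matched != negate


def syn_match(packet_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (first packet of the handshake)."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)


def classify(packet_flags):
    """Evaluate the flag rules used in these notes against one packet's flag byte."""
    return {
        "--syn": syn_match(packet_flags),
        # the TCPMSS clamp rule uses SYN,RST SYN: ACK is not examined, so SYN/ACK matches too
        "SYN,RST SYN": tcp_flags_match("SYN,RST", "SYN", packet_flags),
        # ALL NONE: every flag examined and none may be set (a flagless "null" segment)
        "ALL NONE": tcp_flags_match("ALL", "NONE", packet_flags),
    }


if __name__ == "__main__":
    for name, flags in (("SYN", 0x02), ("SYN+ACK", 0x12), ("SYN+FIN", 0x03), ("no flags", 0x00)):
        print("%-9s %s" % (name, classify(flags)))
```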
[root@Smoke ~]# service iptables status (show the status of the iptables service)
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: raw
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@Smoke ~]# lsmod (show the status of the modules loaded into the kernel)
Module Size Used by
iptable_mangle 6849 0 (these modules are present once iptables has been started)
iptable_nat 10949 0 (these modules are present once iptables has been started)
ip_nat 20973 1 iptable_nat (these modules are present once iptables has been started)
ip_conntrack 53409 2 iptable_nat,ip_nat (these modules are present once iptables has been started)
nfnetlink 10713 2 ip_nat,ip_conntrack
iptable_raw 6209 0
iptable_filter 7105 0
ip_tables 17029 4 iptable_mangle,iptable_nat,iptable_raw,iptable_filter (these modules are present once iptables has been started)
x_tables 17349 2 iptable_nat,ip_tables
[root@Smoke ~]# lsmod | grep ip (show the loaded kernel modules, piped through grep to show only the ip-related ones)
iptable_mangle 6849 0 (manages the mangle table's rules)
iptable_nat 10949 0 (supplementary module that implements NAT for ip)
ip_nat 20973 1 iptable_nat (manages the nat table's rules)
ip_conntrack 53409 2 iptable_nat,ip_nat (NAT session records)
nfnetlink 10713 2 ip_nat,ip_conntrack
iptable_raw 6209 0 (manages the raw table's rules)
iptable_filter 7105 0 (manages the filter table's rules)
ip_tables 17029 4 iptable_mangle,iptable_nat,iptable_raw,iptable_filter
x_tables 17349 2 iptable_nat,ip_tables
ipv6 272545 19 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
[root@Smoke ~]# service iptables stop (stop the iptables service)
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle nat raw filter [ OK ]
Unloading iptables modules: [ OK ]
[root@Smoke ~]# lsmod | grep ip (show the loaded kernel modules, piped through grep to show only the ip-related ones)
ipv6 272545 19 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
Note: stopping iptables unloads the related modules from the kernel, so starting and stopping the iptables "service" mainly means having the kernel load or unload the iptables-related modules.
[root@Smoke ~]# service iptables start (start the iptables service)
[root@Smoke ~]# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT (append a rule to the filter table's INPUT chain allowing tcp port 22 from source 172.16.0.0/16 to destination 172.16.100.1; -A appends to the chain, -s source address, -d destination address, -p protocol, --dport destination port, -j action)
[root@Smoke ~]# iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT (append a rule to the filter table's OUTPUT chain allowing tcp source port 22 from 172.16.100.1 to 172.16.0.0/16; -A appends to the chain, -s source address, -d destination address, -p protocol, --sport source port, -j action)
[root@Smoke ~]# iptables -t filter -L -n (list the filter table's rules numerically; -L lists the rules of the given table, -n numeric output)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.16.0.0/16 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.16.100.1 172.16.0.0/16 tcp spt:22
[root@Smoke ~]# iptables -t filter -L -n -v (list the filter table's rules in detail and numerically; -L lists the rules of the given table, -n numeric output, -v details)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
220 15752 ACCEPT tcp -- * * 172.16.0.0/16 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 104 packets, 9496 bytes)
pkts bytes target prot opt in out source destination
51 4860 ACCEPT tcp -- * * 172.16.100.1 172.16.0.0/16 tcp spt:22
[root@Smoke ~]# iptables -t filter -L -n -vv (list the filter table's rules in more detail and numerically; -L lists the rules of the given table, -n numeric output, -vv more details)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
233 16464 ACCEPT tcp -- * * 172.16.0.0/16 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 104 packets, 9496 bytes)
pkts bytes target prot opt in out source destination
68 6944 ACCEPT tcp -- * * 172.16.100.1 172.16.0.0/16 tcp spt:22
[root@Smoke ~]# iptables -t filter -L -n -vvv (list the filter table's rules in even more detail and numerically; -L lists the rules of the given table, -n numeric output, -vvv even more details)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
248 17308 ACCEPT tcp -- * * 172.16.0.0/16 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 104 packets, 9496 bytes)
pkts bytes target prot opt in out source destination
86 9120 ACCEPT tcp -- * * 172.16.100.1 172.16.0.0/16 tcp spt:22
[root@Smoke ~]# yum -y install httpd vsftpd mysql-server (install httpd, vsftpd and mysql-server with yum)
[root@Smoke ~]# service httpd start (start the httpd service)
Starting httpd: [ OK ]
[root@Smoke ~]# netstat -tnlp (list listening services; -t tcp, -n numeric output, -l listening sockets, -p the owning program)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3494/./hpiod
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32803 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1142/mysqld
tcp 0 0 0.0.0.0:875 0.0.0.0:* LISTEN 19499/rpc.rquotad
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3175/portmap
tcp 0 0 0.0.0.0:852 0.0.0.0:* LISTEN 3214/rpc.statd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1624/vsftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3515/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3527/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3564/sendmail
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 19667/sshd
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 20415/sshd
tcp 0 0 0.0.0.0:892 0.0.0.0:* LISTEN 19515/rpc.mountd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3499/python
tcp 0 0 :::80 :::* LISTEN 20520/httpd
tcp 0 0 :::22 :::* LISTEN 3515/sshd
tcp 0 0 ::1:6010 :::* LISTEN 19667/sshd
tcp 0 0 ::1:6011 :::* LISTEN 20415/sshd
[root@Smoke ~]# setenforce 0    (switch SELinux to permissive mode for the test; this is not persistent and does not disable SELinux)
[root@Smoke ~]# service httpd restart    (restart the httpd service)
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Test: from the Windows machine, open http://172.16.100.1 in IE; the page loads normally;

[root@Smoke ~]# iptables -t filter -P INPUT DROP    (set the default policy of the filter table's INPUT chain to DROP: -P set the chain policy)
[root@Smoke ~]# iptables -t filter -P OUTPUT DROP    (set the default policy of the OUTPUT chain to DROP)
[root@Smoke ~]# iptables -t filter -P FORWARD DROP    (set the default policy of the FORWARD chain to DROP)
[root@Smoke ~]# iptables -t filter -L -n    (list the rules in the filter table: -L list the rules of the given table, -n numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 172.16.0.0/16 172.16.100.1 tcp dpt:22
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 172.16.100.1 172.16.0.0/16 tcp spt:22
Note: all three default policies are now DROP, yet the remote session stays up, because the two rules created earlier already permit SSH in both directions. Always add the ACCEPT rules for your own management session before switching a policy to DROP; in the other order you lock yourself out of the host;
Test: from the Windows machine, open http://172.16.100.1 in IE; the page cannot be reached;

Test: from a Windows command prompt, ping 172.16.100.1; there is no reply, because nothing permits ICMP in either direction;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
[root@Smoke ~]# iptables -t filter -I INPUT -d 172.16.100.1 -p tcp --dport 80 -j ACCEPT    (insert into the filter table's INPUT chain a rule allowing TCP from anywhere to 172.16.100.1 port 80: -I insert a rule, at position 1 unless a number is given, -d destination address, -p protocol, --dport destination port, -j target)
[root@Smoke ~]# iptables -t filter -L -n    (list the rules in the filter table: -L list the rules of the given table, -n numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80
ACCEPT tcp -- 172.16.0.0/16 172.16.100.1 tcp dpt:22
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 172.16.100.1 172.16.0.0/16 tcp spt:22
Test: from the Windows machine, open http://172.16.100.1 in IE; still unreachable. The requests now get in, but the replies cannot get out, because the OUTPUT policy is DROP and nothing permits traffic from port 80;
[root@Smoke ~]# iptables -t filter -I OUTPUT -s 172.16.100.1 -p tcp --sport 80 -j ACCEPT    (insert into the OUTPUT chain a rule allowing TCP from 172.16.100.1 source port 80: -I insert a rule, -s source address, -p protocol, --sport source port, -j target)
Test: from the Windows machine, open http://172.16.100.1 in IE; the page loads normally;

[root@Smoke ~]# echo hello > /var/www/html/index.html    (write "hello" into the site's index.html)
Test: from the Windows machine, open http://172.16.100.1 in IE; the page loads normally and shows the new content;

Test: from a Windows command prompt, ping 172.16.100.1; no reply, because ping uses ICMP and only TCP has been permitted so far;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
[root@Smoke ~]# ping 127.0.0.1    (ping the loopback address)
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
Note: "sendmsg: Operation not permitted" means the packet was dropped locally by the OUTPUT chain. Loopback traffic traverses INPUT and OUTPUT like any other, so a DROP policy also breaks local services that talk to 127.0.0.1;
[root@Smoke ~]# iptables -t filter -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT    (append to the filter table's INPUT chain a rule allowing packets from 127.0.0.1 to 127.0.0.1 arriving on interface lo: -A append a rule, -s source address, -d destination address, -i input interface, -j target)
[root@Smoke ~]# iptables -t filter -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT    (append to the OUTPUT chain a rule allowing packets from 127.0.0.1 to 127.0.0.1 leaving on interface lo: -o output interface)
[root@Smoke ~]# ping 127.0.0.1    (ping 127.0.0.1 again)
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.114 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.043/0.067/0.114/0.033 ms
Test: from a Windows command prompt, ping 172.16.100.1; still no reply, since the loopback rules do not cover the external interface;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
[root@Smoke ~]# ping 172.16.100.254    (ping the gateway 172.16.100.254 from the firewall host)
PING 172.16.100.254 (172.16.100.254) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 172.16.100.254 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2002ms
[root@Smoke ~]# iptables -t filter -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT    (append to the OUTPUT chain a rule allowing ICMP echo-request, type 8, from 172.16.100.1: -A append a rule, -s source address, -p protocol, --icmp-type ICMP message type, -j target)
[root@Smoke ~]# ping 172.16.100.254    (ping 172.16.100.254 again)
PING 172.16.100.254 (172.16.100.254) 56(84) bytes of data.
--- 172.16.100.254 ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16018ms
Note: the requests now leave the host (no more "Operation not permitted"), but the echo-replies are dropped by the INPUT chain, so the ping still fails;
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT    (append to the INPUT chain a rule allowing ICMP echo-reply, type 0, to 172.16.100.1: -A append a rule, -d destination address, -p protocol, --icmp-type ICMP message type, -j target)
[root@Smoke ~]# ping 172.16.100.254    (ping 172.16.100.254 once more)
PING 172.16.100.254 (172.16.100.254) 56(84) bytes of data.
64 bytes from 172.16.100.254: icmp_seq=1 ttl=64 time=0.171 ms
64 bytes from 172.16.100.254: icmp_seq=2 ttl=64 time=0.233 ms
64 bytes from 172.16.100.254: icmp_seq=3 ttl=64 time=1.13 ms
--- 172.16.100.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.171/0.511/1.131/0.439 ms
Test: from a Windows command prompt, ping 172.16.100.1; still no reply, because inbound echo-requests and outbound echo-replies are not permitted;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
[root@Smoke ~]# modprobe ip_conntrack    (load the ip_conntrack kernel module)
[root@Smoke ~]# cat /proc/net/ip_conntrack    (view the connection tracking table)
tcp 6 109 TIME_WAIT src=172.16.100.254 dst=172.16.100.1 sport=4734 dport=80 packets=5 bytes=707 src=172.16.100.1 dst=172.16.100.254 sport=80 dport=4734 packets=5 bytes=355 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=172.16.100.1 dst=172.16.100.254 sport=22 dport=1497 packets=1364 bytes=124844 src=172.16.100.254 dst=172.16.100.1 sport=1497 dport=22 packets=1788 bytes=130492 [ASSURED] mark=0 secmark=0 use=1
Note: this file holds one entry for every connection the kernel is currently tracking between this host and others. Each line gives the protocol, the seconds left before the entry expires, the TCP state, the original-direction tuple (src/dst/sport/dport) and then the reply-direction tuple; [ASSURED] means traffic has been seen in both directions;
[root@Smoke ~]# iptstate    (top-like view of the connection tracking table)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Source Destination Proto State TTL
127.0.0.1:55780 127.0.0.1:53 udp 0:00:08
127.0.0.1:47529 127.0.0.1:53 udp 0:00:08
172.16.100.1:22 172.16.100.254:1497 tcp TIME_WAIT 0:01:33
172.16.100.254:4750 172.16.100.1:22 tcp ESTABLISHED 119:59:06
172.16.100.254:4755 172.16.100.1:22 tcp ESTABLISHED 119:59:59
[root@Smoke ~]# man iptstate    (read the iptstate man page)
iptstate - A top-like display of IP Tables state table entries
[root@Smoke ~]# iptstate -t    (view the tracking table with totals: -t print the number of entries per protocol)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Total States: 2 -- TCP: 2 UDP: 0 ICMP: 0 OTHER: 0
Source Destination Proto State TTL
172.16.100.254:4750 172.16.100.1:22 tcp ESTABLISHED 119:59:25
172.16.100.254:4755 172.16.100.1:22 tcp ESTABLISHED 119:59:59
Test: from a Windows command prompt, ping 172.16.100.1; still no reply;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
[root@Smoke ~]# iptstate -t    (view the tracking table with totals: -t print the number of entries per protocol)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Total States: 2 -- TCP: 2 UDP: 0 ICMP: 0 OTHER: 0
Source Destination Proto State TTL
172.16.100.254:4750 172.16.100.1:22 tcp ESTABLISHED 119:59:25
172.16.100.254:4755 172.16.100.1:22 tcp ESTABLISHED 119:59:59
[root@Smoke ~]# ping 172.16.100.254
PING 172.16.100.254 (172.16.100.254) 56(84) bytes of data.
64 bytes from 172.16.100.254: icmp_seq=1 ttl=64 time=1.87 ms
64 bytes from 172.16.100.254: icmp_seq=2 ttl=64 time=0.301 ms
64 bytes from 172.16.100.254: icmp_seq=3 ttl=64 time=0.251 ms
--- 172.16.100.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.251/0.810/1.879/0.756 ms
[root@Smoke ~]# iptstate -t    (view the tracking table again; the ping has added an ICMP entry)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Total States: 3 -- TCP: 2 UDP: 0 ICMP: 1 OTHER: 0
Source Destination Proto State TTL
172.16.100.1 172.16.100.1 icmp 8/0 0:00:12
172.16.100.254:4750 172.16.100.1:22 tcp ESTABLISHED 119:59:46
172.16.100.254:4755 172.16.100.1:22 tcp ESTABLISHED 119:59:59
Note: the earlier listings contained only TCP entries because no other flow was live at the time. ip_conntrack tracks flows by their address and port tuple and handles UDP and ICMP as well as TCP, as the "icmp 8/0" entry (echo-request, expecting echo-reply) shows;
[root@Smoke ~]# lsmod | grep ip    (list loaded kernel modules, showing only those matching "ip")
iptable_nat 10949 0
ip_nat 20973 1 iptable_nat
ip_conntrack 53409 2 iptable_nat,ip_nat
nfnetlink 10713 2 ip_nat,ip_conntrack
iptable_filter 7105 1
ip_tables 17029 2 iptable_nat,iptable_filter
x_tables 17349 3 iptable_nat,ip_tables,xt_tcpudp
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
Note: ip_conntrack is implemented as a kernel module;
[root@Smoke ~]# modprobe -r ip_conntrack    (unload the ip_conntrack module: -r remove)
FATAL: Module ip_conntrack is in use.    (the module is still used by other modules)
[root@Smoke ~]# man modprobe    (read the modprobe man page)
-r --remove    (remove a module)
This option causes modprobe to remove, rather than insert a module. If the modules it depends on are also
unused, modprobe will try to remove them, too. Unlike insertion, more than one module can be specified on
the command line (it does not make sense to specify module parameters when removing modules).
There is usually no reason to remove modules, but some buggy modules require it. Your kernel may not sup-
port removal of modules.
-f --force    (force: skip the module version checks)
Try to strip any versioning information from the module, which might otherwise stop it from loading: this is
the same as using both --force-vermagic and --force-modversion. Naturally, these checks are there for your
protection, so using this option is dangerous.
This applies to any modules inserted: both the module (or alias) on the command line, and any modules it
depends on.
[root@Smoke ~]# modprobe -r -f ip_conntrack    (try to force the removal: -r remove, -f force)
FATAL: Module ip_conntrack is in use.    (still in use)
Note: -f does not help here. It only strips version checks from the module; it does not override a non-zero use count. A module can be removed only after everything that depends on it has been removed;
[root@Smoke ~]# man modprobe    (read the modprobe man page again)
[root@Smoke ~]# lsmod | grep ip    (list loaded kernel modules, showing only those matching "ip")
iptable_nat 10949 0
ip_nat 20973 1 iptable_nat
ip_conntrack 53409 2 iptable_nat,ip_nat
nfnetlink 10713 2 ip_nat,ip_conntrack
iptable_filter 7105 1
ip_tables 17029 2 iptable_nat,iptable_filter
x_tables 17349 3 iptable_nat,ip_tables,xt_tcpudp
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
Note: the last column of lsmod lists the modules that depend on each entry; ip_conntrack is used by iptable_nat and ip_nat, so it cannot be removed while they are loaded;
[root@Smoke ~]# modprobe -r nfnetlink    (try to remove the nfnetlink module: -r remove; it too is in use, by ip_nat and ip_conntrack)
FATAL: Module nfnetlink is in use.
[root@Smoke ~]# service iptables stop    (stop the iptables service: flush the rules, reset the policies to ACCEPT and unload the modules)
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat filter [ OK ]
Unloading iptables modules: [ OK ]
[root@Smoke ~]# lsmod | grep ip    (list loaded kernel modules, showing only those matching "ip")
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
Note: all the iptables-related modules have been removed;
[root@Smoke ~]# cat /proc/net/ip_conntrack    (try to read the connection tracking table)
cat: /proc/net/ip_conn: No such file or directory
Note: the tracking table is gone together with the module;
[root@Smoke ~]# modprobe ip_conntrack    (load the ip_conntrack module)
[root@Smoke ~]# cat /proc/net/ip_conntrack    (view the connection tracking table)
tcp 6 431999 ESTABLISHED src=172.16.100.254 dst=172.16.100.1 sport=4750 dport=22 packets=29 bytes=1160 src=172.16.100.1 dst=172.16.100.254 sport=22 dport=4750 packets=28 bytes=3920 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=172.16.100.1 dst=172.16.100.254 sport=22 dport=4755 packets=23 bytes=2044 src=172.16.100.254 dst=172.16.100.1 sport=4755 dport=22 packets=36 bytes=2464 [ASSURED] mark=0 secmark=0 use=1
Note: /proc/net/ip_conntrack holds one entry per tracked flow, not per client. Ten thousand clients mean at least ten thousand entries, and a single client that opens four parallel connections (as a multi-threaded browser does) creates four entries, so the table grows with the number of concurrent flows, not hosts. The table lives in kernel memory, which is finite, so the kernel caps how many entries it will hold;
[root@Smoke ~]# cat /proc/sys/net/ipv4/ip_conntrack_max    (view the maximum number of conntrack entries)
32768
Note: the maximum number of entries /proc/net/ip_conntrack can hold is set in /proc/sys/net/ipv4/ip_conntrack_max, 32768 by default. Once the table is full the kernel drops every packet that would create a new entry (logging "ip_conntrack: table full, dropping packet"), so on a busy server a value that is too small shows up as new clients timing out while existing sessions keep working. Note also that the module starts tracking every flow the moment it is loaded;
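The session above reads the tracking table by eye. The following is an added example, not from the original page: a POSIX sh script that summarises a /proc/net/ip_conntrack table by protocol and TCP state, lists the source addresses holding the most entries (a scanner or a SYN flood shows up as one address with many SYN_RECV entries marked [UNREPLIED]), and compares the entry count with ip_conntrack_max so a nearly full table is noticed before new connections start being dropped. It reads the live table when the module is loaded and otherwise a constructed sample in the same format; the 10.9.8.7 entries and the 80 % warning threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: summarise /proc/net/ip_conntrack
# and compare its size with ip_conntrack_max.
# Line format (2.6.18-era ip_conntrack, as shown above): protocol name,
# protocol number, seconds until the entry expires, a state word for TCP only,
# then the ORIGINAL-direction src=/dst=/... tokens, then the reply direction.

# Constructed sample in that format (not captured from a real host). The two
# 10.9.8.7 entries are invented to show half-open connections: SYN_RECV with
# [UNREPLIED] and zero reply packets.
write_sample_conntrack() {
    cat > "$1" <<'EOF'
tcp 6 109 TIME_WAIT src=172.16.100.254 dst=172.16.100.1 sport=4734 dport=80 packets=5 bytes=707 src=172.16.100.1 dst=172.16.100.254 sport=80 dport=4734 packets=5 bytes=355 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=172.16.100.254 dst=172.16.100.1 sport=1497 dport=22 packets=1788 bytes=130492 src=172.16.100.1 dst=172.16.100.254 sport=22 dport=1497 packets=1364 bytes=124844 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=172.16.100.254 dst=172.16.100.1 sport=4750 dport=22 packets=29 bytes=1160 src=172.16.100.1 dst=172.16.100.254 sport=22 dport=4750 packets=28 bytes=3920 [ASSURED] mark=0 secmark=0 use=1
tcp 6 58 SYN_RECV src=10.9.8.7 dst=172.16.100.1 sport=40001 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.100.1 dst=10.9.8.7 sport=80 dport=40001 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 58 SYN_RECV src=10.9.8.7 dst=172.16.100.1 sport=40002 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.100.1 dst=10.9.8.7 sport=80 dport=40002 packets=0 bytes=0 mark=0 secmark=0 use=1
udp 17 8 src=127.0.0.1 dst=127.0.0.1 sport=55780 dport=53 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=55780 packets=0 bytes=0 mark=0 secmark=0 use=1
icmp 1 29 src=172.16.100.1 dst=172.16.100.254 type=8 code=0 id=12345 packets=3 bytes=252 src=172.16.100.254 dst=172.16.100.1 type=0 code=0 id=12345 packets=3 bytes=252 mark=0 secmark=0 use=1
EOF
}

# Entries per protocol, split by TCP state ("2 tcp/ESTABLISHED", "1 udp", ...).
conntrack_states() {
    awk '{ key = $1; if ($1 == "tcp") key = $1 "/" $4; n[key]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# Number of entries, i.e. what ip_conntrack_count reports.
conntrack_count() {
    wc -l < "$1" | tr -d ' '
}

# Entries per original-direction source address, busiest first. The first src=
# token on a line is the side that opened the flow, so a scanner or SYN flooder
# shows up as one address holding many entries.
conntrack_top_sources() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (a in n) print n[a], a }' "$1" | sort -rn | head -n "${2:-5}"
}

# Integer percentage of ip_conntrack_max in use.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Returns 1 above the warning threshold (default 80 %), so it can run from
# cron: once the count reaches the maximum the kernel drops every packet that
# would create a new entry, while existing connections keep working.
conntrack_check() {
    count=$1; max=$2; warn=${3:-80}
    pct=$(conntrack_usage_pct "$count" "$max")
    if [ "$pct" -ge "$warn" ]; then
        echo "WARNING: conntrack table ${pct}% full (${count}/${max})"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full (${count}/${max})"
}

# Use the live table and limit when the module is loaded, else the sample.
if [ -r /proc/net/ip_conntrack ] && [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
    table=/proc/net/ip_conntrack
    max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
    sample=
else
    table=${TMPDIR:-/tmp}/ip_conntrack.sample.$$
    write_sample_conntrack "$table"
    max=32768
    sample=$table
fi
conntrack_states "$table"
conntrack_top_sources "$table" 3
conntrack_check "$(conntrack_count "$table")" "$max"
if [ -n "$sample" ]; then rm -f "$sample"; fi
```

On the sample the check reports the table as 0 % full; on a live host the same three lines tell you whether the ip_conntrack_max default discussed above is about to be hit and which peer is responsible.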
[root@Smoke ~]# lsmod(查看内核已经加载的模块)
Module Size Used by
ip_conntrack 53409 0
nfnetlink 10713 1 ip_conntrack
xt_tcpudp 7105 0
x_tables 17349 1 xt_tcpudp
nfsd 205233 17
exportfs 9665 1 nfsd
nfs_acl 7617 1 nfsd
auth_rpcgss 43105 1 nfsd
vfat 15937 1
fat 51037 1 vfat
usb_storage 80929 1
hfsplus 75589 0
nls_utf8 6209 1
autofs4 28741 3
hidp 22977 2
rfcomm 42457 0
l2cap 29761 10 hidp,rfcomm
lockd 63209 2 nfsd
sunrpc 149245 9 nfsd,nfs_acl,auth_rpcgss,lockd
be2iscsi 59605 0
ib_iser 35609 0
rdma_cm 35705 1 ib_iser
ib_cm 39213 1 rdma_cm
iw_cm 13125 1 rdma_cm
ib_sa 39093 2 rdma_cm,ib_cm
ib_mad 37717 2 ib_cm,ib_sa
ib_core 63557 6 ib_iser,rdma_cm,ib_cm,iw_cm,ib_sa,ib_mad
ib_addr 11717 1 rdma_cm
iscsi_tcp 20041 0
bnx2i 46557 0
cnic 51029 1 bnx2i
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
crypto_api 12609 1 xfrm_nalgo
uio 14793 1 cnic
cxgb3i 31177 0
libcxgbi 54477 1 cxgb3i
cxgb3 167705 1 cxgb3i
8021q 25929 1 cxgb3
libiscsi_tcp 22213 3 iscsi_tcp,cxgb3i,libcxgbi
libiscsi2 42693 7 be2iscsi,ib_iser,iscsi_tcp,bnx2i,cxgb3i,libcxgbi,libiscsi_tcp
scsi_transport_iscsi2 37709 8 be2iscsi,ib_iser,iscsi_tcp,bnx2i,libcxgbi,libiscsi2
scsi_transport_iscsi 6085 1 scsi_transport_iscsi2
dm_mirror 24393 0
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
video 21193 0
backlight 10049 1 video
sbs 18533 0
power_meter 16461 0
hwmon 7365 1 power_meter
i2c_ec 9025 1 sbs
dell_wmi 8401 0
wmi 12137 1 dell_wmi
button 10705 0
battery 13637 0
asus_acpi 19289 0
ac 9157 0
lp 15849 0
floppy 57125 0
sr_mod 19813 1
cdrom 36577 1 sr_mod
pcspkr 7105 0
sg 36717 0
snd_ens1371 28513 0
gameport 18505 1 snd_ens1371
serio_raw 10693 0
snd_rawmidi 26561 1 snd_ens1371
snd_ac97_codec 93025 1 snd_ens1371
ac97_bus 6337 1 snd_ac97_codec
snd_seq_dummy 7877 0
snd_seq_oss 32576 0
snd_seq_midi_event 11073 1 snd_seq_oss
snd_seq 49585 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device 11725 4 snd_rawmidi,snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss 42817 0
snd_mixer_oss 19009 1 snd_pcm_oss
tpm_tis 16713 0
snd_pcm 72133 3 snd_ens1371,snd_ac97_codec,snd_pcm_oss
tpm 19041 1 tpm_tis
tpm_bios 11073 1 tpm
snd_timer 24517 2 snd_seq,snd_pcm
snd 55877 10 snd_ens1371,snd_rawmidi,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
soundcore 11553 1 snd
snd_page_alloc 14281 1 snd_pcm
hci_usb 20317 2
pcnet32 35141 0
bluetooth 53797 8 hidp,rfcomm,l2cap,hci_usb
i2c_piix4 13133 0
i2c_core 24897 2 i2c_ec,i2c_piix4
parport_pc 29669 1
mii 9409 1 pcnet32
parport 37513 2 lp,parport_pc
dm_raid45 67273 0
dm_message 6977 1 dm_raid45
dm_region_hash 15681 1 dm_raid45
dm_log 14785 3 dm_mirror,dm_raid45,dm_region_hash
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
dm_mem_cache 9537 1 dm_raid45
ahci 38861 1
ata_piix 24261 0
libata 156933 2 ahci,ata_piix
mptspi 24009 3
mptscsih 37953 1 mptspi
mptbase 87109 2 mptspi,mptscsih
scsi_transport_spi 26305 1 mptspi
sd_mod 25409 6
scsi_mod 144277 16 usb_storage,be2iscsi,ib_iser,iscsi_tcp,bnx2i,libcxgbi,libiscsi2,scsi_transport_iscsi2,scsi_dh,sr_mod,sg,libata,mptspi,mptscsih,scsi_transport_spi,sd_mod
ext3 125769 2
jbd 57705 1 ext3
uhci_hcd 25421 0
ohci_hcd 24937 0
ehci_hcd 34509 0
[root@Smoke ~]# lsmod | grep ip_conntrack    (list loaded kernel modules, showing only those matching "ip_conntrack")
ip_conntrack 53409 0
nfnetlink 10713 1 ip_conntrack
Note: as soon as this module is loaded it tracks every flow. On a very busy server, loading it, even unintentionally (see the nat table example below), with the default ip_conntrack_max can fill the table, after which new client connections are dropped, which is fatal for the service. So either avoid anything that pulls the module in on such a host, or, if the connection count is moderate, load it deliberately and raise ip_conntrack_max well above the expected number of concurrent flows;
[root@Smoke ~]# service iptables stop    (stop the iptables service)
[root@Smoke ~]# lsmod | grep ip_conntrack    (list loaded kernel modules matching "ip_conntrack"; stopping the service did not unload a module loaded by hand)
ip_conntrack 53409 0
nfnetlink 10713 1 ip_conntrack
[root@Smoke ~]# modprobe -r ip_conntrack    (unload the ip_conntrack module: -r remove; it succeeds now that nothing depends on it)
[root@Smoke ~]# service iptables start    (start the iptables service)
[root@Smoke ~]# service iptables stop    (stop the iptables service)
[root@Smoke ~]# lsmod | grep ip_conntrack    (no output: the service did not load ip_conntrack, since no rule needed it)
[root@Smoke ~]# service iptables restart    (restart the iptables service)
[root@Smoke ~]# service iptables stop    (stop the iptables service)
[root@Smoke ~]# lsmod | grep ip    (list loaded kernel modules, showing only those matching "ip")
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
[root@Smoke ~]# iptables -t nat -L    (list the rules in the nat table: -t select the table, -L list its rules)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# lsmod | grep ip    (list loaded kernel modules, showing only those matching "ip")
iptable_nat 10949 0
ip_nat 20973 1 iptable_nat
ip_conntrack 53409 2 iptable_nat,ip_nat
nfnetlink 10713 2 ip_nat,ip_conntrack
ip_tables 17029 1 iptable_nat
x_tables 17349 3 iptable_nat,ip_tables,xt_tcpudp
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
Note: merely listing the nat table with iptables -t nat -L loads ip_conntrack: -t nat loads iptable_nat and ip_nat, which depend on ip_conntrack (NAT cannot work without tracking), and once loaded ip_conntrack immediately starts tracking every flow;
[root@Smoke ~]# rpm -ql iptables    (list the files installed by the iptables package)
/etc/rc.d/init.d/iptables
/etc/sysconfig/iptables-config
/lib/iptables
/lib/iptables/libipt_CLASSIFY.so
/lib/iptables/libipt_CLUSTERIP.so
/lib/iptables/libipt_CONNMARK.so
/lib/iptables/libipt_DNAT.so
/lib/iptables/libipt_DSCP.so
/lib/iptables/libipt_ECN.so
/lib/iptables/libipt_LOG.so
/lib/iptables/libipt_MARK.so
/lib/iptables/libipt_MASQUERADE.so
/lib/iptables/libipt_MIRROR.so
/lib/iptables/libipt_NETMAP.so
/lib/iptables/libipt_NFQUEUE.so
/lib/iptables/libipt_NOTRACK.so
/lib/iptables/libipt_REDIRECT.so
/lib/iptables/libipt_REJECT.so
/lib/iptables/libipt_SAME.so
/lib/iptables/libipt_SNAT.so
/lib/iptables/libipt_TARPIT.so
/lib/iptables/libipt_TCPMSS.so
/lib/iptables/libipt_TOS.so
/lib/iptables/libipt_TRACE.so
/lib/iptables/libipt_TTL.so
/lib/iptables/libipt_ULOG.so
/lib/iptables/libipt_addrtype.so
/lib/iptables/libipt_ah.so
/lib/iptables/libipt_comment.so
/lib/iptables/libipt_connlimit.so
/lib/iptables/libipt_connmark.so
/lib/iptables/libipt_conntrack.so
/lib/iptables/libipt_dccp.so
/lib/iptables/libipt_dscp.so
/lib/iptables/libipt_ecn.so
/lib/iptables/libipt_esp.so
/lib/iptables/libipt_hashlimit.so
/lib/iptables/libipt_helper.so
/lib/iptables/libipt_icmp.so
/lib/iptables/libipt_iprange.so
/lib/iptables/libipt_length.so
/lib/iptables/libipt_limit.so
/lib/iptables/libipt_mac.so
/lib/iptables/libipt_mark.so
/lib/iptables/libipt_multiport.so
/lib/iptables/libipt_owner.so
/lib/iptables/libipt_physdev.so
/lib/iptables/libipt_pkttype.so
/lib/iptables/libipt_policy.so
/lib/iptables/libipt_realm.so
/lib/iptables/libipt_recent.so
/lib/iptables/libipt_rpc.so
/lib/iptables/libipt_sctp.so
/lib/iptables/libipt_standard.so
/lib/iptables/libipt_state.so
/lib/iptables/libipt_statistic.so
/lib/iptables/libipt_string.so
/lib/iptables/libipt_tcp.so
/lib/iptables/libipt_tcpmss.so
/lib/iptables/libipt_tos.so
/lib/iptables/libipt_ttl.so
/lib/iptables/libipt_udp.so
/lib/iptables/libipt_unclean.so
/sbin/iptables
/sbin/iptables-restore
/sbin/iptables-save
/usr/share/doc/iptables-1.3.5
/usr/share/doc/iptables-1.3.5/COPYING
/usr/share/doc/iptables-1.3.5/INCOMPATIBILITIES
/usr/share/doc/iptables-1.3.5/INSTALL
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz
[root@Smoke ~]# iptables -t filter -L -n    (list the rules in the filter table: -L list the rules of the given table, -n numeric output)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT    (append to the filter table's INPUT chain a rule allowing TCP to 172.16.100.1 port 22)
[root@Smoke ~]# iptables -L -n    (list the rules; the filter table is the default when -t is omitted, -n numeric output)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -L -n -v    (list the filter table with counters: -n numeric output, -v verbose, showing packet and byte counts per rule and per chain policy)
Chain INPUT (policy ACCEPT 455 packets, 34352 bytes)
pkts bytes target prot opt in out source destination
107 5288 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 538 packets, 54304 bytes)
pkts bytes target prot opt in out source destination
[root@Smoke ~]# service iptables restart    (restart the iptables service)
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter nat [ OK ]
Unloading iptables modules: [ OK ]
[root@Smoke ~]# cat /etc/sysconfig/iptables    (view the saved rules file)
cat: /etc/sysconfig/iptables: No such file or directory
Note: on start, the iptables service loads the rules from /etc/sysconfig/iptables. Rules added at the command line live only in the kernel; unless they are saved to that file they are gone after a restart (the restart above flushed the port-22 rule), and if the file does not exist there is nothing to apply;
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT    (append to the filter table's INPUT chain a rule allowing TCP to 172.16.100.1 port 22)
[root@Smoke ~]# service iptables save    (save the current rules to /etc/sysconfig/iptables)
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@Smoke ~]# cat /etc/sysconfig/iptables    (view the saved rules file; this is iptables-save format, which iptables-restore reads back)
# Generated by iptables-save v1.3.5 on Sun Nov 23 23:26:55 2014
*filter
:INPUT ACCEPT [64:5376]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:14576]
-A INPUT -d 172.16.100.1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Nov 23 23:26:55 2014
[root@Smoke ~]# service iptables restart(重启iptables服务)
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
[root@Smoke ~]# iptables -L -n -v    (list the filter table with counters: -n numeric output, -v verbose; the saved rule is back after the restart)
Chain INPUT (policy ACCEPT 52 packets, 4368 bytes)
pkts bytes target prot opt in out source destination
58 3292 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 117 packets, 11624 bytes)
pkts bytes target prot opt in out source destination
[root@Smoke ~]# iptables -F    (flush all rules from every chain of the filter table; the chain policies are left as they are)
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT    (append to the filter table's INPUT chain a rule allowing TCP from anywhere to 172.16.100.1 port 22 whose connection state is NEW or ESTABLISHED: -A append a rule, -d destination address, -p protocol, --dport destination port, -m load a match extension, --state the connection states the state match accepts, -j target)
[root@Smoke ~]# lsmod | grep ip    (list loaded kernel modules, showing only those matching "ip")
ip_conntrack_netbios_ns 6977 0
ip_conntrack 53409 2 xt_state,ip_conntrack_netbios_ns
nfnetlink 10713 1 ip_conntrack
iptable_filter 7105 1
ip_tables 17029 1 iptable_filter
x_tables 17349 3 xt_state,ip_tables,xt_tcpudp
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
Note: using the state match loaded ip_conntrack (via xt_state); stateful rules cannot work without the tracking table;
[root@Smoke ~]# iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT    (append to the OUTPUT chain a rule allowing TCP from 172.16.100.1 source port 22 whose connection state is ESTABLISHED: -A append a rule, -s source address, -p protocol, --sport source port, -m state match extension, --state connection state, -j target. Server replies never open a connection, so ESTABLISHED alone is enough here)
[root@Smoke ~]# iptables -t filter -P INPUT DROP    (set the default policy of the filter table's INPUT chain to DROP: -P set the chain policy)
[root@Smoke ~]# iptables -t filter -P OUTPUT DROP    (set the default policy of the OUTPUT chain to DROP)
[root@Smoke ~]# iptables -t filter -L -n    (list the rules in the filter table: -L list the rules of the given table, -n numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:22 state ESTABLISHED
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT    (append to the INPUT chain a rule allowing TCP from anywhere to 172.16.100.1 port 80 whose connection state is NEW or ESTABLISHED)
[root@Smoke ~]# iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT    (append to the OUTPUT chain a rule allowing TCP from 172.16.100.1 source port 80 whose connection state is ESTABLISHED)
[root@Smoke ~]# iptables -t filter -L -n    (list the rules in the filter table: -L list the rules of the given table, -n numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:22 state ESTABLISHED
ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:80 state ESTABLISHED
Test: from the Windows machine, open http://172.16.100.1 in IE; the page loads normally;

[root@Smoke ~]# iptstate    (top-like view of the connection tracking table)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Source Destination Proto State TTL
172.16.100.254:1701 172.16.100.1:22 tcp ESTABLISHED 119:59:11
172.16.100.254:3583 172.16.100.1:80 tcp TIME_WAIT 0:01:13
172.16.100.254:3585 172.16.100.1:80 tcp TIME_WAIT 0:01:20
172.16.100.254:1525 172.16.100.1:22 tcp ESTABLISHED 119:59:59
[root@Smoke ~]# sysctl -w net.ipv4.ip_conntrack_max=65536    (set the kernel parameter ip_conntrack_max to 65536 in the running kernel: -w write a value; this is the same knob as /proc/sys/net/ipv4/ip_conntrack_max)
net.ipv4.ip_conntrack_max = 65536
[root@Smoke ~]# cat /proc/sys/net/ipv4/ip_conntrack_max    (confirm the new maximum)
65536
[root@Smoke ~]# iptstate    (top-like view of the connection tracking table)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Source Destination Proto State TTL
172.16.100.254:1701 172.16.100.1:22 tcp ESTABLISHED 119:59:20
172.16.100.254:1525 172.16.100.1:22 tcp ESTABLISHED 119:59:59
Note: an idle ESTABLISHED entry is kept for 120 hours (5 days) by default, far too long for a busy server, since every dead session occupies a slot in the table for that long;
[root@Smoke ~]# ls /proc/sys/net/ipv4/netfilter/    (list the netfilter tunables under /proc/sys/net/ipv4/netfilter)
ip_conntrack_buckets ip_conntrack_max ip_conntrack_tcp_timeout_established ip_conntrack_tcp_timeout_time_wait
ip_conntrack_checksum ip_conntrack_tcp_be_liberal ip_conntrack_tcp_timeout_fin_wait ip_conntrack_udp_timeout
ip_conntrack_count ip_conntrack_tcp_loose ip_conntrack_tcp_timeout_last_ack ip_conntrack_udp_timeout_stream
ip_conntrack_generic_timeout ip_conntrack_tcp_max_retrans ip_conntrack_tcp_timeout_max_retrans
ip_conntrack_icmp_timeout ip_conntrack_tcp_timeout_close ip_conntrack_tcp_timeout_syn_recv
ip_conntrack_log_invalid ip_conntrack_tcp_timeout_close_wait ip_conntrack_tcp_timeout_syn_sent
Note: all the ip_conntrack timeout tunables, one per protocol and TCP state, live under /proc/sys/net/ipv4/netfilter/;
[root@Smoke ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout    (view the ICMP entry timeout)
30
Note: an ICMP entry expires 30 seconds after the last packet;
[root@Smoke ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established    (view the timeout for TCP entries in the ESTABLISHED state)
432000
Note: a TCP ESTABLISHED entry expires after 432000 seconds, i.e. 5 days, of inactivity;
[root@Smoke ~]# vim /etc/sysctl.conf    (edit the kernel parameter configuration file)
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
Note: a value written with sysctl -w lasts only until the next reboot. To make a conntrack timeout or ip_conntrack_max change permanent, add the key (for example net.ipv4.netfilter.ip_conntrack_tcp_timeout_established, the dotted form of the /proc path) to /etc/sysctl.conf and load it with sysctl -p;
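An added example, not from the original page, of making those settings persist: a POSIX sh setter that replaces or appends a key in a sysctl.conf-style file without duplicating it, so a provisioning script can run it repeatedly, plus a wrapper that records the ip_conntrack_max = 65536 from the session and an assumed 3600-second ESTABLISHED timeout (an illustrative value, not one the page gives). Run with --apply as root to edit /etc/sysctl.conf and load it with sysctl -p; with no arguments it demonstrates on a scratch copy.

```shell
#!/bin/sh
# Added example, not from the original page: make the conntrack tunables above
# survive a reboot. `sysctl -w` changes only the running kernel; boot-time
# values come from /etc/sysctl.conf, which `sysctl -p` loads. The setter edits
# a sysctl.conf-style file in place without duplicating keys, so it is safe to
# run from a provisioning script again and again.

# set_sysctl_persist <file> <key> <value>
# Replaces an existing "key = value" line or appends one. Keys are matched as
# whole names (dots are escaped, so net.ipv4.ip_conntrack_max does not also
# match net.ipv4.ip_conntrack_max_foo). Values must not contain '|'.
set_sysctl_persist() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$file" 2>/dev/null; then
        sed "s|^[[:space:]]*$pat[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp" 2>/dev/null || :
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sysctl_persist <file> <key>: the value recorded for the key (last one
# wins, as sysctl itself does), empty if absent.
get_sysctl_persist() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*$pat[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# The two settings from the session: the larger table and a shorter idle
# timeout for ESTABLISHED entries. 3600 s is an assumed value for illustration;
# it must exceed the longest idle period of any live session you care about,
# or conntrack forgets the connection and its later packets no longer match
# ESTABLISHED.
tune_conntrack_conf() {
    set_sysctl_persist "$1" net.ipv4.ip_conntrack_max 65536
    set_sysctl_persist "$1" net.ipv4.netfilter.ip_conntrack_tcp_timeout_established 3600
}

# Demo on a scratch copy built to look like the /etc/sysctl.conf shown above.
demo=${TMPDIR:-/tmp}/sysctl.conf.demo.$$
cat > "$demo" <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
EOF
tune_conntrack_conf "$demo"
tune_conntrack_conf "$demo"    # running it again must not add duplicate lines
cat "$demo"
rm -f "$demo"

# Real thing: `sh conntrack-sysctl.sh --apply` as root edits /etc/sysctl.conf
# and loads it immediately.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    tune_conntrack_conf /etc/sysctl.conf && sysctl -p
fi
```

The grep-then-sed pair is what keeps the file clean: a setter that only appends leaves several lines for the same key, and since the last one wins it is easy to believe a value is in force when a later stale line overrides it.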
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT    (append to the filter table's INPUT chain a rule allowing ICMP echo-request, type 8, from anywhere to 172.16.100.1 whose state is NEW or ESTABLISHED: -A append a rule, -d destination address, -p protocol, --icmp-type ICMP message type, -m state match extension, --state connection state, -j target)
[root@Smoke ~]# iptables -t filter -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT    (append to the OUTPUT chain a rule allowing ICMP echo-reply, type 0, from 172.16.100.1 whose state is ESTABLISHED: -s source address; a reply is by definition part of an existing ICMP "connection", so ESTABLISHED alone suffices)
Test: from a Windows command prompt, ping 172.16.100.1; replies now arrive;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
[root@Smoke ~]# iptstate    (top-like view of the connection tracking table)
IPTables - State Top
Version: 1.4 Sort: SrcIP s to change sorting
Source Destination Proto State TTL
172.16.100.254:1701 172.16.100.1:22 tcp ESTABLISHED 119:59:01
172.16.100.254:1525 172.16.100.1:22 tcp ESTABLISHED 119:59:59
Note: only the two SSH entries appear, not because iptstate cannot display ICMP or UDP (it showed both earlier) but because an ICMP entry expires 30 seconds after the last packet and had already gone by the time iptstate ran; the successful ping shows that ICMP tracking worked;
[root@Smoke ~]# iptables -L -n --line-number    (list the filter table with rule numbers: -n numeric output, --line-numbers, abbreviated here, numbers the rules in each chain so they can be addressed by position)
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
2 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:22 state ESTABLISHED
2 ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:80 state ESTABLISHED
3 ACCEPT icmp -- 172.16.100.1 0.0.0.0/0 icmp type 0 state ESTABLISHED
[root@Smoke ~]# iptables -t filter -I OUTPUT -s 172.16.100.1 -m state --state ESTABLISHED -j ACCEPT    (insert at the top of the OUTPUT chain a rule allowing any packet from 172.16.100.1 that belongs to an ESTABLISHED connection, regardless of protocol or port: -I insert a rule, at position 1 by default, -s source address, -m state match extension, --state connection state, -j target. Every reply a server sends belongs to a connection already in the tracking table, so this one rule covers the SSH, HTTP and ICMP reply rules below it, which become redundant)
[root@Smoke ~]# iptables -t filter -L -n --line-number    (list the filter table with rule numbers: -n numeric output, --line-numbers show rule positions)
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
2 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 172.16.100.1 0.0.0.0/0 state ESTABLISHED
2 ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:22 state ESTABLISHED
3 ACCEPT tcp -- 172.16.100.1 0.0.0.0/0 tcp spt:80 state ESTABLISHED
4 ACCEPT icmp -- 172.16.100.1 0.0.0.0/0 icmp type 0 state ESTABLISHED
[root@Smoke ~]# iptables -t filter -L -n --line-number -v (same listing with -v: per-rule packet and byte counters plus the in/out interface columns)
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2937 210K ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
2 20 2632 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
3 4 240 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 77 7380 ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state ESTABLISHED
2 2094 208K ACCEPT tcp -- * * 172.16.100.1 0.0.0.0/0 tcp spt:22 state ESTABLISHED
3 20 1744 ACCEPT tcp -- * * 172.16.100.1 0.0.0.0/0 tcp spt:80 state ESTABLISHED
4 4 240 ACCEPT icmp -- * * 172.16.100.1 0.0.0.0/0 icmp type 0 state ESTABLISHED
[root@Smoke ~]# iptables -D OUTPUT 2 (delete rule 2 of the filter table's OUTPUT chain, the spt:22 rule, now redundant because rule 1 already accepts all ESTABLISHED traffic from the host)
[root@Smoke ~]# iptables -D OUTPUT 2 (the remaining rules are renumbered after each deletion, so rule 2 is now the spt:80 rule; delete it too)
[root@Smoke ~]# iptables -D OUTPUT 2 (and again for the icmp type 0 rule, which has moved up to position 2)
[root@Smoke ~]# iptables -t filter -L -n --line-number -v (verbose listing with rule numbers; OUTPUT is down to the single ESTABLISHED rule)
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3045 216K ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
2 20 2632 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
3 4 240 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 210 25464 ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state ESTABLISHED
Test: open http://172.16.100.1 in Internet Explorer on the Windows client; the page loads normally.
Test: ping 172.16.100.1 from the Windows command prompt; the host replies:
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[root@Smoke ~]# iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT (append to INPUT a rule accepting tcp to 172.16.100.1 port 21 in state NEW or ESTABLISHED; -A appends at the end of the chain, -d destination address, -p protocol, --dport destination port, -m loads an explicit match extension, --state the connection state, -j the target)
Test: connect to the FTP server on 172.16.100.1 from the Windows command prompt. The control connection is accepted, but authentication fails. This vsftpd was set up earlier with virtual users authenticated against MySQL, so the login makes the host open a connection to its own MySQL server, and traffic from the host to itself over the loopback interface is not allowed by any rule yet (both policies are DROP).
C:\Users\Smoke>ftp 172.16.100.1
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
User (172.16.100.1:(none)): tom (virtual user)
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye (quit)
421 Timeout.
[root@Smoke ~]# iptables -t filter -A INPUT -i lo -j ACCEPT (append to INPUT a rule accepting anything arriving on the lo interface; -i input interface)
[root@Smoke ~]# iptables -t filter -A OUTPUT -o lo -j ACCEPT (append to OUTPUT a rule accepting anything leaving through lo; -o output interface)
[root@Smoke ~]# ping 127.0.0.1 (confirm that loopback traffic now passes)
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.090 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.051 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.051/0.065/0.090/0.017 ms
Test: connect to the FTP server on 172.16.100.1 from the Windows command prompt again; authentication still fails, so something other than the firewall is involved as well (not tracked down here).
C:\Users\Smoke>ftp 172.16.100.1
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
User (172.16.100.1:(none)): tom
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.
[root@Smoke ~]# vim /etc/vsftpd/vsftpd.conf (inspect the vsftpd configuration)
[root@Smoke ~]# cd /etc/vsftpd/ (change to the vsftpd configuration directory)
[root@Smoke vsftpd]# ls (list the directory)
chroot_list ftpusers ssl user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh vusers
[root@Smoke vsftpd]# mv vsftpd.conf vsftpd.conf.virt (set the virtual-user configuration aside)
[root@Smoke vsftpd]# cp vsftpd.conf.bak vsftpd.conf (restore the plain configuration from the backup, taking MySQL out of the picture)
[root@Smoke vsftpd]# service vsftpd restart (restart vsftpd)
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Test: connect to the FTP server on 172.16.100.1 from the Windows command prompt. Anonymous login now succeeds, but ls shows nothing: no data connection can be established. The rules so far only cover the control connection on port 21; the directory listing travels over a second TCP connection whose ports are not known in advance. In active mode (PORT, which the Windows ftp client uses, as the "200 PORT command successful" line shows) the server opens the data connection from port 20 to a random port on the client; in passive mode (PASV) the client opens it to a random port above 1023 on the server. Accepting every port above 1023 would let either mode through, but that leaves the firewall nearly useless; connection tracking can instead recognise the data connection as RELATED to the control connection.
C:\Users\Smoke>ftp 172.16.100.1
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
User (172.16.100.1:(none)): ftp (anonymous user)
331 Please specify the password.
Password:
230 Login successful.
ftp> ls (list the current directory)
200 PORT command successful. Consider using PASV. (PORT means active mode, PASV passive mode; this client is in active mode)
ftp> bye (quit)
421 Timeout.
[root@Smoke vsftpd]# iptables -t filter -A INPUT -d 172.16.100.1 -p tcp -m state --state RELATED -j ACCEPT (append to INPUT a rule accepting tcp to 172.16.100.1 whose state is RELATED, the first attempt at letting the data connection through)
[root@Smoke vsftpd]# iptables -t filter -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
(the two "ACCEPT all 0.0.0.0/0 0.0.0.0/0" entries are the -i lo and -o lo rules: without -v the listing hides the interface columns, so they look like accept-everything rules; always review a rule set with -L -n -v)
[root@Smoke vsftpd]# iptables -t filter -R OUTPUT 1 -s 172.16.100.1 -m state --state ESTABLISHED,RELATED -j ACCEPT (replace rule 1 of OUTPUT with one accepting packets from 172.16.100.1 in state ESTABLISHED or RELATED; -R replaces the rule at the given position)
Test: connect to the FTP server on 172.16.100.1 from the Windows command prompt. Anonymous login succeeds, but the data connection still cannot be established. The guess at this point: the data connection's first packet is itself NEW (which is true as long as nothing tells conntrack how it relates to the control connection).
User (172.16.100.1:(none)): ftp (anonymous user)
331 Please specify the password.
Password:
230 Login successful.
ftp> ls (list the current directory)
200 PORT command successful. Consider using PASV.
ftp> bye (quit)
421 Timeout.
[root@Smoke vsftpd]# iptables -t filter -L -n --line-number (list the filter table numerically with rule numbers)
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
2 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
4 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke vsftpd]# iptables -t filter -R INPUT 6 -d 172.16.100.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT (replace rule 6 of INPUT with one accepting tcp to 172.16.100.1 in state ESTABLISHED or RELATED)
Test: connect to the FTP server from the Windows command prompt; anonymous login succeeds, the data connection still fails.
User (172.16.100.1:(none)): ftp (anonymous user)
331 Please specify the password.
Password:
230 Login successful.
ftp> ls (list the current directory)
200 PORT command successful. Consider using PASV.
ftp> bye (quit)
421 Timeout.
[root@Smoke vsftpd]# iptables -t filter -R INPUT 6 -d 172.16.100.1 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT (replace rule 6 of INPUT again, now also accepting NEW)
Test: connect to the FTP server from the Windows command prompt; anonymous login succeeds, the data connection still fails.
User (172.16.100.1:(none)): ftp (anonymous user)
331 Please specify the password.
Password:
230 Login successful.
ftp> ls (list the current directory)
200 PORT command successful. Consider using PASV.
ftp> bye (quit)
421 Timeout.
[root@Smoke vsftpd]# iptables -D INPUT 6 (delete rule 6 of INPUT; -D deletes the rule at the given position)
[root@Smoke vsftpd]# iptables -t filter -I INPUT 1 -d 172.16.100.1 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT (insert the same rule as rule 1 of INPUT, in case rule order was the problem)
Test: connect to the FTP server from the Windows command prompt; anonymous login succeeds, the data connection still fails. None of these INPUT changes could help: the client is in active mode, so the server opens the data connection, and its first packet traverses OUTPUT, where only ESTABLISHED and RELATED are accepted.
User (172.16.100.1:(none)): ftp (anonymous user)
331 Please specify the password.
Password:
230 Login successful.
ftp> ls (list the current directory)
200 PORT command successful. Consider using PASV.
ftp> bye (quit)
421 Timeout.
[root@Smoke vsftpd]# iptables -t filter -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Cause: accepting ESTABLISHED,RELATED in both directions is all that is needed. The data connection was never classified as RELATED because the ip_conntrack_ftp and ip_nat_ftp helper modules were not loaded. The helper parses the PORT/PASV exchange on the control connection and registers the expected data connection with conntrack, so that its first packet gets state RELATED instead of NEW. (Rule 1 as it stands, accepting NEW tcp to the host on any port, also defeats the purpose of the firewall and has to go.)
[root@Smoke vsftpd]# iptables -t filter -D INPUT 1 (delete rule 1 of INPUT, the over-broad NEW,RELATED,ESTABLISHED rule)
[root@Smoke vsftpd]# iptables -A INPUT -d 172.16.100.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT (append the ESTABLISHED,RELATED rule to INPUT)
[root@Smoke vsftpd]# modprobe ip_conntrack_ftp (load the FTP connection-tracking helper)
[root@Smoke vsftpd]# modprobe ip_nat_ftp (load the FTP NAT helper, needed when FTP traffic is NATed; on current kernels the modules are named nf_conntrack_ftp and nf_nat_ftp)
[root@Smoke vsftpd]# lsmod | grep ip (list loaded kernel modules and keep the ip-related ones; ip_conntrack_ftp now shows up, used by ip_nat_ftp)
ip_nat_ftp 7361 0
ip_nat 20973 1 ip_nat_ftp
ip_conntrack_ftp 11569 1 ip_nat_ftp
ip_conntrack_netbios_ns 6977 0
ip_conntrack 53409 5 ip_nat_ftp,ip_nat,ip_conntrack_ftp,xt_state,ip_conntrack_netbios_ns
nfnetlink 10713 2 ip_nat,ip_conntrack
iptable_filter 7105 1
ip_tables 17029 1 iptable_filter
x_tables 17349 3 xt_state,ip_tables,xt_tcpudp
ipv6 272545 29 cnic
xfrm_nalgo 13381 1 ipv6
dm_multipath 27213 0
scsi_dh 12481 1 dm_multipath
dm_mod 63993 4 dm_mirror,dm_multipath,dm_raid45,dm_log
[root@Smoke vsftpd]# iptables -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Test: connect to the FTP server on 172.16.100.1 from the Windows command prompt; both the control connection and the data connection now work, and ls returns the directory listing:
C:\Users\Smoke>ftp 172.16.100.1
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
User (172.16.100.1:(none)): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
pub
upload
226 Directory send OK.
ftp: 13 bytes received in 0.00 seconds 13.00 Kbytes/sec.
ftp> bye
221 Goodbye.
[root@Smoke vsftpd]# vim /etc/sysconfig/iptables-config (make the helper modules load whenever the iptables service starts; a plain modprobe does not survive a reboot)
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp ip_conntrack_netbios_ns" (modules the init script loads after applying the rules)
[root@Smoke vsftpd]# cd (back to the home directory)
[root@Smoke ~]# iptables -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# service iptables save (write the running rules to /etc/sysconfig/iptables; rules changed with the iptables command exist only in the kernel until saved)
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@Smoke ~]# iptables -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# iptables -t filter -I INPUT -d 172.16.100.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT (insert at the top of INPUT a rule accepting tcp to 172.16.100.1 in state ESTABLISHED or RELATED; placed first so that the bulk of the traffic, packets on existing connections, is accepted by the first rule evaluated instead of the last)
[root@Smoke ~]# iptables -L -n (list the filter table numerically; the same rule is now present twice, at positions 1 and 7)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# iptables -t filter -D INPUT 7 (delete rule 7 of INPUT, the duplicate ESTABLISHED,RELATED rule at the bottom)
[root@Smoke ~]# iptables -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# service iptables save (save the rules)
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@Smoke ~]# vim /etc/sysconfig/iptables (edit the saved rule file directly; it is in iptables-save format, and is shown here after the edit explained below it)
# Generated by iptables-save v1.3.5 on Mon Nov 24 06:38:17 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [49:3014]
-A INPUT -d 172.16.100.1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 172.16.100.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -d 172.16.100.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d 172.16.100.1 -p icmp -m icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 172.16.100.1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -s 172.16.100.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Nov 24 06:38:17 2014
Note: the ESTABLISHED part of rules 2, 3 and 5 can never be reached, because rule 1 already accepts every ESTABLISHED tcp packet to this host; so ESTABLISHED was removed from rules 2, 3 and 5 in the file, leaving only NEW (rule 4 keeps NEW,ESTABLISHED because rule 1 is limited to tcp and does not cover icmp). This is the general pattern: one RELATED,ESTABLISHED rule at the top handles every reply packet, and the per-service rules only decide which NEW connections are allowed.
[root@Smoke ~]# service iptables reload (reload the rules from /etc/sysconfig/iptables)
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_nat_ftp ip_conntrack_ftp ip_conntrack_netbios_ns [ OK ]
(note the order of the messages: the chains are flushed and set to policy ACCEPT before the new rules are applied, so there is a short window with no filtering at all; iptables-restore on its own replaces a table atomically)
[root@Smoke ~]# iptables -L -n (list the filter table numerically; the dpt:22, dpt:80 and dpt:21 rules now match NEW only)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# man iptables (look up the multiport match in the iptables manual)
multiport (multiple-port match)
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with -p tcp or -p udp.
--source-ports [!] port[,port[,port:port...]] (source ports)
Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option.
--destination-ports [!] port[,port[,port:port...]] (destination ports)
Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.
--ports [!] port[,port[,port:port...]] (either source or destination port)
Match if either the source or destination ports are equal to one of the given ports.
[root@Smoke ~]# iptables -L -n (list the filter table before consolidating the three per-port rules)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# iptables -I INPUT 2 -d 172.16.100.1 -p tcp -m multiport --destination-ports 21,22,80 -m state --state NEW -j ACCEPT (insert as rule 2 of INPUT, right behind the RELATED,ESTABLISHED rule, a single rule accepting NEW tcp connections to 172.16.100.1 on port 21, 22 or 80; -I CHAIN N inserts at position N, -m multiport loads the multiport match and --destination-ports gives its port list, -m state --state NEW stacks the state match on top)
[root@Smoke ~]# iptables -L -n (list the filter table numerically; the new rule is at position 2 and the three per-port rules it replaces are still below it)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:21 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# iptables -D INPUT 3 (delete rule 3 of INPUT, the dpt:22 rule, which the multiport rule now covers)
[root@Smoke ~]# iptables -D INPUT 3 (rules are renumbered after each deletion: rule 3 is now the dpt:80 rule; delete it)
[root@Smoke ~]# iptables -D INPUT 4 (the icmp rule has moved up to 3 and dpt:21 to 4; delete the dpt:21 rule)
[root@Smoke ~]# iptables -L -n (list the filter table; INPUT is down to four rules)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
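The rule set this section arrives at (FTP helper, one RELATED,ESTABLISHED rule at the top, one multiport rule for NEW connections), as an added example that is not part of the original notes: a shell function that prints it in iptables-save format so it can be loaded in one step with iptables-restore instead of being assembled rule by rule. It generalises the page's rules in three ways, each marked in the comments: the RELATED,ESTABLISHED rule is not restricted to tcp, the ICMP limit rule is followed by an explicit DROP so the limit works on its own, and a raw-table CT rule assigns the FTP helper explicitly, which kernels from 4.7 on require because automatic helper assignment is off by default there. The host address and port list are parameters; the values used are this page's.

```shell
#!/bin/sh
# gen_ruleset HOST PORTS -> prints an iptables-restore file on stdout.
# Added example (not from the original notes). HOST and PORTS are
# parameters; 172.16.100.1 and 21,22,80 are the values used on this page.
gen_ruleset() {
    host=$1
    ports=$2
    cat <<EOF
# raw table: assign the FTP conntrack helper explicitly (needs nf_conntrack_ftp
# loaded). Kernels since 4.7 no longer attach helpers automatically
# (net.netfilter.nf_conntrack_helper defaults to 0), so loading the module is
# not enough there.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $host -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: local services (the MySQL lookup behind vsftpd) need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one stateful rule handles every reply packet; not restricted to tcp, so that
# ICMP errors (RELATED) and UDP replies are covered as well
-A INPUT -d $host -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# per-service rules only decide which NEW connections are allowed
-A INPUT -d $host -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
# a limit match only limits if the excess is dropped afterwards: the explicit
# DROP right behind it does that, independent of the chain policy
-A INPUT -d $host -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
-A INPUT -d $host -p icmp --icmp-type 8 -j DROP
-A OUTPUT -s $host -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage: gen_ruleset 172.16.100.1 21,22,80 > /etc/sysconfig/iptables
#        iptables-restore < /etc/sysconfig/iptables
gen_ruleset "${1:-172.16.100.1}" "${2:-21,22,80}"
```

On the CentOS 5 system used in these notes iptables 1.3.5 has no CT target; drop the *raw section there and rely on IPTABLES_MODULES as shown above. As on the page, OUTPUT only accepts replies, so the host itself cannot originate connections (DNS lookups, package updates); add OUTPUT rules for those if the host needs them.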
Extended matches
Implicit extensions (loaded automatically by -p PROTOCOL)
-p tcp
--sport PORT[:PORT]: source port or port range
--dport PORT[:PORT]: destination port or port range
--tcp-flags mask comp: examine only the flags listed in mask (comma-separated); the flags listed in comp must be set (1), and every flag that is in mask but not in comp must be clear (0)
--tcp-flags SYN,FIN,ACK,RST SYN is what --syn expands to (inspect SYN, FIN, ACK and RST; only SYN may be set, the other three must be 0)
--syn: matches only the first packet of the TCP three-way handshake
-p icmp
--icmp-type: ICMP message type
0: echo-reply (ICMP echo reply)
8: echo-request (ICMP echo request)
-p udp
--sport PORT[:PORT]: source port
--dport PORT[:PORT]: destination port
-p tcp --dport is shorthand for -p tcp -m tcp --dport: the implicit extension is just the tcp match module loaded for you
Explicit extensions: additional match modules selected with -m
-m EXTENSION --extension-option: name the extension, then use its options
state: connection-state match
relies on ip_conntrack (nf_conntrack on current kernels), which tracks sessions
NEW: the first packet of a new connection, e.g. the SYN of a TCP handshake
ESTABLISHED: a tracked connection that has seen packets in both directions, e.g. a TCP connection once the handshake is done (for UDP and ICMP the state is inferred from request and reply traffic)
INVALID: a packet that cannot be associated with any tracked connection or carries an impossible flag combination such as SYN=1,FIN=1
RELATED: a new connection that belongs to an existing one, e.g. an FTP data connection or an ICMP error about a tracked connection
-m state --state NEW,ESTABLISHED -j ACCEPT (accept packets whose state is NEW or ESTABLISHED)
for FTP the ip_conntrack_ftp and ip_nat_ftp helper modules (nf_conntrack_ftp and nf_nat_ftp on current kernels) must be loaded first, otherwise the data connection is never classified as RELATED
iptables -A INPUT -d 172.16.100.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
multiport: match a set of non-contiguous ports (at most 15; a range counts as two)
--source-ports (alias --sports): source ports; discrete ports are separated by commas, a range by a colon
--destination-ports (alias --dports): destination ports; same syntax
--ports: match if either the source or the destination port is in the set
-m multiport --destination-ports 21,22,80 -j ACCEPT (destination port 21, 22 or 80)
-m multiport --destination-ports 21:23,80 -j ACCEPT (destination port 21, 22, 23 or 80)
-m iprange: address-range match
--src-range IP-IP: source address range; negate with !
--dst-range IP-IP: destination address range; negate with !
-s and -d accept a single IP or a network in CIDR form, e.g. 172.16.0.0/16; an arbitrary range such as 172.16.100.3-172.16.100.100 needs -m iprange
iptables -A INPUT -p tcp -m iprange --src-range 172.16.100.3-172.16.100.100 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-m connlimit: limit the number of parallel connections per client address
! --connlimit-above n: match while the client has at most n connections (without the ! the rule matches once the client exceeds n, which is the form used with REJECT)
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m connlimit ! --connlimit-above 2 -j ACCEPT (accept connections to port 80 on 172.16.100.1 only while the client has no more than 2)
-m limit: rate limit (token bucket)
--limit RATE: average rate, e.g. 3/minute
--limit-burst NUMBER: bucket size, i.e. how many packets may match before the rate applies
-m string: payload content match
--algo {bm|kmp}: string search algorithm (Boyer-Moore or Knuth-Morris-Pratt)
--string "STRING": match packets whose payload contains STRING, e.g. to reject requests that contain a given string
-j TARGET
LOG: log the packet and continue with the next rule (LOG is non-terminating, so a DROP or REJECT for the same traffic has to follow it)
--log-level LEVEL: syslog level
--log-prefix "STRING": prefix to tell log entries apart
--log-tcp-sequence: log TCP sequence numbers
--log-tcp-options: log TCP options
--log-ip-options: log IP options
--log-uid: log the UID of the local process that generated the packet (OUTPUT chain only)
NAT
FORWARD
[root@Smoke ~]# man iptables (look up the iprange, connlimit and limit matches)
iprange (address-range match)
This matches on a given arbitrary range of IPv4 addresses
[!]--src-range ip-ip (source address range)
Match source IP in the specified range.
[!]--dst-range ip-ip (destination address range)
Match destination IP in the specified range.
connlimit (connection-count limit)
Allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
[!] --connlimit-above n (the connection limit)
match if the number of existing tcp connections is (not) above n
--connlimit-mask bits
group hosts using mask
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
limit (rate limiting)
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the '!' flag is used). It can be used in combination with the LOG target to give limited logging, for example. (token bucket: the bucket holds --limit-burst tokens, each matching packet spends one, and tokens are replenished at the --limit rate)
--limit rate (average rate: how many packets may match per unit of time once the burst is used up)
Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.
--limit-burst number (bucket size: how many packets may match back to back before the rate applies)
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
[root@Smoke ~]# iptables -L -n (list the filter table numerically: -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# iptables -I INPUT -d 172.16.100.1 -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 3 -j ACCEPT (insert at the top of INPUT a rule accepting tcp to 172.16.100.1 port 22 at an average of 3 packets per minute with a burst of 3; -m limit loads the limit match, --limit its rate, --limit-burst its bucket size)
[root@Smoke ~]# iptables -t filter -L -n (list the filter table numerically)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 limit: avg 3/min burst 3
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Test: open several ssh sessions to 172.16.100.1 in quick succession with Xshell on Windows; the limit has no effect, every session connects.
Reason: once the bucket is empty the limit match simply stops matching, and the packet continues to the next rule instead of being dropped; here rule 3 (multiport dports 21,22,80 state NEW) still accepts the SYN. The counters below show it: rule 1 took the first 19 packets, the rest went through the other rules. A limit rule only limits when the traffic it stops matching is dropped or rejected afterwards, by an explicit rule or by the chain policy. The rule has a second flaw: it counts every packet to port 22, not only new connections, so the ACKs of an existing session drain the bucket as well; a real rule would match --syn or -m state --state NEW.
[root@Smoke ~]# iptables -t filter -L -n -v (verbose listing with counters)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19 1345 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22 limit: avg 3/min burst 3
1632 137K ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
10 520 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED
48 4176 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1476 207K ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
48 4176 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
[root@Smoke ~]# iptables -D INPUT 1 (delete rule 1 of INPUT, the ineffective ssh limit rule)
Test: ping 172.16.100.1 from the Windows command prompt to check reachability before rate-limiting ICMP:
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[root@Smoke ~]# iptables -R INPUT 3 -d 172.16.100.1 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -m limit --limit 1/second -j ACCEPT (replace rule 3 of INPUT, the echo-request rule, with one that additionally applies -m limit --limit 1/second, the burst left at its default of 5; -R replaces the rule at the given position, and two -m options stack both matches on one rule)
[root@Smoke ~]# iptables -t filter -L -n (list the filter table numerically; the listing shows the default burst of 5)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 1/sec burst 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Test: continuous ping (ping -t) from the Windows command prompt; no request is dropped. Reason: ping sends one echo request per second and the bucket refills one token per second, so the burst of 5 is never used up. Unlike the ssh attempt, this rule would limit once exceeded, since no later rule accepts icmp and the INPUT policy is DROP.
C:\Users\Smoke>ping 172.16.100.1 -t
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 7, Received = 7, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[root@Smoke ~]# iptables -R INPUT 3 -d 172.16.100.1 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -m limit --limit 5/minute -j ACCEPT (replace rule 3 of INPUT again, now with an average of 5 echo requests per minute; the burst stays at the default 5)
Test: continuous ping from the Windows command prompt; the limit now takes effect. The first 5 requests spend the burst, after that one request is accepted roughly every 12 seconds (5 per minute) and the others fall through to the DROP policy, which the client reports as timeouts:
C:\Users\Smoke>ping 172.16.100.1 -t
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Request timed out.
Request timed out.
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Request timed out.
Ping statistics for 172.16.100.1:
Packets: Sent = 9, Received = 6, Lost = 3 (33% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[root@Smoke ~]# iptables -R INPUT 3 -d 172.16.100.1 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -m limit --limit 5/minute --limit-burst 6 -j ACCEPT (replace rule 3 of INPUT once more, same rate but a bucket of 6: --limit-burst sets the bucket size)
Test: continuous ping from the Windows command prompt; 6 replies before the first timeout this time, then again one accepted request per 12 seconds:
C:\Users\Smoke>ping 172.16.100.1 -t
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Request timed out.
Request timed out.
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
Packets: Sent = 11, Received = 7, Lost = 4 (36% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[root@Smoke ~]# iptables -L -n (list the filter table; rule 3 now shows avg 5/min burst 6)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
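A simulation of the limit match's token bucket, added here as an example (not code from the original notes) that reproduces the three ping runs above. The timestamps are constructed: one echo request per second, with a gap of about four seconds after each timeout, which is how the Windows ping client behaves. The bucket is modelled as BURST tokens refilled one every 60/RATE seconds; the kernel keeps its credit in finer units, but the accept/drop pattern for these inputs is the same.

```shell
#!/bin/sh
# limit_sim RATE_PER_MINUTE BURST T1 T2 ...
# Prints one character per packet: A = the limit rule matched (accepted),
# D = bucket empty, the packet falls through (here: to the DROP policy).
# Timestamps are whole seconds. Added example, not from the original notes;
# a simplified model of the kernel's token bucket.
limit_sim() {
    rate=$1
    burst=$2
    shift 2
    interval=$(( 60 / rate ))        # seconds needed to earn one token
    cap=$(( burst * interval ))      # bucket capacity, in credit-seconds
    credit=$cap                      # the bucket starts full
    prev=0
    out=""
    for t in "$@"; do
        credit=$(( credit + t - prev ))   # refill for the time elapsed
        prev=$t
        if [ "$credit" -gt "$cap" ]; then
            credit=$cap                   # never more than the burst
        fi
        if [ "$credit" -ge "$interval" ]; then
            credit=$(( credit - interval ))   # spend one token: rule matches
            out="${out}A"
        else
            out="${out}D"                 # bucket empty: rule does not match
        fi
    done
    printf '%s\n' "$out"
}

# The three runs above (constructed timestamps, see the lead-in):
limit_sim 60 5 0 1 2 3 4 5 6                # --limit 1/second, burst 5: AAAAAAA
limit_sim 5 5 0 1 2 3 4 5 10 14 15          # --limit 5/minute, burst 5: AAAAADDAD
limit_sim 5 6 0 1 2 3 4 5 6 11 15 16 21     # --limit 5/minute, burst 6: AAAAAADDADD
```

The output mirrors the reply/timeout pattern of each ping run: at 1/second the refill keeps pace with the client and the bucket never empties, at 5/minute the burst is spent in the first seconds and afterwards one request in twelve seconds gets a token. For the ssh rule (3/minute, burst 3) the model gives AAAD for four packets in the same second, but on the page the fourth packet was still accepted by the multiport rule behind it; the bucket only decides whether the limit rule matches, the chain decides what happens next.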
[root@Smoke ~]# man iptables (look up the string match)
string
This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. (searches the packet payload for a pattern; needs kernel 2.6.14 or later)
--algo bm|kmp (search algorithm: Boyer-Moore or Knuth-Morris-Pratt)
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
Set the offset up to which it looks for a match. If not passed, default is the packet size.
--string pattern (the string to look for; the idea here is to reject any packet whose payload contains it)
Matches the given pattern.
--hex-string pattern
Matches the given pattern in hex notation. (--hex-string takes the pattern as hex, for binary content or characters that are awkward to type)
[root@Smoke ~]# vim /var/www/html/test.html (edit test.html so that its body contains the string we will filter on)
h7n9
hello world
Test: open http://172.16.100.1/ from the Windows IE browser; the page loads normally;

Test: open http://172.16.100.1/test.html from the Windows IE browser; the page loads normally;

[root@Smoke ~]# iptables -I INPUT -d 172.16.100.1 -m string --algo kmp --string "h7n9" -j REJECT (insert into the filter table's INPUT chain a rule that rejects any packet destined for 172.16.100.1 whose payload contains the string h7n9; -I inserts a rule, at position 1 when no position is given, -d destination address, -m loads an extension match, --algo string-matching algorithm, --string pattern to look for, -j target)
[root@Smoke ~]# iptables -L -n (list the rules of the filter table, numeric output; -L lists the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy DROP)
target prot opt source destination
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Test: open http://172.16.100.1/ from the Windows IE browser; the page loads normally;

Test: open http://172.16.100.1/test.html from the Windows IE browser; the page still loads normally, because the INPUT chain only sees the request and "GET /test.html" does not contain h7n9; the string is only in the response body;

[root@Smoke ~]# iptables -L -n -v (list the filter table with per-rule packet and byte counters; -L lists the given table, -n numeric output, -v verbose)
Chain INPUT (policy DROP 58 packets, 3480 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-
with icmp-port-unreachable
679 53437 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
6 312 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
7 420 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min
burst 6
8 696 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
567 73509 ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
8 696 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Note: the first rule (the string REJECT on INPUT) has matched no packets at all; the counters are the authoritative way to tell whether a rule ever fires;
[root@Smoke ~]# cd /var/www/html/ (change to /var/www/html)
[root@Smoke html]# ls (list the files in the current directory)
index.html test.html
[root@Smoke html]# mv test.html h7n9.html (rename test.html to h7n9.html)
Test: open http://172.16.100.1/h7n9.html from the Windows IE browser; the page cannot be loaded. This shows where the earlier test went wrong: the request line "GET /h7n9.html" arrives on INPUT and now contains the string, so the INPUT rule fires. With test.html the string was only in the page body, which travels in the response, and the response leaves the host through the OUTPUT chain; to filter content served by this host, the rule must be placed on OUTPUT;

[root@Smoke html]# iptables -I OUTPUT -s 172.16.100.1 -m string --algo kmp --string "h7n9" -j REJECT (insert into the filter table's OUTPUT chain a rule that rejects any packet sent from 172.16.100.1 whose payload contains the string h7n9; -I inserts a rule, at position 1 by default, -s source address, -m loads an extension match, --algo string-matching algorithm, --string pattern to look for, -j target)
[root@Smoke html]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke html]# mv h7n9.html test.html (rename h7n9.html back to test.html, so the string is again only in the page body)
Test: open http://172.16.100.1/test.html from the Windows IE browser; the page loads normally;

[root@Smoke html]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke html]# iptables -L -n -v (list the filter table with packet and byte counters)
Chain INPUT (policy DROP 58 packets, 3480 bytes)
pkts bytes target prot opt in out source destination
44 19612 REJECT all -- * * 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-
with icmp-port-unreachable
1162 86856 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
14 728 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
7 420 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min
burst 6
8 696 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 2892 REJECT all -- * * 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-
with icmp-port-unreachable
990 128K ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
8 696 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Test: clear the browser cache, then open http://172.16.100.1/test.html from the Windows IE browser; the page cannot be loaded. (Without clearing the cache the browser shows its cached copy and never sends a request, which makes the rule look as if it did not work; when testing content filters, always defeat the cache first.)

[root@Smoke html]# iptables -L -n -v (list the filter table with packet and byte counters)
Chain INPUT (policy DROP 58 packets, 3480 bytes)
pkts bytes target prot opt in out source destination
44 19612 REJECT all -- * * 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-w
ith icmp-port-unreachable
1321 98317 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
22 1144 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
7 420 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min
burst 6
8 696 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 4890 REJECT all -- * * 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with
icmp-port-unreachable
1221 161K ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
8 696 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Note: the OUTPUT string rule now matches packets (12 packets, 4890 bytes so far); the 44 packets on the INPUT rule are left over from the h7n9.html requests;
[root@Smoke html]# man iptables (look up the LOG target in the iptables man page)
LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will
print some information on all matching packets (like most IP header fields) via the kernel log (where it
can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues
at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same
matching criteria, first using target LOG then DROP (or REJECT).
--log-level level (syslog priority of the messages)
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix (text placed in front of each message; end it with a space so it does not run into the IN= field)
Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence (log the TCP sequence numbers)
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options (log the options in the TCP header)
Log options from the TCP packet header.
--log-ip-options (log the options in the IP header)
Log options from the IP packet header.
--log-uid (log the UID of the local process that generated the packet; only meaningful for locally generated traffic, i.e. in the OUTPUT chain)
Log the userid of the process which generated the packet.
/LOG
[root@Smoke html]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Note: when LOG is combined with DROP, ACCEPT or REJECT, the LOG rule must be placed above the terminating rule and carry the same match criteria; LOG does not stop traversal, so the packet goes on to the next rule, whereas a terminating rule placed first would never let the packet reach the LOG rule. On a chain exposed to untrusted traffic, pair LOG with -m limit as well, otherwise a packet flood becomes a kernel-log flood;
[root@Smoke html]# iptables -L -n --line-number (list the filter table with rule numbers; the option is --line-numbers, iptables accepts the unambiguous abbreviation; the number shown is the position that -I, -R and -D take as their rule number)
Chain INPUT (policy DROP)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
2 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
4 ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
2 ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@Smoke html]# iptables -I INPUT 4 -d 172.16.100.1 -p icmp --icmp-type 8 -j LOG --log-prefix "--firewall log for icmp--" (insert as rule 4 of the filter table's INPUT chain, directly above the ACCEPT rule for echo requests, a rule that logs every ICMP echo-request addressed to 172.16.100.1; -I inserts at the given position, position 1 when none is given, -d destination address, -p protocol, --icmp-type ICMP type, -j target. LOG is non-terminating, so the packet continues to rule 5 and is accepted or rate-limited there as before)
Test: ping 172.16.100.1 from the Windows command prompt;
C:\Users\Smoke>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time=1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
[root@Smoke html]# tail /var/log/messages (show the last 10 lines of the messages log)
Nov 24 08:24:31 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 24 08:24:31 localhost kernel: FAT: Directory bread(block 16389) failed
Nov 24 08:24:31 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 24 08:24:31 localhost kernel: FAT: Directory bread(block 16390) failed
Nov 24 08:24:31 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 24 08:24:31 localhost kernel: FAT: Directory bread(block 16391) failed
Nov 24 09:46:22 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2816 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 24 09:46:23 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2817 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Nov 24 09:46:24 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2818 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Nov 24 09:46:25 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2819 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=4
[root@Smoke html]# tail -f /var/log/messages (follow the log; -f keeps printing lines as they are appended, so each new echo request shows up as it arrives; the output starts with the same ten lines as above)
Note: the prefix runs straight into "IN=" because it was given without a trailing space, which is why a space at the end of --log-prefix is recommended. The MAC field is the destination MAC (00:0c:29:cc:fa:ae, this host's eth0), the source MAC (02:00:4c:4f:4f:50) and the EtherType (08:00 = IPv4) concatenated; ID appears twice, first the IP header identification and then the ICMP echo identifier;
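As an added example, not part of the original notes: a small Python parser for the kernel LOG lines shown above. It separates the syslog header, the rule's prefix and the key=value fields, splits the MAC field into its three parts, and counts echo requests per source and prefix, which is the first step a detection pipeline takes before deciding whether a source is scanning. The sample lines are copied from the tail output above plus one unrelated kernel line, embedded here so the script runs offline; only the standard library is used.

```python
import re
from collections import Counter

# Sample taken from the tail /var/log/messages output above, plus one kernel line
# that is not from iptables LOG, to show that such lines are skipped.
SAMPLE_LOG = """\
Nov 24 08:24:31 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 24 09:46:22 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2816 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 24 09:46:23 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2817 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Nov 24 09:46:24 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2818 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Nov 24 09:46:25 localhost kernel: --firewall log for icmp--IN=eth0 OUT= MAC=00:0c:29:cc:fa:ae:02:00:4c:4f:4f:50:08:00 SRC=172.16.100.254 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2819 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=4
"""

# syslog header, then whatever the kernel printed; the LOG target's own text starts at "IN="
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict of the LOG fields, or None for kernel lines that did not come from iptables LOG."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    pos = msg.find("IN=")
    if pos < 0:
        return None
    # everything before IN= is the --log-prefix (here without the recommended trailing space)
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": msg[:pos].rstrip()}
    for key, val in KV_RE.findall(msg[pos:]):
        if key in rec:          # ID= appears twice for ICMP: IP header ID, then echo identifier
            key = key + "2"
        rec[key] = val
    mac = rec.get("MAC", "")
    if len(mac) == 41:          # 14 bytes as colon-separated hex: dst MAC, src MAC, EtherType
        rec["dst_mac"], rec["src_mac"], rec["ethertype"] = mac[:17], mac[18:35], mac[36:]
    return rec


def echo_requests_by_source(text):
    """Count ICMP echo-request (TYPE=8) log entries per (prefix, source address)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8":
            counts[(rec["prefix"], rec["SRC"])] += 1
    return counts


if __name__ == "__main__":
    for (prefix, src), n in echo_requests_by_source(SAMPLE_LOG).items():
        print(f"{prefix!r}: {n} echo requests from {src}")
```

Feed it `journalctl -k` or /var/log/messages output instead of the sample and the same counter tells you, per prefix, which sources hit the logged rule and how often; the prefix is what lets one parser serve several LOG rules.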
Exercise: work out what each of the following rules does:
# iptables -N clean_in
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
# iptables -A clean_in -d 172.16.100.7 -j RETURN
# iptables -A INPUT -d 172.16.100.7 -j clean_in
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP
# iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
Using the iptables recent module to mitigate DoS attacks against a service
ssh: remote login,
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP (insert into the filter table's INPUT chain a rule that drops tcp/22 packets from any source IP that already has more than 3 connections open; -I inserts, at position 1 by default, -p protocol, --dport destination port, -m loads an extension match, --connlimit-above connection ceiling per source, -j target)
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH (insert a rule that records the source IP of every NEW connection to tcp/22 in the recent list named SSH; there is no -j, so the packet continues down the chain; --state connection-tracking state, -m recent keeps a list of the addresses that recently sent packets matching the rule, --set adds the packet's source address to the list or refreshes an existing entry, --name the list to use, DEFAULT when omitted)
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP (insert a rule that drops a NEW connection to tcp/22 from a source the SSH list has already seen 3 or more times within the last 300 seconds; --update checks the list like --rcheck and, on a match, also adds a fresh timestamp to the entry, --seconds length of the window, --hitcount hits required inside it, --name list name, -j target. Because each command inserts at position 1, the final order is: this DROP rule, then the --set rule, then the connlimit rule)
1. connlimit caps the number of simultaneous connections from one source IP at 3; this also catches many users sitting behind one NAT address, so raise the value to suit the environment;
2. recent together with state limits one IP to 3 new connections per 300 s. Because --update records every dropped attempt as well, a client that keeps retrying (three or more attempts per 300 s) stays blocked for as long as it keeps trying; with --rcheck instead of --update the dropped attempts are not recorded and the block lifts 300 s after the last accepted attempt.
Explanation of the last two rules:
1. The second rule records the source of every new connection to tcp port 22 in a list named SSH
--set records the source IP of the packet; if the IP is already in the list its entry is updated
2. The third rule drops packets from an IP in the SSH list that has been seen 3 or more times within 300 s, i.e. the fourth new connection in the window is the first one dropped
--update refreshes the entry's timestamp on every match;
--seconds must be used together with --rcheck or --update
--hitcount must be used together with --rcheck or --update
3. The list can be inspected in /proc/net/ipt_recent/SSH (on kernels where the module is xt_recent, in /proc/net/xt_recent/SSH); writing to the file clears or edits entries
The same check can log instead of drop; note that -A appends the rule at the end of the chain, behind the ACCEPT rules, so it must instead be inserted directly above the DROP rule to see any packets (the prefix is given with a trailing space so that it stays separate from the IN= field):
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 300 --hitcount 3 -j LOG --log-prefix "SSH Attack "
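To see exactly when the recent rules above start dropping, here is a model of the --set / --rcheck / --update semantics as implemented by xt_recent (an added example, not part of the original notes and not the kernel's code). It replays a list of (time, source) NEW connections to tcp/22 against the two rule orders that occur in these notes: the order produced by three plain -I commands (DROP rule above the --set rule) and the order produced later with -I INPUT 3 / -I INPUT 4 (--set rule above the DROP rule). The attempt lists are constructed; the 20-timestamps-per-entry limit is the module's default (ip_pkt_list_tot).

```python
from collections import defaultdict, deque

STAMPS_PER_ENTRY = 20  # kernel default ip_pkt_list_tot; --hitcount may not exceed it


class RecentList:
    """One named list, like /proc/net/xt_recent/<name>: a bounded ring of timestamps per source IP."""

    def __init__(self, name):
        self.name = name
        self.entries = defaultdict(lambda: deque(maxlen=STAMPS_PER_ENTRY))

    def set(self, ip, now):
        # --set: record the packet's source address, creating the entry if needed; always matches
        self.entries[ip].append(now)
        return True

    def _recent_hits(self, ip, now, seconds, hitcount):
        if ip not in self.entries:
            return False
        hits = sum(1 for t in self.entries[ip] if now - t <= seconds)
        return hits >= hitcount

    def rcheck(self, ip, now, seconds, hitcount):
        # --rcheck: match if the source was seen at least `hitcount` times in the last `seconds`
        return self._recent_hits(ip, now, seconds, hitcount)

    def update(self, ip, now, seconds, hitcount):
        # --update: like --rcheck, but a match also appends a new timestamp to the entry
        matched = self._recent_hits(ip, now, seconds, hitcount)
        if matched:
            self.entries[ip].append(now)
        return matched


def simulate(attempts, check="update", check_first=True, seconds=300, hitcount=3):
    """attempts: list of (time_in_seconds, source_ip), one per NEW connection to tcp/22.

    check_first=True  : DROP rule (--update/--rcheck) sits above the --set rule, as built with plain -I.
    check_first=False : --set rule sits above the DROP rule, as built with -I INPUT 3 / -I INPUT 4.
    Returns the verdict for each attempt in order.
    """
    ssh = RecentList("SSH")
    checker = ssh.update if check == "update" else ssh.rcheck
    verdicts = []
    for now, ip in attempts:
        if check_first:
            if checker(ip, now, seconds, hitcount):
                verdicts.append("DROP")
                continue
            ssh.set(ip, now)
        else:
            ssh.set(ip, now)
            if checker(ip, now, seconds, hitcount):
                verdicts.append("DROP")
                continue
        verdicts.append("ACCEPT")   # falls through to the later ACCEPT rule for NEW tcp/22
    return verdicts


if __name__ == "__main__":
    burst = [(t, "172.16.100.254") for t in (0, 1, 2, 3, 4)]   # constructed: 5 attempts in 5 s
    print("check first:", simulate(burst))
    print("set first:  ", simulate(burst, check_first=False))
```

Run it and the two orders differ by one: with the DROP rule first, the fourth attempt in the window is dropped; with --set first, the attempt is recorded before it is counted and the third is already dropped. Replaying a slow retry every 100 s shows the other point made above: under --update the block never expires while the retries continue, under --rcheck it lifts once the recorded attempts age out of the 300 s window.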
NAT: Network Address Translation
DNAT: destination address translation (PREROUTING, and OUTPUT for locally generated packets);
SNAT: source address translation (POSTROUTING, after the routing decision);
ip_forward
/proc/sys/net/ipv4/ip_forward: set to 1 so that the kernel forwards packets between its interfaces; without it the FORWARD chain never sees traffic;
-j SNAT
--to-source: the address, or range of addresses, the source address is rewritten to;
-j MASQUERADE: the SNAT variant for an external interface whose IP address is assigned dynamically; it always uses the interface's current address and forgets its connections when the interface goes down;
ADSL: 123.2.3.2
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source 123.2.3.2-123.2.3.5
192.168.0.223 192.168.0.254 www.magedu.com
-j DNAT
--to-destination IP[:port]: rewrite the public destination address to the internal server's address, optionally changing the port as well;
PNAT: Port NAT, port translation (the :port part of --to-destination);
[root@Smoke html]# cd (back to the home directory)
[root@Smoke ~]# iptables -N clean_in (create the user-defined chain clean_in)
[root@Smoke ~]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
LOG icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall log for icmp--'
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain clean_in (0 references) (the number of rules that jump to this chain)
target prot opt source destination
[root@Smoke ~]# iptables -t filter -A clean_in -d 255.255.255.255 -p icmp -j DROP (append to the filter table's clean_in chain a rule that drops ICMP sent to the limited broadcast address 255.255.255.255; -A appends, -d destination address, -p protocol, -j target)
[root@Smoke ~]# iptables -L -n --line-number (list the filter table with rule numbers)
Chain INPUT (policy DROP)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
2 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
4 LOG icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall log for icmp--'
5 ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
2 ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain clean_in (0 references)
num target prot opt source destination
1 DROP icmp -- 0.0.0.0/0 255.255.255.255
[root@Smoke ~]# iptables -t filter -A clean_in -d 172.16.255.255 -p icmp -j DROP (append: drop ICMP sent to the directed broadcast address 172.16.255.255 of the local /16)
[root@Smoke ~]# iptables -t filter -A clean_in -p tcp ! --syn -m state --state NEW -j DROP (append: drop TCP packets that conntrack classifies as NEW but that are not a clean SYN, i.e. attempts to open a connection without a proper handshake; --syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN, so ! --syn matches anything whose FIN/SYN/RST/ACK bits are not exactly SYN)
[root@Smoke ~]# iptables -t filter -A clean_in -p tcp --tcp-flags ALL ALL -j DROP (append: drop TCP packets with all six flags FIN,SYN,RST,PSH,ACK,URG set at once, which never occurs in legitimate traffic and is the signature of a "Christmas tree" scan; --tcp-flags takes the mask of flags to examine and the flags that must be set within that mask. The ALL NONE rule from the exercise, the NULL-scan counterpart, was not added in this session)
[root@Smoke ~]# iptables -t filter -A clean_in -d 172.16.100.1 -j RETURN (append: packets to 172.16.100.1 that survived the checks return to the calling chain, where traversal continues at the rule after the jump; a packet reaching the end of a user-defined chain returns anyway, the explicit RETURN matters only if further rules follow it)
[root@Smoke ~]# iptables -I INPUT -j clean_in (insert at the top of the INPUT chain a jump to the user-defined chain clean_in, so every inbound packet is sanitized first)
[root@Smoke ~]# iptables -L -n --line-number (list the filter table with rule numbers)
Chain INPUT (policy DROP)
num target prot opt source destination
1 clean_in all -- 0.0.0.0/0 0.0.0.0/0
2 REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
3 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
4 ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
5 LOG icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall log for icmp--'
6 ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
2 ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain clean_in (1 references) (one rule now jumps here)
num target prot opt source destination
1 DROP icmp -- 0.0.0.0/0 255.255.255.255
2 DROP icmp -- 0.0.0.0/0 172.16.255.255
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
4 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
5 RETURN all -- 0.0.0.0/0 172.16.100.1
[root@Smoke ~]# ping 172.16.255.255 (ping the directed broadcast address from the firewall itself)
connect: Network is unreachable
Note: the ping is refused on the firewall itself, but not by these rules: "Network is unreachable" is a routing error returned by the socket layer before any packet reaches netfilter, and clean_in hangs off INPUT whereas a locally generated ping would traverse OUTPUT (a DROP there shows up as "Operation not permitted"). The test from another host below is the one that exercises the new chain;
Note: pinging 172.16.255.255 from the Windows command prompt gets no replies:
C:\Users\Smoke>ping 172.16.255.255
Pinging 172.16.255.255 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.255.255:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: a timeout only proves that no reply came back. The counters in the iptables -L -n -v listing further below still show 0 packets on the 172.16.255.255 rule, so these echo requests were not what the rule dropped; Linux ignores broadcast echo requests by default anyway (net.ipv4.icmp_echo_ignore_broadcasts = 1). Always confirm a rule with its counters rather than with the absence of a reply;
[root@Smoke ~]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
clean_in all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
LOG icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall log for icmp--'
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain clean_in (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 255.255.255.255
DROP icmp -- 0.0.0.0/0 172.16.255.255
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
RETURN all -- 0.0.0.0/0 172.16.100.1
[root@Smoke ~]# iptables -X clean_in (try to delete the user-defined chain clean_in)
iptables: Too many links
Note: deletion fails because the chain is still referenced by the jump rule in INPUT; "Too many links" is the error for a referenced chain, a chain that still contains rules would give "Directory not empty". -X only removes a chain that is both unreferenced and empty, so first delete the jump (iptables -D INPUT 1), then flush the chain (iptables -F clean_in), then -X;
[root@Smoke ~]# iptables -L (list the filter table without -n: addresses, ports, ICMP types and flag masks are shown symbolically, hence anywhere, ftp,ssh,http, echo-request and the flag names below)
Chain INPUT (policy DROP)
target prot opt source destination
clean_in all -- anywhere anywhere
REJECT all -- anywhere 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 172.16.100.1 multiport dports ftp,ssh,http state NEW
LOG icmp -- anywhere 172.16.100.1 icmp echo-request LOG level warning prefix `--firewall log for icmp--'
ACCEPT icmp -- anywhere 172.16.100.1 icmp echo-request state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 anywhere STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain clean_in (1 references)
target prot opt source destination
DROP icmp -- anywhere 255.255.255.255
DROP icmp -- anywhere 172.16.255.255
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
RETURN all -- anywhere 172.16.100.1
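The two listings above describe the same matches in two notations: with -n iptables prints the flag mask and comparison value in hex (tcp flags:!0x17/0x02), without -n it prints flag names (tcp flags:!FIN,SYN,RST,ACK/SYN). A packet matches when (flags & mask) == comparison, and a leading "!" negates that. The following Python, added here and not part of the original notes, decodes both forms and evaluates them against a packet's flag byte, so you can check what rules 3 and 4 of clean_in, and the ALL NONE rule from the exercise that was not added in this session, actually drop. The bit values are those of the TCP header; the rule strings are copied from the listings above; the sample packets are constructed.

```python
# TCP header flag bits, low byte of the flags field, as used by --tcp-flags
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # the ALL keyword: every flag in the table above


def flags_from_names(text):
    """'FIN,SYN' -> 0x03. Also accepts the ALL / NONE keywords used on the command line."""
    text = text.strip()
    if text == "ALL":
        return ALL_FLAGS
    if text == "NONE":
        return 0
    value = 0
    for name in text.split(","):
        value |= TCP_FLAGS[name.strip().upper()]   # KeyError for an unknown flag name
    return value


def names_from_flags(value):
    """0x17 -> 'FIN,SYN,RST,ACK', the form iptables -L prints without -n."""
    names = [name for name, bit in TCP_FLAGS.items() if value & bit]
    return ",".join(names) if names else "NONE"


def parse_tcp_flags_match(spec):
    """Parse 'tcp flags:!0x17/0x02' or '!FIN,SYN,RST,ACK/SYN' into (negate, mask, comparison)."""
    spec = spec.strip()
    if spec.startswith("tcp flags:"):
        spec = spec[len("tcp flags:"):]
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mask_s, comp_s = spec.split("/")

    def to_int(s):
        return int(s, 16) if s.lower().startswith("0x") else flags_from_names(s)

    return negate, to_int(mask_s), to_int(comp_s)


def rule_matches(packet_flags, spec):
    """True when a packet whose flag byte is packet_flags would match the --tcp-flags spec."""
    negate, mask, comp = parse_tcp_flags_match(spec)
    hit = (packet_flags & mask) == comp
    return hit != negate


# what '! --syn' expands to: examine FIN,SYN,RST,ACK, require exactly SYN, then negate
NOT_SYN = "!FIN,SYN,RST,ACK/SYN"
XMAS = "ALL/ALL"      # rule 4 of clean_in, printed as 0x3F/0x3F
NULL_SCAN = "ALL/NONE"  # the exercise's ALL NONE rule, printed as 0x3F/0x00

if __name__ == "__main__":
    for label, flags in (("SYN", 0x02), ("SYN,ACK", 0x12), ("ACK", 0x10), ("xmas", 0x3F), ("null", 0x00)):
        print(f"{label:8} {names_from_flags(flags):28} "
              f"!--syn:{rule_matches(flags, NOT_SYN)!s:6} xmas:{rule_matches(flags, XMAS)!s:6} "
              f"null:{rule_matches(flags, NULL_SCAN)}")
```

The interesting case is rule 3: a bare ACK that conntrack calls NEW (for example a probe into a connection the firewall never saw, or a scanner's ACK scan) fails the SYN-only comparison and is dropped, while a normal SYN passes and is left for the ACCEPT rule for NEW connections further down INPUT.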
[root@Smoke ~]# iptables -t filter -I INPUT 2 -d 172.16.100.1 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP (insert as rule 2 of the filter table's INPUT chain: drop tcp/22 packets to 172.16.100.1 from any source IP that already has more than 3 connections open; -I inserts at the given position, -p protocol, --dport destination port, -m loads an extension match, --connlimit-above connection ceiling per source, -j target)
[root@Smoke ~]# iptables -t filter -I INPUT 3 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH (insert as rule 3: record the source IP of every NEW connection to tcp/22 on 172.16.100.1 in the recent list named SSH; no -j, so the packet continues down the chain; --state connection-tracking state, -m recent keeps a list of the addresses that recently sent matching packets, --set adds the packet's source address or refreshes an existing entry, --name the list to use)
[root@Smoke ~]# iptables -t filter -I INPUT 4 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP (insert as rule 4: drop a NEW connection to tcp/22 from a source the SSH list has seen 3 or more times within the last 300 seconds; since --update refreshes the entry on every match, the source stays blocked for as long as it keeps trying; --update check the list and refresh on match, --seconds window length, --hitcount hits required, --name list name, -j target. Note that the order differs from the earlier version: here the --set rule (3) sits above the --update rule (4), so each attempt is recorded before it is counted, and the third new connection within the window is already dropped rather than the fourth)
[root@Smoke ~]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
clean_in all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 #conn/32 > 3
tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW recent: SET name: SSH side: source
DROP tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW recent: UPDATE seconds: 300 hit_count: 3 name: SSH side: source
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
LOG icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall log for icmp--'
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain clean_in (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 255.255.255.255
DROP icmp -- 0.0.0.0/0 172.16.255.255
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
RETURN all -- 0.0.0.0/0 172.16.100.1
Test: open several SSH sessions to 172.16.100.1 from Xshell on Windows; the fourth connection attempt fails;

[root@Smoke ~]# iptables -L -n (list the rules of the filter table, numeric output)
Chain INPUT (policy DROP)
target prot opt source destination
clean_in all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 #conn/32 > 3
tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW recent: SET name: SSH side: source
DROP tcp -- 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW recent: UPDATE seconds: 300 hit_count: 3 name: SSH sid
e: source
REJECT all -- 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
LOG icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall log for icmp--'
ACCEPT icmp -- 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min burst 6
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
REJECT all -- 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-with icmp-port-unreachable
ACCEPT all -- 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain clean_in (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 255.255.255.255
DROP icmp -- 0.0.0.0/0 172.16.255.255
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
RETURN all -- 0.0.0.0/0 172.16.100.1
[root@Smoke ~]# iptables -L -n -v (list the filter table with packet and byte counters)
Chain INPUT (policy DROP 59 packets, 3520 bytes)
pkts bytes target prot opt in out source destination
1840 132K clean_in all -- * * 0.0.0.0/0 0.0.0.0/0
6 304 DROP tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22 #conn/32 > 3
1 52 tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW recent: SET name: SSH side:
source
0 0 DROP tcp -- * * 0.0.0.0/0 172.16.100.1 tcp dpt:22 state NEW recent: UPDATE seconds: 300
hit_count: 3 name: SSH side: source
0 0 REJECT all -- * * 0.0.0.0/0 172.16.100.1 STRING match "h7n9" ALGO name kmp TO 65535reject-
with icmp-port-unreachable
1966 137K ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 state RELATED,ESTABLISHED
5 260 ACCEPT tcp -- * * 0.0.0.0/0 172.16.100.1 multiport dports 21,22,80 state NEW
7 420 LOG icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 LOG flags 0 level 4 prefix `--firewall
log for icmp--'
7 420 ACCEPT icmp -- * * 0.0.0.0/0 172.16.100.1 icmp type 8 state NEW,ESTABLISHED limit: avg 5/min
burst 6
60 5160 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 172.16.100.1 0.0.0.0/0 STRING match "h7n9" ALGO name kmp TO 65535reject-wi
th icmp-port-unreachable
2049 275K ACCEPT all -- * * 172.16.100.1 0.0.0.0/0 state RELATED,ESTABLISHED
60 5160 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain clean_in (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP icmp -- * * 0.0.0.0/0 172.16.255.255
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
1959 136K RETURN all -- * * 0.0.0.0/0 172.16.100.1
Note: the counters show which rule did the blocking: the connlimit rule (rule 2) dropped 6 packets, the retransmitted SYNs of the fourth session, while the recent --update rule dropped none and the --set rule recorded only one new connection. Use -x with -v to get exact byte counts instead of the rounded 136K;
[root@Smoke ~]# iptables -t filter -R INPUT 2 -d 172.16.100.1 -p tcp --dport 22 -m connlimit --connlimit-above 6 -j DROP (replace rule 2 of the filter table's INPUT chain: raise the per-source limit of simultaneous connections to tcp/22 on 172.16.100.1 to 6; -R replaces the rule at the given position, -p protocol, --dport destination port, -m loads an extension match, --connlimit-above connection ceiling, -j target)
Test: open several SSH sessions to 172.16.100.1 from Xshell on Windows; once six sessions are open, further connection attempts fail;

Lab environment: three virtual machines. A Linux VM acts as the firewall and has two NICs: eth0 with address 172.16.100.1 and eth1 with address 192.168.10.1. A second Linux VM is a test host with eth0 at 172.16.100.2. A Windows XP VM is the other test host, with address 192.168.10.2 and default gateway 192.168.10.1, so its traffic to the 172.16.0.0/16 side has to be forwarded by the firewall;
Firewall:
[root@Smoke ~]# ifconfig (show the interface configuration)
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:AE
inet addr:172.16.100.1 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:91254 errors:0 dropped:0 overruns:0 frame:0
TX packets:82816 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7954331 (7.5 MiB) TX bytes:11446617 (10.9 MiB)
Interrupt:67 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:B8
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecc:fab8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5417 errors:0 dropped:0 overruns:0 frame:0
TX packets:3947 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:510865 (498.8 KiB) TX bytes:209535 (204.6 KiB)
Interrupt:83 Base address:0x2080
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20076 errors:0 dropped:0 overruns:0 frame:0
TX packets:20076 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2004939 (1.9 MiB) TX bytes:2004939 (1.9 MiB)
Linux:
[root@localhost ~]# ifconfig  (show interface configuration)
eth0 Link encap:Ethernet HWaddr 00:0C:29:B8:44:39
inet addr:172.16.100.2 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:feb8:4439/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10947 errors:0 dropped:0 overruns:0 frame:0
TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:949104 (926.8 KiB) TX bytes:1468856 (1.4 MiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:237 errors:0 dropped:0 overruns:0 frame:0
TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24554 (23.9 KiB) TX bytes:24554 (23.9 KiB)
Windows XP:
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::20c:29ff:fe7f:4868%4
Default Gateway . . . . . . . . . : 192.168.10.1
C:\Documents and Settings\Administrator>route PRINT
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 7f 48 68 ...... VMware Accelerated AMD PCNet Adapter - iNode FILTER
0x3 ...02 50 f2 00 00 02 ...... iNode VPN Virtual NIC - iNode FILTER
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.2 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.2 192.168.10.2 10
192.168.10.2 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.10.255 255.255.255.255 192.168.10.2 192.168.10.2 10
224.0.0.0 240.0.0.0 192.168.10.2 192.168.10.2 10
255.255.255.255 255.255.255.255 192.168.10.2 192.168.10.2 1
255.255.255.255 255.255.255.255 192.168.10.2 3 1
Default Gateway: 192.168.10.1
===========================================================================
Persistent Routes:
None
Firewall:
[root@Smoke ~]# iptables -P INPUT ACCEPT  (set the default policy of the filter table's INPUT chain to ACCEPT)
[root@Smoke ~]# iptables -P OUTPUT ACCEPT  (set the default policy of the filter table's OUTPUT chain to ACCEPT)
[root@Smoke ~]# iptables -F  (flush all rules from the filter table)
Note: the order matters. The OUTPUT policy was DROP; flushing the rules first would have removed the ACCEPT for the ESTABLISHED SSH session and cut off the management connection. Reset the policies, then flush.
[root@Smoke ~]# iptables -L -n  (list the filter table's rules; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain clean_in (0 references)
target prot opt source destination
[root@Smoke ~]# iptables -X clean_in  (delete the user-defined chain clean_in; -X only succeeds once the chain is empty and nothing references it, which the flush and the "0 references" above guarantee)
[root@Smoke ~]# service iptables save  (save the running rules so they survive a restart)
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Windows XP:
C:\Documents and Settings\Administrator>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note: the ping from the Windows XP host to its gateway 192.168.10.1 succeeds.
Firewall:
[root@Smoke ~]# cat /proc/sys/net/ipv4/ip_forward  (show the current value of ip_forward)
0
Note: forwarding between the firewall's interfaces is disabled.
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note: the ping from the Windows XP host to 172.16.100.1, the address configured on the firewall's eth0, succeeds even though the packet arrives on eth1. On a Linux host an address belongs to the host, not to the interface, so any of the host's addresses answers no matter which interface the packet comes in on. No forwarding is involved.
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: the ping from the Windows XP host to the Linux host fails. The request reaches the gateway, but the gateway has forwarding disabled, so it is never delivered to 172.16.100.2.
Firewall:
[root@Smoke ~]# echo 1 > /proc/sys/net/ipv4/ip_forward  (write 1 into ip_forward: forwarding between the firewall's interfaces is enabled immediately, but this does not survive a reboot)
[root@Smoke ~]# vim /etc/sysctl.conf  (edit the kernel parameter file)
net.ipv4.ip_forward = 1
Note: setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf makes forwarding permanent across reboots.
[root@Smoke ~]# sysctl -p  (load the settings from /etc/sysctl.conf)
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: the ping from the Windows host to the Linux host still fails. The request is now forwarded to 172.16.100.2, but the Linux host has no default gateway, so it has no route on which to send the reply back to 192.168.10.2.
Linux:
[root@localhost ~]# route del -net 0.0.0.0  (delete the default route)
[root@localhost ~]# route add default gw 172.16.100.1  (set the default gateway to 172.16.100.1)
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Note: the ping from the Windows host to the Linux host now succeeds. The replies carry TTL=63 rather than the TTL=64 seen from the firewall itself: the Linux host sends with TTL 64 and the firewall decrements it once while forwarding.
Linux:
[root@localhost ~]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.541 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.198 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.182 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=0.201 ms
--- 192.168.10.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.182/0.280/0.541/0.151 ms
Note: the ping from the Linux host to the Firewall succeeds.
[root@localhost ~]# ping 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=127 time=9.52 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=127 time=0.399 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=127 time=0.342 ms
64 bytes from 192.168.10.2: icmp_seq=4 ttl=127 time=0.462 ms
--- 192.168.10.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.342/2.681/9.524/3.951 ms
Note: the ping from the Linux host to the Windows XP host succeeds (ttl=127: Windows starts at 128, minus one hop through the firewall).
Linux:
[root@localhost ~]# netstat -tnlp  (list listening TCP sockets; -t TCP only, -n numeric addresses and ports, -l listening sockets only, -p show the owning PID/program name)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3443/./hpiod
tcp 0 0 0.0.0.0:772 0.0.0.0:* LISTEN 3134/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3093/portmap
tcp 0 0 0.0.0.0:51953 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3466/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3480/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3521/sendmail
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 17321/sshd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3448/python
tcp 0 0 :::22 :::* LISTEN 3466/sshd
tcp 0 0 ::1:6010 :::* LISTEN 17321/sshd
Note: nothing is listening on port 80 yet, so httpd has to be installed.
[root@localhost ~]# yum -y install httpd  (install httpd from the yum repository; -y answers yes to every prompt)
[root@localhost ~]# wget ftp://172.16.0.1/pub/gls/server.repo -O /etc/yum.repos.d/server.repo  (fetch the repository definition from the lab FTP server into /etc/yum.repos.d; -O names the output file. The original notes used lowercase -o, which is wget's log-file option and would have left the file as ./server.repo)
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# lftp 172.16.0.1  (connect to the FTP server)
lftp 172.16.0.1:~> cd pub/
lftp 172.16.0.1:/pub> cd Server/
lftp 172.16.0.1:/pub/Server> get httpd-2.2.3-63.el5.i386.rpm  (download the httpd package)
1287803 bytes transferred
lftp 172.16.0.1:/pub/Server> bye
[root@localhost ~]# ls  (list the current directory)
anaconda-ks.cfg httpd-2.2.3-63.el5.i386.rpm install.log install.log.syslog
[root@localhost ~]# rpm -ivh httpd-2.2.3-63.el5.i386.rpm  (install from the package file; -i install, -v verbose, -h print progress hashes)
Note: the earlier yum and rpm invocations had not finished, so they were located and killed before retrying the install:
[root@localhost ~]# ps aux | grep yum  (list all processes and keep the lines mentioning yum; a = processes of all users, u = user-oriented format, x = include processes with no controlling terminal)
[root@localhost ~]# kill 3633  (terminate PID 3633 with SIGTERM)
[root@localhost ~]# kill 4135
[root@localhost ~]# ps aux | grep rpm
[root@localhost ~]# kill 4173
[root@localhost ~]# ps aux | grep yum
[root@localhost ~]# kill -9 4135  (SIGKILL, because the process ignored SIGTERM)
[root@localhost ~]# kill -9 4137
[root@localhost ~]# ps aux | grep yum
[root@localhost ~]# ps aux | grep rpm
[root@localhost ~]# kill -9 4173
[root@localhost ~]# ps aux | grep rpm
[root@localhost ~]# rpm -ivh httpd-2.2.3-63.el5.i386.rpm
[root@localhost ~]# ps aux | grep yum
[root@localhost ~]# kill -9 4220
[root@localhost ~]# ps aux | grep rpm
[root@localhost ~]# rpm --force -ivh httpd-2.2.3-63.el5.i386.rpm  (install again, forcing it past the partially completed earlier attempt; --force reinstalls over existing files)
[root@localhost ~]# service httpd start
Starting httpd: [ OK ]
[root@localhost ~]# tcpdump -i eth0 -nn -X icmp  (capture ICMP on eth0; -i interface, -nn no name resolution for hosts or ports, -X print packet contents in hex and ASCII)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=2ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
Note: the ping from the Windows XP host to the Linux host succeeds.
Linux:
[root@localhost ~]# tcpdump -i eth0 -nn -X icmp  (capture ICMP on eth0; -i interface, -nn no name resolution for hosts or ports, -X print packet contents in hex and ASCII)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:54:49.831339 IP 192.168.10.2 > 172.16.100.2: ICMP echo request, id 512, seq 12032, length 40  (the echo request still carries the Windows host's real source address, 192.168.10.2)
0x0000: 4500 003c 101d 0000 7f01 50e7 c0a8 0a02 E..<......P.....
0x0010: ac10 6402 0800 1c5c 0200 2f00 6162 6364 ..d....\../.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:49.852027 IP 172.16.100.2 > 192.168.10.2: ICMP echo reply, id 512, seq 12032, length 40  (the echo reply is addressed directly to 192.168.10.2, so the Linux host needs a route to that network)
0x0000: 4500 003c 0b26 0000 4001 94de ac10 6402 E..<.&..@.....d.
0x0010: c0a8 0a02 0000 245c 0200 2f00 6162 6364 ......$\../.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:50.822526 IP 192.168.10.2 > 172.16.100.2: ICMP echo request, id 512, seq 12288, length 40
0x0000: 4500 003c 101e 0000 7f01 50e6 c0a8 0a02 E..<......P.....
0x0010: ac10 6402 0800 1b5c 0200 3000 6162 6364 ..d....\..0.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:50.822693 IP 172.16.100.2 > 192.168.10.2: ICMP echo reply, id 512, seq 12288, length 40
0x0000: 4500 003c 0b27 0000 4001 94dd ac10 6402 E..<.'..@.....d.
0x0010: c0a8 0a02 0000 235c 0200 3000 6162 6364 ......#\..0.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:51.822727 IP 192.168.10.2 > 172.16.100.2: ICMP echo request, id 512, seq 12544, length 40
0x0000: 4500 003c 101f 0000 7f01 50e5 c0a8 0a02 E..<......P.....
0x0010: ac10 6402 0800 1a5c 0200 3100 6162 6364 ..d....\..1.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:51.822834 IP 172.16.100.2 > 192.168.10.2: ICMP echo reply, id 512, seq 12544, length 40
0x0000: 4500 003c 0b28 0000 4001 94dc ac10 6402 E..<.(..@.....d.
0x0010: c0a8 0a02 0000 225c 0200 3100 6162 6364 ......"\..1.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:52.822729 IP 192.168.10.2 > 172.16.100.2: ICMP echo request, id 512, seq 12800, length 40
0x0000: 4500 003c 1020 0000 7f01 50e4 c0a8 0a02 E..<......P.....
0x0010: ac10 6402 0800 195c 0200 3200 6162 6364 ..d....\..2.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
13:54:52.822807 IP 172.16.100.2 > 192.168.10.2: ICMP echo reply, id 512, seq 12800, length 40
0x0000: 4500 003c 0b29 0000 4001 94db ac10 6402 E..<.)..@.....d.
0x0010: c0a8 0a02 0000 215c 0200 3200 6162 6364 ......!\..2.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
Windows:
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::20c:29ff:fe7f:4868%4
Default Gateway . . . . . . . . . : 192.168.10.1
Firewall:
[root@Smoke ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1  (append to the nat table's POSTROUTING chain: rewrite the source address of packets from 192.168.10.0/24 to 172.16.100.1; -A append, -s source, -j target, --to-source the address to substitute)
Note: POSTROUTING runs after the routing decision, so the rule only sees packets on their way out of the firewall. The nat table is consulted for the first packet of a connection only; the translation, and the reverse translation of the replies, is then applied by connection tracking for the rest of that connection.
[root@Smoke ~]# iptables -t nat -L -n  (list the nat table's rules numerically)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.10.0/24 0.0.0.0/0 to:172.16.100.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=8ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
Note: the ping from the Windows XP host to the Linux host succeeds.
Linux:
[root@localhost ~]# tcpdump -i eth0 -nn -X icmp  (capture ICMP on eth0; -i interface, -nn no name resolution for hosts or ports, -X print packet contents in hex and ASCII)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:03:15.059563 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 13056, length 40  (after SNAT the request arrives with source 172.16.100.1, the firewall's eth0 address, in place of 192.168.10.2)
0x0000: 4500 003c 1023 0000 7f01 0b7a ac10 6401 E..<.#.....z..d.
0x0010: ac10 6402 0800 185c 0200 3300 6162 6364 ..d....\..3.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:15.063310 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 13056, length 40  (the reply is addressed to 172.16.100.1; the firewall's connection-tracking entry maps it back to 192.168.10.2)
0x0000: 4500 003c cce2 0000 4001 8dba ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 205c 0200 3300 6162 6364 ..d....\..3.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:16.056826 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 13312, length 40
0x0000: 4500 003c 1024 0000 7f01 0b79 ac10 6401 E..<.$.....y..d.
0x0010: ac10 6402 0800 175c 0200 3400 6162 6364 ..d....\..4.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:16.056871 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 13312, length 40
0x0000: 4500 003c cce3 0000 4001 8db9 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 1f5c 0200 3400 6162 6364 ..d....\..4.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:17.057033 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 13568, length 40
0x0000: 4500 003c 1025 0000 7f01 0b78 ac10 6401 E..<.%.....x..d.
0x0010: ac10 6402 0800 165c 0200 3500 6162 6364 ..d....\..5.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:17.057097 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 13568, length 40
0x0000: 4500 003c cce4 0000 4001 8db8 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 1e5c 0200 3500 6162 6364 ..d....\..5.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:18.057129 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 13824, length 40
0x0000: 4500 003c 1026 0000 7f01 0b77 ac10 6401 E..<.&.....w..d.
0x0010: ac10 6402 0800 155c 0200 3600 6162 6364 ..d....\..6.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
14:03:18.057174 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 13824, length 40
0x0000: 4500 003c cce5 0000 4001 8db7 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 1d5c 0200 3600 6162 6364 ..d....\..6.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
Firewall:
[root@Smoke ~]# ifconfig  (show interface configuration)
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:AE
inet addr:172.16.100.1 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:93870 errors:0 dropped:0 overruns:0 frame:0
TX packets:84951 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8170645 (7.7 MiB) TX bytes:11608655 (11.0 MiB)
Interrupt:67 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:B8
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecc:fab8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5835 errors:0 dropped:0 overruns:0 frame:0
TX packets:4053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:555038 (542.0 KiB) TX bytes:216475 (211.4 KiB)
Interrupt:83 Base address:0x2080
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20084 errors:0 dropped:0 overruns:0 frame:0
TX packets:20084 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2005635 (1.9 MiB) TX bytes:2005635 (1.9 MiB)
Linux:
[root@localhost ~]# route -n  (show the routing table; -n numeric addresses)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.16.100.1 0.0.0.0 UG 0 0 0 eth0
[root@localhost ~]# route del -net 0.0.0.0  (delete the default route)
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=2ms TTL=63
Reply from 172.16.100.2: bytes=32 time=4ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time=8ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 3ms
Note: the ping from the Windows XP host to the Linux host still succeeds even though the Linux host now has no default route. With SNAT in place the requester it sees is 172.16.100.1, which lies on its directly connected 172.16.0.0/16 network, so it can reply without a gateway.
Linux:
[root@localhost ~]# tcpdump -i eth0 -nn -X icmp  (capture ICMP on eth0; -i interface, -nn no name resolution for hosts or ports, -X print packet contents in hex and ASCII)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:55:26.304391 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 15104, length 40
0x0000: 4500 003c 105d 0000 7f01 0b40 ac10 6401 E..<.].....@..d.
0x0010: ac10 6402 0800 105c 0200 3b00 6162 6364 ..d....\..;.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:26.304613 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 15104, length 40
0x0000: 4500 003c cce6 0000 4001 8db6 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 185c 0200 3b00 6162 6364 ..d....\..;.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:27.294112 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 15360, length 40
0x0000: 4500 003c 105e 0000 7f01 0b3f ac10 6401 E..<.^.....?..d.
0x0010: ac10 6402 0800 0f5c 0200 3c00 6162 6364 ..d....\..<.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:27.294172 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 15360, length 40
0x0000: 4500 003c cce7 0000 4001 8db5 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 175c 0200 3c00 6162 6364 ..d....\..<.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:28.293604 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 15616, length 40
0x0000: 4500 003c 105f 0000 7f01 0b3e ac10 6401 E..<._.....>..d.
0x0010: ac10 6402 0800 0e5c 0200 3d00 6162 6364 ..d....\..=.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:28.293666 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 15616, length 40
0x0000: 4500 003c cce8 0000 4001 8db4 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 165c 0200 3d00 6162 6364 ..d....\..=.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:29.293820 IP 172.16.100.1 > 172.16.100.2: ICMP echo request, id 512, seq 15872, length 40
0x0000: 4500 003c 1060 0000 7f01 0b3d ac10 6401 E..<.`.....=..d.
0x0010: ac10 6402 0800 0d5c 0200 3e00 6162 6364 ..d....\..>.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
17:55:29.293864 IP 172.16.100.2 > 172.16.100.1: ICMP echo reply, id 512, seq 15872, length 40
0x0000: 4500 003c cce9 0000 4001 8db3 ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 155c 0200 3e00 6162 6364 ..d....\..>.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
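The hex dumps above are the evidence for what SNAT did, but reading them by eye is error-prone. The following decoder is an added example written for this page, not code from the original notes: it reassembles the bytes from tcpdump -X lines, parses the IPv4 and ICMP echo headers, verifies both checksums, and diffs the first echo request of the 13:54 capture (before SNAT) against the first request of the 14:03 capture (after SNAT). The three dumps embedded below are copied from the captures on this page; the function and constant names are this example's own.

```python
"""Decode tcpdump -X output and show what SNAT changed on the wire.

Added example, not code from the original notes. The three hex dumps are
copied from the captures on this page (the first echo request before SNAT,
and the first request/reply pair after SNAT); everything else is this
example's own.
"""
import ipaddress
import re
import struct

# One tcpdump -X line: an offset, up to eight 4-hex-digit groups, then an
# ASCII column. Capping the group count at eight keeps an ASCII column such
# as "abcd" from being read as data.
HEX_LINE = re.compile(
    r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}\s+){0,7}[0-9a-fA-F]{4})"
)

# 13:54:49 capture above: Windows host -> Linux host, before SNAT
REQUEST_BEFORE_SNAT = r"""
0x0000: 4500 003c 101d 0000 7f01 50e7 c0a8 0a02 E..<......P.....
0x0010: ac10 6402 0800 1c5c 0200 2f00 6162 6364 ..d....\../.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
"""
# 14:03:15 capture above: the same kind of request after SNAT, and its reply
REQUEST_AFTER_SNAT = r"""
0x0000: 4500 003c 1023 0000 7f01 0b7a ac10 6401 E..<.#.....z..d.
0x0010: ac10 6402 0800 185c 0200 3300 6162 6364 ..d....\..3.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
"""
REPLY_AFTER_SNAT = r"""
0x0000: 4500 003c cce2 0000 4001 8dba ac10 6402 E..<....@.....d.
0x0010: ac10 6401 0000 205c 0200 3300 6162 6364 ..d....\..3.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble raw packet bytes from tcpdump -X lines."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex("".join(m.group(1).split()))
    return bytes(raw)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Computed over a header that still
    carries its checksum field, the result is 0 exactly when it verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp_packet(raw: bytes) -> dict:
    """Parse the IPv4 header and, for protocol 1, the ICMP echo header."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "ip_id": ident,
        "proto": proto,
        "total_len": total_len,
        "ip_checksum_ok": internet_checksum(raw[:ihl]) == 0,
    }
    if proto == 1:
        icmp = raw[ihl:total_len]
        typ, code, _icsum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update({
            "icmp_type": typ,
            "icmp_code": code,
            "icmp_id": echo_id,
            "icmp_seq": seq,
            "icmp_checksum_ok": internet_checksum(icmp) == 0,
            "payload": icmp[8:],
        })
    return info


def snat_changes(before: dict, after: dict) -> dict:
    """Fields whose value differs between two decoded packets."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


if __name__ == "__main__":
    before = decode_icmp_packet(hexdump_to_bytes(REQUEST_BEFORE_SNAT))
    after = decode_icmp_packet(hexdump_to_bytes(REQUEST_AFTER_SNAT))
    for name, (old, new) in snat_changes(before, after).items():
        print("%-9s %s -> %s" % (name, old, new))
```

Run as a script it reports src 192.168.10.2 -> 172.16.100.1, plus ip_id and icmp_seq differences that simply come from these being two separate pings. Everything else survives SNAT untouched: TTL 127 (Windows starts at 128, one hop through the firewall), ICMP id 512, the payload, and both checksums verify. The ICMP echo checksum does not cover IP addresses, so here SNAT only had to recompute the IP header checksum; for TCP and UDP the transport checksum covers a pseudo-header that includes the addresses, and NAT rewrites that one as well.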
Firewall:
[root@Smoke ~]# man iptables
SNAT
This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be
modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one
type of option:
--to-source ipaddr[-ipaddr][:port-port]
which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is
only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports
will be mapped to 1024 or above. Where possible, no port alteration will occur.
In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source
address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle)
takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=2ms TTL=63
Reply from 172.16.100.2: bytes=32 time=1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
Note: the ping from the Windows XP host to the Linux host succeeds.
Firewall:
[root@Smoke ~]# iptables -t filter -A FORWARD -s 192.168.0.0/24 -p icmp -j REJECT  (append to the filter table's FORWARD chain a rule rejecting ICMP from 192.168.0.0/24; -A append, -s source, -p protocol, -j target)
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=2ms TTL=63
Reply from 172.16.100.2: bytes=32 time=1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
Note: the ping from the Windows XP host to the Linux host still succeeds, so the rule is wrong. 192.168.0.0/24 covers only 192.168.0.0 through 192.168.0.255; the Windows host is in 192.168.10.0/24, so the rule never matched and the ACCEPT policy applied.
Firewall:
[root@Smoke ~]# iptables -t filter -A FORWARD -s 192.168.10.0/24 -p icmp -j REJECT  (append to the filter table's FORWARD chain a rule rejecting ICMP from 192.168.10.0/24, the network the Windows host is actually on; -A append, -s source, -p protocol, -j target)
[root@Smoke ~]# ifconfig  (show interface configuration)
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:AE
inet addr:172.16.100.1 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:94631 errors:0 dropped:0 overruns:0 frame:0
TX packets:85536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8234581 (7.8 MiB) TX bytes:11745273 (11.2 MiB)
Interrupt:67 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:B8
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecc:fab8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5886 errors:0 dropped:0 overruns:0 frame:0
TX packets:4080 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:560051 (546.9 KiB) TX bytes:218197 (213.0 KiB)
Interrupt:83 Base address:0x2080
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20084 errors:0 dropped:0 overruns:0 frame:0
TX packets:20084 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2005635 (1.9 MiB) TX bytes:2005635 (1.9 MiB)
[root@Smoke ~]# iptables -D FORWARD 1  (delete rule 1, the mistaken 192.168.0.0/24 rule, from the filter table's FORWARD chain; -D deletes the rule at the given position)
[root@Smoke ~]# iptables -L -n  (list the filter table's rules numerically)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT icmp -- 192.168.10.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 192.168.10.1: Destination port unreachable.
Reply from 192.168.10.1: Destination port unreachable.
Reply from 192.168.10.1: Destination port unreachable.
Reply from 192.168.10.1: Destination port unreachable.
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note: the ping from the Windows XP host to the Linux host is now refused. Because the target is REJECT rather than DROP, the firewall (192.168.10.1) answers each request with an ICMP port-unreachable, which is what Windows reports; with DROP the requests would simply time out and the sender could not tell a filter from a dead host.
Linux:
[root@localhost ~]# ls  (list the current directory)
anaconda-ks.cfg httpd-2.2.3-63.el5.i386.rpm install.log install.log.syslog
[root@localhost ~]# rpm -ivh httpd-2.2.3-63.el5.i386.rpm  (install httpd from the package file; -i install, -v verbose, -h print progress hashes)
[root@localhost ~]# shutdown -r now  (reboot immediately)
[root@localhost ~]# wget ftp://172.16.0.1/pub/gls/server.repo -O /etc/yum.repos.d/server.repo  (fetch the repository definition into /etc/yum.repos.d; -O names the output file, the original notes' lowercase -o would have written wget's log there instead)
[root@localhost ~]# yum -y install httpd vsftpd  (install httpd and vsftpd from the repository; -y answers yes to every prompt)
[root@localhost ~]# echo hello > /var/www/html/index.html  (create a test page)
[root@localhost ~]# service httpd start
Starting httpd: [ OK ]
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 192.168.10.1: Destination port unreachable.
Reply from 192.168.10.1: Destination port unreachable.
Reply from 192.168.10.1: Destination port unreachable.
Reply from 192.168.10.1: Destination port unreachable.
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note: the ping from the Windows XP host to the Linux host is still refused.
Test: browsing to http://172.16.100.2 from the Windows XP host with Internet Explorer works, since only ICMP is rejected and the FORWARD policy is still ACCEPT.

Firewall:
[root@Smoke ~]# iptables -L -n  (list the filter table's rules numerically)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT icmp -- 192.168.10.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note: the FORWARD chain's default policy is ACCEPT, which means internal users can reach anything beyond the firewall. To allow only specific, known traffic, change the default policy to DROP and then open exactly what is needed.
[root@Smoke ~]# iptables -t filter -F  (flush all rules from the filter table; -F flush)
[root@Smoke ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Smoke ~]# iptables -P FORWARD DROP  (set the default policy of the filter table's FORWARD chain to DROP)
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: the ping from the Windows XP host to the Linux host fails.
Test: browsing to http://172.16.100.2 from the Windows XP host with Internet Explorer fails as well; with the policy at DROP and no rules, nothing is forwarded.

Firewall:
[root@Smoke ~]# iptables -t filter -A FORWARD -m state --state ESTABLISHED -j ACCEPT  (append to the filter table's FORWARD chain: accept packets that belong to a connection conntrack has already seen both directions of; -A append, -m state loads the connection-state match, --state the states to match, -j target)
[root@Smoke ~]# iptables -t filter -A FORWARD -s 192.168.10.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT  (append to the FORWARD chain: accept new TCP connections from 192.168.10.0/24 to port 80; -s source, -p protocol, --dport destination port, -m state, --state NEW matches only the first packet of a connection)
Note: the ESTABLISHED rule goes first so that the bulk of every connection's packets matches at rule 1; the NEW rule then decides which connections may be started, and only from the internal network. On current kernels the same match is spelled -m conntrack --ctstate, with the same state names.
Windows XP:
Test: browsing to http://172.16.100.2 from the Windows XP host with Internet Explorer now works.

C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: ping from the Windows XP host to the Linux host still fails (unreachable);
Firewall:
[root@Smoke ~]# iptables -t filter -A FORWARD -s 192.168.10.0/24 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT (append a rule to the filter table's FORWARD chain that accepts NEW connections from 192.168.10.0/24 with icmp type 8; -A appends a rule, -s source address, -p protocol, --icmp-type the icmp type, -m loads a match extension, --state is the state match, -j is the target)
Windows XP:
C:\Documents and Settings\Administrator>ping 172.16.100.2
Pinging 172.16.100.2 with 32 bytes of data:
Reply from 172.16.100.2: bytes=32 time=2ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Reply from 172.16.100.2: bytes=32 time<1ms TTL=63
Ping statistics for 172.16.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
Note: ping from the Windows XP host to the Linux host now succeeds;
Linux:
[root@localhost ~]# route del -net 0.0.0.0 (delete the default route)
[root@localhost ~]# route add default gw 172.16.100.1 (set the default gateway to 172.16.100.1)
[root@localhost ~]# ping 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
--- 192.168.10.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5000ms
Note: ping from the Linux host to the Windows XP host fails (unreachable);
[root@localhost ~]# service vsftpd start (start the vsftpd service)
为 vsftpd 启动 vsftpd: [确定]
Firewall:
[root@Smoke ~]# iptables -t filter -A FORWARD -s 192.168.10.0/24 -p tcp --dport 21 -m state --state NEW -j ACCEPT (append a rule to the filter table's FORWARD chain that accepts NEW connections from source 192.168.10.0/24 to tcp port 21; -A appends a rule, -s source address, -p protocol, --dport destination port, -m loads a match extension, --state is the state match, -j is the target)
Windows XP:
Test: opening ftp://172.16.100.2 from the Windows XP host fails;

Note: the FTP service on the Linux host cannot be reached from the Windows XP host because only the command (control) connection has been opened, not the data connection;
Firewall:
[root@Smoke ~]# iptables -t filter -L -n (list the rules of the filter table numerically; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     icmp --  192.168.10.0/24      0.0.0.0/0           icmp type 8 state NEW
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           tcp dpt:21 state NEW
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Smoke ~]# iptables -t filter -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT (replace rule 1 of the filter table's FORWARD chain with one that accepts connections in state ESTABLISHED or RELATED; -R replaces a rule, -m loads a match extension, --state is the state match, -j is the target)
Windows XP:
Test: opening ftp://172.16.100.2 from the Windows XP host now works;

Note: the FTP service on the Linux host is reachable from the Windows XP host;
Firewall:
[root@Smoke ~]# vim /etc/sysconfig/iptables-config (edit the iptables-config file)
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp ip_conntrack_netbios_ns"
Note: for RELATED matching to work for FTP, the kernel must have the ip_nat_ftp and ip_conntrack_ftp modules loaded;
[root@Smoke ~]# lsmod | grep ftp (list the loaded kernel modules and pipe the result through grep to show only the ftp-related ones)
ip_nat_ftp              7361  0
ip_nat                 20973  2 iptable_nat,ip_nat_ftp
ip_conntrack_ftp       11569  1 ip_nat_ftp
ip_conntrack           53409  7 iptable_nat,xt_connlimit,ip_nat_ftp,ip_nat,ip_conntrack_ftp,xt_state,ip_conntrack_netbios_ns
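The stateful FORWARD policy built up step by step above (default DROP, the ESTABLISHED,RELATED rule in first position, then NEW connections from the LAN to ports 80 and 21 and ICMP echo requests) and the ip_conntrack_ftp check from the lsmod listing, gathered into one added shell example. This is not part of the original lab notes; it assumes the lab's LAN 192.168.10.0/24 and only prints the ruleset in iptables-restore format instead of applying it, so it can be reviewed or compared with `iptables-save` output before being loaded as root.

```shell
#!/bin/sh
# Added example, not from the original lab: emit the FORWARD policy of the
# lab above as an iptables-restore ruleset and check for the FTP helper.
# Assumption: the LAN behind the firewall is 192.168.10.0/24 (override
# with LAN_NET=...). Nothing here touches the kernel.

LAN_NET="${LAN_NET:-192.168.10.0/24}"

# Print the filter-table ruleset. Rule order matters: the stateful rule
# comes first so reply and related traffic (FTP data) is accepted before
# any NEW rule is consulted, exactly as the -R FORWARD 1 step above does.
build_forward_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${LAN_NET} -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -s ${LAN_NET} -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -s ${LAN_NET} -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# RELATED only covers FTP data connections when the conntrack helper is
# loaded. Reads `lsmod` output on stdin and returns 0 when ip_conntrack_ftp
# (2.6.18-era name, as in the lab) or nf_conntrack_ftp (newer kernels) is
# present.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Review check: count rules admitting NEW connections that carry no source
# restriction. For the policy above this must be 0.
unrestricted_new_rules() {
    build_forward_rules | grep -- '--state NEW' | grep -vc -- '-s ' || true
}

# Stand-alone usage: print the ruleset for review, then report the helper.
build_forward_rules
if lsmod 2>/dev/null | ftp_helper_loaded; then
    echo "# ftp conntrack helper loaded: RELATED will track FTP data"
else
    echo "# ftp conntrack helper NOT loaded: FTP data connections will be dropped"
fi
```

Loading the printed ruleset is `iptables-restore < file` on the firewall; the helper report is what the lab's lsmod step verifies by eye.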
Lab environment: three virtual machines are started. One Linux VM acts as the Firewall and has two NICs, eth0 with IP address 172.16.100.1 and eth1 with 192.168.10.1. A second Linux VM is one test host, with eth0 at 192.168.10.2 and gateway 192.168.10.1. A Windows XP VM is the other test host, with address 172.16.100.2 and gateway 172.16.100.1;
Windows XP:
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
IP Address. . . . . . . . . . . . : fe80::20c:29ff:fe7f:4868%4
Default Gateway . . . . . . . . . : 172.16.100.1
C:\Documents and Settings\Administrator>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time=1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Note: ping from the Windows XP host to the Firewall gateway 172.16.100.1 succeeds;
C:\Documents and Settings\Administrator>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note: ping from the Windows XP host to the Firewall's other interface address 192.168.10.1 succeeds;
Linux:
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 (edit the ifcfg-eth0 interface configuration file)
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:B8:44:39
ONBOOT=yes
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
[root@localhost ~]# service network restart (restart the network service)
正在关闭接口 eth0: [确定]
关闭环回接口: [确定]
弹出环回接口: [确定]
弹出界面 eth0: [确定]
Firewall:
[root@Smoke ~]# iptables -t nat -F (flush all rules in the nat table)
[root@Smoke ~]# iptables -t filter -F (flush all rules in the filter table)
[root@Smoke ~]# iptables -P FORWARD ACCEPT (change the default policy of the filter table's FORWARD chain to ACCEPT)
[root@Smoke ~]# iptables -t nat -L -n (list all rules of the nat table numerically; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Smoke ~]# iptables -t filter -L -n (list all rules of the filter table numerically; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Linux:
[root@localhost ~]# ping 172.16.100.2
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=127 time=5.53 ms
64 bytes from 172.16.100.2: icmp_seq=2 ttl=127 time=0.491 ms
64 bytes from 172.16.100.2: icmp_seq=3 ttl=127 time=0.640 ms
64 bytes from 172.16.100.2: icmp_seq=4 ttl=127 time=0.596 ms
--- 172.16.100.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.491/1.816/5.538/2.149 ms
Note: ping from the Linux host to the Windows XP host succeeds;
Windows XP:
C:\Documents and Settings\Administrator>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time<1ms TTL=63
Reply from 192.168.10.2: bytes=32 time<1ms TTL=63
Reply from 192.168.10.2: bytes=32 time=5ms TTL=63
Reply from 192.168.10.2: bytes=32 time<1ms TTL=63
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 5ms, Average = 1ms
Note: ping from the Windows XP host to the Linux host succeeds;
Test: opening http://192.168.10.2 on the Linux host from the Windows XP host works;

Test: opening ftp://192.168.10.2 on the Linux host from the Windows XP host works;

C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
IP Address. . . . . . . . . . . . : fe80::20c:29ff:fe7f:4868%4
Default Gateway . . . . . . . . . :
Note: the Windows XP NIC settings were changed to remove the gateway 172.16.100.2;
Test: opening http://192.168.10.2 on the Linux host from the Windows XP host now fails;

Test: opening http://172.16.100.1 from the Windows XP host works;

Firewall:
[root@Smoke ~]# service httpd stop (stop the httpd service)
Stopping httpd: [ OK ]
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host now fails;

Firewall:
[root@Smoke ~]# chkconfig httpd off (disable automatic start of httpd in the relevant runlevels)
[root@Smoke ~]# service vsftpd stop (stop the vsftpd service)
Shutting down vsftpd: [ OK ]
[root@Smoke ~]# chkconfig vsftpd off (disable automatic start of vsftpd in the relevant runlevels)
Windows XP:
Test: opening ftp://172.16.100.1 from the Windows XP host fails;

Firewall:
[root@Smoke ~]# iptables -t nat -A PREROUTING -d 172.16.100.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2 (append a rule to the nat table's PREROUTING chain: traffic to 172.16.100.1 tcp port 80 is DNATed to 192.168.10.2; -A appends a rule, -d destination address, -p protocol, --dport destination port, -j target, --to-destination rewrites the public-facing interface address to the internal server address)
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host, which now reaches the internal Linux server, works;

Linux:
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# vim index.html (file content follows)
192.168.10.2
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host, reaching the internal Linux server, works;

Linux:
[root@localhost html]# tail /var/log/httpd/access_log (show the last 10 lines of the access_log file)
172.16.100.1 - - [15/Aug/2015:18:34:16 +0800] "GET / HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)"
172.16.100.1 - - [15/Aug/2015:18:34:16 +0800] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)"
172.16.100.1 - - [15/Aug/2015:18:51:30 +0800] "GET / HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)"
172.16.100.1 - - [15/Aug/2015:18:51:30 +0800] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)"
172.16.100.2 - - [15/Aug/2015:19:57:29 +0800] "GET / HTTP/1.1" 200 6 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
172.16.100.2 - - [15/Aug/2015:19:57:30 +0800] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
172.16.100.2 - - [15/Aug/2015:19:57:30 +0800] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
172.16.100.2 - - [15/Aug/2015:20:15:55 +0800] "GET / HTTP/1.1" 200 6 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
172.16.100.2 - - [15/Aug/2015:20:15:55 +0800] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
172.16.100.2 - - [15/Aug/2015:20:17:47 +0800] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
Windows:
C:\Documents and Settings\Administrator>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: ping from the Windows XP host to the Linux host fails (unreachable);
C:\Documents and Settings\Administrator>ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Reply from 172.16.100.1: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note: ping from the Windows XP host to the Firewall gateway succeeds;
Linux:
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf (edit the httpd configuration file)
Listen 8080
[root@localhost ~]# service httpd restart (restart the httpd service)
停止 httpd: [确定]
启动 httpd: [确定]
[root@localhost ~]# netstat -tnlp (list listening services; -t tcp, -n numeric output, -l listening sockets only, -p show the owning program)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3443/./hpiod
tcp        0      0 0.0.0.0:772                 0.0.0.0:*                   LISTEN      3134/rpc.statd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3093/portmap
tcp        0      0 0.0.0.0:51953               0.0.0.0:*                   LISTEN      -
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      18198/vsftpd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3466/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3480/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3521/sendmail
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      19577/sshd
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      17974/sshd
tcp        0      0 127.0.0.1:6012              0.0.0.0:*                   LISTEN      18316/sshd
tcp        0      0 127.0.0.1:6013              0.0.0.0:*                   LISTEN      18345/sshd
tcp        0      0 127.0.0.1:6014              0.0.0.0:*                   LISTEN      19606/sshd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3448/python
tcp        0      0 :::8080                     :::*                        LISTEN      19664/httpd
tcp        0      0 :::22                       :::*                        LISTEN      3466/sshd
tcp        0      0 ::1:6010                    :::*                        LISTEN      19577/sshd
tcp        0      0 ::1:6011                    :::*                        LISTEN      17974/sshd
tcp        0      0 ::1:6012                    :::*                        LISTEN      18316/sshd
tcp        0      0 ::1:6013                    :::*                        LISTEN      18345/sshd
tcp        0      0 ::1:6014                    :::*                        LISTEN      19606/sshd
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host, which should reach the internal Linux server, now fails;

Firewall:
[root@Smoke ~]# iptables -t nat -L -n (list the rules of the nat table; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            172.16.100.1        tcp dpt:80 to:192.168.10.2
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Smoke ~]# iptables -t nat -R PREROUTING 1 -d 172.16.100.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:8080 (replace rule 1 of the nat table's PREROUTING chain: traffic to 172.16.100.1 tcp port 80 is DNATed so that its destination becomes 192.168.10.2:8080; -R replaces a rule, -d destination address, -p protocol, --dport destination port, -j target, --to-destination the internal server address and port)
[root@Smoke ~]# iptables -t nat -L -n (list the rules of the nat table numerically; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            172.16.100.1        tcp dpt:80 to:192.168.10.2:8080
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host, reaching the internal Linux server, works again;
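The failure just worked through (httpd moved to 8080 while the DNAT rule still sent port-80 traffic to 192.168.10.2 with the port unchanged) is a silent one: the firewall counters keep climbing and nothing logs an error. The check below is an added shell example, not part of the original lab, that cross-checks the `iptables -t nat -L -n` listing from the firewall against the `netstat -tnlp` listing from the backend; both inputs are constructed copies of the lab's own output so the script runs offline and applies nothing to the kernel. A DNAT target without an explicit port keeps the original destination port, which is what the first rule in the lab did.

```shell
#!/bin/sh
# Added example, not from the original lab: verify that every DNAT target
# in a nat-table listing points at a port the backend actually listens on.
# The two inputs are constructed from the lab's captures; in real use they
# would come from `iptables -t nat -L -n` on the firewall and
# `netstat -tnlp` on the backend.

# Constructed copy of the lab's nat listing after the -R replacement.
NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            172.16.100.1        tcp dpt:80 to:192.168.10.2:8080
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed, trimmed copy of the backend's netstat -tnlp output.
BACKEND_SOCKETS='tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      18198/vsftpd
tcp        0      0 :::8080                     :::*                        LISTEN      19664/httpd'

# Print one "ip:port" per DNAT rule. When --to-destination names no port,
# the kernel keeps the matched destination port (dpt:NN), so append it.
dnat_targets() {
    printf '%s\n' "$1" | awk '$1 == "DNAT" {
        dport = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) dport = substr($i, 5)
            if ($i ~ /^to:/)  to = substr($i, 4)
        }
        if (to !~ /:[0-9]+$/) to = to ":" dport
        print to
    }'
}

# Return 0 when the backend listing shows a LISTEN socket on the port
# (matches IPv4 0.0.0.0:PORT as well as IPv6 wildcard :::PORT).
backend_listens() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$4 ~ (":" p "$") && $6 == "LISTEN" { found = 1 } END { exit !found }'
}

# Report OK/MISSING per target; the return value is the number of targets
# the backend is not listening on, so 0 means the DNAT is consistent.
check_dnat() {
    bad=0
    for t in $(dnat_targets "$1"); do
        port="${t##*:}"
        if backend_listens "$2" "$port"; then
            echo "$t OK"
        else
            echo "$t MISSING (no LISTEN socket on port $port)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone usage with the constructed inputs.
check_dnat "$NAT_LISTING" "$BACKEND_SOCKETS"
```

Run with the pre-replacement listing (`to:192.168.10.2` with no port) the check reports `192.168.10.2:80 MISSING`, which is exactly the state the lab was in when the Windows XP test failed.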

Linux:
[root@localhost ~]# cd /var/www/html/ (change to the /var/www/html directory)
[root@localhost html]# vim index.html (edit index.html; file content follows)
192.168.10.2 NEW
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host, reaching the internal Linux server, works;

Firewall:
[root@Smoke ~]# iptables -L -n (list the rules of the filter table numerically; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Linux:
[root@localhost html]# vim test.html (edit test.html; file content follows)
h7n9 hello
Windows XP:
Test: opening http://172.16.100.1/test.html from the Windows XP host, reaching the internal Linux server, works;

Firewall:
[root@Smoke ~]# iptables -t filter -A FORWARD -m string --algo kmp --string "h7n9" -j DROP (append a rule to the filter table's FORWARD chain that drops forwarded packets whose payload contains the string h7n9; -A appends a rule, -m loads a match extension, --algo the string-matching algorithm, --string the string to match, -j the target)
Windows XP:
Test: opening http://172.16.100.1 from the Windows XP host, reaching the internal Linux server, works;

Test: opening http://172.16.100.1/test.html from the Windows XP host, reaching the internal Linux server, now fails;
Firewall:
[root@Smoke ~]# iptables -L -n (list the rules of the filter table numerically; -L lists the rules of the given table, -n prints addresses and ports as numbers)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           STRING match "h7n9" ALGO name kmp TO 65535
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@Smoke ~]# iptables -L -n -v (list the rules of the filter table numerically with details; -L lists the rules of the given table, -n prints addresses and ports as numbers, -v shows packet and byte counters)
Chain INPUT (policy ACCEPT 6092 packets, 480K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 221 packets, 18534 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10  3110 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "h7n9" ALGO name kmp TO 65535
Chain OUTPUT (policy ACCEPT 4601 packets, 485K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@Smoke ~]# rpm -ql iptables (list the files installed by the iptables package)
/etc/rc.d/init.d/iptables
/etc/sysconfig/iptables-config
/lib/iptables
/lib/iptables/libipt_CLASSIFY.so
/lib/iptables/libipt_CLUSTERIP.so
/lib/iptables/libipt_CONNMARK.so
/lib/iptables/libipt_DNAT.so
/lib/iptables/libipt_DSCP.so
/lib/iptables/libipt_ECN.so
/lib/iptables/libipt_LOG.so
/lib/iptables/libipt_MARK.so
/lib/iptables/libipt_MASQUERADE.so
/lib/iptables/libipt_MIRROR.so
/lib/iptables/libipt_NETMAP.so
/lib/iptables/libipt_NFQUEUE.so
/lib/iptables/libipt_NOTRACK.so
/lib/iptables/libipt_REDIRECT.so
/lib/iptables/libipt_REJECT.so
/lib/iptables/libipt_SAME.so
/lib/iptables/libipt_SNAT.so
/lib/iptables/libipt_TARPIT.so
/lib/iptables/libipt_TCPMSS.so
/lib/iptables/libipt_TOS.so
/lib/iptables/libipt_TRACE.so
/lib/iptables/libipt_TTL.so
/lib/iptables/libipt_ULOG.so
/lib/iptables/libipt_addrtype.so
/lib/iptables/libipt_ah.so
/lib/iptables/libipt_comment.so
/lib/iptables/libipt_connlimit.so
/lib/iptables/libipt_connmark.so
/lib/iptables/libipt_conntrack.so
/lib/iptables/libipt_dccp.so
/lib/iptables/libipt_dscp.so
/lib/iptables/libipt_ecn.so
/lib/iptables/libipt_esp.so
/lib/iptables/libipt_hashlimit.so
/lib/iptables/libipt_helper.so
/lib/iptables/libipt_icmp.so
/lib/iptables/libipt_iprange.so
/lib/iptables/libipt_length.so
/lib/iptables/libipt_limit.so
/lib/iptables/libipt_mac.so
/lib/iptables/libipt_mark.so
/lib/iptables/libipt_multiport.so
/lib/iptables/libipt_owner.so
/lib/iptables/libipt_physdev.so
/lib/iptables/libipt_pkttype.so
/lib/iptables/libipt_policy.so
/lib/iptables/libipt_realm.so
/lib/iptables/libipt_recent.so
/lib/iptables/libipt_rpc.so
/lib/iptables/libipt_sctp.so
/lib/iptables/libipt_standard.so
/lib/iptables/libipt_state.so
/lib/iptables/libipt_statistic.so
/lib/iptables/libipt_string.so
/lib/iptables/libipt_tcp.so
/lib/iptables/libipt_tcpmss.so
/lib/iptables/libipt_tos.so
/lib/iptables/libipt_ttl.so
/lib/iptables/libipt_udp.so
/lib/iptables/libipt_unclean.so
/sbin/iptables
/sbin/iptables-restore
/sbin/iptables-save
/usr/share/doc/iptables-1.3.5
/usr/share/doc/iptables-1.3.5/COPYING
/usr/share/doc/iptables-1.3.5/INCOMPATIBILITIES
/usr/share/doc/iptables-1.3.5/INSTALL
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz
Note: the time-based control module is called libipt_time.so, but the iptables shipped with Red Hat has no support for time-based control, so iptables has to be uninstalled and built from source to enable the new module;