关于linux内核防火墙netfilter详解
信息流经过linux主机时的一般处理流程:
信息流报文---->报文到达主机时---->做一些预处理prerouting-----> 路由转换,--->审核--->postrouting--->路由选择---->转发出去--->
原理:netfilter能实现防火墙功能,是基于linux内核调度实现的。
[root@lib ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@lib ~]# systemctl start  firewalld
查看其全部默认规则
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination 
79  5656 ACCEPT     all  --               0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 ACCEPT     all  --  lo            0.0.0.0/0            0.0.0.0/0   
3   390 INPUT_direct  all  --               0.0.0.0/0            0.0.0.0/0
3   390 INPUT_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
3   390 INPUT_ZONES  all  --               0.0.0.0/0            0.0.0.0/0 
0     0 DROP       all  --               0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2   286 REJECT     all  --        *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination 
0     0 ACCEPT     all  --               0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 ACCEPT     all  --  lo            0.0.0.0/0            0.0.0.0/0   
0     0 FORWARD_direct  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FORWARD_IN_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FORWARD_IN_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FORWARD_OUT_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FORWARD_OUT_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
0     0 DROP       all  --               0.0.0.0/0            0.0.0.0/0            ctstate INVALID
0     0 REJECT     all  --        *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 42 packets, 4480 bytes)
pkts bytes target     prot opt in     out     source               destination 
42  4480 OUTPUT_direct  all  --               0.0.0.0/0            0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target     prot opt in     out     source               destination 
0     0 FWDI_public  all  --  ens33         0.0.0.0/0            0.0.0.0/0           [goto]
0     0 FWDI_public  all  --  +             0.0.0.0/0            0.0.0.0/0           [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target     prot opt in     out     source               destination 
0     0 FWDO_public  all  --        ens33   0.0.0.0/0            0.0.0.0/0           [goto]
0     0 FWDO_public  all  --        +       0.0.0.0/0            0.0.0.0/0           [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FORWARD_direct (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FWDI_public (2 references)
pkts bytes target     prot opt in     out     source               destination 
0     0 FWDI_public_log  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FWDI_public_deny  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FWDI_public_allow  all  --               0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     icmp --               0.0.0.0/0            0.0.0.0/0   
Chain FWDI_public_allow (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FWDI_public_deny (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FWDI_public_log (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FWDO_public (2 references)
pkts bytes target     prot opt in     out     source               destination 
0     0 FWDO_public_log  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FWDO_public_deny  all  --               0.0.0.0/0            0.0.0.0/0
0     0 FWDO_public_allow  all  --               0.0.0.0/0            0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FWDO_public_deny (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain FWDO_public_log (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain INPUT_ZONES (1 references)
pkts bytes target     prot opt in     out     source               destination 
3   390 IN_public  all  --  ens33         0.0.0.0/0            0.0.0.0/0           [goto]
0     0 IN_public  all  --  +             0.0.0.0/0            0.0.0.0/0           [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain INPUT_direct (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain IN_public (2 references)
pkts bytes target     prot opt in     out     source               destination 
3   390 IN_public_log  all  --               0.0.0.0/0            0.0.0.0/0
3   390 IN_public_deny  all  --               0.0.0.0/0            0.0.0.0/0
3   390 IN_public_allow  all  --               0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     icmp --               0.0.0.0/0            0.0.0.0/0   
Chain IN_public_allow (1 references)
pkts bytes target     prot opt in     out     source               destination 
0     0 ACCEPT     tcp  --               0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
1   104 ACCEPT     tcp  --               0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
0     0 ACCEPT     tcp  --               0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain IN_public_log (1 references)
pkts bytes target     prot opt in     out     source               destination 
Chain OUTPUT_direct (1 references)
pkts bytes target     prot opt in     out     source               destination 
[root@lib ~]#
[root@lib ~]# yum install firewall-config
打开图形化防火墙配置工具的命令
[root@lib ~]# firewall-config
netfilter功能模块详解
   报文经过的过程:
    hook function:
        prerouting      
        input 
        output 
        forward 
        postrouting
链(内置): chain
    PREROUTING
    INPUT
    FORWARD
    OUTPUT
    POSTROUTING
功能:
    filter:过滤,防火墙;
    nat:network address translation;用于修改源IP或目标IP,也可以改端口;
    mangle:拆解报文,做出修改,并重新封装起来;
    raw:关闭nat表上启用的连接追踪机制;
功能<--链:
高  raw:PREROUTING, OUTPUT
|   mangle:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
    nat:PREROUTING,[INPUT,]OUTPUT,POSTROUTING
低   filter:INPUT,FORWARD,OUTPUT
报文流向:
    流入本机:PREROUTING --> INPUT
    由本机流出:OUTPUT --> POSTROUTING
    转发:PREROUTING --> FORWARD --> POSTROUTING
    netfilter 防火墙规则可以通过iptables命令去管理
    访问量多的放前面
    匹配范围小的放前面
    iptables/netfilter
    规则:
        组成部分:根据规则匹配条件来尝试匹配报文,一旦匹配成功,就由规则定义的处理动作作出处理;
            匹配条件:
                基本匹配条件:内建
                扩展匹配条件:由扩展模块定义;
            处理动作:
                基本处理动作:内建
                扩展处理动作:由扩展模块定义;
                自定义处理机制:自定义链
        iptables的链:内置链和自定义链
            内置链:对应于hook function
            自定义链:用于内置链的扩展和补充,可实现更灵活的规则管理机制;
    添加规则时的考量点:
        (1) 要实现哪种功能:判断添加到哪个表上;
        (2) 报文流经的路径:判断添加到哪个链上;
        链:链上的规则次序,即为检查的次序;因此,隐含一定的应用法则:
            (1) 同类规则(访问同一应用),匹配范围小的放上面;
            (2) 不同类的规则(访问不同应用),匹配到报文频率较大的放在上面;
            (3) 将那些可由一条规则描述的多个规则合并起来;
            (4) 设置默认策略;
    iptables命令:
        高度模块化,由诸多扩展模块实现其检查条件或处理动作的定义;
            /usr/lib64/xtables/
                IPv6:libip6t_
                IPv4:libipt_, libxt_
iptables命令:
    iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
        匹配条件:
            基本匹配条件:
                -s, -d, -p, -i, -o
            扩展匹配条件:
                -m matchname per-match-options
        处理动作:
            基本处理动作:ACCEPT, DROP
            扩展处理动作:REJECT,RETURN,LOG,REDIRECT,...
            用户自定义链:
            COMMAND:
        链管理:-N,-X,-E,-P,-F,-Z
        规则管理:-A,-I,-R,-D
        查看:-L,-n, -v, -x, --line-numbers    
    iptables/netfilter
    规则:
        组成部分:根据规则匹配条件来尝试匹配报文,一旦匹配成功,就由规则定义的处理动作作出处理;
            匹配条件:
                基本匹配条件:内建
                扩展匹配条件:由扩展模块定义;
            处理动作:
                基本处理动作:内建
                扩展处理动作:由扩展模块定义;
                自定义处理机制:自定义链
        iptables的链:内置链和自定义链
            内置链:对应于hook function
            自定义链:用于内置链的扩展和补充,可实现更灵活的规则管理机制;
    添加规则时的考量点:
        (1) 要实现哪种功能:判断添加到哪个表上;
        (2) 报文流经的路径:判断添加到哪个链上;
        链:链上的规则次序,即为检查的次序;因此,隐含一定的应用法则:
            (1) 同类规则(访问同一应用),匹配范围小的放上面;
            (2) 不同类的规则(访问不同应用),匹配到报文频率较大的放在上面;
            (3) 将那些可由一条规则描述的多个规则合并起来;
            (4) 设置默认策略;
    iptables命令:
        高度模块化,由诸多扩展模块实现其检查条件或处理动作的定义;
            /usr/lib64/xtables/
                IPv6:libip6t_
                IPv4:libipt_, libxt_
        iptables [-t table] {-A|-C|-D} chain rule-specification
        iptables [-t table] -I chain [rulenum] rule-specification
        iptables [-t table] -R chain rulenum rule-specification
        iptables [-t table] -D chain rulenum
        iptables [-t table] -S [chain [rulenum]]
        iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
        iptables [-t table] -N chain
        iptables [-t table] -X  [chain]
        iptables [-t table] -P chain target
        iptables [-t table] -E old-chain-name new-chain-name
        rule-specification = [matches...]  [target]
        match = -m matchname [per-match-options]
        target = -j targetname [per-target-options]
        规则格式:iptables   [-t table]   COMMAND   chain   [-m matchname [per-match-options]]   -j targetname [per-target-options]
            -t table:
                raw, mangle, nat, [filter]
            COMMAND:
                链管理:
                    -N:new, 自定义一条新的规则链;
[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)      引用计数为0 
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#
                    -X: delete,删除自定义的规则链;
                        注意:仅能删除 用户自定义的 引用计数为0的 空的 链;
[root@lib ~]# iptables -X  in_web_rules
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#
                    -P:Policy,设置默认策略;对filter表中的链而言,其默认策略有:
                        ACCEPT:接受
                        DROP:丢弃
                        REJECT:拒绝
[root@lib ~]# iptables -vnL  FORWARD  | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -vnL  FORWARD  | head -1
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD ACCEPT
[root@lib ~]# iptables -vnL  FORWARD  | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]#
                    -E:重命名自定义链;引用计数不为0的自定义链不能够被重命名,也不能被删除;
                规则管理:
[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]# iptables -E in_web_rules in_web_rules_new1
[root@lib ~]# iptables -vnL in_web_rules_new1
Chain in_web_rules_new1 (0 references)
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#
                    -A:append,追加;
                    -I:insert, 插入,要指明位置,省略时表示第一条;
                    -D:delete,删除;
                        (1) 指明规则序号;
                        (2) 指明规则本身;
[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --               0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo            0.0.0.0/0            0.0.0.0/0
3        0     0 FORWARD_direct  all  --               0.0.0.0/0            0.0.0.0/0
4        0     0 FORWARD_IN_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
5        0     0 FORWARD_IN_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
6        0     0 FORWARD_OUT_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
7        0     0 FORWARD_OUT_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
8        0     0 DROP       all  --               0.0.0.0/0            0.0.0.0/0            ctstate INVALID
9        0     0 REJECT     all  --               0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]# iptables -D FORWARD 8   删除第8条forward规则
[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --               0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo            0.0.0.0/0            0.0.0.0/0
3        0     0 FORWARD_direct  all  --               0.0.0.0/0            0.0.0.0/0
4        0     0 FORWARD_IN_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
5        0     0 FORWARD_IN_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
6        0     0 FORWARD_OUT_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
7        0     0 FORWARD_OUT_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
8        0     0 REJECT     all  --               0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]#
                    -R:replace,替换指定链上的指定规则;
                    -F:flush,清空指定的规则链;
[root@lib ~]# iptables -vnL INPUT   查看INPUT链路规则
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
77  5976 ACCEPT     all  --               0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 ACCEPT     all  --  lo            0.0.0.0/0            0.0.0.0/0
7  1087 INPUT_direct  all  --               0.0.0.0/0            0.0.0.0/0
7  1087 INPUT_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0
7  1087 INPUT_ZONES  all  --               0.0.0.0/0            0.0.0.0/0
0     0 DROP       all  --               0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7  1087 REJECT     all  --        *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]#
[root@lib ~]# iptables -F INPUT
[root@lib ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 7 packets, 575 bytes)
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#
                    -Z:zero,置零;
                        iptables的每条规则都有两个计数器:
                            (1) 匹配到的报文的个数;
                            (2) 匹配到的所有报文的大小之和;  
[root@lib ~]# iptables -Z INPUT
                查看:
                    -L:list, 列出指定链上的所有规则;
                        -n:numeric,以数字格式显示地址和端口号;
                          -v:verbose,详细信息;
                            -vv, -vvv
                        -x:exactly,显示计数器结果的精确值; 
                        --line-numbers:显示规则的序号;
[root@lib ~]# iptables -L -n
[root@lib ~]# iptables -L --line-numbers -v -n
[root@lib ~]# iptables -L --line-numbers -vv -n
[root@lib ~]# iptables -L --line-numbers -v -n -x
[root@lib ~]# iptables -vnxL --line-number
[root@lib ~]# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts      bytes target     prot opt in     out     source               destination       
8539   737755 ACCEPT     all  --               0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0        0 ACCEPT     all  --  lo            0.0.0.0/0            0.0.0.0/0
1175   174348 INPUT_direct  all  --               0.0.0.0/0            0.0.0.0/0        
1175   174348 INPUT_ZONES_SOURCE  all  --               0.0.0.0/0            0.0.0.0/0  
1175   174348 INPUT_ZONES  all  --               0.0.0.0/0            0.0.0.0/0         
0        0 DROP       all  --               0.0.0.0/0            0.0.0.0/0            ctstate INVALID
1168   173260 REJECT     all  --        *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]#
[root@lib ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere
Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination
Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
Chain FORWARD_direct (1 references)
target     prot opt source               destination
Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
Chain FWDI_public_allow (1 references)
target     prot opt source               destination
Chain FWDI_public_deny (1 references)
target     prot opt source               destination
Chain FWDI_public_log (1 references)
target     prot opt source               destination
Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere
Chain FWDO_public_allow (1 references)
target     prot opt source               destination
Chain FWDO_public_deny (1 references)
target     prot opt source               destination
Chain FWDO_public_log (1 references)
target     prot opt source               destination
Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
Chain INPUT_direct (1 references)
target     prot opt source               destination
Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
Chain IN_public_deny (1 references)
target     prot opt source               destination
Chain IN_public_log (1 references)
target     prot opt source               destination
Chain OUTPUT_direct (1 references)
target     prot opt source               destination
[root@lib ~]#
            chain:
                PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
            匹配条件:
                基本匹配条件:无需加载任何模块,由iptables/netfilter自行提供;
                    [!] -s, --source  address[/mask][,...]:检查报文中的源IP地址是否符合此处指定的地址或范围;
                    [!] -d, --destination address[/mask][,...]:检查报文中的目标IP地址是否符合此处指定的地址或范围;
                        所有地址:0.0.0.0/0
                    [!] -p, --protocol protocol
                        protocol: tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh or  "all"
                            {tcp|udp|icmp}
                    [!] -i, --in-interface name:数据报文流入的接口;只能应用于数据报文流入的环节,只能应用于PREROUTING,INPUT和FORWARD链;
                    [!] -o, --out-interface name:数据报文流出的接口;只能应用于数据报文流出的环节,只能应用于FORWARD、OUTPUT和POSTROUTING链;     
                        处理动作:
                -j targetname [per-target-options]
                    ACCEPT
                    DROP
                    REJECT
centos 7 有7张表
[root@lib ~]# iptables  -L   默认filter表
[root@lib ~]# iptables -t filter -L
[root@lib ~]# iptables -t mangle -L
[root@lib ~]# iptables -t raw -L
[root@lib ~]# iptables -t nat -L                                
[root@lib ~]# iptables -t security -L                   
[root@lib ~]# systemctl stop firewalld
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#
例如允许192.168.0.0/24 网访问本机
[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
6   432 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 4 packets, 592 bytes)
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#
允许本机访问192.168.0.0/24网段
[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
254 18424 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
4   592 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24
[root@lib ~]#
-d、-p 不写时代表匹配所有
[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P FORWARD  DROP
[root@lib ~]# iptables -P OUTPUT   DROP
默认策略改为DROP后,就建立起了白名单机制
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
381 27776 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
79  9064 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24
[root@lib ~]#
192.168.0.101 ping 不通 192.168.0.103 了,因为其INPUT链只开放了tcp协议的流量,而ping使用的是ICMP协议
C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.
放其进来
[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.101 -d 192.168.0.103 -p icmp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
766 57344 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103
0     0 ACCEPT     icmp --               192.168.0.101        192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
320 36208 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24
[root@lib ~]#
还是ping不通,因为没有放其出去
C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.103:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\kerberos>
抓包可以看得出
[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:18:21.075645 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 347, length 40
16:18:26.077079 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 348, length 40
16:18:31.079188 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 349, length 40
加一条规则,放其出去
[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.101 -p icmp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination 
1070 79152 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103
6   360 ACCEPT     icmp --               192.168.0.101        192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination 
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination 
484 53984 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24
0     0 ACCEPT     icmp --               192.168.0.103        192.168.0.101
[root@lib ~]#
再ping
C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\kerberos>
抓包
[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:21:09.433967 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 352, length 40
16:21:09.434011 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 352, length 40
16:21:10.442321 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 353, length 40
16:21:10.442357 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 353, length 40
防火墙定制机制: 一般使用白名单机制,拒绝所有,允许特定。
[root@lib ~]# systemctl status firewalld
    练习:本机地址172.16.0.67
        1、开放本机的所有tcp服务给所有主机;
            # iptables -I INPUT  -d 172.16.0.67 -p tcp -j ACCEPT
            # iptables -I OUTPUT  -s 172.16.0.67 -p tcp -j ACCEPT 
        2、开放本机的所有udp服务给172.16.0.0/16网络中的主机,但不包含172.16.0.200;
            # iptables -I INPUT 2 -d 172.16.0.67 -s 172.16.0.200 -p udp -j REJECT
            # iptables -I INPUT 3 -d 172.16.0.67 -s 172.16.0.0/16 -p udp -j ACCEPT
            # iptables -I OUTPUT 2 -s 172.16.0.67 -d 172.16.0.0/16 -p udp -j ACCEPT
        3、默认策略为REJECT;
        扩展:
        1、仅开放本机的ssh服务给172.16.0.0/16中的主机,而且不包含172.16.0.200; 
iptables/netfilter
framework: netfilter
五链:
PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
    filter:包过滤;
    nat:地址转换;
    mangle:报文修改;
    raw:关闭nat表上启用的连接追踪机制;
    security:
    filter:INPUT,FORWARD,OUTPUT
    nat:PREROUTING,INPUT,OUTPUT,POSTROUTING
    mangle:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
    raw:OUTPUT,PREROUTING
iptables命令:
    iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
        匹配条件:
            基本匹配条件:
                -s, -d, -p, -i, -o
            扩展匹配条件:
                -m matchname per-match-options
        处理动作:
            基本处理动作:ACCEPT, DROP
            扩展处理动作:REJECT,RETURN,LOG,REDIRECT,...
            用户自定义链:
    COMMAND:
        链管理:-N,-X,-E,-P,-F,-Z
        规则管理:-A,-I,-R,-D
        查看:-L,-n, -v, -x, --line-numbers
大写的为处理(命令/动作)
小写的为条件匹配
[root@lib ~]# rpm -ql iptables | grep -i -E 'tcp|icmp|upd'
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
[root@lib ~]#
iptables(2)
iptables [-t table] COMMAND [chain] [PARAMETERS] [-m matchname [per-match-options]] [-j targetname [per-target-options]]
    匹配条件:
        基本匹配条件:PARAMETERS
        扩展匹配条件:
            隐式扩展:在使用-p选项指明了特定的协议时,无需再同时使用-m选项指明扩展模块的扩展机制;
            显式扩展:必须使用-m选项指明要调用的扩展模块的扩展机制;
                隐式扩展:不需要手动加载扩展模块;因为它们是对协议的扩展,所以,但凡使用-p指明了协议,就表示已经指明了要扩展的模块;
                    tcp:
                        [!] --source-port, --sport port[:port]:匹配报文的源端口;可以是端口范围;
                        [!] --destination-port,--dport port[:port]:匹配报文的目标端口;可以是端口范围;
                        [!] --tcp-flags  mask  comp
                                mask is the flags which we should examine,  written as a comma-separated list,例如 SYN,ACK,FIN,RST
                                comp is a comma-separated list  of  flags  which must be set,例如SYN
                                例如:“--tcp-flags  SYN,ACK,FIN,RST  SYN”表示,要检查的标志位为SYN,ACK,FIN,RST四个,其中SYN必须为1,余下的必须为0;
                        [!] --syn:用于匹配第一次握手,相当于”--tcp-flags  SYN,ACK,FIN,RST  SYN“;         
允许  192.168.0.0/24访问192.168.0.103 22端口服务                            
[root@lib ~]# iptables -I INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 22 -j ACCEPT   I表示插入
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
127  9148 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
2221  175K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103
10   600 ACCEPT     icmp --               192.168.0.101        192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)  
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp dpt:22
1391  152K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24
4   240 ACCEPT     icmp --               192.168.0.103        192.168.0.101
[root@lib ~]#
ssh 无法连接了,有问题。起初以为是客户端连接 ssh 时显示的端口不是 22 而是一个随机端口,其实不是这个原因:服务端回包的源端口才是 22,所以上面 OUTPUT 方向的规则应该匹配 --sport 22,而不是 --dport 22
删除重新配置
[root@lib ~]#iptables -D OUTPUT 1 
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --sport 22 -j ACCEPT
此时如果执行 [root@lib ~]# iptables -F 清空所有规则,就只剩下默认策略,也就是 policy DROP,
ssh 就连不上了
为了消除上面的风险
改用下面的规则:在链尾追加 REJECT 规则,效果相当于默认策略 DROP,但没有上面 iptables -F 的风险(-F 只清空规则,不改变默认策略 ACCEPT)
[root@lib ~]#iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]#iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]#iptables -P INPUT ACCEPT         
[root@lib ~]#iptables -P OUTPUT ACCEPT
相当于默认策略的DROP
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 18 packets, 2660 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      619 52768 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
2       31  1860 ACCEPT     icmp --               192.168.0.101        192.168.0.103
3        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      215 39652 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
2        4   240 ACCEPT     icmp --               192.168.0.103        192.168.0.101
3       30  2460 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
ping 自己 可以通
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.027/0.031/0.035/0.004 ms
回到之前的默认策略
[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P OUTPUT DROP
[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      953 77040 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
2       31  1860 ACCEPT     icmp --               192.168.0.101        192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      396 60380 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
2        4   240 ACCEPT     icmp --               192.168.0.103        192.168.0.101
ping 自己,ping 不通:默认策略 DROP 会把经过回环接口 lo 的本机流量也一并丢弃(上面的 ACCEPT 规则只匹配 192.168.0.103),过分紧张了
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@lib ~]#
再回到production 模式
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]#
[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1902  148K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
31  1860 ACCEPT     icmp --               192.168.0.101        192.168.0.103
0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
955  132K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
4   240 ACCEPT     icmp --               192.168.0.103        192.168.0.101
0     0 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
又或者可以这样设置,对网卡进行设置
[root@lib ~]# iptables -A INPUT -i ens33 -j REJECT
[root@lib ~]# iptables -A OUTPUT -o ens33 -j REJECT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
2135  165K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
31  1860 ACCEPT     icmp --               192.168.0.101        192.168.0.103
0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
1   143 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1082  147K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
4   240 ACCEPT     icmp --               192.168.0.103        192.168.0.101
0     0 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
此时可以把第三条配置删了
[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
2217  171K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
31  1860 ACCEPT     icmp --               192.168.0.101        192.168.0.103
3   429 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1127  153K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
4   240 ACCEPT     icmp --               192.168.0.103        192.168.0.101
0     0 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.031/0.041/0.052/0.012 ms
[root@lib ~]#
                    samba 137,138  udp        dns tcp53或者udp53
                           139,445 tcp
                    udp 
                        [!] --source-port, --sport port[:port]:匹配报文的源端口;可以是端口范围;
                        [!] --destination-port,--dport port[:port]:匹配报文的目标端口;可以是端口范围;
                    icmp 
                        [!] --icmp-type {type[/code]|typename}
                                echo-request:8
                                echo-reply:0
[root@lib ~]# iptables -D INPUT 2
[root@lib ~]# iptables -D OUTPUT 2
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
2453  187K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
38  5520 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1299  188K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
462 42904 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 192.168.0.101
PING 192.168.0.101 (192.168.0.101) 56(84) bytes of data.
From 192.168.0.103 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.0.103 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.0.101 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
[root@lib ~]#
添加规则
放其出去
[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p icmp --icmp-type 8  -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
3041  236K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
55  9273 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1715  235K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
0     0 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 8
486 50288 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
试着ping,可以ping出去,只是收不到reply而已,因为没有配置
[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
[root@lamp ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:21:25.826655 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 81, length 64
20:21:25.826691 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 81, length 64
20:21:26.826886 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 82, length 64
20:21:26.826909 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 82, length 64
再加一条配置,使本机可以接收 reply(echo-reply,type 0)
[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
3412  266K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
1    84 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 0 code 0
240 27642 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1923  271K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
161 13524 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 8
679 79464 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.325 ms
^C
--- 192.168.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.325/0.425/0.526/0.102 ms
[root@lib ~]#
成功
别的主机 ping 本机其实是不通的,因为还没有配置允许入站 echo-request(type 8)和出站 echo-reply(type 0)的规则
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
[root@lamp ~]#
再配置
[root@lib ~]# iptables -I INPUT 3 -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 3 -s 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
4417  349K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
1    84 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 0 code 0
2   168 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 8
264 30983 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
2599  346K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
161 13524 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 8
2   168 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 0 code 0
712 89640 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.317 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.317/0.329/0.341/0.012 ms
[root@lamp ~]#
配置samba 共享服务器规则
[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -p udp --dport 137:138 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -p udp --sport 137:138 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 356 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138
5246  420K ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:22
1    84 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 0 code 0
2   168 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 8
857  119K REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1 packets, 356 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            udp spts:137:138
3057  430K ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:22
161 13524 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 8
2   168 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 0 code 0
1257  253K REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
配置后还是无法 telnet(注意 telnet 走 TCP,而 137/138 是 UDP 端口,用 telnet 测不出 UDP 放行是否生效)
[root@lamp ~]# telnet 192.168.0.103 137
Trying 192.168.0.103...
^C
[root@lamp ~]# telnet 192.168.0.103 138
Trying 192.168.0.103...
^C
[root@lamp ~]#
[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Connection to 192.168.0.103 failed (Error NT_STATUS_IO_TIMEOUT)
[root@lamp ~]#
smbclient 真正需要的是 TCP 139 和 445 端口,下面用 multiport 扩展一并放行
显式扩展:必须要手动加载扩展模块, [-m matchname [per-match-options]];
        显式扩展:必须使用-m选项指明要调用的扩展模块的扩展机制;
            1、multiport
                This  module  matches  a  set  of  source  or  destination  ports. Up  to 15 ports can be specified.  A port range (port:port) counts as two ports.  It can only be used in conjunction with one of the following protocols: tcp,  udp, udplite, dccp and sctp.
                以离散或连续的 方式定义多端口匹配条件,最多15个;
                [!] --source-ports,--sports port[,port|,port:port]...:指定多个源端口;
                [!] --destination-ports,--dports port[,port|,port:port]...:指定多个目标端口;
                # iptables -I INPUT  -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -j ACCEPT
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain.  If the source and/or destination names  resolve
to multiple addresses, the command will fail.  Rules are numbered starting at 1.
[root@lib ~]# iptables -R INPUT 2  -d 192.168.0.103 -p tcp -m multiport --dports 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -R OUTPUT 2 -s 192.168.0.103 -p tcp -m multiport --sport 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138
152 10960 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 22,80,139,445
1    84 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 0 code 0
2   168 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 8
3609  557K REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
249 54072 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            udp spts:137:138
9  1480 ACCEPT     tcp  --               192.168.0.103        0.0.0.0/0            multiport sports 22,80,139,445
1    84 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 8
2   168 ACCEPT     icmp --               192.168.0.103        0.0.0.0/0            icmptype 0 code 0
2645  863K REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# smbclient -L 192.168.0.103
Enter SAMBA\root's password:
Anonymous login successful
    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    HRDept          Disk      HR share file
    IPC$            IPC       IPC Service (Samba 4.8.3)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
    Server               Comment
    ---------            -------
    Workgroup            Master
    ---------            -------
    SAMBA                LIB
[root@lamp ~]#
            2、iprange
                以连续地址块的方式来指明多IP地址匹配条件;
                [!] --src-range from[-to]
                [!] --dst-range from[-to]
                # iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
                # iptables -I OUTPUT -s 172.16.0.7 -p tcp -m multiport --sports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
            3、time
                This  matches  if the packet arrival time/date is within a given range.
                 --timestart hh:mm[:ss]
                 --timestop hh:mm[:ss]
                 [!] --weekdays day[,day...]
                 [!] --monthdays day[,day...]
                --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
                --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
                 --kerneltz:使用内核配置的时区而非默认的UTC;
            4、string 检查字符编码后的字符是否匹配
                This modules matches a given string by using some pattern matching strategy. 
                --algo {bm|kmp}  算法
                [!] --string pattern
                [!] --hex-string pattern
                --from offset
                --to offset
                ~]# iptables -I OUTPUT -m string --algo bm  --string "gay" -j REJECT
          iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
          # The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
          iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'
            5、connlimit    用于防范拒绝服务攻击,限制单客户端访问并发数
                Allows  you  to  restrict  the  number  of parallel connections to a server per client IP address (or client address block).
                --connlimit-upto n
                --connlimit-above n
                防火墙默认策略为拒绝时,用 --connlimit-upto 放行低于阈值的连接;默认策略为允许时,则用 --connlimit-above 拒绝超出阈值的连接
                ~]# iptables -I INPUT -d 172.16.0.7 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
[root@lib ~]# systemctl start mariadb
[root@lib ~]#
[root@lib ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [(none)]> create user 'test'@'%' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> select user,host from mysql.user where user = 'test';
+------+------+
| user | host |
+------+------+
| test | %    |
+------+------+
1 row in set (0.00 sec)
MariaDB [(none)]>
访问不了
[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.103' (110)
[root@lamp ~]# 
添加防火墙规则
[root@lib ~]# iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 3306 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 2 -d 192.168.0.0/24 -s 192.168.0.103 -p tcp --sport 3306 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
1    60 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:3306
0     0 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:3306
[root@lib ~]#
[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
修改第 2 条进站规则(上面插入的 3306 规则):同一个客户端的并发连接大于 2 条时,多余的连接不再匹配这条 ACCEPT,而落到后面的 REJECT。connlimit 在 TCP 三次握手建立连接时按源地址(/32)统计连接跟踪中的并发连接数,见输出中的 `#conn src/32 <= 2`
[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -s 192.168.0.0/24 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
[root@lib ~]# iptables -vnL | grep  3306
0     0 ACCEPT     tcp  --               192.168.0.0/24       192.168.0.103        tcp dpt:3306 #conn src/32 <= 2
11   952 ACCEPT     tcp  --               192.168.0.103        192.168.0.0/24       tcp spt:3306
[root@lib ~]#
            6、limit   按报文速率进行限制,令牌桶方式
                This  module  matches  at  a limited rate using a token bucket filter. 
                --limit rate[/second|/minute|/hour|/day]
                --limit-burst number    令牌桶最多可累积(突发允许)的令牌数
                ~]# iptables -I OUTPUT -s 172.16.0.7 -p icmp --icmp-type 0 -j ACCEPT
                限制本机某tcp服务接收新请求的速率:--syn, -m limit
[root@lamp ~]# wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home%3A/matthewdva%3A/build%3A/EPEL%3A/el7/CentOS_7/x86_64/hping3-0.0.20051105-24.el7.x86_64.rpm
[root@lamp ~]# yum intall hping3-0.0.20051105-24.el7.x86_64.rpm
[root@lamp ~]# rpm -ql hping3
/usr/sbin/hping
/usr/sbin/hping2
/usr/sbin/hping3
#iptables  -I INPUT 6 -d 192.168.0.103 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
#iptables -I OUTPUT 6 -s 192.168.0.103 -p icmp  --icmp-type 0 -j ACCEPT
对于web 新请求数进行限制 限制本机某tcp服务接收新请求的速率:--syn, -m limit
            7、state
                The "state" extension is a subset of the "conntrack" module.  "state" allows access to the connection tracking state for this packet.
                [!] --state state
                    INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED.
                    NEW: 新连接请求;
                    ESTABLISHED:已建立的连接;
                    INVALID:无法识别的连接;
                    RELATED:相关联的连接,当前连接是一个新请求,但附属于某个已存在的连接;
                    UNTRACKED:未追踪的连接;
连接追踪:追踪记录保存在内存中,可直接查询
                    state扩展:
                        内核模块装载:
                            nf_conntrack
                            nf_conntrack_ipv4
                            手动装载:
                                nf_conntrack_ftp 
                追踪到的连接:   在并发访问量大的场景中,不建议开启
                    /proc/net/nf_conntrack
[root@lib ~]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.103 dst=192.168.0.101 sport=22 dport=56005 src=192.168.0.101 dst=192.168.0.103 sport=56005 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53484 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53484 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53483 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53483 [ASSURED] mark=0 zone=0 use=2
[root@lib ~]#
                调整可记录的连接数量最大值:
                    /proc/sys/net/nf_conntrack_max
[root@lib ~]# cat /proc/sys/net/nf_conntrack_max
25432
[root@lib ~]#   
                超时时长:   不同协议,超时时长不同
                    /proc/sys/net/netfilter/*timeout*
[root@lib ~]# cat /proc/sys/net/netfilter/*timeout*
15
600
30
10
60
432000
120
30
300
60
120
120
300
30
180
[root@lib ~]# ls -lt  /proc/sys/net/netfilter/
total 0
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_acct
-r--r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_buckets
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_checksum
-r--r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_count
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_events
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_events_retry_timeout
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_expect_max
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_generic_timeout
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_helper
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_icmp_timeout
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_log_invalid
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_max
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_be_liberal
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_loose
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_max_retrans
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_close
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_close_wait
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_established
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_fin_wait
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_last_ack
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_max_retrans
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_syn_recv
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_syn_sent
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_time_wait
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_tcp_timeout_unacknowledged
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_timestamp
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_udp_timeout
-rw-r--r-- 1 root root 0 Aug  4 21:53 nf_conntrack_udp_timeout_stream
dr-xr-xr-x 1 root root 0 Aug  4 21:53 nf_log
[root@lib ~]#
清空所有规则
[root@lib ~]# iptables -F
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#
-I 默认插入为链中第一条规则(也可指定位置),-A 在链尾追加规则
建立规则
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -p tcp -m multiport --dports 22:23,80,139,445,3306 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -m state --state ESTABLISHED -j ACCEPT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -m state --state ESTABLISHED -j ACCEPT
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT  -s 192.168.0.103 -j REJECT
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1339  109K ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state ESTABLISHED
2        0     0 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 22:23,80,139,445,3306 state NEW
3        3   164 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 22:23,80,137,138,139,445,3306 state NEW
4       52  2992 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      773  116K ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2       50  4472 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
放行本机出站到时间服务器的 NTP 同步流量(udp 123、323)
[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p udp -m multiport --dports 123,323 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2146  181K ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state ESTABLISHED
2        2   120 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 22:23,80,139,445,3306 state NEW
3        3   164 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 22:23,80,137,138,139,445,3306 state NEW
4       52  2992 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1321  191K ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3       50  4472 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p udp --dport 137:138 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -vnL  --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      247 22635 ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state ESTABLISHED
2        0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138 state NEW
3        6   312 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 22:23,80,139,445,3306 state NEW
4        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      167 30990 ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3        8   688 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
samba  ssh  mysql httpd都可以访问, 
[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Enter SAMBA\smbuser4's password:
Try "help" to get a list of possible commands.
smb: \>
[root@lamp ~]# mysql -u test -h 192.168.0.103 -ptest
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
对于ftp 进行定义规则
[root@lib ~]# systemctl start vsftpd
[root@lib ~]#
装载模块,追踪ftp
[root@lib ~]# modinfo nf_conntrack_ftp
filename:       /lib/modules/3.10.0-514.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko
alias:          nfct-helper-ftp
alias:          ip_conntrack_ftp
description:    ftp connection tracking helper
author:         Rusty Russell <rusty@rustcorp.com.au>
license:        GPL
rhelversion:    7.3
srcversion:     D43BF56A22E3D137BA1227B
depends:        nf_conntrack
intree:         Y
vermagic:       3.10.0-514.el7.x86_64 SMP mod_unload modversions
signer:         CentOS Linux kernel signing key
sig_key:        D4:88:63:A7:C1:6F:CC:27:41:23:E6:29:8F:74:F0:57:AF:19:FC:54
sig_hashalgo:   sha256
parm:           ports:array of ushort
parm:           loose:bool
[root@lib ~]# lsmod | grep nf_conntrack_ftp
[root@lib ~]# modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       18638  0
nf_conntrack          111302  4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[root@lib ~]#
改造规则:开放 21 端口(FTP 控制连接),并放行 RELATED 状态的入站报文(FTP 数据连接)
[root@lib ~]# iptables -R INPUT 3  -d 192.168.0.103 -p tcp -m multiport --dports 21:23,80,139,445,3306 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -R INPUT 1 -d 192.168.0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@lib ~]#
[root@lib ~]# iptables -vnL  --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       14  1008 ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138 state NEW
3        0     0 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 21:23,80,139,445,3306 state NEW
4        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      182 34934 ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3        8   688 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
访问ftp成功
[root@lamp ~]# ftp 192.168.0.103
Connected to 192.168.0.103 (192.168.0.103).
220 (vsFTPd 3.0.2)
Name (192.168.0.103:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,103,146,162).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp>
[root@lamp ~]# yum install telnet-server  --downloadonly --downloaddir=/tmp/
[root@lamp ~]# scp -p /tmp/telnet-server-0.17-64.el7.x86_64.rpm 192.168.0.103:/tmp/
root@192.168.0.103's password:
telnet-server-0.17-64.el7.x86_64.rpm            100%   41KB  40.8KB/s   00:00
[root@lamp ~]#
[root@lib vsftpd]# yum install /tmp/telnet-server-0.17-64.el7.x86_64.rpm
启动telnet 服务
[root@lib vsftpd]# systemctl start telnet.socket
[root@lib vsftpd]# systemctl status  telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: active (listening) since Sun 2019-08-04 23:59:04 CST; 5s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
Aug 04 23:59:04 lib systemd[1]: Listening on Telnet Server Activation Socket.
Aug 04 23:59:04 lib systemd[1]: Starting Telnet Server Activation Socket.
[root@lib vsftpd]#
对telnet加日志规则
[root@lib vsftpd]# iptables -I INPUT 3 -d 192.168.0.103 -p tcp --dport 23 -m state --state NEW -j LOG
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       26  2000 ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138 state NEW
3        0     0 LOG        tcp  --               0.0.0.0/0            192.168.0.103        tcp dpt:23 state NEW LOG flags 0 level 4
4        0     0 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 21:23,80,139,445,3306 state NEW
5        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      191 37230 ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3        8   688 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# telnet 192.168.0.103
Trying 192.168.0.103...
Connected to 192.168.0.103.
Escape character is '^]'.
Kernel 3.10.0-514.el7.x86_64 on an x86_64
lib login: test12
Password:
Last login: Mon Aug  5 00:04:03 from lib
[test12@lib ~]$
[root@lib log]# tail -f messages
Aug  5 00:04:01 lib systemd: Started Session 1106 of user root.
Aug  5 00:04:01 lib systemd: Starting Session 1106 of user root.
Aug  5 00:04:03 lib systemd: Created slice user-1050.slice.
Aug  5 00:04:03 lib systemd: Starting user-1050.slice.
Aug  5 00:04:03 lib systemd-logind: New session 1107 of user test12.
Aug  5 00:04:03 lib systemd: Started Session 1107 of user test12.
Aug  5 00:04:03 lib systemd: Starting Session 1107 of user test12.
Aug  5 00:04:17 lib systemd-logind: Removed session 1107.
Aug  5 00:04:17 lib systemd: Removed slice user-1050.slice.
Aug  5 00:04:17 lib systemd: Stopping user-1050.slice.
Aug  5 00:04:31 lib kernel: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43583 DF PROTO=TCP SPT=51302 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 00:04:31 lib systemd: Started Telnet Server (192.168.0.102:51302).
Aug  5 00:04:31 lib systemd: Starting Telnet Server (192.168.0.102:51302)...
Aug  5 00:04:36 lib systemd: Created slice user-1050.slice.
Aug  5 00:04:36 lib systemd: Starting user-1050.slice.
Aug  5 00:04:36 lib systemd-logind: New session 1108 of user test12.
Aug  5 00:04:36 lib systemd: Started Session 1108 of user test12.
Aug  5 00:04:36 lib systemd: Starting Session 1108 of user test12.
[root@lib log]# iptables -R INPUT 3 -d 192.168.0.103 -p tcp --dport 23 -m state --state NEW -j LOG --log-prefix "access telnet"
[root@lib log]#
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2872 ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138 state NEW
3        0     0 LOG        tcp  --               0.0.0.0/0            192.168.0.103        tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4        0     0 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 21:23,80,139,445,3306 state NEW
5        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      199 39934 ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3        8   688 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#
日志有前缀了
[root@lib log]# tail -f messages
Aug  5 00:09:10 lib kernel: access telnetIN=ens33 OUT= MAC=00:0c:29:b7:65:02:58:fb:84:0c:97:07:08:00 SRC=192.168.0.101 DST=192.168.0.103 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14262 DF PROTO=TCP SPT=60250 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug  5 00:09:10 lib systemd: Started Telnet Server (192.168.0.101:60250).
Aug  5 00:09:10 lib systemd: Starting Telnet Server (192.168.0.101:60250)...
Aug  5 00:09:13 lib systemd: Created slice user-1050.slice.
Aug  5 00:09:13 lib systemd: Starting user-1050.slice.
Aug  5 00:09:13 lib systemd-logind: New session 1112 of user test12.
Aug  5 00:09:13 lib systemd: Started Session 1112 of user test12.
Aug  5 00:09:13 lib systemd: Starting Session 1112 of user test12.
Aug  5 00:10:01 lib systemd: Started Session 1113 of user root.
Aug  5 00:10:01 lib systemd: Starting Session 1113 of user root.
处理动作(跳转目标):
    -j targetname [per-target-options]
        简单target:
            ACCEPT, DROP
        扩展target:
            REJECT
                This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to  DROP  so it  is  a  terminating  TARGET,  ending  rule traversal.
                --reject-with type
                    The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, or icmp-admin-prohibited (*), which return the appropriate ICMP error message
                    (icmp-port-unreachable is the default).
            LOG
                Turn  on  kernel  logging of matching packets.
                --log-level
                --log-prefix
                默认日志保存于/var/log/messages
            RETURN:
                返回调用者;
        自定义链做为target:
[root@lib ~]# iptables -N in_ping_rules
[root@lib ~]# iptables -A in_ping_rules -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I in_ping_rules -d 192.168.0.103 -s 192.168.0.101 -p icmp -j REJECT
[root@lib ~]# iptables --line-numbers -vnL
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       69  5272 ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138 state NEW
3        0     0 LOG        tcp  --               0.0.0.0/0            192.168.0.103        tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4        0     0 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 21:23,80,139,445,3306 state NEW
5        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      222 45494 ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3       96  8256 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
Chain in_ping_rules (0 references)  尚未被任何链引用(0 references),其中的规则不会生效;需要从 INPUT 等内置链跳转调用才行
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --               192.168.0.101        192.168.0.103        reject-with icmp-port-unreachable
2        0     0 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 8
[root@lib ~]#
[root@lib ~]# iptables -I INPUT 5 -d 192.168.0.103 -p icmp -j in_ping_rules
[root@lib ~]# iptables --line-numbers -vnL
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       84  6368 ACCEPT     all  --               0.0.0.0/0            192.168.0.103        state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --               0.0.0.0/0            192.168.0.103        udp dpts:137:138 state NEW
3        0     0 LOG        tcp  --               0.0.0.0/0            192.168.0.103        tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4        0     0 ACCEPT     tcp  --               0.0.0.0/0            192.168.0.103        multiport dports 21:23,80,139,445,3306 state NEW
5        0     0 in_ping_rules  icmp --               0.0.0.0/0            192.168.0.103
6        0     0 REJECT     all  --               0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      232 48662 ACCEPT     all  --               192.168.0.103        0.0.0.0/0            state ESTABLISHED    万能的,能进来就能出去
2        0     0 ACCEPT     udp  --               192.168.0.103        0.0.0.0/0            multiport dports 123,323 state NEW
3       96  8256 REJECT     all  --               192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
Chain in_ping_rules (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --               192.168.0.101        192.168.0.103        reject-with icmp-port-unreachable
2        0     0 ACCEPT     icmp --               0.0.0.0/0            192.168.0.103        icmptype 8
[root@lib ~]#
可以ping通
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.604 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.834 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.604/0.719/0.834/0.115 ms
[root@lamp ~]#
[root@lib ~]# iptables -X in_ping_rules     ,这条自定义链仍被 INPUT 链引用(1 references),不能删除;需先删除 INPUT 中跳转到它的规则。
iptables: Too many links.
[root@lib ~]#
保存和载入规则:
    保存:iptables-save > /PATH/TO/SOME_RULE_FILE
    重载:iptables-restore < /PATH/FROM/SOME_RULE_FILE
        -n, --noflush:不清除原有规则
        -t, --test:仅分析生成规则集,但不提交
    CentOS 6:
        保存规则:
            service iptables save
            保存规则于/etc/sysconfig/iptables文件,覆盖保存;
        重载规则:
            service iptables restart
            默认重载/etc/sysconfig/iptables文件中的规则 
        配置文件:/etc/sysconfig/iptables-config
    CentOS 7:
        (1) 自定义Unit File,进行iptables-restore;
        (2) firewalld服务;
        (3) 自定义脚本;
规则优化的思路:
    使用自定义链管理特定应用的相关规则,模块化管理规则;
    (1) 优先放行双方向状态为ESTABLISHED的报文;
    (2) 服务于不同类别的功能的规则,匹配到报文可能性更大的放前面;
    (3) 服务于同一类别的功能的规则,匹配条件较严格的放在前面;
    (4) 设置默认策略:白名单机制
        (a) iptables -P,不建议;
        (b) 建议在规则的最后定义规则做为默认策略;
关闭服务器 80 端口主动向外发起的连接,即出站报文不允许为 NEW 状态,只能为 ESTABLISHED,防止***
iptables/netfilter:
netfilter 四个表: raw 连接追踪相关, mangle 报文修改, nat 地址转换, filter 报文过滤
PREROUTING --> INPUT
PREROUTING --> FORWARD --> POSTROUTING
OUTPUT --> POSTROUTING 
filter:INPUT,FORWARD,OUTPUT
nat:PREROUTING,INPUT,OUTPUT,POSTROUTING
iptables:
    [-t table] COMMAND [chain] rule-specification
        -m matchname [per-match-options]
        -j targetname [per-target-options]
        [options]
    匹配 条件:
        基本匹配条件:-s, -d, -p, -m, -i, -o
        扩展匹配条件:
            隐式扩展:
                -p tcp: --dport, --sport, --tcp-flags, --syn 
                -p udp:--dport, --sport
                -p icmp: --icmp-type
            显式扩展:
                multiport:--sports, --dports
                iprange:--src-range, --dst-range
                time:--timestart, --timestop, --weekdays, --monthdays, --datestart, --datestop
                string:--algo {bm|kmp}, --string
                connlimit:--connlimit-upto, --connlimit-above
                limit:--limit, --limit-burst
                state:--state
                    NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
    target:
        -j:
            ACCEPT/DROP
            REJECT:--reject-with
            LOG:--log-level, --log-prefix
            自定义链
                RETURN
iptables-save/iptables-restore
iptables(3)                 
iptables/netfilter网络防火墙:
(1) 网关;
(2) filter表的FORWARD链;
    要注意的问题:
        (1) 请求-响应报文均会经由FORWARD链,要注意规则的方向性;
        (2) 如果要启用conntrack机制,建议将双方向的状态为ESTABLISHED的报文直接放行;
隐藏内网IP地址,内网IP访问外网服务器时,源IP地址都转换位外网网关的IP地址
    NAT: Network Address Translation
        请求报文:由管理员定义;
        响应报文:由NAT的conntrack机制自动实现; 
        请求报文:
            改源地址:SNAT,MASQUERADE
            改目标地址:DNAT
    iptables/netfilter:
        NAT定义在nat表;
            PREROUTING,INPUT,OUTPUT,POSTROUTING
            SNAT:POSTROUTING  改源IP
            DNAT:PREROUTING   改目标IP
            PAT: 改源端口
云端外网 IP 服务器,注意连接追踪(conntrack)表的条目数量上限
    target:
        SNAT:
            This  target  is only valid in the nat table, in the POSTROUTING and INPUT chains, and user-defined chains which are only called from those chains.
            --to-source [ipaddr[-ipaddr]]
        DNAT:
            This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains  which  are only  called from those chains.
            --to-destination [ipaddr[-ipaddr]][:port[-port]]
         MASQUERADE
            This target is only valid in the nat table, in the POSTROUTING chain.  It  should  only  be  used  with  dynamically assigned  IP (dialup) connections: if you have a static IP address, you should use the SNAT target.
            SNAT场景中应用于POSTROUTING链上的规则实现源地址转换,但外网地址不固定时,使用此target;
        REDIRECT
            This  target  is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
            --to-ports port[-port]
    layer7
        主机A: 192.168.10.2       服务器C: 172.16.0.67
主机B 路由功能 INC1: 192.168.10.254   INC2: 172.16.0.6    开启 IPv4 forward 功能(net.ipv4.ip_forward=1)
添加路由
#route add -net 192.168.10.0/24 gw 172.16.0.6
添加防火墙规则
#iptables -A FORWARD  -j  REJECT
请求报文出去
#iptables  -I  FORWARD  -s 192.168.10.0/24  -p tcp --dport 80 -j ACCEPT
响应报文回来
#iptables  -I  FORWARD  -d 192.168.10.0/24  -p tcp --sport 80 -j ACCEPT
####################
使用状态链接  内网主机可以访问外网任何网络服务,外网不能访问内网
#iptables  -D   FORWARD 1 
#iptables  -D   FORWARD 1 
#iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
#iptables -I FORWARD 2 -s 192.168.10.0/24 -m state --state NEW -j ACCEPT
####################
开放内网一个服务给外网访问
#iptables -I FORWARD 3  -d 192.168.10.0/24 -p tcp --dport 80 -m  state  --state  NEW  -j  ACCEPT 
开放多个服务供外网访问
#iptables -R FORWARD 3 -d 192.168.10.2 -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT
#iptables -I FORWARD 4 -d 192.168.10.2 -p udp --dport 137:138 -m state --state NEW -j ACCEPT
#modprobe  nf_conntrack_ftp 
[root@lib ~]# lsmod | grep  nf_conntrack_ftp
[root@lib ~]#
[root@lib ~]# modprobe  nf_conntrack_ftp
[root@lib ~]# lsmod | grep  nf_conntrack_ftp
nf_conntrack_ftp       18638  0
nf_conntrack          111302  1 nf_conntrack_ftp
[root@lib ~]#
重启后模块不会自动加载(开机会失效),可在 /etc/sysconfig/iptables-config 中通过 IPTABLES_MODULES 指定开机需要加载的模块:
IPTABLES_MODULES=""
[root@lib ~]#
开放ftp访问
#iptables  -I  FORWARD 5 -d 192.168.10.2  -p tcp -m state --state RELATED -j ACCEPT
#NAT 功能实现
#iptables -F FORWARD
内网主机访问外网服务,隐藏内网IP,通过构建SNAT实现
#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.0.6
DNAT 实现
外网访问内网服务
#iptables -t nat -F
#iptables -t nat -A PREROUTING -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2
PAT 实现  也可以通过DNAT实现
外网访问内网服务80, 实际是访问8080
#iptables  -t  nat  -R   PREROUTING 1  -d 172.16.0.6 -p tcp --dport 80   -j DNAT --to-destination 192.168.10.2:8080
#iptables -A FORWARD -s 172.16.0.200 -p tcp --dport 8080 -d 192.168.10.2 -j REJECT
本地端口映射
#iptables -A PREROUTING -t nat -d 192.168.10.2 -p tcp --dport 80 -j REDIRECT --to-ports 8080
tcp_wrapper:
库文件:libwrap.so,tcp包装器;
判断一个服务程序是否能够由tcp_wrapper进行访问控制的方法:
    (1) 动态链接至libwrap.so库;
        ldd  /PATH/TO/PROGRAM
            libwrap.so
    (2) 静态编译libwrap.so库文件至程序中:
        strings /PATH/TO/PROGRAM 
            hosts_access
配置文件:/etc/hosts.allow, /etc/hosts.deny
     See 'man 5 hosts_options' and 'man 5 hosts_access' for information on rule syntax. 
    配置文件语法:
        daemon_list : client_list[ : option : option ...]
        daemon_list:程序文件名称列表
            (1) 单个应用程序文件名;
            (2) 程序文件名列表,以逗号分隔;
            (3) ALL:所有受tcp_wrapper控制的应用程序文件;
        client_list:
            (1) 单个IP地址或主机名;
            (2) 网络地址:n.n.n.n/m.m.m.m,n.n.n.;
            (3) 内建的ACL:
                ALL:所有客户端主机;
                LOCAL:Matches any host whose name does not contain a dot character.
                UNKNOWN
                KNOWN
                PARANOID
            OPERATORS:
                EXCEPT
                    list1 EXCEPT list2 EXCEPT list3
                    sshd: 172.16. EXCEPT 172.16.100. EXCEPT 172.16.100.68
        [ : option : option ...]
            deny:拒绝,主要用于hosts.allow文件中定义“拒绝”规则;
            allow:允许,主要用于hosts.deny文件中定义”允许“规则;
            spawn:生成,发起,触发执行用户指定的任意命令,此处通常用于记录日志;
                vsftpd: 172.16. : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log 