RHEL 7 uses firewalld as its default firewall front end, but underneath it still drives the packet-filtering firewall iptables. To manage the rules with iptables directly:
# systemctl stop firewalld
# systemctl disable firewalld
# yum install iptables-services
# systemctl start iptables
# systemctl status iptables
The 4 tables of iptables (case-sensitive): they group the firewall's functions
raw table (connection-state tracking)
mangle table (packet marking)
nat table (address translation): rewrites the source or destination address of IP packets
filter table (packet filtering)
The 5 chains of iptables (case-sensitive): the direction in which the IP packet travels
INPUT chain (inbound rules): matches packets entering the firewall host
OUTPUT chain (outbound rules): matches packets leaving the firewall host
FORWARD chain (forwarding rules): matches packets passing through the firewall
PREROUTING chain (pre-routing rules): the destination address can be changed before routing
POSTROUTING chain (post-routing rules)
raw table (state tracking) | mangle table (packet marking) | nat table (address translation) | filter table (filtering) |
---|---|---|---|
PREROUTING | PREROUTING | PREROUTING | - |
OUTPUT | POSTROUTING | POSTROUTING | - |
- | INPUT | - | INPUT |
- | OUTPUT | OUTPUT | OUTPUT |
- | FORWARD | - | FORWARD |
* The default table of iptables is filter.
Packet flow and matching
Order between chains:
~ inbound: PREROUTING -> INPUT
~ outbound: OUTPUT -> POSTROUTING
~ forwarded: PREROUTING -> FORWARD -> POSTROUTING
Matching order within a chain:
~ rules are compared in order, and matching stops at the first hit (except for LOG)
~ if no rule matches, the chain's default policy is applied
iptables [-t table] option [chain] [match conditions] [-j target]
# iptables -t filter -I INPUT -p icmp -j REJECT
Notes and rules of thumb:
The table can be omitted; filter is the default.
The chain can be omitted; the operation then applies to all chains of that table.
If no rule matches, the firewall's default policy is applied.
Chain names, options and targets are written in upper case; everything else in lower case.
Targets:
ACCEPT: let the packet through
DROP: silently discard the packet without any response
REJECT: refuse the packet, returning an error response where appropriate
LOG: log the packet, then continue with the next rule  # the exception to the "stop at first match" rule
Common management options
Category | Option | Purpose |
---|---|---|
Add rule | -A | append a rule at the end of the chain |
Add rule | -I | insert a rule at the head of the chain (or at the given position number) |
List rules | -L | list all rules |
List rules | -n | show addresses, ports, etc. numerically |
List rules | --line-numbers | show rule numbers when listing |
Delete rule | -D | delete the rule with the given number (or content) from a chain |
Delete rule | -F | flush all rules |
Default policy | -P | set the default policy of the given chain |
Lab hosts:
n51  eth0: 192.168.4.51/24
n52  eth0: 192.168.4.52/24
     eth1: 192.168.2.52/24
n53  eth1: 192.168.2.53/24
# iptables -L  # lists the default filter table
Chain INPUT (policy ACCEPT)
target prot opt source destination  # each line is one rule
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -L -t nat
# iptables -nL --line-numbers
# iptables -t filter -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
# iptables -t mangle -D POSTROUTING 1
# iptables -t nat -F POSTROUTING
Rules changed this way are lost when the iptables service restarts.
# iptables-save  # with no redirection, prints the current rules to stdout
# iptables -t filter -P INPUT DROP
Protection types and match conditions
Distinguished by what is protected (the local host or other hosts):
host-based protection and network-based protection
Generic matches
~ usable directly, without depending on other conditions or extensions
~ include the network protocol, IP address, network interface, etc.
Implicit matches
~ require a specific protocol match as a prerequisite
~ include ports, TCP flags, ICMP types, etc.
Match conditions
Category | Option | Usage |
---|---|---|
Generic match | protocol match | -p protocol-name |
Generic match | address match | -s source-IP, -d destination-IP |
Generic match | interface match | -i receiving-interface, -o sending-interface |
Implicit match | port match | --sport source-port, --dport destination-port |
Implicit match | ICMP type match | --icmp-type ICMP-type |
* Use ! to negate a condition.
# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
// allow access to port 22 of this host
# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
# curl 192.168.4.51  # other hosts cannot connect
# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
// allow access to port 80 of this host
# iptables -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
# curl 192.168.4.51  # other hosts can now reach port 80
# iptables -t filter -I INPUT -p icmp -j ACCEPT  # allow every host to ping
# iptables -t filter -I INPUT 1 -s 192.168.4.52 -p icmp -j DROP
// do not let n52 ping; this rule must sit before the rule that allows all hosts to ping
# iptables -t filter -nL INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP icmp -- 192.168.4.52 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Exercise: n51 can ping other hosts, but other hosts cannot ping n51
# iptables -t filter -D INPUT 1
# iptables -t filter -D INPUT 1
# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
# iptables -t filter -I INPUT -p icmp --help  # shows the icmp match options
--icmp-type typename match icmp type
Valid ICMP Types:
echo-reply (pong)  # the reply to a ping
# iptables -t filter -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
[root@n51 ~]# ping 192.168.4.52  # gets replies
[root@n52 ~]# ping 192.168.4.51  # no replies
Extended matches
Require support from the corresponding firewall (kernel) module
-m extension-module --extension-condition value
-m mac --mac-source 00:0C:29:74:BE:21
Common extended match types
Category | Option | Usage |
---|---|---|
Extended match | MAC address match | -m mac --mac-source MAC-address |
Extended match | multi-port match | -m multiport --sports source-port-list |
Extended match | multi-port match | -m multiport --dports destination-port-list |
Extended match | IP range match | -m iprange --src-range IP1-IP2 |
Extended match | IP range match | -m iprange --dst-range IP1-IP2 |
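As an added example (not from the original notes), a small checker that reads an iptables-save dump and flags rules that can never match because an earlier catch-all rule of the same chain and protocol already takes the packet; the two orderings of the ICMP rules above are embedded as constructed sample input. The find_shadowed function and the sample rulesets are assumptions of this example, not output captured from the lab hosts.

```shell
#!/bin/sh
# Added example, not part of the original notes: a checker for "shadowed"
# rules in an iptables-save dump. iptables stops at the first matching rule,
# so a DROP for one host placed after an ACCEPT that already matches every
# host of that protocol can never fire. This is why the notes insert
# "-s 192.168.4.52 -p icmp -j DROP" at position 1, ahead of "-p icmp -j ACCEPT".

# find_shadowed: reads iptables-save format on stdin and prints one line per
# rule that sits behind an earlier catch-all rule of the same chain/protocol.
# A catch-all is a rule with nothing but -p and -j (or only -j), e.g.
# "-A INPUT -p icmp -j ACCEPT". LOG is excluded: it never stops matching.
find_shadowed() {
    awk '
    /^-A / {
        chain = $2; proto = "all"; target = ""; extra = 0
        idx = ++count[chain]                 # rule number as --line-numbers shows it
        for (i = 3; i <= NF; i++) {
            if ($i == "-p")      { proto = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            else                 { extra = 1 }   # -s, -d, -i, -m, --dport, ! ...
        }
        key = chain ":" proto; any = chain ":all"
        by = 0
        if (key in first) by = first[key]
        else if (any in first) by = first[any]
        if (by)
            printf "%s rule %d is shadowed by rule %d: %s\n", chain, idx, by, $0
        else if (!extra && target != "LOG")
            first[key] = idx
    }'
}

# Constructed sample rulesets: the two orderings from the notes
BAD_ORDER='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.4.52/32 -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

GOOD_ORDER='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.4.52/32 -p icmp -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$BAD_ORDER" | find_shadowed   # reports INPUT rule 3
printf '%s\n' "$GOOD_ORDER" | find_shadowed  # prints nothing
```

On a live host, `iptables-save | sh -c '. ./check.sh; find_shadowed'` style use (or piping `iptables-save` into the function) gives the same report for the running ruleset.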
# arp 192.168.4.52  # look up n52's MAC address
Address HWtype HWaddress Flags Mask Iface
192.168.4.52 ether 52:54:00:ed:27:08 C eth0
# iptables -t filter -A INPUT -p icmp -m mac --mac-source 52:54:00:ed:27:08 -j DROP
# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 MAC 52:54:00:ED:27:08
[root@n52 ~]# ping 192.168.4.51  # no replies
Restricting by multiple ports
# iptables -t filter -I INPUT -p tcp -m multiport --dports 80,8080 -j DROP
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere multiport dports http,webcache
Restricting by IP range
# iptables -t filter -A INPUT -p icmp -m iprange --src-range 192.168.4.100-192.168.4.200 -j DROP
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
DROP icmp -- anywhere anywhere source IP range 192.168.4.100-192.168.4.200
[root@n52 ~]# ping 192.168.4.51  # no replies
[root@room9pc01 ~]# ping 192.168.4.51  # gets replies
# iptables -t filter -A INPUT -p icmp -s 192.168.4.0/24 -j DROP
Network firewall
# iptables-save > /etc/sysconfig/iptables  # make the rules permanent
[51]
# systemctl stop NetworkManager
# route add default gw 192.168.4.52  # to remove the gateway again, use del instead of add
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.4.52 0.0.0.0 UG 0 0 0 eth0
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
[53]
# systemctl stop NetworkManager
# route add default gw 192.168.2.52
# route -n
[52]
# sysctl -a | grep forward  # filter all kernel parameters for the forwarding-related ones
net.ipv4.ip_forward = 1
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1
[root@n51 ~]# ping 192.168.2.53  # gets replies
[52]
# iptables -t filter -A FORWARD -p tcp -m multiport --dports 80,8080,22 -j DROP
# iptables -t filter -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere multiport dports http,webcache,ssh
[53]
# curl 192.168.4.51
# curl 192.168.4.51:8080
# ssh 192.168.4.51
How to write rules that let IP packets through when the FORWARD chain's default policy is DROP
[52]
# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
# iptables -A FORWARD -p tcp -m multiport --dports 80,8080,22 -j ACCEPT
# iptables -A FORWARD -p tcp -m multiport --sports 80,8080,22 -j ACCEPT
# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports http,webcache,ssh
ACCEPT tcp -- anywhere anywhere multiport sports http,webcache,ssh
# iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
Exercise: n53 can ping n51, but n51 cannot ping n53
1. [52]
# iptables -A FORWARD -s 192.168.2.53 -p icmp --icmp-type echo-request -j ACCEPT
// n53 may send ping requests when it is the source
# iptables -A FORWARD -d 192.168.2.53 -p icmp --icmp-type echo-reply -j ACCEPT
// n53 may receive the ping replies when it is the destination
# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- 192.168.2.53 anywhere icmp echo-request
ACCEPT icmp -- anywhere 192.168.2.53 icmp echo-reply
2. [52]
# iptables -t filter -I FORWARD -s 192.168.4.51 -p icmp --icmp-type echo-request -j DROP
// drop ping requests whose source address is n51
# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- 192.168.4.51 anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
NAT
[root@n51 ~]# route del default gw 192.168.4.52
SNAT, source address translation (Source Network Address Translation)
Rewrites the source address of packets
Used only in the POSTROUTING chain of the nat table
Key policy
After the routing decision, for packets coming from the LAN that are about to leave through the external interface, rewrite the source IP to the gateway's public IP address
[52]
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -p tcp --dport 80 -j SNAT --to-source 192.168.4.52
# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 192.168.2.0/24 anywhere tcp dpt:http to:192.168.4.52
[53]
# curl 192.168.4.51
[51]
# tail -f /var/log/httpd/access.log  # check whether the request arrived from 192.168.4.52
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -p tcp -m multiport --dports 80,8080,22 -j SNAT --to-source 192.168.4.52
// apply SNAT to ports 80, 8080 and 22
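The forwarding firewall and the SNAT rule above, combined into one script for n52 as an added example that is not part of the original notes: FORWARD defaults to DROP, return traffic is admitted by connection state (the `state RELATED,ESTABLISHED` match the notes' own INPUT listing shows) instead of the `--sports` rule, and LAN sources are rewritten to 192.168.4.52. The variable names, the router_rules function and the `IPT=echo` dry-run convention are assumptions of this example; interface names and addresses are those of the lab topology above, and net.ipv4.ip_forward=1 is assumed to be set already.

```shell
#!/bin/sh
# Added example, not from the original notes: a firewall script for the n52
# router (eth0 192.168.4.52 faces n51, eth1 192.168.2.52 faces the
# 192.168.2.0/24 LAN). Assumes net.ipv4.ip_forward=1 is already set.
# Run with IPT=echo to dry-run: the commands are printed instead of applied.
IPT=${IPT:-iptables}
LAN_NET=192.168.2.0/24
LAN_IF=eth1
WAN_IF=eth0
WAN_IP=192.168.4.52
PORTS=80,8080,22

router_rules() {
    # Deny-by-default forwarding, starting from an empty FORWARD chain
    $IPT -t filter -F FORWARD
    $IPT -t filter -P FORWARD DROP
    # Admit return traffic of connections already seen. This replaces the
    # "--sports 80,8080,22 -j ACCEPT" rule from the notes, which would also
    # forward any unsolicited packet that merely uses 80/8080/22 as source port.
    $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New TCP connections only from the LAN side, only to the allowed ports
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports "$PORTS" -m state --state NEW -j ACCEPT
    # Exercise from the notes: the LAN (n53) may ping out; the echo-reply
    # returns as ESTABLISHED, while n51's own echo-requests hit the DROP policy.
    $IPT -t filter -A FORWARD -i "$LAN_IF" -s "$LAN_NET" \
        -p icmp --icmp-type echo-request -j ACCEPT
    # SNAT: everything the LAN sends out via eth0 appears to come from 192.168.4.52
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

if [ "${1:-}" = "apply" ]; then
    router_rules
    iptables-save > /etc/sysconfig/iptables   # persist, as in the notes
fi
```

`IPT=echo sh router.sh apply` would also try to write /etc/sysconfig/iptables, so dry-run by sourcing the file and calling router_rules instead.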