2020-09-19

### 1、拒绝所有主机ping当前的主机。

```shell

#查看当前系统iptables规则

[root@centos8 ~]# iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination

#添加规则

[root@centos8 ~]# iptables -A INPUT -p icmp -j REJECT

```

验证:

```shell

[root@centos7 ~]# ping 10.0.0.24

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

From 10.0.0.24 icmp_seq=1 Destination Port Unreachable

From 10.0.0.24 icmp_seq=2 Destination Port Unreachable

^C

--- 10.0.0.24 ping statistics ---

2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 10ms

```

### 2、本机能够访问别的机器的HTTP服务,但是别的机器无法访问本机

```shell

#环境准备,本主机

[root@centos8 ~]# iptables -F

[root@centos8 ~]# dnf install -y httpd

[root@centos8 ~]# echo "This is a test page,`date`!" > /var/www/html/index.html

[root@centos8 ~]# systemctl start httpd

#环境准备,其他主机

[root@centos8-mini ~]# curl 10.0.0.24

This is a test page,Sat Sep 19 09:48:20 CST 2020!

#环境准备,其他主机同样安装httpd并提供测试页(规则在下面的代码块中添加)

[root@centos8-mini ~]# iptables -F

[root@centos8-mini ~]# dnf install -y httpd

[root@centos8-mini ~]# echo "Who travels for love finds a thousand miles not loger than one." > /var/www/html/index.html

[root@centos8-mini ~]# systemctl start httpd

```

```shell

[root@centos8 ~]# iptables -A INPUT -p tcp --dport 80 -j REJECT

#验证

[root@centos8 ~]# curl 10.0.0.23

Who travels for love finds a thousand miles not loger than one.

[root@centos8-mini ~]# curl 10.0.0.24

curl: (7) Failed to connect to 10.0.0.24 port 80: Connection refused

```

### 3、实现最大并发控制

当我们发现有 IP 恶意攻击我们的时候,可以通过对防火墙设定规则来进行控制,所以可以添加 connlimit 模块来实现对最大并发的控制。注意 connlimit 默认按来源地址(/32)统计连接数,下面规则中的 `--connlimit-above 8` 限制的是单个来源 IP 的并发连接数,对应 `iptables -vnL` 输出里的 `#conn src/32 > 8`;规则中先对 10.0.0.1 整体 ACCEPT,该来源不受后面这条连接数限制的影响。

```shell

[root@centos8 ~]# iptables -F

[root@centos8 ~]# iptables -A INPUT -s 10.0.0.1 -j ACCEPT

[root@centos8 ~]# iptables -A INPUT -m connlimit --connlimit-above 8 -j REJECT

[root@centos8 ~]# iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination       

  284 17472 ACCEPT    all  --  *      *      10.0.0.1            0.0.0.0/0         

  282 23688 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0            #conn src/32 > 8 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination   

```

验证:

```shell

#客户端同时发起10个ping

[root@centos8-mini ~]# for i in {1..10}; do

> ping -c5 10.0.0.24 &

> done

[1] 1938

[2] 1939

[3] 1940

[4] 1941

[5] 1942

[6] 1943

[7] 1944

[8] 1945

[9] 1946

[10] 1947

[root@centos8-mini ~]# PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.355 ms

From 10.0.0.24 icmp_seq=1 Destination Port Unreachable

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.245 ms

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.408 ms

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=36.10 ms

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.673 ms

From 10.0.0.24 icmp_seq=1 Destination Port Unreachable

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=1.97 ms

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.274 ms

64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.302 ms

From 10.0.0.24 icmp_seq=2 Destination Port Unreachable

From 10.0.0.24 icmp_seq=2 Destination Port Unreachable

From 10.0.0.24 icmp_seq=2 Destination Port Unreachable

From 10.0.0.24 icmp_seq=2 Destination Port Unreachable

From 10.0.0.24 icmp_seq=2 Destination Port Unreachable

From 10.0.0.24 icmp_seq=3 Destination Port Unreachable

From 10.0.0.24 icmp_seq=4 Destination Port Unreachable

From 10.0.0.24 icmp_seq=5 Destination Port Unreachable

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 19ms

rtt min/avg/max/mdev = 36.962/36.962/36.962/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 15ms

rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 13ms

rtt min/avg/max/mdev = 0.408/0.408/0.408/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, 80% packet loss, time 11ms

rtt min/avg/max/mdev = 1.973/1.973/1.973/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 14ms

rtt min/avg/max/mdev = 0.673/0.673/0.673/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, 80% packet loss, time 15ms

rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, 80% packet loss, time 17ms

rtt min/avg/max/mdev = 0.245/0.245/0.245/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 1 received, +3 errors, 80% packet loss, time 18ms

rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 0 received, +2 errors, 100% packet loss, time 14ms

--- 10.0.0.24 ping statistics ---

5 packets transmitted, 0 received, +1 errors, 100% packet loss, time 24ms

^C

[1]  Exit 1                  ping -c5 10.0.0.24

[2]  Done                    ping -c5 10.0.0.24

[3]  Done                    ping -c5 10.0.0.24

[4]  Done                    ping -c5 10.0.0.24

[5]  Exit 1                  ping -c5 10.0.0.24

[6]  Done                    ping -c5 10.0.0.24

[7]  Done                    ping -c5 10.0.0.24

[8]  Done                    ping -c5 10.0.0.24

[9]-  Done                    ping -c5 10.0.0.24

[10]+  Done                    ping -c5 10.0.0.24

```

### 4、实践题

**实验前提需求:**

| 主机名 | IP地址                                                      | 充当角色      |

| ------ | ------------------------------------------------------------ | ------------- |

| A7    | 192.168.72.130(仅主机)eth0                                | 互联网服务器  |

| A8    | 192.168.72.128(仅主机)/eth1 10.0.0.13(NAT)/eth0,NAT设备有一个连接外网的IP和一个连接内网的IP | 防火墙NAT设备 |

| B8    | 10.0.0.24(NAT)eth0                                        | 局域网服务器  |

**业务需求:**

现在我在外地出差使用A7互联网主机,但是由于公司有业务需要我 ssh 连接到内网,这时候我就联系公司同事在防火墙上配置相关规则让我连接进公司内网。

##### 4.1 模拟业务场景环境

```shell

#A7主机

[root@A7 ~]# hostname -I

192.168.72.130

[root@A7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

NAME=eth0

BOOTPROTO=static

IPADDR=192.168.72.130

PREFIX=24

GATEWAY=192.168.72.128

ONBOOT=yes

[root@A7 ~]# route -n

Kernel IP routing table

Destination    Gateway        Genmask        Flags Metric Ref    Use Iface

192.168.72.0    0.0.0.0        255.255.255.0  U    0      0        0 eth0

0.0.0.0        192.168.72.128  0.0.0.0        UG    0      0        0 eth0

#A8主机

[root@A8 ~]# hostname -I

10.0.0.13 192.168.72.128

[root@A8 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1

NAME=eth1

BOOTPROTO=static

IPADDR=192.168.72.128

PREFIX=24

GATEWAY=

ONBOOT=yes

[root@A8 ~]# route -n

Kernel IP routing table

Destination    Gateway        Genmask        Flags Metric Ref    Use Iface

0.0.0.0        10.0.0.2        0.0.0.0        UG    102    0        0 eth0

10.0.0.0        0.0.0.0        255.255.255.0  U    102    0        0 eth0

192.168.72.0    0.0.0.0        255.255.255.0  U    101    0        0 eth1

#B8主机

[root@B8 ~]# hostname -I

10.0.0.24

[root@B8 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

NAME=eth0

BOOTPROTO=static

IPADDR=10.0.0.24

PREFIX=24

GATEWAY=10.0.0.13

DNS1=10.0.0.13

DNS2=114.114.114.114

ONBOOT=yes

```

##### 4.2 测试三台主机是否互通

```shell

#A7

[root@A7]# ping 10.0.0.24 -c1

PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.

64 bytes from 10.0.0.24: icmp_seq=1 ttl=63 time=1.21 ms

--- 10.0.0.24 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 1ms

rtt min/avg/max/mdev = 1.219/1.219/1.219/0.000 ms

#B8

[root@B8 ~]# ping baidu.com -c1

PING baidu.com (39.156.69.79) 56(84) bytes of data.

64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=128 time=16.10 ms

--- baidu.com ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 16.994/16.994/16.994/0.000 ms

[root@B8 ~]# ping 192.168.72.130 -c1

PING 192.168.72.130 (192.168.72.130) 56(84) bytes of data.

64 bytes from 192.168.72.130: icmp_seq=1 ttl=63 time=0.475 ms

--- 192.168.72.130 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.475/0.475/0.475/0.000 ms

```

##### 4.3 相关配置实现业务需要

```shell

#A8开启数据转发功能

[root@A8 ~]# vim /etc/sysctl.conf

net.ipv4.ip_forward=1

[root@A8 ~]# sysctl -p

net.ipv4.ip_forward = 1

#A8设置相关防火墙:只转发来自 192.168.72.0/24(A7所在网段)、目标端口为 22 的 ssh 流量及其回包,其余转发一律 REJECT。注意回包规则是按 --sport 22 匹配而不是按连接状态匹配,更严格的写法是用 -m state --state ESTABLISHED,RELATED 只放行已建立连接的回包

[root@A8 ~]# iptables -A FORWARD -j REJECT

[root@A8 ~]# iptables -I FORWARD -s 192.168.72.0/24 -p tcp --dport 22 -j ACCEPT

[root@A8 ~]# iptables -I FORWARD 2 -d 192.168.72.0/24 -p tcp --sport 22 -j ACCEPT

[root@A8 ~]# iptables -vnL

Chain INPUT (policy ACCEPT 30 packets, 1776 bytes)

pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in    out    source              destination       

  28  3573 ACCEPT    tcp  --  *      *      192.168.72.0/24      0.0.0.0/0            tcp dpt:22

  17  4569 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.72.0/24      tcp spt:22

  30  2104 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 26 packets, 2148 bytes)

pkts bytes target    prot opt in    out    source              destination 

```

验证:

```shell

[root@A7 ~]# ssh 10.0.0.24

ssh: connect to host 10.0.0.24 port 22: Connection timed out

[root@A7]# ssh 10.0.0.24

The authenticity of host '10.0.0.24 (10.0.0.24)' can't be established.

RSA key fingerprint is 23:cf:76:41:d8:73:dc:36:e5:2e:70:b2:ef:f3:36:3a.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '10.0.0.24' (RSA) to the list of known hosts.

root@10.0.0.24's password:

Last login: Sat Sep 19 15:45:12 2020 from 10.0.0.1

[root@B8 ~]# hostname -I

10.0.0.24

```
