Firewall:防火墙,隔离工具;工作于主机或网络边缘,对于进出本主机或本网络的报文根据事先定义的检查规则作匹配检测,对于能够被规则匹配到的报文作出相应处理的组件;

将要介绍的防火墙工具iptables:真正做报文匹配和处理的是内核里的 netfilter 框架,iptables 只是用户空间里往 netfilter 各个钩子(链)写规则的管理工具,二者不能混为一谈。先来看看防火墙的流程介绍。

Linux 防火墙_第1张图片

主要由4表5链构成:

  1. filter:过滤,防火墙;
  2. nat:network address translation;用于修改源IP或目标IP,也可以改端口;
  3. mangle:拆解报文,做出修改,并重新封装起来;
  4. raw:优先级最高的表,用于让指定报文跳过(不参与)连接追踪;nat 表和 -m state 都依赖连接追踪,所以被 raw 表标记为不追踪的报文也就无法做 NAT 和状态匹配;

大概意思就是:在每条链上添加上述4表的规则,来实现报文过滤转发等功能。


主机防火墙介绍

上图的上部分就是主机防火墙的工作流程。
1、常用操作

#查看
[root@node3 ~]# iptables -vnL  [--line-numbers]   #  v vv vvv
#清空数据
[root@node3 ~]# iptables -Z [chain]
#删除 规则
[root@node3 ~]# iptables -D chain num
#清空所有规则
[root@node3 ~]# iptables -F [chain]

#创建/重命名/删除自定义chain    正在被其他规则引用(-j 跳转)的chain不能删除;删除前还需先用 -F 清空该chain
[root@localhost ~]# iptables -N in_web_rule
[root@localhost ~]# iptables -E in_web_rule <新名称>    #重命名;原文写的 -t 是指定"表"的选项,不是重命名
[root@localhost ~]# iptables -X in_web_rule 

1.1 初始化:开放ssh,其余默认拒绝(白名单模式)。生产环境建议给 ssh 放行规则加上 -s <管理网段>,不要对所有来源开放 22 端口;并且先放行 ssh、再追加拒绝规则,否则远程操作会把自己锁在外面

[root@node3 ~]# iptables -I INPUT -p tcp  --dport 22  -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT -p tcp  --sport 22 -j ACCEPT

[root@node3 ~]# iptables -P FORWARD  DROP

[root@node3 ~]# iptables -A INPUT  -j REJECT
[root@node3 ~]# iptables -A OUTPUT -j REJECT
或者直接修改默认策略。还是前者(在链尾追加 REJECT 规则)比较好:把默认策略改成 DROP 会连本地回环 lo 也一起屏蔽,还要额外放行 lo;而且以后 -F 清空规则时默认策略仍然生效,远程操作时很容易把自己锁在外面
[root@node3 ~]# iptables -P INPUT  DROP
[root@node3 ~]# iptables -P OUTPUT DROP

1.2 非状态规则添加
80服务器

[root@node3 ~]# iptables -I INPUT  -p tcp --dport 80 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT -p tcp --sport 80 -j ACCEPT
[root@node2 ~]# curl http://192.168.1.202

It works!

#正式环境不要用,测试环境需要安装yum之类
#注意:这是无状态放行。在 INPUT 上按 --sport 80 放行,意味着任何远端主机只要把自己的源端口设成 80,就能访问本机的任意端口,等于绕过了整个防火墙;生产上应改用 -m state --state ESTABLISHED(见下文"用状态方式控制")
[root@node3 ~]# iptables -I INPUT -p tcp --sport 80 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT -p tcp --dport 80 -j ACCEPT

443服务器

[root@node3 ~]# iptables -I INPUT  -p tcp --dport 443 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT -p tcp --sport 443 -j ACCEPT

#正式环境不要用,测试环境需要安装yum之类(同上:按 --sport 443 放行 INPUT 会让伪造源端口的报文打到本机任意端口,生产上用 ESTABLISHED 状态放行)
[root@node3 ~]# iptables -I INPUT  -p tcp --sport 443 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT  -p tcp --dport 443 -j ACCEPT

dns

#域名解析  一般也不用开放  测试环境需要安装yum之类。注意第二条同样是按源端口放行:任何从 53 端口发出的 UDP 报文都能打到本机任意 UDP 端口,生产上应改为 -m state --state ESTABLISHED
[root@node3 ~]# iptables -I OUTPUT   -p udp --dport 53 -j ACCEPT
[root@node3 ~]# iptables -I INPUT  -p udp --sport 53 -j ACCEPT
[root@node3 ~]# ping baidu.com
PING baidu.com (123.125.115.110) 56(84) bytes of data.
64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=1 ttl=51 time=37.1 ms

#dns 走 tcp(大应答、区域传送等会用 TCP 53);这两条放行的是本机作为客户端发起的 TCP 53 查询,不是把本机当 dns 服务器
[root@node3 ~]# iptables -I OUTPUT   -p tcp --dport 53 -j ACCEPT
[root@node3 ~]# iptables -I INPUT  -p tcp --sport 53 -j ACCEPT

ping

#往外ping
[root@node3 ~]# iptables -I INPUT  -i ens34 -p icmp --icmp-type 0 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT  -o ens34 -p icmp --icmp-type 8 -j ACCEPT

#被ping
[root@node3 ~]# iptables -I INPUT   -i ens34 -p icmp --icmp-type 8 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT  -o ens34 -p icmp --icmp-type 0 -j ACCEPT

ftp

#[root@localhost ~]# modinfo nf_conntrack_ftp
#[root@localhost ~]# lsmod |grep nf_conntrack_ftp

[root@localhost ~]# modprobe nf_conntrack_ftp     #装载
#[root@localhost ~]# modprobe -r nf_conntrack_ftp  #卸载

[root@node3 ~]# iptables -I INPUT -p tcp -m multiport --dports 21 -m state --state NEW -j ACCEPT
[root@node3 ~]# iptables -I INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT   -m state --state ESTABLISHED -j ACCEPT

ntpdate

#请求(本机作为 ntp 客户端)。第二条同样是按源端口无状态放行,源端口为 123/323 的任意 UDP 报文都能进来,有状态写法见下文
[root@node3 ~]# iptables -I OUTPUT  -p udp -m multiport --dports 123,323 -j ACCEPT
[root@node3 ~]# iptables -I INPUT   -p udp -m multiport --sports 123,323 -j ACCEPT

samba

[root@node3 ~]# iptables -I INPUT   -p udp -m multiport --dports 137,138 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT   -p udp -m multiport --sports 137,138 -j ACCEPT

[root@node3 ~]# iptables -I INPUT   -p tcp -m multiport --dports 139,445 -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT   -m state --state ESTABLISHED -j ACCEPT

根据ip控制并发

##被ping限速:令牌桶初始/最大 5 个令牌,之后每分钟补 20 个;超出速率的报文不匹配本条,会落到链尾的 REJECT。对 TCP 可以用同样的 -m limit 配合 --syn 限制新建连接的速率
[root@localhost ~]# iptables -I INPUT -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p icmp --icmp-type 0 -j ACCEPT

2 用状态方式控制

[root@localhost ~]# cat /proc/sys/net/nf_conntrack_max
65536  

[root@localhost ~]# vim /etc/sysctl.conf
#net.nf_conntrack_max = 2097152
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_max = 1048576      #最大状态连接数
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#下面这项只有作为网络防火墙/路由器(替别人转发报文)时才需要;纯主机防火墙应保持关闭,否则本机会把经过的报文转发出去
net.ipv4.conf.default.forwarding = 1
[root@localhost ~]# sysctl -p
[root@node3 ~]# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
[root@node3 ~]# iptables -A OUTPUT   -m state --state ESTABLISHED -j ACCEPT
#tcp 端口
[root@node3 ~]# iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
#udp 端口
#[root@node3 ~]# iptables -A INPUT -p udp -m multiport --dports <本机监听的udp端口> -m state --state NEW -j ACCEPT    #原文的 -p dup 是笔误;22/80/443 是 TCP 端口,这里应列本机真正监听的 UDP 端口

[root@node3 ~]# iptables -A INPUT  -j REJECT
[root@node3 ~]# iptables -A OUTPUT -j REJECT
[root@node3 ~]# iptables -vnL

#如果需要解析yum
[root@node3 ~]# iptables -I OUTPUT -p udp -m multiport --dports 53 -m state --state NEW -j ACCEPT
[root@node3 ~]# iptables -I OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

python脚本生成规则

目录结构
Linux 防火墙_第2张图片
hostRules.py

#!/root/.virtualenvs/shellenv/bin/python
import os

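class generate:
    """Generate a host-firewall shell script from ``conf/host-<name>.yaml``.

    The resulting ``shell/host-<name>.sh`` flushes the filter table, allows
    ESTABLISHED (and RELATED when FTP is enabled) traffic, allows NEW
    connections only on the configured ports, optionally allows ping,
    always allows SSH, and ends with a REJECT on INPUT and OUTPUT so that
    everything not listed is refused.

    ``*_custom_rules`` entries are copied verbatim into a script that is run
    as root, so the YAML file must only be writable by the operator.
    """

    # optional: pin the INPUT/OUTPUT rules to this address / interface
    interface = False
    ip = False

    name = ''
    ssh_port = 22

    # 21 or False; when set, nf_conntrack_ftp is loaded and RELATED allowed
    ftp_port = False

    # ports this host serves (INPUT, NEW connections)
    tcp_in_ports = [80]
    udp_in_ports = []

    # ports this host may connect out to (OUTPUT, NEW connections);
    # only emitted when out_put_enable is true
    out_put_enable = False
    tcp_out_ports = []
    udp_out_ports = []

    ping_in = False
    ping_out = False

    # raw iptables lines inserted verbatim at three points of the script
    first_custom_rules = []
    middle_custom_rules = []
    last_custom_rules = []

    EOL = '\n'

    # config keys that may override the class defaults above
    _CONFIG_KEYS = (
        'ssh_port', 'ftp_port', 'tcp_in_ports', 'udp_in_ports',
        'out_put_enable', 'tcp_out_ports', 'udp_out_ports',
        'ping_in', 'ping_out', 'ip', 'interface',
        'first_custom_rules', 'middle_custom_rules', 'last_custom_rules',
    )

    def __init__(self, config_name):
        """Load ``conf/host-<config_name>.yaml``; exit(1) when it is missing."""
        import yaml
        self.name = config_name
        file_path = 'conf/host-{name}.yaml'.format(name=config_name)
        if not os.path.isfile(file_path):
            print('no config')
            exit(1)

        # safe_load rather than yaml.load: the default loader can build
        # arbitrary Python objects from a crafted document.  The handle is
        # closed deterministically instead of being leaked.
        with open(file_path, encoding='utf-8') as fh:
            config = yaml.safe_load(fh) or {}

        # Same semantics as before: a missing or falsy key keeps the default.
        for key in self._CONFIG_KEYS:
            value = config.get(key)
            if value:
                setattr(self, key, value)

        # Own copies, so start() appending the FTP port cannot mutate the
        # class-level default lists shared by every instance.
        self.tcp_in_ports = list(self.tcp_in_ports)
        self.udp_in_ports = list(self.udp_in_ports)

        # match fragments used by the per-port and ping rules
        self.dip = ''
        self.sip = ''
        if self.ip:
            self.dip = ' -d ' + self.ip
            self.sip = ' -s ' + self.ip

        self.iinterface = ''
        self.ointerface = ''
        if self.interface:
            self.iinterface = ' -i ' + self.interface
            self.ointerface = ' -o ' + self.interface

    def start(self):
        """Assemble the rule script in order and write it to shell/."""
        rules = self.initHostRules()

        if self.first_custom_rules:
            rules += self.customRules(self.first_custom_rules)

        rules += self.established()

        if self.ftp_port:
            rules += self.enableFtp()
            # the FTP control port is accepted through the ordinary TCP rule
            self.tcp_in_ports.append(self.ftp_port)

        if self.tcp_in_ports:
            rules += self.tcpInRules()

        if self.udp_in_ports:
            rules += self.udpInRules()

        if self.middle_custom_rules:
            rules += self.customRules(self.middle_custom_rules)

        if self.out_put_enable:
            if self.tcp_out_ports:
                rules += self.tcpOutRules()
            if self.udp_out_ports:
                rules += self.udpOutRules()

        if self.ping_out:
            rules += self.pingOut()

        if self.ping_in:
            rules += self.pingIn()

        if self.last_custom_rules:
            rules += self.customRules(self.last_custom_rules)

        # SSH is always allowed and is the last rule before the catch-all REJECT
        rules += self.sshRules()
        rules += self.rejectRules()

        self.write(rules)

    def customRules(self, data):
        """Return the given raw rule lines, each terminated with EOL (no validation)."""
        return ''.join(rule + self.EOL for rule in data)

    def tcpInRules(self):
        """ACCEPT NEW TCP connections to tcp_in_ports (one multiport rule)."""
        ports = ','.join(self.__map_num_2_str(self.tcp_in_ports))
        rules = 'iptables -A INPUT {ip} {interface} -p tcp -m multiport --dports {ports} -m state --state NEW -j ACCEPT'.format(
            ports=ports, ip=self.dip, interface=self.iinterface) + self.EOL + self.EOL
        return rules

    def udpInRules(self):
        """ACCEPT NEW UDP datagrams to udp_in_ports (one multiport rule)."""
        ports = ','.join(self.__map_num_2_str(self.udp_in_ports))
        rules = 'iptables -A INPUT {ip} {interface} -p udp -m multiport --dports {ports} -m state --state NEW -j ACCEPT'.format(
            ports=ports, ip=self.dip, interface=self.iinterface) + self.EOL + self.EOL
        return rules

    def tcpOutRules(self):
        """ACCEPT NEW outbound TCP connections to tcp_out_ports."""
        ports = ','.join(self.__map_num_2_str(self.tcp_out_ports))
        rules = 'iptables -A OUTPUT {ip} {interface} -p tcp -m multiport --dports {ports} -m state --state NEW -j ACCEPT'.format(
            ports=ports, ip=self.sip, interface=self.ointerface) + self.EOL + self.EOL
        return rules

    def udpOutRules(self):
        """ACCEPT NEW outbound UDP datagrams to udp_out_ports."""
        ports = ','.join(self.__map_num_2_str(self.udp_out_ports))
        rules = 'iptables -A OUTPUT {ip} {interface}  -p udp -m multiport --dports {ports} -m state --state NEW -j ACCEPT'.format(
            ports=ports, ip=self.sip, interface=self.ointerface) + self.EOL + self.EOL
        return rules

    def enableFtp(self):
        """Load the FTP conntrack helper so data connections match RELATED."""
        return 'modprobe nf_conntrack_ftp' + self.EOL

    def pingOut(self):
        """Allow this host to ping out.

        Outbound ping needs the echo *request* (ICMP type 8) allowed on
        OUTPUT; the echo reply comes back as ESTABLISHED and is covered by
        established().  The original emitted type 0 (echo reply) here, which
        only lets the host answer pings -- already covered by the OUTPUT
        ESTABLISHED rule -- so ``ping_out: True`` never actually worked.
        """
        return 'iptables -A OUTPUT {ip} {interface} -p icmp --icmp-type 8 -j ACCEPT'.format(
            ip=self.sip, interface=self.ointerface) + self.EOL

    def pingIn(self):
        """Allow this host to be pinged (incoming echo request, type 8)."""
        return 'iptables -A INPUT {ip} {interface} -p icmp --icmp-type 8 -j ACCEPT'.format(
            ip=self.dip, interface=self.iinterface) + self.EOL

    def established(self):
        """Stateful rules: ESTABLISHED both ways, plus RELATED inbound for FTP data."""
        related = ',RELATED' if self.ftp_port else ''
        rules = 'iptables -A INPUT -m state --state ESTABLISHED{RELATED} -j ACCEPT'.format(RELATED=related) + self.EOL
        rules += 'iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT' + self.EOL + self.EOL
        return rules

    def initHostRules(self):
        """Reset the filter table before the new rules are appended.

        Policies are set to ACCEPT (not DROP) so a flush never locks the
        operator out; the closing REJECT rules do the denying.  Note ``-F``
        only flushes the filter table; nat/mangle rules are left untouched.
        """
        rules = 'iptables -P FORWARD  DROP' + self.EOL
        rules += 'iptables -P INPUT  ACCEPT' + self.EOL
        rules += 'iptables -P OUTPUT  ACCEPT' + self.EOL
        rules += 'iptables -F' + self.EOL + self.EOL
        return rules

    def sshRules(self):
        """Stateless allow for SSH on ssh_port, from any source.

        Exits with a message when ssh_port is unset, because a script without
        this rule would cut off remote management.
        """
        if not self.ssh_port:
            exit('need ssh_port')
        print('ssh port  {port}'.format(port=self.ssh_port))
        rules = 'iptables -A INPUT -p tcp --dport {port}  -j ACCEPT'.format(port=self.ssh_port) + self.EOL
        rules += 'iptables -A OUTPUT -p tcp --sport {port}  -j ACCEPT'.format(port=self.ssh_port) + self.EOL + self.EOL
        return rules

    def rejectRules(self):
        """Catch-all REJECT on INPUT and OUTPUT (default-deny)."""
        rules = 'iptables -A INPUT -j REJECT' + self.EOL
        rules += 'iptables -A OUTPUT -j REJECT' + self.EOL
        return rules

    def write(self, data):
        """Write the script to shell/host-<name>.sh with a bash shebang."""
        data = '#!/bin/bash' + self.EOL + self.EOL + data
        with open('shell/host-{name}.sh'.format(name=self.name), mode='w', encoding='utf-8') as f:
            f.write(data)

    def __map_num_2_str(self, data):
        """Stringify port numbers for ','.join."""
        return map(lambda x: str(x), data)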

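if __name__ == '__main__':
    import sys

    # The generator needs PyYAML.  If it has to be installed by hand, use an
    # https index: the commented-out pip line this block used to carry pointed
    # at a plain-http mirror with --trusted-host, which disables transport
    # verification of the downloaded package (supply-chain risk).
    #   /root/.virtualenvs/shellenv/bin/pip install pyyaml

    # Config name defaults to 'develop' (conf/host-develop.yaml) as before;
    # an optional first argument selects another conf/host-<name>.yaml.
    config_name = sys.argv[1] if len(sys.argv) > 1 else 'develop'
    iptables = generate(config_name)
    iptables.start()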

配置文件在conf下面 host-{name}.yaml 根据各种场景生成rules

ip: 192.168.1.202
interface: ens34

ssh_port: 22
ftp_port: 21

tcp_in_ports: [80, 443,139,445]
udp_in_ports: [80, 443,137,138]

out_put_enable: True
tcp_out_ports: [80, 443]
udp_out_ports: [53,123,323]

ping_in: True
ping_out: True

#限制单个源ip到80端口的并发连接数(超过50个即拒绝)。放在first_custom_rules里,它会排在ESTABLISHED规则之前生效
first_custom_rules :
  - iptables -A INPUT  -p tcp  --dport 80 -m connlimit --connlimit-above 50 -j REJECT

生成脚本在shell目录下

#!/bin/bash

iptables -P FORWARD  DROP
iptables -P INPUT  ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -F

iptables -A INPUT  -p tcp  --dport 80 -m connlimit --connlimit-above 50 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

modprobe nf_conntrack_ftp
iptables -A INPUT  -d 192.168.1.202  -i ens34 -p tcp -m multiport --dports 80,443,139,445,21 -m state --state NEW -j ACCEPT

iptables -A INPUT  -d 192.168.1.202  -i ens34 -p udp -m multiport --dports 80,443,137,138 -m state --state NEW -j ACCEPT

iptables -A OUTPUT  -s 192.168.1.202  -o ens34 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

iptables -A OUTPUT  -s 192.168.1.202  -o ens34  -p udp -m multiport --dports 53,123,323 -m state --state NEW -j ACCEPT

iptables -A OUTPUT  -s 192.168.1.202  -o ens34 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT  -d 192.168.1.202  -i ens34 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22  -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22  -j ACCEPT

iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT

网络防火墙介绍

Linux 防火墙_第3张图片

实验环境

node1 172.16.86.228
node2 forward
node3 192.168.1.202

在没有规则下,先观察ping

[root@node2 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@node2 ~]# iptables -vnL
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
#node3 ping node1(经 node2 转发;下面先用 icmp 观察转发路径,http 的放行见后面的 FORWARD 规则)
[root@node3 ~]# ping 172.16.86.228

#如果不通  抓包
[root@node1 ~]# tcpdump -i any -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:11:38.783442 IP 192.168.1.202 > 172.16.86.228: ICMP echo request, id 6528, seq 13, length 64  node1收到来自node3的包
17:11:38.783492 IP 172.16.86.228 > 192.168.1.202: ICMP echo reply, id 6528, seq 13, length 64    node1响应给node3

[root@node2 ~]# tcpdump -i any -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:12:16.883705 IP 192.168.1.202 > 172.16.86.228: ICMP echo request, id 6528, seq 51, length 64    node3 请求 node1
17:12:16.884212 IP 172.16.86.228 > 192.168.1.202: ICMP echo reply, id 6528, seq 51, length 64      node1响应node3

从这个过程分析得到:无论报文从哪块网卡进来,出去时内核都按路由表选择能到达对端的网卡;转发过程不会改变源地址和目标地址(这一点和下文的 SNAT/DNAT 不同,所以 node1 上抓到的源地址仍是 node3)

添加规则(先在 FORWARD 链尾追加兜底的 REJECT,后面的放行规则都用 -I 插到它前面;FORWARD 的默认策略此时仍是 ACCEPT,没有这条兜底规则的话下面的放行规则都形同虚设)

[root@node2 ~]# iptables -A FORWARD -j REJECT

通用规则

[root@node2 ~]# iptables -I FORWARD -m state --state ESTABLISHED   -j ACCEPT

放ping

[root@node2 ~]# iptables -I FORWARD   -p icmp --icmp-type 8 -j ACCEPT

tcp

[root@node2 ~]# iptables -I FORWARD   -p tcp  -m multiport --dports 80,443,139,445 -m state --state NEW -j ACCEPT

udp

[root@node2 ~]# iptables -I FORWARD -p udp -m multiport --dports 53  -m state --state NEW -j ACCEPT

ftp

[root@node2 ~]# modprobe nf_conntrack_ftp     #装载
[root@node2 ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED   -j ACCEPT
[root@node2 ~]# iptables -I FORWARD   -p tcp  -m multiport --dports 21 -m state --state NEW -j ACCEPT

python脚本生成

#!/root/.virtualenvs/shellenv/bin/python
import os

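class generate:
    """Generate a network-firewall (FORWARD chain) script from
    ``conf/forward-<name>.yaml``.

    The resulting ``shell/forward-<name>.sh`` flushes the filter table,
    allows ESTABLISHED (and RELATED when FTP is enabled) forwarded traffic,
    allows NEW forwarded connections only to the configured ports,
    optionally forwards ping, allows SSH to the box itself, and ends with a
    REJECT on FORWARD, INPUT and OUTPUT so everything not listed is refused.

    ``*_custom_rules`` entries are copied verbatim into a root-run script, so
    the YAML file must only be writable by the operator.  The box must also
    have ``net.ipv4.ip_forward=1`` set, which this script does not do.
    """

    # read from neither config nor rules in this class; kept for parity
    # with the host generator's YAML layout
    interface = False
    ip = False

    name = ''
    ssh_port = 22

    # 21 or False; when set, nf_conntrack_ftp is loaded and RELATED allowed
    ftp_port = False

    # destination ports that may be forwarded (FORWARD, NEW connections)
    tcp_in_ports = [80]
    udp_in_ports = []

    # forward ICMP echo requests
    ping = False

    # raw iptables lines inserted verbatim at three points of the script
    first_custom_rules = []
    middle_custom_rules = []
    last_custom_rules = []

    EOL = '\n'

    # config keys that may override the class defaults above.  'ping' is
    # included: the original read ping_in/ping_out (which nothing uses) and
    # never read 'ping', so the YAML's ``ping: True`` had no effect.
    _CONFIG_KEYS = (
        'ssh_port', 'ftp_port', 'tcp_in_ports', 'udp_in_ports', 'ping',
        'first_custom_rules', 'middle_custom_rules', 'last_custom_rules',
    )

    def __init__(self, config_name):
        """Load ``conf/forward-<config_name>.yaml``; exit(1) when it is missing."""
        import yaml
        self.name = config_name
        file_path = 'conf/forward-{name}.yaml'.format(name=config_name)
        if not os.path.isfile(file_path):
            print('no config')
            exit(1)

        # safe_load rather than yaml.load: the default loader can build
        # arbitrary Python objects from a crafted document.  The handle is
        # closed deterministically instead of being leaked.
        with open(file_path, encoding='utf-8') as fh:
            config = yaml.safe_load(fh) or {}

        # Same semantics as before: a missing or falsy key keeps the default.
        for key in self._CONFIG_KEYS:
            value = config.get(key)
            if value:
                setattr(self, key, value)

        # Own copies, so start() appending the FTP port cannot mutate the
        # class-level default lists shared by every instance.
        self.tcp_in_ports = list(self.tcp_in_ports)
        self.udp_in_ports = list(self.udp_in_ports)

    def start(self):
        """Assemble the rule script in order and write it to shell/."""
        rules = self.initForwardRules()

        if self.first_custom_rules:
            rules += self.customRules(self.first_custom_rules)

        rules += self.established()

        if self.ftp_port:
            rules += self.enableFtp()
            # the FTP control port is forwarded through the ordinary TCP rule
            self.tcp_in_ports.append(self.ftp_port)

        if self.tcp_in_ports:
            rules += self.tcpInRules()

        if self.udp_in_ports:
            rules += self.udpInRules()

        if self.middle_custom_rules:
            rules += self.customRules(self.middle_custom_rules)

        if self.ping:
            rules += self.doPing()

        if self.last_custom_rules:
            rules += self.customRules(self.last_custom_rules)

        # SSH to the firewall itself, then the catch-all REJECTs
        rules += self.sshRules()
        rules += self.rejectRules()

        self.write(rules)

    def customRules(self, data):
        """Return the given raw rule lines, each terminated with EOL (no validation)."""
        return ''.join(rule + self.EOL for rule in data)

    def tcpInRules(self):
        """ACCEPT NEW forwarded TCP connections to tcp_in_ports."""
        ports = ','.join(self.__map_num_2_str(self.tcp_in_ports))
        rules = 'iptables -A FORWARD  -p tcp -m multiport --dports {ports} -m state --state NEW -j ACCEPT'.format(
            ports=ports) + self.EOL + self.EOL
        return rules

    def udpInRules(self):
        """ACCEPT NEW forwarded UDP datagrams to udp_in_ports."""
        ports = ','.join(self.__map_num_2_str(self.udp_in_ports))
        rules = 'iptables -A FORWARD  -p udp -m multiport --dports {ports} -m state --state NEW -j ACCEPT'.format(
            ports=ports) + self.EOL + self.EOL
        return rules

    def enableFtp(self):
        """Load the FTP conntrack helper so data connections match RELATED."""
        return 'modprobe nf_conntrack_ftp' + self.EOL

    def doPing(self):
        """Forward ICMP echo requests; replies return as ESTABLISHED."""
        return 'iptables -A FORWARD  -p icmp --icmp-type 8 -j ACCEPT' + self.EOL

    def established(self):
        """Stateful forward rule: ESTABLISHED, plus RELATED when FTP is enabled.

        Without RELATED the FTP data connection identified by
        nf_conntrack_ftp would still be rejected; this matches the host
        generator and the manual FORWARD rules.
        """
        related = ',RELATED' if self.ftp_port else ''
        rules = 'iptables -A FORWARD -m state --state ESTABLISHED{RELATED} -j ACCEPT'.format(RELATED=related) + self.EOL + self.EOL
        return rules

    def initForwardRules(self):
        """Reset the filter table before the new rules are appended.

        Policies are set to ACCEPT so a flush never locks the operator out;
        the closing REJECT rules (including the one on FORWARD) do the
        denying.  ``-F`` only flushes the filter table.
        """
        rules = 'iptables -P FORWARD  ACCEPT' + self.EOL
        rules += 'iptables -P INPUT  ACCEPT' + self.EOL
        rules += 'iptables -P OUTPUT  ACCEPT' + self.EOL
        rules += 'iptables -F' + self.EOL + self.EOL
        return rules

    def sshRules(self):
        """Stateless allow for SSH to the firewall itself, from any source.

        Exits with a message when ssh_port is unset, because a script without
        this rule would cut off remote management.
        """
        if not self.ssh_port:
            exit('need ssh_port')
        print('ssh port  {port}'.format(port=self.ssh_port))
        rules = 'iptables -A INPUT -p tcp --dport {port}  -j ACCEPT'.format(port=self.ssh_port) + self.EOL
        rules += 'iptables -A OUTPUT -p tcp --sport {port}  -j ACCEPT'.format(port=self.ssh_port) + self.EOL + self.EOL
        return rules

    def rejectRules(self):
        """Catch-all REJECT on FORWARD, INPUT and OUTPUT (default-deny).

        FORWARD must end in REJECT too: its policy is reset to ACCEPT in
        initForwardRules(), so the original script -- which only rejected on
        INPUT and OUTPUT -- forwarded everything and made every FORWARD
        ACCEPT rule above meaningless.
        """
        rules = 'iptables -A FORWARD -j REJECT' + self.EOL
        rules += 'iptables -A INPUT -j REJECT' + self.EOL
        rules += 'iptables -A OUTPUT -j REJECT' + self.EOL
        return rules

    def write(self, data):
        """Write the script to shell/forward-<name>.sh with a bash shebang."""
        data = '#!/bin/bash' + self.EOL + self.EOL + data
        with open('shell/forward-{name}.sh'.format(name=self.name), mode='w', encoding='utf-8') as f:
            f.write(data)

    def __map_num_2_str(self, data):
        """Stringify port numbers for ','.join."""
        return map(lambda x: str(x), data)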

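if __name__ == '__main__':
    import sys

    # The generator needs PyYAML.  If it has to be installed by hand, use an
    # https index: the commented-out pip line this block used to carry pointed
    # at a plain-http mirror with --trusted-host, which disables transport
    # verification of the downloaded package (supply-chain risk).
    #   /root/.virtualenvs/shellenv/bin/pip install pyyaml

    # Config name defaults to 'develop' (conf/forward-develop.yaml) as before;
    # an optional first argument selects another conf/forward-<name>.yaml.
    config_name = sys.argv[1] if len(sys.argv) > 1 else 'develop'
    iptables = generate(config_name)
    iptables.start()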

配置文件 conf/forward-develop.yaml

ip: False
interface: False

ssh_port: 22
ftp_port: 21

tcp_in_ports: [80, 443,139,445]
udp_in_ports: [80, 443,137,138]

ping: True

#限制单个源ip经本机转发到80端口的并发连接数(超过50个即拒绝);放在first_custom_rules里,排在ESTABLISHED规则之前生效
first_custom_rules :
  - iptables -A FORWARD  -p tcp  --dport 80 -m connlimit --connlimit-above 50 -j REJECT

nat dnat介绍

Linux 防火墙_第4张图片
snat

#在报文离开当前网卡前(POSTROUTING)把源地址改成本机外网地址;SNAT 只改地址,报文仍要先通过 FORWARD 链的放行;--to-source 要求出口地址固定,出口是动态地址时应改用 MASQUERADE
[root@node2 ~]# iptables -t nat -A POSTROUTING -s 172.16.86.0/24 -j SNAT --to-source 192.168.1.201

dnat

#在报文进入网卡时(PREROUTING)改变目标地址。DNAT 只是改写目标,改写后的报文仍会经过 FORWARD 链,所以 FORWARD 上必须放行到 172.16.86.228:80 的流量;同时后端 node1 的回包路由也必须经过 node2,否则连接建不起来
[root@node2 ~]# iptables -t nat -I PREROUTING -d 192.168.1.201  -p tcp --dport 80 -j DNAT --to-destination 172.16.86.228
[root@node3 ~]# curl http://192.168.1.201

It works!

#在报文进入网卡时(PREROUTING)同时改变目标地址和端口:把对 80 的访问映射到后端的 8080;-R 是替换 PREROUTING 链中的第 1 条规则
[root@node3 ~]# curl http://192.168.1.201
curl: (7) Failed connect to 192.168.1.201:80; Connection refused
[root@node2 ~]# iptables -t nat -R PREROUTING 1 -d 192.168.1.201 -p tcp --dport 80 -j DNAT --to-destination 172.16.86.228:8080
[root@node3 ~]# curl http://192.168.1.201

It works!

端口映射

作用于当前机器,以下例子把访问本机 80 的流量重定向到本机的 8080 端口。PREROUTING 上的 REDIRECT 只对从外面进来的报文生效,本机自己发出的流量要在 nat 表的 OUTPUT 链上做;另外 filter 表的 INPUT 链看到的是改写后的目标端口,所以 INPUT 上放行的应是 8080 而不是 80

[root@node1 ~]#  iptables -t nat -A PREROUTING  -d 172.16.86.228 -p tcp --dport 80 -j REDIRECT --to-ports  8080