A small iptables filter table example
1. Allow traffic to ports 22, 80 and 21, with port 22 reachable only from a fixed IP range:
[root@weixing01 ~]# vim /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                      # flush every rule in the filter table
$ipt -P INPUT DROP           # default policy: drop anything not explicitly allowed in
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    # replies to connections this host opened
$ipt -A INPUT -s 192.168.188.0/24 -p tcp --dport 22 -j ACCEPT   # SSH only from the admin segment
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
Then run the script and check the result:
[root@weixing01 ~]# sh /usr/local/sbin/iptables.sh
[root@weixing01 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
39 3144 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.188.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23 packets, 4376 bytes)
pkts bytes target prot opt in out source destination
2. Let this host ping external hosts, but do not let external hosts ping this one:
[root@weixing01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
The iptables nat table
1. First prepare two hosts, one with two network cards and one with a single network card.
2. Give the first host two network cards, one in NAT mode and one in LAN segment mode, and set the IP of the second one:
[root@weixing01 ~]# ifconfig ens37 192.168.100.1/24
3. As in step 2, add one network card to the other host, set to LAN segment mode on the same segment as the first host.
4. Once configured, ping each other:
[root@weixing01 ~]# ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.287 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.375 ms
5. Enable IP forwarding first:
[root@weixing01 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@weixing01 ~]# echo "1" >!$
echo "1" >/proc/sys/net/ipv4/ip_forward
[root@weixing01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
6. Add a masquerading rule:
[root@weixing01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
7. Set the default gateway:
route add default gw 192.168.100.1
8. Then set DNS, and the external network becomes reachable:
vi /etc/resolv.conf
nameserver 119.29.29.29
9. Requirement 2: let other hosts reach the machine with a single network card:
[root@weixing01 ~]# iptables -t nat -A PREROUTING -d 192.168.188.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@weixing01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.188.130
Add these two rules, then add the gateway; the host with only one network card can now be reached via port 1122.
[root@weixing01 ~]# w
23:24:40 up 1:25, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 22:06 2:24 0.16s 0.16s -bash
root pts/0 192.168.188.1 23:24 0.00s 0.01s 0.00s w
[root@weixing01 ~]# ifconfig
ens33: flags=4099 mtu 1500
ether 00:0c:29:ca:b5:ec txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163 mtu 1500
inet 192.168.100.100 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:feca:b5f6 prefixlen 64 scopeid 0x20
ether 00:0c:29:ca:b5:f6 txqueuelen 1000 (Ethernet)
RX packets 259 bytes 31802 (31.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 382 bytes 41908 (40.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 446 bytes 37058 (36.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 446 bytes 37058 (36.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Note: for requirement 1, after everything is configured, host 2 can ping host 1's IP but cannot ping the gateway or the external network. To fix this, delete the rule in the FORWARD chain, as in the first listing below; the second listing shows the REJECT rule coming back after a restart of the iptables service.
[root@weixing01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1127 107K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 468 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 175 packets, 20774 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 753 packets, 99000 bytes)
pkts bytes target prot opt in out source destination
[root@weixing01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@weixing01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 500 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)
pkts bytes target prot opt in out source destination
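The gateway from the nat section and the FORWARD chain problem in the note above, as an added example that is not part of the original notes: a script that generates an iptables-restore ruleset for both tables so it can be reviewed before it is loaded. Interface names and addresses are the ones used above; the variable names (WAN_IF, LAN_NET, ...) and the functions build_ruleset and count_chain_rules are my own. Instead of deleting the FORWARD REJECT rule, it keeps FORWARD closed by default and opens only the LAN segment's outbound traffic and the DNAT'd inbound SSH.

```shell
#!/bin/bash
# Added example, not from the original notes. Values below are the lab's;
# the variable and function names are assumed.
WAN_IF="ens33"                 # NAT-mode card, reachable from 192.168.188.0/24
LAN_IF="ens37"                 # LAN-segment card, 192.168.100.1/24
LAN_NET="192.168.100.0/24"
WAN_IP="192.168.188.130"
ADMIN_NET="192.168.188.0/24"
INNER_HOST="192.168.100.100"   # the single-card host behind the gateway

# Print a complete ruleset for the filter and nat tables. FORWARD stays
# DROP; only LAN -> WAN traffic, the DNAT'd port 1122 -> 22 traffic and
# replies are forwarded, so no FORWARD rule has to be deleted by hand.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $INNER_HOST -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $WAN_IP -p tcp --dport 1122 -j DNAT --to-destination $INNER_HOST:22
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Number of rules the ruleset appends to a chain; a cheap sanity check
# before handing the text to iptables-restore.
count_chain_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Apply only when asked explicitly; otherwise print the ruleset for review.
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Run it without arguments to inspect the ruleset, and with "apply" (as root) to enable forwarding and load it atomically.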