A small iptables filter table case study

1. Allow traffic on ports 22, 80 and 21, with port 22 reachable only from a fixed IP range:

[root@weixing01 ~]# vim /usr/local/sbin/iptables.sh

#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.188.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

Then run the script:

[root@weixing01 ~]# sh /usr/local/sbin/iptables.sh 

[root@weixing01 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   39  3144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.188.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 23 packets, 4376 bytes)
 pkts bytes target     prot opt in     out     source               destination         

2. Let this host ping the outside world, but stop outside hosts from pinging it:

[root@weixing01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
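The following is an added example, not the post's own script: requirements 1 and 2 folded into one re-runnable ruleset (re-running the post's script would flush the ad-hoc ICMP rule), with a loopback rule the post's script lacks and the same addresses and ports as the post's lab. DRY_RUN=1 only prints the rules; the `apply` argument applies them.

```bash
#!/bin/bash
# Added example (not the post's script): requirements 1 and 2 in one ruleset.
IPT="${IPT:-/usr/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.188.0/24}"   # only this range may reach SSH
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints rules instead of applying

# run: echo the rule so the applied set is visible, then apply it unless DRY_RUN=1
run() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

filter_rules() {
    run "$IPT" -F
    run "$IPT" -P INPUT DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -P FORWARD ACCEPT
    # loopback first: with policy DROP, local services talking to 127.0.0.1
    # would otherwise lose every new connection (the post's script omits this)
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # requirement 2: drop inbound echo-request (type 8); our own pings still work
    # because the echo-reply (type 0) matches RELATED,ESTABLISHED above. The
    # explicit rule keeps that intent even if the INPUT policy is later relaxed.
    run "$IPT" -A INPUT -p icmp --icmp-type 8 -j DROP
    # requirement 1: SSH only from the admin range, web and ftp from anywhere
    run "$IPT" -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 21 -j ACCEPT
}

# count_rules_for: how many emitted rules contain the given match text
count_rules_for() {
    DRY_RUN=1 filter_rules | grep -c -- "$1"
}

if [ "${1:-}" = "apply" ]; then
    filter_rules
fi
```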

iptables nat table


1. First prepare two hosts, one with two NICs and one with a single NIC.
2. On the first host add two NICs, one in NAT mode and one in LAN segment mode, and set the IP:

[root@weixing01 ~]# ifconfig ens37 192.168.100.1/24

3. As in step 2, add one NIC to the other host, in LAN segment mode, on the same segment as the first host.
4. Once that is set up, ping each other:

[root@weixing01 ~]# ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.287 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.375 ms

5. First enable routing (IP forwarding):

[root@weixing01 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@weixing01 ~]# echo "1" >!$
echo "1" >/proc/sys/net/ipv4/ip_forward
[root@weixing01 ~]# cat /proc/sys/net/ipv4/ip_forward
1

6. Add one rule:

[root@weixing01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

7. Set the default gateway:

route add default gw 192.168.100.1

8. Then set the DNS, and the host can reach the external network:

vi /etc/resolv.conf
nameserver  119.29.29.29

9. Requirement 2: let other hosts reach this machine:

[root@weixing01 ~]# iptables -t nat -A PREROUTING -d 192.168.188.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@weixing01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.188.130

Add these two rules, then add the gateway, and the single-NIC host can now be reached through port 1122.

[root@weixing01 ~]# w
 23:24:40 up  1:25,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      22:06    2:24   0.16s  0.16s -bash
root     pts/0    192.168.188.1    23:24    0.00s  0.01s  0.00s w
[root@weixing01 ~]# ifconfig
ens33: flags=4099  mtu 1500
        ether 00:0c:29:ca:b5:ec  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:feca:b5f6  prefixlen 64  scopeid 0x20
        ether 00:0c:29:ca:b5:f6  txqueuelen 1000  (Ethernet)
        RX packets 259  bytes 31802 (31.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 382  bytes 41908 (40.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1  (Local Loopback)
        RX packets 446  bytes 37058 (36.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 446  bytes 37058 (36.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note: in requirement 1, after all configuration is done, host 2 can ping host 1's IP but cannot ping the gateway or the external network. Do the following: as the first listing shows, delete the rule in the FORWARD chain and forwarding works (the second listing, taken after `service iptables restart`, shows the distribution's REJECT rule back in FORWARD, which is what blocked the forwarded traffic).

[root@weixing01 ~]# iptables  -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1127  107K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    6   468 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 175 packets, 20774 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 753 packets, 99000 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@weixing01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@weixing01 ~]# iptables  -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   500 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination
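Steps 5 to 9 and the note above, as one added example script for the dual-NIC host (not the post's own commands): it sets the NAT rules from the post and replaces "delete the FORWARD rule" with an explicit FORWARD policy that states what may cross the gateway. Interface names and addresses are the post's lab values; DRY_RUN=1 prints instead of applying, and the `apply` argument applies.

```bash
#!/bin/bash
# Added example (not the post's commands): NAT gateway with an explicit FORWARD policy.
IPT="${IPT:-/usr/sbin/iptables}"
WAN_IF="${WAN_IF:-ens33}"                       # NIC with the NAT-mode address
LAN_IF="${LAN_IF:-ens37}"                       # NIC on the LAN segment
WAN_IP="${WAN_IP:-192.168.188.130}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
INNER_HOST="${INNER_HOST:-192.168.100.100}"     # the single-NIC host
PUB_PORT="${PUB_PORT:-1122}"                    # public port mapped to its SSH
DRY_RUN="${DRY_RUN:-0}"

run() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# step 5: without this the kernel drops packets it would have to forward
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules() {
    run "$IPT" -t nat -F
    # step 6: hide the LAN segment behind whatever address the WAN NIC has
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # step 9: publish WAN_IP:PUB_PORT as SSH on the inner host (rules as in the post)
    run "$IPT" -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport "$PUB_PORT" -j DNAT --to "$INNER_HOST:22"
    run "$IPT" -t nat -A POSTROUTING -s "$INNER_HOST" -j SNAT --to "$WAN_IP"
}

# the note's fix, made explicit: the distribution's FORWARD REJECT rule (seen
# after "service iptables restart") blocks everything, so list what may cross
forward_rules() {
    run "$IPT" -F FORWARD
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # DNAT already rewrote the destination before FORWARD sees the packet
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$INNER_HOST" -p tcp --dport 22 -j ACCEPT
}

# count_forward_accepts: number of ACCEPT rules the FORWARD chain will carry
count_forward_accepts() {
    DRY_RUN=1 forward_rules | grep -c -- "-j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding; nat_rules; forward_rules
fi
```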