iptables网络防火墙
============================================================================
概述:
本章是上篇iptables基础(http://1992tao.blog.51cto.com/11606804/1864440)的后续,将主要介绍iptables的处理动作,保存和载入规则,以及iptables中网络防火墙的相关介绍和应用。内容如下:
iptables的保存和载入规则;
CentOS 6中iptables的保存和重载规则
CentOS 7开机自动生效规则;
iptables规则的优化思路;
iptables/netfilter网络防火墙的实验及队规则定义
============================================================================
★limit
基于收发报文的速率进行匹配;
--limit rate[/second|/minute|/hour|/day]:每秒/分/小时/天 限制多少个
--limit-burst number:指定令牌桶,默认为5个
演示
定义规则,指定令牌通为3个,每分钟20个ping报文到达
定义入栈规则:限定每分钟20个ping报文 [root@centos7 ~]# iptables -A INPUT -d 10.1.252.161 -p icmp --icmp-type 8 -m limit --limit-burst 3 --limit 20/minute -j ACCEPT 定义出栈规则:这里不做限定 [root@centos7 ~]# iptables -A OUTPUT -s 10.1.252.161 -p icmp --icmp-type 0 -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 598 packets, 52815 bytes) pkts bytes target prot opt in out source destination 10 512 REJECT tcp -- * * 0.0.0.0/0 10.1.252.161 tcp dpt:22 #conn src/32 > 2 reject-with icmp-port-unreachable 4405 342K ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 27 2268 ACCEPT icmp -- * * 0.0.0.0/0 10.1.252.161 icmptype 8 limit: avg 20/min burst 3 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 165 54078 REJECT tcp -- * * 10.1.252.161 0.0.0.0/0 tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 3102 456K ACCEPT tcp -- * * 10.1.252.161 0.0.0.0/0 multiport sports 22,23,80 27 2268 ACCEPT icmp -- * * 10.1.252.161 0.0.0.0/0 icmptype 0 ====================================================================================== 测试:前三个一次放行,后面的都是3秒钟一个 [root@CentOS6 ~]# ping 10.1.252.161 PING 10.1.252.161 (10.1.252.161) 56(84) bytes of data. 64 bytes from 10.1.252.161: icmp_seq=1 ttl=64 time=0.673 ms 64 bytes from 10.1.252.161: icmp_seq=2 ttl=64 time=1.37 ms 64 bytes from 10.1.252.161: icmp_seq=3 ttl=64 time=0.364 ms 64 bytes from 10.1.252.161: icmp_seq=4 ttl=64 time=0.421 ms 64 bytes from 10.1.252.161: icmp_seq=7 ttl=64 time=0.332 ms 64 bytes from 10.1.252.161: icmp_seq=10 ttl=64 time=0.386 ms
★state (重要)
状态检测:连接追踪机制(conntrack)
☉连接状态
NEW:新连接
ESTABLISHED:已建立的连接
RELATED:相关联的连接
INVALID:无法识别的连接
UNTRACKED:未被追踪连接;
☉相关的内核模块:
nf_conntrack
nf_conntrack_ipv4
nf_conntrack_ftp
☉定义的文件
追踪到的连接定义在:/proc/net/nf_conntrack 文件中;
能追踪的最大连接数量定义在:/proc/sys/net/nf_conntrack_max,建议调整至足够大;
不同协议的连接追踪时长定义在:/proc/sys/net/netfilter/
[root@centos7 ~]# cat /proc/net/nf_conntrack ipv4 2 tcp 6 299 ESTABLISHED src=10.1.252.161 dst=10.1.250.25 sport=22 dport=51679 src=10.1.250.25 dst=10.1.252.161 sport=51679 dport=22 [ASSURED] mark=0 zone=0 use=2 [root@centos7 ~]# cat /proc/sys/net/nf_conntrack_max 31288 # 能追踪的最大连接数量,达到之后再有请求就会拒绝☉选项:
[!] --state state 定义什么状态
注意:
如果主机为一个负载均衡器(前端调度器),状态连接追踪机制最好不要开启,因为其已经承载了非常大的并发连接数量,如果开启可能会拒绝很多请求服务,这对于一个线上服务器来说几乎是致命的!至于其他主机(单台服务器)是可以开启的;
演示:
1.使用状态连接追踪机制
为了保证实验,首先添加一条状态追踪的规则,然后把把前面的规则删除 添加规则如下:只允许其他主机新链接和已建立的连接,访问本地主机的22,23和80端口 [root@centos7 ~]# iptables -A INPUT -d 10.1.252.161 -p tcp -m multiport --dports 22,23,80 -m state --state NEW,ESTABLISHED -j ACCEPT ====================================================================================== 查看规则,并删除前面定义的规则 [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 10 packets, 1769 bytes) pkts bytes target prot opt in out source destination 10 512 REJECT tcp -- * * 0.0.0.0/0 10.1.252.161 tcp dpt:22 #conn src/32 > 2 reject-with icmp-port-unreachable 5086 391K ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 76 6384 ACCEPT icmp -- * * 0.0.0.0/0 10.1.252.161 icmptype 8 limit: avg 20/min burst 3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 165 54078 REJECT tcp -- * * 10.1.252.161 0.0.0.0/0 tcp spt:80 STRING match "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable 3566 499K ACCEPT tcp -- * * 10.1.252.161 0.0.0.0/0 multiport sports 22,23,80 76 6384 ACCEPT icmp -- * * 10.1.252.161 0.0.0.0/0 icmptype 0 # 查看规则得知新添加的规则在最后一个,所以把前面的删除,前面删除一个,后一个就变为一 [root@centos7 ~]# iptables -D INPUT 1 [root@centos7 ~]# iptables -D INPUT 1 [root@centos7 ~]# iptables -D INPUT 1 ======================================================================================= 删除出栈规则的第一,三条,新建一条规则覆盖第二条 [root@centos7 ~]# iptables -D OUTPUT 1 [root@centos7 ~]# iptables -D OUTPUT 2 删除第一条后原来的第三条变为第二条 [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 65 4352 ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3637 509K ACCEPT tcp -- * * 10.1.252.161 0.0.0.0/0 multiport sports 22,23,80 # 新定义新出栈规则,只放行已建立的连接 [root@centos7 ~]# iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT =================================================================================== 现在的规则如下: [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 1144 packets, 107K bytes) pkts bytes target prot opt in out source destination 241 16244 ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 7 packets, 420 bytes) pkts bytes target prot opt in out source destination 31 2800 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 测试访问,没有问题,因为我们定义了只放行从22,23,80端口出去的已建立的连接。 [root@CentOS6 ~]# curl http://10.1.252.161/text.htmlTest Page My Test Page
[root@CentOS6 ~]# curl http://10.1.252.161/test.html sex
2.现在如果允许任何主机都可以ping本机,随意ping,怎么添加?
[root@centos7 ~]# iptables -A INPUT -d 10.1.252.161 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT 测试能否ping通 [root@CentOS6 ~]# ping 10.1.252.161 PING 10.1.252.161 (10.1.252.161) 56(84) bytes of data. 64 bytes from 10.1.252.161: icmp_seq=1 ttl=64 time=1.09 ms 64 bytes from 10.1.252.161: icmp_seq=2 ttl=64 time=0.413 ms 64 bytes from 10.1.252.161: icmp_seq=3 ttl=64 time=1.83 ms 64 bytes from 10.1.252.161: icmp_seq=4 ttl=64 time=1.62 ms 64 bytes from 10.1.252.161: icmp_seq=5 ttl=64 time=0.338 ms # 发现,是可以ping通的,因为我们出栈定义的是放行任何已建立的所有协议的连接,即,不管其他,只要状态为ESTABLISHED的统统放行; [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 790 packets, 76609 bytes) pkts bytes target prot opt in out source destination 472 32328 ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 state NEW,ESTABLISHED 5 420 ACCEPT icmp -- * * 0.0.0.0/0 10.1.252.161 icmptype 8 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 23 packets, 1580 bytes) pkts bytes target prot opt in out source destination 177 17173 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
3.如何开放本机的ftp服务呢?
分析:要想开放本机的ftp服务,就要开放本机的21号端口,和所有的随机端口;但是我们考虑做连接 追踪的话,要开放21号端口,状态为NEW和RELATED(相关联的连接),出栈为RELATED就可以出去,但是入栈 的随机端口要放行状态为ESTABLISHED和RELATED;既然所有的连接第一次都为NEW,后面的都是RELATED 那么我们把所有服务的RELATED放在一起,定义一条规则即可。 # ====================================================================================== 定义入栈规则,所有相关联的和第二次访问的报文统统放行 [root@centos7 ~]# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 8 packets, 624 bytes) pkts bytes target prot opt in out source destination 6 396 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 611 41872 ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 22,23,80 state NEW,ESTABLISHED 5 420 ACCEPT icmp -- * * 0.0.0.0/0 10.1.252.161 icmptype 8 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 264 25681 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 修改第2条规则,因为入栈的第一条规则已经定义状态为ESTABLISHED的放行,所以此处只需定义第一次访问 21,22,23,80端口的服务,即NEW状态的放行即可; [root@centos7 ~]# iptables -R INPUT 2 -d 10.1.252.161 -p tcp -m multiport --dports 21:23,80 -m state --state NEW -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 6 396 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.252.161 multiport dports 21:23,80 state NEW 5 420 ACCEPT icmp -- * * 0.0.0.0/0 10.1.252.161 icmptype 8 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 814 78777 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED # ====================================================================================== 启动本地vsftpd服务,测试,看能否连接 [root@CentOS6 ~]# lftp 10.1.252.161 lftp 10.1.252.161:~> ls `ls' at 0 [Making data connection...] 这时我们发现仍然无法连接,这是因为追踪ftp的模块没有被指定 [root@centos7 ~]# lsmod |grep ftp # 启动追踪 ftp 的模块 [root@centos7 ~]# modprobe nf_conntrack_ftp [root@centos7 ~]# lsmod |grep ftp nf_conntrack_ftp 18638 0 nf_conntrack 105107 4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4 再次连接ftp服务,可以正常连接 [root@CentOS6 ~]# lftp 10.1.252.161 lftp 10.1.252.161:~> ls drwxr-xr-x 2 0 0 6 Nov 20 2015 pub drwxrwxr-x 2 0 0 22 Oct 18 03:06 upload
总结:
处理动作(跳转目标):
★语法:
-j tagetname [per-target-options]
★简单target:
ACCEPT
DROP
★扩展target:
☉REJECT:
--reject-with type
icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreach‐able, icmp-net-prohibited, icmp-host-prohibited, or icmp-admin-prohibited,默认为icmp-port-unreachable;
☉LOG:记录日志
urn on kernel logging of matching packets.
--log-level level
--log-prefix prefix:日志信息的前导信息;
演示:
添加对连接本机的ssh服务的日志记录
# 添加规则前查看规则记录 [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 23 packets, 2403 bytes) pkts bytes target prot opt in out source destination 97 6515 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.14 multiport dports 21:23,80 state NEW 4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.14 icmptype 8 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 3 packets, 212 bytes) pkts bytes target prot opt in out source destination 330 35467 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED # 添加日志记录规则,这里在第2条规则前插入,因为只对新链接的ssh服务记录日志 [root@centos7 ~]# iptables -I INPUT 2 -d 192.168.1.14 -p tcp --dport 22 -j LOG --log-prefix "openssh from kernel:" [root@centos7 ~]# iptables -vnL Chain INPUT (policy DROP 66 packets, 5920 bytes) pkts bytes target prot opt in out source destination 608 46158 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 1 52 LOG tcp -- * * 0.0.0.0/0 192.168.1.14 tcp dpt:22 LOG flags 0 level 4 prefix "openssh from kernel:" 1 52 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.14 multiport dports 21:23,80 state NEW 4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.14 icmptype 8 state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 2 packets, 131 bytes) pkts bytes target prot opt in out source destination 707 76206 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED # 查看日志文件 [root@centos7 ~]# tail /var/log/messages Oct 22 21:40:01 centos7 systemd: Started Session 19 of user root. Oct 22 21:40:01 centos7 systemd: Starting Session 19 of user root. # 如下所示为记录的日志 Oct 22 21:42:02 centos7 kernel: openssh from kernel:IN=eno16777736 OUT= MAC=00:0c:29:d7:41:ed:80:9b:20:5c:ea:f8:08:00 SRC=192.168.1.12 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=25457 DF PROTO=TCP SPT=63409 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 Oct 22 21:42:03 centos7 systemd: Started Session 20 of user root. Oct 22 21:42:03 centos7 systemd-logind: New session 20 of user root. Oct 22 21:42:03 centos7 systemd: Starting Session 20 of user root. Oct 22 21:42:03 centos7 dbus[986]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Oct 22 21:42:03 centos7 dbus-daemon: dbus[986]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Oct 22 21:42:03 centos7 dbus[986]: [system] Successfully activated service 'org.freedesktop.problems' Oct 22 21:42:03 centos7 dbus-daemon: dbus[986]: [system] Successfully activated service 'org.freedesktop.problems'
保存和载入规则
★保存:
iptables-save > /PATH/TO/SOME_RULE_FILE
★重载:
iptables-restore < /PATH/FROM/SOME_RULE_FILE
☉选项:
-n, --noflush:不清除原有规则
-t, --test:仅分析生成规则集,但不予提交;
演示:
2.iptables-save保存规则
[root@centos7 ~]# iptables-save # Generated by iptables-save v1.4.21 on Sat Oct 22 21:58:03 2016 *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT DROP [1:76] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -d 192.168.1.14/32 -p tcp -m tcp --dport 22 -j LOG --log-prefix "openssh from kernel:" -A INPUT -d 192.168.1.14/32 -p tcp -m multiport --dports 21:23,80 -m state --state NEW -j ACCEPT -A INPUT -d 192.168.1.14/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state ESTABLISHED -j ACCEPT COMMIT # Completed on Sat Oct 22 21:58:03 2016 # 保存至/etc/sysconfig/iptables [root@centos7 ~]# iptables-save > /etc/sysconfig/iptables
3.iptables-restore重载规则
[root@centos7 ~]# iptables -F [root@centos7 ~]# iptables-restore < /etc/sysconfig/iptables
【CentOS 6】
★保存规则:service iptables save
保存规则于 /etc/sysconfig/iptables,保存操作会清除文件中原有的内容;
★重载规则:server iptables restart
默认重载 /etc/sysconfig/iptables文件中的规则
★脚本配置文件:/etc/sysconfig/iptables-config
用于指明要装载的模块;
演示:
[root@CentOS6 ~]# vim /etc/sysconfig/iptables-config
# 要首先创建一个/etc/sysconfig/iptables 空文件 [root@CentOS6 ~]# touch /etc/sysconfig/iptables [root@CentOS6 ~]# service iptables save # 保存 iptables: Nothing to save. [WARNING] [root@CentOS6 ~]# service iptables restart #重载 iptables: Applying firewall rules: [ OK ] iptables: Loading additional modules: nf_conntrack_ftp [ OK ] [root@CentOS6 ~]# lsmod |grep ftp nf_conntrack_ftp 12049 0 nf_conntrack 79537 1 nf_conntrack_ftp
★CentOS 7开机自动生效规则:
firewalld服务;
shell脚本,直接记录iptables命令
自定义unit file或init script;
规则优化思路
★优化思路:
☉优先放行双方向状态为ESTABLISHED的报文;
☉服务于不同类别的功能的规则,匹配到报文可能性更大的放前面;
☉服务于同一类别的功能的规则,匹配条件较为严格的放前面;
☉设置默认策略:白名单机制
可使用iptables -P设定默认策略;
建议在规则链的最后定义规则做为默认策略;
如下:
回顾:
=============================================================================
iptables/netfilter网络防火墙
=============================================================================
实验:
实现内网主机与外网主机之间的通信,并在网关主机的FORWARD链上添加规则,控制访问。
实验模型:
实验环境准备:
1)三台虚拟主机(CentOS 7,CentOS 7 ,CentOS 6),模拟两台物理机,其中两台CentOS 7的主机在内网之中,一台作为网关主机,一台作为内网主机;CentOS 6主机为外网主机;
2)内网主机中的网关主机要有两块网卡,一块网卡负责与内网主机(虚拟机2)进行通信;一块网卡作为与网主机进行通信;
3)内网网关主机与外网主机的网卡都要为桥接模式,内网网关主机的另一块网卡与内网虚拟机2通信的连接模式为仅主机模式(VMnet1);
4)ip设置,内网的网段为192.168.22.0/24,外网为10.1.0.0/16。这里设置内网主机ip为192.168.22.2且网关必须要指向网关主机的内网网卡 ;网关主机与内网通信的网卡ip为192.168.22.1,与外网通信的网卡ip为10.1.252.161;外网主机ip为10.1.252.153
准备如下图:
1.网关主机(CentOS 7)的两块网卡及各自的ip如下图:
网关主机与外网通信的网卡的网关为10.1.0.1,如下图,可以正常ping通
2.内网主机(虚拟机2),的网络连接模式要为VMnet1,必须要和网关主机的内网网卡连接模式相同,如下:
内网虚拟机2 ip配置,及网关配置(必须要指明)如下:
重启网络服务,查看如下:
内网主机ping网关主机内网网卡的ip 192.168.22.1,可以正常ping通;
内网主机ping网关主机的外网网卡ip ,发现也可以ping通,这是因为网卡默认是属于内核的,ping10.1.252.161为本主机(网关主机)上的地址,而网关主机的内网网卡能够与内网虚拟机2的ip 192.168.22.2通信,所以这里不是转发,还是在本机上,虽然网关主机两个网卡的地址不在一个网段。只有到另外一台主机(外网主机)才是转发。
3.外网主机CentOS 6 IP设置如下图:
如上,实验环境已经转备好了,现在我们开始实验。。。
实验:
1.在未打开网关主机的核心转发功能之前,内网虚拟主机(localhost)访问外网主机(CentOS 6),看能否ping通,过程如下:
1)首先查看网关主机(CentOS 7)的核心转发功能确认是关闭的
2)现在我们用内网虚拟机ping外网主机(CentOS 6)的ip 10.1.252.153,发现是ping不通的
3)我们在网关主机的内网网卡上抓包,是可以成功抓包的,如下:
在网关主机的外网网卡上抓包不成功
外网主机抓包不成功;
结论:
说明内网虚拟主机的报文在到达网关主机的外网网卡时,由于网关主机没有开启核心转发功能,所以不能到达,只能和网关主机的内网网卡进行通信,因为没有到达网关主机的外网网卡,所以无法通过网关主机的外网网卡与外网主机之间进行通信。
2.现在我们开启网关主机的核心转发功能,再用内网虚拟主机(localhost)去请求外网主机看能否ping通。
1)网关主机开启核心转发功能,如下:
2)使用内网虚拟主机ping外网主机(CentOS 6),如下:
3)在外网主机(CentOS 6)上抓包,可以正常抓包,并且有响应报文
4)在网关主机的外网网卡上抓包,如下,可以正常抓到包也有响应报文
5)那为什么内网虚拟主机收不到响应报文呢?,原因是外网主机收到报文后会把响应报文首先提交给网关,而外网的网关现在为10.1.0.1,没有指向网关主机外网的ip,所以,网关主机的外网接受不到响应报文,现在修改如下:
[root@CentOS6 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0 0.0.0.0 10.1.0.1 0.0.0.0 UG 0 0 0 eth0 [root@CentOS6 ~]# route del -net 0.0.0.0 gw 10.1.0.1 # 删除原来的网关 [root@CentOS6 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0 [root@CentOS6 ~]# route add default gw 10.1.252.161 # 新添加一条网关 [root@CentOS6 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0 0.0.0.0 10.1.252.161 0.0.0.0 UG 0 0 0 eth0
6)修改之后发现,内网中的虚拟主机马上就收到响应报文了
3.因为网关主机有核心转发功能,所以现在我们在网关主机上的FORWARD链上添加规则,实验如下:
1)现在我们首先用外网主机去请求内网虚拟主机的web服务,如下
[root@CentOS6 ~]# curl http://192.168.22.2/test.html Home Page # 可以正常访问
2)用内网虚拟主机访问外网的web服务,也可以正常访问,如下:
3)以上均为正常的,现在我们在网关主机上添加规则DROP
[root@centos7 ~]# iptables -vnL # 添加规则前查看无任何规则 Chain INPUT (policy ACCEPT 35 packets, 2769 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 6 packets, 1160 bytes) pkts bytes target prot opt in out source destination # 添加规则,所有的协议,目标源地址策略都为DROP [root@centos7 ~]# iptables -A FORWARD -j DROP [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 6 packets, 396 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 3 packets, 372 bytes) pkts bytes target prot opt in out source destination
现在我们再去用外网请求内网和内网请求外网发现都请求不到了,如下:
4)现在设定,放行由内网外访问外网的服务,也就是只允许内网主机可以访问外网任意主机的web服务;
# 添加规则如下:目标地址为外网的所有地址,端口固定为80 [root@centos7 ~]# iptables -I FORWARD -s 192.168.22.0/24 -p tcp --dport 80 -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 13 packets, 894 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 192.168.22.0/24 0.0.0.0/0 tcp dpt:80 6 360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 6 packets, 1224 bytes) pkts bytes target prot opt in out source destination # ======================================================================================== 此时内网还无法请求外网,因为只是开放了请求报文,并没有允许响应报文入栈,所以还要添加响应 报文入栈的规则 [root@centos7 ~]# iptables -I FORWARD 2 -d 192.168.22.0/24 -p tcp --sport 80 -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 16 packets, 1176 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4 240 ACCEPT tcp -- * * 192.168.22.0/24 0.0.0.0/0 tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.22.0/24 tcp spt:80 17 1020 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes) pkts bytes target prot opt in out source destination
现在内网再去请求外网的web服务,可以正常访问
5)我们知道这只是一个web服务,同样还会有很多的服务,这样的话规则的添加会越来越多,所以,这里我们可以做状态追踪,因为,任何请求进来的报文都是安全的报文。设定规则如下:
[root@centos7 ~]# iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 26 packets, 2386 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 17 1065 ACCEPT tcp -- * * 192.168.22.0/24 0.0.0.0/0 tcp dpt:80 29 1740 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 6 packets, 856 bytes) pkts bytes target prot opt in out source destination # 如此一来,无论是由内而外,还是由外而内,只要是响应报文统统放行,这样只需要去匹配请求报文 规则即可。
6)现在我们修改第二条规则,添加多个端口,ftp/21,ssh/22,http/80,telnet/23,sanba/445,139,并只允许新建立的连接来访问
# 规则设定如下,只放行了状态为NEW的的连接 [root@centos7 ~]# iptables -R FORWARD 2 -s 192.168.22.0/24 -p tcp -m multiport --dports 80,22,23,21,139,445 -m state --state NEW -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 24 packets, 1790 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 9 840 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 0 0 ACCEPT tcp -- * * 192.168.22.0/24 0.0.0.0/0 multiport dports 80,22,23,21,139,445 state NEW 29 1740 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 7 packets, 860 bytes) pkts bytes target prot opt in out source destination
访问如下:
7)现在我们通过内网的主机访问外网的ftp服务,访问不了,如下:
我们要开放RELATED的状态连接
# 要想被追踪,要首先添加追踪ftp状态的nf_conntrack_ftp模块 [root@centos7 ~]# lsmod |grep nf_conntrack_ftp [root@centos7 ~]# modprobe nf_conntrack_ftp [root@centos7 ~]# lsmod |grep nf_conntrack_ftp nf_conntrack_ftp 18638 0 nf_conntrack 105745 3 xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4 # 接下来添加RELATED的状态规则 [root@centos7 ~]# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 26 packets, 1850 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 12 720 ACCEPT tcp -- * * 192.168.22.0/24 0.0.0.0/0 multiport dports 80,22,23,21,139,445 state NEW 73 4380 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 10 packets, 1672 bytes) pkts bytes target prot opt in out source destination
再次使用内网主机访问外网主机的ftp服务,如下:
总结:
★iptables/netfilter网络防火墙:
添加规则于FORWARD链,注意几个问题:
⊙请求和响应报文均会经由FORWARD链,要注意规则的方向性;
第一条: iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
⊙如果可以启用conntrack机制,注意网关主机所能够追踪的连接数的最大数量要符合需要;