iptables 高级学习笔记

iptables 是与最新的 2.6.x 版本 Linux 内核集成的 IP 信息包过滤系统。如果 Linux 系统连接到因特网或 LAN、服务器或连接 LAN 和因特网的代理服务器, 则该系统有利于在 Linux系统上更好地控制 IP 信息包过滤和防火墙配置。netfilter/iptables IP 信息包过滤系统是一种功能强大的工具,可用于添加、编辑和除去规则,这些规则是在做信息包过滤决定时,防火墙所遵循和组成的规则。这些规则存储在专用的信息包过滤表中,而这些表集成在 Linux 内核中。在信息包过滤表中,规则被分组放在我们所谓的链(chain)中。虽然 netfilter/iptables IP 信息包过滤系统被称为单个实体,但它实际上由两个组件 netfilter和 iptables 组成。netfilter 组件也称为内核空间(kernelspace),是内核的一部分,由一些信息包过滤表组成,这些表包含内核用来控制信息包过滤处理的规则集。iptables 组件是一种工具,也称为用户空间(userspace),它使插入、修改和除去信息包过滤表中的规则变得容易。netfilter/iptables 的最大优点是它可以配置有状态的防火墙。有状态的防火墙能够指定并记住为发送或接收信息包所建立的连接的状态。防火墙可以从信息包的连接跟踪状态获得该信息。在决定新的信息包过滤时,防火墙所使用的这些状态信息可以增加其效率和速度。netfilter/iptables 的另一个重要优点是,它使用户可以完全控制防火墙配置和信息包过滤。您可以定制自己的规则来满足您的特定需求,从而只允许您想要的网络流量进入系统。

 

filter point         filter          nat         mangle

--------------------------------------------------------------------------------------------

INPUT              x                              x

FORWARD          x                              x

OUTPUT            x             x              x

PREROUTING                       x              x

POSTROUTING                      x              x


[root@localhost ~]# which iptables

/sbin/iptables

[root@localhost ~]# rpm -qf `whichiptables`

iptables-1.3.5-5.3.el5_4.1

 

[root@localhost ~]# ls/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ ( ko 内核模块 kernel

object)

arptable_filter.ko             ip_conntrack_tftp.ko  iptable_nat.ko     ipt_MASQUERADE.ko

arp_tables.ko                   ip_nat_amanda.ko       iptable_raw.ko     ipt_NETMAP.ko

arpt_mangle.ko                  ip_nat_ftp.ko           ip_tables.ko       ipt_owner.ko

ip_conntrack_amanda.ko       ip_nat_h323.ko          ipt_addrtype.ko   ipt_recent.ko

ip_conntrack_ftp.ko           ip_nat_irc.ko           ipt_ah.ko           ipt_REDIRECT.ko

ip_conntrack_h323.ko          ip_nat.ko                 ipt_CLUSTERIP.ko  ipt_REJECT.ko

ip_conntrack_irc.ko           ip_nat_pptp.ko          ipt_dscp.ko         ipt_SAME.ko


 

ip_conntrack.ko                 ip_nat_sip.ko           ipt_DSCP.ko         ipt_TCPMSS.ko

ip_conntrack_netbios_ns.ko  ip_nat_snmp_basic.ko  ipt_ecn.ko          ipt_tos.ko

ip_conntrack_netlink.ko      ip_nat_tftp.ko          ipt_ECN.ko          ipt_TOS.ko

ip_conntrack_pptp.ko          ip_queue.ko              ipt_hashlimit.ko  ipt_ttl.ko

ip_conntrack_proto_sctp.ko  iptable_filter.ko      ipt_iprange.ko     ipt_TTL.ko

ip_conntrack_sip.ko           iptable_mangle.ko      ipt_LOG.ko          ipt_ULOG.ko

 

RHEL6 模块不能加载到 RHEL5(回忆加载模块)

 ===============================================================================

iptables [-t table] -A chain  rule-specification

-A, --append

iptables [-t table] -I chain[rulenum] rule-specification

-I, --insert

iptables [-t table] -D chain rulenum

-D, --delete

iptables [-t table] {-F|-L} [chain[rulenum]] [options...]

-F, --flush

-L, --list

iptables [-t table] -P chain target

-P, --policy

Rule :DROP,ACCEPT,LOG,REJECT

 

TARGETS


ACCEPT,  DROP,  QUEUE ,RETURN


TARGET EXTENSIONS    DNAT,LOG, MASQUERADE, REJECT, SNAT ... ... ...

  

基于 ip 地址

=============================

匹配的标准

IP: -s 192.168.0.0/24

-d 192.168.0.1

NIC: -i eth0

-o eth1

!:  -i  eth0  ! -s 192.168.0.0/24


[root@localhost ~]# iptables -tfilter -A INPUT -s 192.168.2.0/24 -j DROP

[root@localhost ~]# iptables -I INPUT! -s 192.168.3.0/24 -j ACCEPT

[root@localhost ~]# iptables -I INPUT-i eth0 -j ACCEPT

[root@localhost ~]# service iptablessave


iptables:将防火墙规则保存到 /etc/sysconfig/iptables:

[确定] 

基于服务端口号

==========================================================================

protocol port : -p tcp --dport 80

-p udp --sport 53

port range: 0:1024

ICMP: -p icmp --icmp-typehost-unreachable

[root@localhost ~]# iptables -A INPUT-s 192.168.2.1 -p tcp --dport 80 -j DROP

默认策略

-P <chain><ACCEPT|DROP|REJECT>

[root@localhost ~]# iptables -P INPUTACCEPT

刷新一个 table 的所有 rule

[root@localhost ~]# iptables -F

iptables -t filter -L

默认策略设置成 DROP

[root@localhost ~]# iptables -tfilter -P INPUT DROP

SSH 对方主机,要回包

[root@localhost ~]# iptables -tfilter -A INPUT -p tcp --sport 22 -j ACCEPT

默认策略 DROP 要放行自己 lo

[root@localhost ~]# iptables -tfilter -A INPUT -i lo -j ACCEPT

-v 详细信息 -n 不解析(ip 解析到主机名 port 解析到协议) --line-numbers 显示条目数

[root@localhost ~]# iptables -tfilter -L -n -v --line-numbers

MATCH EXTENSION 扩展匹配

===============================================================

icmp

[root@localhost ~]# iptables -tfilter -I INPUT -p icmp -h

[root@localhost ~]# iptables -tfilter -I INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

[root@localhost ~]# iptables -tfilter -I INPUT -p icmp -m icmp --icmp-type echo-request -j DROP

(默认策略 ACCEPT)

================================================================

connlimit :Allowsyou to restrict the number of parallel TCP connections to  a server  per

client IP address (or address block).同一个 IP 同时发起,最多 2 个连接

[root@localhost ~]# iptables -tfilter -A INPUT -s 172.16.1.0/24 -p tcp --syn --dport 22 -m

connlimit -h

[root@localhost ~]# iptables -tfilter -A INPUT -s 172.16.1.0/24 -p tcp --syn --dport 22 -m

connlimit --connlimit-above 2 -jACCEPT

=================================================================

iprange

[root@localhost ~]# echo 1 >/proc/sys/net/ipv4/ip_forward

[root@localhost ~]# iptables -tfilter -A FORWARD -m iprange --src-range 172.16.1.10-172.16.1.20

-j DROP

[root@localhost ~]# iptables -tfilter -A INPUT -p tcp --dport 80 -m iprange --src-range

172.16.1.10-172.16.1.20 -j DROP

==================================================================

length

[root@localhost ~]# ping -c 1 node1

PING node1.uplooking.com (172.16.1.1)56(84) bytes of data.

64 bytes from node1.uplooking.com(172.16.1.1): icmp_seq=1 ttl=64 time=1.25 ms

--- node1.uplooking.com pingstatistics ---

1 packets transmitted, 1 received, 0%packet loss, time 0ms

rtt min/avg/max/mdev =1.259/1.259/1.259/0.000 ms

 

56(数据)+20(IP 首部)+8(ICMP 首部)

[root@localhost ~]# iptables -tfilter -A INPUT -p icmp -m length --length 50:100 -j DROP

[root@node1 ~]# ping 172.16.1.6

PING 172.16.1.6 (172.16.1.6) 56(84)bytes of data.

--- 172.16.1.6 ping statistics ---

5 packets transmitted, 0 received,100% packet loss, time 4010ms

 

[root@node1 ~]# ping -c 1 -s 50172.16.1.6

PING 172.16.1.6 (172.16.1.6) 50(78)bytes of data.

--- 172.16.1.6 ping statistics ---

1 packets transmitted, 0 received,100% packet loss, time 0ms


[root@node1 ~]# ping -c 1 -s 21172.16.1.6

PING 172.16.1.6 (172.16.1.6) 21(49)bytes of data.

29 bytes from 172.16.1.6: icmp_seq=1ttl=64 time=7.25 ms  

-- 172.16.1.6 ping statistics ---

1 packets transmitted, 1 received, 0%packet loss, time 0ms

rtt min/avg/max/mdev = 7.255/7.255/7.255/0.000ms


========================================================================== 

limit(洪水流量 洪水攻击)

[root@node1 ~]# ping 172.16.1.6

PING 172.16.1.6 (172.16.1.6) 56(84)bytes of data.

64 bytes from 172.16.1.6: icmp_seq=1ttl=64 time=0.304 m

64 bytes from 172.16.1.6: icmp_seq=2ttl=64 time=0.346 ms

64 bytes from 172.16.1.6: icmp_seq=3ttl=64 time=0.584 ms

3 packets transmitted, 3 received, 0%packet loss, time 2007ms

rtt min/avg/max/mdev =0.304/0.411/0.584/0.124 ms

[root@localhost]#iptables –t filter-A INPUT -s172.16.1.1 -p icmp -m limit --limit 10/minute -j

ACCEPT

[root@localhost ~]# iptables -tfilter -A INPUT -p icmp -j DROP

--limit-burst number               number to match in a burst,default 5

6 秒一个

前 5 个不限制 后每

===========================================================================

mac (局域网用 广域网不用)

[root@localhost ~]# iptables -tfilter -A INPUT [ -p icmp ] -m mac --mac 00:0C:29:24:44:0A -j

DROP

[root@localhost ~]# arping 172.16.1.1

ARPING 172.16.1.1 from 172.16.1.6eth0

Unicast reply from 172.16.1.1[00:0C:29:24:44:0A]  0.979ms

Unicast reply from 172.16.1.1[00:0C:29:24:44:0A]  1.122ms

Unicast reply from 172.16.1.1[00:0C:29:24:44:0A]  1.102ms

Unicast reply from 172.16.1.1[00:0C:29:24:44:0A]  0.949ms

Sent 4 probes (1 broadcast(s))

Received 4 response(s)

=============================================================================

multiport

[root@localhost ~]# iptables -tfilter -A INPUT -p tcp -m multiport --source-ports 22,80,21 -j

ACCEPT

state 基于链接状态

这里有四种有效状态,名称分别为 ESTABLISHED 、 INVALID 、 NEW 和 RELATED 。

NEW    意味着该信息包已经或将启动新的连接,或者它与尚未用于发送和接收信息包的连接相关联。

ESTABLISHED 指出该信息包属于已建立的连接,该连接一直用于发送和接收信息包并且完全有效。

RELATED  表示该信息包正在启动新连接,以及它与已建立的连接相关联。

INVALID  状态指出该信息包与任何已知的流或连接都不相关联,它可能包含错误的数据或头。


ICMP

PING ------->B

echo-request--------------------->

<---------------------echo-reply

 

NEW

ESTABLISHED 

[root@localhost ~]# iptables -tfilter -A INPUT -p icmp -m icmp --icmp-type echo-request -m state

--state NEW -j LOG --log-prefix" ICMP_NEW "

root@localhost ~]# iptables -t filter-A OUTPUT -p icmp -m icmp --icmp-type echo-reply -m state

--state ESTABLISHED -j LOG--log-prefix " ICMP_ESTABLISHED "

echo-request----------------------->

NEW

<----XXXXXXX------      RELATED

[root@localhost ~]# iptables -tfilter -A OUTPUT -p icmp -m icmp --icmp-type echo-request -m

state --state NEW -j LOG --log-prefix" ICMP_NEW "

[root@localhost ~]# iptables -tfilter -A INPUT -p icmp -m icmp --icmp-type host-unreachable -m

state --state RELATED -j LOG--log-prefix " ICMP_RELATED "

TCP

A                   B

------------SYN---------->

ß------syn+ack-------

------------ack----------->

...

--------push+data----->

<-----------ack-----------

...

-------------fin----------->

<-----------ack-----------

<------------fin------------

-------------ack----------->

SYN ACK PUSH FIN URG(紧急) RST (重置)

PUSH-->推标记 对延迟/延时要求高,交互式服务 push 位

ACK ---> TCP 三次握手 四次挥手 确认/重传

FIN ---> 挥手

SYN ---> 三次握手

URG --->程序员写程序会用 应用程序决定用不用

RST ----> 访问一个没有开放的 port


node2 ------------ssh------------> node1 exit


[root@node1 ~]# iptables -t filter -AINPUT -p tcp --dport 22 -m state --state NEW -j LOG

--log-prefix "INPUT_NEW_22"--log-tcp-option --log-ip-option

[root@node1 ~]# iptables -t filter -AOUTPUT -p tcp --sport 22 -m state --state NEW -j LOG

--log-prefix"OUTPUT_NEW_22" --log-tcp-option --log-ip-option

[root@node1 ~]# iptables -t filter -AINPUT -p tcp --dport 22 -m state --state ESTABLISHED -j LOG

--log-prefix "INPUT_ESTABLISHED_22"--log-tcp-option --log-ip-option

[root@node1 ~]# iptables -t filter -AOUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j

LOG --log-prefix"OUTPUT_ESTABLISHED_22" --log-tcp-option --log-ip-option

 

A-------------->B 80

<------RST----- B 没有开放 80 

[root@localhost ~]# service httpdstatus

httpd: unrecognized service

[root@localhost ~]# tcpdump -i eth0host 172.16.1.1 and port 80 -nn

tcpdump: verbose output suppressed,use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB(Ethernet), capture size 96 bytes

23:37:30.389821 IP 172.16.1.1.59535> 172.16.1.6.80: S 4240260197:4240260197(0) win 5840

<mss 1460,sackOK,timestamp134373116 0,nop,wscale 3>

23:37:30.390652 IP 172.16.1.6.80 >172.16.1.1.59535: R 0:0(0) ack 4240260198 win 0

23:37:30.390147 IP 172.16.1.1.59536> 172.16.1.6.80: S 4243179156:4243179156(0) win 5840

<mss 1460,sackOK,timestamp134373117 0,nop,wscale 3>

23:37:30.390232 IP 172.16.1.6.80 >172.16.1.1.59536: R 0:0(0) ack 4243179157 win 0

23:37:30.390454 IP 172.16.1.1.59537> 172.16.1.6.80: S 4239605108:4239605108(0) win 5840

<mss 1460,sackOK,timestamp134373117 0,nop,wscale 3>

23:37:30.390509 IP 172.16.1.6.80 >172.16.1.1.59537: R 0:0(0) ack 4239605109 win 0

 

nmap -sA -p 扫描端口

A:ack

s:scan

A-------ACK------->B 80      NEW

<-------RST--------

ESTABLISHED

[root@localhost ~]# iptables -F

[root@localhost ~]# iptables -tfilter -A INPUT -p tcp --dport 80 -m state --state NEW -j LOG

--log-prefix " NEW_ACK "--log-tcp-options --log-ip-options

[root@localhost ~]# iptables -tfilter -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j

LOG --log-prefix "ESTABLISHED_RST " --log-tcp-options --log-ip-options

[root@localhost ~]# >/var/log/kernel.log

[root@node2 ~]# nmap -sA -p 80 172.16.1.6

[root@localhost

Mar     14    00:14:03     localhost     kernel:           NEW_ACK     IN=eth0    OUT=

MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00   SRC=172.16.1.2   DST=172.16.1.6   LEN=40

TOS=0x00 PREC=0x00 TTL=53 ID=35327PROTO=TCP SPT=57765 DPT=80 WINDOW=2048

RES=0x00 ACK URGP=0

Mar 14 00:14:03 localhostkernel:    ESTABLISHED_RST IN= OUT=eth0SRC=172.16.1.6

DST=172.16.1.2 LEN=40 TOS=0x00PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=57765

WINDOW=0 RES=0x00 RST URGP=0

nmap -sF IP 对方不开端口回  RST+ACK

A--------FIN-------> B INVALID

<----RST+ACK-----   INVALID


[root@localhost ~]# iptables -F

[root@localhost ~]# iptables -tfilter -A INPUT -p tcp --dport 80 -m state --state INVALID -j LOG

--log-prefix " INVALID_FIN" --log-tcp-options --log-ip-options

[root@localhost ~]# iptables -tfilter -A OUTPUT -p tcp --sport 80 -m state --state INVALID -j LOG

--log-prefix " INVALID_RST_ACK" --log-tcp-options --log-ip-options

[root@localhost ~]# >/var/log/kernel.log 

[root@node2 ~]# nmap -sF -p 80172.16.1.6

[root@localhost ~]# cat/var/log/kernel.log

Mar     14    00:20:11     localhost     kernel:          INVALID_FIN     IN=eth0    OUT=

MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00   SRC=172.16.1.2   DST=172.16.1.6   LEN=40

TOS=0x00 PREC=0x00 TTL=58 ID=19723PROTO=TCP SPT=61490 DPT=80 WINDOW=3072

RES=0x00 FIN URGP=0

Mar 14 00:20:11 localhostkernel:    INVALID_RST_ACK IN= OUT=eth0SRC=172.16.1.6

DST=172.16.1.2 LEN=40 TOS=0x00PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=61490

WINDOW=0 RES=0x00 ACK RST URGP=0

iptables -t filter -A INPUT -p tcp -mstate --state INVALIED -j DROP

INVALID 必须 DROP 掉,放行 NEW 状态+SYN 标记

默认策略 DROP

方法 1:iptables-t filter -A INPUT -p tcp --dport 80 -j ACCEPT

方法 2:iptables-t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

方法 3:iptables-t filter -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT

方法4: iptables -t filter -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED-j ACCEP

FTP

A 1029----------syn----------->  B  21  NEW

<-------syn+ack---------       ESTABLISHED

-----------ack---------->       ESTABLISHED

1030 ----------syn----------> B5000

NEW/RELATED modprobe ip_contrack_ftp 有了这

个模块被识别为 RELATED

ESTABLISHED

------------ack--------->

ESTABLISHED

[root@node1 ~]# iptables -t filter -AINPUT -p tcp --dport 21 -m state --state NEW -j LOG

--log-prefix " in_21_new "--log-ip-options --log-tcp-options

[root@node1 ~]# iptables -t filter -AINPUT -p tcp --dport 21 -m state --state ESTABLISHED -j LOG

--log-prefix " in_21_es "--log-ip-options --log-tcp-options

[root@node1 ~]# iptables -t filter -AINPUT -p tcp  -m state --state RELATED -jLOG --log-prefix "

in_21_RE " --log-ip-options--log-tcp-options

UDP

A------------->B  port 12345

<--------------

ESTABLISHED

-------------->             NEW

<---------------            ESTABLISHED

 

A 到 BNEW   B 到 A ES

[root@node1 ~]# iptables -t filter -AINPUT -p udp --dport 12345 -m state --state NEW -j LOG

--log-prefix " IN_12345_NEW"

[root@node1 ~]# iptables -t filter -AINPUT -p udp --dport 12345 -m state --state ESTABLISHED -j

LOG --log-prefix " IN_12345_ES"

[root@node1 ~]# iptables -t filter -AOUTPUT -p udp --sport 12345 -m state --state ESTABLISHED -j

LOG --log-prefix " OUT_12345_ES"

[root@node1 ~]# iptables -t filter -AOUTPUT -p udp --sport 12345 -m state --state NEW -j LOG

--log-prefix " OUT_12345_NEW"

[root@node1 ~]# iptables -t filter -AINPUT -s 192.168.0.202 -p udp --dport 53 -m state --state

NEW -j LOG --log-prefix "IN_53_NEW "

[root@node1 ~]# iptables -t filter -AINPUT -s 192.168.0.202 -p udp --dport 53 -m state --state

ESTABLISHED -j LOG --log-prefix" IN_53_ES "

[root@node1 ~]# iptables -t filter -AOUTPUT -d 192.168.0.202 -p udp --sport 53 -m state --state

NEW -j LOG --log-prefix "OUT_53_NEW "

[root@node1 ~]# iptables -t filter -AOUTPUT -d 192.168.0.202 -p udp --sport 53 -m state --state

ESTABLISHED -j LOG --log-prefix" OUT_53_ES

UDP 每次发数据包 NEW


对方没有回应的服务,回包 udp port-unreachable


RELATED

A------------->B  port 12345(端口未开放)   NEW

<--------------    icmp port-unreachable RELATED

 

nc (网络连接) -u (udp,不加-u,TCP) 自己 IP -l 端口 (不加-l,就写端口,连接别人端口)

不接收远端日志

[root@node1 ~]# tcpdump -i eth0 -nnhost node2

tcpdump: verbose output suppressed,use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB(Ethernet), capture size 96 bytes

19:26:16.309934 IP 192.168.0.202.514> 192.168.0.201.514: SYSLOG user.notice, length: 18

19:26:16.419374 IP 192.168.0.201 >192.168.0.202: ICMP 192.168.0.201 udp port 514

unreachable, length 54

==============================================================================

ttl

[root@node1 ~]# iptables -t filter -AINPUT  -s 192.168.0.202 -m ttl --ttl-eq64 -j DROP

[root@node1 ~]# cat/proc/sys/net/ipv4/ip_default_ttl

64

iptables -m ttl -h

[root@node2 ~]# echo 128 >/proc/sys/net/ipv4/ip_default_ttl

[root@node2 ~]# ping 192.168.0.201 -c1

[root@node1 ~]# tcpdump -i eth0 -nnvhost 192.168.0.202

tcpdump: listening on eth0, link-typeEN10MB (Ethernet), capture size 96 bytes

20:07:11.305825 IP (tos 0x0, ttl 128,id 0, offset 0, flags [DF], proto: ICMP (1), length: 84)

192.168.0.202 > 192.168.0.201:ICMP echo request, id 1806, seq 1, length 64

20:07:11.305880 IP (tos 0x0, ttl  64, id 47246, offset 0, flags [none], proto:ICMP (1), length: 84)

192.168.0.201 > 192.168.0.202:ICMP echo reply, id 1806, seq 1, length 64

===============================================================================

tos type of service

iptables -m tos -h

tos 0 一般服务(大多数,可以抓包看)

tos 2 最小开销服务 没有

tos 4 最大可靠性 没有

tos 8 最大吞吐量

下载 ftp 20

tos 16 最小延时 tcp pushtelnet ssh ftp 2

抓包发现

ssh tos 0

16

scp tos 0   8

scp 可以 ssh 不行

iptables -A INPUT -p tcp --dport 22-m tos 16 -j DROP

DROP/REJECT

===================================

[root@localhost ~]# iptables -tfilter -A INPUT -p tcp --dport 22 -j DROP

[root@localhost ~]# tcpdump -i eth0-nn host 172.16.1.1 and port 22

tcpdump: verbose output suppressed,use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB(Ethernet), capture size 96 bytes

23:03:53.029197 IP 172.16.1.1.45313> 172.16.1.6.22: S 2666911189:2666911189(0)  win 5840

<mss 1460,sackOK,timestamp165299736 0,nop,wscale 3>

23:03:56.110705 IP 172.16.1.1.45313> 172.16.1.6.22: S 2666911189:2666911189(0)  win 5840

<mss 1460,sackOK,timestamp165302737 0,nop,wscale 3>

23:04:02.123340 IP 172.16.1.1.45313> 172.16.1.6.22: S 2666911189:2666911189(0)  win 5840

<mss 1460,sackOK,timestamp165308737 0,nop,wscale 3>

23:04:14.139680 IP 172.16.1.1.45313> 172.16.1.6.22: S 2666911189:2666911189(0)  win 5840

<mss 1460,sackOK,timestamp165320737 0,nop,wscale 3>

23:04:38.468138 IP 172.16.1.1.45313> 172.16.1.6.22: S 2666911189:2666911189(0)  win 5840

<mss 1460,sackOK,timestamp165344738 0,nop,wscale 3>

23:05:27.726803 IP 172.16.1.1.45313> 172.16.1.6.22: S 2666911189:2666911189(0)  win 5840

<mss 1460,sackOK,timestamp165392738 0,nop,wscale 3>


[root@localhost ~]# iptables -tfilter -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

[root@localhost ~]# tcpdump -i eth0-nn host 172.16.1.1 and port 22

tcpdump: verbose output suppressed,use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB(Ethernet), capture size 96 bytes

23:10:05.690273 IP 172.16.1.1.44300> 172.16.1.6.22: S 3060689565:3060689565(0) win 5840

<mss 1460,sackOK,timestamp165668951 0,nop,wscale 3>

23:10:05.690645 IP 172.16.1.6.22 >172.16.1.1.44300: R 0:0(0) ack 3060689566 win 0

==============================================================================

网络地址转换(NAT,Network Address Translation)属接入广域网(WAN)技术,是一种将私有(保留)地址转化为合法 IP 地址的转换技术,它被广泛应用于各种类型 Internet 接入方式和各种类型的网络中。原因很简单,NAT 不仅完美地解决了 IP 地址不足的问题,而且还能够有效地避免来自网络外部的攻击,隐藏并保护网络内部的计算机。

透明转发

Client<------------------------------------->NAT Server <----------------------------------> WEB Server

192.168.1.1                   192.168.1.2-----1.1.1.1                           1.1.1.2

Clinet: route add default gw192.168.1.254 dev eth0

NAT Server: echo 1 >/proc/sys/net/ipv4/ip_forward

WEB Server: route add default gw1.1.1.1 dev eth0

SNAT 公司上网

Client<------------------------------------->NAT Server <------------------------------------> WEB Server

192.168.1.1        eth0:192.168.1.254   eth1:1.1.1.1                          1.1.1.2

Clinet: route add default gw192.168.1.254 dev eth0

NAT Server: echo 1 >/proc/sys/net/ipv4/ip_forward

NAT Server: iptables -t nat -A POSTROUTING-p tcp --dport 80 -j SNAT --to-source 1.1.1.1

NAT Server: iptables -t nat -APOSTROUTING -o eth0 -j MASQUERADE (适用于 DHCP)


DNAT 发布内网的一台服务器

WEBServer<----------------------------------> NAT Server<--------------------------------> Client

192.168.1.1             eth0:192.168.1.254   eth1:1.1.1.1                   1.1.1.2

WEB Server: route add default gw192.168.1.254 dev eth0

NAT Server: iptables -t nat -APREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to-des  

192.168.1.1:80

iptables -t nat -A PREROUTING -p tcp--dport 80 -j REDIRECT --to-ports 3128

端口地址重定向 透明代理用的规则

===============================================================================

mark 打标记 用 mangle 表

iptables -t mangle -A PREROUTING -mttl --ttl-eq 64 -j MARK --set-mark 10

iptables -t mangle -A PREROUTING -mttl --ttl-eq 123 -j MARK --set-mark 20

iptables -t filter -A FORWARD -m mark--mark 10 -j ACCEPT

iptables -t filter -A FORWARD -m mark--mark 20 -j DROP

打标记的位置很重要

表优先级 mangle --------> nat ------>filter

你可能感兴趣的:(iptables 高级学习笔记)