
18 - Network Security and iptables

Posted: 2022-11-05 20:32:23

Network Security and iptables

Firewall classification

  • By scope of protection
    • Host firewall: protects the single host it runs on
    • Network firewall: protects the LAN on one side of the firewall
  • By implementation
    • Hardware firewall: part of the functionality is implemented in hardware, the rest in software
    • Software firewall: a firewall application, e.g. Windows Firewall, ISA --> Forefront TMG
  • By network layer
    • Network-layer firewall: works in the lower four layers of the OSI model, also called a packet-filtering firewall
    • Application-layer firewall: a proxy gateway working at OSI layer 7
  • Network architecture diagram

[Figure: network architecture diagram]

Netfilter

Netfilter is a subsystem of the Linux kernel that hooks into the IP stack and allows packets to be filtered, address-translated and otherwise processed.

[root@ubuntu2204 ~]#grep -m 10 NETFILTER /boot/config-5.15.0-52-generic 
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_HOOK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m

Netfilter places five hook functions at five points in the kernel's packet path; users write rules into them with user-space command-line tools.

  • INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

Diagram

[Figure: Netfilter hooks and chain traversal]

Relationships

  • Five built-in chains
    • INPUT OUTPUT FORWARD PREROUTING POSTROUTING
  • Five tables
    • filter: packet-filtering rules
    • nat: address-translation rules
    • mangle: rules that modify packet header fields and marks
    • raw: disables connection tracking for matching packets, so they pass through the firewall faster
    • security: mandatory access control (MAC) network rules, implemented by a Linux security module (SELinux)
  • Table priority
    • security --> raw --> mangle --> nat --> filter
  • Which chains each table contains
------------------------------------------------------------------------------------
#filter
[root@ubuntu2204 ~]#iptables -nvL -t filter
Chain INPUT (policy ACCEPT 62094 packets, 21M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
#nat
[root@ubuntu2204 ~]#iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
#raw
[root@ubuntu2204 ~]#iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
#mangle
[root@ubuntu2204 ~]#iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
#security
[root@ubuntu2204 ~]#iptables -nvL -t security
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

The iptables firewall tool

*The iptables examples below were run on Ubuntu 22.04.1

iptables [-t table] command-option [chain] [match conditions] [-j target or jump]

Notes: the table and chain names specify which table and chain the command operates on; the command option specifies how the rule is managed (insert, append, delete, list, ...); the match conditions specify which packets the rule applies to; the target specifies what to do with a matching packet (accept, reject, drop, or jump to another chain).

Command options
-A  append a new rule at the end of the specified chain
-D  delete a rule from the specified chain, by rule number or by matching its content
-I  insert a new rule into the specified chain; defaults to position 1
-R  replace a rule in the specified chain, by rule number or by matching its content
-L  list all rules in the specified chain
-E  rename a user-defined chain without changing its contents
-F  flush (delete all rules in) a chain
-N  create a new user-defined chain
-X  delete a user-defined chain from the specified table
-P  set the default policy of the specified chain
-Z  zero the packet and byte counters of all chains in all tables
-n  numeric output (no name resolution for addresses and ports)
-v  verbose output
-V  print the version
-h  help

Targets
ACCEPT: accept the packet
DROP: silently discard the packet; nothing is sent back
REJECT: refuse the packet and send an error back
RETURN: return to the calling chain
1. A chain can jump to another chain; the chain jumped to is a sub-chain.
2. After RETURN from a sub-chain, processing resumes at the rule after the one that triggered the jump.
3. If RETURN is used in a built-in (main) chain rather than a sub-chain, the chain's default policy applies.
REDIRECT: port redirection
LOG: write a log entry
MARK: set a firewall mark, used to tag packets that arrive on different ports or behave differently
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: source address masquerading
User-defined chains

Create a user-defined chain to control access to the web service

------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -N web_chain
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 65382 packets, 22M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain web_chain (0 references)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -E web_chain WEB_CHAIN
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 65486 packets, 22M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (0 references)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -A WEB_CHAIN -p tcp -m multiport --dports 80,443,8080 -j ACCEPT
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 65750 packets, 22M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -I INPUT -s 10.0.0.0/24 -j WEB_CHAIN
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 66342 packets, 22M bytes)
pkts bytes target prot opt in out source destination
29 1700 WEB_CHAIN all -- * * 10.0.0.0/24 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -A WEB_CHAIN -p icmp -j ACCEPT
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 66509 packets, 22M bytes)
pkts bytes target prot opt in out source destination
144 9826 WEB_CHAIN all -- * * 10.0.0.0/24 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -I WEB_CHAIN 2 -s 10.0.0.7 -j RETURN
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 66890 packets, 22M bytes)
pkts bytes target prot opt in out source destination
323 23740 WEB_CHAIN all -- * * 10.0.0.0/24 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (1 references)
pkts bytes target prot opt in out source destination
6 394 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
0 0 RETURN all -- * * 10.0.0.7 0.0.0.0/0
4 596 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -A INPUT -s 10.0.0.7 -p icmp -j REJECT
[root@ubuntu2204 ~]#iptables -vnL
Chain INPUT (policy ACCEPT 67900 packets, 22M bytes)
pkts bytes target prot opt in out source destination
849 63186 WEB_CHAIN all -- * * 10.0.0.0/24 0.0.0.0/0
0 0 REJECT icmp -- * * 10.0.0.7 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (1 references)
pkts bytes target prot opt in out source destination
18 1182 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
4 336 RETURN all -- * * 10.0.0.7 0.0.0.0/0
17 3106 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

------------------------------------------------------------------------------------
#Test
From 10.0.0.7

[root@rocky8 ~]#ping 10.0.0.200 -c2
PING 10.0.0.200 (10.0.0.200) 56(84) bytes of data.
From 10.0.0.200 icmp_seq=1 Destination Port Unreachable
From 10.0.0.200 icmp_seq=2 Destination Port Unreachable

--- 10.0.0.200 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

[root@rocky8 ~]#curl 10.0.0.200
10.0.0.200 website....

------------------------------------------------------------------------------------
#Test
From 10.0.0.8

[root@rocky8 ~]#curl 10.0.0.200
10.0.0.200 website....
[root@rocky8 ~]#ping 10.0.0.200 -c2
PING 10.0.0.200 (10.0.0.200) 56(84) bytes of data.
64 bytes from 10.0.0.200: icmp_seq=1 ttl=64 time=0.543 ms
64 bytes from 10.0.0.200: icmp_seq=2 ttl=64 time=3.56 ms

--- 10.0.0.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.543/2.051/3.559/1.508 ms

Deleting a user-defined chain

#A user-defined chain is removed in the reverse order of its creation; it cannot be deleted while still referenced
[root@ubuntu2204 ~]#iptables -X WEB_CHAIN
iptables v1.8.7 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain WEB_CHAIN

#1. Remove the reference to the chain
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 88767 packets, 100M bytes)
num pkts bytes target prot opt in out source destination
1 5823 578K WEB_CHAIN all -- * * 10.0.0.0/24 0.0.0.0/0
2 4 336 REJECT icmp -- * * 10.0.0.7 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (1 references)
num pkts bytes target prot opt in out source destination
1 24 1576 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
2 8 672 RETURN all -- * * 10.0.0.7 0.0.0.0/0
3 290 59434 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
[root@ubuntu2204 ~]#iptables -D INPUT 1
[root@ubuntu2204 ~]#iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 88972 packets, 100M bytes)
num pkts bytes target prot opt in out source destination
1 4 336 REJECT icmp -- * * 10.0.0.7 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain WEB_CHAIN (0 references)
num pkts bytes target prot opt in out source destination
1 24 1576 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8080
2 8 672 RETURN all -- * * 10.0.0.7 0.0.0.0/0
3 292 59791 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

#2. Flush the rules in the user-defined chain
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -L WEB_CHAIN
Chain WEB_CHAIN (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports http,https,http-alt
RETURN all -- 10.0.0.7 anywhere
ACCEPT icmp -- anywhere anywhere
[root@ubuntu2204 ~]#iptables -F WEB_CHAIN
[root@ubuntu2204 ~]#iptables -L WEB_CHAIN
Chain WEB_CHAIN (0 references)
target prot opt source destination

#3. Delete the user-defined chain
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -X WEB_CHAIN
[root@ubuntu2204 ~]#iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 89345 packets, 100M bytes)
num pkts bytes target prot opt in out source destination
1 4 336 REJECT icmp -- * * 10.0.0.7 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Writing iptables logs to a separate file (by default the entries go to /var/log/message)

#Set up a separate log file

#Set the log path
------------------------------------------------------------------------------------
apt -y install rsyslog
systemctl enable rsyslog --now
vim /etc/rsyslog.conf
#add a kern.<level> line with the path of the log file
kern.debug /var/log/iptables-debug.log
systemctl restart rsyslog

#Add the iptables logging rules
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 4/min -j LOG --log-prefix "Iptables-SSH-IN: " --log-level 7
[root@ubuntu2204 ~]#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[root@ubuntu2204 ~]#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@ubuntu2204 ~]#iptables -P INPUT DROP
[root@ubuntu2204 ~]#iptables -nvL --line-numbers
Chain INPUT (policy DROP 336 packets, 29405 bytes)
num pkts bytes target prot opt in out source destination
1 290 24360 RETURN icmp -- * * 10.0.0.7 0.0.0.0/0
2 1 76 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW limit: avg 4/min burst 5 LOG flags 0 level 7 prefix "Iptables-SSH-IN: "
3 1 76 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
4 579 93552 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

#Run the test
------------------------------------------------------------------------------------
#Before the rules were added
[root@rocky8 ~]#ping 10.0.0.200
PING 10.0.0.200 (10.0.0.200) 56(84) bytes of data.
64 bytes from 10.0.0.200: icmp_seq=1 ttl=64 time=0.428 ms
64 bytes from 10.0.0.200: icmp_seq=2 ttl=64 time=0.270 ms

#After the rules were added
[root@rocky8 ~]#ping 10.0.0.200
PING 10.0.0.200 (10.0.0.200) 56(84) bytes of data.
^C
--- 10.0.0.200 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2041ms

#View the iptables log
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#cat /var/log/iptables-debug.log
Nov 3 10:13:22 ubuntu2204 kernel: [155791.750585] Iptables-SSH-IN: IN=eth0 OUT= MAC=00:0c:29:df:99:92:00:50:56:c0:00:08:08:00 SRC=10.0.0.1 DST=10.0.0.200 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=50994 DF PROTO=TCP SPT=11677 DPT=22 WINDOW=4100 RES=0x00 ACK PSH URGP=0

Reading the entry
Iptables-SSH-IN: the prefix set with --log-prefix, used to tag our entries in the log
IN=eth0 OUT=: the packet arrived on this interface; OUT is empty for incoming packets
IN= OUT=: the packet left through this interface; IN is empty for outgoing packets
MAC=: 00:0c:29:df:99:92 is the destination MAC address, 00:50:56:c0:00:08 the source MAC address, and 08:00 the upper-layer protocol code, meaning IP
SRC=: source IP address --10.0.0.1
DST=: destination IP address --10.0.0.200
LEN=: packet length --76
PROTO=: protocol used --TCP
SPT=: source port --11677
DPT=: destination port --22
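The field breakdown above can be automated. The helper functions below are an added example, not code from the original post: they pull the named fields out of a kernel LOG entry so that the file written by the rsyslog rule can be summarised or fed to a detection rule. The function names (`iptlog_field`, `iptlog_prefix`, `iptlog_direction`, `iptlog_mac`, `iptlog_summary`) are my own, and the sample entry is a constructed copy of the one shown in the post.

```shell
#!/bin/sh
# Added example (not part of the original post): helper functions that pull the
# named fields out of an iptables LOG entry of the kind shown above, so that
# /var/log/iptables-debug.log can be summarised or fed to a detection rule.

# Constructed sample entry, modelled on the one in the post.
SAMPLE_LOG='Nov  3 10:13:22 ubuntu2204 kernel: [155791.750585] Iptables-SSH-IN: IN=eth0 OUT= MAC=00:0c:29:df:99:92:00:50:56:c0:00:08:08:00 SRC=10.0.0.1 DST=10.0.0.200 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=50994 DF PROTO=TCP SPT=11677 DPT=22 WINDOW=4100 RES=0x00 ACK PSH URGP=0'

# iptlog_field LINE KEY  -> value of "KEY=..." in LINE (empty when the key has no value)
iptlog_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# iptlog_prefix LINE  -> the text set with --log-prefix (without its trailing ": ")
iptlog_prefix() {
    printf '%s\n' "$1" | sed -n 's/.*\] \(.*\): IN=.*/\1/p'
}

# iptlog_direction LINE  -> "in" when IN= carries an interface, "out" when OUT= does
iptlog_direction() {
    if [ -n "$(iptlog_field "$1" IN)" ]; then
        echo in
    elif [ -n "$(iptlog_field "$1" OUT)" ]; then
        echo out
    else
        echo unknown
    fi
}

# iptlog_mac LINE  -> splits MAC= as the post describes: 6 bytes destination,
# 6 bytes source, then the 2-byte EtherType (0800 = IPv4)
iptlog_mac() {
    iptlog_field "$1" MAC | awk -F: '{
        dst = $1; for (i = 2; i <= 6; i++) dst = dst ":" $i
        src = $7; for (i = 8; i <= 12; i++) src = src ":" $i
        printf "dst=%s src=%s ethertype=%s%s\n", dst, src, $13, $14
    }'
}

# iptlog_summary LINE  -> one readable line: direction, interface, protocol, endpoints, prefix
iptlog_summary() {
    local line dir iface proto src dst spt dpt
    line=$1
    dir=$(iptlog_direction "$line")
    if [ "$dir" = in ]; then
        iface=$(iptlog_field "$line" IN)
    else
        iface=$(iptlog_field "$line" OUT)
    fi
    proto=$(iptlog_field "$line" PROTO)
    src=$(iptlog_field "$line" SRC)
    dst=$(iptlog_field "$line" DST)
    spt=$(iptlog_field "$line" SPT)
    dpt=$(iptlog_field "$line" DPT)
    # ICMP entries carry no SPT/DPT; only append ports when present
    if [ -n "$spt" ]; then
        src="$src:$spt"
        dst="$dst:$dpt"
    fi
    printf '%s %s %s %s -> %s [%s]\n' "$dir" "$iface" "$proto" "$src" "$dst" "$(iptlog_prefix "$line")"
}

iptlog_summary "$SAMPLE_LOG"
iptlog_mac "$SAMPLE_LOG"
```

Run against the log file with `while read -r l; do iptlog_summary "$l"; done < /var/log/iptables-debug.log`; because `--limit 4/min` was applied to the LOG rule, each summarised line stands for at most a handful of new SSH connections per minute, so a burst of distinct SRC values in a short window is the signal worth alerting on.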

iptables extension modules

multiport --> multiple ports
iprange --> a contiguous range of addresses
mac --> match on MAC address
string --> match a string in the application-layer payload, e.g. to block sensitive words
iptables -A OUTPUT -p tcp --sport 80 -m string --algo kmp --from 62 --string "google" -j REJECT
the kmp algorithm works with nginx and httpd
time --> match on the time the packet arrives
connlimit --> limit the number of concurrent connections per client IP
limit --> match on packet rate, for rate-limiting policies
iptables -A INPUT -p icmp -m limit --limit-burst 10 --limit 20/minute -j ACCEPT
iptables -A INPUT -p icmp -j REJECT
------------------------------------------------------------------------------------
state --> checks the connection state through the connection-tracking mechanism; relatively resource-intensive

Remedies when too many connections are tracked:
1. Raise nf_conntrack_max
2. Lower the nf_conntrack timeouts

Example: this host can reach 10.0.0.7, but 10.0.0.7 cannot reach this host
[root@ubuntu2204 ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT ! -s 10.0.0.7/32 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable

Best practices for ordering iptables rules

  1. Accept all inbound and outbound connections in the ESTABLISHED state; put this rule first, it is the most efficient position.
  2. Be careful about accepting new inbound requests.
  3. Special-purpose restrictions must be placed before the rules that allow the traffic.
  4. For rules of the same kind (access to the same application, e.g. http), put the narrower match first so it gets special treatment.
  5. For rules of different kinds (access to different applications, e.g. http and mysql), put the broader match first for efficiency.
-s 10.0.0.6 -p tcp --dport 3306 -j REJECT
-s 172.16.0.0/16 -p tcp --dport 80 -j REJECT
  6. Merge rules that a single rule can describe into one rule, reducing the rule count and speeding up evaluation.
  7. Set a default policy; a whitelist (only allow specific connections) is recommended:
    1. iptables -P ... is not recommended; it is easy to lock yourself out
    2. a final rule serving as the default policy is recommended; place it last
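The ordering rules above can be checked mechanically against an `iptables -S` or `iptables-save` dump. The script below is an added example and not part of the original post: `audit_input_chain` (my own name) reads a dump on stdin and reports three things: whether the ESTABLISHED accept is first (practice 1), whether the chain ends in an explicit REJECT/DROP rather than relying on `-P INPUT DROP` (practice 7), and whether any unconditional rule shadows the rules after it. The first sample is a constructed copy of the post's own INPUT chain, which the audit flags because its ESTABLISHED rule sits second; the other two samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the INPUT chain of an
# iptables-save / iptables -S dump against the ordering practices listed above.
# Prints one line per finding and returns the number of findings (0 = pass).
audit_input_chain() {
    awk '
    /^-P INPUT DROP/ { policy_drop = 1 }
    /^-A INPUT /     { rule[++n] = $0 }
    END {
        findings = 0
        if (n == 0) { print "no INPUT rules found"; exit 1 }
        # practice 1: the stateful ESTABLISHED accept belongs in position 1
        if (rule[1] !~ /--(state|ctstate) (RELATED,)?ESTABLISHED(,RELATED)?/ || rule[1] !~ /-j ACCEPT/) {
            print "rule 1: first INPUT rule should accept ESTABLISHED traffic: " rule[1]
            findings++
        }
        # practice 7: a final explicit deny acts as the default policy
        if (rule[n] !~ /^-A INPUT -j (REJECT|DROP)/) {
            print "rule " n ": last INPUT rule should be an unconditional REJECT/DROP acting as the default policy: " rule[n]
            findings++
        }
        if (policy_drop) {
            print "policy: -P INPUT DROP set; flushing the chain (-F) would then lock out all remote access"
            findings++
        }
        # an unconditional terminal rule before the end shadows everything after it
        for (i = 1; i < n; i++) {
            if (rule[i] ~ /^-A INPUT -j (ACCEPT|REJECT|DROP)/) {
                print "rule " i ": unconditional rule shadows " (n - i) " later rule(s): " rule[i]
                findings++
            }
        }
        exit findings
    }'
}

# count_findings DUMP  -> number of findings for the dump held in DUMP (0 = pass)
count_findings() {
    printf '%s\n' "$1" | audit_input_chain >/dev/null && echo 0 || echo $?
}

# Constructed sample: the INPUT chain shown in the post (ESTABLISHED is second, not first)
PAGE_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT ! -s 10.0.0.7/32 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the same rules reordered to follow the practices above
REORDERED_RULESET='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT ! -s 10.0.0.7/32 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: policy DROP plus a blanket ACCEPT that shadows the MySQL reject
SHADOWED_RULESET='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -s 10.0.0.6/32 -p tcp --dport 3306 -j REJECT'

printf '%s\n' "$PAGE_RULESET" | audit_input_chain || echo "findings: $?"
```

On a live host, `iptables -S | audit_input_chain` runs the same checks against the current rules; a non-zero exit makes it usable as a pre-commit check before `iptables-save > /etc/iptables/rules.v4`.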

Saving iptables rules

------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT ! -s 10.0.0.7/32 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#apt -y install iptables-persistent
[root@ubuntu2204 ~]#cat /etc//iptables/rules.v4
# Generated by iptables-save v1.8.7 on Thu Nov 3 14:50:44 2022
*filter
:INPUT ACCEPT [5913:1139621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT ! -s 10.0.0.7/32 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Nov 3 14:50:44 2022
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables -D INPUT 4
[root@ubuntu2204 ~]#iptables -D INPUT 3
[root@ubuntu2204 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 5914 packets, 1140K bytes)
pkts bytes target prot opt in out source destination
548 31532 ACCEPT all -- * * 10.0.0.1 0.0.0.0/0
1415 240K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
[root@ubuntu2204 ~]#iptables-save
# Generated by iptables-save v1.8.7 on Thu Nov 3 14:53:14 2022
*filter
:INPUT ACCEPT [5914:1139768]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 3 14:53:14 2022
[root@ubuntu2204 ~]#cat /etc//iptables/rules.v4
# Generated by iptables-save v1.8.7 on Thu Nov 3 14:50:44 2022
*filter
:INPUT ACCEPT [5913:1139621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT ! -s 10.0.0.7/32 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Nov 3 14:50:44 2022
------------------------------------------------------------------------------------
# write the current rules to the rules file
[root@ubuntu2204 ~]#iptables-save > /etc/iptables/rules.v4
[root@ubuntu2204 ~]#cat /etc//iptables/rules.v4
# Generated by iptables-save v1.8.7 on Thu Nov 3 14:53:52 2022
*filter
:INPUT ACCEPT [5925:1140955]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 3 14:53:52 2022
------------------------------------------------------------------------------------
#Load the saved rules at boot
vim /etc/rc.local
#!/bin/bash
# restore the saved rule set (the original line ran iptables-save here, which would overwrite the file instead of loading it)
iptables-restore < /etc/iptables/rules.v4
chmod +x /etc/rc.local
------------------------------------------------------------------------------------
#Test: query the rules after a reboot
[root@ubuntu2204 ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
[root@ubuntu2204 ~]#iptables-save
# Generated by iptables-save v1.8.7 on Thu Nov 3 15:07:18 2022
*filter
:INPUT ACCEPT [222:20008]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [671:63242]
-A INPUT -s 10.0.0.1/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 3 15:07:18 2022

Network firewall

[Figure: network firewall lab topology]

  • When configuring routing, trace the route path to make debugging easier
  • mtr ip or tracepath ip -n
  • Lab steps

Configure the external (internet) host (Ubuntu)

Set the NIC to host-only mode
------------------------------------------------------------------------------------
Configure the IP address
[root@internet ~]#vim /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 192.168.10.7/24
      gateway4: 192.168.10.100
------------------------------------------------------------------------------------
apt install -y nginx

------------------------------------------------------------------------------------
#Test whether the internal hosts can be reached
[root@internet ~]#curl 10.0.0.7
lanserver07
[root@internet ~]#ping 10.0.0.8 -c3
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
64 字节,来自 10.0.0.8: icmp_seq=1 ttl=63 时间=1.77 毫秒
64 字节,来自 10.0.0.8: icmp_seq=2 ttl=63 时间=1.28 毫秒
64 字节,来自 10.0.0.8: icmp_seq=3 ttl=63 时间=1.95 毫秒

--- 10.0.0.8 ping 统计 ---
已发送 3 个包, 已接收 3 个包, 0% 包丢失, 耗时 2003 毫秒
rtt min/avg/max/mdev = 1.278/1.667/1.953/0.285 ms

Configure the firewall (Ubuntu)

Set eth0 to NAT mode and eth1 to host-only mode
------------------------------------------------------------------------------------
vim /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.0.0.200/24
      gateway4: 10.0.0.2
    eth1:
      addresses:
        - 192.168.10.100/24

[root@firewall ~]#netplan apply
------------------------------------------------------------------------------------
#Enable IP forwarding persistently
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewall ~]# sysctl -a |grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

Configure the internal hosts (Rocky)

Both internal hosts: eth0 in NAT mode, default route pointing at the firewall's NAT-side interface
------------------------------------------------------------------------------------
[root@lanserver07 ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.200
ONBOOT=yes
------------------------------------------------------------------------------------
[root@lanserver08 ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.8
PREFIX=24
GATEWAY=10.0.0.200
ONBOOT=yes
------------------------------------------------------------------------------------
#Test whether the external host can be reached
[root@rocky8 ~]#curl 192.168.10.7
internet

[root@lanserver07 ~]#curl 192.168.10.7
internet

Set the firewall policy

------------------------------------------------------------------------------------
#Add rules so that 10.0.0.0/24 can reach any other network
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 ! -d 10.0.0.0/24 -m state --state NEW -j ACCEPT
[root@firewall ~]#iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 6140 packets, 30M bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 512 packets, 42200 bytes)
num pkts bytes target prot opt in out source destination
1 1048 88032 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT all -- * * 10.0.0.0/24 !10.0.0.0/24 state NEW

Chain OUTPUT (policy ACCEPT 7839 packets, 932K bytes)
num pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
#Add a rule so that the outside cannot reach 10.0.0.0/24
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 6296 packets, 30M bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 513 packets, 42284 bytes)
num pkts bytes target prot opt in out source destination
1 1777 149K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
2 3 244 ACCEPT all -- * * 10.0.0.0/24 !10.0.0.0/24 state NEW
3 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 7954 packets, 944K bytes)
num pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------
#Test
1. Ping from the outside to the inside
[root@internet ~]#ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
来自 192.168.10.100 icmp_seq=1 目标端口不可达
来自 192.168.10.100 icmp_seq=2 目标端口不可达
来自 192.168.10.100 icmp_seq=3 目标端口不可达
来自 192.168.10.100 icmp_seq=4 目标端口不可达
^C
--- 10.0.0.8 ping 统计 ---
已发送 4 个包, 已接收 0 个包, +4 错误, 100% 包丢失, 耗时 3065 毫秒

[root@internet ~]#ping 10.0.0.7
PING 10.0.0.7 (10.0.0.7) 56(84) bytes of data.
来自 192.168.10.100 icmp_seq=1 目标端口不可达
来自 192.168.10.100 icmp_seq=2 目标端口不可达
来自 192.168.10.100 icmp_seq=3 目标端口不可达
来自 192.168.10.100 icmp_seq=4 目标端口不可达
^C
--- 10.0.0.7 ping 统计 ---
已发送 4 个包, 已接收 0 个包, +4 错误, 100% 包丢失, 耗时 3005 毫秒

[root@internet ~]#
2. Ping from the inside to the outside
[root@lanserver07 ~]#ping 192.168.10.7
PING 192.168.10.7 (192.168.10.7) 56(84) bytes of data.
64 bytes from 192.168.10.7: icmp_seq=1 ttl=63 time=1.42 ms
64 bytes from 192.168.10.7: icmp_seq=2 ttl=63 time=2.20 ms
64 bytes from 192.168.10.7: icmp_seq=3 ttl=63 time=2.09 ms
^C
--- 192.168.10.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 1.421/1.903/2.197/0.345 ms


[root@lanserver08 ~]#ping 192.168.10.7
PING 192.168.10.7 (192.168.10.7) 56(84) bytes of data.
64 bytes from 192.168.10.7: icmp_seq=1 ttl=63 time=1.38 ms
64 bytes from 192.168.10.7: icmp_seq=2 ttl=63 time=2.15 ms
64 bytes from 192.168.10.7: icmp_seq=3 ttl=63 time=1.43 ms
64 bytes from 192.168.10.7: icmp_seq=4 ttl=63 time=0.928 ms
^C
--- 192.168.10.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.928/1.472/2.154/0.440 ms

SNAT rewrites the source IP and port and can be used to:

1. **let inside and outside hosts communicate through a masqueraded address**
2. **let inside and outside hosts use the same protocol on different ports without address conflicts**
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to[-source] ExtIP
*Note: ip_forward must be enabled

Example:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 172.18.1.6-172.18.1.9
Suited to leased lines with fixed addresses; rarely used

Usually a dynamic public IP is used instead:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE

Normally private addresses are translated to a public IP for communication, because public IP addresses are scarce

DNAT rewrites the destination IP and port and can be used to:

1. Map an IP and port to an internal server when it is accessed from outside, which is safer

iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InternalServerIP[:PORT]

Example:
iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7:8080
* 192.168.0.8 is the destination address; the mapped port belongs to that address, the firewall itself does not listen on it

What happens if the LAN's gateway is configured with a public IP?

Answer: when the LAN accesses the outside, DNAT has to translate the address first. Suppose the translated address is 1.1.1.1; when the real 1.1.1.1 is later accessed, it will be treated as a private address and the traffic will not be sent out, so the public 1.1.1.1 becomes unreachable. Therefore DNAT must use a private address range.
Private address ranges:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

REDIRECT can be used to:

1. Change the destination IP and port so that received packets are forwarded to a different port on the same host (ip_forward is not needed)
iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Scenario:
Suppose the network team changed the service port to 8080 while the application operations team still uses the original port 80; in an emergency, port redirection can move packets arriving on 8080 to port 80 so the service keeps working.
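The SNAT/MASQUERADE and DNAT rules above are usually loaded together with the matching FORWARD policy, because a DNAT mapping alone does nothing once FORWARD ends in a REJECT as it does in the lab. The generator below is an added example and not the post's own code: `gen_gateway_rules` (my own name) emits one iptables-restore file for the lab topology (LAN 10.0.0.0/24, outside interface eth1 at 192.168.10.100, inside web server 10.0.0.7) that masquerades the LAN, forwards only LAN-initiated and established traffic, and publishes the inside server with DNAT plus the FORWARD accept that the DNAT needs. Loading it with `iptables-restore` replaces both tables atomically, so the firewall is never left half-configured as it can be when rules are typed one at a time.

```shell
#!/bin/sh
# Added example (not from the original post): emit a complete iptables-restore
# file for a NAT gateway: masquerade the LAN, forward only LAN-initiated and
# established traffic, and publish one inside service with DNAT.
# gen_gateway_rules LAN_NET WAN_IF WAN_IP PUBLISHED_PORT INSIDE_HOST:PORT
gen_gateway_rules() {
    local lan wan_if wan_ip pub_port inside
    lan=$1
    wan_if=$2
    wan_ip=$3
    pub_port=$4
    inside=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish ${inside} as ${wan_ip}:${pub_port}
-A PREROUTING -d ${wan_ip}/32 -p tcp --dport ${pub_port} -j DNAT --to-destination ${inside}
# hide the LAN behind the gateway's outside address (dynamic, so MASQUERADE rather than SNAT)
-A POSTROUTING -s ${lan} ! -d ${lan} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ${lan} ! -d ${lan} -m state --state NEW -j ACCEPT
# the DNAT in PREROUTING has already rewritten the destination by the time FORWARD sees it,
# so the accept must name the inside address, not the published one
-A FORWARD -d ${inside%:*}/32 -p tcp --dport ${inside#*:} -m state --state NEW -j ACCEPT
# rule-based default deny, as recommended above, instead of -P FORWARD DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# count_rules FILE_TEXT -> number of "-A" rule lines in the generated file
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Values taken from the lab above: LAN 10.0.0.0/24, outside eth1 192.168.10.100, web server 10.0.0.7
gen_gateway_rules 10.0.0.0/24 eth1 192.168.10.100 80 10.0.0.7:80
```

Write the output to a file and apply it with `iptables-restore < file` after `net.ipv4.ip_forward = 1` is set; `iptables-restore -t < file` (the test option) parses the file without loading it, which is a cheap check before touching a remote firewall.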

Comprehensive case

Communication between two private networks

[Figure: two private networks behind two firewalls]

------------------------------------------------------------------------------------
Host-only NIC configuration on the 192.168.0.0/24 CentOS host

cat /etc/sysconfig/network-scripts/ifcfg-eth0
XXX
IPADDR=192.168.0.6
PREFIX=24
GATEWAY=192.168.0.8
ONBOOT=yes
XXX
------------------------------------------------------------------------------------
NAT NIC configuration on the 172.16.0.18/24 CentOS host

cat /etc/sysconfig/network-scripts/ifcfg-eth0
XXX
IPADDR=172.16.0.7
PREFIX=24
GATEWAY=172.16.0.18
ONBOOT=yes
XXX
------------------------------------------------------------------------------------
firewall01 (Ubuntu) host-only/NAT NIC configuration

[root@firewall01 ~]#cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.0.0.100/24

[root@firewall01 ~]#cat /etc/netplan/02-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
        - 192.168.0.8/24

#Set up the address-translation rules
[root@firewall01 ~]#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
[root@firewall01 ~]#iptables -t nat -A PREROUTING -d 10.0.0.100 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.6:80
[root@firewall01 ~]#iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 5 packets, 396 bytes)
num pkts bytes target prot opt in out source destination
1 6 360 DNAT tcp -- * * 0.0.0.0/0 10.0.0.100 tcp dpt:80 to:192.168.0.6:80

Chain INPUT (policy ACCEPT 2 packets, 162 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4 packets, 286 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5 packets, 346 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * * 192.168.0.0/24 !192.168.0.0/24

[root@firewall01 ~]#iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 10.0.0.100/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.6:80
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE

------------------------------------------------------------------------------------
firewall02 (Ubuntu) NAT NIC configuration

[root@firewall02 ~]#cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.0.0.200/24
      dhcp4: true

[root@firewall02 ~]#cat /etc/netplan/02-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
        - 172.16.0.18/24

#Set up the address-translation rules
[root@firewall02 ~]#iptables -t nat -A POSTROUTING -s 172.16.0.18/24 ! -d 172.16.0.18 -j MASQUERADE
[root@firewall02 ~]#iptables -t nat -A PREROUTING -d 10.0.0.200 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.7:80
[root@firewall02 ~]#iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1 60 DNAT tcp -- * * 0.0.0.0/0 10.0.0.200 tcp dpt:80 to:172.16.0.7:80

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 113 8544 MASQUERADE all -- * * 172.16.0.0/24 !172.16.0.18

[root@firewall02 ~]#iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 10.0.0.200/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.7:80
-A POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.18/32 -j MASQUERADE

------------------------------------------------------------------------------------
Test
[root@firewall01 ~]#curl 10.0.0.200
lanserver08 webPage

[root@firewall02 ~]#curl 10.0.0.100
lanserver07 webpage

I'm moore; let's keep at it together!

Source: https://blog.51cto.com/u_15791168/5826094
