iptables is similar to the ASA firewall and serves the same purpose: protecting the network, the system and the servers. Like the ASA, it also needs policies (rules) to be written.
The following case study introduces the basic operations on iptables firewall rules. (For background on firewall concepts, see the article "Linux防火墙基础与编写防火墙规则" (Linux firewall basics and writing firewall rules) on the WeChat public account L宝宝聊IT.)
Lab environment:
The web server's IP address is 192.168.1.5. The gateway server's internal address is eth0: 192.168.1.254 and its external address is eth1: 172.16.16.254. The Internet test machine is 172.16.16.172. All three systems should be able to ping each other.
The gateway server needs IP forwarding enabled.
You can also edit /etc/sysctl.conf (vim /etc/sysctl.conf) and set the IP forwarding parameter to 1 to enable forwarding permanently.
Finally, test that the machines can ping each other.
The following sections show how the various kinds of rules are applied.
I. Writing firewall rules
1. For example, insert a rule into the INPUT chain of the filter table on the web server that rejects ICMP packets sent to the local host.
Run: iptables -t filter -I INPUT -p icmp -j REJECT
View the rules: iptables -L INPUT --line-numbers
Then ping 192.168.1.5 from 172.16.16.172 again: the ping fails with a "destination port unreachable" message.
2. Adding new rules
For example:
1) Append a rule to the end of the filter table's INPUT chain that accepts the TCP protocol. (Before the experiment, an FTP service was set up on the web server, and the Internet test machine could access it.)
Access it from the Internet test machine.
The web server's firewall is enabled by default, so the access fails. Then run:
iptables -t filter -A INPUT -p tcp -j ACCEPT
Access still fails, because -A appends the new rule at the end of the chain, after the existing rules that already reject the traffic.
So run: iptables -I INPUT -p tcp -j ACCEPT (-I inserts at position 1 by default)
Access FTP again.
View the rules on the web server.
Example 2) Add a rule that allows UDP packets through; by default it is inserted as the first rule of the filter table's INPUT chain.
iptables -I INPUT -p udp -j ACCEPT
Example 3) Specify a position number: add a rule allowing ICMP packets, inserted as rule number 2.
iptables -I INPUT 2 -p icmp -j ACCEPT
View the rule list:
3. Display the rule list in numeric form (addresses and ports are shown as numbers instead of being resolved to names), which speeds up execution.
iptables -n -L INPUT (-n -L can be abbreviated as -nL)
4. Deleting and clearing rules
1) To delete the third rule in the filter table's INPUT chain, run:
iptables -D INPUT 3
2) To clear all firewall rules in a specified chain or table, use -F:
iptables -F INPUT
3) Clear the filter, nat and mangle tables:
iptables -F
iptables -t nat -F
iptables -t mangle -F
5. Setting the default policy: when no rule matches a packet, the default policy is applied.
Example 1) Set the default policy of the FORWARD chain in the filter table to DROP and that of the OUTPUT chain to ACCEPT. (The default policy does not take part in rule ordering, so it makes no difference whether it is set before or after the rules.)
II. Match conditions of rules
A single firewall rule can specify several match conditions, all of which must be satisfied for the rule to apply.
1. General matches: three types, protocol match, address match and network interface match.
1) Protocol match
If the firewall is enabled on the gateway server, the Internet test machine cannot reach the web server.
Looking at the FORWARD chain on the gateway server, there is only a single rule rejecting all traffic.
To allow routed forwarding, run:
iptables -I FORWARD -j ACCEPT. After that the Internet test machine can access the web server.
Then, to drop ICMP packets addressed to the firewall host itself while allowing all packets other than ICMP to be forwarded through the firewall, run:
iptables -I INPUT -p icmp -j DROP
iptables -A FORWARD ! -p icmp -j ACCEPT
Before running these, pinging both 172.16.16.254 (the gateway) and 192.168.1.5 from the Internet test machine succeeds. After running them, the pings fail, but the web server's FTP is still reachable.
First ping from the Internet test machine; it succeeds.
Then run the commands on the gateway server.
From the Internet test machine, pings to 192.168.1.5 and 172.16.16.254 now fail, but FTP is still accessible.
2) Address match
Example 1) Reject forwarding of packets whose source address is 172.16.16.172, and allow forwarding of packets from the source network 192.168.1.0.
Since 172.16.16.172 is the Internet test machine, it can no longer ping 192.168.1.5 or access FTP.
Example 2) If frequent scanning, login attempts or other unwanted activity from a particular network segment is detected, firewall rules can be added immediately to block it.
iptables -I INPUT -s 10.20.30.0/24 -j DROP
iptables -I FORWARD -s 10.20.30.0/24 -j DROP
3) Network interface match
For example, to drop packets arriving on the external interface that are addressed to the firewall host and carry a private source address, do the following:
First, ping 172.16.16.254 from 172.16.16.172 and confirm it succeeds.
Then run the following command:
Ping 172.16.16.254 from 172.16.16.172 again: it now fails, because the external interface is eth1 and 172.16.16.172 is a private address arriving on it.
2. Implicit matches: these take a specified protocol match as a precondition and act as sub-conditions of it.
1) Port match
For example: allow forwarding of DNS query packets for the network 192.168.1.0/24.
First, start a DNS service on the web server.
vim /var/named/chroot/var/named/google.com.zone
For the purpose of the experiment, first run the following command on the gateway server to block forwarding:
iptables -I FORWARD -j REJECT
Then run nslookup on the Internet test machine; the name cannot be resolved.
Next, apply an implicit match on the gateway server to allow DNS query packets to be forwarded for the 172.16.16.0 network.
Test the resolution from the Internet test machine again.
2) ICMP type match
To prevent other hosts from pinging this machine while still allowing this machine to ping other hosts, do the following.
First, for ease of testing, run this on the gateway server (delete all other rules before running it; it is enough to stop the firewall, since it is started again automatically once rules are written):
The Internet test machine and the web server can ping each other. Then run:
If the experiment does not work, change the last rule above to iptables -A INPUT -p icmp -j DROP
Then test:
3. Explicit matches
The corresponding module must be loaded (with -m) before its match conditions can be set.
1) Multiport match
For example: open ports 25, 80, 110 and 143 on the web server host.
2) IP range match
For example: forbid forwarding of TCP packets whose source address lies between 192.168.4.21 and 192.168.4.28.
3) MAC address match
For example: forbid hosts with the following MAC addresses from accessing any application on the web server.
4) State match
For example: forbid forwarding of non-SYN request packets that do not belong to a normal TCP connection (such as forged attack packets).
Another example: open the local web service on port 80, allow TCP reply packets sent to this host, and drop all other inbound packets. The corresponding inbound rules are as follows:
The above covers the basic application of iptables firewall rules. The hands-on lab follows:
III. Hands-on lab
1. The lab environment is the same as above
The web server's IP address is 192.168.1.5. The gateway server's internal address is eth0: 192.168.1.254 and its external address is eth1: 172.16.16.254. The Internet test machine is 172.16.16.172. All three systems should be able to ping each other.
2. Writing inbound rules for the web server
(1) In this example all rules are added to the INPUT chain of the filter table, with the default policy set to DROP.
(2) Use the condition "-p icmp ! --icmp-type 8" to match ICMP packets that are not echo requests.
(3) Use the condition "-p tcp --dport 80" to match access to TCP port 80.
(4) Use "-p tcp -m state --state ESTABLISHED,RELATED" to match TCP response packets.
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -A INPUT -p icmp ! --icmp-type 8 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
(5) Test the inbound control: other hosts can access the web service on this machine but no other service (such as FTP or DNS); this machine can ping other hosts, but other hosts cannot ping it.
[root@localhost ~]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp !type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
…… // other test steps omitted
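As an added illustration that is not part of the original article, the following Python script models how iptables evaluates a chain: rules are checked from top to bottom, the first matching rule decides the packet's fate, and the chain's default policy applies only when nothing matches. It replays two situations from this article: the FTP case in section I, where a rule appended with -A behind an existing reject-all rule never fires while the same rule inserted with -I does, and the web server INPUT chain from lab step 2 above. The Rule and Chain classes, the sample packet dictionaries and the per-packet "state" field are simplifications constructed for this example; real iptables derives connection state from the kernel's connection tracking, which this model does not implement.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of an iptables chain for this example; it is not iptables itself.
# A "packet" is a plain dict with keys such as proto, src, in_if, dport, icmp_type, state.


@dataclass
class Rule:
    target: str                                # ACCEPT, DROP or REJECT
    proto: Optional[str] = None                # -p
    src: Optional[str] = None                  # -s, as an address or CIDR network
    in_if: Optional[str] = None                # -i
    dport: Optional[int] = None                # --dport
    icmp_type: Optional[int] = None            # --icmp-type
    negate_icmp_type: bool = False             # "! --icmp-type"
    states: Optional[frozenset] = None         # -m state --state (state assumed known per packet)

    def matches(self, pkt: dict) -> bool:
        """Every condition given on the rule must hold, as the article says of multiple matches."""
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.in_if is not None and pkt.get("in_if") != self.in_if:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None:
            hit = pkt.get("icmp_type") == self.icmp_type
            if hit == self.negate_icmp_type:   # plain match needs a hit, negated match needs a miss
                return False
        if self.states is not None and pkt.get("state") not in self.states:
            return False
        return True


class Chain:
    """One chain: an ordered rule list plus a default policy (-P)."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: list = []

    def append(self, rule: Rule) -> None:                # -A
        self.rules.append(rule)

    def insert(self, rule: Rule, num: int = 1) -> None:  # -I [num], 1-based like iptables
        self.rules.insert(num - 1, rule)

    def delete(self, num: int) -> None:                  # -D chain num
        del self.rules[num - 1]

    def verdict(self, pkt: dict) -> str:
        """First matching rule wins; otherwise the default policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def ordering_demo() -> tuple:
    """Section I: -A lands behind the existing reject-all rule, -I lands in front of it."""
    chain = Chain()
    chain.append(Rule("REJECT"))                   # pre-existing catch-all reject rule
    ftp_syn = {"proto": "tcp", "src": "172.16.16.172", "dport": 21, "state": "NEW"}
    chain.append(Rule("ACCEPT", proto="tcp"))      # -A INPUT -p tcp -j ACCEPT
    after_append = chain.verdict(ftp_syn)          # still REJECT: rule 1 matched first
    chain.insert(Rule("ACCEPT", proto="tcp"))      # -I INPUT -p tcp -j ACCEPT
    after_insert = chain.verdict(ftp_syn)          # ACCEPT: the new rule is now rule 1
    chain.insert(Rule("ACCEPT", proto="icmp"), 2)  # -I INPUT 2 -p icmp -j ACCEPT
    order = [r.target + ("/" + r.proto if r.proto else "") for r in chain.rules]
    return after_append, after_insert, order


def lab_input_chain() -> Chain:
    """The web server INPUT chain from lab step 2, with a DROP default policy."""
    chain = Chain(policy="DROP")                                           # -P INPUT DROP
    chain.append(Rule("ACCEPT", proto="icmp", icmp_type=8, negate_icmp_type=True))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    chain.append(Rule("ACCEPT", proto="tcp", states=frozenset({"ESTABLISHED", "RELATED"})))
    return chain


def lab_input_verdicts() -> dict:
    """Constructed sample packets arriving at the web server from the Internet test machine."""
    chain = lab_input_chain()
    packets = {
        "ping_request_in": {"proto": "icmp", "src": "172.16.16.172", "icmp_type": 8, "state": "NEW"},
        "ping_reply_in": {"proto": "icmp", "src": "172.16.16.172", "icmp_type": 0, "state": "ESTABLISHED"},
        "http_syn": {"proto": "tcp", "src": "172.16.16.172", "dport": 80, "state": "NEW"},
        "ftp_syn": {"proto": "tcp", "src": "172.16.16.172", "dport": 21, "state": "NEW"},
        "reply_to_our_own_connection": {"proto": "tcp", "src": "172.16.16.172", "dport": 40000, "state": "ESTABLISHED"},
    }
    return {name: chain.verdict(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print(ordering_demo())
    for name, result in lab_input_verdicts().items():
        print(f"{name:30} {result}")
```

Running the script shows the ordering lesson directly: the appended ACCEPT rule sits below the catch-all REJECT and is never reached, while the inserted one becomes rule 1 and takes effect. For the lab chain, an inbound echo request is dropped by the default policy because the negated ICMP type match deliberately fails on type 8, while echo replies, HTTP connections and replies to connections the server itself opened are accepted, which is exactly the behaviour lab step (5) describes.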
3. Writing forwarding rules for the gateway server
(1) In this example all rules are added to the FORWARD chain of the filter table, with the default policy set to DROP.
(2) For TCP ports 80, 20, 21, 25, 110 and 143 and for UDP port 53, write forwarding rules for both directions: LAN hosts accessing the Internet, and Internet responses to LAN requests.
[root@localhost ~]# iptables -P FORWARD DROP
[root@localhost ~]# iptables -A FORWARD -s 192.168.1.0/24 -p tcp -m multiport --dport 20,21,80,25,110,143 -o eth1 -j ACCEPT
[root@localhost ~]# iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 53 -o eth1 -j ACCEPT
[root@localhost ~]# iptables -A FORWARD -p udp --sport 53 -i eth1 -j ACCEPT
(3) Run DNS queries to learn the IP addresses currently used by the sites web.qq.com, w.qq.com and im.qq.com: 112.90.141.88, 112.90.141.163, 112.90.141.164, 58.251.149.159, 58.251.60.202, 123.138.238.100, 123.138.238.101. Then write forwarding rules for each of these addresses that block access to TCP ports 80 and 443.
[root@localhost ~]# vi /opt/black_ip.txt // create the blocklist
112.90.141.88
112.90.141.163
112.90.141.164
58.251.149.159
58.251.60.202
123.138.238.100
123.138.238.101
[root@localhost ~]# for i in `cat /opt/black_ip.txt`; do iptables -I FORWARD -d $i -p tcp -m multiport --dport 80,443 -j DROP; done // read the IP addresses and insert one rule per address
(4) Test the forwarding control: hosts on the LAN cannot reach blocked sites such as web.qq.com, but can access other web sites and network services such as DNS and FTP.
[root@localhost ~]# iptables -nL FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 123.138.238.101 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 123.138.238.100 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 58.251.60.202 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 58.251.149.159 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 112.90.141.164 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 112.90.141.163 multiport dports 80,443
DROP tcp -- 0.0.0.0/0 112.90.141.88 multiport dports