[@[TOC](第二十九章 Linux防火墙 网络防火墙 小节3)]
网络防火墙
iptables/netfilter网络防火墙:
(1) 充当网关
(2) 使用filter表的FORWARD链
注意的问题:
(1) 请求-响应报文均会经由FORWARD链,要注意规则的方向性
(2) 如果要启用conntrack机制,建议将双方向的状态为ESTABLISHED的报文直接放行
基于主机防火墙
| 名称 | 网卡\IP | 版本 |
|---|---|---|
| firewalld 7 | NAT、桥接\192.168.37.7、192.168.1.7 | Centos7 |
| 客户机 6 | NAT\192.168.37.6 | Centos6 |
| 客户机 18 | 桥接\192.168.1.18 | Centos7 |
firewalld
[root@firewalld ~]# vim /etc/sysctl.conf
...
net.ipv4.ip_forward=1 <--添加、开启路由转发功能、此时Centos6与Centos7可以互相ping通
...
[root@firewalld ~]# sysctl -p
net.ipv4.ip_forward = 1
#拒绝所有
[root@firewalld ~]# iptables -A FORWARD -j REJECT
# 在FORWARD插入序号1 协议 允许
[root@firewalld ~]# iptables -I FORWARD 1 -s 192.168.37.0/24 -p icmp --icmp-type 8 -j ACCEPT
源IP地址 icmp请求
#方法1 目标IP地址 icmp应答
[root@firewalld ~]# iptables -I FORWARD 1 -d 192.168.37.0/24 -p icmp --icmp-type 0 -j ACCEPT
或
#方法2 只要请求报文能出去,回来的应答报文就属于ESTABLISHED状态(该规则同样放行后面各TCP规则的响应报文,因此方向性只需在请求一侧定义)
[root@firewalld ~]# iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
此时'客户机 6'可以ping通'客户机 18','客户机 18'ping不通'客户机 6'.
内网访问外网
客户机 18
[root@CentOS7 ~]# yum install httpd mod_ssl -y
[root@CentOS7 ~]# systemctl start httpd
#外网测试页面
[root@CentOS7 ~]# echo 18 server > /var/www/html/index.html
客户机 6
不能访问、因为FORWARD链中尚未定义放行tcp/80的规则,报文被末尾的REJECT拒绝
[root@centos6 ~]$ curl 192.168.1.18
curl: (7) couldn't connect to host
firewalld
#允许源IP地址访问tcp协议的80端口
[root@firewalld ~]# iptables -I FORWARD 2 -s 192.168.37.0/24 -p tcp --dport 80 -j ACCEPT
客户机 6
访问成功
[root@centos6 ~]$ curl 192.168.1.18
18 server
firewalld
#允许源IP地址访问tcp协议的80和443端口
[root@firewalld ~]# iptables -R FORWARD 2 -s 192.168.37.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
客户机 6
[root@centos6 ~]$ curl -k https://192.168.1.18
18 server
外网访问内网
客户机 6
[root@centos6 ~]$ service httpd start
#内网测试页面
[root@centos6 ~]$ echo lan server > /var/www/html/index.html
客户机 18
[root@CentOS7 ~]# curl 192.168.37.6
curl: (7) Failed connect to 192.168.37.6:80; Connection refused
firewalld
允许外网访问内网192.168.37.6主机的80和443端口(插入为第4条,必须位于末尾的REJECT规则之前才会生效)
[root@firewalld ~]# iptables -I FORWARD 4 -d 192.168.37.6 -p tcp -m multiport --dports 80,443 -j ACCEPT
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 17 packets, 1096 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 4284 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
14 1176 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443 <--
16 1248 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 10 packets, 1136 bytes)
pkts bytes target prot opt in out source destination
客户机 18
外网访问内网成功
[root@CentOS7 ~]# curl 192.168.37.6
lan server
自定义链
firewalld
#自定义链'-N 链名称'
[root@firewalld ~]# iptables -N fromlantointernet
#改名'-E 旧名 新名'
[root@firewalld ~]# iptables -E fromlantointernet TOINTERNET
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 39 packets, 2640 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 5114 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
14 1176 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
1 60 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
16 1248 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 23 packets, 4684 bytes)
pkts bytes target prot opt in out source destination
Chain TOINTERNET (0 references) <--空的
pkts bytes target prot opt in out source destination
#添加了两条规则到'TOINTERNET'链中
[root@firewalld ~]# iptables -A TOINTERNET -s 192.168.37.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
[root@firewalld ~]# iptables -A TOINTERNET -s 192.168.37.0/24 -p icmp --icmp-type 8 -j ACCEPT
#查看'TOINTERNET'链中是否有刚刚添加的信息
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 56 packets, 3760 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 5114 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
14 1176 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
1 60 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
16 1248 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 35 packets, 7396 bytes)
pkts bytes target prot opt in out source destination
Chain TOINTERNET (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443 <--
0 0 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8 <--
#在'FORWARD' 链中删除与'TOINTERNET'链中重复的2条规则
[root@firewalld ~]# iptables -D FORWARD 2
[root@firewalld ~]# iptables -D FORWARD 2
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 14 packets, 956 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 5114 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
16 1248 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 8 packets, 1104 bytes)
pkts bytes target prot opt in out source destination
Chain TOINTERNET (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
0 0 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
#关联链。将'TOINTERNET'链插入'FORWARD'链中第二条。
[root@firewalld ~]# iptables -I FORWARD 2 -j TOINTERNET
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 560 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 5114 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 TOINTERNET all -- * * 0.0.0.0/0 0.0.0.0/0
1 60 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
16 1248 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 5 packets, 572 bytes)
pkts bytes target prot opt in out source destination
Chain TOINTERNET (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 80,443
0 0 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
#'-R'替换'TOINTERNET'中第1条规则
[root@firewalld ~]# iptables -R TOINTERNET 1 -s 192.168.37.0/24 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
71 10164 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 492 TOINTERNET all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
19 1476 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 6 packets, 776 bytes)
pkts bytes target prot opt in out source destination
Chain TOINTERNET (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 22,80,443 <--
1 84 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
客户机 6
可以连接
[root@centos6 ~]$ ssh 192.168.1.18
删除自定义链
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
71 10164 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 492 TOINTERNET all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
19 1476 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 6 packets, 776 bytes)
pkts bytes target prot opt in out source destination
Chain TOINTERNET (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.37.0/24 0.0.0.0/0 multiport dports 22,80,443
1 84 ACCEPT icmp -- * * 192.168.37.0/24 0.0.0.0/0 icmptype 8
#先删除'FORWARD'链中引用'TOINTERNET'的第2条规则,引用计数归0后才能删除该链
[root@firewalld ~]# iptables -D FORWARD 2
#'-F'清空'TOINTERNET'中策略
[root@firewalld ~]# iptables -F TOINTERNET
#'-X'删除'TOINTERNET'链
[root@firewalld ~]# iptables -X TOINTERNET
#刚刚自定义'TOINTERNET'链被删除
[root@firewalld ~]# iptables -vnL
Chain INPUT (policy ACCEPT 18 packets, 1188 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
152 23202 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.37.6 multiport dports 80,443
19 1476 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 10 packets, 1352 bytes)
pkts bytes target prot opt in out source destination
NAT
NAT: network address translation
- PREROUTING,INPUT,OUTPUT,POSTROUTING
- 请求报文:修改源/目标IP,由规则定义如何修改
- 响应报文:修改源/目标IP,根据跟踪机制自动实现
SNAT:source NAT POSTROUTING, INPUT
- 让本地网络中的主机通过某一特定地址访问外部网络,实现地址伪装
- 请求报文:修改源IP
DNAT:destination NAT PREROUTING , OUTPUT
- 把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射),但隐藏真实IP
- 请求报文:修改目标IP
PNAT: port nat,端口和IP都进行修改
SNAT
nat表的target:
SNAT:固定IP
- --to-source [ipaddr[-ipaddr]][:port[-port]]
- --random
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNET -j SNAT --to-source ExtIP
MASQUERADE:动态IP,如拨号网络
- --to-ports port[-port]
- --random
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNET -j MASQUERADE
| 名称 | 网卡\IP | 版本 |
|---|---|---|
| firewalld 7 | NAT、桥接\192.168.37.7、192.168.1.7 | Centos7 |
| 客户机 6 | NAT\192.168.37.6 | Centos6 |
| 客户机 18 | 桥接\192.168.1.18 | Centos7 |
基于主机网络防火墙
SNAT
SNAT:固定IP
firewalld
#'nat'表地址转换、源IP地址(192.168.37.0/24)出去时替换成(192.168.1.7)
[root@firewalld ~]# iptables -t nat -A POSTROUTING -s 192.168.37.0/24 -j SNAT --to-source 192.168.1.7
[root@firewalld ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.37.0/24 0.0.0.0/0 to:192.168.1.7
客户机 6
可以访问
[root@centos6 ~]$ curl 192.168.1.18
18 server
[root@centos6 ~]$ ping 192.168.1.18 -c 2
PING 192.168.1.18 (192.168.1.18) 56(84) bytes of data.
64 bytes from 192.168.1.18: icmp_seq=1 ttl=63 time=1.24 ms
64 bytes from 192.168.1.18: icmp_seq=2 ttl=63 time=0.844 ms
--- 192.168.1.18 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.844/1.043/1.242/0.199 ms
客户机 18
客户机18看到的源地址是'192.168.1.7',实际发起ping的是'192.168.37.6'(源IP已被SNAT替换)
#抓包看一下
[root@CentOS7 ~]# tcpdump -i eth0 -nn host 192.168.1.7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:56:51.216532 IP 192.168.1.7 > 192.168.1.18: ICMP echo request, id 26635, seq 1, length 64
09:56:51.216596 IP 192.168.1.18 > 192.168.1.7: ICMP echo reply, id 26635, seq 1, length 64
09:56:52.217277 IP 192.168.1.7 > 192.168.1.18: ICMP echo request, id 26635, seq 2, length 64
09:56:52.217311 IP 192.168.1.18 > 192.168.1.7: ICMP echo reply, id 26635, seq 2, length 64
09:56:54.222966 ARP, Request who-has 192.168.1.7 tell 192.168.1.18, length 28
09:56:54.223307 ARP, Reply 192.168.1.7 is-at 00:0c:29:07:f7:99, length 46
firewalld
MASQUERADE:动态IP,如拨号网络
#清空nat表全部规则(从而删除刚刚的'SNAT:固定IP'规则)
[root@firewalld ~]# iptables -F -t nat
#定义MASQUERADE:动态IP
[root@firewalld ~]# iptables -t nat -A POSTROUTING -s 192.168.37.0/24 -j MASQUERADE
[root@firewalld ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.37.0/24 0.0.0.0/0
客户机 6
[root@centos6 ~]$ ping 192.168.1.18 -c 2
PING 192.168.1.18 (192.168.1.18) 56(84) bytes of data.
64 bytes from 192.168.1.18: icmp_seq=1 ttl=63 time=0.886 ms
64 bytes from 192.168.1.18: icmp_seq=2 ttl=63 time=0.802 ms
--- 192.168.1.18 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.802/0.844/0.886/0.042 ms
[root@centos6 ~]$ curl 192.168.1.18
18 server
DNAT
DNAT
- --to-destination [ipaddr[-ipaddr]][:port[-port]]
iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterServerIP[:PORT]
DNAT
客户机 18
[root@CentOS7 ~]# curl 192.168.1.7
curl: (7) Failed connect to 192.168.1.7:80; Connection refused
firewalld
# 目标IP地址 协议 端口号 映射成DNAT(转换后的报文仍要经过FORWARD链,前面已有放行到192.168.37.6的80、443端口的规则)
[root@firewalld ~]# iptables -t nat -A PREROUTING -d 192.168.1.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.37.6:80
客户机 18
[root@CentOS7 ~]# curl 192.168.1.7
lan server
转发
REDIRECT:
- NAT表
- 可用于:PREROUTING OUTPUT 自定义链
- 通过改变目标IP和端口,将接收到的包转发至本机的不同端口
- --to-ports port[-port]
REDIRECT
客户机 6
访问80时转到8080
# 目标地址 协议 端口号 转发 8080
[root@centos6 ~]$ iptables -t nat -A PREROUTING -d 192.168.37.6 -p tcp --dport 80 -j REDIRECT --to-ports 8080