s9.Linux防火墙实战案例 -- FORWARD 链实现内外网络的流量控制(一)



1.FORWARD 链实现内外网络的流量控制

范例:


#环境准备
#firewall主机配置
[root@rocky8 ~]# hostnamectl set-hostname firewall
[root@firewall ~]# dnf -y install net-tools
[root@firewall ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=172.31.1.8
PREFIX=21
GATEWAY=172.31.0.2
DNS1=223.5.5.5
DNS2=180.76.76.76
[root@firewall ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
NAME=eth1
DEVICE=eth1
BOOTPROTO=static
IPADDR=10.0.1.8
PREFIX=21
[root@firewall ~]# nmcli connection reload
[root@firewall ~]# nmcli connection
NAME                UUID                                  TYPE      DEVICE 
eth0                5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0   
Wired connection 1  8f66d694-494f-31db-99a6-97673f8ece0b  ethernet  eth1   
eth1                9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04  ethernet  --     
[root@firewall ~]# nmcli connection up eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@firewall ~]# nmcli connection del Wired\ connection\ 1
Connection 'Wired connection 1' (8f66d694-494f-31db-99a6-97673f8ece0b) successfully deleted.
[root@firewall ~]# nmcli connection
NAME  UUID                                  TYPE      DEVICE 
eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0   
eth1  9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04  ethernet  eth1 
[root@firewall ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f9:6a:d1 brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.8/21 brd 172.31.7.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef9:6ad1/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f9:6a:db brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.8/21 brd 10.0.7.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef9:6adb/64 scope link 
       valid_lft forever preferred_lft forever
[root@firewall ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.0.2      0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.248.0   U     101    0        0 eth1
172.31.0.0      0.0.0.0         255.255.248.0   U     100    0        0 eth0
​
#internal主机配置
root@ubuntu1804:~# hostnamectl set-hostname internal
root@internal:~# vim /etc/netplan/01-netcfg.yaml 
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [10.0.2.18/21] 
      gateway4: 10.0.1.8
root@internal:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5d:de:53 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.18/21 brd 10.0.7.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5d:de53/64 scope link 
       valid_lft forever preferred_lft forever
root@internal:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.8        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.248.0   U     0      0        0 eth0
root@internal:~# ping 10.0.1.8
PING 10.0.1.8 (10.0.1.8) 56(84) bytes of data.
64 bytes from 10.0.1.8: icmp_seq=1 ttl=64 time=0.318 ms
64 bytes from 10.0.1.8: icmp_seq=2 ttl=64 time=0.367 ms
^C
--- 10.0.1.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1030ms
rtt min/avg/max/mdev = 0.318/0.342/0.367/0.030 ms
​
#lanserver1主机配置
[root@centos7 ~]# hostnamectl set-hostname lanserver1
[root@lanserver1 ~]# yum -y install net-tools
[root@lanserver1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=172.31.0.7
PREFIX=21
GATEWAY=172.31.1.8
DNS1=223.5.5.5
DNS2=180.76.76.76
[root@lanserver1 ~]# nmcli connection reload
[root@lanserver1 ~]# nmcli connection
NAME  UUID                                  TYPE      DEVICE 
eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0   
[root@lanserver1 ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@lanserver1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:50:0f:03 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.7/21 brd 172.31.7.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe50:f03/64 scope link 
       valid_lft forever preferred_lft forever
[root@lanserver1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.1.8      0.0.0.0         UG    100    0        0 eth0
172.31.0.0      0.0.0.0         255.255.248.0   U     100    0        0 eth0
​
#lanserver2主机配置
[root@centos7-2 ~]# hostnamectl set-hostname lanserver2
[root@lanserver2 ~]# yum -y install net-tools
[root@lanserver2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE=eth0
NAME=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=172.31.0.17
PREFIX=21
GATEWAY=172.31.1.8
DNS1=223.5.5.5
DNS2=180.76.76.76
[root@lanserver2 ~]# nmcli connection reload
[root@lanserver2 ~]# nmcli connection
NAME  UUID                                  TYPE      DEVICE 
eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0   
[root@lanserver2 ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@lanserver2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c5:09:56 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.17/21 brd 172.31.7.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec5:956/64 scope link 
       valid_lft forever preferred_lft forever
[root@lanserver2 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.1.8      0.0.0.0         UG    100    0        0 eth0
172.31.0.0      0.0.0.0         255.255.248.0   U     100    0        0 eth0
[root@lanserver2 ~]# ping 172.31.1.8
PING 172.31.1.8 (172.31.1.8) 56(84) bytes of data.
64 bytes from 172.31.1.8: icmp_seq=1 ttl=64 time=0.505 ms
64 bytes from 172.31.1.8: icmp_seq=2 ttl=64 time=0.461 ms
^C
--- 172.31.1.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.461/0.483/0.505/0.022 ms
​
root@internal:~# ping 172.31.0.7
PING 172.31.0.7 (172.31.0.7) 56(84) bytes of data.
^C
--- 172.31.0.7 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1022ms
#从10.0.2.18不能ping通 172.31.0.7
​
​
[root@firewall ~]# vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1 
[root@firewall ~]# sysctl -p
net.ipv4.ip_forward = 1
​
root@internal:~# ping 172.31.0.7
PING 172.31.0.7 (172.31.0.7) 56(84) bytes of data.
64 bytes from 172.31.0.7: icmp_seq=1 ttl=63 time=1.15 ms
64 bytes from 172.31.0.7: icmp_seq=2 ttl=63 time=0.806 ms
64 bytes from 172.31.0.7: icmp_seq=3 ttl=63 time=0.668 ms
64 bytes from 172.31.0.7: icmp_seq=4 ttl=63 time=0.567 ms
^C
--- 172.31.0.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.567/0.799/1.157/0.224 ms
#从10.0.2.18能ping通 172.31.0.7(开启 ip_forward 后转发生效)
[root@firewall ~]# dnf -y install tcpdump
[root@firewall ~]# tcpdump -i eth1 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:23:41.226584 IP 10.0.2.18 > 172.31.0.7: ICMP echo request, id 2011, seq 1, length 64
16:23:41.226881 IP 172.31.0.7 > 10.0.2.18: ICMP echo reply, id 2011, seq 1, length 64
16:23:42.250849 IP 10.0.2.18 > 172.31.0.7: ICMP echo request, id 2011, seq 2, length 64
16:23:42.251275 IP 172.31.0.7 > 10.0.2.18: ICMP echo reply, id 2011, seq 2, length 64
16:23:43.275432 IP 10.0.2.18 > 172.31.0.7: ICMP echo request, id 2011, seq 3, length 64
16:23:43.276534 IP 172.31.0.7 > 10.0.2.18: ICMP echo reply, id 2011, seq 3, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
​
[root@firewall ~]# tcpdump -i eth0 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:24:00.652816 IP 10.0.2.18 > 172.31.0.7: ICMP echo request, id 2011, seq 20, length 64
16:24:00.653148 IP 172.31.0.7 > 10.0.2.18: ICMP echo reply, id 2011, seq 20, length 64
16:24:01.677569 IP 10.0.2.18 > 172.31.0.7: ICMP echo request, id 2011, seq 21, length 64
16:24:01.677845 IP 172.31.0.7 > 10.0.2.18: ICMP echo reply, id 2011, seq 21, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
​
root@internal:~# ping 172.31.0.17
PING 172.31.0.17 (172.31.0.17) 56(84) bytes of data.
64 bytes from 172.31.0.17: icmp_seq=1 ttl=63 time=0.546 ms
64 bytes from 172.31.0.17: icmp_seq=2 ttl=63 time=0.685 ms
64 bytes from 172.31.0.17: icmp_seq=3 ttl=63 time=0.426 ms
^C
--- 172.31.0.17 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2037ms
rtt min/avg/max/mdev = 0.426/0.552/0.685/0.107 ms
​
[root@lanserver1 ~]# ping 10.0.2.18
PING 10.0.2.18 (10.0.2.18) 56(84) bytes of data.
64 bytes from 10.0.2.18: icmp_seq=1 ttl=63 time=0.577 ms
64 bytes from 10.0.2.18: icmp_seq=2 ttl=63 time=0.790 ms
64 bytes from 10.0.2.18: icmp_seq=3 ttl=63 time=0.419 ms
^C
--- 10.0.2.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.419/0.595/0.790/0.153 ms
#从172.31.0.7能ping通 10.0.2.18

范例:内部可以访问外部,外部禁止访问内部

[root@firewall ~]# iptables -A INPUT -s 172.31.0.1 -j ACCEPT
[root@firewall ~]# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
[root@firewall ~]# iptables -A FORWARD -s 172.31.0.0/21 ! -d 172.31.0.0/21 -m state --state NEW -j ACCEPT
[root@firewall ~]# iptables -A FORWARD -j REJECT
[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  152 11792 ACCEPT     all  --  *      *       172.31.0.1           0.0.0.0/0           
​
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     all  --  *      *       172.31.0.0/21       !172.31.0.0/21        state NEW
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  
​
root@internal:~# ping 172.31.0.7
PING 172.31.0.7 (172.31.0.7) 56(84) bytes of data.
From 10.0.1.8 icmp_seq=1 Destination Port Unreachable
From 10.0.1.8 icmp_seq=2 Destination Port Unreachable
From 10.0.1.8 icmp_seq=3 Destination Port Unreachable
^C
--- 172.31.0.7 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2054ms
#从10.0.2.18不能ping通 172.31.0.7,从外部不能访问内部
 
[root@lanserver1 ~]# ping 10.0.2.18
PING 10.0.2.18 (10.0.2.18) 56(84) bytes of data.
64 bytes from 10.0.2.18: icmp_seq=1 ttl=63 time=0.645 ms
64 bytes from 10.0.2.18: icmp_seq=2 ttl=63 time=0.557 ms
^C
--- 10.0.2.18 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.557/0.601/0.645/0.044 ms
#从172.31.0.7能ping通 10.0.2.18,从内部可以访问外部

范例:针对内部的特定服务可以允许外部访问,其它服务禁止访问

[root@lanserver1 ~]# yum -y install httpd
[root@lanserver1 ~]# systemctl enable --now httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@lanserver1 ~]# echo lan web site > /var/www/html/index.html
[root@lanserver1 ~]# curl 172.31.0.7
lan web site
​
root@internal:~# curl 172.31.0.7
curl: (7) Failed to connect to 172.31.0.7 port 80: Connection refused
#外部不能访问内部的web服务
​
[root@firewall ~]# iptables -I FORWARD 3 -d 172.31.0.7 -p tcp --dport 80 -j ACCEPT
[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  278 21476 ACCEPT     all  --  *      *       172.31.0.1           0.0.0.0/0           
​
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    4   286 ACCEPT     all  --  *      *       172.31.0.0/21       !172.31.0.0/21        state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.31.0.7           tcp dpt:80
    6   432 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 
root@internal:~# curl 172.31.0.7
lan web site
​
[root@firewall ~]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 299 ESTABLISHED src=172.31.1.8 dst=172.31.0.1 sport=22 dport=59400 src=172.31.0.1 dst=172.31.1.8 sport=59400 dport=22 [ASSURED] mark=0 zone=0 use=2