iptables网络防火墙扩展
环境模拟
- 主机规划:
# 外网主机eth0:192.168.1.100
# 防火墙主机eth0:192.168.1.106;eth1:10.10.2.1(网关地址)
# 内网主机eth0:10.10.2.2
- 配置过程
#为防火墙主机添加ip
[root@gateway ~]# ip addr add 10.10.2.1/24 dev eth1
[root@gateway ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.106 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::b4f8:836f:3c67:e1af prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:a6:a1:15 txqueuelen 1000 (Ethernet)
RX packets 511 bytes 53486 (52.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 374 bytes 37517 (36.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:0c:29:a6:a1:1f txqueuelen 1000 (Ethernet)
RX packets 283 bytes 28356 (27.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 153 bytes 19483 (19.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#为内网主机添加ip
[root@node1 ~]# ip addr add 10.10.2.2/24 dev eth1
[root@node1 ~]# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.2.2 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:0c:29:a1:a6:3f txqueuelen 1000 (Ethernet)
RX packets 283 bytes 28356 (27.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 153 bytes 19483 (19.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#为内网主机添加路由信息
[root@node1 ~]# route add -net default gw 10.10.2.1
[root@node1 ~]# route add -net 192.168.1.0/24 gw 10.10.2.1
[root@node1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.2.1 0.0.0.0 UG 100 0 0 eth1
10.10.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 10.10.2.1 255.255.255.0 U 100 0 0 eth1
[root@node1 ~]# ping -c 2 10.10.2.1 #ping网关测试
PING 10.10.2.1 (10.10.2.1) 56(84) bytes of data.
64 bytes from 10.10.2.1: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 10.10.2.1: icmp_seq=2 ttl=64 time=0.040 ms
#为防火墙添加路由
[root@gateway ~]# route add -net 10.10.2.0/24 gw 10.10.2.1
[root@gateway ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
10.10.2.0 10.10.2.1 255.255.255.0 UG 0 0 0 eth1
10.10.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@gateway ~]# ping -c 2 10.10.2.2 #ping测试
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
64 bytes from 10.10.2.2: icmp_seq=1 ttl=64 time=2.15 ms
#此时内网主机可以ping通外网主机，但外网主机ping不通内网主机
[root@node1 ~]# ping -c 2 192.168.1.100 #内网主机ping外网
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.990 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.536 ms
[root@webSr ~]# ping -c 2 10.10.2.2 #外网主机ping内网
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
--- 10.10.2.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
#外网主机添加路由
[root@webSr ~]# route add -net 10.10.2.0/24 gw 192.168.1.106
[root@webSr ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
10.10.2.0 192.168.1.106 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@webSr ~]# ping 10.10.2.2 -c2 #此时ping内网主机还是不能ping通
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
--- 10.10.2.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
## 防火墙开启内核转发后ping测试
[root@gateway ~]# sysctl -w net.ipv4.ip_forward=1
[root@webSr ~]# ping 10.10.2.2 -c2 #开启内核转发后可以ping通内网主机
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
64 bytes from 10.10.2.2: icmp_seq=1 ttl=63 time=0.732 ms
64 bytes from 10.10.2.2: icmp_seq=2 ttl=63 time=0.555 ms
## httpd服务测试
[root@webSr ~]# curl 10.10.2.2
this is 10.10.2.2 server!
防火墙策略模拟
#防火墙主机FORWARD链的默认策略为ACCEPT，经防火墙转发的报文都会匹配到该链
[root@gateway ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 30 packets, 2628 bytes)
pkts bytes target prot opt in out source destination
## 把FORWARD链的默认策略改为DROP后，内外网主机之间的报文无法再被转发
[root@gateway html]# iptables -t filter -P FORWARD DROP
[root@gateway html]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
## 此时ping访问内网主机会返回无响应
[root@webSr ~]# ping -c 2 10.10.2.2
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
--- 10.10.2.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
#1. 在防火墙主机的FORWARD链路放行内网主机的httpd服务
[root@gateway ~]# iptables -t filter -I FORWARD -s 0.0.0.0/0 -d 10.10.2.2 -p tcp --dport 80 -j ACCEPT
[root@gateway ~]# iptables -t filter -A FORWARD -s 10.10.2.2 -d 0.0.0.0/0 -p tcp --sport 80 -j ACCEPT
[root@gateway ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.2.2 tcp dpt:80
0 0 ACCEPT tcp -- * * 10.10.2.2 0.0.0.0/0 tcp spt:80
##测试结果
[root@webSr ~]# curl 10.10.2.2
this is 10.10.2.2 server!
#2. 在防火墙主机的FORWARD链路放行icmp协议报文
[root@gateway ~]# iptables -t filter -A FORWARD -s 0.0.0.0/0 -d 10.10.2.2 -p icmp -j ACCEPT
[root@gateway ~]# iptables -t filter -A FORWARD -s 10.10.2.2 -d 0.0.0.0/0 -p icmp -j ACCEPT
[root@gateway html]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 393 ACCEPT tcp -- * * 0.0.0.0/0 10.10.2.2 tcp dpt:80
4 483 ACCEPT tcp -- * * 10.10.2.2 0.0.0.0/0 tcp spt:80
2 168 ACCEPT icmp -- * * 0.0.0.0/0 10.10.2.2
2 168 ACCEPT icmp -- * * 10.10.2.2 0.0.0.0/0
##ping测试
[root@webSr ~]# ping -c 2 10.10.2.2
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
64 bytes from 10.10.2.2: icmp_seq=1 ttl=63 time=1.26 ms
64 bytes from 10.10.2.2: icmp_seq=2 ttl=63 time=0.844 ms
--- 10.10.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.844/1.052/1.260/0.208 ms
#3. 在防火墙主机的FORWARD链路放行SSH协议报文
[root@gateway ~]# iptables -t filter -R FORWARD 1 -s 0.0.0.0/0 -d 10.10.2.2 -p tcp -m multiport --dports 22,80 -j ACCEPT
[root@gateway ~]# iptables -t filter -R FORWARD 2 -s 10.10.2.2 -d 0.0.0.0/0 -p tcp -m multiport --sports 22,80 -j ACCEPT
[root@gateway ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.2.2 multiport dports 22,80
0 0 ACCEPT tcp -- * * 10.10.2.2 0.0.0.0/0 multiport sports 22,80
4 336 ACCEPT icmp -- * * 0.0.0.0/0 10.10.2.2
4 336 ACCEPT icmp -- * * 10.10.2.2 0.0.0.0/0
#测试结果
[root@webSr ~]# ssh 10.10.2.2
The authenticity of host '10.10.2.2 (10.10.2.2)' can't be established.
ECDSA key fingerprint is SHA256:L9CbpTobb9XTCcGkflBj30Y0IuyfzRZc++ULTLsY3ug.
ECDSA key fingerprint is MD5:0a:7a:c1:cc:58:b7:42:1b:bf:ca:80:84:21:dd:03:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.2.2' (ECDSA) to the list of known hosts.
root@10.10.2.2's password:
##规则优化：用连接状态匹配替代按源端口放行回包的规则
[root@gateway ~]# iptables -t filter -F FORWARD
[root@gateway ~]# iptables -t filter -A FORWARD -m state --state ESTABLISHED -j ACCEPT #属于已建立连接(ESTABLISHED状态)的报文一律放行
[root@gateway ~]# iptables -t filter -A FORWARD -s 0.0.0.0/0 -d 10.10.2.2 -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
[root@gateway ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.2.2 multiport dports 22,80 state NEW
#测试结果
[root@webSr ~]# curl 10.10.2.2 #httpd服务结果
this is 10.10.2.2 server!
[root@webSr ~]# ssh 10.10.2.2 #ssh服务结果
root@10.10.2.2's password:
#4. 防火墙主机在FORWARD链路放行ftp报文
## 未放行前网关防火墙测试
[root@gateway ~]# lftp 10.10.2.2/pub
cd 成功, 当前目录=/pub
lftp 10.10.2.2:/pub> ls
-rw-r--r-- 1 0 0 465 Feb 14 13:43 fstab
[root@webSr ~]# lftp 10.10.2.2 #控制连接可以正常建立，但数据连接未被放行，ls无回显
lftp 10.10.2.2:~> ls
'ls' at 0 [正在连接...]
## 放行流程示例:
[root@gateway ~]# modprobe nf_conntrack_ftp #装载ftp连接追踪模块
[root@gateway ~]# lsmod |grep ftp
nf_conntrack_ftp 18478 0
nf_conntrack 139224 7 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
[root@gateway ~]# iptables -t filter -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT #放行RELATED状态
[root@gateway ~]# iptables -t filter -R FORWARD 2 -s 0.0.0.0/0 -d 10.10.2.2 -p tcp -m multiport --dports 21,22,80 -m state --state NEW -j ACCEPT
[root@gateway ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.2.2 multiport dports 21,22,80 state NEW
1 84 ACCEPT icmp -- * * 0.0.0.0/0 10.10.2.2
0 0 ACCEPT icmp -- * * 10.10.2.2 0.0.0.0/0
## 放行完成后测试:
[root@webSr ~]# lftp 10.10.2.2/pub
cd 成功, 当前目录=/pub
lftp 10.10.2.2:/pub> ls
-rw-r--r-- 1 0 0 465 Feb 14 13:43 fstab