企业常用防火墙iptables相关原理详解
责编:admin |2015-02-11 11:19:13防火墙的类型:
包过滤型防火墙:(IP/TCP)
简单包过滤、带状态检查包过滤(连接状态)
简单包过滤
带状态检测包过滤:连接状态
应用层网关防火墙:(对特定的应用层协议做检查)
硬件:
Netscreen、checkpoint
linux内核:
TCP/IP:网络子系统
打开linux系统转发功能:/proc/sys/net/ipv4/ip_forward
linux路由表查看:route –n、 netstat –rn
ipfw —linux kernel2.0
ipchains —linuxkernel 2.2
iptables —linux kernel 2.4以后
iptables:用户空间工具
编写规则:
netfilter
内核中,框架(framework)
hookfunction
规则链input、 output、 forward、prerouting 、postrouting
源地址转换:SNAT –在即将出去的网卡地址做转换
目标地址转换:DNAT –在刚刚进来的网卡地址做转换
端口地址转换:PNAT —
4.2 防火墙的功能:
filter —过滤
nat —转换
mangle —修改
raw
数据包过滤匹配流程:
转发数据流向:
到本机
PreroutingàInput
转发
PreroutingàForwardàPostrouting
由本机发出
OutputàPostrouting
table:
raw
Prerouting、Output
mangle
Prerouting、Input 、Output 、Forward、Postrouting
nat
Prerouting、Output、Postrouting
filter
Input、Output 、Forward
Prerouting
Input
Forward
Output
Postrouting
raw
yes
yes
mangle
yes
yes
yes
yes
yes
nat
yes
yes
yes
filter
yes
yes
yes
过滤:
匹配条件
netfilter,检查模块
拓展模块
处理动作
Accept
Drop,Reject
4.3 iptables用法
iptables [-tTABLE] COMMAND CHAIN [CRETIRIA] –jACTION
-t 后跟的table:raw manglenat filter[默认]
COMMAND:对链或者对链中的规则进行管理操作
链中规则:
-A —在链中最后添加一条新的规则
-I # —插入一条规则,#表示插入为第几条
-R # —替换第几条规则
-D # —删除第几条规则或者–DCRETAERIA删除链中规则
链:
-N —新建一个自定义链
-X —删除一个自定义的空链
-E —重命名一条自定义链
-F —清空指定链,如果不指定链,就会清空整个表中的链
-P —设置链的默认策略
-Z —置零(每条规则,包括默认策略都有两个计算器,一个是被本规则匹配到的所有数据包的个数,另一个是被本规则匹配到的所有数据包的大小之和)
-L —查看
-v –详细
-vv –更加详细
–line-munbers —行号
-x –显示精确值
-n –不要对地址或者名称做反解【显示数字地址】
ipatbes:
服务脚本:/ect/rc.d/init.d/iptables
脚本配置文件:/ect/sysconfig/iptables-config
规则保存位置:/etc/sysconfig/iptables
serviceiptables {status|start|stop|restart|save}
ls/ect/rc.d/init.d
… iptables …
ls/ect/sysconfig
… iptables-config …
serviceiptables status
cat/etc/sysconfig/iptables
serviceiptabes start
touch/etc/sysconfig/iptables
serviceiptabes start
iptabels–L –n
iptabels –L raw–n
iptabels –L nat–n
iptabels –Lmanagle–n
iptabels –L raw–n -v
匹配条件:
通用匹配:
-s –源地址
-d –目标地址
IP
NETWORK/MASK
!
-p {icmp|tcp|udp} –协议
-iIN_INTERFACE –指定流入接口
-oOUT_INTERFACE –指定流出接口
-jTARGET
ACCEPT
DROP
REJECT
REDIRECT
DNAT
SNAT
MASQUERADE
LOG
扩展匹配:
隐式扩展
-p tcp
–sportPORT[-PORT2]
–dportPORT[-PORT2]
–tcp-flagsSYN,ACK,RST,FIN SYN (=–syn )
-p udp
–sportPORT[-PORT2]
–dportPORT[-PORT2]
-p icmp
–icmp-type
0:echo-reply —响应
8:echo-request —请求
显示扩展
netfilter扩展模块引入的扩展,用于扩展匹配条件,通常需要额外专用选项来定义
-m state –用于实现链接的姿态检测
–state
NEW,ESTABLISHED,
RELATED[例如fdp],INVALID[无效的]
-mmultiport
–source-ports
–destination-ports
–ports
rpm–ql iptables
……
/lib/iptables/libipt_state.so —扩展state模块
……
/lib/iptables/libipt_mutiport –扩展mutiport模块
…….
iptabes–t filter –A INPUT –s 172.16.0.0/16 –p icmp –-icmp-type 8 –j DROP
—不允许172.16.0.0/16网段的用户ping本机
iptables–t filter –L –n
……
target port opt source destination
DROP icmp — 172.16.0.0/16 0.0.0.0/0 icmptype 8
……
iptables–t filter –L –n -v
iptabes –t filter –A INPUT –s 172.16.0.0/16–d 172.16.100.1 –p icmp –-icmp-type 0 –j DROP
—不允许本机[172.16.100.1]ping172.16.0.0/16主机没有响应
iptables –t filter –D INPUT 2
–删除filter表的第二条规则
iptables –A INPUT –s !172.16.0.0/16 –d172.16.100.1 –p tcp –dport 80 –j DROP
–让除了172.16.0.0/16的主机访问172.16.100.1:80端口
iptables –L –n
iptabels –t filter –F INPUT
iptabels –L –n
iptables –F –清除所有的规则
iptables –t filter –A INPUT –d 172.16.100.1–p tcp –dport 22 –j ACCEPT
–让所有机器的ssh访问172.16.100.1
iptables –t filter –A OUTPUT –s172.16.100.1 –p tcp –sport 22 –j ACCEPT
iptables –L –n
iptables –t filter –P INPUT DROP
iptables –t filter –P OUTPUT DROP
iptables –L –n –v
—将除了22端口都Drop掉
iptables –A INPUT –d 172.16.100.1 –p icmp –-icmp-type8 –j ACCEPT
iptables –A OUTPUT –s 172.16.100.1 –p icmp–-icmp-type 0 –j ACCEPT
—现在别人可以ping通自己
iptables –A INPUT –s 172.16.100.1 –p icmp–-icmp-type 8 –j ACCEPT
iptables –A OUTPUT –d 172.16.100.1 –p icmp –-icmp-type0 –j ACCEPT
—现在可让自己ping别人
iptables –F
iptable –L –n
iptables –t filter –A INPUT –d 172.16.100.1–p tcp –dport 22 –m state –state NEW,ESTABLISHED –j ACCEPT
iptables –t filter –A OUTPUT –s172.16.100.1 –p tcp –sport 22 –m state –state ESTABLISHED -j ACCEPT
iptables –P INPUT DROP
iptables –P OUTPUT DROP
iptables –L –n -v
—不让本机建立任何新的ssh请求
iptables –t filter –A INPUT –d 172.16.100.1–p tcp –dport 80 –m state –state NEW,ESTABLISHED –j ACCEPT
iptables –t filter –A OUTPUT –s172.16.100.1 –p tcp –sport 80 –m state –state ESTABLISHED -j ACCEPT
—不让本机建立任何新的80端口请求
对语句进行优化[将OUTPUT请求的两条语句合并为一条]:
iptables –A OUTPUT –s 172.168.100.1 –mstate –state ESTABLISHED –j ACCEPT
iptables –D OUTPUT 1 –删除第一条规则,但是第二条会自动变成第一条
iptables –D OUTPUT 1 –删除第一条规则,此时才算删除干净了
iptables –L –n
iptables –A INPUT –d 172.16.100.1 –p icmp–icmp-type 8 –j ACCEPT
iptables –L –n
—让别人可以ping通自己
对80和22端口合并
iptables –I INPUT 1 –d 172.16.100.1 –p tcp–m multiport –destination-ports 80,22 –m state –state NEW,ESTABLISHED –j ACCEPT
iptables –D INPUT 2
iptables –D INPUT 2
elinks –dump http://172.16.100.1
—不能本机连接自己
4.4 自定义链
创建:
iptables–N NAME
删除:
iptables–X NAME
置零:
Iptables–Z NAME
iptables –N come_in
iptables –L –n -v
iptables –X come_in
iptables –L –n –v
iptables –Z INPUT
iptables –L –n –v
iptables –A INPUT –d 172.16.100.1 –p tcp–dport 80 –j ACCEPT
iptables –L –n –v
iptables –Z INPUT
iptables –L –n –v
netstat –tnlp
service httpd start
setenforce 0
service httpd start
iptables –A INPUT –i lo –j ACCEPT
iptables –A OUTPUT –o lo –j ACCEPT
—让localhost对localhost本地访问ACCEPT
TCP
被动打开:LISTEN,SYN_RECV,ESTABLISHED
主动打开:SYN_SENT,ESTABLISHED
主动关闭:FIN_WAIT1,FIN_WAIT2,CLOSING,TIME_WAIT,CLOSED
被动关闭:CLOSE_WAIT,LAST_ACK,CLOSED,LISTEN
iptables –N clean_in
iptables –A clean_in –d 255.255.255.255 –picmp –j DROP
iptables –A clean_in –d 172.16.255.255 –picmp j DROP
iptables –A clean_in –p tcp ! –syn –m state–state NEW –j DROP
iptables –A clean_in –p tcp –tcp-flags ALLALL –j DROP
iptanles –A clean_in –p tcp –tcp-flags ALLNONE –j DROP
iptables –A clean_in –d 172.16.100.1 –jRETURN –跳出clean_in链
iptables –A INPUT –d 172.16.100.1 –j clean_in –跳到clean_in链上
iptables –A INPUT –i lo –j ACCEPT
iptables –A OUTPUT –o lo –j ACCEPT
iptables –A INPUT –i eth0 –m multiport –ptcp –dports 53,113,135,137,139,445,-j DROP
iptables –A INPUT –i eth0 –m multiport –pudp –dports 53,113,135,137,139,445,-j DROP
iptables –A INPUT –i eth0 –p udp –dport1026 –j DROP
iptables –A INPUT –i eth0 –m multiport –ptcp –dport 1433,4899 –j DROP
iptables –A INPUT –p icmp –m limit –limit10/second –j ACCEPT
iptables –A INPUT ! –syn –p tcp –m state–state NEW –j DROP
iptables –A INPUT –p tcp –tcp-flags ALLALL –j DROP
iptables –A INPUT –p tcp –tcp-flags ALLNONE –j DROP
iptables –A INPUT –p icmp –d255.255.255.255 –j DROP
iptables –A INPUT –p icmp –d 172.16.255.255–j DROP
4.5 限定链接速率
显示扩展(续)
/lib/iptables
-mlimit
3/s,1000
–limit3/min
–limit-burst3000
iptables –A INPUT –i eth0 –d 172.16.100.1–p icmp –icmp-type 8 –m limit –limit 5/minute –limit-burst 8 –j ACCEPT
iptables –A INPUT –i eth0 –d 172.16.100.1–p icmp –icmp-type 8 –j DROP
iptables –I INPUT 1 –i eth0 –d 172.16.100.1–p tcp –dport 22 –m state –state ESTABLISHED –j ACCEPT
iptables –I INPUT 2 –i eth0 –d 172.16.100.1–p tcp –dport 22 –m limit –limit 2/minute –limit-burst 2 –m state –stateNEW –j ACCEPT
这两条可以写成一条命令
iptables –I INPUT 1 –i eth0 –d 172.16.100.1–p tcp –dport 22 –m limit –limit 2/minute –limit-burst 2 –m state –state NEW, ESTABLISHED –j ACCEPT
iptables –I INPUT 3 –i eth0 –d 172.16.100.1–p tcp –dport 22 –j DROP
—对SSH的访问值限定
4.6 限定连接数
/lib/iptables
-mconnlimit
[!] –connlimit-above n –多于n个表示满足条件,表示应该不允许的个数
-miprage
–src-rangeip-ip
–dst-rangeip-ip
-mmac
–mac-sourceXX:XX:XX:XX:XX:XX
-mstring
–algo[kmp|bm]
–string“STRING”
iptables–I OUTPUT 1 –o eth0 –s 172.16.100.1 –p tcp –dport 80 –m string –algo kmp–string “sex” –j DROP
iptables–L –n -v
-mrecent
利用iptables的recent模块来抵御DOS攻击
SSH:远程连接,
iptables –I INPUT –p tcp –dport 22 –mconnlimit –connlimit-above 3 –j DROP
iptables –I INPUT –p tcp –dport 22 –mstate –state NEW –m recent –set –name SSH
iptables –I INPUT –p tcp –dport 22 –mstate –state NEW –m –update –seconds 300 –hitcount 3 –name SSH –j DROP
iptables –A INPUT –p tcp –dport 22 –mstate –state NEW –m recent –update –name SSH–seconds 300 –hitcount 3 –jLOG –log-prefix “SSH ATTACK”
–记录日志
4.7 网卡的源地址转发模拟
模拟图:
说明:
Intra Host IP:192.168.10.2模式为Vmnet1 ifconfig eth0192.168.10.2/24(ping192.168.100.1不通)
routeadd default gw 192.168.10.1(指定网关时候,还是ping192.168.100.1不通了,需要转发一次)
Iptables eth0 IP:192.168.10.1 模式为Vmnet1 ifconfig eth0 192.168.10.1/24
Serverhttpd start
打开主机的转发功能(转发)
cat /proc/sys/net/ipv4/ip_forward —输出0
echo1 > /proc/sys/net/ipv4/ip_forward
Iptables eth1 IP:192.168.100.1模式为Bridge ifconfig eth1 192.168.100.1/16
Internet Host IP:192.168.100.2模式为Bridge ifconfig eth0 192.168.100.2/16
vi/var/www/html/index.html
thisis a test!
route add default gw 192.168.100.1
当100.1ping100.2时候抓包
tcpdump–i eth0 –nn –X host 172.16.100.2 (100.2)
ping 192.168.100.2 (100.1)
tcpdump–i eth0 –nn –X tcp port 80 and host 172.16.100.2 (100.2)
elinks–dump http://172.16.100.2(100.1)
做源地址转换
iptables–t nat –A POSTROUTING –s 192.168.10.1/24 –o eth1 –j SNAT –to-srource172.16.100.1 (Iptables)
iptables–t nat –L –n(100.1)
elinks–dump http://172.16.100.2 (10.2)
iptables–t nat –L –n (100.1)
tail/var/log/httpd/access_log(100.2)
限定只允许80,443,53端口上网
iptables –t nat –A POSTROUTING –s192.168.0.0/24 –p tcp –m multiport –destination-port 80,443,53 –j SNAT–to-source 123.1.21.3
iptables –t nat –A POSTROUTING –s192.168.0.0/24 –p udp –m multiport –destination-port 80,443,53 –j –to-source123.1.21.3
MASQURADE:自动选择一个合适地址作为转换后的源地址
iptables –t nat –A POSTROUTING –s192.168.0.0/24 –p udp –m multiport –destination-port 80,443,53 –j MASQURADE
–此模式用于拨号上网,即外网地址动态获取!
下一篇:某网贷平台遭受攻击