Enterprise firewalls in practice: how iptables works

  Firewall types:

  Packet-filtering firewalls (decide on IP/TCP header fields):

  simple (stateless) packet filtering, and stateful packet filtering, which also tracks connection state

  Application-layer gateway firewalls: inspect specific application-layer protocols

  Hardware appliances:

  Netscreen, Check Point

  Linux kernel:

  TCP/IP: the network subsystem

  Enable forwarding on a Linux host: /proc/sys/net/ipv4/ip_forward (write 1; net.ipv4.ip_forward = 1 in sysctl.conf makes it persistent)

  View the Linux routing table: route -n, netstat -rn (ip route on modern systems)

  ipfw                  -- Linux kernel 2.0

  ipchains              -- Linux kernel 2.2

  iptables              -- Linux kernel 2.4 and later

  iptables: the user-space tool

  it writes the rules into:

  netfilter

  the framework inside the kernel

  hook functions at fixed points along the packet path

  Rule chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

  Source address translation: SNAT        -- rewrites the source address as the packet is about to leave, on the outgoing interface (POSTROUTING)

  Destination address translation: DNAT   -- rewrites the destination address as the packet has just arrived, on the incoming interface (PREROUTING)

  Port address translation: PNAT          -- port rewriting; in iptables it is done by SNAT/DNAT with a port appended to --to-source/--to-destination, or by REDIRECT

  4.2 Firewall functions (the four tables):

  filter                   -- filtering

  nat                      -- address translation

  mangle                   -- modifying packet headers (TTL, TOS, marks)

  raw                      -- marking packets that should bypass connection tracking (NOTRACK)

  Packet filtering match flow:

  Traffic paths through the chains:

  Destined for the local host:

  PREROUTING -> INPUT

  Forwarded through the host:

  PREROUTING -> FORWARD -> POSTROUTING

  Generated by the local host:

  OUTPUT -> POSTROUTING

  Tables and the chains each one has:

  raw: PREROUTING, OUTPUT

  mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

  nat: PREROUTING, OUTPUT, POSTROUTING (kernels 2.6.34 and later also have a nat INPUT chain)

  filter: INPUT, FORWARD, OUTPUT

  Table/chain matrix:

  table     PREROUTING   INPUT   FORWARD   OUTPUT   POSTROUTING
  raw       yes          -       -         yes      -
  mangle    yes          yes     yes       yes      yes
  nat       yes          -       -         yes      yes
  filter    -            yes     yes       yes      -

  Where several tables hook the same chain, they are consulted in the order raw, mangle, nat, filter.

  Filtering:

  Match criteria

  provided by netfilter match modules

  and by extension modules

  Actions (targets)

  ACCEPT

  DROP, REJECT (DROP discards silently; REJECT sends an error back to the sender)

  4.3 iptables usage

  iptables [-t TABLE] COMMAND CHAIN [CRITERIA] -j TARGET

  -t selects the table: raw, mangle, nat, filter [default]

  COMMAND: manages a chain, or the rules within a chain

  Rules within a chain:

  -A              -- append a new rule at the end of the chain

  -I #            -- insert a rule; # is the position it takes (default 1, i.e. first)

  -R #            -- replace rule number #

  -D #            -- delete rule number #, or -D CRITERIA to delete the first rule whose specification matches exactly

  Chains:

  -N              -- create a user-defined chain

  -X              -- delete an empty user-defined chain

  -E              -- rename a user-defined chain

  -F              -- flush the given chain; with no chain, flush every chain in the table

  -P              -- set the default policy of a built-in chain

  -Z              -- zero the counters (every rule, and the default policy too, has two counters: the number of packets matched by the rule and the total size in bytes of those packets)

  -L              -- list rules

  -v                        -- verbose (shows counters and interfaces)

  -vv                       -- more verbose

  --line-numbers            -- show rule numbers

  -x                        -- exact counter values (no K/M/G rounding)

  -n                        -- numeric output, no reverse DNS or service-name lookups

  iptables service (SysV init, RHEL/CentOS 5 and 6):

  service script: /etc/rc.d/init.d/iptables

  script configuration file: /etc/sysconfig/iptables-config

  saved rules: /etc/sysconfig/iptables

  service iptables {status|start|stop|restart|save}

  On systemd-based releases the script comes from the iptables-services package (or is replaced by firewalld); iptables-save > FILE and iptables-restore < FILE work everywhere.

  ls /etc/rc.d/init.d

  ...      iptables    ...

  ls /etc/sysconfig

  ...      iptables-config                   ...

  service iptables status

  cat /etc/sysconfig/iptables

  service iptables start

  touch /etc/sysconfig/iptables        -- the init script refuses to start until the rules file exists

  service iptables start

  iptables -L -n

  iptables -t raw -L -n

  iptables -t nat -L -n

  iptables -t mangle -L -n

  iptables -t raw -L -n -v

  Match criteria:

  Generic matches:

  -s                  -- source address

  -d                  -- destination address

  either a single IP

  or NETWORK/MASK (CIDR prefix length or dotted mask)

  prefix with ! to negate (! -s 10.0.0.0/8)

  -p {icmp|tcp|udp}   -- protocol

  -i IN_INTERFACE     -- inbound interface (valid in PREROUTING, INPUT, FORWARD)

  -o OUT_INTERFACE    -- outbound interface (valid in FORWARD, OUTPUT, POSTROUTING)

  -j TARGET

  ACCEPT

  DROP

  REJECT

  REDIRECT

  DNAT

  SNAT

  MASQUERADE

  LOG

  Extended matches:

  Implicit extensions (loaded automatically by -p)

  -p tcp

  --sport PORT[:PORT2]

  --dport PORT[:PORT2]

  --tcp-flags SYN,ACK,RST,FIN SYN   (first list: flags to examine; second list: flags that must be set; this combination equals --syn)

  -p udp

  --sport PORT[:PORT2]

  --dport PORT[:PORT2]

  -p icmp

  --icmp-type

  0: echo-reply             -- response

  8: echo-request           -- request

  Explicit extensions

  matches provided by netfilter extension modules; they extend the match criteria and usually take their own dedicated options

  -m state   -- connection state tracking

  --state

  NEW, ESTABLISHED,

  RELATED [e.g. the FTP data connection], INVALID [packets conntrack cannot classify]

  (on current kernels -m conntrack --ctstate is the preferred spelling of the same match)

  -m multiport   (up to 15 ports, comma-separated; a:b gives a range)

  --source-ports (--sports)

  --destination-ports (--dports)

  --ports

  rpm -ql iptables

  ......

  /lib/iptables/libipt_state.so         -- the state extension module

  ......

  /lib/iptables/libipt_multiport.so     -- the multiport extension module

  ......

  (newer releases ship them as /usr/lib64/xtables/libxt_*.so)

  iptables -t filter -A INPUT -s 172.16.0.0/16 -p icmp --icmp-type 8 -j DROP

  -- hosts in 172.16.0.0/16 can no longer ping this machine

  iptables -t filter -L -n

  ......

  target       prot         opt    source                      destination

  DROP         icmp         --     172.16.0.0/16               0.0.0.0/0                    icmptype 8

  ......

  iptables -t filter -L -n -v

  iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p icmp --icmp-type 0 -j DROP

  -- echo replies from 172.16.0.0/16 are dropped, so when this machine [172.16.100.1] pings a host in that network it gets no response

  iptables -t filter -D INPUT 2

  -- delete the second rule of the filter table's INPUT chain

  iptables -A INPUT ! -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 80 -j DROP

  -- only hosts in 172.16.0.0/16 may reach 172.16.100.1:80; everyone else is dropped (older iptables releases wrote the negation as -s ! 172.16.0.0/16)

  iptables -L -n

  iptables -t filter -F INPUT

  iptables -L -n

  iptables -F      -- flush all rules in the filter table (the default policies are left as they are)

  iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT

  -- allow SSH to 172.16.100.1 from any host

  iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 22 -j ACCEPT

  -- and let the SSH server's replies out (with a DROP policy on OUTPUT, both directions need a rule)

  iptables -L -n

  iptables -t filter -P INPUT DROP

  iptables -t filter -P OUTPUT DROP

  iptables -L -n -v

  -- everything except port 22 is now dropped

  iptables -A INPUT -d 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT

  iptables -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT

  -- other hosts can now ping this machine

  iptables -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT

  iptables -A INPUT -d 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT

  -- this machine can now ping other hosts (its echo-request leaves through OUTPUT, the echo-reply arrives through INPUT)

  iptables -F      -- careful: the policies are still DROP, so flushing over an SSH session locks you out; set the policies back to ACCEPT first

  iptables -L -n

  iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

  iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  iptables -P INPUT DROP

  iptables -P OUTPUT DROP

  iptables -L -n -v

  -- inbound SSH works, but OUTPUT only accepts ESTABLISHED, so this machine cannot open any new SSH connection of its own

  iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

  iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  -- the same for HTTP: the machine serves port 80 but cannot initiate new connections to port 80 elsewhere

  Optimisation [merge the two OUTPUT rules into one]:

  iptables -A OUTPUT -s 172.16.100.1 -m state --state ESTABLISHED -j ACCEPT

  iptables -D OUTPUT 1     -- delete the first rule; the old second rule now becomes rule 1

  iptables -D OUTPUT 1     -- delete rule 1 again; only the merged rule is left

  iptables -L -n

  iptables -A INPUT -d 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT

  iptables -L -n

  -- other hosts can ping this machine (the echo-reply leaves under the merged ESTABLISHED rule)

  Merge the rules for ports 80 and 22:

  iptables -I INPUT 1 -d 172.16.100.1 -p tcp -m multiport --dports 80,22 -m state --state NEW,ESTABLISHED -j ACCEPT

  iptables -D INPUT 2

  iptables -D INPUT 2

  elinks -dump http://172.16.100.1

  -- the machine cannot connect to itself: its own SYN to 172.16.100.1 is NEW when it passes OUTPUT, where only ESTABLISHED is accepted, so the DROP policy discards it; the loopback rules in 4.4 fix this

  4.4 User-defined chains

  Create:

  iptables -N NAME

  Delete (the chain must be empty and no rule may still jump to it):

  iptables -X NAME

  Zero the counters:

  iptables -Z NAME

  iptables -N come_in

  iptables -L -n -v

  iptables -X come_in

  iptables -L -n -v

  iptables -Z INPUT

  iptables -L -n -v

  iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -j ACCEPT

  iptables -L -n -v

  iptables -Z INPUT

  iptables -L -n -v

  -- zero the counters, generate some traffic, list again: the pkts/bytes columns show which rules actually match and how many packets fall through to the default policy
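  The zero-then-list workflow above is most useful when the rules that never matched can be picked out automatically. The script below is an added example, not code from the page: it parses the output of iptables -L CHAIN -n -v -x --line-numbers, lists rules whose packet counter is still zero, and reports how many packets hit the chain's default policy. The listing embedded in it is constructed to look like the 172.16.100.1 host's INPUT chain; the -x flag matters because without it counters are rounded to 12K/3M and are no longer exact.

```bash
#!/usr/bin/env bash
# Added example: find rules that never matched in `iptables -L -n -v -x --line-numbers` output.
# Real use:  iptables -L INPUT -n -v -x --line-numbers | unused_rules
set -eu

# Constructed sample listing (not captured from a real host); column layout is
# the one iptables prints with -v and --line-numbers.
SAMPLE_LISTING='Chain INPUT (policy DROP 27 packets, 1620 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1432     98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2           0         0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.100.1         tcp dpt:80 state NEW,ESTABLISHED
3          57      3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.100.1         tcp dpt:22 state NEW,ESTABLISHED
4           0         0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
5          12       720 ACCEPT     icmp --  *      *       0.0.0.0/0            172.16.100.1         icmptype 8'

# unused_rules < listing: one line per rule whose packet counter is 0.
# Fields: num pkts bytes target prot opt in out source destination [match details...]
# Header lines ("Chain ...", "num ...") do not start with a number and are skipped.
unused_rules() {
  awk '$1 ~ /^[0-9]+$/ && $2 == 0 {
    printf "rule %s: %s %s", $1, $4, $5
    for (i = 11; i <= NF; i++) printf " %s", $i
    printf "\n"
  }'
}

# policy_packets < listing: packets that reached the end of the chain and were
# handled by the default policy (only built-in chains have one).
policy_packets() {
  awk '/^Chain .*policy/ { gsub(/[()]/, ""); print $5; exit }'
}

printf '%s\n' "$SAMPLE_LISTING" | unused_rules
echo "packets handled by the default policy: $(printf '%s\n' "$SAMPLE_LISTING" | policy_packets)"
```

  A rule with a zero counter after a representative period is either redundant, shadowed by an earlier rule, or written for traffic that never arrives; each case deserves a look before the ruleset is trimmed.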

  netstat -tnlp

  service httpd start

  setenforce 0          -- switches SELinux to permissive mode; a lab shortcut, not something to do on a production host

  service httpd start

  iptables -A INPUT -i lo -j ACCEPT

  iptables -A OUTPUT -o lo -j ACCEPT

  -- ACCEPT everything on the loopback interface so localhost can reach its own services

  TCP connection states

  Passive open (server side): LISTEN, SYN_RECV, ESTABLISHED

  Active open (client side): SYN_SENT, ESTABLISHED

  Active close: FIN_WAIT1, FIN_WAIT2, CLOSING, TIME_WAIT, CLOSED

  Passive close: CLOSE_WAIT, LAST_ACK, CLOSED, LISTEN

  iptables -N clean_in

  iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP

  iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP

  iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP          -- a NEW connection must begin with a bare SYN

  iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP                   -- every flag set (XMAS scan)

  iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP                  -- no flag set (NULL scan)

  iptables -A clean_in -d 172.16.100.1 -j RETURN     -- go back to the calling chain (a packet reaching the end of a user chain returns anyway)

  iptables -A INPUT -d 172.16.100.1 -j clean_in      -- jump into the clean_in chain

  The same checks written directly in INPUT, with a few extra drops and a ping rate limit:

  iptables -A INPUT -i lo -j ACCEPT

  iptables -A OUTPUT -o lo -j ACCEPT

  iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP

  iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP

  iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP

  iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP

  iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT

  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  iptables -A INPUT -p icmp -d 255.255.255.255 -j DROP

  iptables -A INPUT -p icmp -d 172.16.255.255 -j DROP
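  Typing the rules of 4.3 and 4.4 one iptables command at a time leaves the host half-configured between commands and makes the order hard to see. The script below is an added example (not code from the page): it emits the stateful host policy from 4.3 together with the clean_in sanity chain from 4.4 as one iptables-restore ruleset, and lints it for jumps to undeclared chains before anything is loaded. The host address 172.16.100.1, the interface eth0 and the service ports 22 and 80 are assumed values; generating the file needs no privileges, loading it with iptables-restore does.

```bash
#!/usr/bin/env bash
# Added example: the 4.3/4.4 host firewall as one iptables-restore ruleset.
# Assumed: host 172.16.100.1 on eth0, services tcp/22 and tcp/80.
set -eu

HOST_IP="${HOST_IP:-172.16.100.1}"
WAN_IF="${WAN_IF:-eth0}"

# gen_ruleset HOST_IP WAN_IF PORT... -> ruleset in iptables-save format on stdout.
# Policies are DROP, so every -A line is an explicit allow or an explicit sanity drop.
# One ESTABLISHED,RELATED rule per direction replaces the per-port ESTABLISHED rules.
gen_ruleset() {
  host_ip="$1"; wan_if="$2"; shift 2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:clean_in - [0:0]
-A clean_in -p icmp -d 255.255.255.255 -j DROP
-A clean_in -p tcp ! --syn -m state --state NEW -j DROP
-A clean_in -p tcp --tcp-flags ALL ALL -j DROP
-A clean_in -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i $wan_if -d $host_ip -j clean_in
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
  # new connections are accepted only on the published service ports, external side only
  for p in "$@"; do
    printf '%s\n' "-A INPUT -i $wan_if -d $host_ip -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  cat <<EOF
-A INPUT -d $host_ip -p icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# lint_ruleset < ruleset: exit 1 if some -j names a chain that is neither a built-in
# target nor declared with a ':NAME' line, or if there is not exactly one COMMIT.
# iptables-restore would reject such a file at load time; this catches it earlier.
lint_ruleset() {
  awk '
    BEGIN { n = split("ACCEPT DROP REJECT RETURN LOG", b, " "); for (i = 1; i <= n; i++) builtin[b[i]] = 1 }
    /^:/       { defined[substr($1, 2)] = 1 }
    /^-A /     { for (i = 1; i < NF; i++) if ($i == "-j") jumps[$(i + 1)] = NR }
    /^COMMIT$/ { commits++ }
    END {
      bad = 0
      for (t in jumps) if (!(t in builtin) && !(t in defined)) { printf "line %d: jump to undefined chain %s\n", jumps[t], t; bad = 1 }
      if (commits != 1) { printf "expected exactly one COMMIT, found %d\n", commits + 0; bad = 1 }
      exit bad
    }'
}

# count_rules < ruleset -> number of -A lines
count_rules() { grep -c '^-A ' || true; }

RULES="$(gen_ruleset "$HOST_IP" "$WAN_IF" 22 80)"
printf '%s\n' "$RULES" | lint_ruleset
printf '%s\n' "$RULES"
# load atomically (root):  printf '%s\n' "$RULES" | iptables-restore
```

  Loading with iptables-restore replaces the whole filter table in one step, so there is no window in which only part of the policy is active, and the file doubles as the review artefact for the ruleset.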

  4.5 Limiting the connection rate

  Explicit extensions (continued)

  /lib/iptables

  -m limit      -- a token bucket: the rule matches while tokens remain

  --limit RATE             e.g. 3/second, 3/minute (default 3/hour)

  --limit-burst N          size of the initial burst (default 5)

  iptables -A INPUT -i eth0 -d 172.16.100.1 -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 8 -j ACCEPT

  iptables -A INPUT -i eth0 -d 172.16.100.1 -p icmp --icmp-type 8 -j DROP

  -- pings beyond 5 per minute (after an initial burst of 8) fall through to the DROP rule

  iptables -I INPUT 1 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT

  iptables -I INPUT 2 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT

  It is tempting to fold these two into one command:

  iptables -I INPUT 1 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW,ESTABLISHED -j ACCEPT

  but that is wrong: the limit match counts every packet the rule sees, so the combined rule would also throttle the packets of established sessions to 2 per minute. Keep the two-rule form.

  iptables -I INPUT 3 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -j DROP

  -- rate-limits new SSH connections

  4.6 Limiting the number of connections

  /lib/iptables

  -m connlimit      -- limits parallel connections per source address (or per network, with --connlimit-mask)

  [!] --connlimit-above n      -- matches when the source already has more than n connections, i.e. the excess that should be refused

  -m iprange

  --src-range IP-IP

  --dst-range IP-IP

  -m mac

  --mac-source XX:XX:XX:XX:XX:XX     (only usable where the layer-2 header is still visible: PREROUTING, INPUT, FORWARD)

  -m string

  --algo {kmp|bm}

  --string "STRING"

  iptables -I OUTPUT 1 -o eth0 -s 172.16.100.1 -p tcp --dport 80 -m string --algo kmp --string "sex" -j DROP

  -- crude content filter: drops outbound HTTP requests containing the string (plaintext only; it cannot look inside TLS)

  iptables -L -n -v

  -m recent

  Using the recent module to slow down brute-force and DoS attempts

  SSH: remote login

  iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP

  iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

  iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

  Because each -I inserts at the top, the resulting order is: update/hitcount DROP, then --set, then connlimit. A source that has opened 3 new SSH connections within 300 seconds has its next attempt dropped.

  iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH ATTACK "

  -- log the blocked attempts. LOG does not end rule traversal, so it must sit before the DROP rule (appended with -A after the DROP it would never fire); the trailing space in the prefix keeps it apart from the IN= field that follows it in the log line
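  The LOG rule above writes one kernel-log line per blocked attempt. The script below is an added example, not code from the page: it summarises those lines by source address and turns the busiest sources into DROP rules for review. The log lines embedded in it are constructed (made-up addresses and timestamps) but follow the field layout the LOG target produces; on a real host the input would be grep 'SSH ATTACK' /var/log/messages. The match on the prefix works whether or not the trailing space was present when the rule was written.

```bash
#!/usr/bin/env bash
# Added example: summarise "SSH ATTACK" LOG lines by source address.
# Real use:  grep 'SSH ATTACK' /var/log/messages | top_sources
set -eu

# Constructed sample of kernel LOG lines (addresses and hosts are made up).
SAMPLE_LOG='Mar 10 11:02:31 gw kernel: SSH ATTACK IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 11:02:33 gw kernel: SSH ATTACK IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 11:02:40 gw kernel: SSH ATTACK IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=40012 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 10 11:02:41 gw kernel: SSH ATTACK IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=172.16.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 11:03:05 gw kernel: unrelated line without the prefix SRC=10.0.0.5 DPT=22'

# top_sources < log: "count ip" per source, busiest first; lines without the prefix are ignored.
top_sources() {
  awk '/SSH ATTACK/ {
    for (i = 1; i <= NF; i++) if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
  }
  END { for (ip in hits) printf "%d %s\n", hits[ip], ip }' | sort -k1,1nr -k2,2
}

# block_commands THRESHOLD < log: a DROP rule for every source with at least THRESHOLD
# logged attempts. Printed, not executed: review the list before applying it.
block_commands() {
  top_sources | awk -v min="$1" '$1 >= min { printf "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n", $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```

  Static DROP rules accumulate; for anything beyond a handful of addresses, a timed entry in the recent list (or an ipset with a timeout) is easier to keep tidy than editing INPUT by hand.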

  4.7 Lab: source address translation on a gateway

  Topology:

  Description (the notes switch between 192.168.100.x and 172.16.100.x for the outside network; both refer to the same two hosts):

  Intra Host                 IP: 192.168.10.2, VMnet1 (host-only)     ifconfig eth0 192.168.10.2/24   (ping 192.168.100.1 fails: no route)

  route add default gw 192.168.10.1   (with the gateway set, ping 192.168.100.1 still fails until the gateway forwards)

  Iptables host, eth0        IP: 192.168.10.1, VMnet1                  ifconfig eth0 192.168.10.1/24

  service httpd start

  Enable forwarding on the gateway:

  cat /proc/sys/net/ipv4/ip_forward          -- prints 0

  echo 1 > /proc/sys/net/ipv4/ip_forward

  Iptables host, eth1        IP: 192.168.100.1, bridged                ifconfig eth1 192.168.100.1/16

  Internet Host              IP: 192.168.100.2, bridged                ifconfig eth0 192.168.100.2/16

  vi /var/www/html/index.html

  this is a test!

  route add default gw 192.168.100.1

  Capture while 100.1 pings 100.2:

  tcpdump -i eth0 -nn -X host 172.16.100.2     (on 100.2)

  ping 192.168.100.2                            (on 100.1)

  tcpdump -i eth0 -nn -X tcp port 80 and host 172.16.100.2     (on 100.2)

  elinks -dump http://172.16.100.2              (on 100.1)

  Add the source address translation:

  iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 172.16.100.1     (on the Iptables host)

  iptables -t nat -L -n     (on 100.1)

  elinks -dump http://172.16.100.2     (on 10.2)

  iptables -t nat -L -n     (on 100.1)

  tail /var/log/httpd/access_log     (on 100.2: the request is logged from 172.16.100.1, the gateway's address, not from 192.168.10.2)

  Only allow web and DNS traffic out (ports 80, 443, 53):

  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp -m multiport --dports 80,443,53 -j SNAT --to-source 123.1.21.3

  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p udp -m multiport --dports 80,443,53 -j SNAT --to-source 123.1.21.3

  A nat rule only decides what gets translated; packets to other ports are still forwarded, just with their private source address. To actually block them, restrict the filter table's FORWARD chain as well.

  MASQUERADE: uses the address of the outgoing interface as the new source automatically

  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p udp -m multiport --dports 80,443,53 -j MASQUERADE

  -- for dial-up or DHCP uplinks, where the external address is assigned dynamically
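  The gateway in this lab needs three things that the notes show separately: forwarding enabled, a POSTROUTING rule that chooses SNAT or MASQUERADE, and FORWARD rules that enforce the port restriction. The script below is an added example (not the page's code) that generates the nat and filter tables for the gateway as one iptables-restore file and checks the forwarding sysctl. The LAN 192.168.10.0/24 on eth0, the uplink eth1 and the static address 172.16.100.1 are assumed values from the lab; the choice between static and dynamic selects SNAT or MASQUERADE.

```bash
#!/usr/bin/env bash
# Added example: NAT gateway ruleset for the 4.7 lab (nat + FORWARD in one file).
# Assumed: LAN 192.168.10.0/24 behind eth0, uplink eth1, static uplink address 172.16.100.1.
set -eu

# nat_rules MODE EXT_IF LAN_NET [EXT_IP] -> iptables-restore ruleset on stdout
#   static  -> SNAT --to-source EXT_IP   (fixed uplink address)
#   dynamic -> MASQUERADE                (address learned from the interface, e.g. PPPoE/DHCP)
# Loading this replaces the nat and filter tables; use iptables-restore --noflush to merge.
nat_rules() {
  mode="$1"; ext_if="$2"; lan="$3"; ext_ip="${4:-}"
  case "$mode" in
    static)
      [ -n "$ext_ip" ] || { echo "static mode needs EXT_IP" >&2; return 1; }
      target="SNAT --to-source $ext_ip" ;;
    dynamic)
      target="MASQUERADE" ;;
    *)
      echo "unknown mode: $mode (use static or dynamic)" >&2; return 1 ;;
  esac
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext_if -j $target
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -o $ext_if -p tcp -m multiport --dports 80,443,53 -m state --state NEW -j ACCEPT
-A FORWARD -s $lan -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# forwarding_enabled: succeeds only if the running kernel forwards IPv4.
forwarding_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

if forwarding_enabled; then
  echo "ip_forward=1"
else
  echo "ip_forward is not 1: echo 1 > /proc/sys/net/ipv4/ip_forward (net.ipv4.ip_forward = 1 in sysctl.conf to persist)"
fi
nat_rules static eth1 192.168.10.0/24 172.16.100.1
# dial-up/DHCP uplink (root):  nat_rules dynamic ppp0 192.168.10.0/24 | iptables-restore
```

  The FORWARD policy is DROP and only reply traffic plus new connections to the listed ports are forwarded, so a LAN host trying port 25 is refused in the filter table rather than merely left untranslated.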
