Firewall types:
Packet-filtering firewalls (work on IP/TCP headers):
  simple packet filtering
  stateful packet filtering: also tracks connection state
Application-layer gateway firewalls: inspect specific application-layer protocols
Hardware firewalls:
  Netscreen, Checkpoint
Linux kernel:
TCP/IP: the network subsystem
Enable IP forwarding on a Linux host: /proc/sys/net/ipv4/ip_forward
View the Linux routing table: route -n, netstat -rn
ipfw -- Linux kernel 2.0
ipchains -- Linux kernel 2.2
iptables -- Linux kernel 2.4 and later
iptables: the user-space tool used to write the rules
netfilter: the framework inside the kernel
  it registers hook functions at fixed points in the packet path
  these hooks appear to the administrator as the rule chains INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING
Source address translation (SNAT): the source address is rewritten on the interface the packet is about to leave through
Destination address translation (DNAT): the destination address is rewritten on the interface the packet has just arrived on
Port address translation: PNAT --
4.2 Firewall functions (the iptables tables):
filter -- filtering
nat -- address translation
mangle -- packet modification
raw
Packet-filtering match flow:
Which chains a packet passes through depends on where it is going:
  destined for this host:      PREROUTING -> INPUT
  forwarded through this host: PREROUTING -> FORWARD -> POSTROUTING
  originated by this host:     OUTPUT -> POSTROUTING
Tables and the chains each table has:
raw:     PREROUTING, OUTPUT
mangle:  PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
nat:     PREROUTING, OUTPUT, POSTROUTING
filter:  INPUT, OUTPUT, FORWARD

The same information as a grid (table vs. chain):

          PREROUTING  INPUT  FORWARD  OUTPUT  POSTROUTING
raw       yes                         yes
mangle    yes         yes    yes      yes     yes
nat       yes                         yes     yes
filter                yes    yes      yes
Filtering:
Match conditions: evaluated by netfilter's match modules, either the built-in checks or extension modules
Actions (targets):
  ACCEPT
  DROP, REJECT
4.3 iptables usage
iptables [-t TABLE] COMMAND CHAIN [CRITERIA] -j ACTION
-t TABLE: raw, mangle, nat, filter [default]
COMMAND: a management operation on a chain or on the rules in a chain
Rules within a chain:
-A -- append a new rule at the end of the chain
-I # -- insert a rule; # is the position it gets
-R # -- replace rule number #
-D # -- delete rule number #, or -D CRITERIA to delete the rule that matches CRITERIA
Chains:
-N -- create a user-defined chain
-X -- delete an empty user-defined chain
-E -- rename a user-defined chain
-F -- flush the given chain; with no chain given, every chain in the table is flushed
-P -- set the chain's default policy
-Z -- zero the counters (every rule, the default policy included, has two counters: the number of packets this rule matched, and the total size in bytes of those packets)
-L -- list rules
  -v -- verbose
  -vv -- more verbose
  --line-numbers -- show rule numbers
  -x -- show exact counter values instead of rounded ones
  -n -- numeric output; do not resolve addresses or service names to names
iptables on the system:
Service script: /etc/rc.d/init.d/iptables
Script configuration file: /etc/sysconfig/iptables-config
Saved rules: /etc/sysconfig/iptables
service iptables {status|start|stop|restart|save}
ls /etc/rc.d/init.d
... iptables ...
ls /etc/sysconfig
... iptables-config ...
service iptables status
cat /etc/sysconfig/iptables
service iptables start
touch /etc/sysconfig/iptables
service iptables start
iptables -L -n
iptables -t raw -L -n
iptables -t nat -L -n
iptables -t mangle -L -n
iptables -t raw -L -n -v
Match conditions:
Generic matches:
-s -- source address
-d -- destination address
  given as a single IP, as NETWORK/MASK, or negated with !
-p {icmp|tcp|udp} -- protocol
-i IN_INTERFACE -- interface the packet arrives on
-o OUT_INTERFACE -- interface the packet leaves through
-j TARGET
  ACCEPT
  DROP
  REJECT
  REDIRECT
  DNAT
  SNAT
  MASQUERADE
  LOG
Extended matches:
Implicit extensions (loaded automatically by -p):
-p tcp
  --sport PORT[-PORT2]
  --dport PORT[-PORT2]
  --tcp-flags SYN,ACK,RST,FIN SYN  (equivalent to --syn: of the four flags examined, only SYN is set)
-p udp
  --sport PORT[-PORT2]
  --dport PORT[-PORT2]
-p icmp
  --icmp-type
    0: echo-reply -- reply
    8: echo-request -- request
Explicit extensions
Matches provided by netfilter extension modules; they add match conditions and usually need their own dedicated options.
-m state -- connection state tracking
  --state
    NEW, ESTABLISHED,
    RELATED [e.g. the data connection of ftp], INVALID [packets that fit no tracked connection]
-m multiport
  --source-ports
  --destination-ports
  --ports
rpm -ql iptables
......
/lib/iptables/libipt_state.so -- the state extension module
......
/lib/iptables/libipt_multiport.so -- the multiport extension module
......
iptables -t filter -A INPUT -s 172.16.0.0/16 -p icmp --icmp-type 8 -j DROP
-- hosts in 172.16.0.0/16 can no longer ping this host
iptables -t filter -L -n
......
target     prot opt source               destination
DROP       icmp --  172.16.0.0/16        0.0.0.0/0            icmptype 8
......
iptables -t filter -L -n -v
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p icmp --icmp-type 0 -j DROP
-- this host [172.16.100.1] gets no reply when it pings hosts in 172.16.0.0/16, because their echo replies are dropped
iptables -t filter -D INPUT 2
-- delete the second rule of the INPUT chain in the filter table
iptables -A INPUT ! -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 80 -j DROP
-- hosts outside 172.16.0.0/16 are blocked from port 80 of 172.16.100.1
iptables -L -n
iptables -t filter -F INPUT
iptables -L -n
iptables -F  -- flush all rules
iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
-- allow SSH to 172.16.100.1 from every host
iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 22 -j ACCEPT
iptables -L -n
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -L -n -v
-- everything except port 22 is now dropped
iptables -A INPUT -d 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT
-- now other hosts can ping this host
iptables -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -d 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT
-- now this host can ping other hosts (the request leaves through OUTPUT, the reply comes back through INPUT)
iptables -F
iptables -L -n
iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -L -n -v
-- the host accepts incoming SSH but cannot initiate any new SSH connection itself
iptables -t filter -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.100.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-- likewise, the host cannot initiate any new connection to port 80
Optimising the rules [merge the two OUTPUT rules into one]:
iptables -A OUTPUT -s 172.16.100.1 -m state --state ESTABLISHED -j ACCEPT
iptables -D OUTPUT 1  -- delete the first rule; the old second rule now becomes rule 1
iptables -D OUTPUT 1  -- delete rule 1 again; only now are both old rules gone
iptables -L -n
iptables -A INPUT -d 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT
iptables -L -n
-- other hosts can ping this host
Merging the port 80 and port 22 rules:
iptables -I INPUT 1 -d 172.16.100.1 -p tcp -m multiport --destination-ports 80,22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -D INPUT 2
iptables -D INPUT 2
elinks -dump http://172.16.100.1
-- the host cannot connect to itself: its own outgoing SYN is a NEW connection, and the OUTPUT chain only accepts ESTABLISHED
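The ruleset that section 4.3 builds up one command at a time, collected into a single script. This is an added example, not part of the original notes; the `ipt` wrapper, the `DRY_RUN` switch and the `HOST_IP` default are assumptions, and the default policies are set last so that a remote SSH session is not cut off while the script runs.

```shell
#!/bin/sh
# Added example (not from the original notes): the stateful host firewall of
# section 4.3 as one script. HOST_IP is an assumed default; DRY_RUN=1 prints
# the iptables commands instead of executing them, for review before applying.
HOST_IP="${HOST_IP:-172.16.100.1}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: every rule passes through here so the whole set can be previewed.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Start from an empty filter table with zeroed counters.
    ipt -t filter -F
    ipt -t filter -Z
    # Loopback traffic, so local services can talk to localhost.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # One rule covers SSH and HTTP (multiport) and admits NEW connections
    # plus the packets of connections already being tracked.
    ipt -A INPUT -d "$HOST_IP" -p tcp -m multiport --destination-ports 22,80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies of any kind: only packets that belong to a tracked connection,
    # so the host cannot open new connections itself (as in the notes).
    ipt -A OUTPUT -s "$HOST_IP" -m state --state ESTABLISHED -j ACCEPT
    # Others may ping this host; conntrack treats the echo reply as
    # ESTABLISHED, so the OUTPUT rule above already lets it out.
    ipt -A INPUT -d "$HOST_IP" -p icmp --icmp-type 8 -j ACCEPT
    # Default deny in both directions, set last on purpose.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
}

# Number of iptables commands the script issues (useful to sanity-check a preview).
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

build_ruleset
```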
4.4 User-defined chains
Create:
iptables -N NAME
Delete:
iptables -X NAME
Zero the counters:
iptables -Z NAME
iptables -N come_in
iptables -L -n -v
iptables -X come_in
iptables -L -n -v
iptables -Z INPUT
iptables -L -n -v
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -j ACCEPT
iptables -L -n -v
iptables -Z INPUT
iptables -L -n -v
netstat -tnlp
service httpd start
setenforce 0
service httpd start
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
-- accept localhost-to-localhost traffic
TCP connection states
Passive open: LISTEN, SYN_RECV, ESTABLISHED
Active open: SYN_SENT, ESTABLISHED
Active close: FIN_WAIT1, FIN_WAIT2, CLOSING, TIME_WAIT, CLOSED
Passive close: CLOSE_WAIT, LAST_ACK, CLOSED, LISTEN
iptables -N clean_in
iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
iptables -A clean_in -d 172.16.100.1 -j RETURN  -- leave the clean_in chain and continue in the calling chain
iptables -A INPUT -d 172.16.100.1 -j clean_in  -- jump into the clean_in chain
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP
iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p icmp -d 255.255.255.255 -j DROP
iptables -A INPUT -p icmp -d 172.16.255.255 -j DROP
4.5 Rate limiting
Explicit extensions (continued)
/lib/iptables
-m limit  (token bucket: an average rate plus an initial burst, e.g. 3/s with a burst of 1000)
  --limit 3/min
  --limit-burst 3000
iptables -A INPUT -i eth0 -d 172.16.100.1 -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 8 -j ACCEPT
iptables -A INPUT -i eth0 -d 172.16.100.1 -p icmp --icmp-type 8 -j DROP
iptables -I INPUT 1 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
These two can be written as a single command:
iptables -I INPUT 1 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 3 -i eth0 -d 172.16.100.1 -p tcp --dport 22 -j DROP
-- rate-limits access to SSH
4.6 Limiting the number of connections
/lib/iptables
-m connlimit
  [!] --connlimit-above n  -- matches when a source already has more than n connections, i.e. n is the number beyond which further connections should be refused
-m iprange
  --src-range IP-IP
  --dst-range IP-IP
-m mac
  --mac-source XX:XX:XX:XX:XX:XX
-m string
  --algo [kmp|bm]
  --string "STRING"
iptables -I OUTPUT 1 -o eth0 -s 172.16.100.1 -p tcp --dport 80 -m string --algo kmp --string "sex" -j DROP
iptables -L -n -v
-m recent
Using the iptables recent module to fend off DoS attacks
SSH: remote login
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 300 --hitcount 3 -j LOG --log-prefix "SSH ATTACK"
-- log the attempts; inserted above the DROP rule, since a rule appended after the DROP would never be reached
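The rate limiting of section 4.5 and the connlimit/recent protection of section 4.6 put together in the order the rules have to be evaluated. This is an added example, not part of the original notes; the `ipt` wrapper, the `DRY_RUN` switch and the threshold defaults are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: -m limit (4.5) and the
# connlimit/recent SSH guard (4.6), with the rule order made explicit.
# All values are assumed defaults; DRY_RUN=1 prints instead of applying.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-300}"             # seconds the recent module looks back
HITS="${HITS:-3}"                   # NEW SSH connections per source inside the window
MAX_PARALLEL="${MAX_PARALLEL:-3}"   # concurrent SSH connections per source

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# 4.5: echo requests pass at 5/minute with a burst of 8; the excess is dropped.
icmp_guard() {
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 8 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 8 -j DROP
}

# 4.6: brute-force protection. The order is the whole point:
#   1. packets of tracked sessions first, so logins in progress are never throttled
#   2. connlimit caps parallel connections per source address
#   3. the recent --update (check) rules run BEFORE the --set rule; if --set
#      came first, the attempt being recorded would count against itself
#   4. LOG sits above DROP, because nothing after a DROP is evaluated
ssh_guard() {
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m connlimit --connlimit-above "$MAX_PARALLEL" -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name SSH \
        -j LOG --log-prefix "SSH ATTACK "
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name SSH -j DROP
    # Every NEW attempt that survived the checks is recorded under the name SSH.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --set --name SSH -j ACCEPT
}

# Number of rules both guards issue together (sanity check for a preview).
guard_rule_count() { { icmp_guard; ssh_guard; } | wc -l | tr -d ' '; }

icmp_guard
ssh_guard
```

With the defaults, the fourth NEW SSH connection from one address within 300 seconds is logged and dropped; the three before it are accepted and recorded.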
4.7 Simulating source NAT on a two-NIC host
Topology diagram:
Notes:
Intranet host, IP 192.168.10.2, VM network mode VMnet1: ifconfig eth0 192.168.10.2/24 (ping 192.168.100.1 fails)
route add default gw 192.168.10.1 (with the gateway set, ping 192.168.100.1 still fails; the gateway host has to forward the packets first)
iptables host, eth0 IP 192.168.10.1, VMnet1: ifconfig eth0 192.168.10.1/24
service httpd start
Enable forwarding on the iptables host:
cat /proc/sys/net/ipv4/ip_forward  -- prints 0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables host, eth1 IP 192.168.100.1, bridged mode: ifconfig eth1 192.168.100.1/16
Internet host, IP 192.168.100.2, bridged mode: ifconfig eth0 192.168.100.2/16
vi /var/www/html/index.html
this is a test!
route add default gw 192.168.100.1
Capture packets while 100.1 pings 100.2:
tcpdump -i eth0 -nn -X host 172.16.100.2  (on 100.2)
ping 192.168.100.2  (on 100.1)
tcpdump -i eth0 -nn -X tcp port 80 and host 172.16.100.2  (on 100.2)
elinks -dump http://172.16.100.2  (on 100.1)
Apply source address translation:
iptables -t nat -A POSTROUTING -s 192.168.10.1/24 -o eth1 -j SNAT --to-source 172.16.100.1  (on the iptables host)
iptables -t nat -L -n  (on 100.1)
elinks -dump http://172.16.100.2  (on 10.2)
iptables -t nat -L -n  (on 100.1)
tail /var/log/httpd/access_log  (on 100.2)
Only allow Internet access on ports 80, 443 and 53:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp -m multiport --destination-ports 80,443,53 -j SNAT --to-source 123.1.21.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p udp -m multiport --destination-ports 80,443,53 -j SNAT --to-source 123.1.21.3
MASQUERADE: automatically picks a suitable address of the outgoing interface as the translated source address
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p udp -m multiport --destination-ports 80,443,53 -j MASQUERADE
-- this mode is for dial-up connections, i.e. when the external address is obtained dynamically
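The gateway setup of section 4.7 as one script: enable forwarding, then translate only the allowed destination ports, choosing SNAT when the external address is static and MASQUERADE when it is dynamic. This is an added example, not part of the original notes; `LAN_NET`, `WAN_IF`, `WAN_IP`, the `ipt` wrapper and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): a two-NIC Linux host as the
# source-NAT gateway of section 4.7. LAN_NET, WAN_IF and WAN_IP are assumed
# values; leave WAN_IP empty when the external address is dynamic (dial-up),
# and MASQUERADE is chosen instead of SNAT. DRY_RUN=1 previews the commands.
DRY_RUN="${DRY_RUN:-1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
WAN_IF="${WAN_IF:-eth1}"
WAN_IP="${WAN_IP:-}"
ALLOWED_PORTS="${ALLOWED_PORTS:-80,443,53}"

ipt() { if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Static external address -> SNAT to it; dynamic address -> MASQUERADE.
snat_target() {
    if [ -n "$WAN_IP" ]; then echo "SNAT --to-source $WAN_IP"; else echo "MASQUERADE"; fi
}

enable_forwarding() {
    # Without this the kernel never passes packets between the two interfaces.
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_rules() {
    target=$(snat_target)
    # Only the listed destination ports get a translated source address; LAN
    # traffic to any other port would leave with a private source address,
    # so no reply can find its way back.
    for proto in tcp udp; do
        # $target is intentionally unquoted: "SNAT --to-source X" is several arguments.
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -p "$proto" \
            -m multiport --destination-ports "$ALLOWED_PORTS" -j $target
    done
}

gateway_up() { enable_forwarding; nat_rules; }

gateway_up
```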