iptables基础详解与实例推荐

Home » 编程开发 » iptables基础详解与实例推荐

一、iptables定义

iptables是一个工作于用户空间的防火墙应用软件,允许系统管理员可以调整设置X表(Xtables)提供相关的系统表格(目前主要位于iptables/netfilter)以及相关的“链”与“规则”来管理网络数据包的流动与转送的动作。因相关动作上的需要,iptables的操作需要用到超级用户的权限。在大部份的Linux系统上面,iptables是使用/usr/sbin/iptables来操作,文件则放置在手册页(Man page[2])底下,可以通过 man iptables 指令取得。通常iptables都需要内核层级的模块来配合运作,Xtables是主要在内核层级里面iptables API运作功能的模块。

主机防火墙:网络层防火墙可视为一种 IP 数据包过滤器,运作在底层的TCP/IP协议堆栈上

网络防火墙:工作于网络边缘的硬件设备;对于到达网络的数据包根据某种规则进行过滤处理。

二、iptables的四表和五链

四表

raw设置为raw时不再iptables做数据包连接跟踪处理mangle用于对数据包的一些传输特性进行修改(TOS、TTL…)nat用于对地址转发功能(端口映射、地址隐射等)filter对数据包的过滤功能(最常用的;默认项)

五链

PREROUTING数据包进入路由之前INPUT数据通过路由表后的目标位本机FORWARD数据通过路由表后的目标不为本机OUTPUT由本机出去的数据包向外发送POSTROUTING从网卡接口出去之前

对应关系

链表FORWARDfilter、mangleINPUTfilter、mangleOUTPUTfilter、mangle、natPREROUTINGmangle、natPOSTROUTINGmangle、nat

表链filterINPUT、FORWARD、OUTPUTnatPREROUTING、OUTPUT、POSTROUTINGmanglePREROUTING、INPUT、OUTPUT、FORWARD、POSTROUTINGrawPREROUTING、OUTPUT

三、基本的用法

1、格式

[Linux85]#man iptablesIPTABLES(8) iptables 1.4.7 IPTABLES(8) iptables -- administration tool for IPv4 packet filtering and NATSYNOPSIS iptables [-t table] {-A|-D} chain rule-specification #指定的链附加或删除规则 iptables [-t table] -I chain [rulenum] rule-specification #指定的链插入一条规则,默认为第一条 iptables [-t table] -R chain rulenum rule-specification #覆盖指定的链中的规则;规则需要重新写 iptables [-t table] -D chain rulenum #删除指定链的规则以行号格式 iptables [-t table] -S [chain [rulenum]] #只显示指定链的规则添加命令 iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] #-F:清空链中的规则 #-L:列出表中的所有规则 #-Z:清空规则计数器 iptables [-t table] -N chain #创建一条自定义空的规则链 iptables [-t table] -X [chain] #删除一条自定义空的规则链 iptables [-t table] -P chain target #为链指定默认策略;指定默认规则 iptables [-t table] -E old-chain-name new-chain-name #修改自定义链名称

2、匹配条件

通用匹配

-s匹配源地址;ip或网络地址;! 可以取反。-d匹配目标地址;ip或网络地址;! 可以取反。-p匹配协议{tcp|udp|icmp}-i数据报文流入的接口;通常{INPUT|FORWARD|PREROUTING}-o数据报文流出的接口;通常{OUTPUT|FORWARD|POSTROUTING}

扩展匹配

隐含扩展:使用-p{tcp|udp|icmp}指定某特定协议后;自动能够对协议进行的扩展

–dport m[-n]:匹配的目标端口;可以是连续的多个端口

–sport m[-n]:匹配的目标端口;可以是连续的多个端口

–tcp-flags:根据tcp的标志位来匹配

–icmp-type:icmp的状态

显式扩展:必须要明确指定的扩展模块

-m:扩展模块名称 –专用选项1 –专用选项2…(/lib64/xtables/*)

[Linux85]#ls /lib64/xtables/libip6t_HL.so libipt_SET.so libxt_SECMARK.so libxt_osf.solibip6t_LOG.so libipt_SNAT.so libxt_TCPMSS.so libxt_owner.solibip6t_REJECT.so libipt_TTL.so libxt_TCPOPTSTRIP.so libxt_physdev.solibip6t_ah.so libipt_ULOG.so libxt_TOS.so libxt_pkttype.solibip6t_dst.so libipt_addrtype.so libxt_TPROXY.so libxt_policy.solibip6t_eui64.so libipt_ah.so libxt_TRACE.so libxt_quota.solibip6t_frag.so libipt_ecn.so libxt_cluster.so libxt_rateest.solibip6t_hbh.so libipt_icmp.so libxt_comment.so libxt_recent.solibip6t_hl.so libipt_realm.so libxt_connbytes.so libxt_sctp.solibip6t_icmp6.so libipt_set.so libxt_connlimit.so libxt_socket.solibip6t_ipv6header.so libipt_ttl.so libxt_connmark.so libxt_standard.solibip6t_mh.so libipt_unclean.so libxt_conntrack.so libxt_state.solibip6t_rt.so libxt_AUDIT.so libxt_dccp.so libxt_statistic.solibipt_CLUSTERIP.so libxt_CHECKSUM.so libxt_dscp.so libxt_string.solibipt_DNAT.so libxt_CLASSIFY.so libxt_esp.so libxt_tcp.solibipt_ECN.so libxt_CONNMARK.so libxt_hashlimit.so libxt_tcpmss.solibipt_LOG.so libxt_CONNSECMARK.so libxt_helper.so libxt_time.solibipt_MASQUERADE.so libxt_DSCP.so libxt_iprange.so libxt_tos.solibipt_MIRROR.so libxt_MARK.so libxt_length.so libxt_u32.solibipt_NETMAP.so libxt_NFLOG.so libxt_limit.so libxt_udp.solibipt_REDIRECT.so libxt_NFQUEUE.so libxt_mac.solibipt_REJECT.so libxt_NOTRACK.so libxt_mark.solibipt_SAME.so libxt_RATEEST.so libxt_multiport.so

multiport:多端口匹配;一次指定多个(15个以内的)离散端口[!] –sports port[,port|,port:port]源端口[!] –dports port[,port|,port:port]目标端口[!] –ports port[,port|,port:port]不区分源与目标端口string:字符串匹配–algo {bm|kmp}字符匹配查找时使用算法;必选[!] –string pattern要查找的字符串;可以取反[!] –hex-string pattern要查找的字符;先编码成16进制的格式iprange:ip地址范围[!] –src-range from[-to]源IP;[!] –dst-range from[-to]目标IP;time:指定时间范围–datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]起始日期–datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]结束日期–timestart hh:mm[:ss]起始时间–timestop hh:mm[:ss]结束时间[!] –monthdays day[,day…]每月几号[!] –weekdays day[,day…]每周几limit:报文速率控制–limit rate[/second|/minute|/hour|/day]number/单位–limit-burst number峰值;最大值connlimit:每IP对指定服务最大并发连接数[!] –connlimit-above n并发超出个数state:状态匹配;根据netfilter内部会话表匹配;能建立连接的都能追踪根据ip_conntrack和nf_conntrack来实现对整个系统连接追踪INVALID无法识别的连接;例如:tcp-flags ALL ALL/ALL NONEESTABLISHED已建立连接的NEW新建立的连接RELATED相关联的;例如命令连接到数据连接

[Linux85]#iptables -A INPUT -d 172.16.251.85 -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT#使用state后;连接追踪模块会自动加载[Linux85]#lsmodModule Size Used bynf_conntrack_ipv4 9506 2nf_defrag_ipv4 1483 1 nf_conntrack_ipv4xt_state 1492 2nf_conntrack 79758 2 nf_conntrack_ipv4,xt_state[Linux85]#iptables -L -n -vChain INPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination  50 3768 ACCEPT tcp -- eth0 * 0.0.0.0/0 172.16.251.85 tcp dpt:22 state NEW,ESTABLISHEDChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 35 packets, 3252 bytes) pkts bytes target prot opt in out source destination [Linux85]#cat /proc/sys/net/nf_conntrack_max15692 #定义了连接追踪的最大值;可以按需调整[Linux85]#[Linux85]#iptables -L -n -vChain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination  357 25520 ACCEPT tcp -- eth0 * 0.0.0.0/0 172.16.251.85 tcp dpt:22 state NEW,ESTABLISHEDChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination  63 6928 ACCEPT tcp -- * * 172.16.251.85 0.0.0.0/0 tcp spt:22 state ESTABLISHED

四、实例演示

1、自定义一个规则链;过滤非法数据包;并被调用

[Linux85]#iptables -N clean_in#建立一条空规则链[Linux85]#iptables -A clean_in -d 172.16.251.85 -p tcp --tcp-flags ALL ALL -j DROP#DROP掉tcp-flags值全为1的[Linux85]#iptables -A clean_in -d 172.16.251.85 -p tcp --tcp-flags ALL NONE -j DROP#DROP掉tcp-flags值全为0的[Linux85]#iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP[Linux85]#iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP# 广播包[Linux85]#iptables -A clean_in -d 172.16.251.85 -j RETURN#检测完无匹配就跳回主链;继续下一条检测[Linux85]#iptables -A INPUT -d 172.16.251.85 -j clean_in#在INPUT调用[Linux85]#iptables -L -n -vChain INPUT (policy ACCEPT 38 packets, 2738 bytes) pkts bytes target prot opt in out source destination  35 2504 clean_in all -- * * 0.0.0.0/0 172.16.251.85 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 23 packets, 3260 bytes) pkts bytes target prot opt in out source destination Chain clean_in (1 references) pkts bytes target prot opt in out source destination  0 0 DROP tcp -- * * 0.0.0.0/0 172.16.251.85 tcp flags:0x3F/0x3F 0 0 DROP tcp -- * * 0.0.0.0/0 172.16.251.85 tcp flags:0x3F/0x00 0 0 DROP icmp -- * * 0.0.0.0/0 172.16.255.255  0 0 DROP icmp -- * * 0.0.0.0/0 255.255.255.255 35 2504 RETURN all -- * * 0.0.0.0/0 172.16.251.85

2、放行本机的ssh端口给指定IP

[Linux85]#iptables -A INPUT -s 172.16.254.28 -d 172.16.251.85 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT#放行新建立和已连接的[Linux85]#iptables -A OUTPUT -s 172.16.251.85 -m state --state ESTABLISHED -j ACCEPT#放行已连接的状态[Linux85]#iptables -P INPUT DROP[Linux85]#iptables -P OUTPUT DROP[Linux85]#iptables -L -n -vChain INPUT (policy DROP 11 packets, 1378 bytes) pkts bytes target prot opt in out source destination  396 29036 ACCEPT tcp -- * * 172.16.254.28 172.16.251.85 tcp dpt:22 state NEW,ESTABLISHEDChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination  91 8328 ACCEPT all -- * * 172.16.251.85 0.0.0.0/0 state ESTABLISHED[Linux87]#ssh 172.16.251.85ssh: connect to host 172.16.251.85 port 22: Connection timed out[Linux87]#测试87这台机器无法连接

3、本机禁ping

[Linux86]#ping 172.16.251.87PING 172.16.251.87 (172.16.251.87) 56(84) bytes of data.64 bytes from 172.16.251.87: icmp_seq=1 ttl=64 time=0.848 ms64 bytes from 172.16.251.87: icmp_seq=2 ttl=64 time=0.401 ms64 bytes from 172.16.251.87: icmp_seq=3 ttl=64 time=0.412 ms[Linux87]#iptables -A INPUT -d 172.16.251.87 -p icmp --icmp-type 8 -j DROP#禁止任何主机对于本机的icmp的请求[Linux87]#iptables -L -vn 查看已匹配到包Chain INPUT (policy ACCEPT 221 packets, 27594 bytes) pkts bytes target prot opt in out source destination  71 5964 DROP icmp -- * * 0.0.0.0/0 172.16.251.87 icmp type 8Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 98 packets, 14732 bytes) pkts bytes target prot opt in out source destination[Linux86]#ping 172.16.251.87 已经无法ping了PING 172.16.251.87 (172.16.251.87) 56(84) bytes of data.

4、放行本机80端口

#首先先放行ssh的22号端口[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT[Linux86]#iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT[Linux86]#iptables -P INPUT DROP[Linux86]#iptables -P OUTPUT DROP[Linux87]#curl http://172.16.251.86/index.htmlcurl: (7) couldn't connect to host[Linux87]##测试无法访问[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 80 -m state --state NEW -j ACCEPT#放行80端口[Linux87]#curl http://172.16.251.86/index.htmlThis a test Page![Linux87]#测试可以访问了[Linux86]#iptables -L -nvChain INPUT (policy DROP 76 packets, 11352 bytes) pkts bytes target prot opt in out source destination  340 27369 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:22 state NEW 3 164 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:80 state NEWChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination  304 34487 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED#上述都可以看到匹配的包

5、放行被动工作的ftp服务

[Linux87]#lftp 172.16.251.86/pubcd `ftp://172.16.251.86/pub' [Connecting...]#测试目前无法连接[Linux86]#iptables -A OUTPUT -s 172.16.251.86 -p tcp --sport 21 -j ACCEPT[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp --dport 21 -j ACCEPT[Linux86]#iptables -A INPUT -d 172.16.251.86 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT[Linux86]#iptables -A OUTPUT -s 172.16.251.86 -p tcp -m state --state ESTABLISHED -j ACCEPT#上述是放行ftp的端口和相关联的会话连接;还需要装载两个模块才能生效[Linux86]#modprobe nf_nat_ftp[Linux86]#modprobe nf_conntrack_ftp[Linux86]#vi /etc/sysconfig/iptables-config# Load additional iptables modules (nat helpers)# Default: -none-# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which# are loaded after the firewall rules are applied. Options for the helpers are# stored in /etc/modprobe.conf.IPTABLES_MODULES="nf_nat_ftp nf_conntrack_ftp"#写到配置文件;下次开机可以自动装载[Linux87]#lftp 172.16.251.86/pubcd ok, cwd=/publftp 172.16.251.86:/pub ls-rw-r--r-- 1 0 0 103 Mar 24 06:23 issuelftp 172.16.251.86:/pub #测试可以正常访问了[Linux86]#iptables -L -nvChain INPUT (policy DROP 326 packets, 41008 bytes) pkts bytes target prot opt in out source destination  1115 80408 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:22 174 9245 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 tcp dpt:21 14 696 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state RELATED,ESTABLISHEDChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 13 packets, 780 bytes) pkts bytes target prot opt in out source destination  671 72480 ACCEPT tcp -- * * 172.16.251.86 0.0.0.0/0 tcp spt:22 199 13355 ACCEPT tcp -- * * 172.16.251.86 0.0.0.0/0 tcp spt:21 14 885 ACCEPT tcp -- * * 172.16.251.86 0.0.0.0/0 state ESTABLISHED匹配到了包;对于上述规则可以进行优化处理;下述进行优化规则[Linux86]#iptables -I INPUT 1 -d 172.26.251.86 -m state --state RELATED,ESTABLISHED -j ACCEPT[Linux86]#iptables -I INPUT 2 -d 172.26.251.86 -p tcp -m multiport --dports 21,22 -m state --state NEW -j ACCEPT[Linux86]#iptables -I OUTPUT 1 -s 172.16.251.86 -m state --state ESTABLISHED -j ACCEPT[Linux86]#iptables -L -nvChain INPUT (policy DROP 2 packets, 406 bytes) pkts bytes target prot opt in out source destination  380 29174 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state RELATED,ESTABLISHED 2 104 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state NEW multiport dports 22,21Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination  50 6192 ACCEPT all -- * * 172.16.251.86 0.0.0.0/0 state ESTABLISHED#优化后;测试ftp正常;且还可以放行例如80等端口

6、屏蔽指定字符串的网页

[Linux87]#curl http://172.16.251.86/admin.htmlThis a admin page![Linux87]#curl http://172.16.251.86/index.htmlThis a test Page![Linux87]#上述访问正常;下面来写规则进行屏蔽admin字符的页面[Linux86]#iptables -I INPUT 1 -d 172.16.251.86 -p tcp -m string --algo bm --string "admin" -j DROP[Linux87]#curl http://172.16.251.86/index.htmlThis a test Page![Linux87]#curl http://172.16.251.86/admin.htmlcurl: (52) Empty reply from server[Linux87]#[Linux86]#iptables -L -nvChain INPUT (policy DROP 13 packets, 1264 bytes) pkts bytes target prot opt in out source destination  13 5510 DROP tcp -- * * 0.0.0.0/0 172.16.251.86 STRING match "admin" ALGO name bm TO 65535 931 79380 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 state RELATED,ESTABLISHED 12 672 ACCEPT tcp -- * * 0.0.0.0/0 172.16.251.86 multiport dports 22,21,80 state NEWChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination  416 47643 ACCEPT all -- * * 172.16.251.86 0.0.0.0/0 state ESTABLISHED

五、配置nat转发在不同网络放行web等服务

NAT:网络地址转换;iptables基于SNAT和DNAT这两个目标实现地址转换技术。

SNAT:源地址转换;用于让内网主机访问互联网。在POSTROUTING或OUTPUT上写规则。

DNAT:目标地址转换;让互联网上主机访问本地内网中的某服务器上的服务。在PREROUTING上写规则。

大致规划:

配置三台虚拟机:

linux87:172.16.251.87(内网)/192.168.111.11(外网)

linux86:172.16.251.86 网关指向:172.16.251.87

linux12:192.168.111.12

假设由192.168.111.12充当外网提供ftp和web等服务;

linux87:

[Linux87]#ifconfigeth0 Link encap:Ethernet HWaddr 00:0C:29:5E:1E:4F inet addr:172.16.251.87 Bcast:172.16.255.255 Mask:255.255.0.0 inet6 addr: fe80::20c:29ff:fe5e:1e4f/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:44356 errors:0 dropped:0 overruns:0 frame:0 TX packets:8569 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:5091283 (4.8 MiB) TX bytes:4238794 (4.0 MiB) Interrupt:19 Base address:0x2000eth1 Link encap:Ethernet HWaddr 00:0C:29:5E:1E:59 inet addr:192.168.111.11 Bcast:192.168.111.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe5e:1e59/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:122 errors:0 dropped:0 overruns:0 frame:0 TX packets:35 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:11513 (11.2 KiB) TX bytes:2615 (2.5 KiB)#配置好IP地址后开启转发功能;[Linux87]#sysctl net.ipv4.ip_forward=1net.ipv4.ip_forward = 1[Linux87]#

linux86:

[Linux86]#ifconfigeth0 Link encap:Ethernet HWaddr 00:0C:29:DF:70:B6 inet addr:172.16.251.86 Bcast:172.16.255.255 Mask:255.255.0.0 inet6 addr: fe80::20c:29ff:fedf:70b6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:21060 errors:0 dropped:0 overruns:0 frame:0 TX packets:5558 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1984222 (1.8 MiB) TX bytes:707372 (690.7 KiB)#配置网关[Linux86]#route add default gw 172.16.251.87[Linux86]#route -nKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth00.0.0.0 172.16.251.87 0.0.0.0 UG 0 0 0 eth0

为了演示方便;这里先把192.168.111.12的网关指向111.11;后续操作时在删除这个网关

linux12:

[Linux12]#ifconfigeth0 Link encap:Ethernet HWaddr 00:0C:29:4D:AE:B9 inet addr:192.168.111.12 Bcast:192.168.111.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe4d:aeb9/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:268 errors:0 dropped:0 overruns:0 frame:0 TX packets:180 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:23231 (22.6 KiB) TX byte#提供ftp和web等服务[Linux12]#ss -tunl | grep 80tcp LISTEN 0 128 :::80 :::* [Linux12]#ss -tunl | grep 21udp UNCONN 0 0 *:35216 *:* tcp LISTEN 0 32 *:21 *:* [Linux12]#[Linux12]#vi /var/www/html/index.htmlThis is 192.168.111.12 page![Linux12]#cd /var/ftp/pub/[Linux12]#touch 192.168.111.12.txt[Linux12]#ls192.168.111.12.txt[Linux12]#

上述配置完成后内部网络其实已经可以访问了;因为转发功能已开启;且网关都以指向251.87这台机器;所以这里可以看下效果

[Linux87]#curl http://192.168.111.12This is 192.168.111.12 page![Linux87]#[Linux86]#curl http://192.168.111.12This is 192.168.111.12 page![Linux86]#[Linux86]#lftp 192.168.111.12/pubcd ok, cwd=/publftp 192.168.111.12:/pub ls-rw-r--r-- 1 0 0 0 Mar 28 08:39 192.168.111.12.txt#测试访问都是正常的[Linux12]#tail -3 /var/log/httpd/access_log192.168.111.11 - - [28/Mar/2014:16:42:39 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" #这台是中间路由机器172.16.251.86 - - [28/Mar/2014:16:45:26 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" #这台是linux86172.16.254.28 - - [28/Mar/2014:16:45:45 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" #这台是宿主机的IP[Linux12]#

下面先把192.168.111.12上的网关删除;而后做SNAT转发后在查看下日志

[Linux86]#curl http://192.168.111.12curl: (7) couldn't connect to host[Linux86]#下面写入规则[Linux87]#iptables -t nat -A POSTROUTING -s 172.16.251.86 -j SNAT --to-source 192.168.111.11[Linux86]#curl http://192.168.111.12This is 192.168.111.12 page![Linux86]#再次测试;访问正常加入网关;来查看下日志[Linux12]# tail -4 /var/log/httpd/access_log172.16.254.28 - - [28/Mar/2014:16:45:45 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"192.168.111.11 - - [28/Mar/2014:16:52:33 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"192.168.111.11 - - [28/Mar/2014:16:54:31 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"192.168.111.11 - - [28/Mar/2014:16:54:32 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"[Linux12]# 上面的访问地址都已变成linux87这台外网IP了

上面的SNAT转换以成功;下面进行DNAT地址转换

[Linux87]#ss -tunl | grep 80[Linux87]##linux87主机上不提供web服务[Linux86]#curl http://172.16.251.87curl: (7) couldn't connect to host[Linux86]#测试也无法访问;现在把目标地址转换到192.168.111.12上。此时192.168.111.12不是作为外网提供;可以想象是作为内网的;与SNAT相互调换即可[Linux87]#iptables -t nat -A PREROUTING -d 172.16.251.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.111.12DNAT转换需要在PREROUTING上添加规则[Linux86]#curl http://172.16.251.87This is 192.168.111.12 page![Linux86]##测试访问成功;宿主机上也是可以正常访问的;因为源地址是开放给所有主机的;如需要屏蔽;可以在FORWARD上DROP需要屏蔽的IP即可而是自己。在你成功地把自己推销给别人之前,
iptables基础详解与实例推荐

相关文章:

你感兴趣的文章:

标签云:

亚洲高清电影在线, 免费高清电影, 八戒影院夜间, 八戒电影最新大片, 出轨在线电影, 午夜电影院, 在线影院a1166, 在线电影院, 在线观看美剧下载, 日本爱情电影, 日韩高清电影在线, 电影天堂网, 直播盒子app, 聚合直播, 高清美剧, 高清美剧在线观看 EhViewer-E站, E站, E站绿色版, qqmulu.com, qq目录网, qq网站目录,