企业常用防火墙iptables相关原理详解

防火墙的类型：

包过滤型防火墙：(IP/TCP)简单包过滤、带状态检查包过滤(连接状态)简单包过滤带状态检测包过滤：连接状态应用层网关防火墙：(对特定的应用层协议做检查)硬件： Netscreen、checkpoint linux内核： TCP/IP：网络子系统打开linux系统转发功能:/proc/sys/net/ipv4/ip_forward linux路由表查看：route –n、 netstat –rn ipfw ---linux kernel2.0 ipchains ---linuxkernel 2.2 iptables ---linux kernel 2.4以后 iptables：用户空间工具编写规则： netfilter内核中，框架(framework) hookfunction规则链input、 output、 forward、prerouting 、postrouting
源地址转换：SNAT --在即将出去的网卡地址做转换目标地址转换：DNAT --在刚刚进来的网卡地址做转换端口地址转换：PNAT --

4.2 防火墙的功能：

filter ---过滤nat ---转换mangle ---修改raw数据包过滤匹配流程：




转发数据流向：
到本机 PreroutingàInput转发 PreroutingàForwardàPostrouting由本机发出 OutputàPostroutingtable：raw Prerouting、Outputmangle Prerouting、Input 、Output 、Forward、Postroutingnat Prerouting、Output、Postroutingfilter Input、Output 、Forward

	Prerouting	Input	Forward	Output	Postrouting
raw	yes			yes
mangle	yes	yes	yes	yes	yes
nat	yes			yes	yes
filter		yes	yes	yes

过滤：匹配条件 netfilter，检查模块拓展模块处理动作 Accept Drop，Reject

4.3 iptables用法

iptables [-tTABLE] COMMAND CHAIN [CRETIRIA] –jACTION -t 后跟的table:raw manglenat filter[默认] COMMAND:对链或者对链中的规则进行管理操作链中规则： -A ---在链中最后添加一条新的规则 -I # ---插入一条规则，#表示插入为第几条 -R # ---替换第几条规则 -D # ---删除第几条规则或者–DCRETAERIA删除链中规则链： -N ---新建一个自定义链 -X ---删除一个自定义的空链 -E ---重命名一条自定义链 -F ---清空指定链，如果不指定链，就会清空整个表中的链 -P ---设置链的默认策略 -Z ---置零（每条规则，包括默认策略都有两个计算器，一个是被本规则匹配到的所有数据包的个数，另一个是被本规则匹配到的所有数据包的大小之和） -L ---查看 -v --详细 -vv --更加详细 --line-munbers ---行号 -x --显示精确值 -n --不要对地址或者名称做反解【显示数字地址】ipatbes:服务脚本：/ect/rc.d/init.d/iptables脚本配置文件：/ect/sysconfig/iptables-config规则保存位置：/etc/sysconfig/iptables serviceiptables {status|start|stop|restart|save}
ls/ect/rc.d/init.d … iptables … ls/ect/sysconfig … iptables-config …

serviceiptables status cat/etc/sysconfig/iptables serviceiptabes start touch/etc/sysconfig/iptables serviceiptabes start

iptabels–L –niptabels –L raw–niptabels –L nat–niptabels –Lmanagle–niptabels –L raw–n -v

匹配条件：
通用匹配：
-s --源地址
-d --目标地址
IP
NETWORK/MASK
!
-p {icmp|tcp|udp} --协议
-iIN_INTERFACE --指定流入接口
-oOUT_INTERFACE --指定流出接口
-jTARGET
ACCEPT
DROP
REJECT
REDIRECT
DNAT
SNAT
MASQUERADE
LOG
扩展匹配：
隐式扩展
-p tcp
--sportPORT[-PORT2]
--dportPORT[-PORT2]
--tcp-flagsSYN,ACK,RST,FIN SYN (=--syn )
-p udp
--sportPORT[-PORT2]
--dportPORT[-PORT2]
-p icmp
--icmp-type
0:echo-reply ---响应
8:echo-request ---请求
显示扩展
netfilter扩展模块引入的扩展，用于扩展匹配条件，通常需要额外专用选项来定义
-m state --用于实现链接的姿态检测
--state
NEW,ESTABLISHED,
RELATED[例如fdp],INVALID[无效的]
-mmultiport
--source-ports
--destination-ports
--ports
rpm–ql iptables
……/lib/iptables/libipt_state.so ---扩展state模块……/lib/iptables/libipt_mutiport --扩展mutiport模块…….

iptabes–t filter –A INPUT –s 172.16.0.0/16 –p icmp –-icmp-type 8 –j DROP ---不允许172.16.0.0/16网段的用户ping本机 iptables–t filter –L –n …… target port opt source destination DROP icmp -- 172.16.0.0/16 0.0.0.0/0 icmptype 8 …… iptables–t filter –L –n -v

iptabes –t filter –A INPUT –s 172.16.0.0/16–d 172.16.100.1 –p icmp –-icmp-type 0 –j DROP ---不允许本机[172.16.100.1]ping172.16.0.0/16主机没有响应iptables –t filter –D INPUT 2 --删除filter表的第二条规则iptables –A INPUT –s !172.16.0.0/16 –d172.16.100.1 –p tcp –dport 80 –j DROP --让除了172.16.0.0/16的主机访问172.16.100.1:80端口iptables –L –niptabels –t filter –F INPUTiptabels –L –niptables –F --清除所有的规则

iptables –t filter –A INPUT –d 172.16.100.1–p tcp –dport 22 –j ACCEPT--让所有机器的ssh访问172.16.100.1iptables –t filter –A OUTPUT –s172.16.100.1 –p tcp –sport 22 –j ACCEPTiptables –L –niptables –t filter –P INPUT DROPiptables –t filter –P OUTPUT DROPiptables –L –n –v---将除了22端口都Drop掉iptables –A INPUT –d 172.16.100.1 –p icmp –-icmp-type8 –j ACCEPTiptables –A OUTPUT –s 172.16.100.1 –p icmp–-icmp-type 0 –j ACCEPT---现在别人可以ping通自己iptables –A INPUT –s 172.16.100.1 –p icmp–-icmp-type 8 –j ACCEPTiptables –A OUTPUT –d 172.16.100.1 –p icmp –-icmp-type0 –j ACCEPT---现在可让自己ping别人

iptables –Fiptable –L –niptables –t filter –A INPUT –d 172.16.100.1–p tcp --dport 22 –m state --state NEW,ESTABLISHED –j ACCEPTiptables –t filter –A OUTPUT –s172.16.100.1 –p tcp --sport 22 –m state --state ESTABLISHED -j ACCEPTiptables –P INPUT DROPiptables –P OUTPUT DROPiptables –L –n -v---不让本机建立任何新的ssh请求

iptables –t filter –A INPUT –d 172.16.100.1–p tcp --dport 80 –m state --state NEW,ESTABLISHED –j ACCEPTiptables –t filter –A OUTPUT –s172.16.100.1 –p tcp --sport 80 –m state --state ESTABLISHED -j ACCEPT---不让本机建立任何新的80端口请求

对语句进行优化[将OUTPUT请求的两条语句合并为一条]:iptables –A OUTPUT –s 172.168.100.1 –mstate --state ESTABLISHED –j ACCEPT iptables –D OUTPUT 1 --删除第一条规则,但是第二条会自动变成第一条iptables –D OUTPUT 1 --删除第一条规则,此时才算删除干净了iptables –L –n

iptables –A INPUT –d 172.16.100.1 –p icmp--icmp-type 8 –j ACCEPTiptables –L –n---让别人可以ping通自己

对80和22端口合并iptables –I INPUT 1 –d 172.16.100.1 –p tcp–m multiport –destination-ports 80,22 –m state –state NEW,ESTABLISHED –j ACCEPTiptables –D INPUT 2iptables –D INPUT 2

elinks –dump http://172.16.100.1---不能本机连接自己

4.4 自定义链

创建: iptables–N NAME删除: iptables–X NAME置零: Iptables–Z NAMEiptables –N come_iniptables –L –n -viptables –X come_iniptables –L –n –viptables –Z INPUTiptables –L –n –v

iptables –A INPUT –d 172.16.100.1 –p tcp--dport 80 –j ACCEPTiptables –L –n –viptables –Z INPUTiptables –L –n –v

netstat –tnlpservice httpd startsetenforce 0service httpd start

iptables –A INPUT –i lo –j ACCEPTiptables –A OUTPUT –o lo –j ACCEPT---让localhost对localhost本地访问ACCEPT

TCP

被动打开:LISTEN,SYN_RECV,ESTABLISHED主动打开:SYN_SENT,ESTABLISHED

主动关闭:FIN_WAIT1,FIN_WAIT2,CLOSING,TIME_WAIT,CLOSED被动关闭:CLOSE_WAIT,LAST_ACK,CLOSED,LISTEN

iptables –N clean_iniptables –A clean_in –d 255.255.255.255 –picmp –j DROPiptables –A clean_in –d 172.16.255.255 –picmp j DROPiptables –A clean_in –p tcp ! –syn –m state–state NEW –j DROPiptables –A clean_in –p tcp --tcp-flags ALLALL –j DROPiptanles –A clean_in –p tcp --tcp-flags ALLNONE –j DROPiptables –A clean_in –d 172.16.100.1 –jRETURN --跳出clean_in链

iptables –A INPUT –d 172.16.100.1 –j clean_in --跳到clean_in链上

iptables –A INPUT –i lo –j ACCEPTiptables –A OUTPUT –o lo –j ACCEPT

iptables –A INPUT –i eth0 –m multiport –ptcp --dports 53,113,135,137,139,445,-j DROPiptables –A INPUT –i eth0 –m multiport –pudp --dports 53,113,135,137,139,445,-j DROPiptables –A INPUT –i eth0 –p udp --dport1026 –j DROPiptables –A INPUT –i eth0 –m multiport –ptcp --dport 1433,4899 –j DROP

iptables –A INPUT –p icmp –m limit –limit10/second –j ACCEPT

iptables –A INPUT ! --syn –p tcp –m state–state NEW –j DROPiptables –A INPUT –p tcp --tcp-flags ALLALL –j DROPiptables –A INPUT –p tcp --tcp-flags ALLNONE –j DROP

iptables –A INPUT –p icmp –d255.255.255.255 –j DROPiptables –A INPUT –p icmp –d 172.16.255.255–j DROP

4.5 限定链接速率

显示扩展(续)/lib/iptables -mlimit 3/s,1000 --limit3/min --limit-burst3000iptables –A INPUT –i eth0 –d 172.16.100.1–p icmp --icmp-type 8 –m limit --limit 5/minute --limit-burst 8 –j ACCEPTiptables –A INPUT –i eth0 –d 172.16.100.1–p icmp --icmp-type 8 –j DROP

iptables –I INPUT 1 –i eth0 –d 172.16.100.1–p tcp --dport 22 –m state –state ESTABLISHED –j ACCEPTiptables –I INPUT 2 –i eth0 –d 172.16.100.1–p tcp --dport 22 –m limit --limit 2/minute --limit-burst 2 –m state --stateNEW –j ACCEPT这两条可以写成一条命令iptables –I INPUT 1 –i eth0 –d 172.16.100.1–p tcp --dport 22 –m limit --limit 2/minute --limit-burst 2 –m state --state NEW, ESTABLISHED –j ACCEPTiptables –I INPUT 3 –i eth0 –d 172.16.100.1–p tcp --dport 22 –j DROP---对SSH的访问值限定

4.6 限定连接数

/lib/iptables -mconnlimit[!] --connlimit-above n --多于n个表示满足条件,表示应该不允许的个数

-miprage --src-rangeip-ip --dst-rangeip-ip -mmac --mac-sourceXX:XX:XX:XX:XX:XX -mstring --algo[kmp|bm] --string“STRING” iptables–I OUTPUT 1 –o eth0 –s 172.16.100.1 –p tcp --dport 80 –m string --algo kmp--string “sex” –j DROP iptables–L –n -v -mrecent

利用iptables的recent模块来抵御DOS攻击SSH:远程连接,iptables –I INPUT –p tcp --dport 22 –mconnlimit --connlimit-above 3 –j DROPiptables –I INPUT –p tcp --dport 22 –mstate --state NEW –m recent --set --name SSHiptables –I INPUT –p tcp --dport 22 –mstate --state NEW –m --update --seconds 300 --hitcount 3 --name SSH –j DROP

iptables –A INPUT –p tcp --dport 22 –mstate --state NEW –m recent --update --name SSH--seconds 300 --hitcount 3 –jLOG --log-prefix “SSH ATTACK”--记录日志

4.7 网卡的源地址转发模拟

模拟图:

说明:Intra Host IP:192.168.10.2模式为Vmnet1 ifconfig eth0192.168.10.2/24(ping192.168.100.1不通) routeadd default gw 192.168.10.1(指定网关时候,还是ping192.168.100.1不通了,需要转发一次)Iptables eth0 IP:192.168.10.1 模式为Vmnet1 ifconfig eth0 192.168.10.1/24 Serverhttpd start打开主机的转发功能(转发)cat /proc/sys/net/ipv4/ip_forward ---输出0 echo1 > /proc/sys/net/ipv4/ip_forward Iptables eth1 IP:192.168.100.1模式为Bridge ifconfig eth1 192.168.100.1/16Internet Host IP:192.168.100.2模式为Bridge ifconfig eth0 192.168.100.2/16 vi/var/www/html/index.html thisis a test!route add default gw 192.168.100.1当100.1ping100.2时候抓包 tcpdump–i eth0 –nn –X host 172.16.100.2 (100.2) ping 192.168.100.2 (100.1) tcpdump–i eth0 –nn –X tcp port 80 and host 172.16.100.2 (100.2) elinks–dump http://172.16.100.2(100.1)做源地址转换 iptables–t nat –A POSTROUTING –s 192.168.10.1/24 –o eth1 –j SNAT --to-srource172.16.100.1 (Iptables) iptables–t nat –L –n(100.1) elinks–dump http://172.16.100.2 (10.2) iptables–t nat –L –n (100.1) tail/var/log/httpd/access_log(100.2)

限定只允许80,443,53端口上网iptables –t nat –A POSTROUTING –s192.168.0.0/24 –p tcp –m multiport --destination-port 80,443,53 –j SNAT--to-source 123.1.21.3iptables –t nat –A POSTROUTING –s192.168.0.0/24 –p udp –m multiport --destination-port 80,443,53 –j --to-source123.1.21.3

MASQURADE:自动选择一个合适地址作为转换后的源地址iptables –t nat –A POSTROUTING –s192.168.0.0/24 –p udp –m multiport --destination-port 80,443,53 –j MASQURADE--此模式用于拨号上网,即外网地址动态获取!