03-iptables-Lab
Source: Internet | Editor: 程序博客网 | Time: 2024/05/22 06:24
Lab setup: three hosts on the 172.16.0.0/16 network. Unless stated otherwise the rules are applied on A, whose shell is shown as [root@husa ~]#; C's shell is shown as [root@localhost ~]#.
A (172.16.11.206)
B (172.16.11.216)
C (172.16.11.207)
1 Allow B to access A, but not C
```
# A
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 782 packets, 74731 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 12516 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.216 -d 172.16.11.206 -j ACCEPT
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -j DROP
[root@husa ~]# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 53 packets, 4997 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       172.16.11.216        172.16.11.206
    0     0 DROP       all  --  *      *       172.16.11.207        172.16.11.206

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29 packets, 4152 bytes)
 pkts bytes target     prot opt in     out     source               destination

# B
[root@husa ~]# ssh root@172.16.11.206
The authenticity of host '172.16.11.206 (172.16.11.206)' can't be established.
ECDSA key fingerprint is d8:88:76:ef:30:e0:f5:f7:4b:a2:63:51:55:2e:74:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.206' (ECDSA) to the list of known hosts.
root@172.16.11.206's password:
Last failed login: Sun Jan 24 19:16:54 CST 2016 from 172.16.16.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Jan 24 19:16:39 2016 from 172.16.11.207
[root@husa ~]# ip addr
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4d:a0:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.206/16 brd 172.16.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4d:a050/64 scope link
       valid_lft forever preferred_lft forever

# C
[root@localhost ~]# ssh root@172.16.11.206
ssh: connect to host 172.16.11.206 port 22: Connection timed out
# A silently drops the packets, so C's SSH attempt gets no response at all
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
# ping gets no reply either

# A: watch the counters as the rules match
Every 1.0s: iptables -L -n -v --line-numbers                 Sun Jan 24 19:24:44 2016

Chain INPUT (policy ACCEPT 528 packets, 53690 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       43  5995 ACCEPT     all  --  *      *       172.16.11.216        172.16.11.206
2       74  6168 DROP       all  --  *      *       172.16.11.207        172.16.11.206

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 146 packets, 25966 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
Because the INPUT policy is still ACCEPT, the ACCEPT rule for B changes nothing; only the DROP rule for C has an effect. The DROP counter keeps growing because C's TCP stack retransmits the SYN and ping keeps sending echo requests, none of which get an answer.
2 Block C from pinging A, but still allow it to SSH to A
```
# A
[root@husa ~]# iptables -F
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p icmp -j REJECT
[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 10 packets, 860 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --  *      *       172.16.11.207        172.16.11.206        reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 872 bytes)
num   pkts bytes target     prot opt in     out     source               destination

# C
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
From 172.16.11.206 icmp_seq=1 Destination Port Unreachable
From 172.16.11.206 icmp_seq=2 Destination Port Unreachable
From 172.16.11.206 icmp_seq=3 Destination Port Unreachable
^C
--- 172.16.11.206 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2491ms
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password:
Last login: Sun Jan 24 19:22:25 2016 from 172.16.250.35
[root@husa ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4d:a0:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.206/16 brd 172.16.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4d:a050/64 scope link
       valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4d:a0:5a brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.137/24 brd 192.168.200.255 scope global eno33554984
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4d:a05a/64 scope link
       valid_lft forever preferred_lft forever
```
C cannot ping A but can still SSH to A. Because the target is REJECT rather than DROP, A answers every echo request with an ICMP error (the default is --reject-with icmp-port-unreachable, which is why ping prints "Destination Port Unreachable") instead of staying silent as in experiment 1. REJECT is kinder to legitimate clients, which fail fast; DROP gives a scanner less information and costs the firewall nothing in reply traffic.
3 A has two NICs, 172.16.11.206 and 192.168.200.137; restrict C so that it can only ping A via 192.168.200.137
```
# A
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -p icmp -j REJECT

# C
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
From 172.16.11.206 icmp_seq=1 Destination Port Unreachable
From 172.16.11.206 icmp_seq=2 Destination Port Unreachable

# A: watch the result
Every 2.0s: iptables -L -n -v --line-numbers                 Sun Jan 24 19:56:30 2016

Chain INPUT (policy ACCEPT 225 packets, 20822 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   840 REJECT     icmp --  *      *       172.16.11.207        0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 111 packets, 15992 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
Note the destination column: with no -d the rule shows 0.0.0.0/0, so it rejects ICMP from C to every address A owns, 192.168.200.137 included, and as written it does not meet the stated goal. The rule from experiment 2, which carries -d 172.16.11.206, is the one that leaves ping via 192.168.200.137 open; matching on the incoming interface (-i eno16777736) is the other way to express "only the first NIC".
4 Block C from A's HTTP service, but allow every other service
```
# A
[root@husa web]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp --dport 80 -j DROP

# C: the HTTP request hangs until interrupted (DROP), SSH still works
[root@localhost ~]# curl "http://172.16.11.206"
^C
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password:
Last login: Sun Jan 24 19:53:57 2016 from 172.16.250.35
```
5 Match the first SYN of a TCP connection
```
# A
[root@husa web]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp --dport 80 --syn -j ACCEPT
[root@husa web]# iptables -L -n --line-numbers -v
Chain INPUT (policy ACCEPT 86 packets, 7831 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       172.16.11.207        172.16.11.206        tcp dpt:80 flags:0x17/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42 packets, 5556 bytes)
num   pkts bytes target     prot opt in     out     source               destination

# C
[root@localhost ~]# curl "http://172.16.11.206"
<h1>hello world</h1>

# A
[root@husa web]# iptables -L -n --line-numbers -v
Chain INPUT (policy ACCEPT 159 packets, 14063 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 ACCEPT     tcp  --  *      *       172.16.11.207        172.16.11.206        tcp dpt:80 flags:0x17/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 66 packets, 8973 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
After a single request from C the counter reads exactly 1 packet / 60 bytes: only the initial SYN matched. --syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN, which the listing shows as flags:0x17/0x02 (mask 0x17 = FIN|SYN|RST|ACK, value 0x02 = SYN only). The rest of the connection did not match this rule and was let through by the ACCEPT policy; under a DROP policy a --syn ACCEPT alone is not enough and the later packets need an ESTABLISHED rule (see experiment 16).
6 Containing reverse-connecting trojans
The idea is that a server should only accept requests from clients and must not be able to initiate packets to a client on an arbitrary port; a reverse shell or call-home implant depends on exactly that outbound connection. Experiment 16 builds such a ruleset: OUTPUT policy DROP, with only ESTABLISHED replies from the service ports allowed out.
7 Block everyone from pinging A, while A can still ping others
```
# A, first attempt
[root@husa web]# iptables -A INPUT -s 0.0.0.0 -d 172.16.11.206 -p icmp --icmp-type 8 -j DROP

# B: still gets replies
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
64 bytes from 172.16.11.206: icmp_seq=1 ttl=64 time=0.299 ms
64 bytes from 172.16.11.206: icmp_seq=2 ttl=64 time=0.693 ms
^C
--- 172.16.11.206 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1994ms
rtt min/avg/max/mdev = 0.299/0.496/0.693/0.197 ms
----
# A, corrected: no -s at all
[root@husa web]# iptables -A INPUT -d 172.16.11.206 -p icmp --icmp-type 8 -j DROP
[root@husa web]# iptables -L -n -v
Chain INPUT (policy ACCEPT 29 packets, 2422 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1176 DROP       icmp --  *      *       0.0.0.0/0            172.16.11.206        icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 1656 bytes)
 pkts bytes target     prot opt in     out     source               destination

# B: no replies any more
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
```
-s 0.0.0.0 is parsed as the single host 0.0.0.0/32, not as "any source"; no real packet carries that source address, so the first rule never matched and every host could still ping A. "Any source" is expressed by leaving -s out or writing 0.0.0.0/0, which is what the listing shows for the corrected rule. The corrected rule drops only inbound echo-request (ICMP type 8); echo-reply (type 0) to A's own pings is still accepted, so A can ping others.
8 Block C from ports 80 through 8080 on A
```
# A: -R INPUT 1 replaces rule 1 of INPUT in place
[root@husa web]# iptables -t filter -R INPUT 1 -s 172.16.11.207 -d 172.16.11.206 -p tcp --destination-port 80:8080 -j DROP
```
No extension module is needed for a contiguous port range: the tcp match's own --destination-port (alias --dport) option accepts low:high.
9 Allow a whole subnet to reach HTTP and SSH with one rule (multiport)
```
# A
[root@husa web]# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.11.206 -p tcp -m multiport --dports 80,22 -j ACCEPT

# C
[root@localhost ~]# curl "http://172.16.11.206"
<h1>hello world</h1>
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password:
Last login: Sun Jan 24 20:19:27 2016 from 172.16.11.207
```
10 Change the default policy
```
# A
[root@husa web]# iptables -P INPUT DROP
[root@husa web]# iptables -L -n -v
Chain INPUT (policy DROP 29 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination
  172 16401 ACCEPT     tcp  --  *      *       172.16.0.0/16        172.16.11.206        multiport dports 80,22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41 packets, 5470 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Caution: after this change an awkward thing happens: SSH can no longer connect. Everything the whitelist does not cover is now silently dropped, and here the only ACCEPT rule is for TCP 80/22 from 172.16.0.0/16, so a management session from any other network, and all non-TCP traffic (ICMP, DNS replies), is cut off. Before switching a chain's policy to DROP, put the whitelist in place first: at minimum -i lo, ESTABLISHED,RELATED, and the address you are administering from.
11 Match a range of source addresses (iprange)
```
# A
[root@husa ~]# iptables -t filter -A INPUT -d 172.16.11.206 -p tcp -m iprange --src-range 172.16.11.207-172.16.11.217 -j DROP
[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 90 packets, 7950 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.16.11.206        source IP range 172.16.11.207-172.16.11.217

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36 packets, 4828 bytes)
num   pkts bytes target     prot opt in     out     source               destination

# C
[root@localhost ~]# curl "http://172.16.11.206"
^C
[root@localhost ~]# ssh root@172.16.11.206
^C
[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
64 bytes from 172.16.11.206: icmp_seq=1 ttl=64 time=0.296 ms
64 bytes from 172.16.11.206: icmp_seq=2 ttl=64 time=3.98 ms
^C
--- 172.16.11.206 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1736ms
rtt min/avg/max/mdev = 0.296/2.140/3.984/1.844 ms
```
All of C's TCP requests are dropped while ICMP still gets through, because the rule is restricted to -p tcp. iprange covers arbitrary ranges that do not align to a CIDR block (here 11 addresses, .207 to .217).
12 Stop A's httpd from sending packets whose HTML contains 'hello'
```
# A
[root@husa ~]# iptables -t filter -A OUTPUT -s 172.16.11.206 -p tcp -m string --algo kmp --string 'hello' -j DROP

# C: the request gets no body back
[root@localhost ~]# curl "http://172.16.11.206"

# A: the access log shows httpd did serve the request (200, 21 bytes); the reply was dropped on the way out
[root@husa ~]# tail /var/log/httpd/access_log
172.16.250.35 - - [24/Jan/2016:20:12:20 +0800] "GET /index.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:12:20 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://172.16.11.206/index.html" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:12:26 +0800] "GET / HTTP/1.1" 200 481 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:12:26 +0800] "GET /icons/blank.gif HTTP/1.1" 200 148 "http://172.16.11.206/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:13:38 +0800] "GET / HTTP/1.1" 200 21 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.11.207 - - [24/Jan/2016:20:30:13 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:29:54 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:32:22 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:53:43 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:57:04 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
```
Note: this rule sits in the OUTPUT chain. The string match inspects each packet's payload on its own and is case-sensitive, so it only sees cleartext, misses a string that is split across two TCP segments, and, since the rule is limited only by -p tcp, applies to every TCP packet A sends, not just port 80. It is a demonstration of payload matching, not a substitute for fixing the content on the server.
13 Block C from A on Monday, Wednesday and Friday between 08:30-18:30 and 22:00-05:00
```
# A
[root@husa ~]# date
Sun Jan 24 23:20:39 CST 2016
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m time --weekdays 1,3,5 --timestart 08:30 --timestop 18:30 --kerneltz -j DROP
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m time --weekdays 1,3,5 --timestart 22:00 --timestop 05:00 --kerneltz -j DROP
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 156 packets, 14087 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       172.16.11.207        172.16.11.206        TIME from 08:30:00 to 18:30:00 on Mon,Tue,Wed,Fri
    0     0 DROP       tcp  --  *      *       172.16.11.207        172.16.11.206        TIME from 22:00:00 to 05:00:00 on Mon,Tue,Wed,Fri UTC

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 60 packets, 10508 bytes)
 pkts bytes target     prot opt in     out     source               destination

# C
[root@localhost ~]# curl "http://172.16.11.206"
curl: (7) couldn't connect to host
```
The times are evaluated on the server, and each separate window needs its own rule. Remember --kerneltz: without it the match is evaluated in UTC, and the listing marks such rules with a trailing UTC. Here the second rule is listed with UTC even though --kerneltz was typed, so always check the listing after adding time rules. The listing also renders the weekdays as Mon,Tue,Wed,Fri rather than the Mon,Wed,Fri that --weekdays 1,3,5 should give; spelling the days out (--weekdays Mon,Wed,Fri) removes the ambiguity. A window that crosses midnight (22:00 to 05:00) is, by default, two intervals on each listed day (00:00-05:00 and 22:00-24:00 on Mon/Wed/Fri), not Monday 22:00 through Tuesday 05:00; the --contiguous option gives the latter. Finally, this test ran on a Sunday, when neither rule is active, and curl's immediate "couldn't connect to host" is not what a DROP produces (a DROP leaves the client hanging), so re-test at a time the rule should match and watch the counters.
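To make the timezone and midnight-crossing behaviour concrete, here is a small model of the `-m time` match, added as an illustration (it is not code from the page). It assumes the semantics documented for the time extension: rules without --kerneltz are evaluated in UTC; when --timestop is earlier than --timestart the rule matches two intervals on each listed weekday unless --contiguous is given; the server's zone is assumed to be UTC+8 (its `date` output shows CST).

```python
from datetime import datetime, time, timedelta, timezone

# Zone of the lab server (UTC+8, shown as CST by `date`); a fixed offset avoids
# depending on the system tz database.  Assumption made for this example.
CST = timezone(timedelta(hours=8), "CST")


def time_match(pkt_time, weekdays, start, stop, kerneltz=None, contiguous=False):
    """Return True if a packet stamped pkt_time (an aware datetime) matches
    `-m time --weekdays <weekdays> --timestart <start> --timestop <stop>`.

    kerneltz:   zone the rule is evaluated in (--kerneltz); None means UTC,
                which is what iptables uses when the flag is omitted.
    contiguous: --contiguous; only meaningful when stop < start.
    weekdays:   set of ISO weekday numbers, 1 = Mon ... 7 = Sun.
    """
    local = pkt_time.astimezone(kerneltz if kerneltz is not None else timezone.utc)
    t = local.time().replace(microsecond=0)
    today = local.isoweekday()
    if start <= stop:
        # ordinary window inside one day
        return today in weekdays and start <= t <= stop
    if not contiguous:
        # stop < start without --contiguous: two windows on each listed day,
        # 00:00..stop and start..24:00, so "Mon 22:00-05:00" does NOT cover Tue 03:00
        return today in weekdays and (t >= start or t <= stop)
    # --contiguous: start..24:00 on a listed day, or 00:00..stop on the day after one
    if t >= start:
        return today in weekdays
    yesterday = (local - timedelta(days=1)).isoweekday()
    return t <= stop and yesterday in weekdays


def demo():
    """Evaluate the two rules of this experiment at a few instants; name -> matched."""
    mwf = {1, 3, 5}
    day = (time(8, 30), time(18, 30))
    night = (time(22, 0), time(5, 0))
    mon_10 = datetime(2016, 1, 25, 10, 0, tzinfo=CST)   # Monday 10:00 CST
    mon_23 = datetime(2016, 1, 25, 23, 0, tzinfo=CST)   # Monday 23:00 CST
    tue_03 = datetime(2016, 1, 26, 3, 0, tzinfo=CST)    # Tuesday 03:00 CST
    return {
        "day_mon_10_kerneltz": time_match(mon_10, mwf, *day, kerneltz=CST),
        "day_mon_10_utc": time_match(mon_10, mwf, *day),              # 02:00 UTC
        "night_mon_23_kerneltz": time_match(mon_23, mwf, *night, kerneltz=CST),
        "night_mon_23_utc": time_match(mon_23, mwf, *night),          # 15:00 UTC
        "night_tue_03": time_match(tue_03, mwf, *night, kerneltz=CST),
        "night_tue_03_contiguous": time_match(tue_03, mwf, *night, kerneltz=CST,
                                              contiguous=True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:26s} {'DROP' if hit else 'pass'}")
```

Both "utc" cases come out as no match: Monday 10:00 and 23:00 local are 02:00 and 15:00 UTC, outside both windows, which is exactly why the rules above need --kerneltz to do what the sentence in the heading says.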
14 Limit C to at most 2 concurrent connections to A
```
# A
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m connlimit --connlimit-above 2 -j DROP
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 14 packets, 1232 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       172.16.11.207        172.16.11.206        #conn src/32 > 2

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 1648 bytes)
 pkts bytes target     prot opt in     out     source               destination

# C, terminal 1
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password:
Last login: Sun Jan 24 23:38:24 2016 from 172.16.11.207
[root@husa ~]#
# C, terminal 2
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password:
Last login: Sun Jan 24 23:38:39 2016 from 172.16.11.207
[root@husa ~]#
# C, terminal 3
[root@localhost ~]# ssh root@172.16.11.206
```
The third SSH session from C never connects: connlimit counts the concurrent TCP connections per source address (the default mask is /32, shown as "#conn src/32 > 2") and drops the packet once that count exceeds 2. The rule carries no --dport, so any TCP connection from C counts against the limit, not just SSH. This is effective against long-lived connections; short requests release their slot as soon as they close.
15 Rate-limit requests
```
# A
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m limit --limit 3/second --limit-burst 5 -j ACCEPT
[root@husa ~]# iptables -t filter -I INPUT 2 -s 172.16.11.207 -d 172.16.11.206 -p icmp -j REJECT
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 12 packets, 1056 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  2380 ACCEPT     tcp  --  *      *       172.16.11.207        172.16.11.206        limit: avg 3/sec burst 5
    0     0 REJECT     icmp --  *      *       172.16.11.207        172.16.11.206        reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination

# C: tested with ping
```
Two things to check before trusting this test. The limit rule's target is ACCEPT and the chain policy is also ACCEPT, so a packet that exceeds the rate merely fails to match this rule and is then accepted by the policy: on its own the rule limits nothing. To enforce the rate you need a following rule (or a DROP policy) that drops the same traffic when the limit rule does not match. Second, the limit rule matches -p tcp, so a ping from C exercises only the ICMP REJECT rule at position 2; the 31 packets counted on the limit rule came from C's TCP traffic, not from the ping.
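The following token-bucket model of `-m limit` is added here to show what "avg 3/sec burst 5" means packet by packet, and why the rule above needs a DROP behind it. It is an illustration, not code from the page; it assumes the limit match behaves as a bucket of --limit-burst tokens refilled at --limit tokens per second, with packet arrival times supplied explicitly so the result is deterministic.

```python
class LimitMatch:
    """Token-bucket model of `-m limit --limit <rate>/second --limit-burst <burst>`.

    The bucket starts full (burst tokens) and refills at `rate` tokens per second.
    A packet matches the rule only if a token is available; otherwise the rule
    simply does not match and the packet falls through to the next rule.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def matches(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(timestamps, rate=3, burst=5, policy="ACCEPT", trailing_drop=False):
    """Verdict for each packet (arrival time in seconds) against a chain holding
    `-m limit ... -j ACCEPT`, optionally followed by an unconditional DROP for
    the same traffic, and ending in the given chain policy."""
    limit = LimitMatch(rate, burst)
    verdicts = []
    for ts in timestamps:
        if limit.matches(ts):
            verdicts.append("ACCEPT")
        elif trailing_drop:
            verdicts.append("DROP")
        else:
            verdicts.append(policy)   # nothing else matched: the policy decides
    return verdicts


if __name__ == "__main__":
    burst = [0.0] * 8                    # 8 packets arriving at once
    print("policy ACCEPT, no DROP rule:", run_chain(burst))
    print("with a trailing DROP:       ", run_chain(burst, trailing_drop=True))
    print("5 now, 4 one second later:  ", run_chain([0.0] * 5 + [1.0] * 4, trailing_drop=True))
```

With eight packets arriving at once the first five consume the burst and the other three fail the match; whether those three are dropped depends entirely on what follows the rule. One second later the bucket has refilled by three tokens, so three more packets match and the fourth does not.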
16 Only ESTABLISHED replies may leave through ports 22 and 80
```
# A
[root@husa ~]# iptables -t filter -A INPUT -d 172.16.11.206 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@husa ~]# iptables -t filter -A OUTPUT -s 172.16.11.206 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
# With the default policies set to DROP, only ESTABLISHED traffic can leave through OUTPUT; every other state is blocked
[root@husa ~]# iptables -P INPUT DROP
[root@husa ~]# iptables -P OUTPUT DROP
[root@husa ~]# iptables -P FORWARD DROP
[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 271 packets, 23725 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      558 50064 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.11.206        multiport dports 22,80 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 7 packets, 436 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      143 21752 ACCEPT     tcp  --  *      *       172.16.11.206        0.0.0.0/0            multiport sports 22,80 state ESTABLISHED

# A
[root@husa ~]# ssh root@172.16.11.207
# A's own outbound SSH is blocked. Not because the destination port is 22: the connection is NEW
# and its source port is an ephemeral port rather than 22, so no OUTPUT rule matches and the
# DROP policy applies.
```
Mind the order in which you build this: if you switch the policy to DROP before the ACCEPT rules are in place, your current SSH session is cut off.
With this ruleset the server cannot initiate connections at all, which raises the security level considerably. It also blocks every other outbound connection the host may legitimately need (DNS lookups, package updates), so those need explicit OUTPUT rules of their own.
17 Using the nf_conntrack_ftp module
```
# C
[root@localhost ~]# modinfo nf_conntrack_ftp
filename:       /lib/modules/2.6.32-573.el6.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko
alias:          nfct-helper-ftp
alias:          ip_conntrack_ftp
description:    ftp connection tracking helper
author:         Rusty Russell <rusty@rustcorp.com.au>
license:        GPL
srcversion:     C71BEA8280D7366FB6AFF35
depends:        nf_conntrack
vermagic:       2.6.32-573.el6.x86_64 SMP mod_unload modversions
parm:           ports:array of ushort
parm:           loose:bool
# load the nf_conntrack_ftp helper
[root@localhost ~]# modprobe nf_conntrack_ftp
# rule set 1: keep SSH working before the policies change
[root@localhost ~]# iptables -t filter -A INPUT -d 172.16.11.207 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp --sport 22 -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
# rule set 2: allow FTP
[root@localhost ~]# iptables -t filter -A INPUT -d 172.16.11.207 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -d 172.16.11.207 -p tcp -m state --state RELATED -j ACCEPT
```
Why is the RELATED rule in the INPUT chain? In passive mode the client opens the data connection to the server as well as the control connection, so the server only ever sees inbound connection attempts; the helper, having read the PASV exchange on port 21, marks the inbound data connection as RELATED to the control connection, and the INPUT rule accepts it. In active mode the server connects back to the client from port 20, and the RELATED rule would then have to be in OUTPUT. One more caveat: on kernels from 4.7 on, automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper = 0), so loading the module is not enough there; the control connection must be tied to the helper explicitly with a CT --helper ftp rule in the raw table.
These rules are verbose and can be condensed:
```
# condensed rules
iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 172.16.11.207 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 172.16.11.207 -p tcp -m multiport --dport 21,80,22 -m state --state NEW,RELATED -j ACCEPT
```
Be careful with the last line: it ties RELATED to ports 21, 80 and 22, but a passive-mode data connection arrives on a random high port and would not match it. Keep RELATED in a rule of its own without a port match, as in the long form above, or the data connection is dropped by the INPUT policy.
18 Using a user-defined chain
```
# C
# create a user-defined chain named icmp
[root@localhost ~]# iptables -N icmp
# reject all ICMP in it; anything it does not match returns to the calling chain (INPUT)
[root@localhost ~]# iptables -A icmp -d 172.16.11.207 -p icmp -j REJECT
[root@localhost ~]# iptables -A icmp -j RETURN
# hook the chain into INPUT so it takes effect
[root@localhost ~]# iptables -A INPUT -d 172.16.11.207 -j icmp
[root@localhost ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 230 packets, 22633 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       98  8816 icmp       all  --  *      *       0.0.0.0/0            172.16.11.207

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51 packets, 6952 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain icmp (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --  *      *       0.0.0.0/0            172.16.11.207        reject-with icmp-port-unreachable
2       98  8816 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

# B
[root@husa ~]# ping 172.16.11.207
PING 172.16.11.207 (172.16.11.207) 56(84) bytes of data.
From 172.16.11.207 icmp_seq=1 Destination Port Unreachable
From 172.16.11.207 icmp_seq=2 Destination Port Unreachable
From 172.16.11.207 icmp_seq=3 Destination Port Unreachable
^C
--- 172.16.11.207 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000ms
```
At the moment of the listing, 98 non-ICMP packets had entered the chain and taken the RETURN back to INPUT, where they continued with the next rule (here, the ACCEPT policy), while none had been rejected yet. The explicit RETURN is not strictly required, since a packet that reaches the end of a user-defined chain returns to the caller anyway, but it makes the hand-off visible in the counters.
19 Log SSH access to this host with iptables
The LOG target writes a record of each matching packet to the kernel log. Its options:
--log-level level    syslog level of the message
--log-prefix prefix  a string (up to 29 characters) prepended to each line so the records can be filtered
LOG is non-terminating: after logging, the packet continues to the next rule in the chain.
```
# C
[root@localhost ~]# iptables -A INPUT -d 172.16.11.207 -p tcp --dport 22 -j LOG
[root@localhost ~]# tail -n 1 /var/log/messages
Dec 20 14:55:58 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:8c:89:a5:0d:ae:03:08:00 SRC=172.16.250.35 DST=172.16.11.207 LEN=136 TOS=0x00 PREC=0x00 TTL=128 ID=6075 DF PROTO=TCP SPT=7253 DPT=22 WINDOW=251 RES=0x00 ACK PSH URGP=0

# B
[root@husa ~]# ssh root@172.16.11.207
The authenticity of host '172.16.11.207 (172.16.11.207)' can't be established.
RSA key fingerprint is a7:61:b5:8a:ce:87:99:89:0e:8a:81:ce:ac:83:f0:52.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.207' (RSA) to the list of known hosts.
root@172.16.11.207's password:
Last login: Sun Dec 20 14:32:49 2015 from 172.16.250.35
[root@localhost ~]#

# C
[root@localhost ~]# tail /var/log/messages
Dec 20 14:56:23 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15967 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=196 TOS=0x00 PREC=0x00 TTL=64 ID=15968 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK PSH URGP=0
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15969 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=15970 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK PSH URGP=0
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=500 TOS=0x10 PREC=0x00 TTL=64 ID=15971 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK PSH URGP=0
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=15972 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0
```
As written the rule logs every packet on port 22, including every ACK of the administrator's own session (the 172.16.250.35 entry is the session the rule was typed from), which floods the log. In practice restrict it to -m state --state NEW, rate-limit it with -m limit, and give it a --log-prefix so the records can be picked out of /var/log/messages.
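Once the records carry a prefix, the next step is to actually read them. The parser below is added as an illustration (it is not code from the page): it turns LOG lines of the format shown above into dictionaries and counts SSH connection attempts (SYN without ACK) per source. The sample lines are constructed for the example, and the "SSH-IN " prefix is assumed to come from a rule such as `-j LOG --log-prefix "SSH-IN "`.

```python
import re
from collections import Counter

# Constructed sample in the format the LOG target emits (not copied from a live host).
# The "SSH-IN " prefix is assumed to come from `-j LOG --log-prefix "SSH-IN "`.
SAMPLE_LOG = """\
Dec 20 14:56:23 localhost kernel: SSH-IN IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15966 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 20 14:56:23 localhost kernel: SSH-IN IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15967 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0
Dec 20 14:57:01 localhost kernel: SSH-IN IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:8c:89:a5:0d:ae:03:08:00 SRC=172.16.250.35 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=6101 DF PROTO=TCP SPT=7301 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 20 14:57:02 localhost kernel: SSH-IN IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:8c:89:a5:0d:ae:03:08:00 SRC=172.16.250.35 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=6102 DF PROTO=TCP SPT=7302 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 20 14:57:03 localhost kernel: SSH-IN IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:8c:89:a5:0d:ae:03:08:00 SRC=172.16.250.35 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=6103 DF PROTO=TCP SPT=7303 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 20 14:57:10 localhost kernel: usb 1-1: new high-speed USB device number 3 using ehci_hcd
"""

_KV = re.compile(r"(\w+)=(\S*)")


def parse_nflog(line, prefix=None):
    """Parse one syslog line written by the LOG target into a dict.

    Returns None for lines that are not netfilter records, or whose --log-prefix
    (with its trailing space removed) differs from `prefix` when one is given.
    Bare tokens such as DF, SYN, ACK, PSH land in rec["flags"]; "OUT=" with no
    value becomes the empty string.
    """
    m = re.search(r"kernel: (.*)$", line)
    if not m:
        return None
    body = m.group(1)
    if body.startswith("IN="):
        rec_prefix, fields = "", body
    else:
        idx = body.find(" IN=")
        if idx < 0:
            return None                     # some other kernel message
        rec_prefix, fields = body[:idx], body[idx + 1:]
    if prefix is not None and rec_prefix != prefix:
        return None
    rec = {"prefix": rec_prefix}
    rec.update(_KV.findall(fields))
    rec["flags"] = {tok for tok in fields.split() if "=" not in tok}
    return rec


def new_ssh_attempts(log_text, prefix="SSH-IN", port="22"):
    """Count connection attempts (SYN set, ACK clear) to `port`, per source address."""
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_nflog(line, prefix)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != port:
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            attempts[rec["SRC"]] += 1
    return attempts


if __name__ == "__main__":
    for src, n in new_ssh_attempts(SAMPLE_LOG).most_common():
        print(f"{src:16s} {n} new SSH connection(s)")
```

Counting only SYN-without-ACK packets is what separates connection attempts from the stream of ACKs a live session produces; the unrelated USB line is ignored because it carries no IN= field.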
Exercises (INPUT and OUTPUT default policy DROP):
1. The local web server may not be accessed on Mondays; new requests must not exceed 100 per second; pages containing the string "admin" may not be served; only reply packets may leave the host from the web server.
2. During working hours, Monday to Friday 08:30-18:00, open the local FTP service to hosts in the 172.16.0.0 network; data download requests must not exceed 5 per minute.
3. Open the local SSH service to 172.16.x.1-172.16.x.100, where x is your student number; new connections must not exceed 2 per minute; only reply packets may leave through the service port.
4. Reject packets whose TCP flags are all set or all cleared.
5. Allow this host to ping others, but do not let others ping this host.

Exercise: explain what the following rules do:
```
# iptables -N clean_in
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
# iptables -A clean_in -d 172.16.100.7 -j RETURN
# iptables -A INPUT -d 172.16.100.7 -j clean_in
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP
# iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
```
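A way to reason about the clean_in ruleset, and about the RETURN hand-off of experiment 18 and the -s 0.0.0.0 trap of experiment 7, is to walk packets through a model of the chain traversal. The simulator below is added for that purpose; it is not code from the page. It models first-match-wins, RETURN and fall-off-the-end for user chains, the chain policy for built-in chains, and the subset of match options the rules above use; the exercise's -m limit rule is left out, and the packets are constructed for the example.

```python
import ipaddress

ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
_SYN_MASK = {"FIN", "SYN", "RST", "ACK"}          # the flags --syn inspects


def _in_net(addr, spec):
    # iptables parses a bare address as a /32: '-s 0.0.0.0' is the single host
    # 0.0.0.0, which no real packet carries; "any source" is 0.0.0.0/0 or no -s.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(match, pkt):
    """Apply the subset of match options used on this page to one packet."""
    if "src" in match and not _in_net(pkt["src"], match["src"]):
        return False
    if "dst" in match and not _in_net(pkt["dst"], match["dst"]):
        return False
    if "in" in match and pkt.get("in") != match["in"]:
        return False
    if "proto" in match and pkt["proto"] != match["proto"]:
        return False
    if "dports" in match and pkt.get("dport") not in match["dports"]:
        return False
    if "icmp_type" in match and pkt.get("icmp_type") != match["icmp_type"]:
        return False
    if "state" in match and pkt.get("state") not in match["state"]:
        return False
    flags = pkt.get("flags", set())
    if "syn" in match and ((flags & _SYN_MASK) == {"SYN"}) != match["syn"]:
        return False                                # --syn / ! --syn
    if "tcp_flags" in match:                        # --tcp-flags MASK COMP
        mask, comp = match["tcp_flags"]
        if (flags & mask) != comp:
            return False
    return True


def verdict(chains, policies, pkt, chain="INPUT", depth=0):
    """Walk a chain: the first matching terminating target wins; a user chain that
    hits RETURN or runs out of rules hands the packet back to its caller, which
    continues with its next rule; a built-in chain ends at its policy."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule.get("match", {}), pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target == "LOG":                         # non-terminating
            continue
        result = verdict(chains, policies, pkt, target, depth + 1)
        if result is not None:
            return result
    return policies[chain] if depth == 0 else None


def build_chains(ping_src):
    """The clean_in exercise, plus the echo-request rule of experiment 7 with the
    given -s value (the exercise's -m limit rule is omitted)."""
    flags_all, flags_none = set(ALL_TCP_FLAGS), set()
    return {
        "clean_in": [
            {"match": {"dst": "255.255.255.255", "proto": "icmp"}, "target": "DROP"},
            {"match": {"dst": "172.16.255.255", "proto": "icmp"}, "target": "DROP"},
            {"match": {"proto": "tcp", "syn": False, "state": {"NEW"}}, "target": "DROP"},
            {"match": {"proto": "tcp", "tcp_flags": (ALL_TCP_FLAGS, flags_all)}, "target": "DROP"},
            {"match": {"proto": "tcp", "tcp_flags": (ALL_TCP_FLAGS, flags_none)}, "target": "DROP"},
            {"match": {"dst": "172.16.100.7"}, "target": "RETURN"},
        ],
        "INPUT": [
            {"match": {"dst": "172.16.100.7"}, "target": "clean_in"},
            {"match": {"in": "lo"}, "target": "ACCEPT"},
            {"match": {"in": "eth0", "proto": "tcp", "dports": {53, 113, 135, 137, 139, 445}}, "target": "DROP"},
            {"match": {"in": "eth0", "proto": "udp", "dports": {53, 113, 135, 137, 139, 445}}, "target": "DROP"},
            {"match": {"in": "eth0", "proto": "udp", "dports": {1026}}, "target": "DROP"},
            {"match": {"in": "eth0", "proto": "tcp", "dports": {1433, 4899}}, "target": "DROP"},
            {"match": {"src": ping_src, "dst": "172.16.100.7", "proto": "icmp", "icmp_type": 8}, "target": "DROP"},
        ],
    }


def packet(**over):
    """A constructed inbound packet; keyword arguments override the defaults."""
    p = {"src": "10.0.0.5", "dst": "172.16.100.7", "in": "eth0", "proto": "tcp",
         "dport": 22, "flags": {"SYN"}, "state": "NEW"}
    p.update(over)
    return p


def demo():
    policies = {"INPUT": "ACCEPT"}
    bad = build_chains("0.0.0.0")       # experiment 7, first attempt
    good = build_chains("0.0.0.0/0")    # experiment 7, corrected
    ping = packet(proto="icmp", icmp_type=8, flags=set(), src="172.16.11.216")
    return {
        "ssh_syn": verdict(bad, policies, packet()),
        "ack_but_new": verdict(bad, policies, packet(flags={"ACK"})),
        "xmas": verdict(bad, policies, packet(flags=set(ALL_TCP_FLAGS), state="ESTABLISHED")),
        "null": verdict(bad, policies, packet(flags=set(), state="ESTABLISHED")),
        "smb_445": verdict(bad, policies, packet(dport=445)),
        "icmp_broadcast": verdict(bad, policies, packet(proto="icmp", icmp_type=8, flags=set(),
                                                        dst="255.255.255.255")),
        "ping_s_0.0.0.0": verdict(bad, policies, ping),
        "ping_s_0.0.0.0/0": verdict(good, policies, ping),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:18s} {v}")
```

Two results are worth dwelling on. The broadcast ICMP packet is accepted even though clean_in has a rule to drop it: the jump into clean_in is conditioned on -d 172.16.100.7, so a packet addressed to 255.255.255.255 never enters the chain and those two rules are unreachable as written. And the echo-request rule with -s 0.0.0.0 lets the ping through while the same rule with 0.0.0.0/0 drops it, which is the behaviour observed in experiment 7.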