03-iptables-實驗

03-iptables-實驗

實驗

A(172.16.11.206)
B(172.16.11.216)
C(172.16.11.207)

1 允許B訪問A而C不行

# A
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 782 packets, 74731 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 72 packets, 12516 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.216 -d 172.16.11.206 -j ACCEPT
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -j DROP
[root@husa ~]# iptables -t filter -L -n -v   
Chain INPUT (policy ACCEPT 53 packets, 4997 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       172.16.11.216       172.16.11.206      
    0     0 DROP       all  --  *      *       172.16.11.207       172.16.11.206      

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 29 packets, 4152 bytes)
 pkts bytes target     prot opt in     out     source               destination  


# B

[root@husa ~]# ssh root@172.16.11.206
The authenticity of host '172.16.11.206 (172.16.11.206)' can't be established.
ECDSA key fingerprint is d8:88:76:ef:30:e0:f5:f7:4b:a2:63:51:55:2e:74:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.206' (ECDSA) to the list of known hosts.
root@172.16.11.206's password: 
Last failed login: Sun Jan 24 19:16:54 CST 2016 from 172.16.16.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Jan 24 19:16:39 2016 from 172.16.11.207

[root@husa ~]# ip addr
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4d:a0:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.206/16 brd 172.16.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4d:a050/64 scope link 
       valid_lft forever preferred_lft forever

# C
[root@localhost ~]# ssh root@172.16.11.206
ssh: connect to host 172.16.11.206 port 22: Connection timed out
                # 由於A直接將packet丟棄(DROP,不回應任何報文),導致C的ssh連接沒有任何響應,只能等到超時


[root@localhost ~]# ping 172.16.11.206     
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
                # ping也ping不通

# A動態查看匹配的規則

Every 1.0s: iptables -L -n -v --line-numbers                                                    Sun Jan 24 19:24:44 2016

Chain INPUT (policy ACCEPT 528 packets, 53690 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       43  5995 ACCEPT     all  --  *      *       172.16.11.216        172.16.11.206
2       74  6168 DROP       all  --  *      *       172.16.11.207        172.16.11.206

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 146 packets, 25966 bytes)
num   pkts bytes target     prot opt in     out     source               destination

2 限制C不能pingA但是可以sshA

# A
[root@husa ~]# iptables -F
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p icmp -j REJECT  
[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 10 packets, 860 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     icmp --  *      *       172.16.11.207        172.16.11.206        reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 872 bytes)
num   pkts bytes target     prot opt in     out     source               destination 

# C

[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
From 172.16.11.206 icmp_seq=1 Destination Port Unreachable
From 172.16.11.206 icmp_seq=2 Destination Port Unreachable
From 172.16.11.206 icmp_seq=3 Destination Port Unreachable
^C
--- 172.16.11.206 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2491ms

[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password: 
Last login: Sun Jan 24 19:22:25 2016 from 172.16.250.35
[root@husa ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4d:a0:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.206/16 brd 172.16.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4d:a050/64 scope link 
       valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4d:a0:5a brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.137/24 brd 192.168.200.255 scope global eno33554984
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4d:a05a/64 scope link 
       valid_lft forever preferred_lft forever

可以看到C不能pingA但是可以sshA

3 A有兩張網卡,其中一個IP爲172.16.11.206,另一個IP爲192.168.200.137,限制C只能從192.168.200.137ping通(注意:下面的規則沒有加 -d 172.16.11.206,因此會拒絕C發往A任一IP的ICMP,包括192.168.200.137;要符合題意應加上 -d 172.16.11.206)

# A

[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -p icmp -j REJECT

# C

[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
From 172.16.11.206 icmp_seq=1 Destination Port Unreachable
From 172.16.11.206 icmp_seq=2 Destination Port Unreachable

# A查看結果

Every 2.0s: iptables -L -n -v --line-numbers                                                    Sun Jan 24 19:56:30 2016

Chain INPUT (policy ACCEPT 225 packets, 20822 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   840 REJECT     icmp --  *      *       172.16.11.207        0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 111 packets, 15992 bytes)
num   pkts bytes target     prot opt in     out     source               destination

4 限制C訪問A的http服務,但是可以訪問其他服務

# A

[root@husa web]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp --dport 80 -j DROP 

# C

[root@localhost ~]# curl "http://172.16.11.206"
^C
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password: 
Last login: Sun Jan 24 19:53:57 2016 from 172.16.250.35

5 匹配TCP鏈接中的第一個SYN

# A

[root@husa web]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp --dport 80 --syn -j ACCEPT
[root@husa web]# iptables -L -n --line-numbers -v
Chain INPUT (policy ACCEPT 86 packets, 7831 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      *       172.16.11.207        172.16.11.206        tcp dpt:80 flags:0x17/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 5556 bytes)
num   pkts bytes target     prot opt in     out     source               destination       

# C

[root@localhost ~]# curl "http://172.16.11.206"
<h1>hello world</h1>


# A

[root@husa web]# iptables -L -n --line-numbers -v
Chain INPUT (policy ACCEPT 159 packets, 14063 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        1    60 ACCEPT     tcp  --  *      *       172.16.11.207        172.16.11.206        tcp dpt:80 flags:0x17/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 66 packets, 8973 bytes)
num   pkts bytes target     prot opt in     out     source               destination 


可以看到C訪問一次A之後,A的這個條件已經匹配到了

6 限制反彈式木馬

就是server只能接收client的請求,而server不能通過指定端口主動向client發送報文


7 限制任何人pingA,但是A可以ping別人

# A

[root@husa web]# iptables -A INPUT -s 0.0.0.0 -d 172.16.11.206 -p icmp --icmp-type 8 -j DROP

# B

[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
64 bytes from 172.16.11.206: icmp_seq=1 ttl=64 time=0.299 ms
64 bytes from 172.16.11.206: icmp_seq=2 ttl=64 time=0.693 ms
^C
--- 172.16.11.206 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1994ms
rtt min/avg/max/mdev = 0.299/0.496/0.693/0.197 ms


----


# A

[root@husa web]# iptables -A INPUT -d 172.16.11.206 -p icmp --icmp-type 8 -j DROP
[root@husa web]# iptables -L -n -v
Chain INPUT (policy ACCEPT 29 packets, 2422 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14  1176 DROP       icmp --  *      *       0.0.0.0/0            172.16.11.206        icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 9 packets, 1656 bytes)
 pkts bytes target     prot opt in     out     source               destination   

# B

[root@localhost ~]# ping 172.16.11.206
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.

其中 -s 0.0.0.0 表示的是單一地址 0.0.0.0(即 0.0.0.0/32),並不是「任意來源」;要匹配所有來源應省略 -s(列表中顯示爲 0.0.0.0/0)或明確寫 0.0.0.0/0。正因爲如此第一條沒有匹配到,所以其他的主機仍然可以ping通

8 禁止C訪問A的80–8080端口

# A

[root@husa web]# iptables -t filter -R INPUT 1 -s 172.16.11.207 -d 172.16.11.206 -p tcp --destination-port 80:8080 -j DROP

# C

這裏沒有使用擴展模塊,而直接使用tcp的選項

9 允許一個網段內的多個端口可以訪問http和ssh

# A

[root@husa web]# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.11.206 -p tcp -m multiport --dports 80,22 -j ACCEPT

# C

[root@localhost ~]# curl "http://172.16.11.206"
<h1>hello world</h1>

[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password: 
Last login: Sun Jan 24 20:19:27 2016 from 172.16.11.207

10 修改默認策略

# A

[root@husa web]# iptables -P INPUT DROP

[root@husa web]# iptables -L -n -v
Chain INPUT (policy DROP 29 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  172 16401 ACCEPT     tcp  --  *      *       172.16.0.0/16        172.16.11.206        multiport dports 80,22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 41 packets, 5470 bytes)
 pkts bytes target     prot opt in     out     source               destination  


注意,上面這種設定之後,會有一個非常尷尬的情況發生:不在白名單內的連接(包括SSH)全部不能連接了。所以把鏈的默認策略改爲DROP之前,一定要先把白名單規則(至少是當前管理用的SSH)加好,再修改默認策略

11 設置多IP限制

# A

[root@husa ~]# iptables -t filter -A INPUT -d 172.16.11.206 -p tcp -m iprange --src-range 172.16.11.207-172.16.11.217 -j DROP
[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 90 packets, 7950 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.16.11.206        source IP range 172.16.11.207-172.16.11.217

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 36 packets, 4828 bytes)
num   pkts bytes target     prot opt in     out     source               destination  

# C

[root@localhost ~]# curl "http://172.16.11.206"
^C
[root@localhost ~]# ssh root@172.16.11.206
^C
[root@localhost ~]# ping 172.16.11.206         
PING 172.16.11.206 (172.16.11.206) 56(84) bytes of data.
64 bytes from 172.16.11.206: icmp_seq=1 ttl=64 time=0.296 ms
64 bytes from 172.16.11.206: icmp_seq=2 ttl=64 time=3.98 ms
^C
--- 172.16.11.206 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1736ms
rtt min/avg/max/mdev = 0.296/2.140/3.984/1.844 ms

可以看到C的TCP請求都被drop,ICMP請求還能進行

12 設置A的httpd中的html含有’hello’的報文不能發送

# A

[root@husa ~]# iptables -t filter -A OUTPUT -s 172.16.11.206 -p tcp -m string --algo kmp --string 'hello' -j DROP



# C

[root@localhost ~]# curl "http://172.16.11.206"


# A tail查看可以明顯發現服務器已經響應了請求

[root@husa ~]# tail /var/log/httpd/access_log
172.16.250.35 - - [24/Jan/2016:20:12:20 +0800] "GET /index.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:12:20 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://172.16.11.206/index.html" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:12:26 +0800] "GET / HTTP/1.1" 200 481 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:12:26 +0800] "GET /icons/blank.gif HTTP/1.1" 200 148 "http://172.16.11.206/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.250.35 - - [24/Jan/2016:20:13:38 +0800] "GET / HTTP/1.1" 200 21 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
172.16.11.207 - - [24/Jan/2016:20:30:13 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:29:54 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:32:22 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:53:43 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
172.16.11.207 - - [24/Jan/2016:22:57:04 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

注意:此處是在OUTPUT鏈上做的規則

13 限制C在週一、週三、週五的8:30–18:30、22:00–05:00不能訪問A

# A

[root@husa ~]# date
20160124日 星期日 23:20:39 CST
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m time --weekdays 1,3,5 --timestart 08:30 --timestop 18:30 --kerneltz -j DROP
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m time --weekdays 1,3,5 --timestart 22:00 --timestop 05:00 --kerneltz -j DROP

[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 156 packets, 14087 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       172.16.11.207        172.16.11.206        TIME from 08:30:00 to 18:30:00 on Mon,Tue,Wed,Fri
    0     0 DROP       tcp  --  *      *       172.16.11.207        172.16.11.206        TIME from 22:00:00 to 05:00:00 on Mon,Tue,Wed,Fri UTC

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 60 packets, 10508 bytes)
 pkts bytes target     prot opt in     out     source               destination 


# C

[root@localhost ~]# curl "http://172.16.11.206"
curl: (7) couldn't connect to host

這裏的時間是指服務器(內核)的時間;多個時段要寫成多條規則;記住加上 --kerneltz,因爲 time 模塊默認按UTC解讀時間。另外上面列表顯示的星期是 Mon,Tue,Wed,Fri,與 --weekdays 1,3,5 不一致,第二條還顯示了 UTC,可能是列表輸出的問題,建議再用 iptables -S 核對實際加載的規則,並在對應時段實測

14 設置C對A的鏈接數量不能大於2

# A
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m connlimit --connlimit-above 2 -j DROP
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 14 packets, 1232 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       172.16.11.207        172.16.11.206        #conn src/32 > 2

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8 packets, 1648 bytes)
 pkts bytes target     prot opt in     out     source               destination 

# C
# C的終端一
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password: 
Last login: Sun Jan 24 23:38:24 2016 from 172.16.11.207
[root@husa ~]# 
# C的終端二
[root@localhost ~]# ssh root@172.16.11.206
root@172.16.11.206's password: 
Last login: Sun Jan 24 23:38:39 2016 from 172.16.11.207
[root@husa ~]# 
# C的終端三
[root@localhost ~]# ssh root@172.16.11.206

可以發現,在C的三個終端通過ssh鏈接時,當達到第三個時就無法鏈接了,這種方式一般對長連接有效

15 設置請求速率

# A
[root@husa ~]# iptables -t filter -A INPUT -s 172.16.11.207 -d 172.16.11.206 -p tcp -m limit --limit 3/second --limit-burst 5 -j ACCEPT
[root@husa ~]# iptables -t filter -I INPUT 2 -s 172.16.11.207 -d 172.16.11.206 -p icmp -j REJECT
[root@husa ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 12 packets, 1056 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   31  2380 ACCEPT     tcp  --  *      *       172.16.11.207        172.16.11.206        limit: avg 3/sec burst 5
    0     0 REJECT     icmp --  *      *       172.16.11.207        172.16.11.206        reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination 

# C使用ping命令測試 —— 注意:限速規則只匹配 -p tcp,而第2條又REJECT了C的全部icmp,所以用ping只會看到 Port Unreachable,觀察不到限速效果;而且限速的ACCEPT後面沒有對同來源TCP的拒絕規則,超出速率的報文會落到INPUT鏈的默認ACCEPT,等於沒有限速,應在其後補一條 -s 172.16.11.207 -d 172.16.11.206 -p tcp -j DROP,再用TCP請求(例如curl)驗證

16 限制通過80端口發送的響應必須是ESTABLISHED狀態

# A

[root@husa ~]# iptables -t filter -A INPUT -d 172.16.11.206 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@husa ~]# iptables -t filter -A OUTPUT -s 172.16.11.206 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT

# 修改默認策略爲DROP之後,OUTPUT鏈上只有源端口爲22、80且狀態爲ESTABLISHED的報文才能出去,其他狀態(例如本機主動發起的NEW)都會被丟棄
[root@husa ~]# iptables -P INPUT DROP  
[root@husa ~]# iptables -P OUTPUT DROP
[root@husa ~]# iptables -P FORWARD DROP


[root@husa ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 271 packets, 23725 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      558 50064 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.11.206        multiport dports 22,80 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 7 packets, 436 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      143 21752 ACCEPT     tcp  --  *      *       172.16.11.206        0.0.0.0/0            multiport sports 22,80 state ESTABLISHED

# A
[root@husa ~]# ssh [email protected]   # 上面A主動發起的ssh請求被攔截了:新建的ssh連接被OUTPUT鏈的默認DROP丟棄。原因不是目的端口是22,而是A作爲客戶端時源端口是隨機的而不是22,不匹配 --sports 22,80 的放行規則,於是落到默認策略DROP

注意建立規則的先後順序:如果先把默認策略改爲DROP,當前的SSH連接就會立刻斷開。
以上這種設定之下,服務器不能主動建立連接,安全級別提高了許多;但同時要注意 lo 介面以及本機自身需要主動發起的連接也都會被OUTPUT的DROP擋住,需要另行放行

17 使用nf_conntrack_ftp模塊

# C

[root@localhost ~]# modinfo nf_conntrack_ftp
filename:       /lib/modules/2.6.32-573.el6.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko
alias:          nfct-helper-ftp
alias:          ip_conntrack_ftp
description:    ftp connection tracking helper
author:         Rusty Russell <rusty@rustcorp.com.au>
license:        GPL
srcversion:     C71BEA8280D7366FB6AFF35
depends:        nf_conntrack
vermagic:       2.6.32-573.el6.x86_64 SMP mod_unload modversions 
parm:           ports:array of ushort
parm:           loose:bool

# 安裝nf_conntrack_ftp模塊

[root@localhost ~]# modprobe nf_conntrack_ftp

# 添加iptables規則1,讓SSH保持連接

[root@localhost ~]# iptables -t filter -A INPUT -d 172.16.11.207 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp --sport 22 -j ACCEPT    
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP


# 添加iptables規則2,限制ftp鏈接

[root@localhost ~]# iptables -t filter -A INPUT -d 172.16.11.207 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT    
[root@localhost ~]# iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp -m state --state ESTABLISHED -j ACCEPT         
[root@localhost ~]# iptables -t filter -A INPUT -d 172.16.11.207 -p tcp -m state --state RELATED -j ACCEPT

爲什麼是在INPUT鏈上使用RELATED規則呢?因爲在被動模式下,ftp的控制連接和數據連接都是客戶端主動向服務器發起的,所以在INPUT鏈上放行RELATED;如果是主動模式,數據連接由服務器從20端口主動連向客戶端,那就需要在OUTPUT鏈上放行RELATED

以上這種規則冗長,實際上是可以精簡的。但精簡時要注意:被動模式的ftp數據連接目標端口是隨機的,RELATED 不能和 --dport 21,80,22 綁在同一條規則裏,否則數據連接仍會被DROP;RELATED 應像上面第4條那樣單獨放行

# 精簡規則

iptables -t filter -A OUTPUT -s 172.16.11.207 -p tcp -m state --state ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -d 172.16.11.207 -p tcp -m state --state ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -d 172.16.11.207 -p tcp -m multiport --dport 21,80,22 -m state --state NEW,RELATED -j ACCEPT 

18 使用自定義鏈

# C

# 添加icmp自定義鏈
[root@localhost ~]# iptables -N icmp

# 對icmp協議的報文都拒絕;再加一條RETURN,讓沒有被icmp鏈匹配到的報文返回到調用它的INPUT鏈繼續往下匹配
[root@localhost ~]# iptables -A icmp -d 172.16.11.207 -p icmp -j REJECT
[root@localhost ~]# iptables -A icmp -j RETURN

# 表示將自定義鏈添加到INPUT鏈上並生效
[root@localhost ~]# iptables -A INPUT -d 172.16.11.207 -j icmp

[root@localhost ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 230 packets, 22633 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       98  8816 icmp       all  --  *      *       0.0.0.0/0            172.16.11.207       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 51 packets, 6952 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain icmp (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     icmp --  *      *       0.0.0.0/0            172.16.11.207       reject-with icmp-port-unreachable 
2       98  8816 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0        

# B

[root@husa ~]# ping 172.16.11.207
PING 172.16.11.207 (172.16.11.207) 56(84) bytes of data.
From 172.16.11.207 icmp_seq=1 Destination Port Unreachable
From 172.16.11.207 icmp_seq=2 Destination Port Unreachable
From 172.16.11.207 icmp_seq=3 Destination Port Unreachable
^C
--- 172.16.11.207 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000ms

19 把對本機的ssh訪問通過iptables記錄下來

    LOG:記錄日誌(非終止目標,匹配後報文會繼續往下匹配後面的規則)
        LOG:
            --log-level level   指明日誌級別
            --log-prefix prefix 指明日誌前綴(建議一定要加,否則日誌裏無法區分是哪條規則記的)
        注意:下面不加任何狀態限制直接LOG,會把ssh會話的每一個報文都記下來(見下方的日誌),容易刷爆日誌;通常配合 -m state --state NEW 只記新連接,或加 -m limit 限制記錄速率
# C

[root@localhost ~]# iptables -A INPUT -d 172.16.11.207 -p tcp --dport 22 -j LOG

[root@localhost ~]# tail -n 1 /var/log/messages
Dec 20 14:55:58 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:8c:89:a5:0d:ae:03:08:00 SRC=172.16.250.35 DST=172.16.11.207 LEN=136 TOS=0x00 PREC=0x00 TTL=128 ID=6075 DF PROTO=TCP SPT=7253 DPT=22 WINDOW=251 RES=0x00 ACK PSH URGP=0 

# B

[root@husa ~]# ssh root@172.16.11.207
The authenticity of host '172.16.11.207 (172.16.11.207)' can't be established.
RSA key fingerprint is a7:61:b5:8a:ce:87:99:89:0e:8a:81:ce:ac:83:f0:52.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.207' (RSA) to the list of known hosts.
root@172.16.11.207's password: 
Last login: Sun Dec 20 14:32:49 2015 from 172.16.250.35
[root@localhost ~]# 

# C

[root@localhost ~]# tail -n /var/log/messages
Dec 20 14:56:23 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15967 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0 
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=196 TOS=0x00 PREC=0x00 TTL=64 ID=15968 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK PSH URGP=0 
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15969 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0 
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=15970 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK PSH URGP=0 
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=500 TOS=0x10 PREC=0x00 TTL=64 ID=15971 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK PSH URGP=0 
Dec 20 14:56:25 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:68:9a:b8:00:0c:29:eb:ce:aa:08:00 SRC=172.16.11.216 DST=172.16.11.207 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=15972 DF PROTO=TCP SPT=42137 DPT=22 WINDOW=156 RES=0x00 ACK URGP=0 

練習:INPUT和OUTPUT默認策略爲DROP;

    1、限制本地主機的web服務器在週一不允許訪問;新請求的速率不能超過100個每秒;web服務器包含了admin字符串的頁面不允許訪問;web服務器僅允許響應報文離開本機;
    2、在工作時間,即週一到週五的8:30-18:00,開放本機的ftp服務給172.16.0.0網絡中的主機訪問;數據下載請求的次數每分鐘不得超過5個;
    3、開放本機的ssh服務給172.16.x.1-172.16.x.100中的主機,x爲你的學號,新請求建立的速率一分鐘不得超過2個;僅允許響應報文通過其服務端口離開本機;
    4、拒絕TCP標誌位全部爲1及全部爲0的報文訪問本機;
    5、允許本機ping別的主機;但不開放別的主機ping本機;


練習:判斷下述規則的意義:
    # iptables -N clean_in
    # iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
    # iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP

    # iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
    # iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
    # iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
    # iptables -A clean_in -d 172.16.100.7 -j RETURN 


    # iptables -A INPUT -d 172.16.100.7 -j clean_in

    # iptables -A INPUT  -i lo -j ACCEPT
    # iptables -A OUTPUT -o lo -j ACCEPT


    # iptables -A INPUT  -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP
    # iptables -A INPUT  -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
    # iptables -A INPUT  -i eth0 -p udp --dport 1026 -j DROP
    # iptables -A INPUT  -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP

    # iptables -A INPUT  -p icmp -m limit --limit 10/second -j ACCEPT