{"id":617,"date":"2016-02-06T14:21:00","date_gmt":"2016-02-06T06:21:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=617"},"modified":"2023-11-04T14:24:19","modified_gmt":"2023-11-04T06:24:19","slug":"iptables","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/617","title":{"rendered":"iptables"},"content":{"rendered":"\n

IPTABLES<\/strong>
\u7528\u4f86\u8a2d\u5b9anetfilter\u7684User Space\u5de5\u5177
ps:netfilter\u70balinux\u8ca0\u8cac\u8655\u7406\u7db2\u8def\u5c01\u5305\u4e4b\u7cfb\u7d71 <\/p>\n\n\n\n

\u5217\u51fatable
iptables [-t table] -L [-nv]
\u53c3\u6578\uff1a
-t table\uff1a\u9078\u64c7table,\u6709filter\u53canat,mangle,\u9810\u8a2d\u70bafilter
-L\uff1a\u5217\u51fatable\u898f\u5247
-n\uff1a\u4e0d\u9032\u884cIP\u8207HOSTNAME\u7684\u53cd\u67e5
-v\uff1a\u5217\u51fa\u66f4\u591a\u7684\u8cc7\u8a0a

\u522a\u9664
iptables [-t table] [-FXZ]
-F\uff1a\u6e05\u9664\u6240\u6709\u7684\u5df2\u8a02\u5b9a\u7684\u898f\u5247
-X\uff1a\u6bba\u6389\u6240\u6709\u4f7f\u7528\u8005\u81ea\u8a02\u7684chain
-Z\uff1a\u5c07\u6240\u6709\u7684chain\u7684\u8a08\u6578\u8207\u6d41\u91cf\u7d71\u8a08\u90fd\u6b780
-N:\u81ea\u8a02\u4e00\u689d\u65b0\u7684chain<\/p>\n\n\n\n

\u5b58\u6a94\u548c\u8b80\u6a94
iptables-save > file \uff1a\u5c07iptables\u7684\u898f\u5247\u8a2d\u5b9a\u5132\u5b58\u5728file\u7684\u6a94\u6848\u88e1
iptables-restore < file :\u5c07iptables\u7684\u898f\u5247\u8a2d\u5b9a\u6a94\u8b80\u9032\u4f86<\/p>\n\n\n\n

\u5b9a\u7fa9chain\u7684\u653f\u7b56
iptables [-t table] -P chain value
-P:\u5b9a\u7fa9\u653f\u7b56
-P chain value:\u53ef\u9078\u64c7\u7684chain\u6709INPUT,OUPUT,FORWARD,\u800cvalue\u6709ACCEPT,DROP
   ex:iptables -P INPUT DROP  \u5247\u6240\u6709\u9032\u5165\u7684\u5c01\u5305\u90fd\u6703\u88ab\u4e22\u68c4
\u82e5table\u662fnat,\u5247chain\u6709OUTPUT,POSTROUTING,PREROUTING
\u82e5table\u662fmangle,\u5247chain\u6709PREROUTING,POSTROUTING,INPUT,OUTPUT

\u5c01\u5305\u9032\u5165\u6642\u7684\u7d93\u904e\u7684chain\u9806\u5e8f\u70ba
1mangle(prerouting)>nat(prerouting)>\u4f9d\u662f\u5426\u8f49\u905e\u5c01\u5305\u52302a\u62162b
 2a\u9032\u884c\u5c01\u5305\u8f49\u905e mangle(forward)>filter(forward)>\u5230\u9806\u5e8f3
 2b\u7121,\u5c01\u5305\u9032\u5165\u4e3b\u6a5f mangle(input)>filter(input)>\u4e3b\u6a5f,\u8def\u7531\u5224\u65b7>mangle(output)>nat(output)>filter(output)>\u5230\u9806\u5e8f3
3mangle(postrouting)>nat(postrouting)

……………………………………………………………………………………………

\u8a2d\u5b9achain\u7684\u898f\u5247
iptables -[A|I] chain [-io] [-p] [-s] [-d] [-j]
-A chain:\u9644\u52a0\u4e00\u689d\u898f\u5247\u5728\u5f8c\u9762
-I chain:\u5dee\u5165\u4e00\u689d\u898f\u5247\u5728\u524d\u9762
-R chain n\uff1a\u6539\u8b8a\u7b2cn\u689d\u898f\u5247
-D chain n\uff1a\u522a\u9664\u7b2cn\u689d\u898f\u5247
-D \u90e8\u4efdrule :\u522a\u9664\u7b2c\u4e00\u500b\u7b26\u5408rule\u7684\u503c
-D \u5b8c\u6574rule :\u522a\u9664\u548crule\u4e00\u6a23\u7684\u503c
-i interface:\u5c01\u5305\u9032\u5165\u7684interface,\u9700\u8207input\u914d\u5408,ex:lo,eth0
-o interface:\u540c\u4e0a,\u4f46\u9700\u8207output\u914d\u5408
-p protocol:\u8a2d\u5b9a\u898f\u5247\u9069\u7528\u65bc\u90a3\u500bprotocol,\u53ef\u9078tcp,udp,icmp,all
\u3000\u82e5protocol\u662ftcp\u6216udp\u5247\u53ef\u7528\u4ee5\u4e0b\u53c3\u6578
\u3000\u3000-s source:\u8a2d\u5b9a\u4f86\u6e90,source\u53ef\u4ee5\u662fip,ip\/mask,\u7db2\u57df,\u82e5\u5728sourec\u524d\u52a0\uff01\u8868\u793a\u62d2\u7d55
\u3000\u3000-d destination:\u8a2d\u5b9a\u76ee\u6a19,target\u7684\u503c\u540csource
\u3000\u3000–dport value1:value2 :\u6307\u5b9a\u76ee\u6a19port\u6216\u7a0b\u5f0f\u540d\u7a31,port\u865f\u53ef\u9078\u64c7\u4e00\u9023\u7e8c\u7bc4\u570d,\u9700\u642d\u914d-p
\u3000\u3000–sport value1:value2 :\u540c\u4e0a,\u4f46\u662f\u6307\u5b9a\u4f86\u6e90\uff0c\u9700\u642d\u914d-p
\u3000\u82e5protocol\u662ftcp\u53ef\u7528\u4ee5\u4e0b\u53c3\u6578
\u3000\u3000! -syn  \u4e0d\u662fsyn\u5c01\u5305
\u3000\u3000–syn tcp\u7684syn\u4f4d\u5143\u88ab\u958b\u555f,\u4e5f\u5c31\u662fsyn\u5c01\u5305
\u3000\u3000–tcp-flags value \u6307\u5b9atcp\u7684flag,value\u53ef\u9078syn,ack,fin,rst,urg,psh,all,none
    \u82e5protocol\u662ficmp\u53ef\u7528\u4ee5\u4e0b\u53c3\u6578
\u3000\u3000–icmp-type type:\u6307\u5b9aicmp\u7684type,ex:8=echo request
-j target:\u8a2d\u5b9a\u6b64\u898f\u5247\u8981\u5982\u4f55\u8655\u7406,\u53ef\u9078ACCEPT,DROP,TOS,LOG,\u81ea\u8a02chain
\u3000ex:iptables -A INPUT -i eth0 -s 192.168.1.10 -j DROP    \u5c07\u5f9e192.168.1.10\u9032\u5230eth0\u4ecb\u9762\u7684\u5c01\u5305drop
\u3000ex:iptables -R INPUT 1 -i ppp0 -p tcp –sport 80 -j DROP  \u5c07\u7b2c\u4e00\u500b\u898f\u5247\u6539\u6210\uff0c\u62d2\u7d55\u4efb\u4f55\u4f86\u6e90\u70baport80\u9032\u5165ppp0\u7684\u754c\u9762
\u3000ex:iptables -I INPUT -i ppp0 -p tcp –dport 80 -j ACCEPT \u5c01\u5305\u7684\u76ee\u6a19port\u82e5\u662f80\u800c\u4e14\u8981\u9032\u5165ppp0\u4ecb\u9762\u5247\u5141\u8a31\u901a\u884c
\u3000ex:iptables -A INPUT -p icmp –icmp-type 8 -j DROP  \u4e0d\u63a5\u53d7ping\u7684\u56de\u61c9
\u3000\u82e5target\u70balog,\u53ef\u7528\u4ee5\u4e0b\u53c3\u6578
\u3000\u3000–log-level value \u8981\u8a18\u9304\u5230syslog\u7684\u7b49\u7d1a,\u7b49\u7d1a\u53ef\u53c3\u8003syslog.conf
\u3000\u3000–log-prefix value \u6703\u5728\u6bcf\u7b46log\u524d\u52a0\u6307\u5b9a\u5b57\u4e32
\u3000\u3000–log-tcp-options \u8a18\u9304tcp header\u76f8\u95dc\u8a0a\u606f
\u3000\u3000–log-ip-options \u8a18\u9304ip header\u76f8\u95dc\u8a0a\u606f
\u3000ps:log\u6703\u8a18\u9304\u5230\/var\/log\/messages
\u3000ps:\u82e5\u8a2d\u5b9a–log-level debug,\u4e26\u5728syslog.conf\u5167\u52a0\u5165kern.=debug \/var\/log\/iptableslog,\u91cd\u555fsyslog\u5247\u53ef\u5c07log\u8a18\u5728iptableslog\u5167
\u3000ps:iptables log\u5206\u6790\u5668\u3000http:\/\/iptablelog.sourceforge.net\/\u3000
\u3000ex:iptables -I INPUT -p tcp –dport 80 -j LOG –log-prefix=flog \u82e5\u7b26\u5408\u5247\u8a18\u9304\u5230log\u4e2d,\u4e26\u5728\u6bcf\u7b46\u8a18\u9304\u524d\u52a0flog
  \u82e5target\u70batos,\u53ef\u7528\u4ee5\u4e0b\u53c3\u6578
     –set-tos Mzximize-Throughput  \u8b93\u901a\u904e\u91cf\u6700\u5927
     –set-tos Minimize-Delay \u53ef\u7372\u5f97\u66f4\u591a\u53cd\u61c9<\/p>\n\n\n\n

\u61c9\u7528:\u9632\u6b62 port scan
# NMAP FIN\/URG\/PSH<\/strong>
iptables -A INPUT -i eth0 -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree<\/strong>
iptables -A INPUT -i eth0 -p tcp –tcp-flags ALL ALL -j DROP
# Another Xmas Tree<\/strong>
iptables -A INPUT -i eth0 -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)<\/strong>
iptables -A INPUT -i eth0 -p tcp –tcp-flags ALL NONE -j DROP
# SYN\/RST<\/strong>
iptables -A INPUT -i eth0 -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
# SYN\/FIN — Scan(possibly)<\/strong>
iptables -A INPUT -i eth0 -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP <\/p>\n\n\n\n

ps:
-j target\u7684\u5176\u4ed6\u53c3\u6578
RETURN:\u4e0d\u4f7f\u7528\u76ee\u524dchain\u898f\u5247,\u4e14\u76f4\u63a5\u8fd4\u56de\u4e26\u5230\u4e0b\u500bchain\u6216\u5176\u4ed6\u4f4d\u5740
\u7d50\u675f\u5728\u76ee\u524dchain\u4e2d\u7684\u904e\u6ffe\u7a0b\u5e8f\uff0c\u8fd4\u56de\u4e3bchain\u7e7c\u7e8c\u904e\u6ffe
ps:\u82e5\u628a\u81ea\u8a02chain\u770b\u505a\u526f\u7a0b\u5f0f,\u90a3return\u5c31\u76f8\u7576\u65bc\u63d0\u65e9\u7d50\u675f\u526f\u7a0b\u5f0f\u4e26\u8fd4\u56de\u5230\u4e3b\u7a0b\u5f0f\u4e2d
QUEUE:\u5c07packet\u9001\u5230\u6307\u5b9a\u7684\u61c9\u7528\u7a0b\u5f0f\u8655\u7406    \u3000
MARK:\u5c07packet\u6a19\u4e0a\u67d0\u500b\u7de8\u865f,\u7d66\u5f8c\u7e8c\u904e\u6ffe\u7684\u52d5\u4f5c\u53c3\u8003
ex:iptables -t mangle -A PREROUTING -p tcp –dport 80 -j MARK –set-mark 2
REJECT:\u963b\u64cb\u8a72packet,\u4e26\u56de\u50b3\u8a0a\u606f<\/p>\n\n\n\n

…………………………

\u4f7f\u7528\u6a21\u7d44
iptables -[A|I] chain -m module –module [-j]
module\u6709:<\/p>\n\n\n\n

1.state(\u72c0\u614b\u6a21\u7d44),\u7528\u6cd5:<\/strong>
-m state –state value1,value2 :\u6307\u5b9a\u5c01\u5305\u7684\u72c0\u614b,value\u6709
\u3000INVALID\uff1a\u7121\u6548\u7684\u5c01\u5305\uff0c\u4f8b\u5982\u8cc7\u6599\u7834\u640d\u7684\u5c01\u5305\u72c0\u614b
\u3000ESTABLISHED\uff1a\u5df2\u7d93\u9023\u7dda\u6210\u529f\u7684\u9023\u7dda\u72c0\u614b
\u3000NEW\uff1a\u60f3\u8981\u65b0\u5efa\u7acb\u9023\u7dda\u7684\u5c01\u5305\u72c0\u614b,\u5c31\u662f\u7b2c\u4e00\u500b\u4f86\u7684\u5c01\u5305,tcp\u9023\u7dda\u958b\u59cb\u6703\u5148\u9001syn\u5c01\u5305
\u3000RELATED\uff1a\u6700\u5e38\u7528,\u8868\u793a\u6b64\u5c01\u5305\u662f\u8207\u6211\u5011\u4e3b\u6a5f\u767c\u9001\u51fa\u53bb\u7684\u5c01\u5305\u6709\u95dc
\u3000ex:iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT \u53ea\u8981\u5df1\u5efa\u7acb\u6216\u76f8\u95dc\u5c01\u5305\u5c31\u7d66\u4e88\u901a\u904e
\u3000ex:iptables -A INPUT -p tcp ! -syn -m state –state NEW -j DORP \u7b2c\u4e00\u500b\u4f86\u7684tcp\u5c01\u5305\u4e0d\u662fsyn\u5247\u62d2\u7d55<\/p>\n\n\n\n

2.mac(\u7db2\u8def\u5361\u786c\u9ad4\u4f4d\u7f6e),\u7528\u6cd5:<\/strong>
-m mac –mac-source value :\u6307\u5b9a\u4e3b\u6a5f(value\u70ba\u7db2\u5361\u5361\u865f)
ex:iptables -A INPUT -m mac –mac-source aa:bb:cc:dd:ee:ff -j ACCEPT \u82e5\u8981\u9032\u5165\u6b64\u7db2\u5361\u5247\u53ef\u901a\u884c<\/p>\n\n\n\n

3.limit<\/strong>(\u9650\u5236),\u7528\u6cd5<\/strong>
-m limit –limit value\/unit \u6bd4\u5c0d\u67d0\u6bb5\u6642\u9593\u5167\u5c01\u5305\u7684\u5e73\u5747\u6d41\u91cf,unit\u6709day,hour,minute,second
ex:iptables -A INPUT -m limit –limit 3\/hour\u3000\u6bcf\u5c0f\u6642\u5e73\u5747\u53ea\u80fd\u8655\u74063\u500b\u5c01\u5305
-m limit –limit-burst\u3000\u82e5\u540c\u6642\u9032\u4f86\u591a\u500b\u5c01\u5305,\u53ea\u6709\u5c11\u6578\u5e7e\u500b\u80fd\u653e\u5165\u7de9\u885d\u5340 ,\u5176\u9918\u4e1f\u68c4
ex:iptables -A INPUT -m limit –limit-burst 5\u3000\u82e5\u540c\u6642\u9032\u4f86\u591a\u500b\u5c01\u5305,\u53ea\u67095\u500b\u5c01\u5305\u653e\u5165\u7de9\u885d\u5340,\u5176\u9918\u4e1f\u68c4
ex:iptables -A INPUT -p icmp –icmp-type 8 -m limit –limit 6\/m –limit burst 10 -j ACCEPT \u82e5\u6bcf\u5206\u9418\u8d85\u904e10\u500bicmp\u5c01\u5305\u5247\u6bcf\u5206\u9418\u53ea\u80fd\u9032\u4f866\u500bicmp\u5c01\u5305
\u4fdd\u8b77ssh
to limit the the number of connections to the ssh port to 3 per minute: 
ex:
iptables -A INPUT -p tcp –dport 22 –syn -m limit –limit 1\/m –limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp –dport 22 –syn -j DROP 
rule 1
will accept new connections on port 22 provided that IP address hasn’t made more than 3 connection attempts in the last minute.
rule 2
If more than 3 connection attempts have been made within the last minute, then rule2 will DROP the connection<\/p>\n\n\n\n

4.mark\u7528\u6cd5<\/strong>
-m mark –mark value \u6bd4\u5c0d\u6b64\u5c01\u5305\u88ab-j MARK –set-mark\u7684value
ex:iptables -t mangle -A INPUT -m mark –mark 1000 \u6bd4\u5c0d\u5c01\u5305\u662f\u5426\u88ab\u6a19\u4e0a1000\u7684\u7de8\u865f<\/p>\n\n\n\n

5.recent\u7528\u6cd5<\/strong>
\u53c3\u6578\u5982\u4e0b
-seconds < num>\u6bd4\u5c0d\u5c0f\u65bc\u6b64\u79d2\u6578\u7684\u8a18\u9304\u624d\u52d5\u4f5c\u3000
-hitcount < num>\u91cd\u8986\u767c\u751f\u5e7e\u6b21
-name < name> \u5132\u5b58\u8cc7\u8a0a\u7684\u8a18\u9304\u6a94\u540d\u7a31\uff0c\u901a\u5e38\u5b58\u5728\u76ee\u9304\/proc\/net\/ipt_recent\/\u3000
-set < name> \u7576\u7b26\u5408\u689d\u4ef6\u6642\uff0c\u8981\u5132\u5b58\u5728\u6307\u5b9a\u7684\u8a18\u9304\u6a94\u540d\u7a31\u3000
-rcheck \u3000\u8207\u8a18\u9304\u6a94\u6bd4\u5c0d\uff0c\u4f46\u4e0d\u6703\u4fee\u6539\u66f4\u65b0
-update \u3000\u8207\u8a18\u9304\u6a94\u6bd4\u5c0d\uff0c\u6703\u4f5c\u4fee\u6539\u66f4\u65b0<\/p>\n\n\n\n

\u4fdd\u8b77ssh
prevent brute-force attacks by logging and blocking repeated attempts to login from the same IP address
ex:
iptables -A INPUT -p tcp –dport 22 -m recent –set –name ssh –rsource
iptables -A INPUT -p tcp –dport 22 -m recent ! –rcheck –seconds 60 –hitcount 4 –name ssh –rsource -j ACCEPT 
rule 1 
records the IP address of each attempt to access port 22 using the recent module.
records data usually is saved in \/proc\/net\/ipt_recent\/
rule 2
checks to see if that IP address has attempted to connect 4 or more times within the last 60 seconds,
and if not then the packet is accepted. 
Note this rule would require a default policy of DROP on the input chain.<\/p>\n\n\n\n

\u572810\u79d2\u5167\u8d85\u904e6\u6b21icmp-type8\u5c31drop\uff0c\u4e26\u505a\u8a18\u9304
ex:
iptables -A INPUT -p icmp -icmp-type 8 -m recent -name ICMP_check -update -seconds 10 -hitcount 6 -j DROP
iptables -A INPUT -p icmp -icmp-type 8 -m recent -set -name ICMP_check<\/p>\n\n\n\n

refer
http:\/\/ssorc.tw\/1053
http:\/\/ishm.idv.tw\/?p=188<\/p>\n\n\n\n

6.connlimit\uff0c\u9650\u5236\u6bcf\u500b ip \u7684\u9023\u7dda\u6578
<\/strong>\u53c3\u6578\u5982\u4e0b
-connlimit-above < number>
-connlimit-mask < CIDR ><\/strong><\/p>\n\n\n\n

\u9650\u5236\u6bcf\u500b ip \u53ea\u53ef\u4ee5\u6709 5 \u500b ssh \u9023\u7dda 
ex:
iptables -A INPUT -p tcp -syn -dport 22 -m connlimit -connlimit-above 5 -j REJECT<\/p>\n\n\n\n

\u5c07\u9023\u7dda\u6578\u5927\u65bc50\u7684\u505a\u653e\u5165message\u505a\u8a18\u9304
ex:
iptables -I INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 50 -j LOG –log-prefix “CONNLIMIT: ” –log-level warning  \u3000<\/p>\n\n\n\n

refer
http:\/\/www.phpini.com\/linux\/iptables-limit-ip-connections<\/p>\n\n\n\n

………………………..

\u6838\u5fc3\u7684\u7db2\u8def\u529f\u80fd
\u4e00\u500b\u529f\u80fd\u8868\u793a\u6210\u4e00\u500b\u6a94\u6848,\u6a94\u6848\u5167\u7684\u503c\u8a2d\u62101\u8868\u793a\u555f\u52d5

\u5728\u6b64\u76ee\u9304\/proc\/sys\/net\/ipv4\/\u6709:
tcp_syncookies  \u907f\u514dSYN Flooding \u7684 DoS \u653b\u64ca
tcp_max_syn_backlog TCP\u5c01\u5305\u9023\u7dda\u6700\u4f73\u5316
tcp_synack_retries TCP\u5c01\u5305\u9023\u7dda\u6700\u4f73\u5316
tcp_abort_on_overflow TCP\u5c01\u5305\u9023\u7dda\u6700\u4f73\u5316
icmp_echo_ignore_broadcasts \u53ea\u52ff\u7565ping broadcast,\u53ef\u907f\u514dping flooding\u53caping of death
icmp_echo_ignore_all \u5168\u90e8\u7684ping\u90fd\u4e0d\u56de\u61c9,\u7f3a\u9ede\u662f\u96e3\u5224\u65b7\u4e3b\u6a5f\u662f\u5426\u5728\u7dda\u4e0a
icmp_ignore_bogus_error_responses \u555f\u52d5\u5ffd\u7565\u8a18\u9304\u529f\u80fd\u53ef\u907f\u514d\u4e00\u4e9b\u5047\u56de\u61c9\u5c0dsyslog\u9032\u884cDoS\u653b\u64ca
tcp_ecn \u81ea\u52d5\u64c1\u585e\u901a\u77e5,\u4e26\u975e\u6240\u6709ip\u652f\u63f4,\u5efa\u8b70\u95dc\u6389

\u5728\u6b64\u76ee\u9304\/proc\/sys\/net\/ipv4\/conf\/\u7db2\u8def\u4ecb\u9762\/*\u6709:
rp_filter \u9006\u5411\u8def\u5f91\u904e\u6ffe,\u5c07\u4e0d\u5408\u7406\u7684\u5c01\u5305\u4e1f\u68c4,\u53ef\u907f\u514d\u653b\u64ca\u8005\u507d\u88dd\u6210\u4fe1\u4efb\u7db2\u57df\u4f86\u6b3a\u9a19\u9632\u706b\u7246
log_martians \u5c07\u4e0d\u5408\u6cd5\u7684ip\u7d00\u9304\u5728\/var\/log\/messages
ex:echo “1” > \/proc\/sys\/net\/ipv4\/tcp_syncookies \u555f\u52d5\u963b\u64cbsyn flooding\u6a5f\u5236
accept_redirects \u5efa\u8b70\u95dc\u9589
send_redirects \u5efa\u8b70\u95dc\u9589

……………………………………………………………………………………………………….

\u95dc\u65bcnat
\u76f8\u95dc\u6838\u5fc3\u7db2\u8def\u529f\u80fd\u6709:
\/proc\/sys\/net\/ipv4\/ip_forward  \u6253\u958bLinux\u6838\u5fc3\u7684\u5c01\u5305\u8f49\u905e\u80fd\u529b,\u8b93linux\u5177router\u529f\u80fd
ps:\u53ef\u5728\/etc\/sysctl.conf\u5167\u52a0\u5165net.ipv4.ip_forward=1,\u5728\u57f7\u884csysctl -p\u8b93\u8a2d\u5b9a\u7acb\u5373\u751f\u6548

\u4f7f\u7528nat\u8868\u7684-j action\u5982\u679c\u662f
 MASQUERADE,\u8868\u793a\u507d\u88ddip
 SNAT –to,\u8868\u793a\u76f4\u63a5\u4fee\u6539ip\u8868\u982d,\u9700\u4f7f\u7528postrouting\u93c8
 DNAT –to,\u8868\u793a\u76f4\u63a5\u4fee\u6539ip\u8868\u982d,\u9700\u4f7f\u7528prerouting\u93c8
 REDICRECT –to-ports,\u9032\u884cport\u8f49\u63db
ex:iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth1 -j MASQUERADE\u3000\/\/\u82e5\u5c01\u5305\u5f9e192.168.1.2\u4f86\u4e14\u8981\u5f9eeth1\u4ecb\u9762\u51fa\u53bb,\u5247\u5c07\u5c01\u5305\u507d\u88dd
ex:iptables -t nat -A POSTROUTING -o eth1 -j SNAT –to 192.168.200.250  \/\/\u628a\u8981\u5f9eeth1\u4ecb\u9762\u51fa\u53bb\u7684\u5c01\u5305,\u5c01\u5305\u4f86\u6e90\u6539\u70ba192.168.200.250
ex:iptables -t nat -A PREROUTING -p tcp -i eth1 –dport 80 -j DNAT –to 192.168.1.210:80 
\u3000\/\/\u628a\u9032\u5165eth1\u4ecb\u9762\u4e14\u76ee\u6a19\u57e0\u70ba80\u7684\u5c01\u5305,\u5c01\u5305\u76ee\u6a19\u6539\u70ba192.168.1.210:80
ex:iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-ports 8080 \/\/\u82e5\u5c01\u5305\u9032\u4f86\u7684\u76ee\u6a19\u57e0\u70ba80,\u5247\u6539\u70ba8080


nat\u4e3b\u6a5f\u9700\u8a2d\u5b9a\u7684\u6709
echo “1” > \/proc\/sys\/net\/ipv4\/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
\u82e5ppp0\u4ecb\u9762\u5c0d\u5916,\u4e14\u5c0d\u5167\u7db2\u8def\u70ba192.168.1.0\/24
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0\/24 -j MASQUERADE
ps:\u4ee5\u4e0a\u8a2d\u5b9a\u90fd\u5728nat\u7684\u5c0d\u5167\u7db2\u8def\u5df1\u9023\u7dda,\u4e14\u9810\u8a2d\u9598\u9053\u70ba\u5916\u7db2\u4ecb\u9762\u7684\u60c5\u6cc1\u4e0b
ps:\u8981\u900f\u904enat\u7684\u4e3b\u6a5f,client\u7aef\u9598\u9053\u8981\u8a2dnat\u4e3b\u6a5f,\u901a\u5e38dns\u4e5f\u9700\u8981\u8a2d\u5b9a

………………………………

\u5e38\u7528\u7bc4\u4f8b

basic mode:
\u4f7f\u7528iptables\u6642\u5efa\u8b70\u958b\u555f\u9019\u4e9b\u529f\u80fd
echo 1 > \/proc\/sys\/net\/ipv4\/tcp_syncookies
echo 1 > \/proc\/sys\/net\/ipv4\/tcp_max_syn_backlog
echo 1 > \/proc\/sys\/net\/ipv4\/tcp_synack_retries
echo 1 > \/proc\/sys\/net\/ipv4\/tcp_abort_on_overflow
echo 1 > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_all
echo 1 > \/proc\/sys\/net\/ipv4\/conf\/all\/rp_filter
echo 1 > \/proc\/sys\/net\/ipv4\/conf\/all\/log_martians

client mode:
client\u7aef\u96fb\u8166\u5efa\u8b70\u8a2d\u5b9a\u65b9\u5f0f
ps:\u5047\u8a2d\u9023\u5916\u7db2\u5361\u70baeth0
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
\u4efb\u4f55\u4e3b\u52d5\u9023\u7dda\u5230client\u7aef\u96fb\u8166\u90fd\u6703\u88ab\u62d2\u7d55,\u9664\u975e\u662f\u7531client\u7aef\u767c\u8d77\u7684\u9023\u7dda\u6216\u5df2\u5b58\u5728\u7684\u9023\u7dda\u624d\u51c6\u8a31\u901a\u904e

\u4f7f\u7528forward\u7684strict nat mode:
ps:\u5047\u8a2dnat\u5df1\u8a2d\u5b9a\u597d\u53ef\u6b63\u5e38\u4f7f\u7528,\u9023\u5916\u7db2\u5361\u70baeth0
iptables -P FORWARD DROP
iptables -I FORWARD -o eth0 -p tcp –dport 80 -j ACCEPT
iptables -I FORWARD -o eth0 -p tcp –dport 443 -j ACCEPT
iptables -I FORWARD -o eth0 -p tcp –dport 53 -j ACCEPT
iptables -I FORWARD -o eth0 -p udp –dport 53 -j ACCEPT
iptables -I FORWARD -o eth0 -p tcp –dport 21 -j ACCEPT
iptables -I FORWARD -o eth0 -p tcp –dport 20 -j ACCEPT
iptables -A FORWARD -i eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
\u4f7f\u7528\u8005\u53ea\u53ef\u700f\u89bd\u7db2\u9801\u4ee5\u53caftp
iptables -A FORWARD -o eth0 -j LOG –log-prefix=natdeny
\u8a18\u9304\u4f7f\u7528\u8005\u4f7f\u7528\u90a3\u4e9bport\u88ab\u64cb\u6389,\u57f7\u884ccat \/var\/log\/message | grep natdeny\u53ef\u601d\u8003\u90a3\u4e9bport\u53ef\u958b\u653e

\u4f7f\u7528mangle\u7684strict nat mode
ps:\u5047\u8a2dnat\u5df1\u8a2d\u5b9a\u597d\u53ef\u6b63\u5e38\u4f7f\u7528,\u4e14lan\u4ecb\u9762\u70baeth0,wan\u4ecb\u9762\u70bappp0
iptables -t mangle -P PREROUTING DROP
iptables -t mangle -I PREROUTING -i lo -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p udp –dport 53 -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p tcp –dport 53 -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p tcp –dport 80 -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p tcp –dport 443 -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p tcp –dport 20 -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p tcp –dport 21 -j ACCEPT
iptables -t mangle -I PREROUTING -i eth0 -p tcp –dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -i ppp0 -m state –state RELATED,ESTABLISHED -j ACCEPT
\u4f7f\u7528\u8005\u53ea\u53ef\u700f\u89bd\u7db2\u9801\u4ee5\u53caftp
iptables -t mangle -A PREROUTING -i eth0 -j LOG –log-prefix=natdeny
\u8a18\u9304\u4f7f\u7528\u8005\u4f7f\u7528\u90a3\u4e9bport\u88ab\u64cb\u6389,\u57f7\u884ccat \/var\/log\/message | grep natdeny\u53ef\u601d\u8003\u90a3\u4e9bport\u53ef\u958b\u653e

server mode
\u5047\u8a2d\u9032\u5165\u5167\u90e8\u7684\u4ecb\u9762\u70baeth0
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I OUTPUT -o eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
#\u82e5\u6709web server\u8981\u52a0\u5165
iptables -I INPUT -i eth0 -p tcp –dport 80 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp –dport 443 -j ACCEPT
#\u82e5\u6709ftp server\u8981\u52a0\u5165
iptables -I INPUT -i eth0 -p tcp –dport 20 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp –dport 21 -j ACCEPT
#\u82e5\u6709dns server\u8981\u52a0\u5165
iptables -I INPUT -i eth0 -p tcp –dport 53 -j ACCEPT
iptables -I INPUT -i eth0 -p udp –dport 53 -j ACCEPT
#\u82e5\u6709mail server\u8981\u52a0\u5165
iptables -I OUTPUT -i eth0 -p tcp –dport 25 -j ACCEPT
iptables -I OUTPUT -o eth0 -p tcp –dport 25 -j ACCEPT
#\u82e5\u8981\u7528ssh\u7ba1\u7406\u8981\u52a0\u5165
iptables -I INPUT -i eth0 -p tcp –dport 22 -j ACCEPT



\u53c3\u8003\u8cc7\u6599
\u7db2\u8def\u76f8\u95dc\u6587\u4ef6\u53ca\u5404\u5927\u7db2\u7ad9
\u9632\u706b\u7246\u76f8\u95dc\u66f8\u7c4d<\/p>\n","protected":false},"excerpt":{"rendered":"

IPTABLES\u7528\u4f86\u8a2d\u5b9anetfilter\u7684User Spa …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[17],"tags":[],"class_list":["post-617","post","type-post","status-publish","format-standard","hentry","category-systemtool"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=617"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/617\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}