一、防火墻種類及使用說明

硬件：
    三層路由： 華為 H3C(華三)
    深信服
   Juniper
軟件：
   iptables
   firewalld
云防火墻：
   阿里云:安全組（默認的是白名單 防火墻默認規(guī)則是拒絕）

二沾凄、必須熟悉的名詞

容器: 瓶子 罐子 存放東西
表(table): 存放鏈的容器
鏈(chain): 存放規(guī)則的容器
規(guī)則(policy): 準許或拒絕規(guī)則 ACCPT DROP

image.png

三挖腰、 iptables 執(zhí)行過程※※※※※

工作流程小結(jié)：※※※※※
1. 防火墻是層層過濾的词身，實際是按照配置規(guī)則的順序從上到下屡穗，從前到后進行過濾的贴捡。
2. 匹配 表示 阻止還是通過，數(shù)據(jù)包就不再向下匹配新的規(guī)則 村砂。
3. 如果規(guī)則中沒有明確表明是阻止還是通過的烂斋，也就是沒有匹配規(guī)則，向下進行匹配础废，直到匹配默認規(guī)則得到明
確的阻止還是通過汛骂。
4. 防火墻的默認規(guī)則是所有規(guī)則執(zhí)行完才執(zhí)行的。

image.png

四评腺、表與鏈※※※※※

4表伍鏈
表：
filter： (默認帘瞭，防火墻功能 準許 拒絕)
nat：表 nat功能
    內(nèi)網(wǎng)服務(wù)器上外網(wǎng)（共享上網(wǎng)）
    端口映射
mangle
raw

filter表：

image.png

nat（Network Address Translation）表：

image.png

五、4表五鏈流程

image.png

六蒿讥、環(huán)境準備及命令

iptables iptables啟動或關(guān)閉的命令
yum install -y iptables-services
[root@m01 ~]# rpm -ql iptables
/usr/sbin/iptables #iptables管理命令
[root@m01 ~]# rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables #防火墻的配置文件
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service #防火墻服務(wù)配置文件(命令)
#防火墻相關(guān)模塊 加載到內(nèi)核中
#加載防火墻的內(nèi)核模塊
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
[root@m01 ~]# lsmod |egrep 'filter|nat|ipt'
nf_nat_ftp 12770 0
nf_conntrack_ftp 18638 1 nf_nat_ftp
iptable_nat 12875 0
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26787 2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack 133053 6
nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter 12810 0
ip_tables 27126 2 iptable_filter,iptable_nat
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
[root@m01 ~]# systemctl stop firewalld
[root@m01 ~]# systemctl disable firewalld
[root@m01 ~]# systemctl is-active firewalld.service
unknown
[root@m01 ~]# systemctl is-enabled firewalld.service
disabled
[root@m01 ~]# systemctl start iptables.service
[root@m01 ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to
/usr/lib/systemd/system/iptables.service.
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-hostprohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-hostprohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

七蝶念、iptables命令參數(shù)

image.png

image.png

image.png

八、配置filter表規(guī)則※※※※※

[root@m01 ~]# iptables -F
[root@m01 ~]# iptables -X
[root@m01 ~]# iptables -Z
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

九诈悍、 禁止訪問22端口

iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

image.png

刪除 規(guī)則 -D

image.png

十祸轮、禁止ip和端口訪問

[root@m01 ~]# iptables -I INPUT -s 10.0.0.7 -p tcp --dport 22 -j DROP
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 10.0.0.7 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

十一、禁止網(wǎng)段連入（禁止10.0.0.0網(wǎng)段訪問 8080端口）

nc ncat netcat
nc -l
telnet
[root@m01 ~]# yum provides nc
已加載插件：fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
2:nmap-ncat-6.40-16.el7.x86_64 : Nmap's Netcat replacement
源 ：base
匹配來源：
提供 ：nc
2:nmap-ncat-6.40-16.el7.x86_64 : Nmap's Netcat replacement
源 ：@base
匹配來源：
提供 ：nc
[root@m01 ~]#
[root@m01 ~]#
[root@m01 ~]#
[root@m01 ~]#
[root@m01 ~]#
[root@m01 ~]# rpm -qf `which nc`
nmap-ncat-6.40-16.el7.x86_64
#nc使用指南：
## 實現(xiàn)telnet檢查端口是否開啟
nc 10.0.0.61 22
## 聊天 送秋波
[root@m01 ~]# nc -l 8080
送秋波
送香菜
[root@m01 ~]# ss -lntup |grep 8080
tcp LISTEN 0 10 *:8080 *:*
users:(("nc",pid=10661,fd=4))
tcp LISTEN 0 10 :::8080 :::*
users:(("nc",pid=10661,fd=3))
[root@web01 ~]# telnet 10.0.0.61 8080 #連接到 8080端口
Trying 10.0.0.61...
Connected to 10.0.0.61.
Escape character is '^]'. #按ctrl + 】 退出
送秋波
送香菜
^C^C^C^C^C^C^]
telnet> Connection closed.
## 通過nc傳輸文件
[root@m01 ~]# nc -l 8080 >/tmp/hosts.txt
[root@web01 ~]# cat /etc/hosts |nc 10.0.0.61 8080
[root@m01 ~]# cat /tmp/hosts.txt
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.61 m01

十二侥钳、禁止172.16.1.0網(wǎng)段訪問 8080端口

iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 8080 -j DROP

image.png

十三适袜、只允許指定網(wǎng)段連入（允許10.0.0.0網(wǎng)段）

location /status {
stub_status;
allow 10.0.0.0/24;
deny all;
}
iptables -I INPUT ! -s 10.0.0.0/24 -j DROP

image.png

十四、 指定多個端口

[root@m01 ~]# iptables -I INPUT -p tcp -m multiport ! --dport 80,443 -j DROP
[root@m01 ~]# iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
[root@m01 ~]# #禁止用戶訪問 1024-65535范圍的端口
[root@m01 ~]# iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
[root@m01 ~]# iptables -I INPUT -p tcp --dport 81,444 -j DROP
iptables v1.4.21: invalid port/service `81,444' specified
Try `iptables -h' or 'iptables --help' for more information.
[root@m01 ~]# iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 81,444
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535
DROP all -- !10.0.0.0/24 0.0.0.0/0
DROP tcp -- 172.16.1.0/24 0.0.0.0/0 tcp dpt:8080
DROP tcp -- 10.0.0.7 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

image.png

十五舷夺、匹配ICMP 類型

ping
tracert(windows) traceroute (linux) 路由追蹤
ICMP（Internet Control Message Protocol）Internet控制報文協(xié)議

通過內(nèi)核參數(shù) 控制 禁止被ping

[root@m01 ~]# cat /etc/sysctl.conf
#/proc/sys/net/ipv4/icmp_echo_ignore_all
net.ipv4.icmp_echo_ignore_all = 1
[root@m01 ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1

通過防火墻規(guī)則 控制是否可以ping

[root@m01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
###iptables -I INPUT -p icmp --icmp-type any -j DROP
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

十六苦酱、 匹配網(wǎng)絡(luò)狀態(tài)（TCP/IP連接狀態(tài)）

-m state --state
NEW：已經(jīng)或?qū)有碌倪B接
ESTABLISHED：已建立的連接
RELATED：正在啟動的新連接
INVALID：非法或無法識別的
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

十七、限制并發(fā)及速率

iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -I INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j
ACCEPT
-m limit --limit n/{second/minute/hour}:
解釋：指定時間內(nèi)的請求速率”n”為速率给猾，后面為時間分別為：秒 分 時
--limit-burst [n]
解釋：在同一時間內(nèi)允許通過的請求”n”為數(shù)字疫萤，不指定默認為5

十八、防火墻規(guī)則的保存與恢復

image.png

[root@m01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@m01 ~]# iptables-save > /etc/sysconfig/iptables
[root@m01 ~]#
[root@m01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Jul 24 23:28:23 2019
*filter
:INPUT ACCEPT [341:28194]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [271:30712]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
# Completed on Wed Jul 24 23:28:23 2019
[root@m01 ~]# #恢復
[root@m01 ~]# #重啟防火墻
[root@m01 ~]# iptables -F
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@m01 ~]#
[root@m01 ~]# iptables-restore </etc/sysconfig/iptables
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

image.png

十九敢伸、實際生產(chǎn)用法

默認是拒絕 去電影院
逛公園
1. ssh可以連接進來
[root@m01 ~]# iptables -F
[root@m01 ~]# iptables -X
[root@m01 ~]# iptables -Z
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@m01 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.設(shè)置允許本機lo**通訊規(guī)則**
# 允許本機回環(huán)lo接口數(shù)據(jù)流量流出與流入
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
3. 配置默認規(guī)則及 放行 80 443端口
[root@m01 ~]# iptables -P INPUT DROP
[root@m01 ~]# iptables -P FORWARD DROP
[root@m01 ~]# iptables -P OUTPUT ACCEPT
[root@m01 ~]# iptables -A INPUT -m multiport -p tcp --dport 443,80 -j ACCEPT
[root@m01 ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 443,80
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@m01 ~]# iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
[root@m01 ~]# iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
[root@m01 ~]#
[root@m01 ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 443,80
ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
ACCEPT all -- 172.16.1.0/24 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@m01 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Wed Jul 24 23:42:00 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [24:3008]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,80 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.1.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed Jul 24 23:42:00 2019
[root@m01 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Tue Aug 20 16:31:56 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [52:5728]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.1.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Tue Aug 20 16:31:56 2019
# Generated by iptables-save v1.4.21 on Tue Aug 20 16:31:56 2019
*nat
:PREROUTING ACCEPT [11:1542]
:INPUT ACCEPT [9:1220]
:OUTPUT ACCEPT [10:670]
:POSTROUTING ACCEPT [10:670]
COMMIT
# Completed on Tue Aug 20 16:31:56 2019

二十扯饶、nat表

image.png

[root@m01 ~]# iptables -P INPUT ACCEPT
[root@m01 ~]# iptables -P FORWARD ACCEPT
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 443,80
ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
ACCEPT all -- 172.16.1.0/24 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
[root@m01 ~]# iptables -F
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

二十一、實現(xiàn)共享上網(wǎng)※※※※※

物理服務(wù)器/虛擬機
云服務(wù)器 ：

image.png

1. 防火墻配置

[root@m01 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source
10.0.0.61
[root@m01 ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@m01 ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_forward = 1
注意事項: 公網(wǎng)ip不固定: iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE

2. web配置

[root@web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.254
DNS1=223.5.5.5
GATEWAY=10.0.0.254
[root@web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
IPADDR=172.16.1.7
PREFIX=24
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.61
DNS1=1.2.4.8
[root@web01 ~]# systemctl restart network
[root@m01 ~]# ssh 172.16.1.7
Last login: Wed Jul 24 23:06:58 2019 from 10.0.0.1
[root@web01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default
qlen 1000
link/ether 00:0c:29:b2:e3:7e brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group
default qlen 1000
link/ether 00:0c:29:b2:e3:88 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feb2:e388/64 scope link
valid_lft forever preferred_lft forever
[root@web01 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=8.90 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=127 time=7.52 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=127 time=9.28 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=4 ttl=127 time=9.36 ms
^C
--- baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 7.528/8.769/9.364/0.746 ms
[root@web01 ~]# ping 1.2.4.8
PING 1.2.4.8 (1.2.4.8) 56(84) bytes of data.
64 bytes from 1.2.4.8: icmp_seq=1 ttl=127 time=76.4 ms
64 bytes from 1.2.4.8: icmp_seq=2 ttl=127 time=76.8 ms
^C
--- 1.2.4.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 76.440/76.637/76.834/0.197 ms

3. 完成后 在web01 發(fā)出 ip r和ping 外網(wǎng)ip的結(jié)果

[root@web01 ~]# ip r
default via 172.16.1.61 dev eth1
169.254.0.0/16 dev eth1 scope link metric 1003
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.7
[root@web01 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.1.61 0.0.0.0 UG 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
[root@web01 ~]# ping baidu.com
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=127 time=21.7 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=2 ttl=127 time=32.6 ms
^C
--- baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 21.781/27.214/32.647/5.433 ms

二十二池颈、 實現(xiàn)端口轉(zhuǎn)發(fā)※※※※※

image.png

image.png

[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -p tcp --dport 9000 -j
DNAT --to-destination 172.16.1.7:22
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000
to:172.16.1.7:22
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61
測試與檢查:
本地shell中
[d:\~]$ ssh root@10.0.0.61 9000

二十三尾序、實現(xiàn)ip映射

ip a add 10.0.0.62/24 dev eth0 label eth0:0
[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.62 -j DNAT --to-destination
172.16.1.7
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000
to:172.16.1.7:22
DNAT all -- 0.0.0.0/0 10.0.0.62 to:172.16.1.7
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61

二十四、補充資料:
面試題:讓1個服務(wù)開機自啟動 有什么方法 http://www.reibang.com/p/fc26d73fe050
【不會別做運維了】CentOS 6 VS 7 區(qū)別 http://www.reibang.com/p/d6d9a49e95c9
二十五躯砰、總結(jié)

4表五鏈 及 執(zhí)行過程
防火墻執(zhí)行過程
案例：
企業(yè)防火墻實現(xiàn)：屏蔽
nat規(guī)則
共享上網(wǎng)
端口映射/轉(zhuǎn)發(fā)

練習題:
【面試題】老男孩教育防火墻企業(yè)面試題iptalbes
http://www.reibang.com/p/19422676b854
二十六每币、面試題
5、請寫出查看iptables當前所有規(guī)則的命令琢歇。

iptables-save
iptables -nL
iptables -nL -t nat

6兰怠、禁止來自10.0.0.188 ip地址訪問80端口的請求

iptables -I INPUT -s 10.0.0.188 -p tcp --dport 80 -j DROP

7梦鉴、如何使在命令行執(zhí)行的iptables規(guī)則永久生效？

cp /etc/sysconfig/iptables{,.bak.$(date +%F)}
iptables-save >/etc/sysconfig/iptables
/etc/sysconfig/iptables

8揭保、實現(xiàn)把訪問10.0.0.3:80的請求轉(zhuǎn)到172.16.1.17:80

iptables -t nat -A PREROUTING -d 10.0.0.3 -p tcp --dport 80 -j DNAT --todestination 172.16.1.17:80

9肥橙、實現(xiàn)172.16.1.0/24段所有主機通過124.32.54.26外網(wǎng)IP共享上網(wǎng)。

iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source
123.32.54.26
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT MASQUERADE

防火墻 筆試題 www.reibang.com/p/2180face8381
封掉/通過:ip或端口
下次:nat表
共享上網(wǎng)
端口轉(zhuǎn)發(fā)
二十七掖举、lnmt環(huán)境

java簡介
JAVA: LNMT(tomcat)
tomcat
resin
weblogic( 配合oracle)
PHP: LNMP LAMP

image.png

tomcat必備姿勢
tomcat apache-tomcat
jvm java virtual machine java虛擬機
代碼的可移植性 1份代碼 處處使用
占用內(nèi)存
jdk java development kit java開發(fā)環(huán)境
java命令
jvm
jdk
Oracle jdk
openjdk

二十八快骗、 tomcat環(huán)境搭建

web01 eth0
1. jdk
#man bash
#PATH 存放命令的路徑
## ls
cat >>/etc/profile <<'EOF'
export JAVA_HOME=/application/jdk
export PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$JAVA_HOME/lib/tools.jar
EOF
. /etc/profile
[root@web01 ~]# mkdir -p /application
[root@web01 application]# tar xf jdk-8u60-linux-x64.tar.gz -C /application/
[root@web01 application]# ln -s /application/jdk1.8.0_60/ /application/jdk
[root@web01 application]# java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
2. tomcat
[root@web01 application]# tar xf apache-tomcat-8.0.27.tar.gz
[root@web01 application]# ll
總用量 185908
drwxr-xr-x 9 root root 160 8月 20 19:16 apache-tomcat-8.0.27
-rw-r--r-- 1 root root 9128610 10月 5 2015 apache-tomcat-8.0.27.tar.gz
lrwxrwxrwx 1 root root 25 8月 20 19:11 jdk -> /application/jdk1.8.0_60/
drwxr-xr-x 8 10 143 255 8月 5 2015 jdk1.8.0_60
-rw-r--r-- 1 root root 181238643 10月 5 2015 jdk-8u60-linux-x64.tar.gz
[root@web01 application]# ln -s /application/apache-tomcat-8.0.27
/application/tomcat
[root@web01 application]# ll /application/
總用量 185908
drwxr-xr-x 9 root root 160 8月 20 19:16 apache-tomcat-8.0.27
-rw-r--r-- 1 root root 9128610 10月 5 2015 apache-tomcat-8.0.27.tar.gz
lrwxrwxrwx 1 root root 25 8月 20 19:11 jdk -> /application/jdk1.8.0_60/
drwxr-xr-x 8 10 143 255 8月 5 2015 jdk1.8.0_60
-rw-r--r-- 1 root root 181238643 10月 5 2015 jdk-8u60-linux-x64.tar.gz
lrwxrwxrwx 1 root root 33 8月 20 19:16 tomcat -> /application/apache-tomcat8.0.27
[root@web01 application]# mv *.tar.gz /tmp/
[root@web01 application]# ll
總用量 0
drwxr-xr-x 9 root root 160 8月 20 19:16 apache-tomcat-8.0.27
lrwxrwxrwx 1 root root 25 8月 20 19:11 jdk -> /application/jdk1.8.0_60/
drwxr-xr-x 8 10 143 255 8月 5 2015 jdk1.8.0_60
lrwxrwxrwx 1 root root 33 8月 20 19:16 tomcat -> /application/apache-tomcat-8.0.27
[root@web01 application]# /application/tomcat/bin/version.sh
Using CATALINA_BASE: /application/tomcat
Using CATALINA_HOME: /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME: /application/jdk
Using CLASSPATH:
/application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Server version: Apache Tomcat/8.0.27
Server built: Sep 28 2015 08:17:25 UTC
Server number: 8.0.27.0
OS Name: Linux
OS Version: 3.10.0-957.5.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_60-b27
JVM Vendor: Oracle Corporation
[root@web01 application]# #9.x 8.5 8.0
3. 啟動與管理
startup.sh 啟動
shutdown.sh 關(guān)閉
catalina.sh 核心腳本
PRG="$0"
PRGDIR=`dirname "$PRG"` #dirname 路徑
#[root@web01 ~]# dirname /etc/sysconfig/iptables-config
#/etc/sysconfig
#[root@web01 ~]# basename /etc/sysconfig/iptables-config
#iptables-config
EXECUTABLE=catalina.sh
exec "$PRGDIR"/"$EXECUTABLE" start "$@"
#/application/tomcat/bin/catalina.sh start
[root@web01 bin]# /application/tomcat/bin/startup.sh
Using CATALINA_BASE: /application/tomcat
Using CATALINA_HOME: /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME: /application/jdk
Using CLASSPATH:
/application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.
[root@web01 bin]# ss -lntup |grep tomcat
[root@web01 bin]# ss -lntup |grep java
tcp LISTEN 0 100 :::8009 :::*
users:(("java",pid=12137,fd=51))
tcp LISTEN 0 100 :::8080 :::*
users:(("java",pid=12137,fd=46))
tcp LISTEN 0 1 ::ffff:127.0.0.1:8005 :::*
users:(("java",pid=12137,fd=68))
[root@web01 bin]# ps -ef |grep java
root 12137 1 5 19:26 pts/2 00:00:03 /application/jdk/bin/java -
Djava.util.logging.config.file=/application/tomcat/conf/logging.properties -
Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -
Djava.endorsed.dirs=/application/tomcat/endorsed -classpath
/application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar -
Dcatalina.base=/application/tomcat -Dcatalina.home=/application/tomcat -
Djava.io.tmpdir=/application/tomcat/temp org.apache.catalina.startup.Bootstrap start
root 12182 11916 0 19:27 pts/2 00:00:00 grep --color=auto java
/application/jdk/bin/java
-Djava.util.logging.config.file=/application/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.endorsed.dirs=/application/tomcat/endorsed
-classpath /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat
-juli.jar
-Dcatalina.base=/application/tomcat
-Dcatalina.home=/application/tomcat
-Djava.io.tmpdir=/application/tomcat/temp org.apache.catalina.startup.Bootstrap
start

二十九、測試

image.png