iptables
iptables is the user-space tool that writes rules to the five hook points in the kernel; it helps us generate those rules. An iptables command is made up of match conditions followed by the action to take on the packets that match.
Match conditions come in two kinds:
- Basic match conditions
-s, check the packet's source IP address
-d, check the packet's destination IP address
-p, check the packet's protocol
-i, the interface the packet arrived on
-o, check the interface the packet leaves through
- Extended match conditions
Implicit extensions: when -p names a particular protocol, the extension module that provides that protocol's extra matches does not also have to be named with -m
Explicit extensions: the extension module to be used must be named with the -m option
The explicit extension matches used here are seven: multi-port matching, address-range matching, connection tracking, string matching, time matching, concurrent-connection limiting and packet-state matching, all applied to the packets that visitors send to this host.
環(huán)境配置
提供服務(wù)器的主機(jī):192.168.10.10
遠(yuǎn)程訪問(wèn)的主機(jī):192.168.10.11
現(xiàn)在服務(wù)器上iptables規(guī)則是空的
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
服務(wù)端安裝軟件包來(lái)測(cè)試
[root@localhost ~]# yum -y install httpd telnet-server samba tftp-server vsftpd mariadb-server
配置服務(wù)端iptables規(guī)則
[root@localhost ~]# iptables -A INPUT -d 192.168.10.10 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -s 192.168.10.10 -p tcp --sport 22 -j ACCEPT
#Allow SSH connections first
[root@localhost ~]# iptables -A INPUT -i ens33 -j REJECT
[root@localhost ~]# iptables -A OUTPUT -o ens33 -j REJECT
#Reject all other connections through the server's network interface
[root@localhost ~]# iptables -I OUTPUT 2 -s 192.168.10.10 -p icmp --icmp-type 8 -j ACCEPT
[root@localhost ~]# iptables -I INPUT 2 -d 192.168.10.10 -p icmp --icmp-type 0/0 -j ACCEPT
#放行服務(wù)器ping外部主機(jī)的報(bào)文
現(xiàn)在服務(wù)器的iptables規(guī)則如下:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2090 187K ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 tcp dpt:22
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
3 15 1533 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1524 301K ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 tcp spt:22
2 0 0 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
3 49 4080 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reje
1. multiport, multi-port matching
Start the http and samba services on the server; ports 80, 139 and 445 are now listening
[root@localhost ~]# systemctl start httpd.service nmb.service smb.service
[root@localhost ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:139 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 50 *:445 *:*
LISTEN 0 50 :::139 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 50 :::445 :::*
[root@localhost ~]# vim /var/www/html/index.html
<h1>Hello world!</h1>
#創(chuàng)建web首頁(yè)
此時(shí)用瀏覽器訪問(wèn)不成功,httpd服務(wù)雖然開(kāi)了舍哄,但是防火墻不允許
配置iptables開(kāi)放各個(gè)服務(wù)端口
[root@localhost ~]# iptables -I INPUT -d 192.168.10.10 -p udp --dport 137:138 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.10.10 -p udp --sport 137:138 -j ACCEPT
#開(kāi)放samba名稱解析服務(wù)
[root@localhost ~]# iptables -R INPUT 2 -d 192.168.10.10 -p tcp -m multiport --dports 22,80,139,445 -j ACCEPT
[root@localhost ~]# iptables -R OUTPUT 2 -s 192.168.10.10 -p tcp -m multiport --sports 22,80,139,445 -j ACCEPT
#Replace rule 2 so that it also opens ports 80, 139 and 445; httpd and samba are now both allowed through the firewall
The iptables rules are now:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 12 packets, 1248 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138
2 177 16504 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22,80,139,445
3 4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
4 41 4466 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1248 bytes)
num pkts bytes target prot opt in out source destination
1 10 1134 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 udp spts:137:138
2 11 1364 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 multiport sports 22,80,139,445
3 4 336 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
4 181 15197 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Access from the browser now succeeds
The client can now connect to the server's samba service
[root@localhost ~]# smbclient -L 192.168.10.10
Enter SAMBA\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
myfiles Disk A test shared dir.
IPC$ IPC IPC Service (Samba Server Version 4.7.1)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
MYGROUP
2. iprange, IP range matching
[root@localhost ~]# useradd centos
[root@localhost ~]# echo 112233 | passwd --stdin centos
#Add an account and set its password
[root@localhost ~]# systemctl start telnet.socket
#Start the telnet service
[root@localhost ~]# ss -tnl | grep 23
LISTEN 0 128 :::23 :::*
#Port 23 of the telnet service is listening
Add rules allowing an IP range to connect to port 23
[root@localhost ~]# iptables -I INPUT 3 -d 192.168.10.10 -p tcp --dport 23 -m iprange --src-range 192.168.10.10-192.168.10.12 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT 3 -s 192.168.10.10 -p tcp --sport 23 -m iprange --dst-range 192.168.10.10-192.168.10.12 -j ACCEPT
此時(shí)iptables規(guī)則:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 8 packets, 832 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138
2 898 76002 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22,80,139,445
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 tcp dpt:23 source IP range 192.168.10.10-192.168.10.12
4 4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
5 61 6697 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 832 bytes)
num pkts bytes target prot opt in out source destination
1 28 2892 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 udp spts:137:138
2 504 61425 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 multiport sports 22,80,139,445
3 0 0 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 tcp spt:23 destination IP range 192.168.10.10-192.168.10.12
4 4 336 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
5 261 21265 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Telnet from 192.168.10.11 to the server connects normally
[root@localhost ~]# telnet 192.168.10.10
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
Kernel 3.10.0-693.el7.x86_64 on an x86_64
localhost login: centos
Password:
[centos@localhost ~]$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.10 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::48ce:e732:4093:e240 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:bb:9e txqueuelen 1000 (Ethernet)
RX packets 12605 bytes 11697499 (11.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6849 bytes 845935 (826.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 330 bytes 32456 (31.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 330 bytes 32456 (31.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Connecting from 192.168.10.13, a host outside the range configured on the server, fails
[root@localhost ~]# telnet 192.168.10.10
Trying 192.168.10.10...
telnet: connect to address 192.168.10.10: Connection timed out
3. time, matching the times at which network access is allowed
Open the time-synchronisation ports: 323 is used by the client-side sync, 123 by synchronisation with the ntp command
[root@localhost ~]# iptables -I OUTPUT 4 -s 192.168.10.10 -p udp -m multiport --dports 123,323 -j ACCEPT
[root@localhost ~]# iptables -I INPUT 4 -d 192.168.10.10 -p udp -m multiport --sports 123,323 -j ACCEPT
Configure the times at which the allowed IP range may connect
[root@localhost ~]# iptables -R INPUT 3 -d 192.168.10.10 -p tcp --dport 23 -m iprange --src-range 192.168.10.10-192.168.10.12 -m time --timestart 12:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j ACCEPT
[root@localhost ~]# iptables -R OUTPUT 3 -s 192.168.10.10 -p tcp --sport 23 -m iprange --dst-range 192.168.10.10-192.168.10.12 -m time --timestart 12:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j ACCEPT
#Access is allowed Monday to Friday from 12:00 to 16:00 and all day on Saturday and Sunday; --kerneltz evaluates the match using the kernel's time zone
The rules are now:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138
2 1922 158K ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22,80,139,445
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 tcp dpt:23 source IP range 192.168.10.10-192.168.10.12 TIME from 12:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
4 27 2052 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 multiport sports 123,323
5 4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
6 104 11233 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 55 5529 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 udp spts:137:138
2 1216 146K ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 multiport sports 22,80,139,445
3 0 0 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 tcp spt:23 destination IP range 192.168.10.10-192.168.10.12 TIME from 12:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
4 31 2356 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 multiport dports 123,323
5 4 336 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
6 338 27293 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Connecting from a host inside the range fails too, because the time here has not reached 12:00 yet
[root@localhost ~]# telnet 192.168.10.10
Trying 192.168.10.10...
telnet: connect to address 192.168.10.10: Connection timed out
把時(shí)間改為10點(diǎn)至16點(diǎn)卤恳,我這現(xiàn)在時(shí)間是11點(diǎn)
[root@localhost ~]# iptables -R OUTPUT 3 -s 192.168.10.10 -p tcp --sport 23 -m iprange --dst-range 192.168.10.10-192.168.10.12 -m time --timestart 10:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j ACCEPT
[root@localhost ~]# iptables -R INPUT 3 -d 192.168.10.10 -p tcp --dport 23 -m iprange --src-range 192.168.10.10-192.168.10.12 -m time --timestart 10:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j ACCEPT
The connection and login succeed
[root@localhost ~]# telnet 192.168.10.10
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
Kernel 3.10.0-693.el7.x86_64 on an x86_64
localhost login: centos
Password:
Last login: Wed Jun 27 22:44:22 from ::ffff:192.168.10.11
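To make the two conditions on the telnet rule concrete, here is an added Python model (not code from this page, and not anything iptables itself runs) of how `-m iprange --src-range` and `-m time --timestart/--timestop/--weekdays` are evaluated together; the helper names, the sample timestamps and the wrap-around window are constructed for illustration. Two details the failures above turn on: every condition on a rule is ANDed, and the time match only matches on the listed weekdays, so on a Saturday this rule does not match at all and the packet simply falls through to the REJECT rule that follows it. Also, without --kerneltz the kernel compares against UTC, so the wall-clock time handed to the model must be in the zone the rule is evaluated in.

```python
# Added example: model of `-m iprange --src-range` and `-m time` as used by the
# telnet rule in this section. Not code from the page; illustrative only.
from datetime import datetime, time
import ipaddress

SERVER = "192.168.10.10"                       # server address from the page


def in_src_range(src_ip: str, first: str, last: str) -> bool:
    """iprange compares addresses as integers; both ends of the range are inclusive."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return lo <= int(ipaddress.ip_address(src_ip)) <= hi


def time_matches(when: datetime, start: time, stop: time, weekdays) -> bool:
    """xt_time semantics: the weekday must be in the listed set (1=Mon .. 7=Sun,
    the same numbering as isoweekday) and the time of day must lie in
    [start, stop] inclusive; when start > stop the window wraps past midnight.
    `when` must already be in the zone the rule is evaluated in: with --kerneltz
    that is the kernel's zone, without it the kernel compares against UTC."""
    if when.isoweekday() not in weekdays:
        return False
    t = when.time()
    if start <= stop:
        return start <= t <= stop
    return t >= start or t <= stop                 # e.g. 22:00 to 02:00


def telnet_rule_matches(src_ip: str, when_iso: str,
                        start: str = "12:00:00", stop: str = "16:00:00",
                        weekdays=frozenset({1, 2, 3, 4, 5}),
                        src_range=("192.168.10.10", "192.168.10.12"),
                        dst_ip: str = SERVER, dport: int = 23) -> bool:
    """Every condition on the rule is ANDed; True means its ACCEPT fires.
    False does not reject anything by itself: the packet goes on to the next
    rule, which on this page is the trailing REJECT."""
    when = datetime.fromisoformat(when_iso)
    return (dst_ip == SERVER and dport == 23
            and in_src_range(src_ip, *src_range)
            and time_matches(when, time.fromisoformat(start),
                             time.fromisoformat(stop), weekdays))


if __name__ == "__main__":
    # Constructed timestamp: Wednesday 27 June 2018, 11:00, the page's situation
    print(telnet_rule_matches("192.168.10.11", "2018-06-27T11:00:00"))                   # False
    print(telnet_rule_matches("192.168.10.11", "2018-06-27T11:00:00", "10:00:00", "16:00:00"))  # True
    print(telnet_rule_matches("192.168.10.11", "2018-06-30T13:00:00", "10:00:00", "16:00:00"))  # False: Saturday
```

The third call is the case the comment on the rule glosses over: on a weekend the rule does not match, so whether weekend access is allowed is decided by the rules after it, not by this one.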
4. string, string matching
Configure it so that when a web page contains the sensitive string apple, the response is not delivered to the user
[root@localhost ~]# vim /var/www/html/test.html
hi apple,how are you!
[root@localhost ~]# iptables -I OUTPUT -s 192.168.10.10 -m string --algo kmp --string "apple" -j REJECT
#配置規(guī)則禁止apple字符串
iptables規(guī)則如下:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138
2 2915 236K ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22,80,139,445
3 190 10244 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 tcp dpt:23 source IP range 192.168.10.10-192.168.10.12 TIME from 10:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
4 61 4636 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 multiport sports 123,323
5 4 336 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
6 185 18276 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 544 205K REJECT all -- * * 192.168.10.10 0.0.0.0/0 STRING match "apple" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
2 73 7287 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 udp spts:137:138
3 1876 231K ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 multiport sports 22,80,139,445
4 108 6159 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 tcp spt:23 destination IP range 192.168.10.10-192.168.10.12 TIME from 10:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
5 65 4940 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 multiport dports 123,323
6 4 336 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
7 410 33565 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
此時(shí)用瀏覽器訪問(wèn)test.html不能訪問(wèn)
5. connlimit突琳,單ip的并發(fā)連接數(shù)限制
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# mysql
MariaDB [(none)]> CREATE USER 'test'@'192.168.%.%' IDENTIFIED BY '112233';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
[root@localhost ~]# vim /etc/my.cnf.d/server.cnf
[mysqld]
skip_name_resolve=ON
[root@localhost ~]# systemctl restart mariadb.service
[root@localhost ~]# iptables -I INPUT 2 -s 192.168.10.0/24 -d 192.168.10.10 -p tcp --dport 3306 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT 2 -d 192.168.10.0/24 -s 192.168.10.10 -p tcp --sport 3306 -j ACCEPT
#添加規(guī)則放行3306
iptables默認(rèn)規(guī)則是黑名單,配置mysql連接數(shù)小于或等于2是允許訪問(wèn)
[root@localhost ~]# iptables -R INPUT 2 -s 192.168.10.0/24 -d 192.168.10.10 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
#Only the inbound rule needs changing, not the outbound one: once inbound connections are limited there are naturally no extra outbound packets
The iptables rules:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138
2 0 0 ACCEPT tcp -- * * 192.168.10.0/24 192.168.10.10 tcp dpt:3306 #conn src/32 <= 2
3 1453 112K ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22,80,139,445
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 tcp dpt:23 source IP range 192.168.10.10-192.168.10.12 TIME from 10:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
5 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 multiport sports 123,323
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
7 7 942 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 192.168.10.10 0.0.0.0/0 STRING match "apple" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
2 7 554 ACCEPT tcp -- * * 192.168.10.10 192.168.10.0/24 tcp spt:3306
3 0 0 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 udp spts:137:138
4 978 117K ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 multiport sports 22,80,139,445
5 0 0 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 tcp spt:23 destination IP range 192.168.10.10-192.168.10.12 TIME from 10:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
6 0 0 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 multiport dports 123,323
7 0 0 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
8 4 352 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
同一個(gè)ip并發(fā)連接數(shù)據(jù)庫(kù)超過(guò)兩個(gè)時(shí),在新增的連接不成功
6. limit啊终,速率限制
這里的限制是指報(bào)文的發(fā)包速率限制镜豹。使用的是令牌桶算法,每拿一個(gè)令牌才能相應(yīng)的發(fā)一個(gè)報(bào)文蓝牲,而令牌按照固定頻率發(fā)放趟脂,在沒(méi)有報(bào)文發(fā)送的時(shí)候,會(huì)像桶一樣把令牌攢起來(lái)搞旭,在需要發(fā)送報(bào)文的時(shí)候會(huì)一次性把桶里的報(bào)文都發(fā)出去散怖,這就叫做令牌桶算法菇绵。
添加規(guī)則
[root@localhost ~]# iptables -I INPUT 6 -d 192.168.10.10 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT 6 -s 192.168.10.10 -p icmp --icmp-type 0 -j ACCEPT
iptables規(guī)則:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138
2 39 2688 ACCEPT tcp -- * * 192.168.10.0/24 192.168.10.10 tcp dpt:3306 #conn src/32 <= 2
3 1936 147K ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22,80,139,445
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 tcp dpt:23 source IP range 192.168.10.10-192.168.10.12 TIME from 10:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
5 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 multiport sports 123,323
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 8 limit: avg 20/min burst 5
7 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.10.10 icmptype 0 code 0
8 19 2537 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 192.168.10.10 0.0.0.0/0 STRING match "apple" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
2 35 2960 ACCEPT tcp -- * * 192.168.10.10 192.168.10.0/24 tcp spt:3306
3 0 0 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 udp spts:137:138
4 1278 152K ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 multiport sports 22,80,139,445
5 0 0 ACCEPT tcp -- * * 192.168.10.10 0.0.0.0/0 tcp spt:23 destination IP range 192.168.10.10-192.168.10.12 TIME from 10:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri
6 0 0 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 0
7 0 0 ACCEPT udp -- * * 192.168.10.10 0.0.0.0/0 multiport dports 123,323
8 0 0 ACCEPT icmp -- * * 192.168.10.10 0.0.0.0/0 icmptype 8
9 11 968 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
另一臺(tái)主機(jī)發(fā)起ping請(qǐng)求肄渗,令牌桶用完后,3秒一個(gè)發(fā)包
7. state, packet state matching
state is a very important extension: based on connection tracking, it can see the state each packet is currently in. Whatever the protocol, when a client accesses for the first time the server looks in the tracking table in kernel memory for whether it has been here before; if nothing is found this is the first visit and it is recorded in the tracking table, and if it is found the rules are not checked again and access is allowed directly. This is the connection tracking mechanism. In very high-traffic scenarios, such as load-balancing servers, enabling it is not recommended: the tracking table can record at most sixty-odd thousand entries, and when the number of connections goes beyond that, new ones cannot be recorded, errors result and all connections fail.
There are five packet states:
NEW: the first packet of a connection
ESTABLISHED: an established connection
INVALID: a connection that cannot be identified
RELATED: an associated connection; the current connection is a new request but belongs to an existing connection
UNTRACKED: connection tracking has been turned off for it in the raw table
With this extension the rules can be written more concisely: whatever local service is requested, every packet after the NEW one is treated as fine, so the first inbound rule matches the ESTABLISHED state and accepts it, which greatly improves efficiency.
Configure the rules:
[root@localhost ~]# iptables -F
#Clear all previous rules
[root@localhost ~]# iptables -A INPUT -d 192.168.10.10 -p tcp -m multiport --dports 22:23,80,139,445,3306 -m state --state NEW -j ACCEPT
#NEW requests to TCP ports 22:23,80,139,445,3306 are all allowed
[root@localhost ~]# iptables -I INPUT -d 192.168.10.10 -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -s 192.168.10.10 -m state --state ESTABLISHED -j ACCEPT
#ESTABLISHED connections are allowed both inbound and outbound
[root@localhost ~]# iptables -I INPUT 2 -d 192.168.10.10 -p udp --dport 137:138 -m state --state NEW -j ACCEPT
#The first (NEW) access to UDP ports 137 and 138 is allowed
[root@localhost ~]# iptables -A INPUT -d 192.168.10.10 -j REJECT
[root@localhost ~]# iptables -A OUTPUT -d 192.168.10.10 -j REJECT
#Set the default rule to REJECT
The iptables rules:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 884 70044 ACCEPT all -- * * 0.0.0.0/0 192.168.10.10 state ESTABLISHED
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138 state NEW
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 22:23,80,139,445,3306 state NEW
4 0 0 REJECT all -- * * 0.0.0.0/0 192.168.10.10 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 519 53140 ACCEPT all -- * * 192.168.10.10 0.0.0.0/0 state ESTABLISHED
2 0 0 REJECT all -- * * 0.0.0.0/0 192.168.10.10 reject-with icmp-port-unreachable
測(cè)試以下四種服務(wù)都成功訪問(wèn)
[root@localhost ~]# smbclient -L 192.168.10.10
Enter SAMBA\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
myfiles Disk A test shared dir.
IPC$ IPC IPC Service (Samba Server Version 4.7.1)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
MYGROUP
[root@localhost ~]# telnet 192.168.10.10
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
Kernel 3.10.0-693.el7.x86_64 on an x86_64
localhost login: centos
Password:
Last login: Wed Jun 27 11:30:24 from ::ffff:192.168.10.11
[root@localhost ~]# mysql -utest -h192.168.10.10 -p112233
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
現(xiàn)在配置放行ftp服務(wù)
[root@localhost ~]# systemctl start vsftpd.service
[root@localhost ~]# ss -tnl | grep 21
LISTEN 0 32 :::21 :::*
#Port 21 is listening
[root@localhost ~]# modprobe nf_conntrack_ftp
#Load the ftp connection-tracking helper module
Modify the rules:
[root@localhost ~]# iptables -R INPUT 3 -d 192.168.10.10 -p tcp -m multiport --dports 21:23,80,139,445,3306 -m state --state NEW -j ACCEPT
#現(xiàn)在對(duì)規(guī)則改造下捎谨,添加21端口
[root@localhost ~]# iptables -R INPUT 1 -d 192.168.10.10 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Add RELATED
The iptables rules:
[root@localhost ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 12 940 ACCEPT all -- * * 0.0.0.0/0 192.168.10.10 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.10 udp dpts:137:138 state NEW
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.10 multiport dports 21:23,80,139,445,3306 state NEW
4 0 0 REJECT all -- * * 0.0.0.0/0 192.168.10.10 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1315 143K ACCEPT all -- * * 192.168.10.10 0.0.0.0/0 state ESTABLISHED
2 22 1628 REJECT all -- * * 0.0.0.0/0 192.168.10.10 reject-with icmp-port-unreachable
另一臺(tái)主機(jī)ftp登錄測(cè)試:
[root@localhost ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root):
530 Permission denied.
Login failed.
ftp> ls
#Anonymous login successful
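Added example for the state rules in this section and for the ftp RELATED change above (my model, not the page's or netfilter's code): a toy connection tracker that classifies each packet as NEW, ESTABLISHED or RELATED and then walks it through the final INPUT chain in rule order. Two simplifications are assumptions of the model: a flow counts as ESTABLISHED from its second packet in either direction (real conntrack waits for a reply packet), and the FTP helper only parses the PASV "227" reply (nf_conntrack_ftp also handles PORT and EPSV). The addresses are the page's; the ports, payloads and the constructed packet sequence are mine. The last packet shows why modprobe nf_conntrack_ftp and RELATED were needed: without them the passive data connection is NEW on an unlisted port and hits the REJECT rule.

```python
# Added example: toy connection tracker plus the page's final INPUT chain.
# Not the page's code and not netfilter's; a model of the NEW/ESTABLISHED/RELATED
# states and of what nf_conntrack_ftp's expectation does for passive FTP.
from dataclasses import dataclass
import re

SERVER = "192.168.10.10"      # addresses from the page
CLIENT = "192.168.10.11"

# Ports whose NEW connections the page's rules 2 and 3 accept; anything else
# that is NEW reaches rule 4, the REJECT.
NEW_TCP_PORTS = {21, 22, 23, 80, 139, 445, 3306}
NEW_UDP_PORTS = {137, 138}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": data port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def flow_key(pkt: Packet):
    """Direction-independent key so that a reply maps onto the same flow."""
    ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    return (pkt.proto,) + ends


class ConnTracker:
    """Assumption: a flow is ESTABLISHED from its second packet in either
    direction (real conntrack waits for a reply), and the FTP helper only
    parses PASV replies (nf_conntrack_ftp also handles PORT/EPSV)."""

    def __init__(self, ftp_helper: bool):
        self.flows = set()         # tracked flows
        self.expected = set()      # (proto, ip, port) registered by a helper
        self.ftp_helper = ftp_helper

    def classify(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.flows:
            state = "ESTABLISHED"
        elif (pkt.proto, pkt.dst, pkt.dport) in self.expected:
            state = "RELATED"                      # first packet of an expected flow
            self.expected.discard((pkt.proto, pkt.dst, pkt.dport))
        else:
            state = "NEW"
        self.flows.add(key)
        # The helper watches the control channel (server port 21) for a PASV
        # reply and registers the announced data port as an expectation.
        if self.ftp_helper and pkt.proto == "tcp" and pkt.sport == 21:
            m = PASV_RE.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
                self.expected.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        return state


def input_verdict(tracker: ConnTracker, pkt: Packet):
    """Walk the page's INPUT chain in rule order; return (state, verdict)."""
    state = tracker.classify(pkt)
    if pkt.dst != SERVER:
        return state, "POLICY"                     # no rule matches; chain policy applies
    if state in ("ESTABLISHED", "RELATED"):        # rule 1
        return state, "ACCEPT"
    if state == "NEW" and pkt.proto == "udp" and pkt.dport in NEW_UDP_PORTS:   # rule 2
        return state, "ACCEPT"
    if state == "NEW" and pkt.proto == "tcp" and pkt.dport in NEW_TCP_PORTS:   # rule 3
        return state, "ACCEPT"
    return state, "REJECT"                         # rule 4


def run_scenario(ftp_helper: bool):
    """Constructed packet sequence: telnet, an unlisted port, then passive FTP."""
    t = ConnTracker(ftp_helper)
    out = []
    out.append(input_verdict(t, Packet("tcp", CLIENT, 40001, SERVER, 23)))    # NEW, listed port
    out.append(input_verdict(t, Packet("tcp", CLIENT, 40001, SERVER, 23)))    # ESTABLISHED
    out.append(input_verdict(t, Packet("tcp", CLIENT, 40002, SERVER, 8080)))  # NEW, unlisted port
    out.append(input_verdict(t, Packet("tcp", CLIENT, 40003, SERVER, 21)))    # FTP control channel
    # The server's PASV reply leaves through OUTPUT; conntrack and the helper
    # see it there. 195*256 + 80 = port 50000.
    t.classify(Packet("tcp", SERVER, 21, CLIENT, 40003,
                      "227 Entering Passive Mode (192,168,10,10,195,80)"))
    out.append(input_verdict(t, Packet("tcp", CLIENT, 40004, SERVER, 50000))) # data channel
    return out


if __name__ == "__main__":
    for helper in (True, False):
        print("ftp helper loaded:", helper, run_scenario(helper))
```

Run it and compare the last element of the two lists: with the helper the data connection arrives as RELATED and is accepted by rule 1, without it the same packet is NEW on port 50000 and is rejected by rule 4, which is the difference between a login that works and a directory listing that works.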