I. Set up the host firewall.
Open on the server: the web service, the vsftpd file service, the ssh remote login service, and ping requests.
1. Open the sshd service
Allow packets arriving at port 22 of the local host.
[root@stu13 ~]# iptables -A INPUT --destination 192.168.60.99 -p tcp --dport 22 -j ACCEPT
Allow packets leaving from port 22 of the local host
[root@stu13 ~]# iptables -A OUTPUT --source 192.168.60.99 -p tcp --sport 22 -j ACCEPT
Change the default policy to DROP. The aim is to first forbid all packets through the host's TCP/IP stack, and then open only the services on the specified ports.
[root@stu13 ~]# iptables -P INPUT DROP
[root@stu13 ~]# iptables -P OUTPUT DROP
For example:
[root@stu13 ~]# iptables -L -n -v
Chain INPUT (policy DROP 554 packets, 53329 bytes)  ----> packets are already being dropped by the policy
pkts bytes target prot opt in  out   source          destination
1162 60532 ACCEPT tcp  --  *   *     0.0.0.0/0       192.168.60.99       tcp dpt:22
  ^ packets matched by the rule
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in  out   source        destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in  out   source           destination
681 96248 ACCEPT tcp  --  *      *  192.168.60.99    0.0.0.0/0           tcp spt:22
2. Open the web service provided by this host:
Allow access to ports 80 and 443 on this host.
Allow packets arriving at port 80 of the local host
[root@stu13 ~]# iptables -A INPUT --dst 192.168.60.99 -p tcp --dport 80 -j ACCEPT
Allow packets leaving from port 80 of the local host
[root@stu13 ~]# iptables -A OUTPUT --src 192.168.60.99 -p tcp --sport 80 -j ACCEPT
Allow packets arriving at port 443 of the local host
[root@stu13 ~]# iptables -A INPUT --dst 192.168.60.99 -p tcp --dport 443 -j ACCEPT
Allow packets leaving from port 443 of the local host
[root@stu13 ~]# iptables -A OUTPUT --src 192.168.60.99 -p tcp --sport 443 -j ACCEPT
3. Let this host accept ping
Allow ICMP packets into this host
[root@stu13 ~]# iptables -A INPUT -p icmp -j ACCEPT
Allow ICMP packets out of this host
[root@stu13 ~]# iptables -A OUTPUT -p icmp -j ACCEPT
4. Open the passive-mode FTP service
Open port 21 for the control connection
Load the module: this is the module that connection-tracks the FTP server's data connections.
[root@stu13 httpd-2.4.9]# modprobe nf_conntrack_ftp
Check that it loaded successfully
[root@stu13 ~]# lsmod | grep "nf_conntrack_ftp"
nf_conntrack_ftp       10475  0
nf_conntrack           65428  3 nf_conntrack_ftp,nf_conntrack_ipv4,xt_
Allow TCP packets with destination port 21 into this host
[root@stu13 ~]# iptables -A INPUT --dst 192.168.60.99 -p tcp --dport 21 -m state --state NEW -j ACCEPT
Use the connection state tracking of iptables to follow the FTP server's data-transfer port. That is: as long as the packets carried on a newly opened data connection are related to a connection that is already established, those packets are allowed through.
[root@stu13 ~]# iptables -A INPUT --dst 192.168.60.99 -m state --state ESTABLISHED,RELATED -j ACCEPT
Outbound data
[root@stu13 ~]# iptables -A OUTPUT --src 192.168.60.99 -m state --state RELATED,ESTABLISHED -j ACCEPT
II. Test: do the services opened by the host firewall work?
1. PING test: this host pings another host
[root@stu13 ~]# ping -c 1 192.168.60.1
PING 192.168.60.1 (192.168.60.1) 56(84) bytes of data.
64 bytes from 192.168.60.1: icmp_seq=1 ttl=64 time=1.81 ms
--- 192.168.60.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 1.812/1.812/1.812/0.000 ms
Ping host 192.168.60.99 from Windows
D:\>ping 192.168.60.99
正在 Ping 192.168.60.99 具有 32 字节的数据:
来自 192.168.60.99 的回复: 字节=32 时间=2ms TTL=64
来自 192.168.60.99 的回复: 字节=32 时间<1ms TTL=64
192.168.60.99 的 Ping 统计信息:
数据包: 已发送 = 2，已接收 = 2，丢失 = 0 (0% 丢失)，
往返行程的估计时间(以毫秒为单位):
最短 = 0ms，最长 = 2ms，平均 = 1ms
2. Test the port 80 service
[root@nfs ~]# curl -eI http://192.168.60.99/index.html
This Server is OK...
3. Test the file server from Windows.
D:\>ftp 192.168.60.99
连接到 192.168.60.99。
220 (vsFTPd 2.2.2)
用户(192.168.60.99:(none)): ftp
331 Please specify the password.
密码:
230 Login successful.
ftp> get pub/inittab
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for pub/inittab (884 bytes).
226 Transfer complete.
ftp: 收到 884 字节，用时 0.00秒 884000.00千字节/秒。
ftp>
4. Test connecting to the ssh service
[root@nfs ~]# ssh 192.168.60.99
Last login: Mon Aug 18 17:51:20 2014
III. Analyze and optimize the firewall
After opening the specified services, the rules in the filter table are as follows:
[root@stu13 ~]# iptables --line-numbers -L -n -v
Chain INPUT (policy DROP 1911 packets, 223K bytes)
num   pkts bytes target   prot opt in   out  source        destination
1     7470  441K ACCEPT   tcp  --  *    *    0.0.0.0/0     192.168.60.99 tcp dpt:22
2       51  4545 ACCEPT   tcp  --  *    *    0.0.0.0/0     192.168.60.99 tcp dpt:80
3        1    60 ACCEPT   tcp  --  *    *    0.0.0.0/0     192.168.60.99 tcp dpt:443
4        4   288 ACCEPT   icmp --  *    *    0.0.0.0/0     0.0.0.0/0
5       12   624 ACCEPT   tcp  --  *    *    0.0.0.0/0     192.168.60.99 tcp dpt:21 state NEW
6      174  8122 ACCEPT   all  --  *    *    0.0.0.0/0     192.168.60.99 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 8 packets, 480 bytes)
num   pkts bytes target   prot opt in  out  source           destination
1     5761  701K ACCEPT   tcp  --  *   *    192.168.60.99    0.0.0.0/0     tcp spt:22
2       40  4522 ACCEPT   tcp  --  *   *    192.168.60.99    0.0.0.0/0     tcp spt:80
3        1    40 ACCEPT   tcp  --  *   *    192.168.60.99    0.0.0.0/0     tcp spt:443
4        4   288 ACCEPT   icmp --  *   *    0.0.0.0/0        0.0.0.0/0
5      328 22614 ACCEPT   all  --  *   *    192.168.60.99    0.0.0.0/0    state RELATED,ESTABLISHED
1. Optimization strategy: merge several rules into one.
(1) Use the multiport extension module to merge the port rules:
[root@stu13 httpd-2.4.9]# ll /lib/xtables-1.4.7/ | grep "multiport"
-rwxr-xr-x. 1 root root 10772 Feb 22  2013 libxt_multiport.so
[root@stu13 httpd-2.4.9]# iptables -I INPUT --dst 192.168.60.99 -p tcp -m multiport --dports 80,443,22 -j ACCEPT
[root@stu13 httpd-2.4.9]# iptables -D INPUT 2
[root@stu13 httpd-2.4.9]# iptables -D INPUT 2
[root@stu13 httpd-2.4.9]# iptables -D INPUT 2
[root@stu13 httpd-2.4.9]# iptables -I OUTPUT --src 192.168.60.99 -p tcp -m multiport --sports 80,443,22 -j ACCEPT
[root@stu13 httpd-2.4.9]# iptables -D OUTPUT 2
[root@stu13 httpd-2.4.9]# iptables -D OUTPUT 2
[root@stu13 httpd-2.4.9]# iptables -D OUTPUT 2
(2) View the filter table after merging the ports
[root@stu13 ~]# iptables --line-numbers -L -n -v
Chain INPUT (policy DROP 20 packets, 2060 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      813 49587 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       multiport dports 80,443,22
2        4   288 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       13   676 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:21 state NEW
4      196  9102 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.60.99       state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      165 21277 ACCEPT     tcp  --  *      *       192.168.60.99        0.0.0.0/0           multiport sports 80,443,22
2        4   288 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3      355 24153 ACCEPT     all  --  *      *       192.168.60.99        0.0.0.0/0           state RELATED,ESTABLISHED
2. Use the state tracking provided by iptables/netfilter to optimize the firewall;
iptables/netfilter provides a state tracking feature: the first packet of any connection is in the NEW state. If the same client re-establishes a connection before the timer for that entry in the state tracking table expires, iptables/netfilter also treats that connection as ESTABLISHED.
Usually there are far more connections in the ESTABLISHED state than in the NEW state, which means the packets carried by ESTABLISHED connections are usually far more numerous than those carried by NEW connections. When a packet passes through a chain, it is matched against the rules defined in that chain one by one, from top to bottom. If some characteristics of the packet, such as source IP, destination IP, source port, destination port, connection state, TCP flags, and so on, match a rule in the chain, the action after -j (such as DROP or ACCEPT) is executed. If the packet matches none of the rules in the chain it passes through, the default policy defined in iptables is applied. Since the firewall rules are defined by first denying everything (default policy DROP) and then allowing the packets of certain services through, and the packets of ESTABLISHED connections are usually safe and should be allowed through, while the chain has many rules to check and ESTABLISHED connections carry a lot of packets, how do we get those packets through the iptables/netfilter rule checks quickly?
(1) Given how the firewall matches packets against rules, packets carried by ESTABLISHED connections should pass the rule checks quickly; that is, as soon as connection tracking tells the firewall that a packet belongs to an ESTABLISHED connection, the packet is let through immediately. Method: put the rule that allows packets of ESTABLISHED connections at the very front of the chain, before all other rules.
(2) State detection is implemented by the connection tracking module. The connection tracking module maintains a tracking table in kernel memory that records the state of each connection, along with the timeout for connections in the ESTABLISHED state, how many connections can be tracked, how many connections are currently being tracked, and so on. Note: enable or disable connection tracking according to the actual application.
Number of connections the connection tracking module can track
[root@stu13 httpd-2.4.9]# cat /proc/sys/net/nf_conntrack_max
31928
Timeout for connections in the ESTABLISHED state
[root@stu13 /]# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
432000   approximately 5 days.
All currently tracked connections:
[root@stu13 httpd-2.4.9]# cat /proc/sys/net/netfilter/nf_conntrack_count
3
Note:
If we have enabled iptables/netfilter connection tracking, and the number of currently tracked connections has reached the upper limit the connection tracking module can track, and the tracked connections in the ESTABLISHED state have not yet expired, then subsequent new connections can only wait until some entry in the iptables/netfilter tracking table times out before they can pass through our firewall. The firewall's timeout for the ESTABLISHED state is 5 days, while the timeouts of our TCP connections in the various TCP states are all very short. So a large number of subsequent new connections end up being rejected, which shows up as connection timeouts to the server. Therefore adjusting these parameters according to the actual application is critical, and a busy server should not enable iptables/netfilter connection tracking at all.
The connection tracking feature of iptables/netfilter is implemented by the following extension module.
[root@stu13 httpd-2.4.9]# ll /lib/xtables-1.4.7/ | grep "state"
-rwxr-xr-x. 1 root root  5860 Feb 22  2013 libxt_state.so
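The exhaustion scenario described above (tracking table full, entries held for the long ESTABLISHED timeout) is easy to catch before it starts dropping new connections. The following check is an added example, not part of the original post; it reads the same /proc files shown above, and the function names and the 90% warning threshold are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a headroom check for the
# netfilter connection-tracking table. Paths are the ones the post reads;
# function names and the 90% threshold are assumptions of this example.

# Usage of the tracking table as an integer percentage.
# Arguments: current count, maximum. A zero or missing maximum yields 100,
# so a failed sysctl read is treated as "table full", never as "all clear".
conntrack_usage_pct() {
    count=${1:-0}; max=${2:-0}
    if [ "$max" -le 0 ]; then echo 100; return; fi
    echo $(( count * 100 / max ))
}

# Returns 0 when usage is below the threshold percent, 1 otherwise.
conntrack_usage_ok() {
    [ "$(conntrack_usage_pct "$1" "$2")" -lt "$3" ]
}

# The ESTABLISHED timeout (seconds) expressed in whole days: the longest
# time a silently dead session can keep occupying a tracking slot.
established_timeout_days() {
    echo $(( ${1:-0} / 86400 ))
}

# Live report on a Linux host with nf_conntrack loaded; does nothing
# elsewhere so the script stays runnable offline.
conntrack_report() {
    nf=/proc/sys/net/netfilter
    [ -r "$nf/nf_conntrack_count" ] || return 0
    [ -r /proc/sys/net/nf_conntrack_max ] || return 0
    [ -r "$nf/nf_conntrack_tcp_timeout_established" ] || return 0
    count=$(cat "$nf/nf_conntrack_count")
    max=$(cat /proc/sys/net/nf_conntrack_max)
    timeout=$(cat "$nf/nf_conntrack_tcp_timeout_established")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries ($pct%), ESTABLISHED timeout $(established_timeout_days "$timeout") days"
    if ! conntrack_usage_ok "$count" "$max" 90; then
        echo "WARNING: tracking table nearly full; NEW connections will be dropped once it fills" >&2
        return 1
    fi
}

# Stand-alone run: print the report and exit non-zero when headroom is low.
conntrack_report
```

Run it from cron or a monitoring agent and alert on a non-zero exit; the remedy is raising nf_conntrack_max or lowering nf_conntrack_tcp_timeout_established, as the note above says.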
Allow packets of ESTABLISHED connections destined for the specific ports through the TCP/IP stack, and put that rule at the very front of the chain, before all other rules.
INPUT chain
[root@stu13 httpd-2.4.9]# iptables -I INPUT 1 --dst 192.168.60.99 -p tcp -m multiport --dports 80,443,22 -m state --state ESTABLISHED,NEW -j ACCEPT
[root@stu13 httpd-2.4.9]# iptables -D INPUT 2
OUTPUT chain: allow packets of ESTABLISHED connections to leave this host, and put that rule at the very front of the chain.
[root@stu13 httpd-2.4.9]# iptables -I OUTPUT 1 --src 192.168.60.99 -p tcp -m multiport --sports 80,443,22 -m state --state ESTABLISHED -j ACCEPT
[root@stu13 ~]# iptables -D OUTPUT 2
After optimization with state detection:
[root@stu13 ~]# iptables --line-numbers -L -n -v
Chain INPUT (policy DROP 138 packets, 12760 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      760 49519 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       multiport dports 80,443,22 state NEW,ESTABLISHED
2       14  1128 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       18   936 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:21 state NEW
4      299 13853 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.60.99       state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1194  153K ACCEPT     tcp  --  *      *       192.168.60.99        0.0.0.0/0           multiport sports 80,443,22 state ESTABLISHED
2       14  1128 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3      465 30940 ACCEPT     all  --  *      *       192.168.60.99        0.0.0.0/0           state RELATED,ESTABLISHED
Analysis:
Packets of connections in the ESTABLISHED state will not cause problems, so there is no need to check their port any more; this speeds up packet inspection by iptables/netfilter. All packets of ESTABLISHED connections are allowed through.
So the first rule of the INPUT chain above is split as follows
[root@stu13 httpd-2.4.9]# iptables -I INPUT 1 --dst 192.168.60.99 -p tcp -m state --state ESTABLISHED -j ACCEPT
and the NEW-state check for packets destined for the specified ports is combined into one rule
[root@stu13 httpd-2.4.9]# iptables -I INPUT 2 --dst 192.168.60.99 -p tcp -m multiport --dports 80,443,21,22 -m state --state NEW -j ACCEPT
Modify the third rule
[root@stu13 httpd-2.4.9]# iptables -R INPUT 3 --dst 192.168.60.99 -m state --state RELATED -j ACCEPT
Delete
[root@stu13 httpd-2.4.9]# iptables -D INPUT 3
[root@stu13 httpd-2.4.9]# iptables -D INPUT 4
After the modification the INPUT chain becomes
[root@stu13 ~]# iptables --line-numbers -L -n -v
Chain INPUT (policy DROP 129 packets, 11581 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4793  374K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       state ESTABLISHED
2       35  1820 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       multiport dports 80,443,21,22 state NEW
3        7   364 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.60.99       state RELATED
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
.....
Analyze the OUTPUT chain
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3466  482K ACCEPT     tcp  --  *      *       192.168.60.99        0.0.0.0/0           multiport sports 80,443,22 state ESTABLISHED
2       22  1608 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3      547 36931 ACCEPT     all  --  *      *       192.168.60.99        0.0.0.0/0           state RELATED,ESTABLISHED
Analysis: as above, allow packets of ESTABLISHED connections through the TCP/IP stack without further checks. Modify rules 1 and 3 of the OUTPUT chain
Modify the first rule
[root@stu13 httpd-2.4.9]# iptables -R OUTPUT 1 --src 192.168.60.99 -p tcp -m state --state ESTABLISHED -j ACCEPT
Modify the third rule
[root@stu13 httpd-2.4.9]# iptables -R OUTPUT 3 --src 192.168.60.99 -m state --state RELATED -j ACCEPT
The OUTPUT chain rules after the modification are as follows:
[root@stu13 ~]# iptables --line-numbers -L -n -v
.....
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      794  148K ACCEPT     tcp  --  *      *       192.168.60.99        0.0.0.0/0           state ESTABLISHED
2       22  1608 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       192.168.60.99        0.0.0.0/0           state RELATED
After optimizing the rule table with port merging and iptables/netfilter state tracking:
[root@stu13 ~]# iptables --line-numbers -L -n -v
Chain INPUT (policy DROP 540 packets, 53525 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      225 10816 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       state ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       multiport dports 80,443,21,22 state NEW
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.60.99       state RELATED
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      194 27924 ACCEPT     tcp  --  *      *       192.168.60.99        0.0.0.0/0           state ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       192.168.60.99        0.0.0.0/0           state RELATED
3. Use user-defined chains to organize the iptables rules hierarchically:
If there are many firewall rules, writing them this way becomes messy and hard to read, and adding rules later becomes inconvenient. Since the traffic volume of each service differs, simply merging several ports into one rule is not ideal.
It is best to give each opened service its own user-defined chain. Then, when we later need to add or delete rules for a service, we only need to find the chain for that service and work there, which is very convenient. As follows:
(1) Define a chain for the http port 80 service
[root@stu13 ~]# iptables -t filter -N http_in
[root@stu13 ~]# iptables -A http_in -d 192.168.60.99 -p tcp --dport 80 -m state --state NEW -j ACCEPT
Have the INPUT chain call this chain
[root@stu13 ~]# iptables -I INPUT 2 -d 192.168.60.99 -p tcp --dport 80 -j http_in
If a packet matches none of the rules in the user-defined chain, return to the main INPUT chain
[root@stu13 httpd-2.4.9]# iptables -A http_in -j RETURN
(2) Define a chain for the https port 443 service
[root@stu13 ~]# iptables -t filter -N https_in
[root@stu13 ~]# iptables -A https_in -d 192.168.60.99 -p tcp --dport 443 -m state --state NEW -j ACCEPT
Call the user-defined chain
[root@stu13 httpd-2.4.9]# iptables -I INPUT 3 -d 192.168.60.99 -p tcp --dport 443 -j https_in
If a packet matches none of the rules in the user-defined chain, return to the main INPUT chain
[root@stu13 httpd-2.4.9]# iptables -A https_in -j RETURN
(3) Define a chain for the ssh service
[root@stu13 ~]# iptables -t filter -N ssh_in
[root@stu13 ~]# iptables -A ssh_in -d 192.168.60.99 -p tcp --dport 22 -m state --state NEW -j ACCEPT
Call this chain
[root@stu13 httpd-2.4.9]# iptables -I INPUT 4 -d 192.168.60.99 -p tcp --dport 22 -j ssh_in
If a packet matches none of the rules in the user-defined chain, return to the main INPUT chain
[root@stu13 httpd-2.4.9]# iptables -A ssh_in -j RETURN
(4) Define a chain for the vsftp file service
[root@stu13 ~]# iptables -t filter -N vsftp_in
[root@stu13 ~]# iptables -A vsftp_in -d 192.168.60.99 -p tcp --dport 21 -m state --state NEW -j ACCEPT
Call this chain
[root@stu13 httpd-2.4.9]# iptables -I INPUT 5 -d 192.168.60.99 -p tcp --dport 21 -j vsftp_in
If a packet matches none of the rules in the user-defined chain, return to the main INPUT chain
[root@stu13 httpd-2.4.9]# iptables -A vsftp_in -j RETURN
(5) Delete rule 6 of the INPUT chain (the merged-ports rule)
[root@stu13 httpd-2.4.9]# iptables -D INPUT 6
After switching to user-defined chains, the rule table is as follows:
[root@stu13 ~]# iptables --line-numbers -L -n -v
Chain INPUT (policy DROP 928 packets, 83409 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7351  435K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       state ESTABLISHED
2        6   312 http_in    tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:80
3        0     0 https_in   tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:443
4        2   104 ssh_in     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:22
5        2   104 vsftp_in   tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:21
6        8   416 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.60.99       state RELATED
7        8   672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 2 packets, 120 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5842  751K ACCEPT     tcp  --  *      *       192.168.60.99        0.0.0.0/0           state ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       192.168.60.99        0.0.0.0/0           state RELATED
3        8   672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
Chain http_in (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:80 state NEW
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain https_in (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:443 state NEW
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain ssh_in (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:22 state NEW
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain vsftp_in (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.60.99       tcp dpt:21 state NEW
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Note:
In the INPUT chain, adjust the order of http_in, https_in, ssh_in and vsftp_in according to the actual situation, i.e. how busy each service is, to optimize the efficiency of iptables/netfilter.
With the user-defined chains in place, the packet inspection flow is as shown in the figure below:
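The rule set that sections I and III arrive at, with the ESTABLISHED fast path first and one chain per service, is more safely deployed as one iptables-restore file than as a sequence of -I/-D commands that leave the host half-configured if one fails. The generator below is an added example, not the post's own commands; the chain names and rule order follow the post, while HOST_IP, the SERVICES list and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emit the optimized ruleset of
# section III in iptables-restore format so that the whole filter table is
# loaded atomically with `iptables-restore < rules.v4`. HOST_IP and the
# SERVICES list format are assumptions; chain names come from the post.

HOST_IP=${HOST_IP:-192.168.60.99}
# chain:port pairs, in the order INPUT should try them (busiest first)
SERVICES=${SERVICES:-"http_in:80 https_in:443 ssh_in:22 vsftp_in:21"}

gen_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    for svc in $SERVICES; do
        echo ":${svc%%:*} - [0:0]"      # user-defined chain, no policy
    done
    # Fast path first: most packets belong to ESTABLISHED sessions.
    echo "-A INPUT -d $HOST_IP -p tcp -m state --state ESTABLISHED -j ACCEPT"
    # Each service's traffic is handed to its own chain.
    for svc in $SERVICES; do
        echo "-A INPUT -d $HOST_IP -p tcp --dport ${svc##*:} -j ${svc%%:*}"
    done
    # RELATED covers the FTP data connections tracked by nf_conntrack_ftp.
    echo "-A INPUT -d $HOST_IP -m state --state RELATED -j ACCEPT"
    echo "-A INPUT -p icmp -j ACCEPT"
    echo "-A OUTPUT -s $HOST_IP -p tcp -m state --state ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -s $HOST_IP -m state --state RELATED -j ACCEPT"
    echo "-A OUTPUT -p icmp -j ACCEPT"
    for svc in $SERVICES; do
        chain=${svc%%:*}; port=${svc##*:}
        echo "-A $chain -d $HOST_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
        echo "-A $chain -j RETURN"      # no match: back to INPUT, which ends in DROP
    done
    echo "COMMIT"
}

# Checks to run before loading the file.
# The ESTABLISHED fast path must be the first INPUT rule, otherwise every
# packet of a long-lived session walks the service chains again.
established_is_first() {
    gen_ruleset | grep '^-A INPUT' | head -n 1 | grep -q 'state ESTABLISHED'
}
# Number of INPUT rules a packet can traverse at most (the chain's depth).
input_rule_count() {
    gen_ruleset | grep -c '^-A INPUT'
}

if [ "${1:-}" = "--print" ]; then gen_ruleset; fi
```

Like the post's final table, this OUTPUT chain has no rule for NEW outbound TCP or for UDP, so the host itself cannot open connections (DNS lookups, package updates); add explicit rules for those before deploying. Loopback traffic other than ICMP is also dropped, since nothing matches 127.0.0.1.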
IV. Test whether the optimized firewall policy works:
1. Test the http port 80 service
[root@nfs ~]# curl http://192.168.60.99/index.html
This Server is OK...
2. Test the ssh service
[root@nfs ~]# ssh 192.168.60.99
Last login: Mon Aug 18 20:21:25 2014 from 192.168.60.88
3. Test the vsftp service
D:\>ftp 192.168.60.99
连接到 192.168.60.99。
220 (vsFTPd 2.2.2)
用户(192.168.60.99:(none)): ftp
331 Please specify the password.
密码:
230 Login successful.
ftp> get pub/inittab
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for pub/inittab (884 bytes).
226 Transfer complete.
ftp: 收到 884 字节，用时 0.07秒 12.63千字节/秒。
ftp>
4. Test ping
(1) ping this host
D:\>ping 192.168.60.99
正在 Ping 192.168.60.99 具有 32 字节的数据:
来自 192.168.60.99 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.60.99 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.60.99 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.60.99 的回复: 字节=32 时间<1ms TTL=64
192.168.60.99 的 Ping 统计信息:
数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，
往返行程的估计时间(以毫秒为单位):
最短 = 0ms，最长 = 1ms，平均 = 0ms
(2) This host pings another host
[root@stu13 ~]# ping -c 1 192.168.60.88
PING 192.168.60.88 (192.168.60.88) 56(84) bytes of data.
64 bytes from 192.168.60.88: icmp_seq=1 ttl=64 time=0.590 ms
--- 192.168.60.88 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 0.590/0.590/0.590/0.000 ms
(3) Loopback address
[root@stu13 ~]# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.375 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.375/0.375/0.375/0.000 ms