2020-09-19

### 1. Reject pings from all hosts to the current host

```shell
# Show the current iptables rules on this system
[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# Add the rule
[root@centos8 ~]# iptables -A INPUT -p icmp -j REJECT
```

Verification (REJECT answers with an ICMP port-unreachable by default, which is why ping reports "Destination Port Unreachable" rather than silently timing out):

```shell
[root@centos7 ~]# ping 10.0.0.24
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
From 10.0.0.24 icmp_seq=1 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
^C
--- 10.0.0.24 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 10ms
```

### 2. This host can reach HTTP services on other machines, but other machines cannot reach this host

```shell
# Environment setup, this host
[root@centos8 ~]# iptables -F
[root@centos8 ~]# dnf install -y httpd
[root@centos8 ~]# echo "This is a test page,`date`!" > /var/www/html/index.html
[root@centos8 ~]# systemctl start httpd

# Environment setup, the other host: confirm it can reach this host first
[root@centos8-mini ~]# curl 10.0.0.24
This is a test page,Sat Sep 19 09:48:20 CST 2020!

# The other host also serves a test page of its own
[root@centos8-mini ~]# iptables -F
[root@centos8-mini ~]# dnf install -y httpd
[root@centos8-mini ~]# echo "Who travels for love finds a thousand miles not loger than one." > /var/www/html/index.html
[root@centos8-mini ~]# systemctl start httpd
```

```shell
# Add the rule on this host: reject inbound TCP to port 80
[root@centos8 ~]# iptables -A INPUT -p tcp --dport 80 -j REJECT

# Verification
[root@centos8 ~]# curl 10.0.0.23
Who travels for love finds a thousand miles not loger than one.
[root@centos8-mini ~]# curl 10.0.0.24
curl: (7) Failed to connect to 10.0.0.24 port 80: Connection refused
```

### 3. Limiting the maximum number of concurrent connections

當我們發(fā)現(xiàn)有 ip 惡意攻擊我們得時候,我們可以通過對防火墻設(shè)定規(guī)則來進行控制。所以我們可以

添加connlimit模塊來實現(xiàn)對最大并發(fā)的控制。

```shell
[root@centos8 ~]# iptables -F
[root@centos8 ~]# iptables -A INPUT -s 10.0.0.1 -j ACCEPT
[root@centos8 ~]# iptables -A INPUT -m connlimit --connlimit-above 8 -j REJECT
[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  284 17472 ACCEPT     all  --  *      *       10.0.0.1             0.0.0.0/0
  282 23688 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            #conn src/32 > 8 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Verification:

```shell
# The client launches 10 pings at the same time
[root@centos8-mini ~]# for i in {1..10}; do
> ping -c5 10.0.0.24 &
> done
[1] 1938
[2] 1939
[3] 1940
[4] 1941
[5] 1942
[6] 1943
[7] 1944
[8] 1945
[9] 1946
[10] 1947
[root@centos8-mini ~]# PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.355 ms
From 10.0.0.24 icmp_seq=1 Destination Port Unreachable
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.245 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.408 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=36.10 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.673 ms
From 10.0.0.24 icmp_seq=1 Destination Port Unreachable
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=1.97 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.274 ms
64 bytes from 10.0.0.24: icmp_seq=1 ttl=64 time=0.302 ms
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=2 Destination Port Unreachable
From 10.0.0.24 icmp_seq=3 Destination Port Unreachable
From 10.0.0.24 icmp_seq=4 Destination Port Unreachable
From 10.0.0.24 icmp_seq=5 Destination Port Unreachable

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 19ms
rtt min/avg/max/mdev = 36.962/36.962/36.962/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 15ms
rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 13ms
rtt min/avg/max/mdev = 0.408/0.408/0.408/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 11ms
rtt min/avg/max/mdev = 1.973/1.973/1.973/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +1 errors, 80% packet loss, time 14ms
rtt min/avg/max/mdev = 0.673/0.673/0.673/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 15ms
rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 17ms
rtt min/avg/max/mdev = 0.245/0.245/0.245/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 1 received, +3 errors, 80% packet loss, time 18ms
rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 0 received, +2 errors, 100% packet loss, time 14ms

--- 10.0.0.24 ping statistics ---
5 packets transmitted, 0 received, +1 errors, 100% packet loss, time 24ms
^C
[1]   Exit 1                  ping -c5 10.0.0.24
[2]   Done                    ping -c5 10.0.0.24
[3]   Done                    ping -c5 10.0.0.24
[4]   Done                    ping -c5 10.0.0.24
[5]   Exit 1                  ping -c5 10.0.0.24
[6]   Done                    ping -c5 10.0.0.24
[7]   Done                    ping -c5 10.0.0.24
[8]   Done                    ping -c5 10.0.0.24
[9]-  Done                    ping -c5 10.0.0.24
[10]+  Done                    ping -c5 10.0.0.24
```

### 4. Practical exercise

**Lab prerequisites:**

| Hostname | IP address | Role |
| ------ | ------------------------------------------------------------ | ------------- |
| A7 | 192.168.72.130 (host-only) on eth0 | Internet server |
| A8 | 192.168.72.128 (host-only) on eth1, 10.0.0.13 (NAT) on eth0; the NAT device has one IP facing the external network and one facing the internal network | Firewall / NAT device |
| B8 | 10.0.0.24 (NAT) on eth0 | LAN server |

**業(yè)務(wù)需求:**

現(xiàn)在我在外地出差使用A7互聯(lián)網(wǎng)主機,但是現(xiàn)在由于公司有業(yè)務(wù)需要我 ssh 鏈接到內(nèi)網(wǎng)、這時候

我就聯(lián)系我們公司同事在防火墻上配置相關(guān)規(guī)則讓我鏈接進公司內(nèi)網(wǎng)

##### 4.1 Simulating the scenario environment

```shell
# Host A7
[root@A7 ~]# hostname -I
192.168.72.130
[root@A7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=192.168.72.130
PREFIX=24
GATEWAY=192.168.72.128
ONBOOT=yes
[root@A7 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.72.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.72.128  0.0.0.0         UG    0      0        0 eth0

# Host A8
[root@A8 ~]# hostname -I
10.0.0.13 192.168.72.128
[root@A8 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NAME=eth1
BOOTPROTO=static
IPADDR=192.168.72.128
PREFIX=24
GATEWAY=
ONBOOT=yes
[root@A8 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    102    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     102    0        0 eth0
192.168.72.0    0.0.0.0         255.255.255.0   U     101    0        0 eth1

# Host B8
[root@B8 ~]# hostname -I
10.0.0.24
[root@B8 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.24
PREFIX=24
GATEWAY=10.0.0.13
DNS1=10.0.0.13
DNS2=114.114.114.114
ONBOOT=yes
```

##### 4.2 Testing whether the three hosts can reach each other

```shell
# A7
[root@A7 ~]# ping 10.0.0.24 -c1
PING 10.0.0.24 (10.0.0.24) 56(84) bytes of data.
64 bytes from 10.0.0.24: icmp_seq=1 ttl=63 time=1.21 ms

--- 10.0.0.24 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 1.219/1.219/1.219/0.000 ms

# B8
[root@B8 ~]# ping baidu.com -c1
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=128 time=16.10 ms

--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.994/16.994/16.994/0.000 ms

[root@B8 ~]# ping 192.168.72.130 -c1
PING 192.168.72.130 (192.168.72.130) 56(84) bytes of data.
64 bytes from 192.168.72.130: icmp_seq=1 ttl=63 time=0.475 ms

--- 192.168.72.130 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.475/0.475/0.475/0.000 ms
```

##### 4.3 Configuration to meet the business requirement

```shell
# Enable IP forwarding on A8
[root@A8 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@A8 ~]# sysctl -p
net.ipv4.ip_forward = 1

# Firewall rules on A8: forward only SSH (tcp/22) arriving from the
# 192.168.72.0/24 side plus its return traffic (source port 22 back to
# 192.168.72.0/24); reject all other forwarding. Rule order matters:
# -I puts the ACCEPT rules in front of the catch-all REJECT appended by -A.
[root@A8 ~]# iptables -A FORWARD -j REJECT
[root@A8 ~]# iptables -I FORWARD -s 192.168.72.0/24 -p tcp --dport 22 -j ACCEPT
[root@A8 ~]# iptables -I FORWARD 2 -d 192.168.72.0/24 -p tcp --sport 22 -j ACCEPT
[root@A8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 30 packets, 1776 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  3573 ACCEPT     tcp  --  *      *       192.168.72.0/24      0.0.0.0/0            tcp dpt:22
   17  4569 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.72.0/24      tcp spt:22
   30  2104 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 26 packets, 2148 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Verification:

```shell
[root@A7 ~]# ssh 10.0.0.24
ssh: connect to host 10.0.0.24 port 22: Connection timed out
[root@A7 ~]# ssh 10.0.0.24
The authenticity of host '10.0.0.24 (10.0.0.24)' can't be established.
RSA key fingerprint is 23:cf:76:41:d8:73:dc:36:e5:2e:70:b2:ef:f3:36:3a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.24' (RSA) to the list of known hosts.
root@10.0.0.24's password:
Last login: Sat Sep 19 15:45:12 2020 from 10.0.0.1
[root@B8 ~]# hostname -I
10.0.0.24
```
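To make the first-match semantics of the FORWARD chain in 4.3 concrete, here is an added Python model (not code from the original post) that evaluates constructed packets against the post's three rules and against a stateful variant that admits replies by conntrack state instead of by a source port of 22. The Packet and Rule classes, the sample packets and the stateful chain are assumptions of this example, not part of the post.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"   # what conntrack would report for this packet

@dataclass
class Rule:                      # models only the matchers this example needs
    target: str                  # ACCEPT or REJECT
    src: str = "0.0.0.0/0"       # -s
    dst: str = "0.0.0.0/0"       # -d
    proto: Optional[str] = None  # -p
    sport: Optional[int] = None  # --sport
    dport: Optional[int] = None  # --dport
    ctstate: Set[str] = field(default_factory=set)  # -m conntrack --ctstate

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.ctstate or p.state in self.ctstate))

def evaluate(chain, p: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# Rule order exactly as `iptables -vnL` printed it after -A, -I and -I FORWARD 2.
POST_CHAIN = [
    Rule("ACCEPT", src="192.168.72.0/24", proto="tcp", dport=22),
    Rule("ACCEPT", dst="192.168.72.0/24", proto="tcp", sport=22),
    Rule("REJECT"),
]
# Stateful variant (assumed, not from the post): replies are admitted only
# when conntrack already knows the flow, so a source port of 22 alone is not enough.
STATEFUL_CHAIN = [
    Rule("ACCEPT", src="192.168.72.0/24", proto="tcp", dport=22, ctstate={"NEW", "ESTABLISHED"}),
    Rule("ACCEPT", dst="192.168.72.0/24", ctstate={"ESTABLISHED", "RELATED"}),
    Rule("REJECT"),
]
```

Running both chains over an A7-to-B8 SSH connection, its reply, and an HTTP attempt gives the same verdicts; they differ only for a brand-new flow into 192.168.72.0/24 that merely carries source port 22, which the post's second rule lets through and the stateful chain rejects.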

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

友情鏈接更多精彩內(nèi)容