Linux網絡安全技術與實現 (Linux Network Security: Technology and Implementation), usage notes

Two kinds of firewall: packet filtering and application-layer firewalls.
For fewer than 200 users, a packet-filtering firewall with 128 MB of RAM is enough.
Firewall layouts: single-host firewall, gateway firewall, transparent firewall.
Gateway firewall with a DMZ

Improved DMZ gateway firewall: adds NAT

Transparent firewall: the new-generation design, works as a network bridge

iptables core tables: filter, nat, mangle, raw
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT
INPUT = packets addressed to this host; OUTPUT = packets sent by this host; FORWARD = packets routed through this host
Rules in a chain are checked from top to bottom; the first matching rule decides.


iptables -L              list rules
iptables -F              flush (clear) the rules
iptables -A              append a new rule at the end of a chain
iptables -I              insert a new rule at a given position
iptables -R              replace an existing rule
iptables -D              delete an existing rule
iptables -t filter       select the filter table (the default)
iptables -t nat          select the nat table
iptables -t mangle       select the mangle table
iptables -t raw          select the raw table


iptables -t filter -L INPUT
iptables -t filter -F
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -P FORWARD DROP                  // default policy: do not forward
iptables -t filter -I INPUT 2 -p tcp -j ACCEPT      // insert as rule 2
iptables -t filter -R INPUT 2 -p tcp -j ACCEPT      // rule 2 is replaced
iptables -t filter -D INPUT 2                       // delete rule 2
iptables -A INPUT -p icmp -s <ip> -j DROP           // drop all ICMP from that IP to this host
// targets: DROP, ACCEPT, REJECT
iptables -A INPUT -p all -s 192.168.1.0/24 -d 192.168.0.1 -j ACCEPT



iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP


Single-host firewall example: INPUT chain

Connection-tracking states: ESTABLISHED, NEW, RELATED, INVALID
Example shell script (only available as an image in the original)


Gateway firewall: filter table
Simple gateway firewall shell script (only available as an image in the original)

NAT setup
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.1.0.200
If the public IP is not fixed, use MASQUERADE instead:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
Many-to-many NAT (SNAT to a range of public addresses):
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.1.0.200-10.1.0.205
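The gateway-firewall filter rules and the NAT rules above, combined into one reviewable ruleset; this is an added example, not the book's or the note's script. It assumes eth0 is the WAN side, eth1 the LAN 192.168.0.0/24 and 10.1.0.200 the fixed public address, and it emits iptables-restore text instead of calling iptables directly.

```shell
#!/bin/sh
# Added example (not from the book or the original note): build an
# iptables-restore ruleset for the gateway firewall sketched above.
# Assumptions: eth0 = WAN, eth1 = LAN 192.168.0.0/24, fixed public IP
# 10.1.0.200 (the addresses used in the note). "fixed" selects SNAT,
# any other argument selects MASQUERADE for a dynamic public address.
# Nothing is applied here: the output is text to review, then load
# with `iptables-restore < file` on the gateway.
gateway_ruleset() {
  mode="$1"
  wan=eth0; lan=eth1; lan_net=192.168.0.0/24; pub_ip=10.1.0.200
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections the gateway itself opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping allowed, but rate-limited as in the limit example
-A INPUT -p icmp -m limit --limit 6/m --limit-burst 10 -j ACCEPT
# return traffic for LAN clients, matched first because it is most of the traffic
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> WAN: only new TCP connections to the listed services, plus DNS
-A FORWARD -i $lan -o $wan -s $lan_net -p tcp --syn -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
  if [ "$mode" = fixed ]; then
    echo "-A POSTROUTING -o $wan -s $lan_net -j SNAT --to-source $pub_ip"
  else
    echo "-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE"
  fi
  echo COMMIT
}

# nat_mode MODE: report which NAT target the generated ruleset uses
nat_mode() {
  gateway_ruleset "$1" | awk '/-j SNAT/ {print "SNAT"} /-j MASQUERADE/ {print "MASQUERADE"}'
}

gateway_ruleset fixed
```

Because FORWARD defaults to DROP, any LAN service not in the multiport list is blocked until a rule is added for it.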


Do not allow anyone to access www.playboy.com
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d www.playboy.com -j DROP   // the hostname is resolved to its current addresses when the rule is added, not per packet
iptables -A INPUT -p icmp -j DROP
tcp-flags: --tcp-flags, match on TCP flag bits
--mac-source: match on the source MAC address
multiport: match several ports in one rule
iptables -A INPUT -p tcp --syn -m state --state NEW -m multiport --dports 21,22,23,99 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
-m owner --uid-owner jacky        // owner match: only valid in the OUTPUT and POSTROUTING chains
-m iprange --src-range 192.168.0.1-192.168.0.64    // example range; both ends must be complete IPv4 addresses
iprange: --src-range, --dst-range
-m ttl --ttl-eq 64
pkttype: -m pkttype (unicast, broadcast, multicast)
packet length: -m length --length <min>:<max>
limit: rate-limit the number of packets
iptables -A INPUT -p icmp -m limit --limit 6/m --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
recent: show the number of SSH password attempts
https://www.cnblogs.com/hiloves/archive/2011/07/19/2109899.html
recent: limit port 80 to 10 new connections per second; log and drop whatever exceeds the count (the rules below use a 60-second window)
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix 'DDOS:' --log-ip-options
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --set -j ACCEPT   // records the source in the webpool list; without a --set rule the list stays empty and the two --rcheck rules never match
recent
http://www.path8.net/tn/archives/5867
string: filter on packet payload contents (-m string)
connlimit: limit the number of parallel connections
connbytes: limit the volume transferred per connection
quota: e.g. allow only 500 MB of downloads per day
time: set the time window in which a rule is active
conntrack: the enhanced version of the state match
statistic: match packets randomly or every n-th packet
hashlimit: like limit, but with a separate bucket per source/destination
u32: match arbitrary bytes in the packet
User-defined chains
REJECT with a custom error message (--reject-with)
-j LOG: log matching packets
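An added example (not from the book or the note) for reading the output of the `-j LOG --log-prefix 'DDOS:'` rule in the recent section: it summarises which sources tripped the threshold on which port. The log lines are constructed sample data in the LOG target's KEY=VALUE format, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the book or the original note): summarise kernel
# log lines written by a `-j LOG --log-prefix 'DDOS:'` rule so the operator
# can see which sources hit the recent-module threshold.
# SAMPLE_LOG is constructed test data in the LOG target's field layout;
# the addresses come from documentation ranges and the second-to-last line
# is an unrelated sshd entry that must be ignored.
SAMPLE_LOG='Mar  1 10:00:01 gw kernel: DDOS:IN=eth0 OUT= SRC=203.0.113.5 DST=10.1.0.200 LEN=60 TTL=52 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Mar  1 10:00:01 gw kernel: DDOS:IN=eth0 OUT= SRC=203.0.113.5 DST=10.1.0.200 LEN=60 TTL=52 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
Mar  1 10:00:02 gw kernel: DDOS:IN=eth0 OUT= SRC=198.51.100.7 DST=10.1.0.200 LEN=60 TTL=48 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Mar  1 10:00:02 gw sshd[123]: Accepted publickey for jacky from 192.168.0.10
Mar  1 10:00:03 gw kernel: DDOS:IN=eth0 OUT= SRC=203.0.113.5 DST=10.1.0.200 LEN=60 TTL=52 PROTO=TCP SPT=51002 DPT=80 SYN URGP=0'

# top_log_sources PREFIX DPORT: count logged packets per SRC for one log
# prefix and destination port, most frequent first. Reads log text on stdin.
top_log_sources() {
  prefix="$1"; dport="$2"
  awk -v p="$prefix" -v d="$dport" '
    index($0, p) == 0 { next }            # only lines our LOG rule produced
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {         # fields are KEY=VALUE tokens
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt == d) n[src]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | top_log_sources 'DDOS:' 80
```

On a real gateway the input would be the kernel log (for example `journalctl -k` or /var/log/kern.log) instead of the embedded sample.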