西部数码创建子网站,温州seo排名,下载软件的网站,wordpress默认链接目录 一、iptables
1.基本语法
2.四表五链——重点记忆
2.1四表
2.2五链
2.3总结
3.iptables选项示例
3.1 -Z 清空流量计数
3.2 -P 修改默认规则
3.3 -D 删除规则
3.4 -R 指定编号替换规则
4.白名单
5.通用匹配
6.示例
6.1添加回环网卡
6.2可以访问端口
6.3 主…目录 一、iptables
1.基本语法
2.四表五链——重点记忆
2.1四表
2.2五链
2.3总结
3.iptables选项示例
3.1 -Z 清空流量计数
3.2 -P 修改默认规则
3.3 -D 删除规则
3.4 -R 指定编号替换规则
4.白名单
5.通用匹配
6.示例
6.1添加回环网卡
6.2可以访问端口
6.3 主机1可以访问主机2 主机2不可以访问主机1
7.扩展模块
7.1string字符串
7.2time
7.3connlimit 最大连接数
7.4limit——限制流量
编辑7.5state状态
7.6总结
7.6.1多端口匹配 7.6.2IP范围匹配
7.6.3MAC地址匹配
7.6.4状态匹配
8.规则保存
8.1iptables-save 打印当前所有规则 8.2规则保存/恢复方法一
8.3规则保存的第二种方法
8.4如果想将规则开机自启
8.5总结
8.5.1持久保存规则——save
8.5.2加载规则——restore
8.5.3开机自动重载规则
9.自定义链
9.1添加自定义链
9.2调用自定义链
9.3删除自定义链
10.规则优化、实践
11.NAT
11.1SNAT
11.1.2SNAT应用环境
11.1.3SNAT原理 11.1.4SNAT转换前提条件 11.1.5SNAT原理图
11.1.6SNAT实验
内网客户端
路由转发服务器企业连接外网的服务器
11.2DNAT
11.2.1DNAT应用环境
11.2.2DNAT原理
11.2.3DNAT转换前提条件
11.2.3DNAT原理图
11.2.4DNAT实验
内网客户端 一、iptables
1.基本语法 -t filter -A INPUT指定表和指定链指定filter表可以不写默认指定filter表指定INPUT链 -A是追加 append
-s 192.168.0.1 -j DROP指定规则是我们手动添加的规则
2.四表五链——重点记忆
2.1四表
raw、mange、nat、filter、security五表但是实际上一般只用四表security是指安全表一般不会使用其中最常用的是filter表放行和拒绝流量和nat表地址转换 四表优先级rawmangenatfilter 2.2五链
INPUT、 OUTPUT、 FORW
2.3总结
规则表的作用:容纳各种规则链; 表的划分依据防火墙规则的作用相似规则链的作用:容纳各种防火墙规则;规则的作用对数据包进行过滤或处理 ;链的分类依据处理数据包的不同时机表里有链链里有规则
3.iptables选项示例
3.1 -Z 清空流量计数 3.2 -P 修改默认规则
iptables 的各条链中默认策略是规则匹配的最后一个环节——当找不到任何一条能够匹配数据包的规则时则执行默认策略默认策略的控制类型为ACCEPT允许、DROP丢弃两种不支持REJECT
3.3 -D 删除规则 删除规则可以按照编号删除也可以按照规则删除 3.4 -R 指定编号替换规则
[rootlocalhost ~]#iptables -R INPUT 1 -s 192.168.241.0/24 -j ACCEPT
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 6 364 ACCEPT all -- * * 192.168.241.0/24 0.0.0.0/0 1 76 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 504 bytes)pkts bytes target prot opt in out source destination
4.白名单
[rootlocalhost ~]#iptables -A INPUT -s 192.168.241.1 -j ACCEPT
#设置只有192.168.241.1的主机可以访问我
[rootlocalhost ~]#iptables -A INPUT -j REJECT
#拒绝所有
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 66 4228 ACCEPT all -- * * 192.168.241.1 0.0.0.0/0 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 8 packets, 776 bytes)pkts bytes target prot opt in out source destination
5.通用匹配
基本匹配条件无需加载模块由iptables/netfilter自行提供
选项含义[ ! ] -s, --source address [/mask] [....]源IP地址或者不连续的IP地址[ ! ] -d, --destination address [/mask] [....]目标IP地址或者不连续的IP地址[ ! ] -p, --protocol protocol指定协议可使用数字如0all[ ! ] -i, --in-interface name报文流入的接口只能应用于数据报文流入的环节只应用INPUT、FORWARD、PREROUTING链[ ! ] -o, --out-interface name报文流出的接口只能应用于数据报文流出的环节只应用FORWARD、OUPUT、POSTROUTING链 protocoltcpudpicmpicmpv6udpliteespahsctpmh or all 参看/etc/protocols 协议匹配-p 协议名一般使用的是tcp udp icmp地址匹配-s 源地址-d 目的地址 可以是IP、网段、域名、空空代表任意地址接口匹配-i 入站网卡-o 出站网卡
6.示例
6.1添加回环网卡
[rootlocalhost ~]#ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
^C
--- 10.0.0.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms[rootlocalhost ~]#ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq1 ttl64 time0.083 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev 0.083/0.083/0.083/0.000 ms
[rootlocalhost ~]#iptables -I INPUT -i lo -j ACCEPT
[rootlocalhost ~]#
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 18 packets, 1100 bytes)pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 10 packets, 1056 bytes)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq1 ttl64 time0.055 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev 0.055/0.055/0.055/0.000 ms
[rootlocalhost ~]#ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq1 ttl128 time0.467 ms
64 bytes from 10.0.0.10: icmp_seq2 ttl128 time4.90 ms
^C
--- 10.0.0.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev 0.467/2.686/4.906/2.220 ms
[rootlocalhost ~]#ping 20.0.0.1
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data.
64 bytes from 20.0.0.1: icmp_seq1 ttl128 time1.05 ms
64 bytes from 20.0.0.1: icmp_seq2 ttl128 time6.04 ms
^C
--- 20.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev 1.053/3.547/6.041/2.494 ms
6.2可以访问端口
[rootlocalhost ~]#rpm -q httpd
httpd-2.4.6-99.el7.centos.1.x86_64
#要先安装httpd服务
[rootlocalhost ~]#iptables -I INPUT -s 192.168.241.22 -p tcp --dport 80 -j ACCEPT
#添加规则 让192.168.241.22主机可以通过tcp协议 访问80端口
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 192.168.241.22 0.0.0.0/0 tcp dpt:80Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 600 bytes)pkts bytes target prot opt in out source destination [rootnode2 ~]#curl 192.168.241.11
!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.1//EN http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtdhtmlhead
meta http-equivcontent-type contenttext/html; charsetUTF-8titleApache HTTP Server Test Page powered by CentOS/titlemeta http-equivContent-Type contenttext/html; charsetUTF-8!-- Bootstrap --link href/noindex/css/bootstrap.min.css relstylesheetlink relstylesheet hrefnoindex/css/open-sans.css typetext/css /style typetext/css!-- body {font-family: Open Sans, Helvetica, sans-serif;font-weight: 100;color: #ccc;background: rgba(10, 24, 55, 1);font-size: 16px;
}h2, h3, h4 {font-weight: 200;
}h2 {font-size: 28px;
}.jumbotron {margin-bottom: 0;color: #333;background: rgb(212,212,221); /* Old browsers */background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */
}.jumbotron h1 {font-size: 128px;font-weight: 700;color: white;text-shadow: 0px 2px 0px #abc,0px 4px 10px rgba(0,0,0,0.15),0px 5px 2px rgba(0,0,0,0.1),0px 6px 30px rgba(0,0,0,0.1);
}.jumbotron p {font-size: 28px;font-weight: 100;
}.main {background: white;color: #234;border-top: 1px solid rgba(0,0,0,0.12);padding-top: 30px;padding-bottom: 40px;
}.footer {border-top: 1px solid rgba(255,255,255,0.2);padding-top: 30px;
}--/style
/head
bodydiv classjumbotron text-centerdiv classcontainerh1Testing 123../h1p classleadThis page is used to test the proper operation of the a hrefhttp://apache.orgApache HTTP server/a after it has been installed. If you can read this page it means that this site is working properly. This server is powered by a hrefhttp://centos.orgCentOS/a./p/div/divdiv classmaindiv classcontainerdiv classrowdiv classcol-sm-6h2Just visiting?/h2p classleadThe website you just visited is either experiencing problems or is undergoing routine maintenance./ppIf you would like to let the administrators of this website know that youve seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name webmaster and directed to the websites domain should reach the appropriate person./ppFor example, if you experienced problems while visiting www.example.com, you should send e-mail to webmasterexample.com./p/divdiv classcol-sm-6h2Are you the Administrator?/h2pYou should add your website content to the directory tt/var/www/html//tt./ppTo prevent this page from ever being used, follow the instructions in the file tt/etc/httpd/conf.d/welcome.conf/tt./ph2Promoting Apache and CentOS/h2pYou are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!/ppa hrefhttp://httpd.apache.org/img srcimages/apache_pb.gif alt[ Powered by Apache ]/a a hrefhttp://www.centos.org/img srcimages/poweredby.png alt[ Powered by CentOS Linux ] height31 width88/a/p/div/div/div/div/divdiv classfooterdiv classcontainerdiv classrowdiv classcol-sm-6 h2Important note:/h2p classleadThe CentOS Project has nothing to do with this website or its content,it just provides the software that makes the website run./ppIf you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Project does not have anything to do with this website,the content or the lack of it./ppFor example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:/ppa hrefhttp://www.internic.net/whois.htmlhttp://www.internic.net/whois.html/a/p/divdiv classcol-sm-6h2The CentOS Project/h2pThe CentOS Linux distribution is a stable, predictable, manageable and reproduceable platform derived from the sources of Red Hat Enterprise Linux (RHEL).ppAdditionally to being a popular choice for web hosting, CentOS also provides a rich platform for open source communities to build upon. For more informationplease visit the a hrefhttp://www.centos.org/CentOS website/a./p/div/div/div/div/div
/body/html
6.3 主机1可以访问主机2 主机2不可以访问主机1
前期测试双方可以互ping [rootlocalhost ~]#iptables -I INPUT -s 192.168.241.22 -p icmp --icmp-type 8 -j REJECT
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 10 packets, 612 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT icmp -- * * 192.168.241.22 0.0.0.0/0 icmptype 8 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 6 packets, 1032 bytes)pkts bytes target prot opt in out source destination [rootlocalhost ~]#iptables -F
[rootlocalhost ~]#iptables -I INPUT -s 192.168.241.22 -p icmp --icmp-type 8 -j DROP
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 488 bytes)pkts bytes target prot opt in out source destination 0 0 DROP icmp -- * * 192.168.241.22 0.0.0.0/0 icmptype 8Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5 packets, 684 bytes)pkts bytes target prot opt in out source destination DROP和REJECT的区别是REJECT会回复Unreachable但是DROP 不会回复 7.扩展模块
7.1string字符串 要先安装httpd [rootlocalhost ~]#echo wyb /var/www/html/index.html
#自建网页 使得其他主机访问httpd服务 是访问 wyb[rootlocalhost ~]#iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --from 62 --string wyb -j REJECT
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 14 packets, 852 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 9 packets, 1268 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 STRING match wyb ALGO name bm FROM 62 TO 65535 reject-with icmp-port-unreachable
[rootnode2 ~]#curl 192.168.241.11
wyb
[rootnode2 ~]#curl 192.168.241.11#不会跳转相关信息出来
7.2time 此时还可以ping通不要急因为date使用的是utc时间 此时的utc时间 我们修改一下时间 此时再ping 7.3connlimit 最大连接数
根据客户端IP做并发连接数数量匹配 可防止DosDenial of Service 拒绝服务攻击 --connlimit-upto N #连接的数量小于等于N时匹配 --connlimit-above N #连接的数量大于N时匹配 [rootlocalhost ~]# gcc flood_connect.c -o flood
#编译安装 黑客文件
[rootlocalhost ~]# ./flood 192.168.91.100
#运行黑客脚本[rootlocalhost ~]#ss [rootlocalhost ~]#iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
#只允许两个流量来访问http 其他的拒绝 限制连接数
7.4limit——限制流量
测试目前ping192.168.241.11 无任何问题 此时通过制作一条防火墙规则来限制192.168.241.22主机的流量
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 13 packets, 806 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7 packets, 692 bytes)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables -I INPUT -p icmp --icmp-type 8 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
#通过限制icmp协议的8包请求包 流量 每分钟 限制最大流量为5个包
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 10/min burst 5Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables -A INPUT -p icmp -j REJECT
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination 7 588 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 10/min burst 50 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)pkts bytes target prot opt in out source destination
此时再通过192.168.241.22主机来ping192.168.241.11主机
7.5state状态
NEW新发出请求连接追踪信息库中不存在此连接的相关信息条目因此将其识别为第一次发出的请求ESTABLISHEDNEW状态之后连接追踪信息库中为其建立的条目失效之前期间内所进行的通信状态RELATED新发起的但与已有连接相关联的连接如ftp协议中的数据连接与命令连接之间的关系INVALID无效的连接如flag标记不正确UNTRACKED未进行追踪的连接如raw表中关闭追踪 一般只用NEW、ESTABLISHED 制作规则之前通过192.168.241.22主机ping192.168.241.11主机 添加一条规则 对于新流量设置拒绝
[rootlocalhost ~]#iptables -A INPUT -m state --state NEW -j REJECT
此时通过192.168.241.23主机ping192.168.241.11使用192.168.241.22主机还可以继续ping192.168.241.11 7.6总结
7.6.1多端口匹配
-m multiport --sport源端口列表-m multiport --dport目的端口列表
iptables -A INPUT -p tcp -m multiport --dport 80,22,21,20,53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 53 -j ACCEPT 7.6.2IP范围匹配
-m iprange --src-range IP范围iptables -A FORWARD -p udp -m iprange --src-range 192.168.80.100-192.168.80.200 -j DROP
#禁止转发源地址位于192.168.80.100-192.168.80.200的udp数据包
7.6.3MAC地址匹配
-m mac --mac-source MAC地址iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
#禁止来自某MAC地址的数据包通过本机转发
7.6.4状态匹配
常见的连接状态
NEW :与任何连接无关的还没开始连接ESTABLISHED :响应请求或者已建立连接的连接态RELATED :与已有连接有相关性的(如FTP主被动模式的数据连接)衍生态一般与ESTABLISHED 配合使用INVALID:不能被识别属于哪个连接或没有任何状态
状态匹配: -m state --state 连接状态iptables -A FORWARD -m state --state NEW -P tcp ! --syn -j DROP
#禁止转发与正常TCP连接无关的非--syn请求数据包(如伪造的网络攻击数据包)
8.规则保存
使用iptables命令定义的规则手动删除之前其生效期限为kernel存活期限
save保存restore恢复
8.1iptables-save 打印当前所有规则
[rootlocalhost ~]#iptables-save
# Generated by iptables-save v1.4.21 on Sun Feb 18 16:09:28 2024
*mangle
:PREROUTING ACCEPT [494:50032]
:INPUT ACCEPT [494:50032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [422:64901]
:POSTROUTING ACCEPT [475:74138]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Feb 18 16:09:28 2024
# Generated by iptables-save v1.4.21 on Sun Feb 18 16:09:28 2024
*nat
:PREROUTING ACCEPT [9:872]
:INPUT ACCEPT [9:872]
:OUTPUT ACCEPT [96:7438]
:POSTROUTING ACCEPT [96:7438]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Feb 18 16:09:28 2024
# Generated by iptables-save v1.4.21 on Sun Feb 18 16:09:28 2024
*filter
:INPUT ACCEPT [495:50209]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [423:65078]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Feb 18 16:09:28 2024 8.2规则保存/恢复方法一
[rootlocalhost ~]#iptables -I INPUT -s 192.168.241.22 -j REJECT
#设置拒绝192.168.241.22主机访问的规则
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 192.168.241.22 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 504 bytes)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables-save /opt/123
#将规则保存在/opt/123
[rootlocalhost ~]#iptables -F
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 12 packets, 704 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7 packets, 612 bytes)pkts bytes target prot opt in out source destination 此时的192.168.241.22主机从开始可以ping192.168.241.11主机添加规则后不能ping将规则保存在文件中再清空规则可以ping [rootlocalhost ~]#iptables-restore /opt/123
#将保存的规则通过/opt/123 重新加载到规则中
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 192.168.241.22 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 424 bytes)pkts bytes ta 此时192.168.241.22主机无妨再ping192.168.241.11主机
8.3规则保存的第二种方法
[rootlocalhost ~]#yum install iptables-services.x86_64 -ycp {,.}bak [rootlocalhost ~]#iptables -I INPUT -s 192.168.241.0/24 -j ACCEPT
[rootlocalhost ~]#iptables-save /etc/sysconfig/iptables
#保存规则
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 6 364 ACCEPT all -- * * 192.168.241.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 504 bytes)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#vim /etc/sysconfig/iptables
#规则将被保存在这个配置文件中并在这个配置文件中读取
[rootlocalhost ~]#systemctl enable iptables.service
#开机自启
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 5 packets, 380 bytes)pkts bytes target prot opt in out source destination 247 15804 ACCEPT all -- * * 192.168.241.0/24 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 175 packets, 18648 bytes)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables -F
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 384 bytes)pkts bytes target prot opt in out source destination #目前规则还在清空规则后重启 8.4如果想将规则开机自启
vim /etc/rc.d/rc.local 如果想开机自启需要给该配置文件加执行权限 将所有规则清空后重启 8.5总结
8.5.1持久保存规则——save
CentOS 7,8iptables-save /PATH/TO/SOME_RULES_FILECentOS 6将规则覆盖保存至/etc/sysconfig/iptables文件中 service iptables save
8.5.2加载规则——restore
CentOS 7,8iptables-restore /PATH/FROM/SOME_RULES_FILECentOS 6会自动从/etc/sysconfig/iptables 重新载入规则 service iptables restart iptables-restore选项
-n--noflush不清除原有规则-t--test仅分析生成规则集但不提交
8.5.3开机自动重载规则
在/etc/rc.d/rc.local文件添加
iptables-save /opt/iptables
vim ~/.basrc
iptables-restore /opt/iptables
9.自定义链
9.1添加自定义链
[rootlocalhost ~]#iptables -N web
#增加自定义链 取名为web
[rootlocalhost ~]#iptables -F
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 384 bytes)pkts bytes target prot opt in out source destination Chain web (0 references)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables -E web WEB
#修改web自定义链为WEB
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 400 bytes)pkts bytes target prot opt in out source destination Chain WEB (0 references)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables -A WEB -p tcp -m multiport --dport 80,443 -j ACCEPT
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 600 bytes)pkts bytes target prot opt in out source destination Chain WEB (0 references)pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
[rootlocalhost ~]#iptables -I WEB -s 192.168.241.22 -p tcp --dport 80 -j DROP
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 600 bytes)pkts bytes target prot opt in out source destination Chain WEB (0 references)pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 192.168.241.22 0.0.0.0/0 tcp dpt:800 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 自定义链是将相同连接的规则放在一起方便调用 9.2调用自定义链
[rootlocalhost ~]#iptables -A INPUT -s 192.168.241.22 -j WEB
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 14 packets, 1004 bytes)pkts bytes target prot opt in out source destination 4 336 WEB all -- * * 192.168.241.22 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 12 packets, 1136 bytes)pkts bytes target prot opt in out source destination Chain WEB (1 references)pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 192.168.241.22 0.0.0.0/0 tcp dpt:800 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
9.3删除自定义链
[rootlocalhost ~]#iptables -F INPUT
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 392 bytes)pkts bytes target prot opt in out source destination Chain WEB (0 references)pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 192.168.241.22 0.0.0.0/0 tcp dpt:800 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
[rootlocalhost ~]#iptables -F WEB
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 392 bytes)pkts bytes target prot opt in out source destination Chain WEB (0 references)pkts bytes target prot opt in out source destination
[rootlocalhost ~]#iptables -X WEB
[rootlocalhost ~]#iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 392 bytes)pkts bytes target prot opt in out source destination 删除自定义链要注意 要先删除WEB规则 再删INPUT调用WEB的规则 最后删WEB链 10.规则优化、实践 安全放行所有入站和出站的状态为ESTABLISHED状态连接,建议放在第一条效率更高 谨慎放行入站的新请求 有特殊目的限制访问功能要在放行规则之前加以拒绝 同类规则访问同一应用比如http 匹配范围小的放在前面用于特殊处理 不同类的规则访问不同应用一个是http另一个是mysql 匹配范围大的放在前面效率更高 应该将那些可由一条规则能够描述的多个规则合并为一条,减少规则数量,提高检查效率 设置默认策略建议白名单只放行特定连接 A:iptables -P不建议容易出现“自杀现象” B:规则的最后定义规则做为默认策略推荐使用放在最后一条
11.NAT
NAT: network address translation支持PREROUTINGINPUTOUTPUTPOSTROUTING四个链
请求报文修改源/目标IP
响应报文修改源/目标IP根据跟踪机制自动实现
NAT的实现分为下面类型
SNATsource NAT 支持POSTROUTING, INPUT让本地网络中的主机通过某一特定地址访问外部网络实现地址伪装,请求报文修改源IP
DNATdestination NAT 支持PREROUTING , OUTPUT把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射)但隐藏真实IP,请求报文修改目标IP
PNAT: port nat端口和IP都进行修改
11.1SNAT
基于nat表的target适用于固定的公网IP
11.1.1SNAT原理与应用
11.1.2SNAT应用环境
局域网主机共享单个公网IP地址接入Internet私有IP不能在Internet中正常路由
11.1.3SNAT原理
源地址转换根据指定条件修改数据包的源IP地址通常被叫做源映射 11.1.4SNAT转换前提条件
1.局域网各主机已正确设置IP地址、子网掩码、默认网关地址
2.Linux网关开启IP路由转发 Linux系统本身是没有转发功能只有路由发送数据 11.1.5SNAT原理图 源IP地址目的IP地址192.168.241.1112.0.0.1012.0.0.112.0.0.10
11.1.6SNAT实验
内网客户端
[rootlocalhost ~]#systemctl stop firewalld
[rootlocalhost ~]#setenforce 0
setenforce: SELinux is disabled
[rootlocalhost ~]#yum install httpd -y
[rootlocalhost ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.241.2 0.0.0.0 UG 100 0 0 ens33
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
192.168.241.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
[rootlocalhost ~]#vim /etc/sysconfig/network-scripts/ifcfg-ens33
[rootlocalhost ~]#ping 12.0.0.254
PING 12.0.0.254 (12.0.0.254) 56(84) bytes of data.
64 bytes from 12.0.0.254: icmp_seq1 ttl128 time0.918 ms
^C
--- 12.0.0.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev 0.918/0.918/0.918/0.000 ms
[rootlocalhost ~]#ping 192.168.241.22
PING 192.168.241.22 (192.168.241.22) 56(84) bytes of data.
64 bytes from 192.168.241.22: icmp_seq1 ttl64 time0.740 ms
^C
--- 192.168.241.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev 0.740/0.740/0.740/0.000 ms
[rootlocalhost ~]#vim /etc/sysconfig/network-scripts/ifcfg-ens33
[rootlocalhost ~]#systemctl restart network 路由转发服务器企业连接外网的服务器
[rootnode2 ~]#systemctl stop firewalld
[rootnode2 ~]#setenforce 0 [rootnode2 ~]#cd /etc/sysconfig/network-scripts/
[rootnode2 network-scripts]#ls
ifcfg-ens33 ifdown-ppp ifup-ib ifup-Team
ifcfg-lo ifdown-routes ifup-ippp ifup-TeamPort
ifdown ifdown-sit ifup-ipv6 ifup-tunnel
ifdown-bnep ifdown-Team ifup-isdn ifup-wireless
ifdown-eth ifdown-TeamPort ifup-plip init.ipv6-global
ifdown-ib ifdown-tunnel ifup-plusb network-functions
ifdown-ippp ifup ifup-post network-functions-ipv6
ifdown-ipv6 ifup-aliases ifup-ppp
ifdown-isdn ifup-bnep ifup-routes
ifdown-post ifup-eth ifup-sit
[rootnode2 network-scripts]#cp ifcfg-ens33 ifcfg-ens36
[rootnode2 network-scripts]#vim ifcfg-ens36
[rootnode2 network-scripts]#systemctl restart network
[rootnode2 network-scripts]#sysctl -a|grep ip_forward
net.ipv4.ip_forward 0
net.ipv4.ip_forward_use_pmtu 0
sysctl: reading key net.ipv6.conf.all.stable_secret
sysctl: reading key net.ipv6.conf.default.stable_secret
sysctl: reading key net.ipv6.conf.ens33.stable_secret
sysctl: reading key net.ipv6.conf.ens36.stable_secret
sysctl: reading key net.ipv6.conf.lo.stable_secret
sysctl: reading key net.ipv6.conf.virbr0.stable_secret
sysctl: reading key net.ipv6.conf.virbr0-nic.stable_secret
[rootnode2 network-scripts]#vim /etc/sysctl.conf
[rootnode2 network-scripts]#sysctl -p
net.ipv4.ip_forward 1
[rootnode2 network-scripts]#ifconfig
ens33: flags4163UP,BROADCAST,RUNNING,MULTICAST mtu 1500inet 192.168.241.22 netmask 255.255.255.0 broadcast 192.168.241.255inet6 fe80::d9cd:6857:3bdc:7454 prefixlen 64 scopeid 0x20linkether 00:0c:29:3e:a0:08 txqueuelen 1000 (Ethernet)RX packets 1875 bytes 154348 (150.7 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 1092 bytes 135160 (131.9 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0ens36: flags4163UP,BROADCAST,RUNNING,MULTICAST mtu 1500inet 12.0.0.254 netmask 255.255.255.0 broadcast 12.0.0.255inet6 fe80::e94c:605b:4800:5850 prefixlen 64 scopeid 0x20linkether 00:0c:29:3e:a0:12 txqueuelen 1000 (Ethernet)RX packets 40 bytes 7659 (7.4 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 120 bytes 19942 (19.4 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags73UP,LOOPBACK,RUNNING mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10hostloop txqueuelen 1 (Local Loopback)RX packets 64 bytes 5568 (5.4 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 64 bytes 5568 (5.4 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0virbr0: flags4099UP,BROADCAST,MULTICAST mtu 1500inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255ether 52:54:00:fe:22:f2 txqueuelen 1000 (Ethernet)RX packets 0 bytes 0 (0.0 B)RX errors 0 dropped 0 overruns 0 frame 0TX packets 0 bytes 0 (0.0 B)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[rootnode2 ~]#iptables -t nat -A POSTROUTING -o ens36 -s 192.168.241.0/24 -p tcp --dport 80 -j SNAT --to 12.0.0.254 外网服务器
[rootlocalhost ~]#systemctl stop firewalld
[rootlocalhost ~]#setenforce 0
[rootlocalhost ~]#yum install httpd -y
[rootlocalhost ~]#vim /etc/sysconfig/network-scripts/ifcfg-ens33
[rootlocalhost ~]#systemctl restart network
[rootnode3 ~]#ping 12.0.0.254
PING 12.0.0.254 (12.0.0.254) 56(84) bytes of data.
64 bytes from 12.0.0.254: icmp_seq1 ttl64 time0.404 ms
64 bytes from 12.0.0.254: icmp_seq2 ttl64 time3.43 ms
^C
--- 12.0.0.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev 0.404/1.918/3.433/1.515 ms
[rootnode3 ~]#ping 192.168.241.22
PING 192.168.241.22 (192.168.241.22) 56(84) bytes of data.
64 bytes from 192.168.241.22: icmp_seq1 ttl64 time0.480 ms
^C
--- 192.168.241.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev 0.480/0.480/0.480/0.000 ms
[rootnode3 ~]#systemctl start httpd 此时的地址应该是公网地址访问httpd服务 给路由转发服务器添加规则后 11.2DNAT
nat表的target适用于端口映射即可重定向到本机也可以支持重定向至不同主机的不同端
口但不支持多目标即不支持负载均衡功能
11.2.1DNAT应用环境
在Internet中发布位于局域网内的服务器
11.2.2DNAT原理
目的地址转换根据指定条件修改数据包的目的IP地址保证了内网服务器的安全通常被叫做目的映射
11.2.3DNAT转换前提条件
1.局域网的服务器能够访问Internet
2.网关的外网地址有正确的DNS解析记录
3.Linux网关开启IP路由转发
11.2.3DNAT原理图 源IP地址目的IP地址12.0.0.1012.0.0.112.0.0.10192.168.241.11
11.2.4DNAT实验
内网客户端
[rootlocalhost ~]#systemctl start httpd
[rootlocalhost ~]#systemctl status httpd
● httpd.service - The Apache HTTP ServerLoaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)Active: active (running) since 日 2024-02-18 19:51:16 CST; 10s agoDocs: man:httpd(8)man:apachectl(8)Main PID: 3932 (httpd)Status: Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/secCGroup: /system.slice/httpd.service├─3932 /usr/sbin/httpd -DFOREGROUND├─3935 /usr/sbin/httpd -DFOREGROUND├─3936 /usr/sbin/httpd -DFOREGROUND├─3937 /usr/sbin/httpd -DFOREGROUND├─3938 /usr/sbin/httpd -DFOREGROUND└─3939 /usr/sbin/httpd -DFOREGROUND2月 18 19:51:16 localhost.localdomain systemd[1]: Starting The Apache HT...
2月 18 19:51:16 localhost.localdomain httpd[3932]: AH00558: httpd: Could...
2月 18 19:51:16 localhost.localdomain systemd[1]: Started The Apache HTT...
Hint: Some lines were ellipsized, use -l to show in full.
路由转发服务器
[rootnode2 ~]#iptables -t nat -A PREROUTING -i ens36 -d 12.0.0.254 -p tcp --dport 80 -j DNAT --to 192.168.241.11
外网服务器 想让外网服务器访问12.0.0.254相当于访问192.168.241.11的httpd 要在路由转发服务器做规则
[rootnode3 ~]#curl 12.0.0.254
!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.1//EN http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtdhtmlhead
meta http-equivcontent-type contenttext/html; charsetUTF-8titleApache HTTP Server Test Page powered by CentOS/titlemeta http-equivContent-Type contenttext/html; charsetUTF-8!-- Bootstrap --link href/noindex/css/bootstrap.min.css relstylesheetlink relstylesheet hrefnoindex/css/open-sans.css typetext/css /style typetext/css!-- body {font-family: Open Sans, Helvetica, sans-serif;font-weight: 100;color: #ccc;background: rgba(10, 24, 55, 1);font-size: 16px;
}h2, h3, h4 {font-weight: 200;
}h2 {font-size: 28px;
}.jumbotron {margin-bottom: 0;color: #333;background: rgb(212,212,221); /* Old browsers */background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */
}.jumbotron h1 {font-size: 128px;font-weight: 700;color: white;text-shadow: 0px 2px 0px #abc,0px 4px 10px rgba(0,0,0,0.15),0px 5px 2px rgba(0,0,0,0.1),0px 6px 30px rgba(0,0,0,0.1);
}.jumbotron p {font-size: 28px;font-weight: 100;
}.main {background: white;color: #234;border-top: 1px solid rgba(0,0,0,0.12);padding-top: 30px;padding-bottom: 40px;
}.footer {border-top: 1px solid rgba(255,255,255,0.2);padding-top: 30px;
}--/style
/head
bodydiv classjumbotron text-centerdiv classcontainerh1Testing 123../h1p classleadThis page is used to test the proper operation of the a hrefhttp://apache.orgApache HTTP server/a after it has been installed. If you can read this page it means that this site is working properly. This server is powered by a hrefhttp://centos.orgCentOS/a./p/div/divdiv classmaindiv classcontainerdiv classrowdiv classcol-sm-6h2Just visiting?/h2p classleadThe website you just visited is either experiencing problems or is undergoing routine maintenance./ppIf you would like to let the administrators of this website know that youve seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name webmaster and directed to the websites domain should reach the appropriate person./ppFor example, if you experienced problems while visiting www.example.com, you should send e-mail to webmasterexample.com./p/divdiv classcol-sm-6h2Are you the Administrator?/h2pYou should add your website content to the directory tt/var/www/html//tt./ppTo prevent this page from ever being used, follow the instructions in the file tt/etc/httpd/conf.d/welcome.conf/tt./ph2Promoting Apache and CentOS/h2pYou are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!/ppa hrefhttp://httpd.apache.org/img srcimages/apache_pb.gif alt[ Powered by Apache ]/a a hrefhttp://www.centos.org/img srcimages/poweredby.png alt[ Powered by CentOS Linux ] height31 width88/a/p/div/div/div/div/divdiv classfooterdiv classcontainerdiv classrowdiv classcol-sm-6 h2Important note:/h2p classleadThe CentOS Project has nothing to do with this website or its content,it just provides the software that makes the website run./ppIf you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Project does not have anything to do with this website,the content or the lack of it./ppFor example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:/ppa hrefhttp://www.internic.net/whois.htmlhttp://www.internic.net/whois.html/a/p/divdiv classcol-sm-6h2The CentOS Project/h2pThe CentOS Linux distribution is a stable, predictable, manageable and reproduceable platform derived from the sources of Red Hat Enterprise Linux (RHEL).ppAdditionally to being a popular choice for web hosting, CentOS also provides a rich platform for open source communities to build upon. For more informationplease visit the a hrefhttp://www.centos.org/CentOS website/a./p/div/div/div/div/div
/body/html
12.延伸——故障案例
启用了的iptables staste模块用户访问的问题经过研究发现有一个内核选项的默认值过低netfilter/nf_conntrack max 默认为65536一般建议把这个值调大一点
[rootlocalhost ~]#cat /proc/net/nf_conntrack
#启用后会写在这个文件中
ipv4 2 tcp 6 299 ESTABLISHED src192.168.241.1 dst192.168.241.11 sport53186 dport22 src192.168.241.11 dst192.168.241.1 sport22 dport53186 [ASSURED] mark0 zone0 use2
ipv4 2 udp 17 12 src192.168.241.11 dst84.16.73.33 sport54501 dport123 [UNREPLIED] src84.16.73.33 dst192.168.241.11 sport123 dport54501 mark0 zone0 use2
[rootlocalhost ~]#lsmod|grep conn
#内核模块可以看到调用state状态时可以看到
xt_conntrack 12760 0
nf_conntrack_ipv4 15053 1
nf_defrag_ipv4 12729 1 nf_conntrack_ipv4
nf_conntrack 133387 5 nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
[rootlocalhost ~]#cat /proc/sys/net/netfilter/nf_conntrack_max
#记录的用户数为65536
65536
[rootlocalhost ~]#echo 1 /proc/sys/net/netfilter/nf_conntrack_max
#修改最大记录数为1
[rootlocalhost ~]#cat /proc/sys/net/netfilter/nf_conntrack_max
1 注意如果是Centos6版本请不要轻易使用iptables -vnL 因为iptables -vnL在Centos6版本是开启state模块可能会造成重大的连接事故
