​七周四次课（5月9日)iptables filter表案例、iptables nat表应用

 10. 15 iptables filter表小案例

输入如下的内容：
#! /bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -i ACCEPT
$ipt -A INPUT -s 192.168.218.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

ipt 定义了一个变量，变量要写绝对路径，这样才不会被环境变量所影响。然后使用 -F 命令清空规则，-P 是定义默认的策略，-A 增加规则。这边用脚本执行命令

 iptables -I INPUT -p icmp --icmp-type 8 -j DROP   禁ping操作

10.16 iptables nat表应用

1、打开端口转发模式

查询（将 /proc/sys/net/ipv4/ip_forward设置为1为转发，默认为0）；

[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@shu-test ~]#

打开端口转发

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@shu-test ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@shu-test ~]#

2、在机器A上增加规则

（记住B机器的网关必须指向机器A的ens37也就是192.168.100.1）

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

在机器A上增加nat 将源地址192.168.100.0/24的所有路由（数据包）指向ens33出去

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 659 packets, 67162 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 18 packets, 1935 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
   42  3201 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

3、测试：

如果能ping通机器A的ens33网卡，而ping不通外网，可以清空下iptables -F配置的规则；
机器B上ping www.hao123.com

[root@localhost ~]# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=127 time=1.58 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=127 time=0.814 ms
^C
--- 192.168.188.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.814/1.199/1.585/0.387 ms
[root@localhost ~]# ping www.hao123.com
PING hao123.n.shifen.com (112.34.111.167) 56(84) bytes of data.
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=1 ttl=127 time=31.1 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=2 ttl=127 time=31.5 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=3 ttl=127 time=31.2 ms
^C
--- hao123.n.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.116/31.291/31.502/0.159 ms
[root@localhost ~]#

端口映射

需求2：C机器只能和A通信，让C机器可以直接通过B机器22端口；（端口映射）

1、打开A机器的端口转发功能；

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]#

2、清空和删除所有配置

使用iptables -F与 -D 命令，详情见前文章

3、在A机器上添加规则

iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
将192.168.100.101的22端口 映射到A机器的ens33的1122端口上，
使外网通过访问192.168.188.2:1122来达到访问机器C（ip：192.168.100.101）的22端口；

[root@shu-test ~]# iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
[root@shu-test ~]#
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 13 packets, 1072 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 6 packets, 549 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 7 packets, 412 bytes)
pkts bytes target     prot opt in     out     source               destination         
  113  8561 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

4、在A机器上添加回包规则

iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
将从192.168.100.101的过来的包，返回给192.168.188.2；
有来有回

[root@shu-test ~]# iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
    0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2
[root@shu-test ~]#

5、测试

在Windows上直接ssh 192.168.188.2：1122