There are three requirements:
① Staff inside the company (10.10.155.0/24, 10.10.188.0/24) can reach any service on the server.
② Staff travelling in Shanghai connect to the company through a VPN: once an (external) employee dials in to the VPN server, they can use the internal FTP, SAMBA, NFS and SSH.
③ The company has a portal website that must be reachable from the public internet.
Services open to the external network:
| Service | Port |
|---|---|
| http | 80/tcp |
| https | 443/tcp |
| smtp | 25/tcp |
| smtps | 465/tcp |
| pop3 | 110/tcp |
| pop3s | 995/tcp |
| imap | 143/tcp |
Configuration approach:
① Allow local (loopback) traffic.
② Allow packets belonging to connections that are already in the established state.
③ Allow the packets permitted by the rules (the ssh remote-management port must be opened).
④ Reject packets that are not explicitly allowed.
⑤ Save the iptables rules to a configuration file.
Configuration on the server:
Allow the company's internal subnets to reach any service:
iptables -A INPUT -s 10.10.155.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.188.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.140.0/24 -j ACCEPT
Open the public services to the whole external network; the VPN service port is usually 1723:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
Allow ICMP and reject all other incoming traffic:
iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT
Open everything on the loopback interface and let the return traffic of established connections through (both are inserted with -I so they sit at the head of the chain, ahead of the REJECT):
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Check the resulting configuration (iptables -nL without -v does not show the interface column, so the second ACCEPT line, the one with no match shown, is the lo rule):
[root@bogon ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 10.10.155.0/24 0.0.0.0/0
ACCEPT all -- 10.10.188.0/24 0.0.0.0/0
ACCEPT all -- 10.10.140.0/24 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@bogon ~]#
Next, save the rules. There are two ways; the first uses iptables' own facility:
service iptables save
[root@bogon ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[root@bogon ~]#
The saved /etc/sysconfig/iptables file then looks like this:
# Generated by iptables-save v1.4.21 on Tue Mar 1 10:56:19 2022
*mangle
:PREROUTING ACCEPT [664:135581]
:INPUT ACCEPT [662:134905]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [547:110192]
:POSTROUTING ACCEPT [631:123541]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Mar 1 10:56:19 2022
# Generated by iptables-save v1.4.21 on Tue Mar 1 10:56:19 2022
*nat
:PREROUTING ACCEPT [211:28435]
:INPUT ACCEPT [36:4197]
:OUTPUT ACCEPT [188:15080]
:POSTROUTING ACCEPT [188:15080]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Mar 1 10:56:19 2022
# Generated by iptables-save v1.4.21 on Tue Mar 1 10:56:19 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar 1 10:56:19 2022
That is all that is needed; then enable the service so the saved rules are restored at boot:
[root@bogon ~]# systemctl enable iptables.service
[root@bogon ~]#
The other way is to write a shell script and add it to the boot startup.
vim /opt/iptables_ssh.sh
Contents:
#!/bin/sh
# Office subnets may reach every service
iptables -A INPUT -s 10.10.155.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.188.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.140.0/24 -j ACCEPT
# Public services: web and the PPTP control port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# ICMP goes to the head of the chain; everything unmatched is rejected at the end
iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT
# -I inserts at the head, so loopback and return traffic are matched before anything else
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then edit the boot startup file (as its own header comment says, it must be made executable with chmod +x /etc/rc.d/rc.local or it will not run at boot):
vim /etc/rc.local
Change its contents to the following:
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
/bin/sh /opt/iptables_ssh.sh
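As an added example that is not part of the original post, here is the same policy, covering all three requirements, written as a generator for an iptables-restore file in the /etc/sysconfig/iptables format shown above; loading it with iptables-restore replaces the filter table atomically, so it can be re-run without duplicating rules. The subnets, the public ports from the table and the PPTP port come from the post; the ppp+ tunnel interface (PPTP terminating on this host) is an assumption, and the GRE rule is there because PPTP carries its data channel over IP protocol 47, so TCP 1723 alone is not enough.

```shell
#!/bin/sh
# Added example (not from the original post): emit the INPUT rule set for all
# three requirements in iptables-save format, the format of /etc/sysconfig/iptables
# shown above. Loaded with iptables-restore it replaces the filter table atomically,
# so re-running it never duplicates rules the way a script of "iptables -A" lines does.
# Subnets and ports come from the post; VPN_IF is an assumption.

OFFICE_NETS="10.10.155.0/24 10.10.188.0/24 10.10.140.0/24"   # requirement 1
PUBLIC_TCP_PORTS="80 443 25 465 110 995 143"                 # table of public services
PPTP_PORT=1723                                               # requirement 2, control channel
VPN_IF="ppp+"   # assumption: PPTP terminates on this host, so clients arrive on pppN

gen_filter_rules() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Cheap matches first: loopback, and replies to connections this host already has.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp -j ACCEPT'
    # Requirement 1: office subnets reach every service, ssh management included.
    for net in $OFFICE_NETS; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    # Requirement 2: dialed-in clients use FTP/SAMBA/NFS/SSH through the tunnel;
    # the PPTP data channel is GRE (IP protocol 47), so TCP 1723 alone is not enough.
    echo "-A INPUT -i $VPN_IF -j ACCEPT"
    echo "-A INPUT -p tcp -m tcp --dport $PPTP_PORT -m state --state NEW -j ACCEPT"
    echo '-A INPUT -p gre -j ACCEPT'
    # Requirement 3: the public services from the table, new connections only.
    for port in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else: log at a limited rate, then reject as the post's last rule does.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT reject: "'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Prints the rule file by default; "--apply" loads it (as root) and saves it for boot.
if [ "${1:-}" = "--apply" ]; then
    gen_filter_rules | iptables-restore && service iptables save
else
    gen_filter_rules
fi
```

Run it once without arguments and read the output before using --apply; the REJECT is the last INPUT rule, so a missing ACCEPT above it shows up as a lockout, not a silent hole.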
Copyright notice: this article is a repost; copyright belongs to the original author.
Original link: https://it1995.blog.csdn.net/article/details/123889100