Linux Notes: iptables configuration simulating a company environment

x33g5p2x reposted on 2022-04-01 in Linux

There are three requirements:

① Employees inside the company network (10.10.155.0/24, 10.10.188.0/24) can access any service on the server.

② Employees travelling in Shanghai connect to the company over VPN: once an external (employee) client has dialled in to the VPN server, it can use the internal FTP, SAMBA, NFS and SSH services.

③ The company has a portal website that must be reachable from the public Internet.

Services open to the Internet:

| Service | Port |
| --- | --- |
| http | 80/tcp |
| https | 443/tcp |
| smtp | 25/tcp |
| smtps | 465/tcp |
| pop3 | 110/tcp |
| pop3s | 995/tcp |
| imap | 143/tcp |

Configuration approach:

① Allow local (loopback) traffic.

② Allow packets belonging to already established connections through.

③ Allow the packets permitted by the rules (the SSH remote-management port must be opened).

④ Reject every packet that was not explicitly allowed.

⑤ Save the iptables rules to a configuration file.

Configuration on the server:

Allow the company-internal subnets to reach any service

iptables -A INPUT -s 10.10.155.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.188.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.140.0/24 -j ACCEPT

Open the public services to the whole Internet; the VPN service port is normally 1723

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

Allow ICMP and reject all other inbound traffic

iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT

Open the loopback interface completely and let the return traffic of established/related connections in (-I inserts these rules at the top of the chain, so they are evaluated before the REJECT)

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Check the current configuration:

[root@bogon ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  10.10.155.0/24       0.0.0.0/0           
ACCEPT     all  --  10.10.188.0/24       0.0.0.0/0           
ACCEPT     all  --  10.10.140.0/24       0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@bogon ~]#

Next comes saving the rules. There are two ways to do it; the first uses the built-in iptables service:

service iptables save

[root@bogon ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  确定  ]
[root@bogon ~]#
# Generated by iptables-save v1.4.21 on Tue Mar  1 10:56:19 2022
*mangle
:PREROUTING ACCEPT [664:135581]
:INPUT ACCEPT [662:134905]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [547:110192]
:POSTROUTING ACCEPT [631:123541]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Mar  1 10:56:19 2022
# Generated by iptables-save v1.4.21 on Tue Mar  1 10:56:19 2022
*nat
:PREROUTING ACCEPT [211:28435]
:INPUT ACCEPT [36:4197]
:OUTPUT ACCEPT [188:15080]
:POSTROUTING ACCEPT [188:15080]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Mar  1 10:56:19 2022
# Generated by iptables-save v1.4.21 on Tue Mar  1 10:56:19 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  1 10:56:19 2022

That's it. Enable the service so the saved rules are loaded at boot:

[root@bogon ~]# systemctl enable iptables.service
[root@bogon ~]#

The other way is to write a shell script and have it run at boot.

vim /opt/iptables_ssh.sh

Its content is as follows:

#!/bin/sh

# Company-internal subnets may reach any service
iptables -A INPUT -s 10.10.155.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.188.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.140.0/24 -j ACCEPT

# Services open to the Internet: the web portal and the PPTP VPN port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

# Allow ICMP, then reject everything not matched above (-A appends, so REJECT ends the chain)
iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT

# -I inserts at the top of the chain: loopback and established/related replies are checked first
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Edit the boot autostart file:

vim /etc/rc.local

Modify its content as follows:

#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
/bin/sh /opt/iptables_ssh.sh
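As an added example (not from the original post): the same INPUT rules written out in iptables-save format and loaded with iptables-restore, which replaces the filter table in one atomic step, so that running it a second time at boot does not stack a duplicate set of rules behind the REJECT the way the appending script above would. It assumes the subnets and the service table from this post, adds TCP 22 because the configuration plan calls for opening the SSH management port, and persists with `service iptables save` exactly as the post does.

```shell
#!/bin/sh
# Added example, not from the original post: emit the post's INPUT rules in
# iptables-save format and load them with iptables-restore. Loading a whole
# table replaces it, so running this twice does not duplicate rules.

# Assumed from the post: internal subnets that may reach any service.
INTERNAL_NETS="10.10.155.0/24 10.10.188.0/24 10.10.140.0/24"
# Assumed from the post's service table, plus 1723 (PPTP VPN) and 22 (the
# SSH management port the configuration plan says must be opened).
PUBLIC_TCP_PORTS="80 443 25 465 110 995 143 1723 22"

gen_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Steps 1-2 of the plan: loopback, then replies to established connections.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # Step 3: internal subnets get everything ...
    for net in $INTERNAL_NETS; do
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    # ... the Internet only gets new connections to the listed TCP services.
    for port in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    # Step 4: reject whatever was not accepted above. This must stay last.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Step 5: let iptables-restore parse the file (--test) before committing it,
# then persist with the post's own command. Only the filter table is named
# in the file, so the nat/mangle rules in the saved file are left alone.
apply_rules() {
    tmp=$(mktemp) &&
        gen_filter_rules > "$tmp" &&
        iptables-restore --test "$tmp" &&
        iptables-restore "$tmp" &&
        service iptables save
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `gen_filter_rules` on its own to review the generated file before calling `apply_rules` as root.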
