iptables forwarding (the FORWARD chain)
程序员文章站
2022-07-12 14:19:55
I. Prepare three virtual machines
First, firewalld is turned off on all three machines.
1. test1, IP 192.168.10.11
2. test2, IP 192.168.10.12
   second IP 192.168.215.128 (host-only network)
3. test3, IP 192.168.215.129 (host-only network)
Note: test3 uses a static IP with its gateway set to 192.168.215.128 (test2's host-only address).
4. Start the httpd service on all three machines.
First, all three machines can ping each other (screenshots below).
[screenshot: ping output on test1]
[screenshot: ping output on test2]
[screenshot: ping output on test3]
At this point, however, 192.168.10.11 cannot be pinged from the test3 side, because test2 is not forwarding yet; forwarding on test2 needs to be switched on:
[aaa@qq.com ~]# cat /proc/sys/net/ipv4/ip_forward
0
[aaa@qq.com ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
Now the ping goes through. Writing to /proc changes the running kernel only; the setting is lost on reboot unless net.ipv4.ip_forward = 1 is also set through sysctl (in /etc/sysctl.conf or a file under /etc/sysctl.d/).
II. Set firewall rules
1. Configure test2: append a catch-all REJECT to the FORWARD chain
[aaa@qq.com ~]# iptables -A FORWARD -j REJECT
[aaa@qq.com ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Now test1 and test3 can no longer reach each other (ping fails).
2. Add rules on test2 so that traffic can get through again (here HTTP on port 80 from test1, plus the matching return traffic):
[aaa@qq.com html]# iptables -I FORWARD -p tcp -s 192.168.10.11 --dport 80 -j ACCEPT
[aaa@qq.com html]# iptables -I FORWARD -p tcp -d 192.168.10.11 --sport 80 -j ACCEPT
[aaa@qq.com html]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.10.11 tcp spt:80
ACCEPT tcp -- 192.168.10.11 0.0.0.0/0 tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Verification, from test1:
[aaa@qq.com html]# curl 192.168.215.129
This is a test of test3 ...
But test3 still cannot curl test1.
3. Configure the test2 firewall for the other direction, inserting the rules at positions 3 and 4 so they land before the catch-all REJECT:
[aaa@qq.com html]# iptables -I FORWARD 3 -p tcp -s 192.168.215.129 --dport 80 -j ACCEPT
[aaa@qq.com html]# iptables -I FORWARD 4 -p tcp -d 192.168.215.129 --sport 80 -j ACCEPT
[aaa@qq.com html]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.10.11 tcp spt:80
ACCEPT tcp -- 192.168.10.11 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.215.129 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.215.129 tcp spt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Verification: [screenshot not preserved]
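The reason step 3 inserts at positions 3 and 4 instead of appending is that iptables evaluates a chain top-down and stops at the first matching terminal target: an ACCEPT placed behind the catch-all REJECT can never fire. The following check, an added example that is not part of the original post, parses the FORWARD chain as printed by `iptables -nL` and reports any rule sitting after the catch-all. The three listings are constructed copies of the post's output (and of the broken variant you get with `-A`), so it runs without root and without iptables installed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the FORWARD chain listing
# produced by `iptables -nL`. Rules after the catch-all REJECT/DROP are dead code.

# Reads a listing on stdin. Exit 0 when the FORWARD chain ends in a catch-all
# REJECT/DROP with nothing after it; exit 1 (findings on stderr) otherwise.
audit_forward_chain() {
  awk '
    /^Chain /  { in_fwd = ($2 == "FORWARD"); next }   # chain header switches context
    !in_fwd    { next }
    /^target / { next }                               # column header line
    NF == 0    { next }
    {
      n++; rule[n] = $0
      # catch-all: any protocol, any source, any destination, no extra match module
      catchall = ($2 == "all" && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && (NF == 5 || $6 == "reject-with"))
      if (!terminal && catchall && ($1 == "REJECT" || $1 == "DROP")) terminal = n
    }
    END {
      if (!terminal) {
        print "FORWARD: no catch-all REJECT/DROP, the chain policy decides" > "/dev/stderr"
        exit 1
      }
      dead = 0
      for (i = terminal + 1; i <= n; i++) {
        print "FORWARD: rule " i " is unreachable (catch-all is rule " terminal "): " rule[i] > "/dev/stderr"
        dead++
      }
      exit (dead > 0)
    }'
}

# Constructed: the post's final ruleset (step 4), correctly ordered.
GOOD_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.10.11 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.215.129 0.0.0.0/0 tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Constructed: what step 3 would produce if its two rules were appended with -A
# instead of inserted at positions 3 and 4; the test3 rules sit behind the REJECT.
BAD_LISTING='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.10.11 tcp spt:80
ACCEPT tcp -- 192.168.10.11 0.0.0.0/0 tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.215.129 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.215.129 tcp spt:80'

# Constructed: the chain right after `iptables -F`, no terminal rule at all.
EMPTY_LISTING='Chain FORWARD (policy ACCEPT)
target prot opt source destination'

# On a live router replace the printf with:  iptables -nL | audit_forward_chain
for name in GOOD BAD EMPTY; do
  eval "listing=\$${name}_LISTING"
  if printf '%s\n' "$listing" | audit_forward_chain 2>/dev/null; then
    echo "$name: ordering ok"
  else
    echo "$name: problem found"
  fi
done
```

The check treats "no catch-all at all" as a finding too, because in that case the chain's policy decides what happens to unmatched packets, which on the post's setup (policy ACCEPT) means everything is forwarded.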
4. The state module: with it a rule no longer has to be added twice, once per direction. Its first rule accepts packets belonging to connections already allowed (ESTABLISHED) or related to them (RELATED), so only the direction that opens the connection needs an explicit rule.
Clear the existing rules:
[aaa@qq.com html]# iptables -F
[aaa@qq.com html]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This takes us back to test1 and test3 not being able to communicate.
Configure test2:
[aaa@qq.com html]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[aaa@qq.com html]# iptables -I FORWARD 2 -p tcp -s 192.168.10.11 --dport 80 -j ACCEPT
[aaa@qq.com html]# iptables -I FORWARD 3 -p tcp -s 192.168.215.129 --dport 80 -j ACCEPT
[aaa@qq.com html]# iptables -A FORWARD -j REJECT
[aaa@qq.com html]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.10.11 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.215.129 0.0.0.0/0 tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Verification:
From test1:
[aaa@qq.com html]# curl 192.168.215.129
This is a test of test3 ...
From test3: [screenshot not preserved]
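The step-4 ruleset was built interactively with `-I` and `-A`, which works in a lab but is neither atomic nor persistent. The script below is an added example, not code from the original post: it renders the same ruleset in iptables-restore format, makes the ip_forward switch from part I persistent through a sysctl drop-in, and loads everything in one `iptables-restore` call. Three things go beyond the post's rules and are this example's own choices: the FORWARD policy is DROP so that a flushed chain fails closed, INVALID-state packets are dropped, and the per-host port-80 rules carry `--state NEW` so they match only connection openers. The file paths /etc/iptables/forward.rules and /etc/sysctl.d/99-ipforward.conf are assumptions; the host addresses are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: the step-4 FORWARD ruleset as an
# iptables-restore file plus a persistent ip_forward setting.

WEB_CLIENTS="${WEB_CLIENTS:-192.168.10.11 192.168.215.129}"    # hosts allowed to open TCP/80 through test2 (post's lab)
RULES_FILE="${RULES_FILE:-/etc/iptables/forward.rules}"       # assumed path
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-ipforward.conf}" # assumed path

# Print the ruleset in iptables-restore format. Order matters: the state rule first
# (it matches the bulk of packets and the return half of every allowed flow), then
# the per-host openers, then the catch-all REJECT. Policy DROP means that even an
# `iptables -F` leaves the router closed instead of forwarding everything.
render_forward_rules() {
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A FORWARD -m state --state INVALID -j DROP'
  for host in $WEB_CLIENTS; do
    echo "-A FORWARD -p tcp -s $host --dport 80 -m state --state NEW -j ACCEPT"
  done
  echo '-A FORWARD -j REJECT --reject-with icmp-port-unreachable'
  echo 'COMMIT'
}

# Number of FORWARD rules the rendered ruleset contains.
count_forward_rules() { render_forward_rules | grep -c '^-A FORWARD'; }

# Apply on the router: write the sysctl drop-in, switch forwarding on now,
# save the ruleset and load it atomically. Needs root.
apply_forward_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_forward_rules: needs root" >&2; return 1; }
  printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_FILE"   # survives reboot (sysctl --system)
  sysctl -w net.ipv4.ip_forward=1 >/dev/null             # same effect as the echo to /proc
  render_forward_rules > "$RULES_FILE"
  iptables-restore < "$RULES_FILE"
}

# Default action prints the ruleset for review; `apply` loads it.
case "${1:-show}" in
  apply) apply_forward_rules ;;
  *)     render_forward_rules ;;
esac
```

Run it without arguments on any machine to review the generated file; run `./forward.sh apply` as root on test2 to load it. Because the ruleset is rendered from one list of client addresses, adding a fourth machine is a one-word change rather than two more `-I FORWARD n` commands whose positions have to be worked out by hand.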