Linux下主机充当防火墙的巧妙应用之iptables(3)

二、基本配置及概念理解

1. 配置SNAT允许内网访问外网

[root@gjp99 ~]# iptables  -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j MASQUERADE

[root@gjp99 ~]# iptables -L  -t nat  -n     --line-number   查看
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
num  target         prot opt    source               destination        
1    MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0          

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination 

2.客户机测试能否正常访问internet网？

客户机ip：192.168.2.1/24  网关：192.168.2.254  DNS:222.88.88.88

 

C:\Documents and Settings\Administrator>ping 192.168.101.254

Pinging 192.168.101.254 with 32 bytes of data:

Reply from 192.168.101.254: bytes=32 time=3ms TTL=63
Reply from 192.168.101.254: bytes=32 time=1ms TTL=63

C:\Documents and Settings\Administrator>ftp 192.168.101.6 //ftp无法正常访问
Connected to 192.168.101.6.
220 Microsoft FTP Service
User (192.168.101.6:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

2.对input  、output 及FORWARD的理解

[root@gjp99 ~]# iptables -L –n             //  默认接受，防火墙默认拒绝
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

以防ssh掉线，先把ssh添加进来！

[root@gjp99 ~]# iptables -A INPUT -s 192.168.2.2 -p tcp --dport 22 -j ACCEPT
[root@gjp99 ~]# iptables -P INPUT DROP   //由于把ssh先添加过来，所以没有出现中断

[root@gjp99 ~]# iptables -L -v -n
Chain INPUT (policy DROP 1 packets, 229 bytes)
pkts bytes target     prot opt in     out     source               destination        
   93  6340 ACCEPT     tcp  --  *      *       192.168.2.2          0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 51 packets, 2866 bytes)
pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 1036 packets, 97752 bytes)
pkts bytes target     prot opt in     out     source               destination

观察由于INPUT需要OUTPUT的响应，所以，input一旦DROP,现在内网是无法ping通网关的！

C:\Documents and Settings\Administrator>ping 192.168.2.254

Pinging 192.168.2.254 with 32 bytes of data:

Request timed out.
Request timed out.

OUTPUT 的响应指向ssh的源ip

[root@gjp99 ~]# iptables -A OUTPUT -d 192.168.2.2 -p tcp --sport 22 -j ACCEPT
[root@gjp99 ~]# iptables -P OUTPUT DROP

[root@gjp99 ~]# iptables -L -n --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  192.168.2.2          0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.2.2         tcp spt:22

INPUT 与 OUTPUT 的状态不影响内部主机上网

C:\Documents and Settings\Administrator>ping IP

Pinging [119.75.218.77] with 32 bytes of data:

Reply from 119.75.218.77: bytes=32 time=40ms TTL=55
Reply from 119.75.218.77: bytes=32 time=38ms TTL=55

上网穿越的是FORWARD,所以，一旦FORWARD被拒绝掉，则内网与外网无法通信！

[root@gjp99 ~]# iptables -P FORWARD DROP 

C:\Documents and Settings\Administrator>ping
Ping request could not find host Please check the name and try again.

客户机已无法上网！为了安全，还是默认拒绝为好！