Linux filter table: packet filtering and forwarding control

xiaoxiao  2022-07-07  196

    2.filter过滤和转发控制 问题 本案例要求熟悉filter表的过滤和转发控制,练习以下操作: 利用ip_forward机制实现Linux路由/网关功能 针对Linux主机进行出站、入站控制 在Linux网关上实现数据包转发访问控制 方案 采用三台RHEL6虚拟机svr5、gw1、pc120,如图-2所示。其中,虚拟机svr5作为局域网络的测试机,接入NAT网络(virbr0);虚拟机pc120作为Internet的测试机,接入隔离网络(virbr1);虚拟机gw1作为网关/路由器,配置eth0、eth1两块网卡,分别接入两个网络virbr0、virbr1。 图-2 对于管理员来说,局域网客户机应该将默认网关指向本公司接入Internet的路由器的地址,即本例中的Linux网关;而Internet中各种客户机的默认网关却是未知的。因此,除了按照上述环境配好接口IP地址以外,内网测试机svr5还需要将默认网关指向Linux网关的内网接口192.168.4.1: [root@svr5 ~]# route -n | grep UG 0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 eth0 步骤 实现此案例需要按照如下步骤进行。 步骤一:调整路由转发环境 本案例用到了192.168.4.0/24、174.16.16.0/24两个网段,若希望将Linux网关作为路由器使用,使两个网段互通,路由方面首先要解决以下两个问题: 为192.168.4.0/24网段的客户机添加到174.16.16.0/24网段的路由 为174.16.16.0/24网段的客户机添加到192.168.4.0/24网段的路由 其中,内网测试机svr5已经设置好默认网关,因此第一个问题解决;而第二个问题,只要为外网测试机pc120也添加默认网关(或者具体的静态路由)即可: [root@pc205 ~]# route add default gw 174.16.16.1 [root@pc205 ~]# route -n | grep UG 0.0.0.0 174.16.16.1 0.0.0.0 UG 0 0 0 eth0 步骤二:利用ip_forward机制实现Linux路由/网关功能 1) 开启路由之前,内外网无法互通 在主机svr5上ping主机pc120,丢包率100%: [root@svr5 ~]# ping -c4 -W2174.16.16.120 ping: bad linger time. [root@svr5 ~]# ping -c4 -W2 174.16.16.120 PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.

    — 174.16.16.120 ping statistics — 4 packets transmitted, 0 received, 100% packet loss, time 5002ms

    [root@svr5 ~]# 在主机pc120上ping主机svr5,丢包率100%: [root@pc205 ~]# ping -c4 -W2 192.168.4.5 PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data.

    — 192.168.4.5 ping statistics — 4 packets transmitted, 0 received, 100% packet loss, time 5002ms

    [root@pc205 ~]# 2)开启Linux网关的路由转发功能 使用sysctl可以直接修改运行中的ip_forward参数: [root@gw1 ~]# sysctl -a | grep ip_forward net.ipv4.ip_forward = 0 //默认未开启

    [root@gw1 ~]# sysctl -w net.ipv4.ip_forward=1 //开启转发功能 net.ipv4.ip_forward = 1 若希望固定此配置,推荐修改/etc/sysctl.conf配置文件: [root@svr5 ~]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1 //查找更改为此行

    [root@svr5 ~]# sysctl -p //更新配置 net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 1 3) 开启路由之后,内外网可以互通 在主机svr5上ping主机pc120,正常获得响应: [root@svr5 ~]# ping -c4 -W2 174.16.16.120 PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data. 64 bytes from 174.16.16.120: icmp_seq=1 ttl=63 time=1.60 ms 64 bytes from 174.16.16.120: icmp_seq=2 ttl=63 time=0.608 ms 64 bytes from 174.16.16.120: icmp_seq=3 ttl=63 time=0.587 ms 64 bytes from 174.16.16.120: icmp_seq=4 ttl=63 time=1.10 ms

    — 174.16.16.120 ping statistics — 4 packets transmitted, 4 received, 0% packet loss, time 3005ms rtt min/avg/max/mdev = 0.587/0.975/1.606/0.419 ms [root@svr5 ~]# 在主机pc120上ping主机svr5,正常获得响应: [root@pc205 ~]# ping -c4 -W2 192.168.4.5 PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data. 64 bytes from 192.168.4.5: icmp_seq=1 ttl=63 time=0.802 ms 64 bytes from 192.168.4.5: icmp_seq=2 ttl=63 time=0.867 ms 64 bytes from 192.168.4.5: icmp_seq=3 ttl=63 time=1.13 ms 64 bytes from 192.168.4.5: icmp_seq=4 ttl=63 time=2.10 ms

    — 192.168.4.5 ping statistics — 4 packets transmitted, 4 received, 0% packet loss, time 3008ms rtt min/avg/max/mdev = 0.802/1.226/2.107/0.524 ms 步骤三:防火墙filter表的出站、入站访问控制 1)在网关gw1上限制ping测试(允许ping别人,禁止别人ping自己) 丢弃进来的ping请求包、允许进来的各种ping应答包(非请求包) [root@gw1 ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP [root@gw1 ~]# iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT 或者,允许出去的ping请求包、丢弃出去的各种ping应答包(非请求包) [root@gw1 ~]# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT [root@gw1 ~]# iptables -A OUTPUT -p icmp ! --icmp-type echo-request -j DROP 2)验证ping限制效果 在网关gw1上ping主机pc120,可以ping通: [root@gw1 ~]# ping -c4 -W2 174.16.16.120 PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data. 64 bytes from 174.16.16.120: icmp_seq=1 ttl=64 time=2.32 ms 64 bytes from 174.16.16.120: icmp_seq=2 ttl=64 time=0.226 ms 64 bytes from 174.16.16.120: icmp_seq=3 ttl=64 time=0.583 ms 64 bytes from 174.16.16.120: icmp_seq=4 ttl=64 time=0.239 ms

    — 174.16.16.120 ping statistics — 4 packets transmitted, 4 received, 0% packet loss, time 3002ms rtt min/avg/max/mdev = 0.226/0.844/2.328/0.868 ms 在主机pc205上ping网关gw1,丢包率为100%,实际上被防火墙封堵了: [root@pc205 ~]# ping -c4 -W2 174.16.16.1 PING 174.16.16.1 (174.16.16.1) 56(84) bytes of data.

    — 174.16.16.1 ping statistics — 4 packets transmitted, 0 received, 100% packet loss, time 5001ms

    [root@pc205 ~]# 3)针对网关gw1上的FTP服务做访问控制 快速安装、启用vsftpd服务: [root@gw1 ~]# yum -y install vsftpd … … [root@gw1 ~]# service vsftpd restart … … 禁止从主机pc120访问本机的FTP服务: [root@gw1 ~]# iptables -A INPUT -s 174.16.16.120 -p tcp --dport 20:21 -j DROP [root@gw1 ~]# iptables -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp – 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp – 0.0.0.0/0 0.0.0.0/0 icmp !type 8 DROP tcp – 174.16.16.120 0.0.0.0/0 tcp dpts:20:21 4)测试FTP访问控制效果 在被封堵的主机pc120上,访问gw1的FTP服务将会失败: [root@pc205 ~]# ftp 174.16.16.1 ftp: connect: 连接超时 ftp> quit [root@pc205 ~]# 在其他主机(比如svr5)上,可以正常访问gw1的FTP服务: [root@svr5 ~]# ftp 174.16.16.1 Connected to 174.16.16.1 (174.16.16.1). 220 (vsFTPd 2.2.2) Name (174.16.16.1:root): ftp 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> quit 221 Goodbye. [root@svr5 ~]# 步骤四:防火墙filter表的转发访问控制 1)INPUT、OUTPUT链对转发数据包不起作用 根据步骤三在gw1上设置的防火墙规则: [root@gw1 ~]# iptables -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp – 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp – 0.0.0.0/0 0.0.0.0/0 icmp !type 8 DROP tcp – 174.16.16.120 0.0.0.0/0 tcp dpts:20:21 其他主机ping网关gw1会被拒绝,但是经过防火墙ping其他主机不受影响。比如从主机pc120上ping主机svr5是可以的: [root@pc205 ~]# ping -c4 -W2 174.16.16.1 //入站ping测试被拒 PING 174.16.16.1 (174.16.16.1) 56(84) bytes of data.

    — 174.16.16.1 ping statistics — 4 packets transmitted, 0 received, 100% packet loss, time 5002ms

    [root@pc205 ~]# ping -c4 -W2 192.168.4.5 //转发ping测试允许 PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data. 64 bytes from 192.168.4.5: icmp_seq=1 ttl=63 time=0.520 ms 64 bytes from 192.168.4.5: icmp_seq=2 ttl=63 time=0.919 ms 64 bytes from 192.168.4.5: icmp_seq=3 ttl=63 time=0.650 ms 64 bytes from 192.168.4.5: icmp_seq=4 ttl=63 time=1.97 ms

    — 192.168.4.5 ping statistics — 4 packets transmitted, 4 received, 0% packet loss, time 3007ms rtt min/avg/max/mdev = 0.520/1.014/1.970/0.571 ms [root@pc205 ~]# 2)在网关gw1上设置转发限制 禁止转发来自或发往网段174.16.16.0/24的ping测试包: [root@gw1 ~]# iptables -A FORWARD -p icmp -s 174.16.16.0/24 -j DROP [root@gw1 ~]# iptables -A FORWARD -p icmp -d 174.16.16.0/24 -j DROP 确认当前防火墙规则: [root@gw1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP icmp – 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp – 0.0.0.0/0 0.0.0.0/0 icmp !type 8 DROP tcp – 174.16.16.120 0.0.0.0/0 tcp dpts:20:21

    Chain FORWARD (policy ACCEPT) target prot opt source destination DROP icmp – 174.16.16.0/24 0.0.0.0/0 DROP icmp – 0.0.0.0/0 174.16.16.0/24

    Chain OUTPUT (policy ACCEPT) target prot opt source destination 3)测试ping转发限制效果 在主机svr5上ping主机pc120,对gw1来说属于转发(FORWARD),因此被拒绝: [root@svr5 ~]# ping -c4 -W2 174.16.16.120 PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data.

    — 174.16.16.120 ping statistics — 4 packets transmitted, 0 received, 100% packet loss, time 5001ms

    [root@svr5 ~]# 在主机gw1上ping主机svr5,这个对gw1来说属于出站(OUTPUT),不受限制: [root@gw1 ~]# ping -c4 -W2 174.16.16.120 PING 174.16.16.120 (174.16.16.120) 56(84) bytes of data. 64 bytes from 174.16.16.120: icmp_seq=1 ttl=64 time=0.602 ms 64 bytes from 174.16.16.120: icmp_seq=2 ttl=64 time=0.426 ms 64 bytes from 174.16.16.120: icmp_seq=3 ttl=64 time=0.517 ms 64 bytes from 174.16.16.120: icmp_seq=4 ttl=64 time=0.507 ms

    — 174.16.16.120 ping statistics — 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 0.426/0.513/0.602/0.062 ms [root@gw1 ~]#
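The lab applies its rules one iptables command at a time, onto chains whose policy is ACCEPT, and enables forwarding before any FORWARD rule exists. The script below is an added example, not part of the original lab, showing how the same policies from steps two through four are put together on a gateway that is meant to stay up: the whole filter table is loaded atomically with iptables-restore, INPUT and FORWARD default to DROP, connection tracking sits ahead of the per-protocol rules so the gateway's own pings and existing sessions keep working, the FTP rule matches only the control port, /etc/sysctl.conf is edited idempotently, and ip_forward is switched on only after the FORWARD policy has been verified as DROP. Addresses and host roles are the lab's own; that eth0 faces 192.168.4.0/24 and eth1 faces 174.16.16.0/24, and the SSH-from-LAN rule, are assumptions. The helper functions take their input as arguments so they can be exercised without root.

```shell
#!/bin/sh
# Added example for the gw1 lab, not the page's own configuration.
# Without arguments it only defines functions; "apply" (as root, on the
# gateway) loads the rules, saves them for boot and then enables forwarding.
# Assumes RHEL6-style tooling: GNU sed, iptables >= 1.4.6 (-S), service iptables save.

LAN_IF=eth0                      # assumption: LAN side, 192.168.4.1
WAN_IF=eth1                      # assumption: "Internet" side, 174.16.16.1
LAN_NET=192.168.4.0/24
WAN_NET=174.16.16.0/24
BLOCKED_FTP_CLIENT=174.16.16.120

# Print the filter table in iptables-restore format. Chains are evaluated top
# to bottom, first match wins: ESTABLISHED,RELATED comes first, the specific
# FTP DROP precedes the general FTP ACCEPT, and the FORWARD policy is DROP.
gw1_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s $BLOCKED_FTP_CLIENT -p tcp --dport 21 -j DROP
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -s $WAN_NET -j DROP
-A FORWARD -p icmp -d $WAN_NET -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# 1-based line number of the first line of ruleset text $1 containing the
# fixed string $2; empty when absent.
rule_line() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Succeed when rule $2 appears before rule $3 in ruleset text $1: a cheap
# guard against a specific DROP having been appended behind the ACCEPT it
# was meant to override.
rule_before() {
    a=$(rule_line "$1" "$2"); b=$(rule_line "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Succeed when the output of `iptables -S FORWARD` ($1) shows a DROP policy.
forward_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$'
}

# Set "key = value" in a sysctl.conf-style file ($1) idempotently: replace an
# existing line for key $2, otherwise append one.
set_sysctl_line() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*$key_re[[:space:]]*=" "$1"; then
        sed -i "s|^[[:space:]]*$key_re[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Value of key $2 in file $1; the last line wins, as with sysctl -p.
get_sysctl_line() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "^[[:space:]]*$key_re[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Rules first, persistence second, forwarding last.
apply_gw1() {
    rules=$(gw1_filter_rules)
    rule_before "$rules" "--dport 21 -j DROP" "--dport 21 -m state --state NEW -j ACCEPT" || {
        echo "FTP rules are in the wrong order, refusing to load" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore || return 1
    service iptables save || return 1        # writes /etc/sysconfig/iptables
    forward_policy_is_drop "$(iptables -S FORWARD)" || {
        echo "FORWARD policy is not DROP, not enabling ip_forward" >&2; return 1; }
    set_sysctl_line /etc/sysctl.conf net.ipv4.ip_forward 1
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "apply" ]; then
    apply_gw1
fi
```

Two behavioural differences from the lab follow from the DROP policies. With no NAT and FORWARD at DROP, pc120 can no longer open connections into 192.168.4.0/24 at all; only svr5's outbound sessions and their return traffic cross the gateway, which is the usual stance for an Internet-facing router. And passive-mode FTP data connections to gw1 only pass the ESTABLISHED,RELATED rule if the FTP connection-tracking helper is loaded (on RHEL6, nf_conntrack_ftp, listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config); active mode needs no helper, since the server initiates that connection itself through the ACCEPT policy on OUTPUT.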
