Firewalls come in two kinds: packet filtering and application-layer. For fewer than 200 users, a packet-filtering firewall with 128 MB of memory is enough.
Firewall structures: single-host firewall, gateway firewall, transparent firewall.
Gateway firewall with a DMZ.
Improved DMZ gateway firewall: adds NAT.
Transparent firewall (next-generation firewall): works as a network bridge.
Core firewall tables: filter, nat, mangle, raw.
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT
INPUT = packets entering this host; OUTPUT = packets leaving this host; FORWARD = packets passing through (routed). Rules in a chain are checked top to bottom and the first match wins.
iptables -L   # list rules
iptables -F   # clear (flush) rules
iptables -A   # append a new rule
iptables -I   # insert a new rule
iptables -R   # replace an existing rule
iptables -D   # delete an existing rule
Select a table with -t: iptables -t filter, iptables -t nat, iptables -t mangle, iptables -t raw
iptables -t filter -L INPUT
iptables -t filter -F
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -P FORWARD DROP              # default policy: do not forward
iptables -t filter -I INPUT 2 -p tcp -j ACCEPT  # insert as rule 2
iptables -t filter -R INPUT 2 -p tcp -j ACCEPT  # rule 2 is replaced
iptables -t filter -D INPUT 2                   # delete rule 2
iptables -A INPUT -p icmp -s <ip> -j DROP       # drop ICMP from that source address into this host
Targets: DROP, ACCEPT, REJECT
iptables -A INPUT -p all -s 192.168.1.0/24 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP   # block HTTP coming in on eth1 and going out through eth0
Single-host firewall example (INPUT chain, shell script)
Packet states: ESTABLISHED, NEW, RELATED, INVALID
Gateway firewall filter rules; simple gateway firewall shell script
NAT setup:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.1.0.200
If the public IP is not fixed, use MASQUERADE:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
Many-to-many NAT:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.1.0.200-10.1.0.205
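A worked example, added here and not part of the original notes: a shell script that installs the gateway-firewall rule set described above (stateful filter rules plus SNAT when the public IP is fixed, MASQUERADE when it is not). The interface names, the LAN subnet and the DRY_RUN preview switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): the gateway firewall described above,
# stateful filter rules plus SNAT/MASQUERADE. Assumed topology: eth1 = LAN
# (192.168.0.0/24), eth0 = WAN. A fixed public IP is passed as an argument.
IPT=${IPT:-iptables}
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.0.0/24

# Run a rule, or only print it when DRY_RUN=1 (preview before touching the host).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# gateway_rules [PUBLIC_IP]: fixed public IP -> SNAT, no argument -> MASQUERADE
gateway_rules() {
    public_ip=$1
    run -t filter -F
    run -t nat -F
    # Default policies: nothing in or through unless a rule allows it
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin services accepted from the LAN side only (new SYN, multiport)
    run -A INPUT -i "$LAN_IF" -p tcp --syn -m state --state NEW \
        -m multiport --dports 21,22,23 -j ACCEPT
    # ICMP: 6 per minute with a burst of 10, anything above that is dropped
    run -A INPUT -p icmp -m limit --limit 6/m --limit-burst 10 -j ACCEPT
    run -A INPUT -p icmp -j DROP
    # Forwarding: the LAN may open connections outward; replies flow back
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    if [ -n "$public_ip" ]; then
        run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$public_ip"
    else
        run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    fi
}

# Number of -A rules a given configuration installs (sanity check on the preview)
rule_count() { DRY_RUN=1 gateway_rules "$1" | grep -c ' -A '; }

# Apply for real (as root): sh gateway.sh --apply 10.1.0.200
if [ "${1:-}" = "--apply" ]; then gateway_rules "$2"; fi
```

Preview the rules without changing anything with `DRY_RUN=1 gateway_rules 10.1.0.200`; the only difference between the fixed-IP and dynamic-IP variants is the POSTROUTING target.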
Block everyone from accessing www.playboy.com:
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d www.playboy.com -j DROP
(A hostname given to -d is resolved once, when the rule is added; if the site has several addresses or changes them later, only the addresses returned at that moment are covered.)
iptables -A INPUT -p icmp -j DROP
--tcp-flags: match on the TCP flag bits
--mac-source: match on the source MAC address (-m mac)
multiport: match several ports in one rule
iptables -A INPUT -p tcp --syn -m state --state NEW -m multiport --dports 21,22,23,99 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
owner: match on the local process owner, e.g. -m owner --uid-owner jacky
-m iprange --src-range 192.0.1-192.0.64
iprange options: --src-range, --dst-range
-m ttl --ttl-eq 64   # match packets whose TTL is 64
pkttype: match by packet type (unicast, broadcast, multicast)
MTU / packet length: -m length --length
limit: limit the number of packets
iptables -A INPUT -p icmp -m limit --limit 6/m --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
recent: show the number of ssh password attempts
https://www.cnblogs.com/hiloves/archive/2011/07/19/2109899.html
recent: limit new connections to port 80 to 10 within the window; beyond that, log and drop
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix 'DDOS:' --log-ip-options
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --set -j ACCEPT   # --rcheck only reads the list; this --set rule records each new SYN so the two rules above can ever fire
More on recent: http://www.path8.net/tn/archives/5867
string: filter on packet payload content (-m string)
connlimit: limit the number of concurrent connections (-m connlimit)
connbytes: limit the amount transferred per connection (-m connbytes)
quota: allow only 500 MB of downloads per day (-m quota)
time: set the time period during which a rule is active (-m time)
conntrack: an enhanced version of state (-m conntrack --ctstate)
statistic: match packets statistically, every nth packet or by probability (-m statistic)
hashlimit: like limit, but with a separate rate per source/destination address or port (-m hashlimit)
u32: match arbitrary bytes at arbitrary offsets in the packet (-m u32)
Custom user chains (iptables -N <chain>)
REJECT with a custom error message: -j REJECT --reject-with <type>
-j LOG: log matched packets (tag them with --log-prefix)