What is iptables (from Wikipedia)
iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.
Diagram of how iptables' built-in tables and chains relate to each other (from Vbird): (http://linux.vbird.org/linux_server/0250simple_firewall.php#netfilter)

Environment
- Debian 10, IP address 10.225.99.76/16
- Windows 10, IP address 10.225.99.49/16
- iptables v1.8.2 (on Debian 10 this is the nftables-backed build by default; iptables -V reports "(nf_tables)", and the legacy build can be selected with update-alternatives --config iptables)
Basic usage of the iptables command
root@YoungDebian:~# iptables --help
List the rules of a table (add -n to skip reverse DNS lookups and -v to see packet counters):
iptables -t tablename -L
iptables -t nat -L
Delete a rule from a chain of a table:
iptables -t tablename -L --line-numbers    # show rule numbers so a specific rule can be deleted
iptables -t tablename -D chainname rulenumber
iptables -t nat -D POSTROUTING 1
The numbers are recomputed after every deletion, so when removing several rules in one go delete the highest-numbered one first.
Stop others from pinging this host
DROP discards the packet silently, so the sender gets no reply at all, whereas REJECT refuses it explicitly by sending an ICMP error back (port-unreachable unless --reject-with says otherwise).
No response:
root@YoungDebian:/usr/bin# iptables -t filter -A INPUT -p icmp -j DROP
Shows "unreachable":
root@YoungDebian:/usr/bin# iptables -t filter -A INPUT -p icmp -j REJECT
Note that -p icmp on its own matches every ICMP type, including the error messages that path-MTU discovery and TCP rely on; to block only pings, add --icmp-type echo-request to the rule.

Allow SSH to the host only from one IP range:
Add rules to the filter table that match on specific attributes of the packet.
Note that a rule appended (-A) later has lower priority than one appended earlier: the chain is walked from the top and the first rule whose target is terminating (ACCEPT, DROP, REJECT) decides the packet's fate, so the ACCEPT for the trusted range must go in before the catch-all REJECT. Also note that iptables masks the host bits off, so -s 10.225.99.49/16 matches the whole 10.225.0.0/16 network, not just the Windows machine. Apply the rules from the console or from a session that originates inside the allowed range; the second rule has no state match, so it also cuts an already established session from outside the range.
root@YoungDebian:/usr/bin# iptables -t filter -A INPUT -s 10.225.99.49/16 -p tcp --dport 22 -j ACCEPT
root@YoungDebian:/usr/bin# iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT
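The two rules above, turned into a complete default-deny INPUT policy, as an added example (this script is not code from the original post). It assumes the conntrack match module is available (it is on Debian 10), prints the commands instead of running them unless DRY_RUN=0 is set, and writes the range as 10.225.0.0/16 because that is what iptables stores for -s 10.225.99.49/16. The ordering of the steps is the point: state tracking and the trusted ACCEPT go in first, the REJECT after them, and the DROP policy last, so that the session used to install the rules is never cut.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's two SSH rules
# turned into a complete default-deny INPUT policy that cannot lock the
# administrator out. Prints the commands instead of running them unless
# DRY_RUN=0. The 10.225.0.0/16 range is the post's subnet with the host
# bits masked off, as iptables itself does with "-s 10.225.99.49/16".
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# ssh_policy <trusted-cidr> [port]
ssh_policy() {
    net=$1
    port=${2:-22}
    # 1. Replies to connections already accepted (including the session used
    #    to type these commands) keep flowing; without this line a DROP
    #    policy cuts the current SSH session the moment it is set.
    run -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -t filter -A INPUT -i lo -j ACCEPT
    # 2. New SSH connections only from the trusted range. -A appends, and the
    #    first rule with a terminating target wins, so this ACCEPT must be
    #    appended before the REJECT that follows.
    run -t filter -A INPUT -p tcp -s "$net" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    # 3. Everyone else gets an immediate TCP RST rather than a silent timeout.
    run -t filter -A INPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    # 4. The default policy flips to DROP last, after every ACCEPT is in
    #    place, so there is no window in which the host is unreachable.
    run -t filter -P INPUT DROP
}

# Sanity check on the generated rule list (always evaluated in dry-run mode):
# the trusted-range ACCEPT must come before the catch-all REJECT, otherwise
# nobody could log in. Returns 0 when the order is right.
check_order() {
    rules=$( DRY_RUN=1; ssh_policy "$@" )
    accept=$(printf '%s\n' "$rules" | grep -n -- '--dport .* -j ACCEPT' | head -n 1 | cut -d: -f1)
    reject=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

# Dry run: sh ssh_policy.sh [cidr]     Apply as root: DRY_RUN=0 sh ssh_policy.sh
ssh_policy "${1:-10.225.0.0/16}"
```

Run it once without DRY_RUN=0 to review the exact rule list, then again as root to apply it; iptables -t filter -S INPUT afterwards should show the rules in the same order the script printed them.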
Building SNAT with iptables so that a netns can reach the network
A network namespace (netns) is used to simulate a machine on a private subnet that shares one public IP through NAT.
Topology:
Enable IPv4 packet forwarding on the host:
root@YoungDebian:/# nano /etc/sysctl.conf    # set net.ipv4.ip_forward=1
root@YoungDebian:/# sysctl -p
Add a POSTROUTING rule (SNAT):
root@YoungDebian:/# iptables -t nat -A POSTROUTING -s 10.0.0.2 -o ens33 -j SNAT --to 10.225.99.76
root@YoungDebian:/# ip netns exec net1 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=4.13 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=6.51 ms
^C
--- 8.8.8.8 ping statistics ---
The MASQUERADE target can be used instead. It is a dynamic form of SNAT that picks the current address of the outgoing interface for each connection, which is what you want when the public address changes, for example on an ADSL line that is handed a dynamic public IP. The dynamic mapping is set up as follows:
root@YoungDebian:/# iptables -t nat -A POSTROUTING -s 10.0.0.2 -o ens33 -j MASQUERADE
Changing a service's port with DNAT (SSH as the example)
Use DNAT in the PREROUTING chain to map port 22023 on the host to port 22.
iptables -t nat -A PREROUTING -p tcp -d 10.225.99.76 --dport 22023 -j DNAT --to 10.225.99.76:22
C:\Users\24743>ssh -p 22023 aozy@10.225.99.76
This adds an alias rather than moving the service: sshd still listens on 22, so port 22 stays reachable unless the filter table blocks it. For a rewrite to a port on the same host the REDIRECT target (-j REDIRECT --to-ports 22) does the same job without naming the address, and because locally generated packets bypass PREROUTING, a client running on the host itself would need the same rule in the nat table's OUTPUT chain.
Running the service inside the netns (ssh as the example)
The topology is as follows:

Forward packets arriving at host port 22023 to port 22 on the netns interface:
root@YoungDebian:/# iptables -t nat -A PREROUTING -p tcp -d 10.225.99.76 --dport 22023 -j DNAT --to 10.0.0.2:22
Stop sshd on the host and start one inside the netns. systemd is a daemon running in the host's namespace and has no netns integration, so the service cannot be started inside the namespace with systemctl; sshd has to be launched directly (by absolute path, which sshd requires in order to re-execute itself):
root@YoungDebian:/# systemctl stop sshd
root@YoungDebian:/# ip netns exec net1 /usr/sbin/sshd
Note: if this fails with "Missing privilege separation directory: /run/sshd", create the directory with mkdir /run/sshd and retry. Debian's ssh.service declares /run/sshd as its RuntimeDirectory, so systemd removes the directory when the service is stopped.
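The SNAT, MASQUERADE and DNAT steps of the last three sections, assembled into one reproducible script as an added example that is not code from the original post. Because the post's topology diagrams are not reproduced here, the script assumes a veth pair veth0 (host side, 10.0.0.1/24) and veth1 (inside net1, 10.0.0.2/24), with the uplink ens33 holding 10.225.99.76; the interface names and addresses are assumptions, and sshd is assumed to be started in the namespace with ip netns exec net1 /usr/sbin/sshd. It also adds the FORWARD-chain and nat OUTPUT-chain rules that the post leaves implicit, and prints the commands instead of running them unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not code from the original post. It rebuilds the post's
# netns NAT lab end to end: the namespace and veth pair, forwarding, outbound
# SNAT/MASQUERADE, and the DNAT that publishes the namespace's sshd on the
# host. It prints the commands instead of running them unless DRY_RUN=0, so
# it can be reviewed on any machine before being applied as root.
# Assumed topology (the post's diagram is not reproduced here):
#   ens33 10.225.99.76/16 = host uplink
#   veth0 10.0.0.1/24 on the host <-> veth1 10.0.0.2/24 inside netns "net1"
DRY_RUN=${DRY_RUN:-1}
NS=${NS:-net1}
UPLINK=${UPLINK:-ens33}
PUBLIC_IP=${PUBLIC_IP:-10.225.99.76}
NS_IP=10.0.0.2
GW_IP=10.0.0.1

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Namespace, veth pair and routing. The namespace's default route points at
# the host end of the veth, so the host becomes its NAT gateway.
lab_create() {
    run ip netns add "$NS"
    run ip link add veth0 type veth peer name veth1
    run ip link set veth1 netns "$NS"
    run ip addr add "$GW_IP/24" dev veth0
    run ip link set veth0 up
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev veth1
    run ip netns exec "$NS" ip link set veth1 up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$GW_IP"
    # Forwarding is off on a stock Debian host; without it forwarded packets
    # never reach the FORWARD chain and no NAT rule can help.
    run sysctl -w net.ipv4.ip_forward=1
    # Stock Debian has FORWARD policy ACCEPT, but a host that also runs
    # Docker has it set to DROP; stateful rules make the lab work either way.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Outbound NAT. SNAT pins one public address; MASQUERADE re-reads the
# outgoing interface's address per connection, which is what you want on a
# DHCP or ADSL uplink whose address changes. Mode is "snat" or "masquerade".
nat_out() {
    mode=${1:-masquerade}
    run iptables -A FORWARD -i veth0 -o "$UPLINK" -s "$NS_IP" -m conntrack --ctstate NEW -j ACCEPT
    case $mode in
        snat) run iptables -t nat -A POSTROUTING -s "$NS_IP" -o "$UPLINK" -j SNAT --to-source "$PUBLIC_IP" ;;
        masquerade) run iptables -t nat -A POSTROUTING -s "$NS_IP" -o "$UPLINK" -j MASQUERADE ;;
        *) echo "nat_out: unknown mode '$mode' (use snat or masquerade)" >&2; return 1 ;;
    esac
}

# Publish the namespace's sshd as $PUBLIC_IP:$port.
publish_ssh() {
    port=${1:-22023}
    # PREROUTING only sees packets arriving from the network ...
    run iptables -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport "$port" -j DNAT --to-destination "$NS_IP:22"
    # ... so a client running on the host itself needs the same rule in OUTPUT.
    run iptables -t nat -A OUTPUT -p tcp -d "$PUBLIC_IP" --dport "$port" -j DNAT --to-destination "$NS_IP:22"
    # After DNAT the packet is forwarded, so FORWARD must admit the new flow.
    run iptables -A FORWARD -i "$UPLINK" -o veth0 -p tcp -d "$NS_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # systemd lives in the host namespace, so sshd is started by hand; the
    # absolute path is mandatory because sshd re-executes itself.
    run mkdir -p /run/sshd
    run ip netns exec "$NS" /usr/sbin/sshd
}

# Dry run: sh nat_lab.sh          Apply as root: DRY_RUN=0 sh nat_lab.sh
lab_create
nat_out "${NAT_MODE:-masquerade}"
publish_ssh 22023
```

After applying it as root, ip netns exec net1 ping -c 2 8.8.8.8 checks the outbound half and ssh -p 22023 user@10.225.99.76 from the Windows machine checks the inbound half; conntrack -L (or cat /proc/net/nf_conntrack) shows the translated flows while they are open.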
Verify the connection:
C:\Users\24743>ssh -p 22023 aozy@10.225.194.210
aozy@10.225.194.210's password:
Linux YoungDebian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 24 17:44:25 2021 from 10.225.152.51
Linux YoungDebian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 24 17:44:25 2021 from 10.225.152.51
aozy@YoungDebian:~$
Afterword
When configuring a host firewall, start by blocking every connection and then open only the specific ones a service actually needs as it is brought into use.
The relationship between NAT and NAPT (PAT): NAPT is one way of implementing NAT, in which many private IPs share a single public IP by translating port numbers as well as addresses. Because NAPT is by far the most common form of NAT, it is usually just called NAT.
NAT changes the IP address in the header of an IP packet as it traverses a routing device and allows a different set of IP addresses to be used for traffic within a local network than that defined for external traffic. NAPT is a special type of NAT in which multiple private IP addresses are mapped to a single IP address or to a small group of public IP addresses. NAPT therefore translates many IP addresses at once. NAPT is the most used form of NAT, which is why it is usually just called NAT.
