Linux网络安全技术与实现(使用)

防火墙有两种：数据包过滤、应用层防火墙
200人以下的需要128MB的数据包过滤防火墙就够了
防火墙结构：单机防火墙、网关式防火墙、透明防火墙
DMZ网关式防火墙

image.png

DMZ网关式防火墙改良版 NAT功能

image.png
透明式防火墙 新一代防火墙 网桥功能
image.png

---

防火墙核心功能：filter nat mangle raw
filter input forward output
nat prerouting postrouting ouput
mangle prerouting input forward output postrouting
raw prerouting output
input 进来 output 出去 forward 中转路过
优先匹配

---

iptables -L
iptables -F clear
iptables -A add new rule
-I input new rule
-R replace old rule
-D delete old rule
iptables -t filter
iptables -t net
iptables -t mangle
iptables -t raw

---

iptables -t filter -L INPUT
iptables -t filter -F
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -P FORWARD DROP //默认不转发
iptables -t filter -I INPUT 2 -p tcp -j ACCEPT
iptables -t filter -R INPUT 2 -p tcp -j ACCEPT //第二条规则被替换
iptables -t filter -D INPUT 2 //删除第二条规则
iptables -A INPUT -p icmp -s ip -j DROP //删除从IP进入到本地的所有
//DROP ACCEPT REJECT
iptables -A INPUT -p all -s 192.168.1.0/24 -d 192.168.0.1 -j ACCEPT

image.png

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP

---

单机防火墙实例INPUT

image.png
数据包状态：ESTABLISHED NEW RELATED INVALID
shell
image.png

---

网关式防火墙filter
简单网关式防火墙shell

image.png

nat设置
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.1.0.200
如果公网IP不固定
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
多对多NAT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.1.0.200-10.1.0.205

image.png
image.png

不允许所有人访问www.playboy.com
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d www.playboy.com -j DROP
iptables -A INPUT -p icmp -j DROP
![image.png](https://img.haomeiwen.com/i9967595/1574aa11b8f2963e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/c3786e353ab87e36.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
tcp-flags
![image.png](https://img.haomeiwen.com/i9967595/54cd4fad20922858.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/b06a034d9cc00e17.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
--mac-source
![image.png](https://img.haomeiwen.com/i9967595/6033ea4910c37cad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
multiport
iptables -A INPUT -p tcp --syn -m state --state NEW -m multiport --dports 21,22,23,99 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLESHED,RELATED -j ACCEPT
-m owner --uid-owner jacky 
![image.png](https://img.haomeiwen.com/i9967595/6889a0d4bae429f1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/60dd24948fb8419d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
-m iprange --src-range 192.0.1-192.0.64
![image.png](https://img.haomeiwen.com/i9967595/28a854fe51090738.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
iprange --src-range  --dst-range
-m ttl --ttl-eq 64
pkttype
![image.png](https://img.haomeiwen.com/i9967595/18bb90da6c6e819f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
mtu -m length --length 
![image.png](https://img.haomeiwen.com/i9967595/b3c7d5219d024e13.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
limit限制包数量
iptables -A INPUT -p icmp -m limit --limit 6/m --limit -burst 10 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
recent 显示ssh密码尝试次数
https://www.cnblogs.com/hiloves/archive/2011/07/19/2109899.html
recent 限制80端口每秒内只能由10个链接，超过次数记录日志和拒绝
 iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix 'DDOS:' --log-ip-options
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j DROP
recent 
http://www.path8.net/tn/archives/5867
string 对数据内容进行过滤
![image.png](https://img.haomeiwen.com/i9967595/0439fd6444cf0cef.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/c2abe6b5e42f9036.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
connlimit 限制连接数量
![image.png](https://img.haomeiwen.com/i9967595/97fa74a8b4dd8b48.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
connbytes限制下载量
quota每天只能下载500M
![image.png](https://img.haomeiwen.com/i9967595/4ff5935171e7ece6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
time 设置规则的生效时间
![image.png](https://img.haomeiwen.com/i9967595/43e265cd4ea83432.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/7e0762706fedfb67.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
conntrack 为 state加强版
![image.png](https://img.haomeiwen.com/i9967595/cbad9cc57a28051f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/220fd6e9af9bbef5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
statistic
![image.png](https://img.haomeiwen.com/i9967595/ebf96e872c4454ba.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/2f77ea7c0daac107.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
hastlimit
![image.png](https://img.haomeiwen.com/i9967595/17ed950a04a486eb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
u32
自定义用户链
REJECT自定义错误信息
![image.png](https://img.haomeiwen.com/i9967595/3b643c1934bb58c5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
-j LOG记录日志
![image.png](https://img.haomeiwen.com/i9967595/e1ede44b6bf79658.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/e43a3ba9234839ee.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![image.png](https://img.haomeiwen.com/i9967595/3e71272f3a8914b2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)