RHCE lab: building a firewall with iptables
Date: 2009-03-19 Source: jacky.lee
Lab environment:
Two Linux machines, server4 and server5, and one Windows XP machine. The firewall policy is built on server5; the other two hosts act as clients for testing.
server4: 192.168.1.14
server5: 192.168.1.15
windows: 192.168.1.156
The configuration on server5 is as follows:
First delete any existing chains, reset the default policy of every chain, and flush all rules:
[root@server5 ~]# iptables -F;iptables -X
[root@server5 ~]# for chain in INPUT FORWARD OUTPUT;do iptables -P $chain ACCEPT;done;
[root@server5 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

1. Block all connections coming in from the neighbouring host (server4):
[root@server5 ~]# iptables -A INPUT -s 192.168.1.14 -m state --state NEW -j DROP
Test from server4 over ssh:
[root@server4 ~]# ssh server5
ssh: connect to host server5 port 22: Connection timed out
So server4 can no longer connect to server5.

2. Rate-limit the icmp echo-request (ping request) packets coming in from the neighbouring host (server5):
[root@server5 ~]# iptables -A INPUT -s 192.168.1.156 -p icmp --icmp-type echo-request -m limit --limit 6/minute --limit-burst 3 -j ACCEPT
[root@server5 ~]# iptables -A INPUT -s 192.168.1.156 -p icmp --icmp-type echo-request -j DROP
Ping test from the Windows machine:
C:\Documents and Settings\jacky.lee>ping server5
Pinging server5.rhel5.com [192.168.1.15] with 32 bytes of data:
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Request timed out.
Ping statistics for 192.168.1.15:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
See: three pings got through, and the fourth was dropped.
Test from server5:
[root@server5 ~]# ping xzxj
PING xzxj (192.168.1.156) 56(84) bytes of data.
.........
It just stays like this; server5 cannot ping the Windows host!
If the parts in red are not clear, see my other document on iptables: http://blog.chinaunix.net/u1/36549/showart_373517.html
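The following is an added example, not part of the original post, that models the iptables limit match as a token bucket so you can see why exactly three of the four Windows pings above get through: --limit-burst 3 provides three tokens up front, and --limit 6/minute refills one token every 10 seconds. The packet timestamps are constructed (four echo-requests one second apart, as Windows ping sends them, plus a fifth ten seconds later); the class and function names are mine.

```python
"""Token-bucket model of the iptables rule pair on this page:
  -m limit --limit 6/minute --limit-burst 3 -j ACCEPT
  (everything not matched by the limit)        -j DROP
"""


def parse_rate(spec):
    """Turn an iptables rate such as '6/minute' into tokens per second."""
    units = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    count, _, unit = spec.partition("/")
    return float(count) / units[unit or "second"]


class LimitMatch:
    """Simplified model of xt_limit: a bucket holding at most `burst`
    tokens, refilled at `rate` tokens per second; a packet matches only
    when it can take one whole token."""

    def __init__(self, rate, burst):
        self.rate = rate            # tokens added per second
        self.burst = burst          # --limit-burst: initial and maximum tokens
        self.tokens = float(burst)  # bucket starts full
        self.last = 0.0             # time of the previous packet

    def matches(self, now):
        # Refill for elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def verdicts(arrivals, limit="6/minute", burst=3):
    """Return ACCEPT/DROP for each packet arrival time (seconds)."""
    m = LimitMatch(parse_rate(limit), burst)
    return ["ACCEPT" if m.matches(t) else "DROP" for t in arrivals]


if __name__ == "__main__":
    # Constructed arrivals: Windows ping sends four requests 1 s apart;
    # a fifth one 10 s later has earned a fresh token and is accepted.
    for t, v in zip([0, 1, 2, 3, 13], verdicts([0, 1, 2, 3, 13])):
        print(f"t={t:>2}s echo-request -> {v}")
```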