一、拒绝全部主机ping当前的主机。centos
[root@centos181 ~]#iptables -AINPUT -p icmp -j REJECT
二、本机可以访问别的机器的HTTP服务,可是别的机器没法访问本机。bash
[root@centos181 ~]#iptables -A -d 本机IP INPUT -p tcp --dport 80 -m state --state NEW -j REJECT
三、当咱们发现有 ip 恶意***咱们得时候,咱们能够经过对防火墙设定规则来进行控制。因此咱们能够并发
添加connlimit模块来实现对最大并发得控制。请写出步骤ssh
[root@centos181 ~]#iptables -A INPUT -d 本机IP -m connlimit --connlimit-above 10 -j REJECT
四、实践题tcp
实验前提需求ide
| 主机名 | IP地址 | 充当角色 |
|---|---|---|
| A7 | 192.168.1.128(仅主机)eth0 | 互联网服 务器 |
| A8 | 192.168.1.129(仅主机)/eth1 10.0.0.8(NAT)/eth0 NAT设备他有一个 是连接外网的ip有一个是连接内网的ip。 | 防火墙 NAT设备 |
| B8 | 10.0.0.18(NAT)eth0 | 局域网服 务器 |
如今我在外地出差使用A7互联网主机,可是如今因为公司有业务须要我 ssh 连接到内网、这时候 我就连接咱们公司同事在防火墙上配置相关规则让我连接进公司内网测试
请写出实现过程:code
[root@A8 ~]#echo 1 > /proc/sys/net/ipv4/ip_forward
[root@A8 ~]#cat /proc/sys/net/ipv4/ip_forward
1
[root@A8 ~]#iptables -t nat -A PREROUTING -d 192.168.1.129 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.18
[root@A8 ~]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.1.129 tcp dpt:22 to:10.0.0.18
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
#测试
[root@A7 ~]#ssh 192.168.1.129
The authenticity of host '192.168.1.129 (192.168.1.129)' can't be established.
ECDSA key fingerprint is SHA256:E8oPeOCT9o7kxsRDLmQ9KsGiv/P0G4sRDLmQT9o7kxoU.
ECDSA key fingerprint is MD5:7f:0e:8e:a7:37:eb:37:41:d8:52:bf:a5:ad:f2:ff:ea.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.129' (ECDSA) to the list of known hosts.
root@192.168.1.129's password:
Last login: Sat Sep 20 11:16:00 2020 from 10.0.0.1