做网站需要什么学历,做网站ppt,广西桂林农业学校,株洲建设网站制作目录 一、安全技术
1、安全技术
2、防火墙的分类
二、netfilter
1、netfilter简述
2、防火墙工具
1.iptables工具
2.netfilter的四表五链
3.内核中数据包的传输过程
4.三种报文流向
5.实操
总结#xff1a;本章主要介绍了安全技术与防火墙 一、安全技术
1、安全技…目录 一、安全技术
1、安全技术
2、防火墙的分类
二、netfilter
1、netfilter简述
2、防火墙工具
1.iptables工具
2.netfilter的四表五链
3.内核中数据包的传输过程
4.三种报文流向
5.实操
总结本章主要介绍了安全技术与防火墙 一、安全技术
1、安全技术
1、入侵检测系统
特点是不阻断任何网络访问量化、定位来自内外网络的威胁情况主要以提供报警和事后监督为主提供有针对性的指导措施和安全决策依据一般采用旁路部署方式
2、入侵防御系统
以透明模式工作分析数据包的内容如溢出攻击、拒绝服务攻击、系统漏洞等进行准确的分析判断在判定为攻击行为后立即予以 阻断主动而有效的保护网络的安全一般采用在线部署方式
3、防火墙
隔离功能工作在网络或主机边缘对进出网络或主机的数据包基于一定的规则检查并在匹配某规则时由规则定义的行为进行处理的一组功能的组件基本上的实现都是默 认情况下关闭所有的通过型访问只开放允许访问的策略
2、防火墙的分类
按保护范围划分 主机防火墙服务范围为当前一台主机 网络防火墙服务范围为防火墙一侧的局域网 按实现方式划分: 硬件防火墙在专用硬件级别实现部分功能的防火墙另一个部分功能基于软件实现如华为 山石hillstone,天融信启明星辰绿盟深信服, PaloAlto , fortinet, Cisco, Checkpoint NetScreen(Juniper2004年40亿美元收购)等 软件防火墙运行于通用硬件平台之上的防火墙的应用软件Windows 防火墙 ISA -- Forefront 按网络协议划分 网络层防火墙OSI模型下四层又称为包过滤防火墙 应用层防火墙/代理服务器proxy 代理网关OSI模型七层
二、netfilter
1、netfilter简述
Linux防火墙是由Netfilter组件提供的Netfilter工作在内核空间集成在linux内核中
Netfilter 是Linux 2.4.x之后新一代的Linux防火墙机制是linux内核的一个子系统。Netfilter采用模块化设计具有良好的可扩充性提供扩展各种网络服务的结构化底层框架。Netfilter与IP协议栈是无缝契合并允许对数据报进行过滤、地址转换、处理等操作
2、防火墙工具
防火墙工具有
1.iptables
2.firewalld
3.nftables
4.netfilter 1.iptables工具
iptables --version
[rootlocalhost ~]# iptables --version
iptables v1.4.21
[rootlocalhost ~]#
2.netfilter的四表五链
表中有链链中有规则
五链控制流量的时机
input 进入本机的流量
output 离开本机的流量
forward 转发
prerouting 路由选择前
postrouting 路由选择后
四表如何控制流量
raw表 确定是否对数据包进行状态跟踪
mangle表 为数据包设置标记优先级
nat表 修改数据包中的源目标IP地址或端口地址转化
filter表 确定是否放行该数据包过滤流量 3.内核中数据包的传输过程 当一个数据包进入网卡时数据包首先进入PREROUTING链内核根据数据包目的IP判断是否需要 转送出去 如果数据包是进入本机的数据包就会沿着图向下移动到达INPUT链。数据包到达INPUT链后 任何进程都会收到它。本机上运行的程序可以发送数据包这些数据包经过OUTPUT链然后到达 如果数据包是要转发出去的且内核允许转发数据包就会向右移动经过FORWARD链然后到达POSTROUTING链输出
4.三种报文流向
流入本机PREROUTING -- INPUT--用户空间进程 流出本机用户空间进程 --OUTPUT-- POSTROUTING 转发PREROUTING -- FORWARD -- POSTROUTING
5.实操
CentOS7默认使用firewalld防火墙没有安装iptables,若想使用iptables防火墙。必须先关闭firewalld防火墙再安装iptables
先准备环境
[rootlocalhost ~]# systemctl stop firewalld
[rootlocalhost ~]# systemctl disable --now firewalld.service
[rootlocalhost ~]# yum install -y iptables
已加载插件fastestmirror, langpacks
Loading mirror speeds from cached hostfile* base: mirrors.163.com* epel: mirrors.bfsu.edu.cn* extras: mirrors.163.com* updates: mirrors.ustc.edu.cn
软件包 iptables-1.4.21-35.el7.x86_64 已安装并且是最新版本
无须任何处理
[rootlocalhost ~]# 1.iptables语法
iptables [-t 表名] 管理选项 [链名] [匹配条件] [-j 控制类型]
如果不用-t指定默认是filter
2.数据包的常见控制类型
-ACCEPT允许数据包通过
-DROP直接丢弃数据包
-REJECT拒绝数据包通过
-LOG日志添加备注传递数据包给下一条规则
-SNAT修改数据包的源地址
-DNAT修改数据包的目的地址
-MASQUERADE伪装成一个非固定公网IP地址
3.iptables的管理选项
-A在指定链末尾追加
-I在指定链中插入新策略未指定默认第一条
-P修改策略
-D删除策略
-v详细信息
-n数字化
-L防火墙列表
-s指定源地址
-j跳转
-t指定表
-F清空策略
-d目的地址
4.添加与查看
[rootlocalhost ~]# iptables -t filter -A INPUT -p tcp -jACCEPT
[rootlocalhost ~]# iptables -t filter -I INPUT -p udp -jACCEPT
[rootlocalhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 1 76 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 118 8020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 18 packets, 1336 bytes)pkts bytes target prot opt in out source destination Chain VL (0 references)pkts bytes target prot opt in out source destination 5.删除和追加
追加
pc1
[rootlocalhost ~]# iptables -A INPUT -s 172.16.114.20 -j DROP遇到172.16.114.20的流量都丢弃
pc2
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
^C
--- 172.16.114.10 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10004ms[rootlocalhost ~]# 追加策略后策略生效ping的包全部丢失
[rootlocalhost ~]# iptables -A INPUT -s 172.16.114.20 -j DROP
[rootlocalhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 50 packets, 3872 bytes)pkts bytes target prot opt in out source destination 12 1000 DROP all -- * * 172.16.114.20 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 15 packets, 1260 bytes)pkts bytes target prot opt in out source destination Chain VL (0 references)pkts bytes target prot opt in out source destination
[rootlocalhost ~]# iptables -D INPUT 1
[rootlocalhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 384 bytes)pkts bytes target prot opt in out source destination Chain VL (0 references)pkts bytes target prot opt in out source destination
[rootlocalhost ~]# pc1删除策略后
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
64 bytes from 172.16.114.10: icmp_seq1 ttl64 time0.767 ms
64 bytes from 172.16.114.10: icmp_seq2 ttl64 time1.13 ms
64 bytes from 172.16.114.10: icmp_seq3 ttl64 time0.504 ms
^C
--- 172.16.114.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev 0.504/0.800/1.131/0.259 ms
[rootlocalhost ~]# pc2可以ping通了 设置白名单
iptables -P INPUT DROP
iptables -s 172.16.114.10 -P INPUT DROP
iptables v1.4.21: Illegal option -s with this commandTry iptables -h or iptables --help for more information.
[rootlocalhost ~]# iptables -I INPUT 2 -i lo -j ACCEPT
[rootlocalhost ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq1 ttl64 time0.041 ms
64 bytes from 127.0.0.1: icmp_seq2 ttl64 time0.079 ms
64 bytes from 127.0.0.1: icmp_seq3 ttl64 time0.134 ms
64 bytes from 127.0.0.1: icmp_seq4 ttl64 time0.072 ms
^C
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev 0.041/0.081/0.134/0.034 ms
iptables -t filter -A INPUT ! -p icmp -j ACCEPT
[rootlocalhost ~]# iptables -F
[rootlocalhost ~]# iptables -P INPUT ACCEPT
[rootlocalhost ~]#
pc1配置只允许172.16.114.20访问
[rootlocalhost ~]# iptables -A INPUT -s 172.16.114.20 -j ACCEPT
[rootlocalhost ~]# iptables -A INPUT -i lo -j ACCEPT
[rootlocalhost ~]# iptables -A INPUT -j REJECT
pc2可以看见连接上了
[rootlocalhost ~]# ssh 172.16.114.10
The authenticity of host 172.16.114.10 (172.16.114.10) cant be established.
ECDSA key fingerprint is SHA256:Zujj39bI5gmpNp7llhmoG7MsStyii22ClbiRDXhzdi0.
ECDSA key fingerprint is MD5:28:e5:a5:7a:6a:1f:0c:05:12:3a:bd:21:9e:ab:0d:90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 172.16.114.10 (ECDSA) to the list of known hosts.
root172.16.114.10s password:
Last login: Wed Nov 29 18:29:35 2023 from 172.16.114.1
[rootlocalhost ~]# pc1可以看见连接不上了
[C:\~]$ ssh 172.16.114.10Connecting to 172.16.114.10:22...
Could not connect to 172.16.114.10 (port 22): Connection failed.Type help to learn how to use Xshell prompt.
[C:\~]$ 设置黑名单
pc1:
[rootlocalhost ~]# iptables -P INPUT ACCEPT
[rootlocalhost ~]# iptables -A INPUT -s 172.16.114.20 -j REJECTpc2:
[rootlocalhost ~]# ssh 172.16.114.10
ssh: connect to host 172.16.114.10 port 22: Connection refused
[rootlocalhost ~]# 可以看见pc2黑名单连接不上了
6.隐含扩展
icmp扩展模块
pc1可以ping pc2
pc2不可以ping pc1
pc1:
[rootlocalhost ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
64 bytes from 172.16.114.10: icmp_seq1 ttl64 time0.312 ms
64 bytes from 172.16.114.10: icmp_seq2 ttl64 time1.97 ms
^C
--- 172.16.114.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev 0.312/1.145/1.978/0.833 ms
[rootlocalhost ~]# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
64 bytes from 172.16.114.10: icmp_seq1 ttl64 time0.444 ms
64 bytes from 172.16.114.10: icmp_seq2 ttl64 time0.707 ms
^C
--- 172.16.114.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev 0.444/0.575/0.707/0.133 ms
[rootlocalhost ~]# iptables -A INPUT -p icmp -j REJECT
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
64 bytes from 172.16.114.10: icmp_seq1 ttl64 time0.961 ms
64 bytes from 172.16.114.10: icmp_seq2 ttl64 time0.616 ms
64 bytes from 172.16.114.10: icmp_seq3 ttl64 time1.01 ms
^C
--- 172.16.114.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev 0.616/0.865/1.019/0.179 ms
[rootlocalhost ~]# pc2
[rootlocalhost ~]# iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
[rootlocalhost ~]# ping 172.16.114.20
PING 172.16.114.20 (172.16.114.20) 56(84) bytes of data.
^C
--- 172.16.114.20 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms[rootlocalhost ~]# multiport扩展模块
pc1:
[rootlocalhost ~]# iptables -t filter -A INPUT -s 172.16.114.10 -p tcp -m multiport --dport 22,80 -j REJECT
[rootlocalhost ~]# pc2:
[rootlocalhost ~]# ssh 172.16.114.20
ssh: connect to host 172.16.114.20 port 22: Connection refused
[rootlocalhost ~]# curl 172.16.114.20
curl: (7) Failed connect to 172.16.114.20:80; 拒绝连接
[rootlocalhost ~]# 可以看见这里pc2连接不上
iprange扩展
pc1
[rootlocalhost ~]# iptables -A INPUT -m iprange --src-range 172.16.114.20-172.16.114.21 -j REJECT
[rootlocalhost ~]# 设置这些地址的主机无法访问pc1
pc2
ltiport --dport 22,80 -j REJECT
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
From 172.16.114.10 icmp_seq1 Destination Port Unreachable
From 172.16.114.10 icmp_seq2 Destination Port Unreachable
^C
--- 172.16.114.10 ping statistics ---
2 packets transmitted, 0 received, 2 errors, 100% packet loss, time 1000ms[rootlocalhost ~]# 7.时间设置
[rootlocalhost ~]# date
2023年 11月 29日 星期三 19:38:54 CST
[rootlocalhost ~]# date -u
2023年 11月 29日 星期三 11:39:02 UTC
[rootlocalhost ~]# iptables -A INPUT -m time --timestart 14:00 --time 16:00 -j REJECT
iptables v1.4.21: unknown option --time
Try iptables -h or iptables --help for more information.
[rootlocalhost ~]# rpm -ql iptables|grep time
/usr/lib64/xtables/libxt_time.so
[rootlocalhost ~]# state模块
pc1
64 bytes from 172.16.114.20: icmp_seq133 ttl64 time1.09 ms
64 bytes from 172.16.114.20: icmp_seq134 ttl64 time0.857 ms
64 bytes from 172.16.114.20: icmp_seq135 ttl64 time0.899 ms
64 bytes from 172.16.114.20: icmp_seq136 ttl64 time3.09 ms
64 bytes from 172.16.114.20: icmp_seq137 ttl64 time0.250 ms
64 bytes from 172.16.114.20: icmp_seq138 ttl64 time0.561 ms
64 bytes from 172.16.114.20: icmp_seq139 ttl64 time0.544 ms
64 bytes from 172.16.114.20: icmp_seq140 ttl64 time1.68 ms
64 bytes from 172.16.114.20: icmp_seq141 ttl64 time1.25 ms
64 bytes from 172.16.114.20: icmp_seq142 ttl64 time0.238 ms
64 bytes from 172.16.114.20: icmp_seq143 ttl64 time0.612 ms
64 bytes from 172.16.114.20: icmp_seq144 ttl64 time1.03 ms
64 bytes from 172.16.114.20: icmp_seq145 ttl64 time0.711 ms
64 bytes from 172.16.114.20: icmp_seq146 ttl64 time1.10 ms
64 bytes from 172.16.114.20: icmp_seq147 ttl64 time1.28 ms
64 bytes from 172.16.114.20: icmp_seq148 ttl64 time0.795 ms
64 bytes from 172.16.114.20: icmp_seq149 ttl64 time0.601 ms
64 bytes from 172.16.114.20: icmp_seq150 ttl64 time0.591 ms
64 bytes from 172.16.114.20: icmp_seq151 ttl64 time0.522 ms
64 bytes from 172.16.114.20: icmp_seq152 ttl64 time1.50 ms[rootlocalhost ~]# iptables -A INPUT -m state --state NEW -j REJECT
[rootlocalhost ~]# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
[rootlocalhost ~]# pc2:
[rootlocalhost ~]# ping 172.16.114.10
PING 172.16.114.10 (172.16.114.10) 56(84) bytes of data.
From 172.16.114.10 icmp_seq1 Destination Port Unreachable
From 172.16.114.10 icmp_seq2 Destination Port Unreachable
From 172.16.114.10 icmp_seq3 Destination Port Unreachable
^C
--- 172.16.114.10 ping statistics ---
3 packets transmitted, 0 received, 3 errors, 100% packet loss, time 2002ms[rootlocalhost ~]# 这里可以看见在访问的主机正常访问设置后其他主机访问不了了
总结本章主要介绍了安全技术与防火墙
