This article records a networked setup in which the iptables service is enabled on an Alibaba Cloud server and specific ports are forwarded, over an xl2tp (Layer 2 Tunneling Protocol) link, to the company's ARM server.
This provides a dedicated network path between the company's ARM server and the Alibaba Cloud server.
On CentOS 7, RHEL 7 and Fedora the firewall is managed by firewalld, and the firewalld service is enabled by default.
The iptables tool is normally installed by default, but the iptables.service unit is not enabled. To use iptables directly,
stop the firewalld service and enable iptables.service instead.
Example:
Disable firewalld:
systemctl stop firewalld
systemctl mask firewalld
Enable the iptables service:
yum install iptables-services   # install iptables-services
systemctl enable iptables       # start at boot
eg:
# start the iptables service
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl start iptables
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Fri 2021-12-24 10:51:06 CST; 1s ago
  Process: 17134 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 17176 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 17176 (code=exited, status=0/SUCCESS)

Dec 24 10:51:06 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Starting IPv4 firewall with iptables...
Dec 24 10:51:06 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17176]: iptables: Applying firewall rules: [ OK ]
Dec 24 10:51:06 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Started IPv4 firewall with iptables.

# stop the iptables service
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl stop iptables
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-12-24 10:50:49 CST; 7s ago
  Process: 17134 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 17098 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 17098 (code=exited, status=0/SUCCESS)

Dec 24 10:34:41 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Starting IPv4 firewall with iptables...
Dec 24 10:34:41 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17098]: iptables: Applying firewall rules: [ OK ]
Dec 24 10:34:41 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Started IPv4 firewall with iptables.
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Stopping IPv4 firewall with iptables...
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17134]: iptables: Setting chains to policy ACCEPT: nat raw mangle filter [ OK ]
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17134]: iptables: Flushing firewall rules: [ OK ]
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Stopped IPv4 firewall with iptables.

# reload the configuration
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl reload iptables
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]#
# Save the settings. On CentOS the rules written with iptables-save are lost after a reboot; the command below works fine.
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

Using the firewalld service and the iptables service together
To add a range of excepted ports, e.g. 1000-2000, use the zone port/protocol combination.
The syntax is:
firewall-cmd [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> [--timeout=<timeval>]
eg:
firewall-cmd --zone=public --add-port=80/tcp --permanent   (--permanent makes the rule persistent; without it the rule is lost after a restart)
firewall-cmd --zone=public --add-port=1000-2000/tcp --permanent
This article chose to disable the firewalld service and build the network application with iptables.
The iptables rules are configured as follows.
Step 1: add DNAT rules to the PREROUTING chain of the nat table
# External access to ports 9990 and 9991 on the Alibaba Cloud fixed IP is forwarded to the xl2tp internal network
iptables -t nat -A PREROUTING -p tcp -d 39.99.xx.xxx/255.255.255.255 -m tcp --dport 9990 -m comment --comment "@redirect[0]" -j DNAT --to-destination 172.168.1.128:9990
iptables -t nat -A PREROUTING -p tcp -d 39.99.xx.xxx/255.255.255.255 -m tcp --dport 9991 -m comment --comment "@redirect[0]" -j DNAT --to-destination 172.168.1.128:9991
iptables -t nat -A OUTPUT -j ACCEPT
# Outbound access: xl2tp internal IPs leave through the Alibaba Cloud VM's egress IP
iptables -t nat -A POSTROUTING -s 172.168.1.0/24 -j SNAT --to-source 172.26.43.146
Step 2: add forwarding rules to the FORWARD chain of the filter table
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
Step 3: save the configuration and start the iptables service
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# service iptables save # save the rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl start iptables # start the iptables service
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# iptables -L -v # filter table chains
Chain INPUT (policy ACCEPT 43 packets, 2913 bytes)
pkts bytes target prot opt in out source destination
4079 213K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp-data
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
3926 845K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1256 91699 ACCEPT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7594 1941K ACCEPT all -- any any anywhere anywhere
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# iptables -L -v -t nat # nat table chains
Chain PREROUTING (policy ACCEPT 111 packets, 7453 bytes)
pkts bytes target prot opt in out source destination
7 388 DNAT tcp -- any any anywhere anywhere tcp dpt:osm-oev to:172.168.1.128:9991
0 0 DNAT udp -- any any anywhere anywhere udp dpt:osm-oev to:172.168.1.128:9991
Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
732 49635 ACCEPT all -- any any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 95 packets, 6734 bytes)
pkts bytes target prot opt in out source destination
253 17012 SNAT all -- any any 172.168.1.0/24 anywhere to:172.26.43.146
[root@iZ8vbdsaostzzry9mmk5lrZ ~]#
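As an added verification step (example script, not part of the original post): the POSIX shell script below parses the output of `iptables -t nat -L -v -n` and confirms that each planned DNAT forwarding and the SNAT rule are present. The listing embedded in it is a constructed sample in numeric (-n) format; run the live command with -n, because the listing above resolves 9991 to the service name osm-oev, which a text check would miss. The function names and the sample listing are assumptions.

```shell
#!/bin/sh
# Added verification script, not from the original post. It parses `iptables -t nat -L -v -n`
# output and checks that every expected DNAT rule and the SNAT rule are present.
# NAT_LISTING is a constructed sample in -n (numeric) format. Like the post's own listing it
# contains only the 9991 forwarding, so the check for 9990 is expected to report it missing.
NAT_LISTING='Chain PREROUTING (policy ACCEPT 111 packets, 7453 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   388 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9991 to:172.168.1.128:9991
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:9991 to:172.168.1.128:9991

Chain POSTROUTING (policy ACCEPT 95 packets, 6734 bytes)
 pkts bytes target     prot opt in     out     source               destination
  253 17012 SNAT       all  --  *      *       172.168.1.0/24       0.0.0.0/0            to:172.26.43.146'

# has_dnat LISTING PROTO PORT DEST_IP: succeeds if a DNAT rule maps PROTO/PORT to DEST_IP:PORT.
# -L -v columns: pkts bytes target prot opt in out source destination [match] to:...
has_dnat() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" -v dest="$4" '
    $3 == "DNAT" && $4 == proto && $(NF-1) == ("dpt:" port) && $NF == ("to:" dest ":" port) { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# has_snat LISTING SRC_NET OUT_IP: succeeds if a SNAT rule rewrites SRC_NET to OUT_IP.
has_snat() {
  printf '%s\n' "$1" | awk -v src="$2" -v out="$3" '
    $3 == "SNAT" && $8 == src && $NF == ("to:" out) { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# check_forwarding LISTING DEST_IP SRC_NET OUT_IP PORT...: prints one line per expected rule
# and returns the number of missing rules (0 means the nat table matches the plan).
check_forwarding() {
  listing=$1; dest=$2; src=$3; out=$4; shift 4
  missing=0
  for p in "$@"; do
    if has_dnat "$listing" tcp "$p" "$dest"; then echo "ok      tcp/$p -> $dest:$p"
    else echo "MISSING tcp/$p -> $dest:$p"; missing=$((missing + 1)); fi
  done
  if has_snat "$listing" "$src" "$out"; then echo "ok      SNAT $src -> $out"
  else echo "MISSING SNAT $src -> $out"; missing=$((missing + 1)); fi
  return "$missing"
}

# Live use (as root): check_forwarding "$(iptables -t nat -L -v -n)" 172.168.1.128 172.168.1.0/24 172.26.43.146 9990 9991
check_forwarding "$NAT_LISTING" 172.168.1.128 172.168.1.0/24 172.26.43.146 9990 9991 \
  || echo "nat table does not match the plan"
```

Run the live form after `service iptables save`; a non-zero return means a planned rule never made it into the nat table.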
Step 4: enable ip_forward on the CentOS system
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# cat /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
# added ip_forward setting
net.ipv4.ip_forward = 1
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
kernel.sysrq = 1
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl restart network # restart the CentOS network service
Step 5: configure the ARM server routing table
# 39.99.xx.xx = Alibaba Cloud IP, 192.168.1.1 = ARM server LAN gateway
sudo route add -host 39.99.xx.xx gw 192.168.1.1 # the ARM server builds the xl2tp link through the LAN
# 172.168.1.99 = XL2TP server IP address
sudo route add default gw 172.168.1.99 # ARM server default route, next-hop IP address
sudo route del default gw 192.168.1.1 # delete the old default route entry
sudo route add -host 114.114.114.114 gw 172.168.1.99 # test route entry
Network test log
During use, the system may add a default route on its own when the network service or the network changes. Preferring a default route by its metric value also works; the routing information is as follows:
# ARM server routing table
robot@ubuntu:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.168.1.99    0.0.0.0         UG    10     0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
39.99.232.232   192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.168.1.99    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
# network access
robot@ubuntu:~$ ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (101.91.22.57) 56(84) bytes of data.
64 bytes from 101.91.22.57 (101.91.22.57): icmp_seq=1 ttl=51 time=47.8 ms
64 bytes from 101.91.22.57 (101.91.22.57): icmp_seq=2 ttl=51 time=48.4 ms
^C
--- ins-r23tsuuf.ias.tencent-cloud.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 47.754/48.059/48.365/0.305 ms
# traceroute shows the path is chosen through the xl2tp IP address
robot@ubuntu:~$ traceroute www.qq.com
traceroute to www.qq.com (101.91.22.57), 30 hops max, 60 byte packets
 1  172.168.1.99 (172.168.1.99)  15.899 ms  15.885 ms  15.920 ms
 2  10.130.125.26 (10.130.125.26)  15.936 ms 10.130.123.26 (10.130.123.26)  15.967 ms  15.920 ms
 3  11.73.0.97 (11.73.0.97)  15.908 ms 11.73.0.189 (11.73.0.189)  15.899 ms 11.73.0.37 (11.73.0.37)  15.846 ms
At this point the network environment setup and testing are complete.
Reminder: remember to add ports 9990 and 9991 under port forwarding in the Alibaba Cloud VM console; otherwise external access is blocked by the Alibaba Cloud firewall.