29.1iptables
iptables基本用法
停止centos7上的firewalld
停止centos6上的iptables服务,即停止系统规则,系统默认规则在/etc/sysconfig/iptables;自定义iptables规则,以便实验
[[email protected] ~ ]#man iptables
#filter表,INPUT链
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP[[email protected] ~ ]#systemctl stop firewalld
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~ ]#service iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
#确认centos7上没有防火墙规则
[[email protected] ~ ]#iptables -vnL
Chain INPUT (policy ACCEPT 7174 packets, 1278K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 216 packets, 22376 bytes)
pkts bytes target prot opt in out source destination
#centos6上也停掉了系统防火墙规则
[[email protected] ~ ]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination 默认filter表
[[email protected] ~]# iptables -A INPUT -s 192.168.31.6 -j DROP
[[email protected] ~]# iptables -vnL --line-number
Chain INPUT (policy ACCEPT 983 packets, 155K bytes)
num pkts bytes target prot opt in out source destination
1 16 1344 DROP all -- * * 192.168.31.6 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 168 packets, 16132 bytes)
num pkts bytes target prot opt in out source destination
[[email protected] ~ ]#ping 192.168.31.7 #不通
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
#-R替换target为REJECT -I为插入第一条,-A为append到最后
[[email protected] ~]# iptables -R INPUT 1 -s 192.168.31.6 -j REJECT
[[email protected] ~ ]#ping -c1 192.168.31.7
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
From 192.168.31.7 icmp_seq=1 Destination Port Unreachable
--- 192.168.31.7 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
[[email protected] ~ ]#ping 192.168.31.7
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
From 192.168.31.7 icmp_seq=1 Destination Port Unreachable
[[email protected] ~ ]#ssh 192.168.31.7
ssh: connect to host 192.168.31.7 port 22: Connection refused
[[email protected] ~]# iptables -I INPUT 2 -s 192.168.31.17 -j REJECT
[[email protected] ~]# iptables -vnL --line-number
Chain INPUT (policy ACCEPT 96 packets, 17804 bytes)
num pkts bytes target prot opt in out source destination
1 7 564 REJECT all -- * * 192.168.31.6 0.0.0.0/0 reject-with icmp-port-unreachable
2 0 0 REJECT all -- * * 192.168.31.17 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 832 bytes)
num pkts bytes target prot opt in out source destination [root@cos7 ~]# iptables -D INPUT 2 #删除第二条规则
#可以一下添加两条,和分别添加效果一样
[root@cos7 ~]# iptables -A INPUT -s 192.168.31.6,192.168.31.17 -j DROP
#取反
[root@cos7 ~]# iptables -A INPUT ! -s 192.168.31.1 -j DROP
如果防火墙该错,计划任务5分钟之后,执行防火墙备份策略
[root@cos7 ~]# iptables -P INPUT DROP #默认拒绝
Chain INPUT (policy DROP 0 packets, 0 bytes)
[root@cos7 ~]# iptables -P INPUT ACCEPT #默认拒绝
[root@cos7 ~]# iptables -A INPUT -j DROP #最后添加一条,若前面规则不匹配,则都拒绝
[root@cos7 ~]# iptables -A OUTPUT -d 192.168.31.6 -j REJECT
Chain OUTPUT (policy ACCEPT 35 packets, 3364 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 192.168.31.6 reject-with icmp-port-unreachable
[root@cos6 ~ ]#ping 192.168.31.7
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
[root@cos7 ~]# tcpdump -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:33:56.891452 IP 192.168.31.6 > 192.168.31.7: ICMP echo request, id 11356, seq 1, length 64
17:33:57.891478 IP 192.168.31.6 > 192.168.31.7: ICMP echo request, id 11356, seq 2, length 64
[root@cos7 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -d 192.168.31.6/32 -j REJECT --reject-with icmp-port-unreachable
[root@cos7 ~]# iptables -vnxL #-x exactly 更加精准显示数据大小,k,M#ping不同,但其它服务可以通,如ssh
[[email protected] ~]# iptables -A INPUT -s 192.168.31.6 -p icmp -j REJECT
[[email protected] ~]# iptables -I INPUT -i lo -j ACCEPT
扩展选项,隐式扩展
#如下,如果需要使用libxt_tcp.so时,直接-p tcp协议,而无需用-m指定扩展模块,系统会自动加载模块
[[email protected] ~ ]#ls /usr/lib64/xtables/
libip6t_ah.so libipt_DNAT.so libxt_cluster.so libxt_ipvs.so libxt_sctp.so libxt_tcp.so
**省略**
[[email protected] ~ ]#systemctl stop firewalld
[[email protected] ~ ]#iptables -vnL –line-number
#xshell连接虚拟机使用,以防xshell终端被拒绝连接
[[email protected] ~ ]#iptables -I INPUT -s 192.168.31.1 -j ACCEPT
#端口连续
[[email protected] ~ ]#iptables -A INPUT -p tcp –dport 21:23 -j ACCEPT
#ftp服务,传输数据时,还需开启数据端口
#端口不连续,需安装扩展包,且为显示扩展,即-m 指定
[[email protected] ~ ]#rpm -ql iptables |grep multi
/usr/lib64/xtables/libxt_multiport.so
/usr/sbin/xtables-multi
#插入第二条,tcp 3次握手第一次请求建立连接时,拒绝,而已经连接的不受影响
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp –dport 22 –syn -j REJECT
#单方向可以ping通,利用ping协议中的icmp,icmp测试网络状态,8表示请求,0表示应答
[[email protected] ~ ]#iptables -I INPUT 2 -p icmp –icmp-type 8 -j REJECT
#icmp的0一定在OUTPUT链上,响应报文可以出去
[[email protected] ~ ]#iptables -A OUTPUT -p icmp –icmp-type 0 -j ACCEPT
#删除INPUT链中第2条规则
[[email protected] ~ ]#iptables -D INPUT 2
#samba服务可以访问,其它访问不了,139,445为smb,nmb名字解析不开,用ip访问
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp –dport 139 -j ACCEPT
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp –dport 445 -j ACCEPT
显示扩展
必须使用-m选项指明要调用的扩展模块的扩展机制,要手动加载扩展模块
自定义链
#命名链
[[email protected] ~ ]#iptables -N WEB
#重命名自定义链
[[email protected] ~ ]#iptables -E WEB WEB1
[[email protected] ~ ]#iptables -A WEB1 -p tcp –dport 443 -j ACCEPT
#关联WEB1链到INPUT链;类似函数
[[email protected] ~ ]#iptables -A INPUT -s 192.168.31.0/24 -j WEB1
#删除自定义链
#取消关联
[[email protected] ~ ]#iptables -D INPUT 6
[[email protected] ~ ]#iptables -D INPUT 6
#清空自定义链接内容规则
[[email protected] ~ ]#iptables -F WEB1
#删除自定义链WEB1
[[email protected] ~ ]#iptables -X WEB1
使用帮助:
CentOS 6: man iptables
CentOS 7: man iptables-extensions
multiport扩展
以离散方式定义多端口匹配,最多指定15个端口
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp -m multiport –dports 80,443,3306 -j ACCEPT
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp -m multiport –dports 80,443,3306,21:23 -j ACCEPT
iprange扩展
指明连续的(但一般不是整个网络)ip地址范围
[[email protected] ~ ]#iptables -I INPUT 2 -m iprange –src-range 192.168.31.6-192.168.31.27 -j ACCEPT
mac扩展
指明源MAC地址
[[email protected] ~ ]#iptables -I INPUT 2 -m mac –mac-source 00:0C:29:67:2D:A3 -j ACCEPT
string扩展
对报文中的应用层数据做字符串模式匹配检测
[[email protected] ~ ]#iptables -R INPUT 2 -m string –algo bm –string “google” -j ACCEPT
[[email protected] ~ ]#iptables -A INPUT -m string –algo bm –string “google” -j ACCEPT
time扩展
根据将报文到达的时间与指定的时间范围进行匹配
[[email protected] ~ ]#iptables -I INPUT 2 -m time –timestart 1:00:00 –timestop 04:00:00 –weekdays 2,4,6 -j REJECT
[[email protected] ~ ]#iptables -I INPUT 2 -m time –timestart 6:00:00 –timestop 10:00:00 –weekdays 2,4,6 -j REJECT
[[email protected] ~ ]#man iptables-extensions
connlimit扩展
根据每客户端IP做并发连接数数量匹配
可防止CC(Challenge Collapsar挑战黑洞)攻击
[[email protected] ~ ]#iptables -A INPUT -m connlimit –connlimit-above 100 -j REJECT
limit扩展
基于收发报文的速率做匹配
令牌桶过滤器
[[email protected] ~ ]#iptables -R INPUT 2 -m limit –limit 6/minute –limit-burst 5 -j ACCEPT
[[email protected] ~ ]#iptables -I INPUT 2 -p icmp -j REJECT
state扩展
根据”连接追踪机制“去检查连接的状态,较耗资源
[[email protected] ~ ]#iptables -A INPUT -m state –state NEW -j REJECT
[[email protected] ~ ]#iptables -A INPUT -m state –state ESTABLISHED -j ACCEPT
[[email protected] ~ ]#iptables -A INPUT -j REJECT
推荐阅读