
29.1iptables


iptables基本用法
停止centos7上的firewalld
停止centos6上的iptables服务,即清除系统默认规则(系统默认规则保存在/etc/sysconfig/iptables);之后再自定义iptables规则,以便实验

[[email protected] ~ ]#man iptables
#filter表,INPUT链 
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
[[email protected] ~ ]#systemctl stop firewalld
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~ ]#service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
#确认centos7上没有防火墙规则

[[email protected] ~ ]#iptables -vnL
Chain INPUT (policy ACCEPT 7174 packets, 1278K bytes)
 pkts bytes target     prot opt in     out     source     destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination         

Chain OUTPUT (policy ACCEPT 216 packets, 22376 bytes)
 pkts bytes target     prot opt in     out     source     destination 
#centos6上也停掉了系统防火墙规则
[[email protected] ~ ]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source    destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source    destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source    destination 

默认filter表

[[email protected] ~]# iptables -A INPUT -s 192.168.31.6 -j DROP
[[email protected] ~]# iptables -vnL --line-number
Chain INPUT (policy ACCEPT 983 packets, 155K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       16  1344 DROP       all  --  *      *       192.168.31.6         0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 168 packets, 16132 bytes)
num   pkts bytes target     prot opt in     out     source               destination 
[[email protected] ~ ]#ping 192.168.31.7   #不通
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.

#-R 替换指定编号的规则(这里把第1条的target改为REJECT);-I 默认插入为第一条(可加编号指定位置),-A 追加到链的末尾
[[email protected] ~]# iptables -R INPUT 1 -s 192.168.31.6 -j REJECT

[[email protected] ~ ]#ping -c1 192.168.31.7
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
From 192.168.31.7 icmp_seq=1 Destination Port Unreachable

--- 192.168.31.7 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

[[email protected] ~ ]#ping  192.168.31.7
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
From 192.168.31.7 icmp_seq=1 Destination Port Unreachable

[[email protected] ~ ]#ssh 192.168.31.7
ssh: connect to host 192.168.31.7 port 22: Connection refused
[[email protected] ~]# iptables -I INPUT 2 -s 192.168.31.17 -j REJECT

[[email protected] ~]# iptables -vnL --line-number
Chain INPUT (policy ACCEPT 96 packets, 17804 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        7   564 REJECT     all  --  *      *       192.168.31.6         0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.31.17        0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 832 bytes)
num   pkts bytes target     prot opt in     out     source               destination  
[root@cos7 ~]# iptables -D INPUT 2 #删除第二条规则
#可以一下添加两条,和分别添加效果一样
[root@cos7 ~]# iptables -A INPUT -s 192.168.31.6,192.168.31.17 -j DROP
#取反
[root@cos7 ~]# iptables -A INPUT ! -s 192.168.31.1 -j DROP

如果防火墙规则改错导致无法连接,可事先用计划任务在5分钟之后恢复备份的防火墙策略
[root@cos7 ~]# iptables -P INPUT DROP  #默认拒绝
Chain INPUT (policy DROP 0 packets, 0 bytes)
[root@cos7 ~]# iptables -P INPUT ACCEPT  #恢复默认允许
[root@cos7 ~]# iptables -A INPUT  -j DROP  #最后添加一条,若前面规则不匹配,则都拒绝

[root@cos7 ~]# iptables -A OUTPUT -d 192.168.31.6 -j REJECT
Chain OUTPUT (policy ACCEPT 35 packets, 3364 bytes)
 pkts bytes target     prot opt in     out     source       destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0    192.168.31.6  reject-with icmp-port-unreachable
[root@cos6 ~ ]#ping 192.168.31.7
PING 192.168.31.7 (192.168.31.7) 56(84) bytes of data.
[root@cos7 ~]# tcpdump -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:33:56.891452 IP 192.168.31.6 > 192.168.31.7: ICMP echo request, id 11356, seq 1, length 64
17:33:57.891478 IP 192.168.31.6 > 192.168.31.7: ICMP echo request, id 11356, seq 2, length 64
[root@cos7 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -d 192.168.31.6/32 -j REJECT --reject-with icmp-port-unreachable
[root@cos7 ~]# iptables -vnxL   #-x (exact) 精确显示报文计数和字节数,不用K、M缩写

#ping不通,但其它服务可以通,如ssh
[[email protected] ~]# iptables -A INPUT -s 192.168.31.6 -p icmp -j REJECT

[[email protected] ~]# iptables -I INPUT -i lo -j ACCEPT


扩展选项,隐式扩展
#如下,如果需要使用libxt_tcp.so时,直接-p tcp协议,而无需用-m指定扩展模块,系统会自动加载模块
[[email protected] ~ ]#ls /usr/lib64/xtables/
libip6t_ah.so libipt_DNAT.so libxt_cluster.so libxt_ipvs.so libxt_sctp.so libxt_tcp.so
**省略**
[[email protected] ~ ]#systemctl stop firewalld
[[email protected] ~ ]#iptables -vnL --line-number

#放行xshell所在主机的地址,以防后续规则拒绝xshell终端的连接
[[email protected] ~ ]#iptables -I INPUT -s 192.168.31.1 -j ACCEPT

#端口连续
[[email protected] ~ ]#iptables -A INPUT -p tcp --dport 21:23 -j ACCEPT
#ftp服务,传输数据时,还需开启数据端口
#端口不连续时,需用扩展模块,且为显式扩展,即需用-m 指定模块
[[email protected] ~ ]#rpm -ql iptables |grep multi
/usr/lib64/xtables/libxt_multiport.so
/usr/sbin/xtables-multi

#插入为第二条:只拒绝tcp 3次握手中第一个SYN请求,即新建连接被拒绝,而已建立的连接不受影响
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp --dport 22 --syn -j REJECT

#只允许单方向ping通:ping使用icmp协议测试网络状态,icmp类型8表示请求,0表示应答
[[email protected] ~ ]#iptables -I INPUT 2 -p icmp --icmp-type 8 -j REJECT
#icmp类型0的规则要放在OUTPUT链上,让本机的响应报文可以出去
[[email protected] ~ ]#iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
#删除INPUT链中第2条规则
[[email protected] ~ ]#iptables -D INPUT 2

#只放行samba服务,其它访问不了;139、445为smb端口,nmb名字解析未放行,因此需用ip访问
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp --dport 139 -j ACCEPT
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp --dport 445 -j ACCEPT


显式扩展
必须使用-m选项指明要调用的扩展模块,即需手动加载扩展模块

自定义链
#新建自定义链
[[email protected] ~ ]#iptables -N WEB
#重命名自定义链
[[email protected] ~ ]#iptables -E WEB WEB1
[[email protected] ~ ]#iptables -A WEB1 -p tcp --dport 443 -j ACCEPT
#在INPUT链中引用WEB1链,匹配的报文跳转到WEB1处理;类似函数调用
[[email protected] ~ ]#iptables -A INPUT -s 192.168.31.0/24 -j WEB1

#删除自定义链的步骤
#先删除INPUT链中引用WEB1的规则,取消关联
[[email protected] ~ ]#iptables -D INPUT 6
[[email protected] ~ ]#iptables -D INPUT 6
#清空自定义链WEB1中的规则
[[email protected] ~ ]#iptables -F WEB1
#删除自定义链WEB1
[[email protected] ~ ]#iptables -X WEB1

使用帮助:
CentOS 6: man iptables
CentOS 7: man iptables-extensions

multiport扩展
以离散方式定义多端口匹配,最多指定15个端口
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp -m multiport --dports 80,443,3306 -j ACCEPT
[[email protected] ~ ]#iptables -I INPUT 2 -p tcp -m multiport --dports 80,443,3306,21:23 -j ACCEPT

iprange扩展
指明连续的(但一般不是整个网络)ip地址范围
[[email protected] ~ ]#iptables -I INPUT 2 -m iprange --src-range 192.168.31.6-192.168.31.27 -j ACCEPT

mac扩展
指明源MAC地址
[[email protected] ~ ]#iptables -I INPUT 2 -m mac --mac-source 00:0C:29:67:2D:A3 -j ACCEPT

string扩展
对报文中的应用层数据做字符串模式匹配检测
[[email protected] ~ ]#iptables -R INPUT 2 -m string --algo bm --string "google" -j ACCEPT
[[email protected] ~ ]#iptables -A INPUT -m string --algo bm --string "google" -j ACCEPT

time扩展
根据将报文到达的时间与指定的时间范围进行匹配
[[email protected] ~ ]#iptables -I INPUT 2 -m time --timestart 1:00:00 --timestop 04:00:00 --weekdays 2,4,6 -j REJECT
[[email protected] ~ ]#iptables -I INPUT 2 -m time --timestart 6:00:00 --timestop 10:00:00 --weekdays 2,4,6 -j REJECT
[[email protected] ~ ]#man iptables-extensions

connlimit扩展
根据每个客户端IP的并发连接数量做匹配
可防止CC(Challenge Collapsar挑战黑洞)攻击
[[email protected] ~ ]#iptables -A INPUT -m connlimit --connlimit-above 100 -j REJECT

limit扩展
基于收发报文的速率做匹配
令牌桶过滤器
[[email protected] ~ ]#iptables -R INPUT 2 -m limit --limit 6/minute --limit-burst 5 -j ACCEPT
[[email protected] ~ ]#iptables -I INPUT 2 -p icmp -j REJECT

state扩展
根据“连接追踪机制”去检查连接的状态,较耗资源
[[email protected] ~ ]#iptables -A INPUT -m state --state NEW -j REJECT
[[email protected] ~ ]#iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
[[email protected] ~ ]#iptables -A INPUT -j REJECT
