29 Dec 2014
简介:
linux防火墙主要分为两种,TCP Wrapper(根据程序管控)和netfilter(根据封包过滤),其中netfilter机制下的工具既为iptables,是通过直接分析封包表头资料来打过过滤的效果。
作用:ipv4过滤和network address translation的管理工具
语法:
iptables [-t table][-A|-I|-D] chaintype [-p protocol] [-s sourceIP] [--dport port number] -j 规则
iptables [-t table] {-A|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
参数:
-nvL 查看表规则,n为Numeric数字格式输出,v为Verbose冗长格式输出,L为list当前表规则-t table指定表,默认filter表-F flush清空规则-Z zero清空计数器-I insert插入一条规则-A append增加一条规则-D delete删除指定的规则-p protocol指定协议TCP\UDP\ICMP等-P policy默认策略 accpet或drop-s 源ip--dport 端口号--line-numbers 查看规则行号iptables服务相关操作:
service iptables restartservice iptables save(保存到/etc/sysconfig/iptables)iptables-save > filenameiptables-restore < filenametable与chain:
4表5链(优先级,raw>mangle>nat>filter)
raw-将访问的包不做跟踪,主要用来处理大量连接的情况,避免ip_conntrack出现表满报错的情况
用法举例:
## -A与-I增加规则的区别 # -A增加的是在最后 iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT iptables -L INPUT Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:ssh # -I 添加的规则在最上面 iptables -I INPUT -p tcp -s 172.16.0.0/24 --dport 22 -j ACCEPT iptables -L INPUT Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 172.16.0.0/24 anywhere tcp dpt:ssh ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited ## 在同一个chain(INPUT)里规则排在上下的区别 # 规则的匹配是由上至下的; # 匹配到了第一条满足的规则后即执行离开,不再匹配下面的规则 # INPUT<--data content # | # ---------- # RULE 1 -- 执行 1 # ... # RULE 2 --执行 2 # ... # RULE 3 --执行 3 # ... # ---------- # 假如你有两条规则,一条是全部接收,一条是全部抛弃,则在上面的生效 # -F清空规则 iptables -F iptables -nvL Chain INPUT (policy ACCEPT 28 packets, 2016 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 16 packets, 1696 bytes) pkts bytes target prot opt in out source destination # iptables配置文件,默认的规则 # 重启服务,配置文件中的配置会重新加载 service iptables restart iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Flushing firewall rules: [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ] iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 6 432 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes) pkts bytes target prot opt in out source destination # 查看配置文件规则 cat /etc/sysconfig/iptables # Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # --line-numbers查看行号,然后根据规则行号操作规则 iptables --line-numbers -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 204 17168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 345 32182 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 128 packets, 19904 bytes) num pkts bytes target prot opt in out source destination # 指定行号 -Z清除其计数器 iptables -Z INPUT 1 iptables --line-numbers -nvL INPUT |grep 1 1 6 11704 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED # 指定行号 -D删除该规则 iptables -D INPUT 10
线上机器实践过程
# iptables文件并未存在,可能是因为线上机器从来没有开过iptables服务的原因 cd /etc/sysconfig/ ls iptables # 启动iptables服务,然后手工save规则 service iptables start service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] # 编辑配置文件来修改默认规则 vi iptables ************************************** # Generated by iptables-save v1.4.7 on Wed Feb 4 03:41:46 2015 *raw :PREROUTING ACCEPT [830056:419977881] :OUTPUT ACCEPT [762900:149099657] COMMIT # Completed on Wed Feb 4 03:41:46 2015 # Generated by iptables-save v1.4.7 on Wed Feb 4 03:41:46 2015 *nat :PREROUTING ACCEPT [35775:2152330] :POSTROUTING ACCEPT [33531:2422620] :OUTPUT ACCEPT [33531:2422620] COMMIT # Completed on Wed Feb 4 03:41:46 2015 # Generated by iptables-save v1.4.7 on Wed Feb 4 03:41:46 2015 *mangle :PREROUTING ACCEPT [830056:419977881] :INPUT ACCEPT [830056:419977881] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [762900:149099657] :POSTROUTING ACCEPT [762900:149099657] COMMIT # Completed on Wed Feb 4 03:41:46 2015 # Generated by iptables-save v1.4.7 on Wed Feb 4 03:41:46 2015 *filter :INPUT ACCEPT [830056:419977881] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [762900:149099657] COMMIT # Completed on Wed Feb 4 03:41:46 2015 ************************************** # 编辑完重启服务 service iptables restart