获取帮助:
centos 6 :man iptables
centos 7: man iptables-extensions
扩展匹配:
隐式扩展:当使用 -p 指定某一协议之后,协议自身所支持的扩展就叫做隐式扩展。使用 [tcp|udp|icmp] 指定某特定协议后,自动能对该协议进行扩展,可省略 -m 选项
-p tcp
--dport PORT[:PORT] :目标端口匹配(单个端口或用冒号表示的连续端口范围)
--sport PORT[:PORT] :源端口匹配
--tcp-flags mask comp:检查 mask 中列出的标志位,要求 comp 中列出的为 1、mask 中其余的为 0
可用标志:SYN ,ACK ,FIN ,RST ,PSH ,URG
--syn :简写,等价于 --tcp-flags SYN,ACK,FIN,RST SYN,匹配新建连接时的第一个请求报文
-p udp
--dport
--sport
-p icmp
--icmp-type
0: echo-reply
8: echo-request
#只允许本机 ping 别人(放行进入的 echo-reply),本机不响应别人的 ping 请求
iptables -I INPUT -d 192.168.100.230 -p icmp --icmp-type 0 -j ACCEPT
[root@nginx etc]# iptables -I INPUT -d 10.2.61.22 -p tcp --dport 22 -j ACCEPT
[root@nginx etc]#
[root@nginx etc]# iptables -I OUTPUT -s 10.2.61.22 -p tcp --sport 22 -j ACCEPT
[root@nginx etc]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
158 12612 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:22
1153 83636 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22
9 700 ACCEPT all -- ens192 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 1688 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22
895 90672 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0
13 1004 ACCEPT all -- * ens192 0.0.0.0/0 0.0.0.0/0
[root@nginx etc]# iptables -I INPUT -d 10.2.61.22 -p tcp --dport 22:8080 -j ACCEPT #端口范围 22 到 8080(连续范围用冒号;离散的多个端口要用 multiport 扩展)
[root@nginx etc]# iptables -A INPUT -d 10.2.61.22 -p icmp --icmp-type 0 -j ACCEPT #INPUT 允许应答报文 ,只能自己ping 别人,不响应ping
[root@nginx etc]# iptables -A OUTPUT -s 10.2.61.22 -p icmp --icmp-type 8 -j ACCEPT #OUTPUT 允许请求报文
显示扩展:必须要明确指定的扩展模块
-m
1.multiport 扩展
以离散方式定义多端口匹配,最多15 个端口
[!] --source-ports,--sports port[,port|,port:port]...#指明多个源端口
[!] --destination-ports,--dports port[,port|,port:port]...#指明多个目标端口
[!] --ports port[,port|,port:port]... #同时匹配源和目的端口
例子: 同时放行 22,80 端口
iptables -I INPUT -s 192.168.0.0/16 -d 192.168.100.230 -p tcp -m multiport --dports 80,22 -j ACCEPT
[root@nginx /]# iptables -I INPUT -d 10.2.61.22 -p tcp -m multiport --dports 22,80 -j ACCEPT
[root@nginx /]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 10.2.61.22 multiport dports 22,80
[root@nginx /]# iptables -I OUTPUT -s 10.2.61.22 -p tcp -m multiport --sports 22,80 -j ACCEPT
[root@nginx /]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
446 38871 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 22,80
2341 192K ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpts:22:8080
732 57576 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 544 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 22,80
2499 463K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22
0 0 ACCEPT icmp -- * * 10.2.61.22 0.0.0.0/0 icmptype 8
[root@nginx /]#
2.iprange 扩展
指明连续的 IP 地址范围,用于无法用一个网段(CIDR)表示的起止地址区间
[!] --src-range from[-to] #连续的源地址范围
[!] --dst-range from[-to] #连续的目的地址范围
iptables -I INPUT -d 192.168.100.230 -p tcp -m multiport --dports 22:23,25,80 -m iprange --src-range 192.168.100.2-192.168.100.199 -j ACCEPT
iptables -I OUTPUT -s 192.168.100.230 -p tcp -m multiport --sports 22:23,25,80 -m iprange --dst-range 192.168.100.2-192.168.100.199 -j ACCEPT
[root@nginx ~]# iptables -I INPUT -d 10.2.61.22 -p tcp -m multiport --dports 8080,8090 -m iprange --src-range 10.2.61.1-10.2.61.100 -j ACCEPT #地址范围在一个 C 段中
[root@nginx ~]# iptables -I OUTPUT -s 10.2.61.22 -p tcp -m multiport --sports 8080,8090 -m iprange --dst-range 10.2.61.1-10.2.61.100 -j ACCEPT
3.string 扩展
检查报文载荷中出现的字符串(只对明文载荷有效,TLS 等加密流量无法匹配)
--algo {bm|kmp}
bm = Boyer-Moore,
kmp = Knuth-Morris-Pratt
--from offset #从报文的第 offset 字节开始查找(起始偏移)
--to offset #查找到报文的第 offset 字节为止(结束偏移)
[!] --string pattern
iptables -I OUTPUT -m string --algo bm --string 'test' -j LOG
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
iptables -I OUTPUT -s 192.168.100.150 -m string --algo bm --string 'test' -j REJECT
[root@nginx ~]# iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /' -j LOG
[root@nginx ~]# tail -f /var/log/messages
Feb 19 02:50:54 nginx systemd-logind: New session 1882 of user root.
Feb 19 02:50:54 nginx systemd: Starting Session 1882 of user root.
Feb 19 03:01:01 nginx systemd: Started Session 1883 of user root.
Feb 19 03:01:01 nginx systemd: Starting Session 1883 of user root.
Feb 19 03:24:42 nginx systemd-logind: Removed session 1882.
Feb 19 03:24:58 nginx systemd: Started Session 1884 of user root.
Feb 19 03:24:58 nginx systemd-logind: New session 1884 of user root.
Feb 19 03:24:58 nginx systemd: Starting Session 1884 of user root.
Feb 19 03:53:52 nginx kernel: IN=ens192 OUT= MAC=00:0c:29:a9:72:71:00:0c:29:73:98:2f:08:00 SRC=10.2.61.21 DST=10.2.61.22 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=59396 DF PROTO=TCP SPT=36804 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Feb 19 03:56:36 nginx kernel: IN=ens192 OUT= MAC=00:0c:29:a9:72:71:00:0c:29:73:98:2f:08:00 SRC=10.2.61.21 DST=10.2.61.22 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=7382 DF PROTO=TCP SPT=36806 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
4.time 扩展 :按时间段匹配报文
-m time --weekdays Sa,Su
-m time --datestart 2007-12-24 --datestop 2007-12-27
-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59
-m time --timestart 12:30 --timestop 13:30
-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28
-m time --weekdays Mo --timestart 23:00 --timestop 01:00
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] #起始日期
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] #结束日期
#限制在某个时间段内拒绝某些请求
iptables -I INPUT -d 192.168.100.230 -p tcp --dport 80 -m time --timestart 14:00 --timestop 16:00 -j REJECT
#一周内固定时间限制
iptables -I FORWARD -s 172.17.1.132 -d 192.168.1.119 -m time --timestart 09:40 --timestop 09:59 --weekdays Wed,Thu -j DROP
[root@nginx ~]# iptables -I INPUT -p tcp -d 10.2.61.22 --dport 80 -m time --timestart 20:00 --timestop 06:00 -j REJECT #晚上八点到早上六点禁止访问;注意 time 扩展默认按 UTC 判断时间(见下方 -L 输出中的 UTC),要按本机时区需加 --kerneltz
5.connlimit #并发连接数限制,按单个地址或者地址块统计
[!] --connlimit-above n #已有连接数超过 n 时匹配
--connlimit-upto n #已有连接数不超过 n(≤ n)时匹配
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 2 -j REJECT
iptables -I INPUT -d 192.168.100.230 -p tcp --syn --dport 22 -m connlimit --connlimit-above 4 -j REJECT
[root@nginx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 152 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 3 reject-with icmp-port-unreachable
514 42092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable
2 228 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 STRING match "GET /" ALGO name bm TO 65535 LOG flags 0 level 4
7 379 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100
23 1189 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.0.0.1-10.0.0.255
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080:8090 source IP range 10.0.0.1-10.0.0.255
0 0 tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 15 packets, 1106 bytes)
pkts bytes target prot opt in out source destination
6 1102 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100
16 2176 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100
0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.0.0.1-10.0.0.255
0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080:8090 destination IP range 10.0.0.1-10.0.0.255
3521 586K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 22,80
2499 463K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22
0 0 ACCEPT icmp -- * * 10.2.61.22 0.0.0.0/0 icmptype 8
[root@nginx ~]# iptables -I INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT #限制 ssh 新建连接数量为 3,首先需要有放行的策略,否则全部被拒绝 -.-
[root@nginx ~]# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT #插入到第 1 条;注意这样 ACCEPT 排在 connlimit 的 REJECT 之前,22 端口的报文先被放行,连接数限制实际不会生效(见下方 -L 输出中两条规则的顺序和计数),应让 REJECT 排在 ACCEPT 之前
6.limit 扩展
基于收发报文的速率做检查
令牌桶过滤器:
--limit rate[/second|/minute|/hour|/day]
--limit-burst number #令牌桶的初始容量(允许的峰值),桶内令牌用完后按 --limit 指定的速率补充
iptables -A INPUT -d 192.168.100.230 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 30/minute -j ACCEPT
#限制 icmp ping 包峰值 5 个 ,每分钟30 个。
7.state 扩展
根据连接追踪机制检查连接的状态
调整连接追踪功能所能容纳的最大连接数量
/proc/sys/net/nf_conntrack_max #追踪连接的最大限制
cat /proc/net/nf_conntrack #追踪信息
#不同协议或连接状态的追踪超时时长
/proc/sys/net/netfilter/
[root@nginx ~]# cat /proc/sys/net/netfilter/nf_conntrack_max #centos7 查看连接追踪最大限制
65536
可追踪的连接状态:
NEW :新发出的请求,连接追踪表中不存在此连接的相关信息,因此识别为第一次发起的请求
ESTABLISHED :NEW 状态之后,连接追踪表中为其建立的条目失效之前这段时间内所进行的通信状态
RELATED :相关的连接,如 ftp 协议的命令连接和数据连接之间的关系叫做相关连接
INVALID :无法识别的连接
--state state
--state STATE1,STATE2
iptables -I INPUT -p tcp -d 192.168.100.230 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#访问本机 80 端口,只放行 NEW 和 ESTABLISHED 状态的连接;本机 80 端口发出的回应报文只放行 ESTABLISHED 状态
[root@nginx ~]# iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@nginx ~]# iptables -I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
[root@nginx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
7 374 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
1619 129K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3 152 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 3 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable
2 228 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 STRING match "GET /" ALGO name bm TO 65535 LOG flags 0 level 4
7 379 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100
23 1189 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.0.0.1-10.0.0.255
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080:8090 source IP range 10.0.0.1-10.0.0.255
0 0 tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 0
252 25105 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.100.230 icmptype 8 limit: avg 30/min burst 5
151 12612 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 8 limit: avg 30/min burst 5
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
6 1102 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
6 1102 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100
16 2176 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100
0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.0.0.1-10.0.0.255
0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080:8090 destination IP range 10.0.0.1-10.0.0.255
5219 899K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 22,80
2499 463K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22
0 0 ACCEPT icmp -- * * 10.2.61.22 0.0.0.0/0 icmptype 8
125 10428 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
[root@nginx ~]# iptables -L -n --line-number
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED #iptables 规则从上往下匹配,NEW 状态只在第一个报文出现,把 ESTABLISHED 放在第一位可以让后续报文尽早命中,减少遍历规则的开销
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080,8090,8888 state NEW
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED #OUTPUT 只放行 ESTABLISHED 状态,即 INPUT 已允许进入的连接,其回应报文才允许出去
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
[root@nginx ~]#