iptables
iptables基本语法
iptables应用
-L 不指定 -t 时默认查看 filter 表，即下面这三条链
[root@qq ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@qq ~]#
查看nat表
[root@qq ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@qq ~]#
查看mangle表
[root@qq ~]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@qq ~]#
查看raw表
[root@qq ~]# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@qq ~]#
CentOS 7的表
[root@xx ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@xx ~]#
删除用户自定义的空链
[root@xx ~]# iptables -X
在 filter 表中添加自定义链
[root@xx ~]# iptables -t filter -N IN_putlic
[root@xx ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain IN_putlic (0 references)
target prot opt source destination
[root@xx ~]#
给未使用的自定义链改名
[root@xx ~]# iptables -t filter -E IN_putlic OUT_public
[root@xx ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain OUT_public (0 references)
target prot opt source destination
[root@xx ~]#
修改filter表中FORWARD链默认策略为DROP
[root@xx ~]# iptables -t filter -P FORWARD DROP
[root@xx ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@xx ~]#
更改回来:
[root@xx ~]# iptables -t filter -P FORWARD ACCEPT
[root@xx ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@xx ~]#
显示每个链下面规则的编号
[root@xx ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
删除INPUT链里面的第五条规则
[root@xx ~]# iptables -D INPUT 5
[root@xx ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
-x：不对计数做单位换算，显示精确的包数和字节数
[root@xx ~]# iptables -L -n -v -x
Chain INPUT (policy ACCEPT 1 packets, 229 bytes)
pkts bytes target prot opt in out source destination
379 2××× ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 153 packets, 24335 bytes)
pkts bytes target prot opt in out source destination
[root@xx ~]#
让任意IP能够访问10.201.106.130的tcp协议（未指定端口，即放通全部TCP端口）
[root@xx ~]# iptables -t filter -A INPUT -d 10.201.106.130 -p tcp -j ACCEPT
[root@xx ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 10.201.106.130
放行本机发出的所有TCP流量
[root@xx ~]# iptables -t filter -A OUTPUT -s 10.201.106.130 -p tcp -j ACCEPT
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 976 ACCEPT tcp -- * * 10.201.106.130 0.0.0.0/0
将INPUT、OUTPUT、FORWARD三条链的默认策略改为DROP；由于之前已经放通了所有TCP协议，所以ssh没有断开
[root@xx ~]# iptables -P INPUT DROP
[root@xx ~]# iptables -P OUTPUT DROP
[root@xx ~]# iptables -P FORWARD DROP
[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1098 82320 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.201.106.130
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
140 15988 ACCEPT tcp -- * * 10.201.106.130 0.0.0.0/0
[root@xx ~]#
清空所有规则（-F 只清空规则，不会改变链的默认策略；默认策略已是DROP时要先放通管理连接再清空）
[root@xx ~]# iptables -F
允许icmp(ping)
INPUT和OUTPUT默认策略都是DROP时，防火墙需要做双向（进、出）规则
[root@xx ~]# iptables -A INPUT -d 10.201.106.130 -p icmp -j ACCEPT
[root@xx ~]# iptables -A OUTPUT -s 10.201.106.130 -p icmp -j ACCEPT
限定流入流出的网络接口
1、首先删除之前的icmp规则
[root@xx ~]# iptables -D OUTPUT 2
[root@xx ~]# iptables -D INPUT 6
[root@xx ~]# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 ACCEPT tcp -- 0.0.0.0/0 10.201.106.130
Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 10.201.106.130 0.0.0.0/0
[root@xx ~]#
2、设置报文流入流出的网络接口
[root@xx ~]# iptables -A INPUT -d 10.201.106.130 -i eth0 -j ACCEPT
[root@xx ~]# iptables -A OUTPUT -s 10.201.106.130 -o eth0 -j ACCEPT
[root@xx ~]#
3、加-v查看列表，in、out列已经限定了流入流出的网络接口（注意这两条规则未限定协议和端口，会放通eth0上的全部流量）
[root@xx ~]# iptables -L -n --line-numbers -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2088 156K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 2 120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.201.106.130
6 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 10.201.106.130
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 876 88688 ACCEPT tcp -- * * 10.201.106.130 0.0.0.0/0
2 0 0 ACCEPT all -- * eth0 10.201.106.130 0.0.0.0/0
[root@xx ~]#
iptables插入规则
1、放通本机的SSH流量
1.1
[root@xx ~]# iptables -I INPUT -d 10.201.106.130 -p tcp --dport 22 -j ACCEPT
[root@xx ~]# iptables -I OUTPUT -s 10.201.106.130 -p tcp --sport 22 -j ACCEPT
[root@xx htdocs]# iptables -L -n --line-numbe
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 10.201.106.130
2 ACCEPT tcp -- 0.0.0.0/0 10.201.106.130 tcp dpt:22
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 10.201.106.130 0.0.0.0/0
2 ACCEPT tcp -- 10.201.106.130 0.0.0.0/0 tcp spt:22
1.2 确认httpd服务已启动，用于测试
[root@xx ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-08-25 21:16:59 CST; 3 weeks 1 days ago
Docs: man:httpd(8)
1.3 将三条链的默认策略改为DROP并删除放通全部TCP的规则后
[root@xx htdocs]# iptables -t filter -P FORWARD DROP
[root@xx htdocs]# iptables -t filter -P INPUT DROP
[root@xx htdocs]# iptables -t filter -P OUTPUT DROP
[root@xx htdocs]# iptables -D INPUT 1
[root@xx htdocs]# iptables -D OUTPUT 1
[root@xx htdocs]# iptables -L -n --line-numbe
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 10.201.106.130 tcp dpt:22
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 10.201.106.130 0.0.0.0/0 tcp spt:22
[root@xx htdocs]#
2、只允许自己ping出去,不许ping进来（出方向只放行icmp类型8 echo-request，入方向只放行icmp类型0 echo-reply）
[root@xx htdocs]# iptables -A OUTPUT -s 10.201.106.130 -p icmp --icmp-type 8 -j ACCEPT
[root@xx htdocs]# iptables -A INPUT -d 10.201.106.130 -p icmp --icmp-type 0 -j ACCEPT
测试:
[root@xx htdocs]# ping 10.201.106.1
PING 10.201.106.1 (10.201.106.1) 56(84) bytes of data.
64 bytes from 10.201.106.1: icmp_seq=1 ttl=64 time=0.550 ms
64 bytes from 10.201.106.1: icmp_seq=2 ttl=64 time=0.542 m
客户端测试: