1. Understanding iptables

2. iptables commands

2.1 Syntax

    iptables -t table command chain rules -j target

table: filter, nat or mangle; filter is assumed when -t is omitted.

Commands:

-L or --list: list the rules of a chain (all chains of the table when no chain is named)

[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-v shows packet and byte counters and the in/out interface columns; -n prints addresses and ports as numbers instead of resolving them. Resolving is slow and makes the firewall send DNS and /etc/services lookups for every rule, so -nv is the form to use when reviewing a rule set. (The rules in this listing are the ones built in section 2.3.)

[root@appex ~]# iptables -L FORWARD -nv
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       172.16.2.0/24        172.16.3.0/24        limit: avg 3/hour burst 1000
    0     0 ACCEPT     all  --  *      *       172.16.2.0/24        172.16.3.0/24        limit: avg 303/sec burst 5
    0     0 DROP       all  --  *      *       172.16.2.0/24        172.16.3.0/24        limit: avg 303/sec burst 5

-P or --policy: set the default policy of a built-in chain, i.e. the fate of a packet that matches no rule in it

[root@appex ~]# iptables -t filter -P FORWARD DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@appex ~]# iptables -t filter -P FORWARD ACCEPT
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The policy takes effect immediately. Setting -P INPUT DROP over SSH before an ACCEPT rule for that session exists cuts the session off, so policies are set last, after the allow rules are in place.

-A or --append: add a rule at the end of the chain

[root@appex ~]# iptables -t filter -A FORWARD -p icmp -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-I or --insert: insert a rule at the front of the chain (position 1), or at the position given after the chain name. Here -I FORWARD 2 places the ACCEPT rule at position 2, i.e. after the existing DROP rule, so ICMP is still dropped: rules are evaluated top to bottom and the first terminating match decides, which makes the order of rules the policy.

[root@appex ~]# iptables -t filter -I FORWARD 2 -p icmp -j ACCEPT
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-R or --replace: replace the rule at the given position

[root@appex ~]# iptables -t filter -R FORWARD 2 -p icmp -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-D or --delete: delete a rule, either by position or by repeating its specification (iptables -t filter -D FORWARD -p icmp -j DROP). Deleting by specification is the safer form in scripts, because positions shift whenever a rule is inserted or removed above.

[root@appex ~]# iptables -t filter -D FORWARD 2
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-F or --flush: delete all rules of a chain (every chain of the table when no chain is named). -F never touches the policy: after the flush the FORWARD chain is empty but still has policy DROP, so all forwarded traffic is now dropped. Flushing INPUT while its policy is DROP has the same effect on the administrator's own session.

[root@appex ~]# iptables -t filter -F
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
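The commands of this section applied in the order that does not lock a remote administrator out, as an added shell example that is not part of the original page. The management network, the SSH port and the use of the state match are assumptions; setting IPTABLES=echo makes the functions print the commands instead of running them, so the script can be checked without root.

```shell
#!/bin/sh
# Added example, not from the original page.  Builds the filter-table INPUT
# chain of a host in a lock-out-safe order and shows the safe ways to
# inspect and delete rules.  MGMT_NET is an assumed management network.
# IPTABLES=echo turns every call into a dry run that prints the command.

ipt() { ${IPTABLES:-iptables} "$@"; }

MGMT_NET=${MGMT_NET:-10.0.0.0/24}

build_input_rules() {
    # 1. Open the policy first: -F removes rules but never changes the
    #    policy, so flushing a chain whose policy is already DROP would cut
    #    off the SSH session running this script.
    ipt -t filter -P INPUT ACCEPT
    ipt -t filter -F INPUT
    # 2. Allow rules, in the order they should be hit.  Loopback and replies
    #    to our own connections go first because they are most of the traffic.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m state --state NEW -j ACCEPT
    ipt -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 3. Only now flip the policy: everything not accepted above is dropped.
    ipt -t filter -P INPUT DROP
}

# -n avoids reverse DNS and service-name lookups (slow, and they leak
# queries from the firewall); -v shows the in/out interfaces that plain -L
# hides; --line-numbers gives the positions that -I, -R and -D by number use.
show_input_rules() { ipt -t filter -L INPUT -nv --line-numbers; }

# Delete by repeating the rule specification rather than by position: the
# position of a rule changes whenever another rule is inserted before it.
drop_ping_rule() { ipt -t filter -D INPUT -p icmp --icmp-type echo-request -j ACCEPT; }

if [ "${APPLY:-0}" = 1 ]; then
    build_input_rules
    show_input_rules
fi
```

Run it as root with APPLY=1 sh firewall.sh; IPTABLES=echo APPLY=1 sh firewall.sh prints the eight commands it would issue, which is a cheap review step before touching a production host.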
2.2 iptables match options

-i or --in-interface: the interface the packet arrived on, e.g. eth0, eth1 (usable in INPUT, FORWARD and PREROUTING)
-o or --out-interface: the interface the packet leaves on, e.g. eth0, eth1 (usable in OUTPUT, FORWARD and POSTROUTING)

[root@appex ~]# iptables -t filter -I FORWARD -i eth0 -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Plain -L omits the interface columns, so this rule looks as if it dropped all forwarded traffic; -L -nv shows in=eth0 and out=*.

-p or --protocol: the protocol to match, e.g. tcp, udp, icmp
-s or --source: source address or network
-d or --destination: destination address or network
--sport: source port; a range is written as first:last
--dport: destination port; a range is written as first:last. --sport and --dport only exist for -p tcp and -p udp and must follow the -p option on the same rule.

[root@appex ~]# iptables -t filter -I FORWARD -p tcp -s 10.0.0.90/32 -d 10.0.0.80/32 --dport 3389 -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  10.0.0.90            10.0.0.80            tcp dpt:ms-wbt-server
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Without -n, port 3389 is printed under its /etc/services name, ms-wbt-server (RDP).

[root@appex ~]# iptables -t filter -I FORWARD -p tcp -s 10.0.0.0/24 -d 10.0.10.0/24 --dport 3389 -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  10.0.0.0/24          10.0.10.0/24         tcp dpt:ms-wbt-server
DROP       tcp  --  10.0.0.90            10.0.0.80            tcp dpt:ms-wbt-server
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Each -I without an index pushes the new rule to position 1, which is why the listing shows the rules in the reverse order of entry.
2.3 iptables extension options

The limit match (-m limit) caps how often a rule matches. It counts packets, not bytes, so it is a packet-rate limiter (useful against floods of SYN, ICMP or log entries), not a bandwidth shaper.

--limit rate: average rate of matches, written as n/second, n/minute, n/hour or n/day (default 3/hour)
--limit-burst n: size of the token bucket, i.e. how many packets may match at once before the average rate applies (default 5)

[root@appex ~]# iptables -t filter -F
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@appex ~]# iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j ACCEPT
[root@appex ~]# iptables -t filter -A FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j DROP   // intended to drop the excess
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  172.16.2.0/24        172.16.3.0/24        limit: avg 303/sec burst 5
DROP       all  --  172.16.2.0/24        172.16.3.0/24        limit: avg 303/sec burst 5

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

300/second is listed as 303/sec because the kernel stores the interval between tokens in units of 1/10000 s: 10000/300 is truncated to 33, and 10000/33 prints back as 303.

The DROP rule does not do what its comment says. Every limit match has its own token bucket, so the second rule drops only the first five excess packets and then 300 excess packets per second; anything above that matches neither rule and falls through to the chain policy, which is ACCEPT. A flood is therefore only partly dropped. To drop everything above the rate, the DROP rule must carry no limit match at all.

[root@appex ~]# iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit-burst 1000 -j ACCEPT
[root@appex ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  172.16.2.0/24        172.16.3.0/24        limit: avg 3/hour burst 1000
ACCEPT     all  --  172.16.2.0/24        172.16.3.0/24        limit: avg 303/sec burst 5
DROP       all  --  172.16.2.0/24        172.16.3.0/24        limit: avg 303/sec burst 5

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

--limit-burst without --limit keeps the default rate of 3/hour: this rule accepts the first 1000 packets and afterwards one packet every 20 minutes, with the rest of the traffic falling through to the two rules below it.
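A working use of the limit match for the same 172.16.2.0/24 to 172.16.3.0/24 traffic, as an added shell example that is not part of the original page: the ACCEPT rule carries the limit, the overflow is logged under a separate, much lower limit so the log itself cannot be flooded, and a DROP rule without any limit match catches the rest. Restricting the rules to ICMP echo requests is an assumption; IPTABLES=echo turns the calls into a dry run that prints them.

```shell
#!/bin/sh
# Added example, not from the original page: rate-limit ICMP echo requests
# forwarded from SRC_NET to DST_NET.  The point is the third rule, which has
# NO -m limit: a limit on the DROP rule would let the excess fall through to
# the chain policy.  IPTABLES=echo prints the commands instead of running them.

ipt() { ${IPTABLES:-iptables} "$@"; }

SRC_NET=${SRC_NET:-172.16.2.0/24}
DST_NET=${DST_NET:-172.16.3.0/24}

build_limit_rules() {
    # Bucket of 5 tokens refilled at 300/s: a burst of 5 packets is accepted
    # at once, after that 300 packets per second on average.
    ipt -t filter -A FORWARD -s "$SRC_NET" -d "$DST_NET" -p icmp --icmp-type echo-request \
        -m limit --limit 300/second --limit-burst 5 -j ACCEPT
    # LOG is non-terminating: the packet continues to the DROP rule below.
    # Its own limit keeps a flood from filling the log: one line per minute.
    ipt -t filter -A FORWARD -s "$SRC_NET" -d "$DST_NET" -p icmp --icmp-type echo-request \
        -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "icmp-flood: "
    # No -m limit here: everything the ACCEPT rule had no token for is dropped.
    ipt -t filter -A FORWARD -s "$SRC_NET" -d "$DST_NET" -p icmp --icmp-type echo-request -j DROP
}

if [ "${APPLY:-0}" = 1 ]; then
    build_limit_rules
fi
```

The same three-rule shape (limited ACCEPT, limited LOG, unconditional DROP) is the usual pattern for SYN floods with -p tcp --syn and for ping floods; the log prefix makes the dropped traffic easy to pull out of the kernel log during an incident.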
2.4 Targets

-j names the target, i.e. what happens to a matching packet. Common targets: ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR (obsolete and removed from modern kernels), QUEUE, RETURN, MARK.

Main targets usable in the filter table:

ACCEPT: let the packet through; no further rules of this chain are evaluated and the packet proceeds to the next chain or table on its path.
REJECT: block the packet and send an error back to the sender (by default an ICMP port-unreachable; --reject-with tcp-reset for TCP); filtering stops here.
DROP: discard the packet silently; filtering stops here. DROP reveals nothing to a scanner, while for clients on a trusted network REJECT fails fast instead of leaving them waiting for a timeout.

LOG and MARK (and the TTL target in section 5) are non-terminating: after them the packet continues with the next rule.

3. Saving and restoring iptables settings

Rules set with the iptables command live only in the kernel and are gone after a reboot.

3.1 Save the running rules to the configuration file (RHEL/CentOS 6 init script; this is the file the iptables service loads at boot)

[root@appex ~]# /etc/rc.d/init.d/iptables save

3.2 View the configuration file

[root@appex ~]# cat /etc/sysconfig/iptables

3.3 Save the rules to an arbitrary file and load them back

[root@appex ~]# iptables-save > iptables.conf1
[root@appex ~]# iptables-restore < iptables.conf1

iptables-restore replaces the entire rule set of every table listed in the file in one atomic step; with -n (--noflush) the file's rules are added on top of the existing ones instead.

4. Configuring NAT

First add a second address to eth0, so that SNAT can use a range of two source addresses; replies to 10.0.0.81 would otherwise never be received by this host.

[root@appex ~]# ifconfig eth0:0 10.0.0.81 netmask 255.255.255.0
[root@appex ~]# ip addr show eth0:0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:21:85:0e brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.80/24 brd 10.0.0.255 scope global eth0
    inet 10.0.0.81/24 brd 10.0.0.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fe21:850e/64 scope link
       valid_lft forever preferred_lft forever
[root@appex ~]# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

[root@appex ~]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j SNAT --to-source 10.0.0.80-10.0.0.81
[root@appex ~]# iptables -t nat -L POSTROUTING -nv
Chain POSTROUTING (policy ACCEPT 3 packets, 205 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    10.0.10.0/24         0.0.0.0/0            to:10.0.0.80-10.0.0.81

Packets from 10.0.10.0/24 that leave through eth0 get their source address rewritten to 10.0.0.80 or 10.0.0.81; connection tracking reverses the translation on the replies, which is why only the first packet of a connection is counted by the rule. The rule alone does not make the host a gateway: net.ipv4.ip_forward must be set to 1, and with the FORWARD policy set to DROP in section 2.1 the FORWARD chain also needs rules that allow the LAN's outbound connections and their replies. Use -j MASQUERADE instead of SNAT when the outside address is assigned dynamically.
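The complete configuration that turns the host of section 4 into a stateful NAT gateway and persists it as in section 3, as an added shell example that is not part of the original page. The interface names (eth0 outside, eth1 inside), the networks and the address range are assumptions that follow the page's addresses; IPTABLES=echo and SYSCTL=echo turn the calls into a dry run that prints the commands.

```shell
#!/bin/sh
# Added example, not from the original page: make this host a stateful NAT
# gateway for LAN_NET and save the result.  Interface names, networks and
# the SNAT address range are assumptions matching the page's example.
# IPTABLES=echo and SYSCTL=echo print the commands instead of running them.

ipt()      { ${IPTABLES:-iptables} "$@"; }
sysctl_w() { ${SYSCTL:-sysctl} -w "$@"; }

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.10.0/24}
WAN_IPS=${WAN_IPS:-10.0.0.80-10.0.0.81}   # both addresses must exist on $WAN_IF

build_nat_gateway() {
    # Without forwarding enabled the FORWARD chain and the POSTROUTING SNAT
    # rule never see a transit packet.
    sysctl_w net.ipv4.ip_forward=1
    # Source NAT for LAN traffic leaving on the outside interface; conntrack
    # reverses the translation for replies.  Use -j MASQUERADE instead of
    # SNAT when the outside address is dynamic.
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IPS"
    # Transit policy: the LAN may open connections outward; from outside only
    # packets belonging to those connections are let back in.  Policy ACCEPT
    # while the chain is rebuilt, DROP as the last step (see section 2.1).
    ipt -t filter -P FORWARD ACCEPT
    ipt -t filter -F FORWARD
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -P FORWARD DROP
}

# Persist the running rules (section 3).  The default path is the file the
# RHEL/CentOS 6 iptables service loads at boot.
save_rules() { ${IPTABLES_SAVE:-iptables-save} > "${1:-/etc/sysconfig/iptables}"; }

if [ "${APPLY:-0}" = 1 ]; then
    build_nat_gateway
    save_rules
fi
```

The -i/-o pair on each FORWARD rule matters: without it a host on the outside could send packets with a 10.0.10.0/24 source through the first rule, because -s alone does not check which interface the packet came in on.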
5. Using the mangle table

The TTL target, which exists only in the mangle table, rewrites the TTL field of the IP header:

--ttl-inc n: increase the TTL by n
--ttl-dec n: decrease the TTL by n
--ttl-set n: set the TTL to n

[root@appex ~]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

[root@appex ~]# iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-inc 1
[root@appex ~]# iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-dec 2
[root@appex ~]# iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 40
[root@appex ~]# iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TTL        all  --  anywhere             anywhere             TTL decrement by 2
TTL        all  --  anywhere             anywhere             TTL increment by 1
TTL        all  --  anywhere             anywhere             TTL set to 40

All three rules match every packet arriving on eth0, and TTL is a non-terminating target, so a packet passes through them in the order listed: decrement by 2, increment by 1, set to 40. The net effect is simply a TTL of 40, and the two -I rules are dead code. Setting or incrementing the TTL lets a packet outlive the hop limit its sender gave it, so a routing loop that would otherwise expire can circulate indefinitely; the iptables manual warns never to set or increment the TTL of packets that leave the local network. --ttl-set on traffic entering from the LAN is sometimes used on a NAT gateway so that every internal host shows the same TTL to the outside, but decrementing is the only form that is generally safe.