1.1 iptables command help
```
[root@centos6 ~]# iptables -h        # full details: man iptables
iptables v1.4.7

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
# either the long or the short form of every option can be used
Either long or short options are allowed.
# add a rule to the given chain; by default it goes after the last existing rule
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
# delete the matching rule from the given chain
  --delete  -D chain            Delete matching rule from chain
# delete the rule with the given number in the chain (1 = first)
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
# insert a rule into the given chain; by default as the first rule, or at the given position
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
# list the rules currently loaded
  --list    -L [chain [rulenum]]    List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]] Print the rules in a chain or all chains
# delete all rules; the chain's default policy is left untouched
  --flush   -F [chain]          Delete all rules in chain or all chains
# zero the chain's counters (packet counter and byte counter)
  --zero    -Z [chain [rulenum]]    Zero counters in chain or all chains
# create a new user-defined chain
  --new     -N chain            Create a new user-defined chain
# delete a user-defined chain
  --delete-chain -X [chain]     Delete a user-defined chain
# change the chain's default policy, applied when no rule matches
  --policy  -P chain target     Change policy on chain to target
  --rename-chain -E old-chain new-chain
                                Change chain name, (moving any references)

Options:
# protocol of the traffic to match (tcp|udp|icmp)
[!] --proto       -p proto      protocol: by number or name, eg. `tcp'
# source address or network of the traffic
[!] --source      -s address[/mask][...]
                                source specification
# destination address or network of the traffic
[!] --destination -d address[/mask][...]
                                destination specification
# interface the traffic comes in on (can only be used in the INPUT chain)
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
# action to take (ACCEPT|DROP|REJECT)
  --jump        -j target       target for rule (may load target extension)
  --goto        -g chain        jump to chain with no return
# load an extension match module
  --match       -m match        extended match (may load extension)
# show addresses and ports as numbers when listing rules
  --numeric     -n              numeric output of addresses and ports
# interface the traffic goes out on (can only be used in the OUTPUT chain)
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
# table whose rules to list or change (filter is used when -t is omitted)
  --table       -t table        table to manipulate (default: `filter')
# show detailed rule information
  --verbose     -v              verbose mode
# show each rule's number when listing rules
  --line-numbers                print line numbers when listing
# show exact counter values instead of abbreviated ones
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
# print the iptables package version
[!] --version   -V              print package version.
```
1.2 Firewall-related kernel modules
1.2.1 Kernel modules loaded by iptables by default
```
[root@centos6 ~]# lsmod | egrep "nat|filter|ipt"
iptable_nat             5923  0
nf_nat                 22676  1 iptable_nat
ip6table_filter         2889  1
ip6_tables             18796  1 ip6table_filter
nf_conntrack_ipv4       9186  5 iptable_nat,nf_nat
nf_conntrack           79537  5 iptable_nat,nf_nat,nf_conntrack_ipv6,nf_conntrack_ipv4,xt_state
iptable_filter          2793  1
ip_tables              17895  2 iptable_nat,iptable_filter
ipt_REJECT              2383  2
```
1.2.2 Loading the firewall modules into the kernel
```
# firewall-related modules
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state        <- loading this module can be skipped on CentOS 6
```
```
[root@centos6 ~]# modprobe nf_conntrack
[root@centos6 ~]# lsmod | egrep "nf"
nf_conntrack_ipv6       7985  3
nf_defrag_ipv6         26468  1 nf_conntrack_ipv6
nf_conntrack           79537  2 nf_conntrack_ipv6,xt_state
ipv6                  336368 267 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
```
1.2.3 Notes on the modules shown by lsmod
- Module descriptions:

| Module | Description |
| --- | --- |
| ip_tables | Core module of the firewall. It maintains the rule tables through which the firewall's core functions are implemented; these fall into three groups: packet filtering (filter), NAT, and packet mangling (mangle) |
| iptable_filter | Packet filtering module: filters packets and lets permitted ones through |
| iptable_nat | Packet forwarding module: modifies packets so that they can be forwarded (NAT) |
| ip_conntrack | Mainly used to modify application-layer protocol control packets; its most important role is making NAT work |
| ip_conntrack_ftp | Module for NAT mapping of the FTP service |
| ip_nat_ftp | Module for NAT mapping of the FTP service |
| ipt_state | Firewall connection-state module; on newer CentOS 6 systems it no longer needs to be loaded |
1.3 Testing iptables rules
1.3.1 Starting iptables and checking its status
```
[root@centos6 ~]# service iptables start
[root@centos6 ~]# /etc/init.d/iptables start
```
- Start iptables and check its status
```
[root@centos6 ~]# service iptables start
[root@centos6 ~]# service iptables status
Table: filter                        # the default table is filter
Chain INPUT (policy ACCEPT)          # the policy is what applies when no rule matches
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
# the rules above belong to the INPUT chain

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
# the rules above belong to the FORWARD chain

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# the OUTPUT chain currently has no rules
```
1.3.2 Fixing iptables when it will not start
1.3.2.1 No config file
Symptom:
```
[root@centos6 ~]# service iptables start
iptables: No config file.                                  [WARNING]
```
Solution:
Run setup -> Firewall configuration -> select Enabled
1.3.2.2 The Enabled option cannot be turned on
Symptom:
```
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
```
Solution:
Start the system message bus service; it can also be set to start at boot:
```
[root@centos6 ~]# dbus-daemon --system
# dbus is a message bus that applications use to pass messages to each other; dbus-daemon is its daemon
# add the line "dbus-daemon --system" at the end of rc.sysinit so that avahi does not fail at boot
```
Character set issue
1.3.3 Clearing the default rules
```
iptables -F    # delete all rules; the default policies are left untouched
iptables -X    # delete user-defined chains
iptables -Z    # zero the chain counters (packet counter and byte counter)
```
- Clear the rules
```
[root@test ~]# iptables -F
[root@test ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
1.3.4 Configuring block rules
- Block the default SSH port 22
```
[root@centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 456 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
- Command notes:
  - The default table is filter, so -t filter can be omitted
  - INPUT and DROP must be written in upper case
  - -p accepts all, tcp, udp and icmp; the default is all
  - --jump / -j basic actions: ACCEPT (accept), DROP (discard), REJECT (refuse)
  - Comparison: DROP is preferable to REJECT; a reply means the packet was rejected, no reply means it was dropped
  - Rules entered on the command line only take effect temporarily, in memory
- Recovering the SSH connection that the rule above just cut off:
  - Go to the server room and reboot, or log in on the console and delete the block rule just added
  - Ask server-room staff to reboot the server, or to log in with the account password
  - Use the server's remote management card (recommended)
  - Beforehand, create a cron job that stops the firewall every 5 minutes
  - Test in a lab environment first, write the commands into a script, then run it in bulk
```
# use -I to put an ACCEPT for port 22 in first position, ahead of the DROP added earlier
[root@centos6 ~]# iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  123 10872 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 456 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Tip:
The choice between -I and -A matters because the firewall evaluates rules in order:
- -A appends the rule to the end of the given chain, as its last rule
- -I inserts the rule at the head of the given chain, as its first rule; a position can also be given
Production use of -A and -I:
When blocking an IP address or applying a policy, -I is generally the parameter to use, because it places the rule at the top of the list so the block is evaluated first. With -A the rule may conflict with an earlier rule, and the IP is then never blocked.
- Deleting surplus rules
- Method 1: delete by rule number:
```
[root@centos6 ~]# iptables -D INPUT 2
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
```
- Method 2: delete by matching the rule specification:
```
[root@centos6 ~]# iptables -t filter -D INPUT -p tcp --dport 22 -j DROP
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
```
- Matching a port range
- Block every port from 23 to 80:
```
[root@centos6 ~]# iptables -A INPUT -p tcp --dport 23:80 -j DROP
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 2104 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   312 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:23:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23 packets, 4008 bytes)
 pkts bytes target     prot opt in     out     source               destination
# check which ports are currently listening
[root@centos6 ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:70                  0.0.0.0:*                   LISTEN      26266/nginx
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1304/sshd
tcp        0      0 :::70                       :::*                        LISTEN      26266/nginx
tcp        0      0 :::22                       :::*                        LISTEN      1304/sshd
# test the connection
[c:\~]$ telnet 10.0.0.102 70
Connecting to 10.0.0.102:70...
Could not connect to '10.0.0.102' (port 70): Connection failed.
```
- Open a subset of those ports:
```
[root@centos6 ~]# iptables -I INPUT -p tcp -m multiport --dport 22,23,70,80 -j ACCEPT    # -m multiport is required for a port list
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  4680 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22,23,70,80
    6   312 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:23:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination
# test connectivity
[c:\~]$ telnet 10.0.0.102 70
Connecting to 10.0.0.102:70...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
```
- Block a subnet (the 10.0.0.0/24 network)
- Block by source network:
```
[root@centos6 ~]# iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j DROP
# from another host, SSH in over the interface on the 172.16.1.0 network
[root@centos7 ~]# ssh 172.16.1.102
root@172.16.1.102's password:
Last login: Mon Dec  4 17:12:10 2017 from 10.0.0.1
[root@test ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
```
- Block by destination network:
```
[root@centos6 ~]# iptables -A INPUT -i eth0 -d 10.0.0.0/24 -j DROP
# from another host, SSH in over the interface on the 172.16.1.0 network
[root@centos7 ~]# ssh 172.16.1.102
root@172.16.1.102's password:
Last login: Mon Dec  4 17:12:10 2017 from 10.0.0.1
[root@test ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            10.0.0.0/24

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
```
- Block a single IP address
- Block on the inbound interface:
```
[root@centos6 ~]# iptables -A INPUT -i eth0 -s 10.0.0.103 -j DROP
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.0.103           0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# test from the blocked IP
[root@centos7 ~]# ping 10.0.0.102
PING 10.0.0.102 (10.0.0.102) 56(84) bytes of data.
^C
--- 10.0.0.102 ping statistics ---
543 packets transmitted, 0 received, 100% packet loss, time 542269ms
```
- Block on the outbound interface:
```
[root@centos6 ~]# iptables -A OUTPUT -o eth0 -s 10.0.0.102 -j DROP
# from another host, SSH in over the interface on the 172.16.1.0 network
[root@centos7 ~]# ssh 172.16.1.102
root@172.16.1.102's password:
Last login: Mon Dec  4 17:12:10 2017 from 10.0.0.1
[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 64 packets, 7751 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36 packets, 5549 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  3220 DROP       all  --  *      eth0    10.0.0.102           0.0.0.0/0
```
- Block everything except the 10.0.0.0/24 network
```
[root@centos6 ~]# iptables -A INPUT ! -s 10.0.0.0/24 -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 9 packets, 664 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DROP       all  --  *      *      !10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 728 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Tip: on CentOS 5 the "!" goes between the option and the network, i.e. "-s ! 10.0.0.0/24"
- Block ping to the host
```
[root@centos6 ~]# iptables -A INPUT -p icmp -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 584 bytes)
 pkts bytes target     prot opt in     out     source               destination
# test
[c:\~]$ ping 10.0.0.102
正在 Ping 10.0.0.102 具有 32 字节的数据:
请求超时。
请求超时。
```
- Allow a single IP to ping the host
```
[root@centos6 ~]# iptables -I INPUT -i eth0 -s 10.0.0.1 -p icmp --icmp-type 8 -j ACCEPT
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  eth0   *       10.0.0.1             0.0.0.0/0           icmp type 8
  133 11100 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination
# test from the allowed IP
[c:\~]$ ping 10.0.0.102
正在 Ping 10.0.0.102 具有 32 字节的数据:
来自 10.0.0.102 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.102 的回复: 字节=32 时间<1ms TTL=64
# test from another IP
[root@centos7 ~]# ping 10.0.0.102
PING 10.0.0.102 (10.0.0.102) 56(84) bytes of data.
^C
--- 10.0.0.102 ping statistics ---
543 packets transmitted, 0 received, 100% packet loss, time 542269ms
```
Tip: only ICMP type 8 actually affects ping; alternatively, any can be used.
ICMP types:
- 0 Echo Reply (ping reply)
- 8 Echo Request (ping request)
More ICMP types: http://www.cnitblog.com/yang55xiaoguang/articles/59581.html
- Matching connection state
```
[root@centos6 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos6 ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
```
Tip: state-based rules need both an inbound and an outbound rule.
- Connection state parameters in detail:
| state | Meaning |
| --- | --- |
| [!] --state state | This module, when combined with connection tracking, allows access to the connection tracking state for this packet. Where state is a comma separated list of the connection states to match. |
| INVALID | meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection; in other words a packet whose connection cannot be identified and is therefore treated as invalid |
| ESTABLISHED | meaning that the packet is associated with a connection which has seen packets in both directions; in other words the session is already established |
| NEW | meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions; in other words a newly started session |
| RELATED | meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error; in other words a further connection opened on top of an established session |
- Rate-limiting rules
```
[root@centos6 ~]# iptables -I INPUT -s 10.0.0.0/24 -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 32 packets, 2352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       10.0.0.0/24          0.0.0.0/0           icmp type 8 limit: avg 6/min burst 5

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1800 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
- Command notes:
  - -m limit --limit n/{second|minute|hour}: the number of matching packets allowed per interval is n; the unit after the slash is seconds, minutes or hours
  - --limit-burst 5: the number of packets allowed through in one burst; the default is 5 when not specified
- How it works:
Once the number of packets matching the rule reaches the ceiling of 5 (--limit-burst 5), inbound matches are automatically throttled to 6 per minute (-m limit --limit 6/min), which limits the rate of that traffic.
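Pulling together the ordering lesson from section 1.3.4 (the ACCEPT for SSH must sit ahead of any DROP, or the session applying the rules is cut off) and the rate-limited ping rule above, here is an added script that is not part of the original notes. The names IPT, ADMIN_NET, DRY_RUN, add_once, build_input_chain and ssh_accept_precedes_drop are assumptions of this example; IPT defaults to the real iptables binary, and DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/bash
# Added example, not from the original notes. Builds the INPUT chain in the order
# the notes require: the rule keeping the current SSH session alive first, the
# SSH ACCEPT for the admin network next, the rate-limited ping ACCEPT, and the
# catch-all DROP last. IPT, ADMIN_NET, DRY_RUN are assumed names; 10.0.0.0/24 is
# the lab network used in the notes.
IPT="${IPT:-iptables}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"

# Append a rule, but only if an identical one is not already present (-C checks
# that), so the script can be re-run without stacking duplicate rules.
# With DRY_RUN set, print the rule instead of touching the kernel.
add_once() {
  chain=$1; shift
  if [ -n "${DRY_RUN:-}" ]; then
    echo "iptables -A $chain $*"
    return 0
  fi
  "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" -A "$chain" "$@"
}

# iptables stops at the first matching rule, so the order here is the whole point.
build_input_chain() {
  add_once INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_once INPUT -i lo -j ACCEPT                     # loopback (added here, not in the notes)
  add_once INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
  add_once INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
  add_once INPUT ! -s "$ADMIN_NET" -j DROP
}

# Check the output of `iptables -nL INPUT --line-numbers` (read from stdin):
# succeeds only if the first rule mentioning dpt:22 is an ACCEPT, i.e. SSH is
# not shadowed by an earlier DROP. Run it before closing the session you applied from.
ssh_accept_precedes_drop() {
  awk '/dpt:22/ { if ($2 == "ACCEPT") ok = 1; exit } END { exit !ok }'
}

# Usage: ./script apply    (run as root; set DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
  build_input_chain
  if [ -z "${DRY_RUN:-}" ]; then
    "$IPT" -nL INPUT --line-numbers | ssh_accept_precedes_drop \
      && echo "SSH ACCEPT precedes any DROP on port 22" \
      || echo "WARNING: port 22 is shadowed by a DROP; fix the order before logging out" >&2
  fi
fi
```

As with every rule on this page, what the script loads lives only in memory until it is saved with the service's save mechanism.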