1. iptables basic match conditions
In the previous post we covered how iptables works, how packets travel through the kernel, and how to manage chains, manage rules, list rules, and import and export rules; for a refresher see http://www.javashuo.com/article/p-wbokolmo-co.html. Today we look at the basic match conditions of iptables.
The basic match conditions of iptables, also called generic match conditions, are built into iptables/netfilter and need no extension module to be loaded; put simply, they are the native options of the iptables command itself. iptables has the following basic match conditions:
(1) [!] -s, --source address[/mask][,…]: matches the packet's source IP address or address range. It can be a single IP address or a network address; a network address must carry its subnet mask, which may be written in dotted form such as 255.255.0.0 or as a prefix length such as 192.168.0.0/24. The match can also be negated with !.
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  461 33551 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -s 192.168.1.0/24 -j ACCEPT
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -j ACCEPT
[root@test ~]# iptables -A my_chain -s 192.168.0.0/255.255.255.0 -j ACCEPT
[root@test ~]# iptables -nvL my_chain
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.0.232        192.168.0.99
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -A my_chain ! -s 192.168.10.0/24 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  946 67475 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.0.232        192.168.0.99
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *      !192.168.10.0/24      0.0.0.0/0
[root@test ~]#
(2) [!] -d, --destination address[/mask][,…]: matches the packet's destination IP address or address range. It is used exactly like -s: a single host or a network; a network must carry its subnet mask, written either as a prefix length or as a dotted mask. The match can also be negated.
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL my_chain
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 22 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.10 -p tcp --dport 3306 -j DROP
[root@test ~]# iptables -A my_chain -d 192.168.10.0/24 -p tcp --dport 25 -j DROP
[root@test ~]# iptables -A my_chain ! -d 192.168.11.0/255.255.255.0 -p tcp --dport 123 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1698  123K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.10         tcp dpt:3306
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.10.0/24      tcp dpt:25
    0     0 DROP       tcp  --  *      *       0.0.0.0/0           !192.168.11.0/24      tcp dpt:123
[root@test ~]#
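To make the -s/-d behaviour above concrete, here is an added example (written for this article, not code from the original post or from iptables) that emulates how an address argument is parsed and matched, and how `iptables -nvL` prints it: a dotted mask such as 192.168.0.0/255.255.255.0 is normalised to 192.168.0.0/24, a single host is shown without a prefix, and a negated match gets a leading "!". The chain and packets are the post's own rules plus constructed sample addresses; only Python's standard library is used.

```python
# Added example, not from the original post: emulate how iptables evaluates the
# [!] -s / [!] -d address arguments and how `iptables -nvL` prints them.
import ipaddress


def parse_address_spec(spec):
    """Parse an iptables address argument into a network.

    Accepted forms, as in the post: a bare host ('192.168.0.232'), a prefix
    length ('192.168.1.0/24') or a dotted mask ('192.168.0.0/255.255.255.0').
    strict=False tolerates host bits set in the address part.
    """
    return ipaddress.ip_network(spec, strict=False)


def render_address_column(spec, negate=False):
    """Text `iptables -nvL` shows in the source/destination column:
    a dotted mask becomes a prefix length, a host is printed without /32,
    and a negated match is prefixed with '!'."""
    net = parse_address_spec(spec)
    if net.prefixlen == net.max_prefixlen:
        text = str(net.network_address)
    else:
        text = f"{net.network_address}/{net.prefixlen}"
    return ("!" if negate else "") + text


def address_matches(spec, packet_address, negate=False):
    """Emulate `[!] -s spec` (or `-d spec`) against one packet address."""
    hit = ipaddress.ip_address(packet_address) in parse_address_spec(spec)
    return hit != negate


def rule_matches(rule, packet):
    """Match a constructed packet against a rule carrying optional -s / -d.
    Keys: 'src', 'dst' (address spec), 'src_negate', 'dst_negate' (bool);
    an absent key means 'any', which iptables prints as 0.0.0.0/0."""
    if "src" in rule and not address_matches(rule["src"], packet["src"], rule.get("src_negate", False)):
        return False
    if "dst" in rule and not address_matches(rule["dst"], packet["dst"], rule.get("dst_negate", False)):
        return False
    return True


# The four rules appended to my_chain in the post, in order.
MY_CHAIN = [
    {"src": "192.168.1.0/24", "target": "ACCEPT"},
    {"src": "192.168.0.232", "dst": "192.168.0.99", "target": "ACCEPT"},
    {"src": "192.168.0.0/255.255.255.0", "target": "ACCEPT"},
    {"src": "192.168.10.0/24", "src_negate": True, "target": "ACCEPT"},
]


def first_matching_rule(chain, packet):
    """Index of the first rule that matches (first match wins in iptables),
    or None when the packet falls through the whole chain."""
    for index, rule in enumerate(chain):
        if rule_matches(rule, packet):
            return index
    return None


if __name__ == "__main__":
    for rule in MY_CHAIN:
        print(render_address_column(rule["src"], rule.get("src_negate", False)))
    # Constructed sample packets (src, dst); none of these are real traffic.
    for src, dst in [("192.168.1.7", "10.0.0.1"), ("192.168.0.232", "192.168.0.99"),
                     ("192.168.0.5", "192.168.0.99"), ("192.168.10.9", "192.168.0.99")]:
        print(src, "->", dst, "first match:", first_matching_rule(MY_CHAIN, {"src": src, "dst": dst}))
```

Note that the packet from 192.168.10.9 matches nothing: it is outside the first three rules and the fourth rule is negated, so the chain falls through to its policy (or, for a user-defined chain, back to the chain that called it).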
(3) [!] -p, --protocol protocol: specifies the protocol. A number may be used, e.g. 0 (all); protocol is one of tcp, udp, icmp, icmpv6, udplite, esp, ah, sctp, mh or "all". Reference: /etc/protocols
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1752  126K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp --dport 80 -j DROP
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp --dport 23 -j DROP
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --sport 25 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p icmp --icmp-type 0 -j ACCEPT
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p icmp --icmp-type 8 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2487  179K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 47 packets, 4340 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp spt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 0
    0     0 ACCEPT     icmp --  *      *       192.168.0.232        192.168.0.99         icmptype 8
[root@test ~]# iptables -A my_chain ! -p udp -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2586  186K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp spt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 0
    0     0 ACCEPT     icmp --  *      *       192.168.0.232        192.168.0.99         icmptype 8
    0     0 ACCEPT    !udp  --  *      *       0.0.0.0/0            0.0.0.0/0
[root@test ~]#
Tip: when -p names a protocol, that protocol usually brings some implicit extension options with it. For example, -p tcp sets the protocol to tcp, and the source or destination port given after it belongs to the tcp module's implicit extension. Put simply, once the protocol is given as tcp there is no need to load its module explicitly with -m; this mechanism is called an implicit extension. The implicit extensions used in the examples above are tcp's --sport and --dport and icmp's --icmp-type. The protocol given with -p can also be negated with !, which matches packets of every protocol except the one named; if -p is omitted, packets of all protocols are matched.
(4) [!] -i, --in-interface name: the interface a packet arrives on. It applies only where packets enter the host, i.e. only to the INPUT, FORWARD and PREROUTING chains and to user-defined chains.
[root@test ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
       valid_lft forever preferred_lft forever
    inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fe51:af3c/64 scope link
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:63:ab:82:55 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL my_chain
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -s 192.168.0.0/24 -i enp2s0 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2911  209K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  enp2s0 *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -A OUTPUT -i enp2s0 -j ACCEPT
iptables v1.4.21: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.
[root@test ~]#
Tip: rules added to a user-defined chain can be referenced from any built-in chain. It is not that rules on a user-defined chain cannot be used from a built-in chain; a built-in chain may reference them, but once referenced the rule may simply never take effect and never match a packet. -i names the interface a packet arrives on, so this basic match condition is only usable on chains that packets can enter through, namely the PREROUTING, INPUT and FORWARD built-in chains and user-defined chains; in practice, when it is written on a user-defined chain, that chain is referenced by one of those three built-in chains. If instead the chain is referenced from OUTPUT or POSTROUTING, the rule is ineffective and cannot match any packet.
(5) [!] -o, --out-interface name: the interface a packet leaves through. It applies only where packets leave the host, i.e. only to the FORWARD, OUTPUT and POSTROUTING chains and to user-defined chains.
[root@test ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
       valid_lft forever preferred_lft forever
    inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fe51:af3c/64 scope link
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:63:ab:82:55 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   66  4512 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -o enp2s0 -j ACCEPT
[root@test ~]# iptables -A INPUT -o enp2s0 -j DROP
iptables v1.4.21: Can't use -o with INPUT

Try `iptables -h' or 'iptables --help' for more information.
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  238 16280 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 61 packets, 5724 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0
[root@test ~]#
Tip: likewise, -o matches the interface a packet leaves through and cannot be used on chains where packets enter. In the iptables/netfilter framework an outgoing packet only passes through the FORWARD, OUTPUT and POSTROUTING built-in chains, so even if -o is used on a user-defined chain to match the outgoing interface, it only takes effect and matches packets when that chain is referenced from FORWARD, OUTPUT or POSTROUTING; iptables refuses it on INPUT or PREROUTING. Note that the FORWARD chain can match both the incoming and the outgoing interface.
2. Implicit extension options of tcp, udp and icmp
iptables match conditions are divided into basic match conditions and extension match conditions, and extension match conditions into explicit and implicit extensions. The names say it: explicit means specified explicitly, implicit means not specified explicitly. Extension match conditions normally require an extension module (/usr/lib64/xtables/*.so) to be loaded before they take effect. An implicit extension can be understood as follows: when -p names a protocol, the options of that protocol's extension module can be used without naming the module with -m; in other words, we don't load the module by hand, the protocol given with -p loads it for us. (This is just my own understanding.)
(1) Implicit extension options of the tcp protocol
[!] --source-port, --sport port[:port]: matches the packet's source port. It may be a port range, written with : when the ports are consecutive; for example 21:25 matches the consecutive ports 21, 22, 23, 24 and 25.
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  878 58520 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp --sport 22 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1324 93312 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 3144 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spt:22
[root@test ~]#
Tip: the rule added above matches tcp packets with source address 192.168.0.232, destination address 192.168.0.99 and source port 22, and accepts them. To match a run of consecutive ports, write first:last. The source port can also be negated, which matches every port except the one(s) specified, as shown below:
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp --sport 23:30 -j ACCEPT
[root@test ~]# iptables -nvL my_chain
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spts:23:30
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp ! --sport 40:50 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1519  107K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spts:23:30
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spts:!40:50
[root@test ~]#
[!] --destination-port, --dport port[:port]: matches the packet's destination port. It may be a range, and when the ports are consecutive : stands for the ports in between, exactly as with --sport.
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 22 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 23:25 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp ! --dport 80 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpts:23:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:!80
[root@test ~]#
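The --sport and --dport examples above all come down to one rule: an inclusive first:last range, optionally negated. Here is an added example (written for this article, not code from the post or from iptables) that parses a port argument, matches it against a packet port, and reproduces the `spt:22`, `spts:23:30`, `spts:!40:50` and `dpt:!80` text that `iptables -nvL` prints. It also covers the open-ended forms `:1023` and `1024:` that the iptables documentation allows (0 and 65535 are assumed for the missing end), which the post does not show. Sample ports are constructed.

```python
# Added example, not from the original post: emulate [!] --sport / --dport of
# the tcp and udp implicit extensions, including ranges and negation.


def parse_port_spec(spec):
    """'22' -> (22, 22); '23:30' -> (23, 30); ':1023' -> (0, 1023); '1024:' -> (1024, 65535).

    first:last is inclusive. As documented for iptables, an omitted first
    port means 0 and an omitted last port means 65535.
    """
    if ":" in spec:
        first, last = spec.split(":", 1)
        low = int(first) if first else 0
        high = int(last) if last else 65535
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification {spec!r}")
    return low, high


def port_matches(spec, packet_port, negate=False):
    """Emulate `[!] --sport spec` / `[!] --dport spec` against one port."""
    low, high = parse_port_spec(spec)
    return (low <= packet_port <= high) != negate


def render_port_column(kind, spec, negate=False):
    """Text shown by `iptables -nvL` for a port match.

    kind is 'sport' or 'dport'. A single port prints as 'spt:22' / 'dpt:22',
    a range as 'spts:23:30' / 'dpts:23:25', and negation puts '!' right
    after the colon, e.g. 'spts:!40:50' and 'dpt:!80' as seen in the post.
    """
    low, high = parse_port_spec(spec)
    prefix = {"sport": "spt", "dport": "dpt"}[kind]
    bang = "!" if negate else ""
    if low == high:
        return f"{prefix}:{bang}{low}"
    return f"{prefix}s:{bang}{low}:{high}"


# The three --dport rules appended to my_chain in the post: (spec, negated, target).
DPORT_CHAIN = [("22", False, "ACCEPT"), ("23:25", False, "ACCEPT"), ("80", True, "ACCEPT")]


def first_matching_port_rule(chain, packet_port):
    """Walk --dport rules in order; first match wins. None = fell through."""
    for index, (spec, negate, target) in enumerate(chain):
        if port_matches(spec, packet_port, negate):
            return index, target
    return None


if __name__ == "__main__":
    for spec, negate, _ in DPORT_CHAIN:
        print(render_port_column("dport", spec, negate))
    for dport in (22, 24, 80, 443):  # constructed destination ports
        print(dport, "->", first_matching_port_rule(DPORT_CHAIN, dport))
```

Port 80 is the only destination that falls through this chain: the first two rules do not cover it and the third is negated on exactly that port, so the verdict comes from wherever my_chain was called from.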
[!] --tcp-flags mask comp: matches packets whose TCP flags meet the specification. mask is the comma-separated list of flags to examine, e.g. SYN,ACK,FIN,RST; comp is the comma-separated list of flags from mask that must be set to 1. Flags that are in mask but not in comp must be 0.
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT
[root@test ~]# iptables -A my_chain -p tcp --tcp-flags ALL ALL -j DROP
[root@test ~]# iptables -A my_chain -p tcp --tcp-flags ALL NONE -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 47 packets, 3830 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 39 packets, 3630 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
[root@test ~]#
Tip: the rules above match tcp packets as follows: packets with SYN=1 and the other examined flags 0 are accepted; packets with all flags set are dropped; packets with all flags cleared are dropped. This extension option also supports negation, which matches every packet except those with the specified flag pattern.
[!] --syn: matches the first packet of the TCP three-way handshake; it is equivalent to --tcp-flags SYN,ACK,FIN,RST SYN.
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 73 packets, 5582 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 61 packets, 6538 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
[root@test ~]# iptables -A INPUT -p tcp --syn -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 11 packets, 804 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 864 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
[root@test ~]#
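The `tcp flags:0x17/0x02` text that --tcp-flags and --syn both produce is easier to trust once you have computed it yourself. The following added example (written for this article, not code from the post or from iptables) builds the mask/comp bit words from the flag names using the TCP header bit values (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20), applies the kernel's comparison `(flags & mask) == comp`, shows that --syn is the same test as `--tcp-flags SYN,ACK,FIN,RST SYN`, and walks the three my_chain rules from the post over a few constructed flag words.

```python
# Added example, not from the original post: how `--tcp-flags mask comp` and
# its shorthand `--syn` are evaluated, and how `iptables -nvL` prints them.

# Bit values of the six flags iptables knows by name (TCP header order).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # what iptables means by ALL


def flag_list_to_bits(spec):
    """'SYN,ACK,FIN,RST' -> 0x17; 'ALL' -> 0x3F; 'NONE' -> 0x00."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAG_BITS[name.strip()]  # KeyError on an unknown flag name
    return bits


def render_tcp_flags(mask_spec, comp_spec):
    """Reproduce the 'tcp flags:0x17/0x02' column of `iptables -nvL`."""
    return f"tcp flags:0x{flag_list_to_bits(mask_spec):02X}/0x{flag_list_to_bits(comp_spec):02X}"


def tcp_flags_match(mask_spec, comp_spec, packet_flags, negate=False):
    """Kernel semantics: look only at the bits in mask; among them exactly
    the bits in comp must be set and the rest must be clear. Bits outside
    mask (PSH and URG for the SYN,ACK,FIN,RST mask) are ignored, and a comp
    bit that is not in mask can never be satisfied."""
    mask = flag_list_to_bits(mask_spec)
    comp = flag_list_to_bits(comp_spec)
    return ((packet_flags & mask) == comp) != negate


def syn_match(packet_flags, negate=False):
    """`[!] --syn` is shorthand for `--tcp-flags SYN,ACK,FIN,RST SYN`."""
    return tcp_flags_match("SYN,ACK,FIN,RST", "SYN", packet_flags, negate)


# The three rules appended to my_chain in the post: (mask, comp, target).
FLAG_CHAIN = [("SYN,ACK,FIN,RST", "SYN", "ACCEPT"), ("ALL", "ALL", "DROP"), ("ALL", "NONE", "DROP")]


def classify(packet_flags):
    """Walk FLAG_CHAIN in order; first match wins; None means no rule matched."""
    for mask_spec, comp_spec, target in FLAG_CHAIN:
        if tcp_flags_match(mask_spec, comp_spec, packet_flags):
            return target
    return None


if __name__ == "__main__":
    for mask_spec, comp_spec, _ in FLAG_CHAIN:
        print(render_tcp_flags(mask_spec, comp_spec))
    # Constructed flag words: a handshake SYN, a SYN/ACK, a packet with every
    # flag set, a packet with no flags, and a plain ACK.
    for flags in (0x02, 0x12, 0x3F, 0x00, 0x10):
        print(f"0x{flags:02X} -> {classify(flags)}, --syn: {syn_match(flags)}")
```

The SYN/ACK (0x12) and the plain ACK (0x10) match none of the three rules, which is the intended outcome for a chain that only wants to single out new connections and the two malformed all-set/none-set patterns.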
(2) Implicit extension options of the udp protocol
[!] --source-port, --sport port[:port]: matches the packet's source port or port range; when the ports are consecutive, : stands for the ports in between.
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1636 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A OUTPUT -p udp --sport 928 -j ACCEPT
[root@test ~]# iptables -A OUTPUT -p udp --sport 111:123 -j ACCEPT
[root@test ~]# iptables -A OUTPUT -p udp ! --sport 323 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 14 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1144 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:111:123
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:!323

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
[!] --destination-port, --dport port[:port]: matches the packet's destination port or port range; when the ports are consecutive, : stands for the ports in between.
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 73 packets, 5156 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 54 packets, 6288 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:111:123
    1    76 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:!323

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A INPUT -p udp --dport 928 -j ACCEPT
[root@test ~]# iptables -A INPUT -p udp --dport 111:123 -j ACCEPT
[root@test ~]# iptables -A INPUT -p udp ! --dport 323 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 14 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:111:123
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:!323

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1160 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:111:123
    1    76 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:!323

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
(3) Implicit extension options of the icmp protocol
[!] --icmp-type {type[/code]|typename}
Meaning of the type/code values (table image)
Note: this image comes from the Internet.
The table above shows that each type has its own meaning. Take the two most common icmp types, 0 and 8: type 0 is the icmp echo reply. When we use the ping tool to probe whether a remote host is alive, we send it icmp type 8 packets; if the remote host receives them and is alive, it answers with an icmp type 0 message, otherwise it answers with a packet of some other type (assuming the remote host has no controls in place for icmp traffic).
Using iptables to allow us to ping other hosts while not allowing other hosts to ping us:
[root@test ~]# iptables -F
[root@test ~]# iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
[root@test ~]# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
[root@test ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
Tip: with the three rules above in iptables, icmp type 8 packets sent from this host pass normally, icmp type 0 reply packets returned by the remote host pass normally, and icmp type 8 request packets sent to this host are explicitly dropped.
Tip: this stops other people from using ping to probe whether our firewall host is alive. Of course, once it is set up this way we cannot probe it ourselves either; to allow ourselves to probe, we add a matching rule that explicitly permits those particular icmp packets:
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 30 packets, 2084 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
   35  2940 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  3024 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -I INPUT -s 192.168.0.151 -p icmp --icmp-type 8 -j ACCEPT
[root@test ~]# iptables -A OUTPUT -d 192.168.0.151 -p icmp --icmp-type 0 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1008 ACCEPT     icmp --  *      *       192.168.0.151        0.0.0.0/0            icmptype 8
   15  1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
   46  3864 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 764 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  3024 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.151        icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
Tip: if the OUTPUT chain's default policy is DROP, both rules above are needed; if the default policy is ACCEPT, a single rule on the INPUT chain permitting packets from the specified source IP is enough.
Tip: you can see that after adding the rule permitting the specified source IP, that host can ping the firewall host again.
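Two details in the icmp example above are easy to miss: the host-specific ACCEPT is added with -I (insert at the top of INPUT) rather than -A, and the OUTPUT rule for the echo reply only matters when OUTPUT's policy is DROP. The following added example (written for this article, not code from the post or from iptables) walks the post's INPUT and OUTPUT chains with first-match-wins semantics and a chain policy, and shows what each of those choices changes. Addresses are the post's own; the packets are constructed dicts.

```python
# Added example, not from the original post: evaluate the ICMP policy chains
# from the post (first matching rule wins, otherwise the chain policy applies).

ECHO_REQUEST, ECHO_REPLY = 8, 0


def rule_matches(rule, packet):
    """A rule matches when every match it carries equals the packet field.
    Keys: src, dst (exact address), proto, icmp_type; an absent key = any."""
    return all(packet.get(key) == value for key, value in rule.items() if key != "target")


def evaluate_chain(rules, policy, packet):
    """Return the target of the first matching rule, else the chain policy."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule["target"]
    return policy


def build_input_chain(insert_specific_rule=True):
    """Reproduce the post's INPUT chain.

    The two generic rules are appended with -A. The rule for 192.168.0.151
    is added with -I INPUT, which places it first; pass
    insert_specific_rule=False to see what -A would have done instead.
    """
    chain = [
        {"proto": "icmp", "icmp_type": ECHO_REPLY, "target": "ACCEPT"},   # -A INPUT ... --icmp-type 0 -j ACCEPT
        {"proto": "icmp", "icmp_type": ECHO_REQUEST, "target": "DROP"},   # -A INPUT ... --icmp-type 8 -j DROP
    ]
    specific = {"src": "192.168.0.151", "proto": "icmp", "icmp_type": ECHO_REQUEST, "target": "ACCEPT"}
    if insert_specific_rule:
        chain.insert(0, specific)   # -I INPUT -s 192.168.0.151 ...
    else:
        chain.append(specific)      # hypothetical -A variant: lands after the DROP
    return chain


OUTPUT_CHAIN = [
    {"proto": "icmp", "icmp_type": ECHO_REQUEST, "target": "ACCEPT"},                        # -A OUTPUT ... --icmp-type 8
    {"dst": "192.168.0.151", "proto": "icmp", "icmp_type": ECHO_REPLY, "target": "ACCEPT"},  # -A OUTPUT -d 192.168.0.151 ... --icmp-type 0
]


def ping_from(src, insert_specific_rule=True, output_policy="ACCEPT"):
    """Verdicts for an echo request from src arriving on INPUT, and for the
    echo reply this host (192.168.0.99) would send back through OUTPUT."""
    request = {"src": src, "dst": "192.168.0.99", "proto": "icmp", "icmp_type": ECHO_REQUEST}
    reply = {"src": "192.168.0.99", "dst": src, "proto": "icmp", "icmp_type": ECHO_REPLY}
    in_verdict = evaluate_chain(build_input_chain(insert_specific_rule), "ACCEPT", request)
    out_verdict = evaluate_chain(OUTPUT_CHAIN, output_policy, reply)
    return in_verdict, out_verdict


if __name__ == "__main__":
    print("151, inserted with -I, OUTPUT policy ACCEPT:", ping_from("192.168.0.151"))
    print("151, appended with -A instead:             ", ping_from("192.168.0.151", insert_specific_rule=False))
    print("232, OUTPUT policy ACCEPT:                 ", ping_from("192.168.0.232"))
    print("232, OUTPUT policy DROP:                   ", ping_from("192.168.0.232", output_policy="DROP"))
```

With -A the host-specific ACCEPT sits behind the generic DROP and is never reached, so 192.168.0.151 would still be dropped; with -I it is consulted first. The second OUTPUT rule only changes anything when OUTPUT's policy is DROP: with policy ACCEPT the reply falls through to the policy and is sent anyway, which is exactly the tip given above.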
Those are the commonly used implicit extension options of the tcp, udp and icmp protocols.