[CentOS 7 Notes 43] Firewall and the iptables filter table

shallow丿ovelinux


firewalld and netfilter

  • setenforce 0 # switch SELinux to permissive for this boot only (getenforce then reports Permissive)
  • /etc/selinux/config # turn SELinux off permanently
  • From CentOS 7 the default firewall front end is firewalld; earlier releases used the iptables service. Both only manage rules for the same kernel framework, netfilter.
  • How to disable firewalld and switch to the iptables service:
  • systemctl stop firewalld
  • systemctl disable firewalld
  • yum install -y iptables-services
  • systemctl enable iptables
  • systemctl start iptables
[root@localhost ~]# vi /etc/selinux/config
	# This file controls the state of SELinux on the system.
	# SELINUX= can take one of these three values:
	#     enforcing - SELinux security policy is enforced.
	#     permissive - SELinux prints warnings instead of enforcing.
	#     disabled - No SELinux policy is loaded.
	SELINUX=enforcing
	# SELINUXTYPE= can take one of these two values:
	#     targeted - Targeted processes are protected,
	#     minimum - Modification of targeted policy. Only selected processes are protected.
	#     mls - Multi Level Security protection.
	SELINUXTYPE=targeted

Change SELINUX=enforcing to SELINUX=disabled to turn SELinux off permanently; the change takes effect at the next reboot. Bear in mind that this removes mandatory access control from the host entirely. If SELinux is blocking a service, SELINUX=permissive keeps the policy loaded and only logs the denials to /var/log/audit/audit.log, which is the safer way to find the actual cause.

[root@localhost ~]# getenforce
	Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
	Permissive

Disable firewalld and install the iptables service

[root@localhost ~]# systemctl disable firewalld
	Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
	Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# yum install -y iptables-services
	Loaded plugins: fastestmirror
	Loading mirror speeds from cached hostfile
	 * epel: mirrors.tongji.edu.cn
	Resolving Dependencies
	--> Running transaction check
	---> Package iptables-services.x86_64 0:1.4.21-18.2.el7_4 will be installed
	--> Processing Dependency: iptables = 1.4.21-18.2.el7_4 for package: iptables-services-1.4.21-18.2.el7_4.x86_64
	--> Running transaction check
	---> Package iptables.x86_64 0:1.4.21-13.el7 will be updated
	---> Package iptables.x86_64 0:1.4.21-18.2.el7_4 will be an update
	--> Finished Dependency Resolution

	Dependencies Resolved

	===================================================================================================
	 Package                     Arch             Version                      Repository         Size
	===================================================================================================
	Installing:
	 iptables-services           x86_64           1.4.21-18.2.el7_4            updates            51 k
	Updating for dependencies:
	 iptables                    x86_64           1.4.21-18.2.el7_4            updates           428 k

	Transaction Summary
	===================================================================================================
	Install  1 Package
	Upgrade             ( 1 Dependent package)

	Total download size: 479 k
	Downloading packages:
	Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
	(1/2): iptables-services-1.4.21-18.2.el7_4.x86_64.rpm                       |  51 kB  00:00:00     
	(2/2): iptables-1.4.21-18.2.el7_4.x86_64.rpm                                | 428 kB  00:00:00     
	---------------------------------------------------------------------------------------------------
	Total                                                              599 kB/s | 479 kB  00:00:00     
	Running transaction check
	Running transaction test
	Transaction test succeeded
	Running transaction
	  Updating   : iptables-1.4.21-18.2.el7_4.x86_64                                               1/3 
	  Installing : iptables-services-1.4.21-18.2.el7_4.x86_64                                      2/3 
	  Cleanup    : iptables-1.4.21-13.el7.x86_64                                                   3/3 
	  Verifying  : iptables-services-1.4.21-18.2.el7_4.x86_64                                      1/3 
	  Verifying  : iptables-1.4.21-18.2.el7_4.x86_64                                               2/3 
	  Verifying  : iptables-1.4.21-13.el7.x86_64                                                   3/3 

	Installed:
	  iptables-services.x86_64 0:1.4.21-18.2.el7_4                                                     

	Dependency Updated:
	  iptables.x86_64 0:1.4.21-18.2.el7_4                                                              

	Complete!
[root@localhost ~]# systemctl enable iptables
	Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   45  2996 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		1   244 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 25 packets, 2628 bytes)
	 pkts bytes target     prot opt in     out     source               destination

The 5 tables and 5 chains of netfilter

  • filter table: packet filtering, the most frequently used table; it has the INPUT, FORWARD and OUTPUT chains

  • nat table: network address translation; it has the PREROUTING, OUTPUT and POSTROUTING chains (kernels since 2.6.36 also give it an INPUT chain, which is why the nat listing further down shows four)

  • mangle table: modifies or marks packet headers; rarely needed

  • raw table: exempts selected packets from connection tracking

  • security table: did not exist in CentOS 6; holds network rules for mandatory access control (MAC), i.e. SELinux labelling

  • Packet flow through the 5 netfilter chains:

  • PREROUTING: a packet arriving from the network, before the routing decision

  • INPUT: after the routing decision, the packet is destined for the local host

  • FORWARD: after the routing decision, the packet is not destined for the local host and is being routed through

  • OUTPUT: generated by the local host, heading out

  • POSTROUTING: just before the packet is handed to the network interface

The iptables filter table

  • iptables -F # flush all rules in the current table (filter unless -t says otherwise); the default policies are not changed
  • service iptables save # write the running rules to /etc/sysconfig/iptables
  • iptables -t nat # -t selects the table (filter is the default)
  • iptables -Z # zero the packet and byte counters
  • iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
  • iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP # -I inserts at the top, -A appends at the end, -D deletes
  • iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
  • iptables -nvL --line-numbers # list rules with their numbers
  • iptables -D INPUT 1 # delete a rule by number
  • iptables -P INPUT DROP # set the chain's default policy
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  193 12868 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		6   552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	   10  2365 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 112 packets, 12324 bytes)
	 pkts bytes target     prot opt in     out     source               destination

The iptables rules are stored in the configuration file /etc/sysconfig/iptables:

[root@localhost ~]# cat /etc/sysconfig/iptables
	# sample configuration for iptables service
	# you can edit this manually or use system-config-firewall
	# please do not ask us to add additional ports/services to this default configuration
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p icmp -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited
	COMMIT
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
	 pkts bytes target     prot opt in     out     source               destination
iptables -F only flushes the running rules in the kernel; the saved file is untouched:

[root@localhost ~]# cat /etc/sysconfig/iptables
	# sample configuration for iptables service
	# you can edit this manually or use system-config-firewall
	# please do not ask us to add additional ports/services to this default configuration
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p icmp -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited
	COMMIT

Restarting the service reloads the rules from the file, so the flushed rules come back:

[root@localhost ~]# service iptables restart
	Redirecting to /bin/systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 5 packets, 716 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# service iptables save
[root@localhost ~]# iptables -t filter -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   68  4536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 38 packets, 5024 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -t nat -nvL
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination

iptables -Z zeroes the pkts and bytes counters:

[root@localhost ~]# iptables -Z ; iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination

Rule syntax: iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP (or -j REJECT; DROP discards the packet silently, REJECT also sends an ICMP error or TCP reset back to the sender)

iptables -A appends the rule at the end of the chain:

[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  354 23684 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   13  1196 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  383 47064 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 23 packets, 2212 bytes)
	 pkts bytes target     prot opt in     out     source               destination

The new rule lands at the very bottom, behind the catch-all REJECT, so no packet ever reaches it: its pkts/bytes counters stay at 0 however much traffic arrives from 192.168.188.1. A chain is evaluated top to bottom and the first terminating match wins, so a rule appended behind a catch-all is dead.

iptables -I inserts the rule at the top of the chain (position 1 unless a number is given), so it is evaluated before everything else:

[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
	  513 35132 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   13  1196 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  384 47308 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 7 packets, 1156 bytes)
	 pkts bytes target     prot opt in     out     source               destination
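The appended DROP above sits behind the catch-all REJECT and can never match. The following is an added example, not part of the original page: a small lint for rulesets in iptables-save format (the format of /etc/sysconfig/iptables and of "iptables-save" output) that reports every rule shadowed by an earlier catch-all in its chain. The sample ruleset is constructed inline from the page's default INPUT chain plus the appended DROP, with a FORWARD chain showing the same mistake; the only tool it needs is awk.

```shell
#!/bin/sh
# Added example, not from the original page: a lint for rulesets in
# iptables-save format. It reports rules that can never match because an
# earlier rule in the same chain has no match criteria and a terminating
# target, which is exactly what "-A" did above when it appended a DROP
# behind the catch-all REJECT. Needs only awk.

# Constructed sample: the page's default INPUT chain with the DROP appended
# behind REJECT, plus a FORWARD chain with the same mistake.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.188.1/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# find_unreachable: read iptables-save text on stdin and print one line per
# shadowed rule as "<chain> <rule number> <rule>". Prints nothing if the
# ruleset is clean.
find_unreachable() {
    awk '
        # A new table (*filter, *nat, ...) starts with fresh per-chain state.
        /^\*/ { split("", count); split("", blocked); next }
        /^-A / {
            chain = $2
            count[chain]++
            if (blocked[chain]) { print chain, count[chain], $0; next }
            # Catch-all: nothing between "-A <chain>" and "-j", and the target
            # ends evaluation. Options after the target (--reject-with) do not
            # narrow the match.
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) blocked[chain] = 1
        }
    '
}

# Usage on a live host:  iptables-save | find_unreachable
# Or on the saved file:  find_unreachable < /etc/sysconfig/iptables
printf '%s\n' "$SAMPLE_RULES" | find_unreachable
```

On the sample it reports rule 6 of INPUT (the appended DROP) and rule 2 of FORWARD; the numbers match what "iptables -nvL --line-numbers" would show, so they can be fed straight to "iptables -D <chain> <number>".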

iptables -D deletes a rule; the match specification has to be repeated exactly as it was added:

[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  605 42492 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   17  1564 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  672 75245 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 19 packets, 1972 bytes)
	 pkts bytes target     prot opt in     out     source               destination  
[root@localhost ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  744 55092 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  673 75489 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
	 pkts bytes target     prot opt in     out     source               destination

Deleting a rule by repeating its full specification is tedious and error-prone, and you may not remember exactly how it was written. In that case list the chain with rule numbers and delete by number. First put the two rules back:

[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
	  912 70948 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 7 packets, 1364 bytes)
	 pkts bytes target     prot opt in     out     source               destination

iptables -nvL --line-numbers (iptables also accepts the unambiguous abbreviation --line-number used below)

[root@localhost ~]# iptables -nvL --line-number
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
	2     1010 77416 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
	4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	5       18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	6      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
	7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 59 packets, 7820 bytes)
	num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -D INPUT 7
	iptables: Index of deletion too big.
[root@localhost ~]# iptables -D INPUT 6

Rules are renumbered as soon as one is removed: after rule 1 is deleted, the old rule 7 has become rule 6, which is why "-D INPUT 7" fails. When removing several rules by number, delete from the highest number downwards, or list the chain again between deletions.
[root@localhost ~]# iptables -nvL --line-number
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1     1165 87732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
	3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	4       19  1748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	5      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 42 packets, 4056 bytes)
	num   pkts bytes target     prot opt in     out     source               destination

iptables -P sets a chain's default policy, the verdict for packets that match none of its rules:

[root@localhost ~]# iptables -P OUTPUT DROP

Doing this from an SSH session locks you out: the packets sshd sends back to the client on port 22 are now dropped in OUTPUT, the client never receives a response, and the session hangs and is eventually disconnected. The only way back is the local console (or another out-of-band channel), where the policy can be set back to ACCEPT. Change a default policy to DROP only after the rules that allow your own management traffic are in place, and test from the console first.

[root@localhost ~]# iptables -nvL --line-number
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1     1165 87732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
	3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	4       19  1748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	5      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy DROP 37 packets, 24648 bytes)
	num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -P OUTPUT ACCEPT

-s source IP, -p protocol, --sport source port, -d destination IP, --dport destination port, -j target (what to do with a matching packet)

A small iptables case study

Put the rules in a script so they can be re-applied in one go. Two things to watch in this script: it sets the INPUT policy to DROP before any ACCEPT rule exists, so for an instant every inbound packet, including the SSH session's, is dropped; and it has no rule for the loopback interface, so under the DROP policy local services that talk to each other over 127.0.0.1 are cut off. The ICMP example (iptables -I INPUT -p icmp --icmp-type 8 -j DROP) is covered further down.
[root@localhost ~]# vim /usr/local/sbin/iptables.sh
	#!/bin/bash
	ipt="/usr/sbin/iptables"
	$ipt -F
	$ipt -P INPUT DROP
	$ipt -P OUTPUT ACCEPT
	$ipt -P FORWARD ACCEPT
	$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
	$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
	$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

In the state match, ESTABLISHED matches packets belonging to a connection that connection tracking has already seen traffic for in both directions, and RELATED matches packets that open a new connection associated with an existing one (an FTP data connection, or an ICMP error about an existing connection). Together they let the replies to the host's own outbound traffic back in under a DROP policy. The w output below shows a second login on the console (tty1) alongside the SSH session, which is the safe way to run a script like this: if the SSH session is lost, the rules can still be fixed locally.

[root@localhost ~]# w
	 22:10:01 up 1 day, 20:48,  2 users,  load average: 0.00, 0.01, 0.05
	USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
	root     tty1      06:40   15:23m  0.42s  0.42s -bash
	root     pts/0     21:50    1.00s  0.45s  0.00s w
[root@localhost ~]# sh /usr/local/sbin/iptables.sh 
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy DROP 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy DROP 1 packets, 229 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   41  2712 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 27 packets, 3628 bytes)
	 pkts bytes target     prot opt in     out     source               destination  
Comparing the two listings, the pkts/bytes counters of the RELATED,ESTABLISHED rule keep growing (28/1848, then 41/2712): the SSH session itself is being carried by that rule, while the INPUT policy counter shows one packet already dropped by the new default. Restarting the service discards the script's rules and reloads the saved ones from /etc/sysconfig/iptables:

[root@localhost ~]# service iptables restart	# restarts the iptables service
	Redirecting to /bin/systemctl restart iptables.service
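The case study above and the OUTPUT DROP lockout earlier both come from applying rules one at a time and setting policies by hand. The following is an added example, not the page's own script: it produces the same policy as iptables.sh in iptables-save format so that iptables-restore loads policies and rules in one atomic step, adds the loopback rule the script lacks, and starts a rollback timer that restores the previous ruleset if you can no longer log in to cancel it. The management network 192.168.133.0/24 and ports 22, 80 and 21 come from the page; the backup path, the rollback timeout and the FORWARD DROP policy are assumptions, and the "iptables-restore --test" syntax check assumes the iptables version on the host supports that option (if it does not, the function refuses to apply anything, which is the safe failure).

```shell
#!/bin/sh
# Added example, not from the original page: iptables.sh reworked to load the
# ruleset atomically with iptables-restore and to roll back automatically if
# the new rules lock the operator out.
#
# Assumed values (override through the environment):
MGMT_NET="${MGMT_NET:-192.168.133.0/24}"    # network allowed to reach SSH (from the page)
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-80 21}"   # public TCP services (from the page)
BACKUP="${BACKUP:-/root/iptables.rollback}" # where the previous ruleset is kept (assumption)
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"       # seconds until the old ruleset is restored (assumption)

# build_ruleset: print the filter table in iptables-save format.
# Policies and rules are committed together, so there is never a moment
# where INPUT is DROP but the RELATED,ESTABLISHED rule is missing, and the
# loopback rule keeps local services talking to each other.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    for port in $OPEN_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# apply_ruleset: back up the running rules, start a rollback timer, then load
# the new ruleset. Run cancel_rollback once you have confirmed you can still
# log in; otherwise the old rules come back after ROLLBACK_SECS.
apply_ruleset() {
    iptables-save > "$BACKUP" || return 1
    # Parse-only check first; --test is assumed to be supported by this iptables.
    build_ruleset | iptables-restore --test || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
    build_ruleset | iptables-restore
}

# cancel_rollback: stop the timer once the new rules are confirmed good.
cancel_rollback() {
    kill "$(cat "$BACKUP.pid")" 2>/dev/null
    rm -f "$BACKUP.pid"
}

case "${1:-print}" in
    apply)  apply_ruleset ;;
    cancel) cancel_rollback ;;
    *)      build_ruleset ;;   # default: just show what would be loaded
esac
```

Run it as "sh iptables-atomic.sh apply" from a session you are prepared to lose, reconnect, then "sh iptables-atomic.sh cancel"; with no argument it only prints the ruleset, which is also what you feed to "service iptables save" or write to /etc/sysconfig/iptables once it is right.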

ICMP example. From Windows, before the rule:

C:\Users\Administrator>ping 192.168.9.134
	
	Pinging 192.168.9.134 with 32 bytes of data:
	Reply from 192.168.9.134: bytes=32 time<1ms TTL=64
	Reply from 192.168.9.134: bytes=32 time<1ms TTL=64
	Reply from 192.168.9.134: bytes=32 time<1ms TTL=64
	Reply from 192.168.9.134: bytes=32 time<1ms TTL=64

	Ping statistics for 192.168.9.134:
	    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
	Approximate round trip times in milli-seconds:
	    Minimum = 0ms, Maximum = 0ms, Average = 0ms

On Linux:

[root@localhost ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP

Inbound ping is now blocked. --icmp-type 8 selects ICMP type 8, echo-request, which is the packet ping sends (iptables also accepts the name: --icmp-type echo-request); it does not mean "8 kinds of ICMP". The echo-replies the host receives to its own pings are type 0 and are unaffected, which is why the host can still ping out, as shown below. Because the target is DROP the client simply times out; with REJECT it would get an immediate ICMP error instead.

From Windows, after the rule:

C:\Users\Administrator>ping 192.168.9.134

	Pinging 192.168.9.134 with 32 bytes of data:
	Request timed out.
	Request timed out.
	Request timed out.
	Request timed out.

	Ping statistics for 192.168.9.134:
	    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

On Linux:

[root@localhost ~]# ping www.qq.com
	PING www.qq.com (120.198.201.156) 56(84) bytes of data.
	64 bytes from 120.198.201.156: icmp_seq=1 ttl=128 time=32.3 ms
	64 bytes from 120.198.201.156: icmp_seq=2 ttl=128 time=11.9 ms
	64 bytes from 120.198.201.156: icmp_seq=3 ttl=128 time=28.6 ms
	^C
	--- www.qq.com ping statistics ---
	3 packets transmitted, 3 received, 0% packet loss, time 2004ms
	rtt min/avg/max/mdev = 11.991/24.342/32.349/8.862 ms
[root@localhost ~]# ping 192.168.9.134
	PING 192.168.9.134 (192.168.9.134) 56(84) bytes of data.
	^C
	--- 192.168.9.134 ping statistics ---
	5 packets transmitted, 0 received, 100% packet loss, time 4001ms

Pinging an external host still works, but pinging the host's own address does not: the echo request to 192.168.9.134 is delivered over lo and still traverses INPUT, where the inserted rule sits at position 1, ahead of the "-i lo ACCEPT" rule, so it is dropped like any other inbound echo request.

A problem I ran into: while doing this experiment I had added "192.168.9.134 www.qq.com" to /etc/hosts, which made the ping fail; the reason is that it was pinging the host's own IP.

[root@localhost ~]# ping www.qq.com
	PING www.qq.com (192.168.9.134) 56(84) bytes of data.
	^C
	--- www.qq.com ping statistics ---
	11 packets transmitted, 0 received, 100% packet loss, time 10000ms

The host can still ping external addresses, but external hosts can no longer ping it.
