Basic iptables commands for the Linux firewall

1. Understanding iptables
2. iptables commands
2.1 Syntax: iptables -t table command chain rules -j target
table: one of filter, nat or mangle; the default is filter
Commands:
-L or --list: list the rules in the table
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-v shows more detail; -n displays IP addresses and ports as numbers instead of names
[root@appex ~]#iptables -L FORWARD -nv
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 3/hour burst 1000
0 0 ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
0 0 DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
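Reading the counters in the -nv listing is how you find out which rules actually fire. The script below is an added example, not part of the original article: it parses a listing constructed in the shape shown above (with the in/out columns that -v prints) and reports per-target hits, policy fall-through and rules that have never matched.

```shell
#!/bin/sh
# Added example, not from the original article: read 'iptables -L CHAIN -nvx'
# output and report which rules actually see traffic. Use -x so the pkts/bytes
# columns are exact numbers rather than 12K/3M abbreviations.
# The listing below is constructed in the shape shown in the article; the '*'
# in/out columns appear here because -v prints them.
sample_listing() {
  cat <<'EOF'
Chain FORWARD (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4200     252000 ACCEPT     all  --  *      *       172.16.2.0/24        172.16.3.0/24        limit: avg 300/sec burst 1000
     310      18600 DROP       all  --  *      *       172.16.2.0/24        172.16.3.0/24        limit: avg 300/sec burst 5
       0          0 DROP       tcp  --  *      *       10.0.0.90            10.0.0.80            tcp dpt:3389
EOF
}

# Packets that matched no rule and fell through to the chain's default policy
# (taken from the "policy ACCEPT N packets" header). A large number under a
# policy of ACCEPT means traffic is passing that no rule ever looked at.
policy_hits() { awk 'NR == 1 { print $5 }'; }

# Sum of the pkts column over rules whose target is TARGET (ACCEPT, DROP, ...).
target_hits() {  # usage: iptables -L FORWARD -nvx | target_hits DROP
  awk -v t="$1" 'NR > 2 && $3 == t { sum += $1 } END { print sum + 0 }'
}

# Rule numbers (as used by -D/-R/-I) whose counters are still zero: either
# dead rules or rules shadowed by an earlier one in the chain.
unused_rules() {
  awk 'NR > 2 && $1 == 0 { printf "%s%d", sep, NR - 2; sep = "," } END { print "" }'
}

sample_listing | target_hits DROP   # 310 packets dropped by the limit rule
```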
-P or --policy: set the chain's default policy
[root@appex ~]# iptables -t filter -P FORWARD DROP
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@appex ~]# iptables -t filter -P FORWARD ACCEPT
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-A or --append: append a rule at the end of the chain
[root@appex ~]#iptables -t filter -A FORWARD -p icmp -j DROP
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-I or --insert: insert a rule at the front of the chain, or at the given rule number
[root@appex ~]# iptables -t filter -I FORWARD 2 -p icmp -j ACCEPT
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-R or --replace: replace the rule at the given number
[root@appex ~]#iptables -t filter -R FORWARD 2 -p icmp -j DROP
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
DROP icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-D or --delete: delete a rule from the chain
[root@appex ~]#iptables -t filter -D FORWARD 2
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-F or --flush: delete all rules in the table
[root@appex ~]#iptables -t filter -F
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.2 iptables match options
-i or --in-interface: the network interface the packet arrives on, e.g. eth0 or eth1
-o or --out-interface: the network interface the packet leaves on, e.g. eth0 or eth1
[root@appex ~]# iptables -t filter -I FORWARD -i eth0 -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-p or --protocol: the protocol to match, e.g. TCP, UDP or ICMP
-s or --source: the source address to match
-d or --destination: the destination address to match
--sport: the source port to match; a range can be given as start-port:end-port
--dport: the destination port to match; a range can be given as start-port:end-port
[root@appex ~]# iptables -t filter -I FORWARD -p tcp -s 10.0.0.90/32 -d 10.0.0.80/32 --dport 3389 -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 10.0.0.90 10.0.0.80 tcp dpt:ms-wbt-server
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@appex ~]#iptables -t filter -I FORWARD -p tcp -s 10.0.0.0/24 -d 10.10.10.0/24 --dport 3389 -j DROP
[root@appex ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 10.0.0.0/24 10.0.10.0/24 tcp dpt:ms-wbt-server
DROP tcp -- 10.0.0.90 10.0.0.80 tcp dpt:ms-wbt-server
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.3 iptables extension options
Rate limiting: -m limit --limit
Burst control: -m limit --limit-burst
[root@appex ~]# iptables -t filter -F
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@appex ~]# iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j ACCEPT
[root@appex ~]#iptables -t filter -A FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j DROP # anything over the limit is dropped
[root@appex ~]#iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@appex ~]#iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit-burst 1000 -j ACCEPT
[root@appex ~]#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 3/hour burst 1000
ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.4 Targets
-j specifies the action to take on a matching packet. Commonly used targets include ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK.
Main targets available in the filter table:
ACCEPT: let the packet through; after this action no further rules are matched and processing moves directly to the next chain
REJECT: block the packet and send a packet back to notify the sender; after this action no further rules are matched and filtering stops
DROP: discard the packet without processing it; after this action no further rules are matched and filtering stops.
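Because a chain is evaluated top to bottom and the first terminating target wins, the order produced by the -I and -A calls in sections 2.2 and 2.3 is the policy. The script below is an added example, not part of the original article: it writes those FORWARD rules as one iptables-restore file (the format section 3.3 saves and loads) so they are applied atomically, and includes a helper that reports a rule's position in the numbering -I/-R/-D use. Addresses are the article's sample values; iptables-restore is only invoked when run as root on a host that has it.

```shell
#!/bin/sh
# Added example, not from the original article: the FORWARD rules from sections
# 2.2 to 2.4 written as one iptables-restore file, so the policy loads in a single
# atomic step instead of a series of -I/-A calls whose intermediate states are
# live. Addresses are the article's sample values; 'iptables-restore' is only
# run when this is executed as root on a host that has it.

# Emit the rule set in iptables-save format. A chain is walked top to bottom and
# the first ACCEPT/DROP/REJECT ends matching, so order is the policy:
#   1. the specific RDP block comes before anything that could accept it;
#   2. the 172.16.2.0/24 -> 172.16.3.0/24 flow is accepted at 300/s, burst 1000;
#   3. whatever exceeds the limit is dropped unconditionally. The article's
#      final rule carried its own '-m limit', which drops only a further 300/s
#      and lets the rest fall through to the chain policy, an ACCEPT in the
#      article's listing; the DROP policy below closes that gap as well.
forward_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -s 10.0.0.90/32 -d 10.0.0.80/32 --dport 3389 -j DROP
-A FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second --limit-burst 1000 -j ACCEPT
-A FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -j DROP
COMMIT
EOF
}

# 1-based position of the first rule in CHAIN containing PATTERN, in the same
# numbering 'iptables -I/-R/-D CHAIN N' uses; prints 0 when no rule matches.
rule_position() {  # usage: forward_ruleset | rule_position FORWARD '--dport 3389'
  awk -v chain="$1" -v pat="$2" '
    $1 == "-A" && $2 == chain { n++; if (!found && index($0, pat)) found = n }
    END { print found + 0 }'
}

# Load the rule set atomically, or just show it when not privileged.
apply_forward_ruleset() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    forward_ruleset | iptables-restore
  else
    echo "dry run (not root or no iptables-restore); rules that would load:" >&2
    forward_ruleset
  fi
}
```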
3. Saving and restoring iptables settings
3.1 Save the modified rules to the configuration file
[root@appex ~]# /etc/rc.d/init.d/iptables save
3.2 View the iptables configuration file
[root@appex ~]# cat /etc/sysconfig/iptables
3.3 Save the rules to a file, and import them back from that file
[root@appex ~]# iptables-save >iptables.conf1
[root@appex ~]# iptables-restore < iptables.conf1
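Once rules are saved to a file, the useful check is whether the running rules still match it. The script below is an added example, not part of the original article: it compares a saved dump against the live output of iptables-save, stripping the timestamp comments and per-chain counters that would otherwise make every diff report a change. Both dumps in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: check whether the running rules
# still match the file saved with iptables-save (section 3.3). A plain diff
# always reports a change, because iptables-save writes '# Generated by' and
# '# Completed on' timestamp lines plus per-chain [packets:bytes] counters, so
# those are stripped before the comparison. The two dumps below are constructed;
# in use, pass the saved file and pipe in a fresh 'iptables-save'.

# Remove comment lines and trailing counter brackets; rule order is preserved,
# so a reordered rule still counts as drift, as it should.
normalize_dump() { sed -e '/^#/d' -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//'; }

# Saved baseline (constructed), as iptables-save wrote it at the time.
saved_dump() {
  cat <<'EOF'
# Generated by iptables-save v1.4.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -j DROP
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
EOF
}

# Running rules (constructed): same policy, only the timestamp and counters moved.
running_dump() {
  saved_dump | sed -e 's/10:00:00/18:45:12/' -e 's/:INPUT ACCEPT \[0:0\]/:INPUT ACCEPT [88142:9034110]/'
}

# Running rules (constructed) after a rule was added by hand and never saved.
running_dump_with_extra_rule() {
  running_dump | awk '{ print } /^-A FORWARD -p icmp -j DROP$/ { print "-A FORWARD -p tcp --dport 3389 -j ACCEPT" }'
}

# usage: iptables-save | check_drift /etc/sysconfig/iptables
# Prints in-sync or drift and returns 1 on drift, so it can gate a cron alert.
check_drift() {  # check_drift SAVED_FILE  (running dump on stdin)
  saved=$(normalize_dump < "$1")
  running=$(normalize_dump)
  if [ "$saved" = "$running" ]; then echo in-sync; else echo drift; return 1; fi
}
```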
4. Configuring NAT (network address translation)
[root@appex ~]# ifconfig eth0:0 10.0.0.81 netmask 255.255.255.0
[root@appex ~]#ip addr show eth0:0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:21:85:0e brd ff:ff:ff:ff:ff:ff
inet 10.0.0.80/24 brd 10.0.0.255 scope global eth0
inet 10.0.0.81/24 brd 10.0.0.255 scope global secondary eth0:0
inet6 fe80::20c:29ff:fe21:850e/64 scope link
valid_lft forever preferred_lft forever
[root@appex ~]# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@appex ~]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j SNAT --to-source 10.0.0.80-10.0.0.81
[root@appex ~]#iptables -t nat -L POSTROUTING -nv
Chain POSTROUTING (policy ACCEPT 3 packets, 205 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- - eth0 10.0.10.0/24 0.0.0.0/0 to:10.0.0.80-10.0.0.81
5. Using the mangle table
--ttl-inc 1
--ttl-dec 2
--ttl-set 40
[root@appex ~]#iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@appex ~]# iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-inc 1
[root@appex ~]#iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-dec 2
[root@appex ~]# iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 40
[root@appex ~]#iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL decrement by 2
TTL all -- anywhere anywhere TTL increment by 1
TTL all -- anywhere anywhere TTL set to 40
