1. Firewall concepts
What is a firewall? A firewall is a device, or a set of devices, that enforces an access-control policy between networks. In practice a firewall can span several layers of the OSI model: it may involve packet-filtering devices that inspect and filter packets, it may enforce a policy for a particular application at a higher layer, or it may do other similar things. The main function of a firewall is isolation. It sits at the edge of a network or host, checks the packets entering or leaving that network or host against a set of rules, and applies the action defined by the matching rule. Most implementations close all access by default and open only what the policy explicitly allows. Firewalls are classified as host firewalls, network firewalls, hardware firewalls, software firewalls, network-layer firewalls, application-layer firewalls and so on. A host firewall applies an access policy to the host it runs on. A network firewall serves the LAN on one side of it. A hardware firewall implements part of its functionality in dedicated hardware and the rest in software. A software firewall is a firewall application running on a general-purpose hardware platform. A network-layer firewall works on the lower four layers of the OSI model and controls access based on the headers of those layers. An application-layer firewall (proxy server) works at the application layer of the OSI model and controls access based on application-layer protocol data.
2. Advantages and disadvantages of network-layer and application-layer firewalls
A network-layer firewall is essentially a packet filter: it selects packets at the network layer according to filtering logic configured in the system, called an access control list (ACL). It examines the source address, destination address, ports, protocol state and similar attributes of each packet in the data stream, or combinations of them, to decide whether the packet may pass. Advantages: it is transparent to users, fast, and easy to maintain. Disadvantage: it cannot inspect application-layer data, so it cannot detect things like viruses.
An application-layer firewall, also called a proxy firewall, splits every network connection that crosses the firewall into two segments; both inside and outside users communicate through a "link" on the proxy server. Its advantage is that it inspects data at the application layer and is therefore more thorough; its disadvantage is the extra load it places on the firewall.
Firewalls used in real production environments are generally a combination of the two: the network-layer data is checked first, and only what passes is handed to the application layer for inspection.
3. Introduction to iptables
Start with the kernel component, netfilter. Introduced in Linux 2.4, it is a subsystem that acts as a generic, abstract framework providing a complete mechanism for managing hook functions, which makes packet filtering, network address translation and protocol-based connection tracking possible. It places five hooks at five points in the kernel's network stack: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. These hooks are exposed to user space, and users write rules into them with a command-line tool, iptables. So iptables is only a user-space tool that manages the rules on netfilter; the firewall functionality itself is implemented by netfilter. Kernel-space functionality cannot be used directly by users; it has to be driven by software in user space. This also makes clear that iptables is a tool, not a service.
4. The components of iptables and how packets traverse them
iptables consists of five tables, five chains and the rules in them. The five tables are filter, nat, mangle, raw and security, each with a different purpose. The filter table holds the packet-filtering policy: packets are allowed or denied according to its predefined rules. The nat table holds address-translation rules. The mangle table holds rules that modify packet marks and header fields. The raw table is used to exempt packets from the connection tracking that the nat table relies on, speeding their passage through the firewall. The security table is used for mandatory access control (MAC) network rules and is implemented by Linux security modules such as SELinux. Their priority from high to low is security ---> raw ---> mangle ---> nat ---> filter.
The five built-in chains are the five hooks mentioned above: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. The relationship between the netfilter tables and chains is shown in the figure below.
The figure above does not show the chains the security table works on; like the filter table, it works on the INPUT, FORWARD and OUTPUT chains. The figure mainly shows where the five tables operate. Having seen how tables and chains correspond, let us look at the packet-filtering match flow.
As the figure above shows, when network A accesses network B, the data first arrives at the firewall's network card. The kernel decides from the packet's destination IP whether it needs to be forwarded. Before routing, the packet must pass the rules in the raw, mangle and nat tables; only then can it be decided whether the packet is destined for this host or is to be forwarded through it. If it is destined for this host, it goes through the PREROUTING chain and arrives at the INPUT chain, and before it reaches a user-space process it must pass every rule on INPUT. After the user-space process has received the remote request, the response packet arrives at the OUTPUT chain, which checks packets originating from this host; only a packet that satisfies the outbound rules passes OUTPUT. After OUTPUT the packet is routed and arrives at POSTROUTING, whose rules match the outbound packet and let it through or reject it. If the packet is not destined for this host, it goes from PREROUTING to FORWARD, which also has rules; whether it passes depends on the actions defined on the chain (to explain the filter flow we assume here that a matching packet passes and a non-matching one does not). If the packet passes all the rules on FORWARD, it is routed again to POSTROUTING and, again, must pass all the rules there before it reaches the next network; that is how packet forwarding works.
From the figure it is easy to see that there are three directions of packet flow: into this host, out of this host, and forwarded through this host. A packet entering this host goes first through PREROUTING, then INPUT, then to the user-space process. A packet leaving this host goes user-space process ----> OUTPUT ----> POSTROUTING. A packet forwarded by this host goes PREROUTING --> FORWARD --> POSTROUTING.
Having seen the packet paths, let us look at the routing function and when it happens. After a packet enters this host, the kernel uses its destination IP to decide whether it is for this host or is to be forwarded: if for this host, it is sent to INPUT, otherwise to FORWARD. That is the routing decision made as a packet enters the host. Before a packet leaves the host, the kernel uses the destination IP to decide which interface sends it to the next hop (the next network).
When a packet enters the network card it first enters PREROUTING, and the kernel decides from its destination IP whether it must be forwarded. If the packet is for this host, it reaches INPUT; after INPUT, the process it is addressed to receives it. Programs running on this host can send packets, which pass through OUTPUT and then POSTROUTING on the way out. If the packet is to be forwarded and the kernel allows forwarding, it moves on through FORWARD and then POSTROUTING on the way out.
5. iptables rules
A rule consists of match conditions and an action. The rule's match conditions are tried against the packet, and a packet that matches is handled by the action the rule defines. Match conditions are either basic (built into iptables) or extended (defined by extension modules, which must be loaded before the extended match can be used). Actions are likewise basic (built-in targets), extended (defined by extension modules), or user-defined: a user-defined action hands the matched packet to a user-defined chain, which is how a built-in chain calls a custom chain. iptables chains are either built-in or user-defined. The built-in chains correspond to the five hooks; user-defined chains extend and supplement the built-in chains for more flexible rule management, and they take effect only when called from a built-in chain.
Adding an iptables rule requires considering the following:
1) What is to be achieved, and therefore which table and which position the rule belongs in (iptables matches rules from top to bottom; the first matching rule's action is applied, and if none matches the default policy applies, so the position of a new rule matters).
2) The path the packet takes must be clear, to decide which chain the rule goes on.
3) The direction of the packet, to decide source and destination.
4) The match conditions: how to match, according to the business requirement.
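To make the first-match behaviour in point 1) concrete, here is a small simulator of how a chain is walked. It is an added example, not code from the original post. The rules, the default-deny policy on INPUT and the sample packets are constructed; the only netfilter semantics it models are the ones described above: the first matching rule decides, a user-defined chain that is exhausted (or hits RETURN) resumes the calling chain at the next rule, and an exhausted built-in chain falls back to its policy.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): simulate netfilter's first-match
# evaluation to show why rule ORDER and chain PLACEMENT matter.
# Rule format (constructed): CHAIN  SOURCE_CIDR  DPORT|any  TARGET
# TARGET is ACCEPT, DROP, RETURN, or the name of a user-defined chain.

# Constructed rule set: INPUT hands the LAN to a user-defined chain, allows
# SSH from anywhere, and tries (too late) to drop 10.0.0.0/8.
RULES='
INPUT     192.168.0.0/24   any   my_chain
INPUT     0.0.0.0/0        22    ACCEPT
INPUT     10.0.0.0/8       any   DROP
my_chain  192.168.0.99/32  any   DROP
my_chain  0.0.0.0/0        80    ACCEPT
'

# Same rules with the two INPUT rules swapped: the 10.0.0.0/8 drop now wins.
RULES_REORDERED='
INPUT     192.168.0.0/24   any   my_chain
INPUT     10.0.0.0/8       any   DROP
INPUT     0.0.0.0/0        22    ACCEPT
my_chain  192.168.0.99/32  any   DROP
my_chain  0.0.0.0/0        80    ACCEPT
'

# Default policy of the built-in chains (constructed: default-deny inbound).
policy_of() {
  case $1 in
    INPUT|FORWARD) echo DROP ;;
    *) echo ACCEPT ;;
  esac
}

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  local IFS=. a b c d
  read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_match CIDR IP -> success if IP lies inside CIDR (a bare address is /32).
cidr_match() {
  local net bits mask
  case $1 in
    */*) net=${1%/*}; bits=${1#*/} ;;
    *)   net=$1;      bits=32 ;;
  esac
  [ "$bits" -eq 0 ] && return 0
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# evaluate CHAIN SRC_IP DPORT [RULES] -> prints the verdict.
# Walks CHAIN top to bottom; the first matching rule decides. A jump into a
# user-defined chain that ends without a verdict (or hits RETURN) resumes the
# caller at its next rule; a built-in chain that ends falls back to its policy.
evaluate() {
  local chain="$1" src="$2" dport="$3" rules="${4:-$RULES}"
  local rchain rsrc rport target verdict
  while read -r rchain rsrc rport target; do
    [ -n "$rchain" ] && [ "$rchain" = "$chain" ] || continue
    cidr_match "$rsrc" "$src" || continue
    [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
    case $target in
      ACCEPT|DROP|REJECT) echo "$target"; return 0 ;;
      RETURN) break ;;
      *) verdict=$(evaluate "$target" "$src" "$dport" "$rules")
         if [ "$verdict" != RETURN ]; then echo "$verdict"; return 0; fi ;;
    esac
  done <<EOF
$rules
EOF
  case $chain in
    INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) policy_of "$chain" ;;
    *) echo RETURN ;;
  esac
}

main() {
  for pkt in "192.168.0.5 80" "192.168.0.99 80" "192.168.0.5 443" "10.1.2.3 22"; do
    set -- $pkt
    printf '%-14s dport %-4s -> %s (reordered: %s)\n' "$1" "$2" \
      "$(evaluate INPUT "$1" "$2")" "$(evaluate INPUT "$1" "$2" "$RULES_REORDERED")"
  done
}
main "$@"
```

Run it with bash. The line for 10.1.2.3 port 22 shows the same packet accepted under the first ordering and dropped once the 10.0.0.0/8 rule is moved above the SSH rule; that is exactly the point about rule position. The 192.168.0.5 port 443 packet shows the other half: the user-defined chain has no opinion, so evaluation returns to INPUT and ends in the chain policy.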
6. iptables command usage and options
[root@test ~]# iptables -h
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                                jump to chain with no return
  --match     -m match
                                extended match (may load extension)
  --numeric   -n                numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table     -t table          table to manipulate (default: `filter')
  --verbose   -v                verbose mode
  --wait      -w [seconds]      maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact     -x                expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
[root@test ~]#
Tip: besides -h for the brief usage summary above, man 8 iptables gives a detailed description of every option.
-t specifies the table (filter by default); -A appends a rule at the end of a chain; -s specifies the source IP address; -j specifies the action. An iptables command can be roughly divided into two parts: the first states where the rule goes, the second is the rule itself, which in turn states the match conditions and the action. The command in the figure above appends a rule to the end of the INPUT chain of the filter table, saying that packets with source address 192.168.0.1 are dropped. Note that -A must be followed by the chain name, and the built-in chain names must be written in upper case.
Summary of the command format: iptables [-t tablesname] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
tablesname: raw, mangle, nat, [filter]; filter is the default when none is given.
COMMAND: the subcommand, specifying whether rules are added, deleted, listed or modified.
1) Chain management
-N: new, create a new user-defined chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 524 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -N my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-X: delete, delete an empty user-defined chain (a user-defined chain can be deleted only if it is not referenced by any built-in chain, i.e. its reference count is 0, and it is empty, i.e. it holds no rules)
[root@test ~]# iptables -A my_chain -s 192.168.0.0/24 -j ACCEPT
[root@test ~]# iptables -A INPUT -s 192.168.0.0/24 -j my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1688 my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 1488 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1688 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -X my_chain
iptables: Too many links.
[root@test ~]# iptables -F INPUT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 1552 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
   94  6516 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -X my_chain
iptables: Directory not empty.
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -X my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-P: policy, set the default policy; for the chains of the filter table the default policy is either ACCEPT (accept, allow) or DROP (discard)
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29890 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31689 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -P FORWARD ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 356 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nvL
-E: rename a user-defined chain;
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  104  7344 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 4120 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
  104  7344 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -E you_chain my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  178 12540 my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
  178 12540 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]#
Tip: a user-defined chain can be renamed even when its reference count is not zero.
2) Rule management
-A: append, append a rule at the end of the specified chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2208  340K my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1382 packets, 253K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2208  340K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2360  351K my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1048 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2360  351K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.99
[root@test ~]#
-I: insert, insert a rule at the given position; if the position is omitted the rule becomes the first one
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 195 packets, 13312 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 121 packets, 12112 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 41319 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -I my_chain -d 192.168.0.99 -p tcp --dport 80 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 124 packets, 10836 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 114 packets, 10648 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -I my_chain 2 -d 192.168.0.99 -p tcp --dport 8080 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 620 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6 packets, 1176 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]#
-D: delete, delete a rule; the rule is identified either by its number or by the rule specification itself
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18 packets, 1136 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 3072 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -D my_chain 1
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -D my_chain -d 192.168.0.99 -p tcp --dport 8080 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]#
-R: replace, replace the specified rule on the specified chain; the number of the rule to replace must be given
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -R my_chain 1 -d 192.168.0.100 -p tcp --dport 22 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.100        tcp dpt:22
[root@test ~]#
-F: flush, empty the specified chain; if no chain is given, all chains of the filter table are emptied
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 38 packets, 2560 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29 packets, 3648 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.100        tcp dpt:22
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 16 packets, 1108 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 41319 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 80 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  139  9668 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  200 13824 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-Z: zero, reset the counters on the specified chain; if no chain is given, the rule counters on all chains of the filter table are reset. Every iptables rule has two counters: (1) the number of packets matched; (2) the total size in bytes of all matched packets.
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  783 59868 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   50  4212 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 27 packets, 3364 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   672 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -Z OUTPUT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  822 62468 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   60  5052 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -Z
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  2124 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
3) Viewing the rules on a chain
-L: list, list all rules on the specified chain; -n: numeric, show addresses and ports as numbers; -v: verbose, detailed output, with -vv and -vvv for increasing detail
[root@test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             test                 tcp dpt:41319
ACCEPT     icmp --  anywhere             test                 icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  test                 anywhere             icmp echo-reply

Chain my_chain (0 references)
target     prot opt source               destination
[root@test ~]# iptables -Ln
iptables: No chain/target/match by that name.
[root@test ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.99         tcp dpt:41319
ACCEPT     icmp --  0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
target     prot opt source               destination
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
  205 14232 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   73  6132 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 160 packets, 18172 bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  6132 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nL -vv
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
  244 16780 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   93  7812 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 185 packets, 21408 bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  7812 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
libiptc vlibxtables.so.10. 1544 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/220/2b8/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/188/220/378/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 244 packets, 16780 bytes
Cache: 00000000
Match name: `tcp'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 1 (200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 93 packets, 7812 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 2 (392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 4 packets, 284 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 3 (544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP
Entry 4 (696):
SRC IP: 192.168.0.99/255.255.255.255
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 93 packets, 7812 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 5 (888):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 185 packets, 21408 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 6 (1040):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`my_chain'
Entry 7 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 8 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@test ~]# iptables -nL -vvv
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
  288 18748 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   97  8148 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 264 packets, 32648 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  8148 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
libiptc vlibxtables.so.10. 1544 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/220/2b8/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/188/220/378/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 288 packets, 18748 bytes
Cache: 00000000
Match name: `tcp'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 1 (200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 97 packets, 8148 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 2 (392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 4 packets, 284 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 3 (544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP
Entry 4 (696):
SRC IP: 192.168.0.99/255.255.255.255
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 97 packets, 8148 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 5 (888):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 264 packets, 32648 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 6 (1040):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`my_chain'
Entry 7 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 8 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@test ~]#
Tip: when other options are combined with the -L subcommand, they must be placed before -L; otherwise they are taken as the chain name.
-x: exact, show the counters as exact values rather than human-readable rounded units
--line-numbers: show the rule numbers; may be abbreviated to --line-num
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7196  322K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13994 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
  459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7227  324K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14018 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num   pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nvL --line-num
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7240  325K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14031 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num   pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
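The per-rule counters that -Z resets and -v, -x and --line-numbers display are the cheapest audit signal a firewall gives you. The following added example (not code from the original post) parses snapshots in the format of iptables -xnvL --line-numbers, exactly as shown above but with -x so that the numbers are not rounded, and does two things a practitioner actually wants: it flags rules that have never matched and user-defined chains with "(0 references)" (dead policy that only takes effect once a built-in chain calls it, as section 5 explains), and it diffs two snapshots to show which rules started matching. The two snapshots are constructed sample output, not captured from the author's host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit iptables counters.
# Input format: the output of `iptables -xnvL --line-numbers` (exact counters,
# numeric addresses, rule numbers). Both snapshots below are CONSTRUCTED.

SNAPSHOT_BEFORE='
Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        7227     331776 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2         459      38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8
3           0          0 DROP       tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14018 packets, 13631488 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         459      38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num      pkts      bytes target     prot opt in     out     source               destination
'

# Same host a little later: rule INPUT/1 kept matching and INPUT/3 fired 41 times.
SNAPSHOT_AFTER='
Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        7300     335104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2         459      38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8
3          41       2460 DROP       tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14018 packets, 13631488 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         459      38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num      pkts      bytes target     prot opt in     out     source               destination
'

# audit_rules SNAPSHOT -> one line per finding:
#   "zero-hit CHAIN rule N TARGET SRC -> DST [match details]" for rules that never matched
#   "unreferenced-chain NAME" for user-defined chains no built-in chain jumps to
audit_rules() {
  printf '%s\n' "$1" | awk '
    /^Chain / {
      chain = $2
      if ($0 ~ /\(0 references\)/) printf "unreferenced-chain %s\n", chain
      next
    }
    $1 == "num" || NF == 0 { next }
    $1 ~ /^[0-9]+$/ && $2 == "0" {
      rest = ""
      for (i = 11; i <= NF; i++) rest = rest " " $i
      printf "zero-hit %s rule %s %s %s -> %s%s\n", chain, $1, $4, $9, $10, rest
    }'
}

# counter_delta BEFORE AFTER -> "CHAIN/N +pkts TARGET" for every rule whose
# packet counter changed between the two snapshots (requires -x exact values).
counter_delta() {
  before=$(mktemp); after=$(mktemp)
  printf '%s\n' "$1" > "$before"
  printf '%s\n' "$2" > "$after"
  awk '
    /^Chain / { chain = $2; next }
    $1 ~ /^[0-9]+$/ {
      key = chain "/" $1
      if (NR == FNR) { old[key] = $2; next }          # first file: remember counts
      d = $2 - old[key]
      if (d != 0) printf "%s +%d %s\n", key, d, $4    # second file: report changes
    }' "$before" "$after"
  rm -f "$before" "$after"
}

main() {
  echo "== audit of current rules =="
  audit_rules "$SNAPSHOT_BEFORE"
  echo "== rules that matched since the previous snapshot =="
  counter_delta "$SNAPSHOT_BEFORE" "$SNAPSHOT_AFTER"
}
main "$@"
```

On a live system the snapshots come from iptables -xnvL --line-numbers taken at two points in time (or from one snapshot after an iptables -Z). A DROP rule whose counter suddenly climbs, like INPUT/3 here, is worth a look in the logs; a rule that has never matched after weeks of traffic, or a chain nothing references, is a candidate for review and removal so the rule set stays readable.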
-S: list-rules, show the rules on a chain in iptables-save command format
[root@test ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N my_chain
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT
-A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
[root@test ~]#
Tip: this output can be redirected to a file if needed, but such a file cannot be used to import rules; that is, it cannot be used to reload the iptables rule set.
四、規則的導出和導入
iptables規則導出到指定文件
[root@test ~]# iptables-save > iptables.txt [root@test ~]# cat iptables.txt # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *security :INPUT ACCEPT [122:11155] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [100:10857] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *mangle :PREROUTING ACCEPT [122:11155] :INPUT ACCEPT [122:11155] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [100:10857] :POSTROUTING ACCEPT [100:10857] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *raw :PREROUTING ACCEPT [122:11155] :OUTPUT ACCEPT [100:10857] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [5:280] :POSTROUTING ACCEPT [5:280] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *filter :INPUT ACCEPT [40:5587] :FORWARD DROP [0:0] :OUTPUT ACCEPT [100:10857] :my_chain - [0:0] -A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT -A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT -A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT COMMIT # Completed on Thu Feb 6 00:01:22 2020 [root@test ~]#
Tip: rules are saved with the iptables-save command, which by default prints all rules on all chains to standard output; to save them to a specific file, redirect the output to that file.
Importing iptables rules
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination
54895 2298K ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.0.99  tcp dpt:41319
   75  6300 ACCEPT  icmp --  *   *    0.0.0.0/0  192.168.0.99  icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 117K packets, 130M bytes)
 pkts bytes target  prot opt in  out  source        destination
   75  6300 ACCEPT  icmp --  *   *    192.168.0.99  0.0.0.0/0  icmptype 0

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 27 packets, 1976 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 20 packets, 1816 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]# iptables-restore < iptables.txt
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination
   24  1636 ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.0.99  tcp dpt:41319
    7   588 ACCEPT  icmp --  *   *    0.0.0.0/0  192.168.0.99  icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target  prot opt in  out  source        destination
    7   588 ACCEPT  icmp --  *   *    192.168.0.99  0.0.0.0/0  icmptype 0

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]#
Tip: the file being imported must be one produced by iptables-save; a file produced with iptables -S cannot be restored.
-n, --noflush: import without clearing the existing rules
[root@test ~]# iptables -F
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 3306 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3468 bytes)
 pkts bytes target  prot opt in  out  source     destination
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.0.99  tcp dpt:3306

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 34 packets, 3028 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]# iptables-restore -n iptables.txt
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.0.99  tcp dpt:3306
   24  1636 ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.0.99  tcp dpt:41319
    4   336 ACCEPT  icmp --  *   *    0.0.0.0/0  192.168.0.99  icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target  prot opt in  out  source        destination
    4   336 ACCEPT  icmp --  *   *    192.168.0.99  0.0.0.0/0  icmptype 0

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]#
Tip: the -n option leaves the existing rules on the built-in chains in place; user-defined chains are flushed regardless of whether they are referenced.
-t, --test: only parse and build the ruleset, without committing it
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1708 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 17 packets, 1548 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]# iptables-restore -t iptables.txt
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 98 packets, 7096 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain OUTPUT (policy ACCEPT 72 packets, 7188 bytes)
 pkts bytes target  prot opt in  out  source     destination

Chain my_chain (0 references)
 pkts bytes target  prot opt in  out  source     destination
[root@test ~]#
Tip: the export and import methods above apply to both CentOS 6 and CentOS 7.
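The two tips above (an `iptables -S` listing cannot be fed to iptables-restore, and a restore file should be checked before it is committed) can be worked through without touching a live firewall. The following POSIX shell script is an added example, not from the original post: it rewrites a saved `iptables -S` listing of the filter table into the `*table` / `:chain` / `COMMIT` layout that iptables-restore reads and balance-checks the result; the sample input is constructed from the listing shown earlier, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): convert `iptables -S` output for
# the filter table into iptables-restore format and sanity-check it.
# Needs only sh and awk; no root and no iptables required to run the checks.

# s_to_restore: read `iptables -S` lines on stdin, write restore format.
#   -P CHAIN POLICY -> :CHAIN POLICY [0:0]   (built-in chain with policy)
#   -N chain        -> :chain - [0:0]        (user-defined chain, no policy)
#   -A ...          -> kept verbatim, emitted after all chain declarations
# Packet/byte counters are not present in -S output, so they start at [0:0].
s_to_restore() {
    awk '
    BEGIN { print "*filter" }
    $1 == "-P" { printf ":%s %s [0:0]\n", $2, $3; next }
    $1 == "-N" { printf ":%s - [0:0]\n", $2; next }
    $1 == "-A" { rules[++n] = $0; next }
    END {
        for (i = 1; i <= n; i++) print rules[i]
        print "COMMIT"
    }'
}

# check_dump: read a restore-format file on stdin; succeed only if every
# *table header is closed by exactly one COMMIT line (a malformed file is
# what iptables-restore -t would reject before anything is committed).
check_dump() {
    awk '
    /^\*/      { if (open) bad = 1; open = 1; next }
    /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
    END { exit (bad || open) }'
}

# Constructed sample: the filter-table listing shown earlier in this post.
SAMPLE_S='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N my_chain
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT
-A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT'

# convert_and_check FILE: write the converted ruleset to FILE and verify its
# structure. Returns 0 on success, 1 on any failure.
convert_and_check() {
    out=${1:-/tmp/filter.rules}
    printf '%s\n' "$SAMPLE_S" | s_to_restore > "$out" || return 1
    check_dump < "$out"
}

# dry_run_restore FILE: on a real host, hand the file to the genuine parser
# with -t (parse only, nothing committed), as the post shows for iptables.txt.
dry_run_restore() { iptables-restore -t "${1:-/tmp/filter.rules}"; }
```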
Besides the methods above, CentOS 6 can also export rules with service iptables save or /etc/init.d/iptables save, using the init script to save the iptables rules.
[root@test-node1 ~]#cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out  source          destination
   25  1728 you_chain  all  --  *   *    192.168.0.0/24  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain OUTPUT (policy ACCEPT 16 packets, 2272 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain you_chain (1 references)
 pkts bytes target     prot opt in  out  source          destination
   25  1728 ACCEPT     all  --  *   *    192.168.0.0/24  0.0.0.0/0
[root@test-node1 ~]#service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@test-node1 ~]#cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 6 00:49:32 2020
*filter
:INPUT ACCEPT [22:1656]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [82:8776]
:you_chain - [0:0]
-A INPUT -s 192.168.0.0/24 -j you_chain
-A you_chain -s 192.168.0.0/24 -j ACCEPT
COMMIT
# Completed on Thu Feb 6 00:49:32 2020
[root@test-node1 ~]
Tip: on CentOS 6, saving rules through the init script overwrites /etc/sysconfig/iptables by default.
Importing rules on CentOS 6
[root@test-node1 ~]#iptables -F
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain OUTPUT (policy ACCEPT 14 packets, 1304 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain you_chain (0 references)
 pkts bytes target     prot opt in  out  source          destination
[root@test-node1 ~]#service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out  source          destination
   19  1332 you_chain  all  --  *   *    192.168.0.0/24  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
 pkts bytes target     prot opt in  out  source          destination

Chain you_chain (1 references)
 pkts bytes target     prot opt in  out  source          destination
   19  1332 ACCEPT     all  --  *   *    192.168.0.0/24  0.0.0.0/0
[root@test-node1 ~]#
Tip: on CentOS 6, rules are imported with restart, not restore.