What is iptables?

iptables is the user-space tool for configuring the Linux kernel's netfilter packet filter. It accepts, drops, rejects or rewrites packets based on IP addresses, protocol, ports and connection state, so it is a network/transport-layer packet firewall, not an application-layer one.
Permanently disable SELinux

SELinux does not have to be off for iptables to work; it is disabled here only to keep the lab simple. On a real host leave it enforcing, or set it to permissive while troubleshooting so that denials are logged instead of silently removed.

```
[root@guo-001 ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled                  # set to disabled here to turn SELinux off
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

The change in this file takes effect at the next reboot.

Check whether SELinux is disabled

```
[root@guo-001 ~]# getenforce
Disabled
```

Temporarily disable SELinux

setenforce 0 switches a running SELinux from enforcing to permissive without a reboot. It only works while a policy is loaded; this machine was already booted with SELINUX=disabled, so the command just reports that:

```
[root@guo-001 ~]# setenforce 0
setenforce: SELinux is disabled
```
CentOS 7 uses firewalld as its default front end to netfilter and does not ship the classic iptables service. firewalld and the iptables service both program the same kernel netfilter tables, so only one of them should be managing the rules: stop and disable firewalld first, then install and enable iptables-services.

Disable firewalld, enable the iptables service

```
[root@guo-001 ~]# systemctl disable firewalld      # do not start firewalld at boot
[root@guo-001 ~]# systemctl stop firewalld         # stop the running firewalld service
```

Then install the iptables service and start it:

```
[root@guo-001 ~]# yum install -y iptables-services   # install the iptables service
[root@guo-001 ~]# systemctl enable iptables          # start it at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@guo-001 ~]# systemctl start iptables           # start the iptables service
```
iptables -nvL lists the current rules with packet and byte counters (-L list, -n numeric addresses and ports, -v verbose: counters and interfaces). These are the defaults the service loads from /etc/sysconfig/iptables: replies to existing connections, ICMP, loopback and SSH are accepted, everything else is rejected.

```
[root@guo-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  2068 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 1620 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
How a packet travels through the chains:

1. When a packet arrives on a network interface it first enters the PREROUTING chain. The kernel then looks at the destination IP to decide whether the packet is for this host or has to be forwarded.
2. If it is addressed to this host it moves down to the INPUT chain. After INPUT it is delivered to the local process that owns the destination socket. Packets sent by local processes pass through the OUTPUT chain and then POSTROUTING before leaving.
3. If it has to be forwarded and the kernel permits forwarding (net.ipv4.ip_forward = 1), it goes through the FORWARD chain and then POSTROUTING before being sent out.

For a host that is not a router, INPUT is therefore the chain that decides what the outside world can reach, and the rest of this post works almost entirely in INPUT.
```
[root@xuexi-001 ~]# iptables -nvL        # show the iptables rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  430 33327 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   68  6046 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 372 packets, 47469 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

iptables -F flushes every rule in the filter table but leaves the chain policies untouched. Since the policies are ACCEPT, the host is now completely open. -F only changes the running kernel; the saved rules in /etc/sysconfig/iptables come back at the next service restart.

```
[root@xuexi-001 ~]# iptables -F          # flush the rules
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
The rules file the iptables service loads at boot (service iptables save writes the running rules back into it)

```
[root@xuexi-001 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

This is the iptables-restore format: one table per *table block, a :CHAIN POLICY [packets:bytes] line per chain, then the rules in order, ended by COMMIT.
View the nat table rules

filter is the default table. -t nat selects the NAT table, whose chains are PREROUTING (for DNAT), POSTROUTING (for SNAT/MASQUERADE), INPUT and OUTPUT. It is empty on this host:

```
[root@xuexi-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
iptables -Z zeroes the packet and byte counters. This is handy when testing a rule: zero the counters, generate the traffic, then check which rule's counter moved.

```
[root@xuexi-001 ~]# iptables -Z ; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Adding rules: -A versus -I

-A appends the rule at the end of the chain. Rules are evaluated top to bottom and the first terminating match (ACCEPT, DROP, REJECT) wins, so a rule appended after the catch-all REJECT can never match; its counters stay at 0 forever:

```
[root@xuexi-001 ~]# iptables -A INPUT -s 192.168.5.1 -p tcp --sport 1234 -d 192.168.5.128 --dport 80 -j DROP
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  117  9196 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.5.1          192.168.5.128        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 16 packets, 1504 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

-I inserts the rule at position 1 (or at a given position: iptables -I INPUT 3 ...), so it is evaluated before everything else:

```
[root@xuexi-001 ~]# iptables -I INPUT -s 192.168.5.1 -p tcp --sport 80 -d 192.168.5.128 --dport 80 -j DROP
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.5.1          192.168.5.128        tcp spt:80 dpt:80
  501 36676 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.5.1          192.168.5.128        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 716 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Deleting a rule, method 1: repeat the rule exactly as it was added, with -D in place of -I or -A. iptables removes the first rule whose specification matches.

```
[root@xuexi-001 ~]# iptables -D INPUT -s 192.168.5.1 -p tcp --sport 80 -d 192.168.5.128 --dport 80 -j DROP
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  653 48776 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.5.1          192.168.5.128        tcp spt:80 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 26 packets, 2408 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Deleting a rule, method 2: list the rules with their numbers using iptables -nvL --line-numbers, then delete by number with iptables -D INPUT <number>. Numbers shift after every insert or delete, so list again before deleting a second rule.

```
[root@xuexi-001 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      741 54604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.5.1          192.168.5.128        tcp spt:80 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 73 packets, 7792 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@xuexi-001 ~]# iptables -D INPUT 6
[root@xuexi-001 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      820 59864 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 2812 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
Putting a rule set in a script

A script with a default-deny INPUT policy and a short allow list:

```bash
[root@xuexi-001 ~]# vi /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                                                     # flush existing rules (policies are kept)
$ipt -P INPUT DROP                                          # default-deny inbound
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies to connections this host opened
$ipt -A INPUT -s 192.168.5.0/24 -p tcp --dport 22 -j ACCEPT    # SSH only from the LAN
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # HTTP from anywhere
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # FTP control channel from anywhere
```

After running the script the INPUT policy is DROP and only the four rules remain:

```
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  110  7312 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.5.0/24       0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
```

Three things to watch in a script like this. It has no -i lo rule, so local services that talk to 127.0.0.1 are cut off (see the problems section below). Between -P INPUT DROP and the RELATED,ESTABLISHED rule there is a short window in which packets of your own SSH session are dropped; TCP retransmits normally cover it, but loading the whole set with iptables-restore avoids the window entirely. And FORWARD ACCEPT is wider than a plain host needs; DROP it unless the machine routes.
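The same policy as the script above, but generated in the iptables-restore format shown earlier, so the whole table is loaded in one atomic step and there is no moment where the policy is already DROP while the RELATED,ESTABLISHED rule is still missing. This is an added example, not code from the original post: the management subnet, the service ports, the output path and the use of -m conntrack (the current equivalent of the post's -m state) are assumptions for the example.

```shell
#!/bin/bash
# Added example: emit a complete filter table in iptables-restore format.
# Nothing here touches the live firewall; the restore step needs root and
# is left commented out in the usage line at the bottom.

# gen_ruleset MGMT_SUBNET PORT [PORT...]   -> prints an iptables-restore file
# PORT may be a single port (80) or a range in iptables syntax (10:21).
gen_ruleset() {
    local mgmt="$1"; shift
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarding; allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # These two must come before anything else or the host cuts itself off:
    # loopback traffic and replies to connections this host opened.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Let the host be pinged (echo-request only).
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # SSH only from the management subnet (assumed 192.168.5.0/24 in usage).
    printf '%s\n' "-A INPUT -p tcp -s $mgmt --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Service ports open to everyone.
    local p
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit catch-all so rejected traffic shows up in the rule counters.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Sanity check used below: number of INPUT rules ahead of the catch-all REJECT.
rules_before_reject() {
    gen_ruleset "$@" | awk '/^-A INPUT -j REJECT/{exit} /^-A/{n++} END{print n+0}'
}

# Usage: write the file, then (as root) test-parse and load it atomically.
gen_ruleset 192.168.5.0/24 80 10:21 > "${TMPDIR:-/tmp}/lab.ipt"
# iptables-restore --test < /tmp/lab.ipt && iptables-restore < /tmp/lab.ipt
```

To make the set survive a reboot on CentOS 7 with iptables-services, write it to /etc/sysconfig/iptables instead of /tmp; the service loads that file with iptables-restore at start.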
Restarting the service reloads /etc/sysconfig/iptables and throws away the rules the script put in memory. If the script's rules are meant to be permanent, run service iptables save after the script so they are written to that file.

```
[root@xuexi-001 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2244 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 18 packets, 1688 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Blocking ping, one direction only

Before the change, ping from the Linux host works:

```
[root@xuexi-001 ~]# ping www.qq.com
PING news.qq.com (182.254.50.164) 56(84) bytes of data.
64 bytes from 182.254.50.164 (182.254.50.164): icmp_seq=1 ttl=128 time=12.3 ms
64 bytes from 182.254.50.164 (182.254.50.164): icmp_seq=2 ttl=128 time=9.62 ms
^C
--- news.qq.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 9.629/10.995/12.361/1.366 ms
```

Drop inbound ICMP echo-request (type 8). The host can still ping out: its own requests leave through OUTPUT, and the echo-replies coming back are type 0, which the new rule does not match (and which the RELATED,ESTABLISHED rule accepts anyway).

```
[root@xuexi-001 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@xuexi-001 ~]# ping www.qq.com
PING news.qq.com (182.254.50.164) 56(84) bytes of data.
64 bytes from 182.254.50.164 (182.254.50.164): icmp_seq=1 ttl=128 time=10.9 ms
64 bytes from 182.254.50.164 (182.254.50.164): icmp_seq=2 ttl=128 time=10.1 ms
^C
--- news.qq.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.189/10.588/10.987/0.399 ms
```

Pinging the Linux host from Windows no longer works, because the echo-requests Windows sends are the packets being dropped:

```
C:\Users\Administrator>ping 192.168.5.130

Pinging 192.168.5.130 with 32 bytes of data:
Request timed out.
Request timed out.
```

Remove the rule again:

```
[root@xuexi-001 ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP
```
What iptables can do

- Packet access control: accept, drop or reject packets (filter table)
- Packet rewriting: change source or destination addresses and ports (SNAT, DNAT, MASQUERADE in the nat table; marks, TTL and TOS in the mangle table)
- Logging: record matching packets in the kernel log (LOG target)

Components of an iptables command

| iptables | table | command | chain | parameter / match | target |
|---|---|---|---|---|---|
| iptables | -t filter / -t nat | -A | INPUT | -p tcp | -j ACCEPT |
| | | -D | FORWARD | -s | DROP |
| | | -L | OUTPUT | -d | REJECT |
| | | -F | PREROUTING | --sport | DNAT |
| | | -P | POSTROUTING | --dport | SNAT |
| | | -I | | --dports | |
| | | -R | | -m tcp / state / multiport | |
| | | -n | | | |

Read a command left to right: table (filter when -t is omitted), what to do (-A append, -I insert, -D delete, -R replace, -L list, -F flush, -P set policy), which chain, what to match (-p protocol, -s source, -d destination, --sport/--dport ports, -m extra match modules such as state or multiport with --dports), and finally the target (-j).
Exercise: implement the following three rules

Rule 1: allow any address to reach this host's TCP ports 80, 22 and 10-21
Rule 2: allow ICMP packets from any address to this host
Rule 3: deny access to every other port
iptables options used below

-L: list the rules currently set; -n: numeric output, do not resolve addresses to hostnames or ports to service names; -v: also show counters and interfaces; -F: flush the rules set so far.
Start from an empty rule set:

```
[root@xuexi-001 ~]# iptables -F
[root@xuexi-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1848 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1412 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Rule 1: allow any address to reach this host's TCP ports 80, 22 and 10-21

Each -I goes to the top, so the rules appear in the reverse of the order they were typed. Without -n, iptables -L prints service names: 22 shows as ssh, 80 as http and the range 10:21 as 10:ftp.

```
[root@xuexi-001 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@xuexi-001 ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@xuexi-001 ~]# iptables -I INPUT -p tcp --dport 10:21 -j ACCEPT
[root@xuexi-001 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Rule 2: allow ICMP packets from any address to this host

```
[root@xuexi-001 ~]# iptables -I INPUT -p icmp -j ACCEPT
[root@xuexi-001 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Rule 3: deny access to every other port

This one is appended with -A so it sits last. The chain policy is still ACCEPT, but nothing reaches the policy any more because the REJECT matches every packet that got past the ACCEPT rules. REJECT answers with an ICMP port-unreachable by default; DROP would discard silently.

```
[root@xuexi-001 ~]# iptables -A INPUT -j REJECT
[root@xuexi-001 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
Check which service ports are listening

```
[root@xuexi-001 ~]# netstat -lnutp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      920/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1116/master
tcp6       0      0 :::22                   :::*                    LISTEN      920/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1116/master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           543/chronyd
udp6       0      0 ::1:323                 :::*                                543/chronyd
```

Only sshd listens on a non-loopback address; nothing listens on 80 or on 10-21.
From the second machine, scan which ports can be reached

```
[root@localhost ~]# nmap -sS -p 0-1000 192.168.5.130

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-16 16:44 CST
Nmap scan report for 192.168.5.130
Host is up (0.00048s latency).
Not shown: 987 filtered ports
PORT   STATE  SERVICE
10/tcp closed unknown
11/tcp closed systat
12/tcp closed unknown
13/tcp closed daytime
14/tcp closed unknown
15/tcp closed netstat
16/tcp closed unknown
17/tcp closed qotd
18/tcp closed unknown
19/tcp closed chargen
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open   ssh
80/tcp closed http        # nothing listens on 80 on the first machine, so it shows as closed
MAC Address: 00:0C:29:B3:A2:BF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 17.72 seconds
```

The three states map directly onto the firewall: filtered means the SYN was answered by the REJECT rule's ICMP port-unreachable (987 ports), closed means iptables let the SYN through but no process was listening so the kernel replied with a RST (10-21 and 80), and open means a service answered (sshd on 22). A scan from outside is therefore the quickest way to confirm the rule set does what the listing says.
Problems with this rule set:

1. The host cannot reach itself

```
[root@xuexi-001 ~]# telnet 127.0.0.1 22
Trying 127.0.0.1...
^C
```

The SYN to 127.0.0.1:22 is accepted (dport 22), but the SYN-ACK that sshd sends back travels through INPUT as well, addressed to the client's ephemeral port. No ACCEPT rule covers that port, so the REJECT rule kills the handshake. Any local service that connects to 127.0.0.1 breaks the same way.

(The ping line in the original session, ping 127.0.0.1 22, treats "22" as the destination host 0.0.0.22, so its 100% loss says nothing about loopback.)

2. The host cannot reach other hosts

```
[root@xuexi-001 ~]# curl http://www.baidu.com
curl: (6) Could not resolve host: www.baidu.com; Unknown error
```

The DNS query goes out, but the UDP reply comes back to an ephemeral port and is rejected, so name resolution fails. Any TCP connection the host initiates would fail the same way once the SYN-ACK is rejected.
Fix:

1. Open the loopback interface

```
[root@xuexi-001 ~]# iptables -I INPUT -i lo -j ACCEPT
[root@xuexi-001 ~]# telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
Connection closed by foreign host.
```

2. Accept packets that belong to connections this host already has: iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This uses connection tracking: once the outgoing query or SYN has been seen, the reply is classified ESTABLISHED and accepted regardless of port, while RELATED covers helper connections such as FTP data channels and ICMP errors.

```
[root@xuexi-001 ~]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@xuexi-001 ~]# curl -I http://www.baidu.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: Keep-Alive
Content-Length: 277
Content-Type: text/html
Date: Sat, 16 Jun 2018 15:41:44 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
```
Addendum: allow only 192.168.5.132 to reach the HTTP service

```
[root@xuexi-001 ~]# iptables -I INPUT -p tcp -s 192.168.5.132 --dport 80 -j ACCEPT
```

Test from machine 2 (192.168.5.132):

```
[root@localhost ~]# telnet 192.168.5.130 80
Trying 192.168.5.130...
telnet: connect to address 192.168.5.130: Connection refused
```

"Connection refused" is ambiguous here: telnet prints it both when the firewall allowed the SYN and the kernel answered with a RST because nothing listens on 80 (which is the case on this host, see the netstat output above), and when the REJECT rule answered with ICMP port-unreachable. To tell which happened, zero the counters with iptables -Z, repeat the telnet, and see whether the pkts column of the new ACCEPT rule or of the REJECT rule moved; or scan from machine 2 and compare closed against filtered.
Saving and restoring a rule set

iptables-save dumps the running rules in the same format as /etc/sysconfig/iptables. Rules inserted with -I appear at the top, most recently inserted first, which is why the 192.168.5.132 rule comes before the ESTABLISHED and loopback rules.

```
[root@xuexi-001 ~]# iptables-save > my.ipt
[root@xuexi-001 ~]# cat my.ipt
# Generated by iptables-save v1.4.21 on Sun Jun 17 00:10:39 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94:8140]
-A INPUT -s 192.168.5.132/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Jun 17 00:10:39 2018
```

iptables-restore loads such a file and replaces the current table in one step. Note that -nL without -v hides the interface column, so the loopback rule shows up as a bare "ACCEPT all"; use -nvL when you need to see it.

```
[root@xuexi-001 ~]# iptables -F
[root@xuexi-001 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@xuexi-001 ~]# iptables-restore < my.ipt
[root@xuexi-001 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.5.132        0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:10:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
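A rule set saved with iptables-save can be checked before it is loaded. The audit below looks for the three mistakes this post runs into: the missing loopback rule and the missing RELATED,ESTABLISHED rule from the problems section, and an ACCEPT appended behind the catch-all REJECT, which (as the -A example earlier showed) can never match. This is an added example, not code from the original post; the two sample dumps are constructed from the post's saved rule set, with the loopback rule removed and a port 443 rule appended in the bad one, and the message texts are the example's own.

```shell
#!/bin/bash
# Added example: audit the filter table of an iptables-save dump.
# Reads the dump on stdin, prints one finding per line, exit status 1 if
# anything was found.
#   MISSING     - no loopback ACCEPT, or no RELATED,ESTABLISHED ACCEPT
#   OPEN        - INPUT policy ACCEPT with no catch-all REJECT/DROP
#   UNREACHABLE - ACCEPT rules placed after the catch-all, so never matched
audit_filter_input() {
    awk '
    /^\*/              { table = substr($0, 2); next }      # *filter, *nat, ...
    table != "filter"  { next }
    /^:INPUT /         { policy = $2; next }                # :INPUT DROP [0:0]
    /^-A INPUT /       {
        if ($0 ~ /-i lo /)                                    has_lo = 1
        if ($0 ~ /(RELATED,ESTABLISHED|ESTABLISHED,RELATED)/) has_est = 1
        # a rule with no match at all, only a terminating target
        if ($0 ~ /^-A INPUT -j (REJECT|DROP)/)                { catchall = 1; next }
        if (catchall && $0 ~ /-j ACCEPT/)                     dead[++nd] = $0
    }
    END {
        if (!has_lo)  { print "MISSING: -A INPUT -i lo -j ACCEPT"; bad = 1 }
        if (!has_est) { print "MISSING: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"; bad = 1 }
        if (policy == "ACCEPT" && !catchall) {
            print "OPEN: INPUT policy ACCEPT and no catch-all REJECT/DROP"; bad = 1
        }
        for (i = 1; i <= nd; i++) { print "UNREACHABLE (after catch-all): " dead[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the saved rule set from the post with the loopback
# rule removed and an ACCEPT appended behind the REJECT.
sample_bad() {
    cat <<'EOF'
# Generated by iptables-save v1.4.21
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94:8140]
-A INPUT -s 192.168.5.132/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same rule set with the loopback rule present and
# nothing behind the REJECT.
sample_good() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.5.132/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Usage on a live host (needs root):  iptables-save | audit_filter_input
# or on a saved file:                 audit_filter_input < my.ipt
sample_bad | audit_filter_input || echo "audit found problems; fix before loading"
```

The check only reads the INPUT chain of the filter table; a rule set that jumps into user-defined chains would need the same logic applied to each chain it jumps to.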