iptables基本应用#man iptables
iptables [-t table] -[AD] chainrule-specification [options]
iptables [-t table] -I chain [rulenum] rule-specification
[options]
iptables [-t table] -R chain rulenum rule-specification
[options]
iptables [-t table] -D chain rulenum[options]
iptables [-t table] -[LFZ] [chain][options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target[options]
iptables [-t table] -E old-chain-namenew-chain-name
-t table:
Filter,nat,mangle,raw
链管理:
-F:flush,清空规则链,省略链,表示清空指定表上的所有的链:
-N:new,自定义规则链
-X:drop,删除用户自定义的空的规则链;
-Z:zero,清零,置零规则计数器
-P:policy,这指定链设定默认策略,对filter表中的链而言,默认策略通常有ACCEPT(接受),DROP(丢弃),REJECT (拒绝)
-E:rename,重全名自定义链,引用计数不为0的自定义链,无法改名,也无法删除
规则管理:
-A:append,将新规则追加于指定链的尾部
-I:insert,将新规则插入至指定链的指定位置
-D:delete,删除指定链上的指定规则
有两种:
1. 指定匹配条件
2. 指定规则编号
-R:replace,替换指定链上的指定规则
查看:
-L:list,列出指定链上的所有规则
-n:numberic,以数字格式显示地址和端口号
-v:verbose,显示详细信息
-vv,-vvv
--line-numbers:显示规则编号
-x:exactly,显示计数器计数结果的精确值
在Filter链上添加一条新链:
[root@node229 ~]# iptables -t filter -NIN_putlic
[root@node229 ~]# iptables -L
Chain INPUT (policy ACCEPT) #默认策略
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain IN_putlic (0 references)
target prot opt source destination
对自定义链重命名:
[root@node229 ~]# iptables -t filter -EIN_putlic OUT_public
[root@node229 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain OUT_public (0 references)
target prot opt source destination
修改指定链的默认规则:
[root@node229 ~]# iptables -t filter -P FORWARDDROP|ACCEPT
[root@node229 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
删除指定链的规则:
[root@node229 ~]# iptables -t filter -A FORWARD -s192.168.2.0/24 -j ACCEPT
[root@node229 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.2.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@node229 ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.2.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@node229 ~]# iptables -D FORWARD 1
[root@node229 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
查看规则的详细信息:
[root@node229 ~]# iptables -L -n –v|-vv
Chain INPUT (policy ACCEPT 728K packets, 132Mbytes)
pkts bytestarget prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytestarget prot opt in out source destination
Chain OUTPUT (policy ACCEPT 678K packets, 116Mbytes)
pkts bytestarget prot opt in out source destination
[root@node229 ~]# iptables -L -v -x
Chain INPUT (policy ACCEPT 3097652 packets,564353113 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2836516 packets,492809363 bytes)
pkts bytes target prot opt in out source
规则匹配条件:
基本匹配:
[!]-s,--src,--sourceIP|Netaddr :检查报文中的源IP地址是否符合此处指定的地址的范围
[!]-d,--dst,--destinationIP|Netaddr : 检查报文中的目标IP地址是否符合此处指定的地址的范围
[!]-p,--protocol {tcp|udp|icmp} :检查报文中的协议,即IP首部中的protocols所标识的协议
[!]-i,--in-interface interface:数据报文的流入接口;仅能用于PREROUTING,INPUT,FORWARD链
[!]-o,--out-interfaceinterface: 数据报文的流出接口;仅能用于FORWARD,OUTPUT,POSTROUTING链
目标:
-jTARGET: jump指定的TARGET
ACCEPT:授受
DROP:丢弃
REJECT:拒绝
RETURN:返回调用链
REDIRECT:端口重定向
LOG:记录日志
MARK:做防火墙标记
DNAT:目标地址转换
SNAT:源地址转换
MASQUERADE:地址伪装
自定义链:由自定义链上的规则进行匹配检查
允许所有的TCP协议访问主机:
[root@node229 ~]# iptables -t filter -A INPUT -d192.168.2.229 -p tcp -j ACCEPT
[root@node229 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.2.229
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
配置从本机出发的所有的TCP报文允许通过:
root@node229 ~]# iptables -t filter -A OUTPUT -s192.168.2.229 -p tcp -j ACCEPT
配置默认规则:
[root@node229 ~]# iptables -P INPUT DROP
[root@node229 ~]# iptables -P OUTPUT DROP
[root@node229 ~]# iptables -P FORWARD DROP
[root@node229 ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.2.229
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.229 0.0.0.0/0
允许ICMP报文通过:
[root@node229 ~]# iptables -A INPUT -d192.168.2.229 -p icmp -j ACCEPT
[root@node229 ~]# iptables -A OUTPUT -s192.168.2.229 -p icmp -j ACCEPT
[root@node229 ~]# iptables -L -n
Chain INPUT (policy DROP)
target protopt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.2.229
ACCEPT icmp -- 0.0.0.0/0 192.168.2.229
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.229 0.0.0.0/0
ACCEPT icmp -- 192.168.2.229 0.0.0.0/0
删除链上的规则:
[root@node229 ~]# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.2.229
2 ACCEPT icmp -- 0.0.0.0/0 192.168.2.229
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.2.229 0.0.0.0/0
2 ACCEPT icmp -- 192.168.2.229 0.0.0.0/0
[root@node229 ~]# iptables -D INPUT 2
[root@node229 ~]# iptables -D OUTPUT 2
[root@node229 ~]# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.2.229
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.2.229 0.0.0.0/0
通过接口进行限制:
[root@node229 ~]# iptables -A INPUT -d 192.168.2.229 -i eth0 -j ACCEPT
[root@node229 ~]# iptables -A OUTPUT -s 192.168.2.229-o eth0 -j ACCEPT
[root@node229 ~]# iptables -L -n --line-numbers -v
Chain INPUT (policy DROP 821 packets, 120K bytes)
num pktsbytes target prot opt in out source destination
1 173833353K ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.229
2 64 6846 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.2.229
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pktsbytes target prot opt in out source destination
Chain OUTPUT (policy DROP 1468K packets, 106Mbytes)
num pktsbytes target prot opt in out source destination
1 148232912K ACCEPT tcp -- * * 192.168.2.229 0.0.0.0/0
2 21 1943 ACCEPT all -- * eth0 192.168.2.229
* * :表示任意接口都可以
Eth0:表示从eth0接口通过数据报文
扩展匹配: [CentOS 6.x]
-m match_name –spec_options
[root@node1 ~]# rpm -ql iptables
/lib64/xtables/libipt_CLUSTERIP.so
/lib64/xtables/libipt_DNAT.so
/lib64/xtables/libipt_ECN.so
/lib64/xtables/libipt_LOG.so
/lib64/xtables/libipt_MASQUERADE.so
/lib64/xtables/libipt_MIRROR.so
/lib64/xtables/libipt_NETMAP.so
隐式扩展:对-p protocol指明的协议进行的扩展,可省略-m选项
-ptcp
--dport PORT[-PORT]:目标端口,可以是单个端口,也可以是连续多个端口
--sport PORT[-PORT]:源端口
--tcp-flagsLIST1 LIST2:检查LIST1 所指明的所有标志位,且这其中,LIST2所表示出的所有标记位必须为1,而余下的必须为0,没有LIST1中指明的,不作检查
SYN,ACK,FIN,RST,PSH,URG
Eg:--tcp-flags SYN,ACK,FIN,RST SYN
只检查SYN,ACK,FIN,RST,并且SYN为1,其它的为0
--syn:检查是否为TCP连接请求的第一次请求相当于:(--tcp-flags SYN,ACK,FIN,RST SYN)
-pudp
--dport
--sport
-picmp
--icmp-type
ICMP响应报文的种类:
可用数字表示其类型:
0:echo-reply #本机收到对方给于报文的响应是0
8:echo-request #ping对方,本机发送的报文类型是8
如果要想测试通过,要删除默认规则:
-A INPUT -j REJECT --reject-withicmp-host-prohibited
-A FORWARD -j REJECT --reject-withicmp-host-prohibited
允许ping通其它人,其它人ping不了本主机:
[root@node2~]# iptables -A OUTPUT -s 192.168.0.3 -picmp --icmp-type 8 -j ACCEPT
[root@node2 ~]# iptables -A INPUT -d 192.168.0.3 -p icmp--icmp-type 0 -j ACCEPT
[root@node2~]# ping 192.168.0.2
PING192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from192.168.0.2: icmp_seq=1 ttl=64 time=0.528 ms
允许其它主机ping 本机配置:
[root@node2~]# iptables -A INPUT -d 192.168.0.3 -p icmp --icmp-type 8 -j ACCEPT
[root@node2~]# iptables -A OUTPUT -s 192.168.0.3 -p icmp --icmp-type 0 -j ACCEPT
[root@node1~]# ping 192.168.0.3
PING192.168.0.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from192.168.0.3: icmp_seq=30 ttl=64 time=0.387 ms
64 bytes from192.168.0.3: icmp_seq=31 ttl=64 time=0.309 ms
