iptables操作事例
#获取filter表中的规则链信息
[root@nginx02 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#创建一个自定义链名为IN_public
[root@nginx02 ~]# iptables -t filter -N IN_public
#查看filter链
[root@nginx02 ~]# iptables -t filter -L
...
Chain IN_public (0 references)
target prot opt source destination
#自定义链没有被引用,可以通过-E参数进行自定义链重命名
[root@nginx02 ~]# iptables -t filter -E IN_public OUT_public
[root@nginx02 ~]# iptables -t filter -L
...
Chain OUT_public (0 references)
target prot opt source destination
#清空链
[root@nginx02 ~]# iptables -F
#清除所有规则
[root@nginx02 ~]# iptables -X
#修改链的匹配规则
[root@nginx02 ~]# iptables -t filter -P FORWARD DROP
[root@nginx02 ~]# iptables -L -n
...
Chain FORWARD (policy DROP)
target prot opt source destination
...
#显示指定规则的号码
[root@nginx02 ~]# iptables -L -n --line-numbers
...
Chain IN_public (2 references)
num target prot opt source destination
1 IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
...
#删除FORWARD链上的第9条规则
[root@nginx02 ~]# iptables -D FORWARD 9
#指定源地址为任意地址,目标地址为本机,且为TCP协议的所有数据包均放行
[root@nginx02 ~]# iptables -t filter -A INPUT -d 192.168.88.102 -p tcp -j ACCEPT
[root@nginx02 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.88.102
#指定由本机发出的TCP协议报文与任意主机进行通信都放行
[root@nginx02 ~]# iptables -t filter -A OUTPUT -s 192.168.88.102 -p tcp -j ACCEPT
[root@nginx02 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.88.102
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.88.102 0.0.0.0/0
#修改指定链的target为drop
[root@nginx02 ~]# iptables -P INPUT DROP
[root@nginx02 ~]# iptables -P OUTPUT DROP
[root@nginx02 ~]# iptables -P FORWARD DROP
[root@nginx02 ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.88.102
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.88.102 0.0.0.0/0
#开启本机[192.168.88.102]ping,80,22对外访问的规则
[root@nginx02 ~]# iptables -t filter -A INPUT -d 192.168.88.102 -p icmp -j ACCEPT
[root@nginx02 ~]# iptables -t filter -A OUTPUT -s 192.168.88.102 -p icmp -j ACCEPT
#放行SSH(22端口)服务
[root@nginx02 ~]# iptables -A OUTPUT -p tcp --sport=22 -s 192.168.88.102 -j ACCEPT
[root@nginx02 ~]# iptables -A INPUT -p tcp --dport=22 -d 192.168.88.102 -j ACCEPT
#放行http(80端口)服务
[root@nginx02 ~]# iptables -A OUTPUT -p tcp --sport=80 -s 192.168.88.102 -j ACCEPT
[root@nginx02 ~]# iptables -A INPUT -p tcp --dport=80 -d 192.168.88.102 -j ACCEPT
#查看设置的规则
[root@nginx02 ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.88.102 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 192.168.88.102 tcp dpt:80
ACCEPT icmp -- 0.0.0.0/0 192.168.88.102
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.88.102 0.0.0.0/0 tcp spt:22
ACCEPT tcp -- 192.168.88.102 0.0.0.0/0 tcp spt:80
ACCEPT icmp -- 192.168.88.102 0.0.0.0/0
#查看内核模块nf_conntrack
[root@nginx02 netfilter]# pwd
/lib/modules/3.10.0-862.el7.x86_64/kernel/net/netfilter
[root@nginx02 netfilter]# modinfo nf_conntrack_ftp
filename: /lib/modules/3.10.0-862.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
alias: nfct-helper-ftp
alias: ip_conntrack_ftp
description: ftp connection tracking helper
author: Rusty Russell <rusty@rustcorp.com.au>
license: GPL
retpoline: Y
rhelversion: 7.5
srcversion: 83D9304C9B64D8FBC064040
depends: nf_conntrack
intree: Y
vermagic: 3.10.0-862.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: 3A:F3:CE:8A:74:69:6E:F1:BD:0F:37:E5:52:62:7B:71:09:E3:2B:96
sig_hashalgo: sha256
parm: ports:array of ushort
parm: loose:bool
#查看nf_conntrack当前连接数
[root@nginx02 netfilter]# cat /proc/sys/net/netfilter/nf_conntrack_count
1
#查看nf_conntrack表最大连接数
[root@nginx02 netfilter]# cat /proc/sys/net/netfilter/nf_conntrack_max
262144
#查看已经追踪到并记录下的连接
[root@nginx02 net]# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.88.1 dst=192.168.88.102 sport=51385 dport=22 src=192.168.88.102 dst=192.168.88.1 sport=22 dport=51385 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431982 ESTABLISHED src=192.168.88.1 dst=192.168.88.102 sport=50469 dport=22 src=192.168.88.102 dst=192.168.88.1 sport=22 dport=50469 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431986 ESTABLISHED src=192.168.88.1 dst=192.168.88.102 sport=51384 dport=22 src=192.168.88.102 dst=192.168.88.1 sport=22 dport=51384 [ASSURED] mark=0 zone=0 use=2
#通过dmesg查看nf_conntrack的信息
[root@nginx02 netfilter]# dmesg | grep nf_conntrack
[ 232.452376] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
[root@nginx02 netfilter]# cat /proc/sys/net/netfilter/nf_conntrack_buckets
65536
[root@nginx02 netfilter]# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
432000
#通过内核参数查看命令,查看所有参数配置
[root@nginx02 netfilter]# sysctl -a | grep conntrack
#一次放行多个端口(-m multiport)
[root@nginx02 netfilter]# iptables -I OUTPUT -s 192.168.88.102 -p tcp -m multiport --sport=22,80 -j ACCEPT
[root@nginx02 netfilter]# iptables -I INPUT -d 192.168.88.102 -p tcp -m multiport --dport=22,80 -j ACCEPT
#指定IP地址范围(-m iprange)放行
[root@nginx02 ~]# iptables -I INPUT -d 192.168.88.102 -p tcp -m iprange --src-range=192.168.88.1-192.168.88.100 -m multiport --dport=22,80 -j ACCEPT
[root@nginx02 ~]# iptables -I OUTPUT -s 192.168.88.102 -p tcp -m iprange --dst-range=192.168.88.1-192.168.88.100 -m multiport --sport=22,80 -j ACCEPT
#string扩展
[root@nginx02 ~]# iptables -I OUTPUT -m string --algo='bm' --string='movie' -j REJECT
#time扩展(注意时间格式问题)
[root@nginx02 ~]# iptables -I INPUT -d 192.168.88.102 -p tcp --dport 80 -m time --timestart 23:39 --timestop 23:45 -j REJECT
#connlimit(同一主机并发连接数限制),限制连接上限为3
[root@nginx02 ~]# iptables -I INPUT -p tcp -d 192.168.88.102 --dport 22 -m connlimit --connlimit-above=3 -j REJECT
#limit扩展,基于收发报文速率做检查
#--limit表示速率,--limit-burst表示上限
[root@nginx02 ~]# iptables -A INPUT -d 192.168.88.102 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 30/minute -j ACCEPT
#--state扩展
#开通22端口
[root@nginx02 ~]# iptables -I INPUT -d 192.168.88.102 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@nginx02 ~]# iptables -I OUTPUT -s 192.168.88.102 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#开通ping请求
[root@nginx02 ~]# iptables -I INPUT -d 192.168.88.102 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@nginx02 ~]# iptables -I OUTPUT -s 192.168.88.102 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
#------------------开放被动模式的ftp服务
#安装vsftpd服务
[root@nginx02 netfilter]# yum install -y vsftpd
#1)装载nf_conntrack_ftp模块
[root@nginx02 netfilter]# modprobe nf_conntrack_ftp
[root@nginx02 netfilter]# lsmod | grep ftp
nf_conntrack_ftp 18638 0
nf_conntrack 133053 7 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
#2)放行请求报文
#命令连接:NEW,ESTABLISH
#数据连接:RELATED,ESTABLISHED
#放行命令连接
[root@nginx02 ~]# iptables -I INPUT -d 192.168.88.102 -p tcp -m multiport --dport 21,22,80 -m state --state NEW -j ACCEPT
#放行数据连接
[root@nginx02 ~]# iptables -I INPUT -d 192.168.88.102 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#3)放行响应报文
[root@nginx02 ~]# iptables -I INPUT -s 192.168.88.102 -p tcp -m state --state ESTABLISHED -j ACCEPT
#------------------开放被动模式的ftp服务
#----------------保存和重载规则
#保存规则
[root@nginx02 ~]# iptables-save > /etc/sysconfig/iptables
#重载规则
[root@nginx02 ~]# iptables-restore < /etc/sysconfig/iptables
