I. iptables packet flow
Inbound to this host (A sends, a local process B receives):   A ---> PREROUTING ---> INPUT ---> B
Outbound from this host (a local process A sends to B):       A ---> OUTPUT ---> POSTROUTING ---> B
Forwarded through this host (A sends to B, this machine routes in between):
    on A:            OUTPUT ---> POSTROUTING
    on this machine: PREROUTING ---> FORWARD ---> POSTROUTING   (INPUT and OUTPUT are never touched; forwarding also needs net.ipv4.ip_forward=1)
    on B:            PREROUTING ---> INPUT
# filter table
[root@m01 ~]# iptables -v -L -t filter
Chain INPUT (policy ACCEPT 762 packets, 52163 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 454 packets, 41474 bytes)
 pkts bytes target     prot opt in     out     source               destination

# nat table
[root@m01 ~]# iptables -v -L -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# mangle table
[root@m01 ~]# iptables -v -L -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# raw table
[root@m01 ~]# iptables -v -L -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
filter: packet filtering (accept/drop/reject). Chains: INPUT, FORWARD, OUTPUT
nat:    network address translation (DNAT, SNAT, REDIRECT, MASQUERADE). Chains: PREROUTING, INPUT, OUTPUT, POSTROUTING. Only the first packet of each connection is matched here; later packets reuse the connection-tracking entry
raw:    runs before connection tracking; used to exempt packets from tracking (NOTRACK) rather than to track them. Chains: PREROUTING, OUTPUT
mangle: modifying packet headers (TTL, TOS/DSCP, marks). Chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
At each hook the tables are consulted in the fixed order raw, mangle, nat, filter, which is why a REDIRECT in nat PREROUTING has already changed the port by the time filter INPUT sees the packet.
II. Using iptables
1. Check whether the iptables service is running
[root@m01 ~]# systemctl status iptables
2. Check whether iptables is installed
[root@m01 ~]# rpm -q iptables
3. Install iptables (on CentOS 7 the iptables package is the CLI only; the systemd unit used below comes from iptables-services, which the wildcard pulls in)
[root@m01 ~]# yum install iptables*
4. Start the iptables service. It loads the rules saved in /etc/sysconfig/iptables; rules added by hand are lost on the next restart unless you save them (service iptables save, or iptables-save redirected into that file)
[root@m01 ~]# systemctl start iptables
5. Stop and disable firewalld, so that two front-ends are not rewriting the same kernel tables
[root@m01 ~]# systemctl disable --now firewalld
Syntax: iptables -t <table> <option> <chain> <match conditions> -j <target>
-t                  table to operate on (default: filter)
-L, --list          list the rules of a chain (all chains of the table if none is given)
-v                  verbose: show packet and byte counters and the in/out interfaces
-n                  numeric output, do not resolve addresses or ports to names (much faster; the usual combination is -vnL)
-A, --append        append a rule at the end of a chain
-I, --insert        insert a rule at the top of a chain, or at position N with -I <chain> N
-F, --flush         delete all rules in a chain (or in the whole table if no chain is given)
-Z, --zero          reset the packet and byte counters
-D, --delete        delete a rule, either by repeating its specification or by its number (see --line-numbers together with -L)
-R, --replace       replace the rule at a given position
-S, --list-rules    print the rules as iptables command lines (the same format iptables-save uses)
-N, --new-chain     create a user-defined chain
-X, --delete-chain  delete an (empty) user-defined chain
-P, --policy        set the default policy of a built-in chain, i.e. what happens to a packet that matches no rule
III. iptables targets (actions)
ACCEPT    let the packet through; no further rules in this chain are checked, and the packet continues to the next chain/table on its path
REJECT    discard the packet and tell the sender: by default an ICMP port-unreachable, or a TCP RST with --reject-with tcp-reset; the client sees an immediate "Connection refused"
DROP      discard the packet silently; rule evaluation stops and the sender sees nothing but a timeout
REDIRECT  (nat table only) rewrite the destination to another port on this host; the packet then continues through the later chains, e.g. filter INPUT, which already see the new port
IV. Basic match conditions: the protocol (-p)
TCP   (e.g. HTTP, SSH; a quick test for an HTTP rule is curl www.baidu.com)
UDP   (e.g. DNS)
ICMP  (ping)
ALL   (any protocol; this is the default when -p is omitted)
V. -s source address, -d destination address
-s: the address the request comes from (a host, or a network in CIDR form such as 192.168.15.0/24)
-d: the address the request is sent to
VI. --sport source port, --dport destination port
--sport: the port the request comes from (normally a random high port, so it is rarely useful for filtering)
--dport: the port being accessed; both options require -p tcp or -p udp
VII. -i, -o, -m, -j
-i: the interface the packet came in on (valid in INPUT, FORWARD and PREROUTING only)
-o: the interface the packet leaves through (valid in OUTPUT, FORWARD and POSTROUTING only)
-m: load a match extension (module)
-j: jump to a target, i.e. the action to take
-p: the protocol to match
Examples:
To see which ports are in use on this host: [root@m01 ~]# netstat -nutlp   (or ss -nutlp where net-tools is not installed)
Case 1: allow only port 22; every other port must be unreachable
[root@m01 ~]# iptables -t filter -A INPUT -p TCP --dport 22 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -j DROP
Rules are evaluated top to bottom and the first match wins, so the ACCEPT must be appended before the catch-all DROP; doing it the other way round (or inserting the DROP with -I later) cuts off the SSH session you are working in. Note also that -p TCP limits the DROP to TCP: UDP and ICMP are still admitted by the chain's ACCEPT policy. The DROP counter in the listing shows the discarded packets.
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  217 14392 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   27  1368 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57 packets, 7412 bytes)
 pkts bytes target     prot opt in     out     source               destination
Case 2: allow only ports 22, 80 and 443; every other port must be unreachable
[root@m01 ~]# iptables -t filter -A INPUT -p TCP --dport 22 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP --dport 80 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP --dport 443 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -j DROP
The 80 and 443 rows show zero packets simply because nothing has connected to those ports yet; the counters are the quickest way to confirm which rule a test connection actually hit.
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  398 26360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20 packets, 1596 bytes)
 pkts bytes target     prot opt in     out     source               destination
Case 3: allow only ports 22, 80 and 443 and block everything else, but the host itself must still be able to reach Baidu
With the rules from case 2 in place, curl www.baidu.com on m01 hangs. The outbound SYN leaves through OUTPUT unhindered, but Baidu's replies come back addressed to a random high port on m01, match none of the three ACCEPT rules and are discarded by the final DROP. A port-based allow list cannot express "replies to connections this host opened itself"; that needs connection tracking, i.e. a rule with the conntrack (or the older state) match that accepts ESTABLISHED,RELATED packets, placed before the DROP.
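The following script is an added example and not part of the original notes: it solves cases 1 to 3 together as a stateful ruleset in iptables-restore format, and applies it with an automatic rollback so a mistake cannot lock you out of SSH. The port list, the rollback window and the log prefix are assumptions; the host's own addresses are not needed.

```shell
#!/bin/sh
# Added example, not from the original notes: a stateful INPUT ruleset that
# solves cases 1-3 together, emitted in iptables-restore format, plus an apply
# helper that rolls back automatically if the new rules lock you out.
# Assumptions (not from the page): SSH on 22, web on 80/443, the conntrack
# match is available, iptables-save/iptables-restore are installed.

# Emit the ruleset. Order is the point:
#   loopback -> drop junk -> replies to connections this host opened (this is
#   what lets m01 reach Baidu while every other inbound TCP hits the policy)
#   -> the exposed services -> rate-limited ping -> log what falls through.
# A DROP *policy* replaces the page's trailing "-p TCP -j DROP" rule, so UDP
# and ICMP are no longer admitted by accident.
gen_ruleset() {
    ports="${1:-22,80,443}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports ${ports} -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-INPUT-DROP: "
COMMIT
EOF
}

# Apply a ruleset file with a dead-man switch: the current rules are saved
# first and restored by a background job after $window seconds unless you
# type "confirm". If the new rules cut your SSH session you cannot confirm,
# so the old rules come back on their own.
apply_with_rollback() {
    ruleset_file="$1"; window="${2:-60}"
    backup="/tmp/iptables.$(date +%s).bak"
    iptables-save > "$backup" || return 1
    iptables-restore < "$ruleset_file" || return 1
    ( sleep "$window"; iptables-restore < "$backup" ) &
    rollback_pid=$!
    printf 'Rules applied. Type confirm within %ss to keep them: ' "$window"
    read -r answer
    if [ "$answer" = "confirm" ]; then
        kill "$rollback_pid" 2>/dev/null
        echo "kept; previous rules saved at $backup"
    else
        echo "not confirmed; $backup will be restored automatically"
    fi
}

# With no arguments, print the ruleset; with --apply [ports], apply it (as root).
if [ "${1:-}" = "--apply" ]; then
    tmp=$(mktemp)
    gen_ruleset "${2:-}" > "$tmp"
    apply_with_rollback "$tmp"
    rm -f "$tmp"
else
    gen_ruleset
fi
```

Run it without arguments to review the generated ruleset, then with --apply from the SSH session you want to protect; if the prompt never comes back, wait out the window and the previous rules are restored. The ESTABLISHED,RELATED rule sits above the service rules on purpose: it answers case 3 and also handles the bulk of traffic in one cheap match before any port comparison.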
Case 4: allow SSH on port 22 only when it is addressed to 192.168.15.81; refuse everything else
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -d 192.168.15.81 --dport 22 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -j DROP
ssh root@192.168.15.81
The -d only makes a difference on a multi-homed host: if m01 has a second address (on eth1, as the .71 host later in these notes does), SSH to that address no longer matches the ACCEPT and hits the DROP, while SSH to 192.168.15.81 is accepted.
Case 5: allow only 192.168.15.71 to connect on port 22; refuse everyone else
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -s 192.168.15.71 -d 192.168.15.81 --dport 22 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   62  6349 ACCEPT     tcp  --  *      *       192.168.15.71        192.168.15.81        tcp dpt:22
   35  2056 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 58 packets, 8625 bytes)
 pkts bytes target     prot opt in     out     source               destination
Case 6: make 192.168.15.71 invisible to the outside (run on the .71 host, prometheus)
[root@prometheus ~]# iptables -t filter -A INPUT -p TCP -d 192.168.15.71 -j DROP
[root@m01 ~]# ssh root@192.168.15.71
ssh: connect to host 192.168.15.71 port 22: Connection timed out
[root@m01 ~]# ssh root@172.16.1.71
The authenticity of host '172.16.1.71 (172.16.1.71)' can't be established.
ECDSA key fingerprint is SHA256:S/BCftO+BZNLg69kYTIBvspxOtPvoQIXXja1Kkba9Ik.
ECDSA key fingerprint is MD5:03:10:d6:43:01:d8:3d:c4:92:ad:51:1b:6f:2e:40:94.
Are you sure you want to continue connecting (yes/no)? yes
DROP discards silently, which is why the client reports "Connection timed out" rather than "Connection refused" (REJECT would give the latter). The rule keys on the destination address, so the same host is still reachable on its other address, 172.16.1.71. "Invisible" here means TCP only: with -p TCP in the rule, pings to 192.168.15.71 are still answered.
Case 7: drop every request that arrives on the eth0 interface
[root@prometheus ~]# iptables -t filter -A INPUT -p TCP -i eth0 -j DROP
[root@m01 ~]# ssh root@192.168.15.71
ssh: connect to host 192.168.15.71 port 22: Connection timed out
[root@m01 ~]# ssh root@172.16.1.71
root@172.16.1.71's password:
[root@prometheus ~]# iptables -vnL
Chain INPUT (policy ACCEPT 46 packets, 5229 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1808 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 43 packets, 6881 bytes)
 pkts bytes target     prot opt in     out     source               destination
From the session that came in via 172.16.1.71 (eth1), block access to Baidu
[root@prometheus ~]# iptables -t filter -I OUTPUT -p TCP -o eth1 -j DROP
This drops every TCP packet leaving through eth1, which only achieves the goal if Baidu is routed via eth1; check with ip route get and the address first. If eth1 is also the interface your SSH session arrived on, the replies of that session are dropped as well and you are locked out, and because -I puts the rule at the top of OUTPUT nothing earlier in the chain can save it.
Case 8: redirect connections arriving on port 8080 of the server to port 80
[root@m01 ~]# iptables -t nat -A PREROUTING -p TCP --dport 8080 -j REDIRECT --to-port 80
[root@m01 ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 redir ports 80

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
REDIRECT is a DNAT to the address of the interface the packet came in on. Two things matter when testing it: nat PREROUTING only sees packets from other hosts, so curl 127.0.0.1:8080 on m01 itself is not redirected (locally generated traffic passes nat OUTPUT instead); and filter INPUT runs after the rewrite, so an allow list there has to permit port 80, not 8080. The nat table inspects only the first packet of a connection; the rest follow the conntrack entry without being matched again.
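As an added example that is not part of the original notes, the script below generates the full set of rules a port redirect needs: the page's nat PREROUTING rule, the nat OUTPUT rule that covers traffic the host sends to itself, and the filter INPUT rule for the post-NAT port. The port numbers are parameters, and the function name redirect_rules is an invention of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the rules a port
# redirect really needs. Besides the page's nat PREROUTING rule it adds the
# nat OUTPUT rule for locally generated traffic and the filter INPUT rule for
# the post-NAT port. Port numbers are parameters; nothing else is assumed.

# True if $1 is an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules FROM TO [PROTO]  -> prints the iptables commands to stdout.
redirect_rules() {
    from="$1"; to="$2"; proto="${3:-tcp}"
    if ! is_port "$from" || ! is_port "$to"; then
        echo "redirect_rules: ports must be 1-65535" >&2; return 1
    fi
    if [ "$from" = "$to" ]; then
        echo "redirect_rules: source and target port are identical" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "redirect_rules: proto must be tcp or udp" >&2; return 1 ;;
    esac
    cat <<EOF
# 1. packets from other hosts: rewritten before routing, in nat PREROUTING
iptables -t nat -A PREROUTING -p $proto --dport $from -j REDIRECT --to-ports $to
# 2. packets this host sends to itself never pass PREROUTING; they go through
#    nat OUTPUT, and for a local destination the output device is lo
iptables -t nat -A OUTPUT -o lo -p $proto --dport $from -j REDIRECT --to-ports $to
# 3. filter INPUT runs after NAT and sees port $to, so that is the port to allow
iptables -A INPUT -p $proto --dport $to -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Usage: sh redirect.sh 8080 80 | sudo sh     (read the output before piping it)
if [ $# -eq 2 ]; then
    redirect_rules "$1" "$2"
fi
```

The -o lo in rule 2 is what keeps the OUTPUT rule from hijacking connections to port 8080 on other machines: only packets routed to one of the host's own addresses leave via lo.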
Case 9: allow only the Windows workstation (192.168.15.1 in this lab) to SSH to 192.168.15.81; refuse everyone else
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -s 192.168.15.1 -d 192.168.15.81 --dport 22 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP --dport 22 -j DROP
Unlike the earlier cases the DROP here is limited to --dport 22, so other services on m01 stay reachable from everywhere.
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  161 10636 ACCEPT     tcp  --  *      *       192.168.15.1         192.168.15.81        tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination
VIII. Modules
Match extensions add matching capabilities to iptables and are loaded with -m.
-m: load the named module
1. Match several ports in one rule (multiport)
--dports: destination ports, separated by commas; a range is written with a colon. At most 15 ports per rule, where a range counts as two. --sports and --ports work the same way for the source port and for either port.
Example: expose 22, 80, 443 and every port from 30000 to 50000; refuse all other ports
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -m multiport --dports 22,80,443,30000:50000 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  113  7484 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443,30000:50000
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
2. Match a contiguous range of IP addresses (iprange)
--src-range from[-to]: source address range
--dst-range from[-to]: destination address range
Example: allow every address from 192.168.15.1 to 192.168.15.10 to connect to 192.168.15.81; refuse everything else
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -m iprange --src-range 192.168.15.1-192.168.15.10 -j ACCEPT
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  114  7524 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.15.1-192.168.15.10
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
iprange is a convenience for ranges that do not fall on a CIDR boundary; like every source-address match it can be fooled by a spoofed source, so it restricts exposure but does not authenticate the client.
3. Match a string in the packet payload (string)
--string pattern: the string to look for
--algo {bm|kmp}: the search algorithm (Boyer-Moore or Knuth-Morris-Pratt; either works, bm is usually the faster choice)
Example: packets whose payload contains HelloWorld must not get through
[root@m01 ~]# cd /usr/share/nginx/html/
[root@m01 html]# echo "HelloWorld" >> index.html
[root@m01 html]# echo "Hello" >> demo.html
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -m string --string "HelloWorld" --algo kmp -j DROP
Two caveats. The match inspects the bytes of each packet on its own, so a string split across two TCP segments is missed, and it sees nothing inside TLS. And chain placement matters: a rule in INPUT examines requests arriving at m01, not the responses it sends, so a client fetching index.html (whose request line contains only "GET /index.html") is unaffected; to stop the HelloWorld page from being served, the same match has to sit in OUTPUT. Because the action is DROP, the client does not get an error but a stalled connection while TCP keeps retransmitting the discarded segment.
4. Match by time of day (time); times are interpreted as UTC unless --kerneltz is given
--timestart hh:mm[:ss]   # start of the window
--timestop hh:mm[:ss]    # end of the window
--monthdays day[,day...] # days of the month
--weekdays day[,day...]  # days of the week (Mon,Tue,... or 1-7)
Example: refuse access every day between 12:00 and 13:00 local time
The lab host runs on China Standard Time (UTC+8), so the 12:00-13:00 window has to be written as 04:00-05:00; the listing confirms the kernel treats the values as UTC. With --kerneltz the rule can be written as 12:00-13:00 in the kernel's local time zone instead.
[root@m01 ~]# iptables -t filter -A INPUT -p TCP -m time --timestart 4:00 --timestop 5:00 -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 67 packets, 4588 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 04:00:00 to 05:00:00 UTC

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 39 packets, 3500 bytes)
 pkts bytes target     prot opt in     out     source               destination
5. icmp match
--icmp-type {type[/code]|typename}
echo-request (8): ping request
echo-reply (0): ping reply
Example: block ping. The rule below drops incoming echo-requests, so other hosts can no longer ping m01. m01 itself can still ping others: its outgoing requests leave through OUTPUT, and the echo-replies that come back are type 0, which the rule does not match. To stop m01 pinging out as well, add the same echo-request rule to OUTPUT.
[root@m01 ~]# iptables -t filter -A INPUT -p ICMP -m icmp --icmp-type "echo-request" -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 35 packets, 2336 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination
6. Limit the number of concurrent connections (connlimit)
--connlimit-upto n   # match if the number of existing connections is n or fewer
--connlimit-above n  # match if the number of existing connections is greater than n
Connections are counted per source address by default (--connlimit-mask 32, shown as "src/32" in the listing); a shorter mask such as --connlimit-mask 24 counts a whole /24 together.
Example: allow at most 2 SSH connections from any one client
[root@m01 ~]# iptables -t filter -A INPUT -p TCP --dport 22 -m connlimit --connlimit-above 2 -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 40 packets, 2640 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 #conn src/32 > 2

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 21 packets, 1948 bytes)
 pkts bytes target     prot opt in     out     source               destination
7. Rate-limit packets per second, minute, hour or day (limit)
--limit rate[/second|/minute|/hour|/day]  # average number of packets allowed
--limit-burst number                      # size of the initial burst before the average applies (default 5)
Example: throttle outbound transfer to roughly 500 KB/s
[root@m01 ~]# dd if=/dev/zero of=1.txt bs=100M count=30    # create a test file
[root@m01 ~]# scp 1.txt root@192.168.15.71:/root           # transfer it to the other host
[root@m01 ~]# iptables -t filter -A OUTPUT -p TCP -m limit --limit 333/s -j ACCEPT
[root@m01 ~]# iptables -t filter -A OUTPUT -p TCP -j DROP
[root@m01 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 1924 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  4848 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 333/sec burst 5
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
limit counts packets, not bytes: 333 packets per second of MTU-sized (1500-byte) segments is about 500 KB/s, which is where the 333/s comes from. The throttle is crude, since every surplus segment is DROPped and TCP has to detect the loss and retransmit, and it is global: the single bucket is shared by every TCP flow leaving m01, including the SSH session you are typing in. Per-source or per-destination limits are what the hashlimit match is for.
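The script below is an added example, not code from the original notes, and serves sections 6 and 7 together: it turns the byte budget of the limit example into a packet rate, and builds a per-client guard for SSH that combines connlimit (concurrent sessions per source) with hashlimit (rate of new connections per source), which is the per-source limit the plain limit match cannot give. The port, the thresholds and the hashlimit table name ssh-new are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: per-client protection for SSH
# that combines connlimit (concurrent sessions per source) with hashlimit
# (rate of NEW connections per source). The page's plain limit match keeps one
# bucket for the whole rule, so a single noisy client exhausts it for everyone;
# hashlimit keeps one bucket per source address. Port, limits and the table
# name are assumptions, not values from the page.

# limit/hashlimit count packets, not bytes. Given a byte budget and a packet
# size this returns the packet rate to put in the rule: 500000/1500 -> 333,
# which is where the page's --limit 333/s comes from.
bytes_to_pps() {
    bytes="$1"; pkt="${2:-1500}"
    case "$bytes" in ''|*[!0-9]*) return 1 ;; esac
    case "$pkt" in ''|*[!0-9]*|0) return 1 ;; esac
    echo $(( $bytes / $pkt ))
}

# ssh_guard_rules [PORT] [MAX_SESSIONS] [NEW_RATE] -> rules in iptables-save
# line format, meant to go before the rest of INPUT. Order matters:
#   1. packets of already accepted sessions pass, so a throttled client's
#      existing shell keeps working;
#   2. more than MAX_SESSIONS open connections from one /32: reset the new one
#      (REJECT with tcp-reset, so the client fails fast instead of hanging);
#   3. more than NEW_RATE new connections per source: silently drop, which is
#      what slows a password-guessing loop down;
#   4. otherwise accept the new connection.
ssh_guard_rules() {
    port="${1:-22}"; max_sessions="${2:-2}"; rate="${3:-3/min}"
    cat <<EOF
-A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m connlimit --connlimit-above $max_sessions --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh-new --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst 3 -j DROP
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Print the rules; apply with:  sh ssh_guard.sh | sed 's/^/iptables /' | sudo sh
ssh_guard_rules "$@"
```

Keeping the ESTABLISHED rule first is what makes the guard safe to install over an existing SSH session, and matching only NEW connections in the connlimit and hashlimit rules keeps the counters from being charged for every packet of a legitimate session.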