iptables
Rule operations
-A append a rule
-D delete a rule
-R replace a rule
-I insert a rule
-L list rules
-F flush rules
Common parameters:
-p protocol
-s source address
-d destination address
--sport source port
--dport destination port
-i inbound interface
-o outbound interface
Targets (actions):
DROP discard the packet silently
ACCEPT accept the packet
REJECT reject the packet (an error is sent back to the sender)
Example
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@liutao ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@liutao ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@liutao ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ICMP defence rules
[root@liutao ~]# iptables -A INPUT -m conntrack -p icmp --icmp-type 3 --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
[root@liutao ~]# iptables -A INPUT -m conntrack -p icmp --icmp-type 11 --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
[root@liutao ~]# iptables -A INPUT -m conntrack -p icmp --icmp-type 12 --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
[root@liutao ~]# iptables -P INPUT DROP
[root@liutao ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED icmp parameter-problem

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Rule explanation
-m conntrack loads the conntrack match so that packets can be filtered by connection-tracking state; in these rules, packets belonging to existing connections (ESTABLISHED, RELATED) are allowed, and so are new ones (NEW)
-p icmp selects the ICMP protocol
--icmp-type allows only the listed ICMP message types
ICMP message types
type 3 (destination-unreachable)
type 11 (time-exceeded)
type 12 (parameter-problem)
type 0 and type 8 (echo-reply and echo-request, i.e. ping)
type 5 (redirect)
The three rules above on their own do not prevent attacks: the INPUT chain's default policy is still ACCEPT, so every packet that matches none of them is let through anyway
So once the permitted traffic has been defined, all packets not explicitly allowed can be blocked, turning the rule set from a blacklist into a more secure whitelist
iptables -P INPUT DROP
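The rules above are typed one at a time, and the INPUT policy only becomes DROP at the very end; as written, the set also has no general ESTABLISHED,RELATED rule, so replies to the host's own outbound connections are dropped once the policy changes. The script below is an added example, not part of the original notes: it emits the same whitelist (SSH on tcp/22, ICMP types 3, 11 and 12, INPUT policy DROP) as an iptables-restore file so the whole policy is loaded atomically, and adds loopback and ESTABLISHED,RELATED accept rules, which are assumptions of this example rather than rules from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): build the whitelist as an
# iptables-restore file. iptables-restore loads the whole file or none of it,
# so the default policy and the accept rules take effect together instead of
# one command at a time.
# Assumptions: SSH on tcp/22 and the three ICMP types from the notes; the
# loopback and ESTABLISHED,RELATED rules are additions to the notes' sequence.

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reply traffic for connections this host already has (addition to the notes)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback traffic (addition to the notes)
-A INPUT -i lo -j ACCEPT
# The notes' rules: SSH plus ICMP types 3, 11 and 12
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack -p icmp --icmp-type 3 --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack -p icmp --icmp-type 11 --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack -p icmp --icmp-type 12 --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of ICMP accept rules in the generated file (self-check before applying).
count_icmp_rules() {
    build_ruleset | grep -c -- '-p icmp'
}

# Default policy of a chain as written in the generated file, e.g. "DROP".
chain_policy() {
    build_ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Apply atomically. Refuses to run without root so the file can be sourced
# and inspected safely; nothing here runs at load time.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    build_ruleset | iptables-restore
}

# Usage:
#   sh -c '. ./ruleset.sh; build_ruleset'            # review the generated file
#   sudo sh -c '. ./ruleset.sh; apply_ruleset'       # load it in one step
```

Review the generated file before loading it; the policy line `:INPUT DROP` is what turns the set into a whitelist, and the ESTABLISHED,RELATED rule placed first is what keeps that change from cutting off the SSH session used to apply it.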