1. Adding iptables whitelist rules
##############
# Allow lo, PING, and all connections initiated from inside
##############
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# The next three rules accept every port from any RFC 1918 source
iptables -A INPUT -j ACCEPT -s 10.0.0.0/8
iptables -A INPUT -j ACCEPT -s 172.16.0.0/12
iptables -A INPUT -j ACCEPT -s 192.168.0.0/16
2. Adding a rule: block all IPs from reaching port 8075
[root@zabbix_server ~]# iptables -I INPUT -p tcp --dport 8075 -j DROP
Test with telnet
[root@zabbix_server ~]# telnet 127.0.0.1 8075
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection timed out
3. Deleting a rule:
1) Look up the rule number
[root@zabbix_server ~]# iptables --line -nvL INPUT
Chain INPUT (policy DROP 83 packets, 4016 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   408 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8075
2     144M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     4037  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25601
5     4085  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
6    22638 1169K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
7     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9000
8     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10050
9    76134 4093K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10051
The rule blocking access to 8075 is number 1.
2) Delete the rule with that number
[root@zabbix_server ~]# iptables -D INPUT 1
Query again
[root@zabbix_server ~]# iptables --line -nvL INPUT
Chain INPUT (policy DROP 20 packets, 961 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     144M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     4038  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25601
4     4087  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
5    22644 1169K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
6     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9000
7     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10050
8    76156 4094K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10051
9       44  2208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dp
The rule is gone; test with telnet again
[root@zabbix_server ~]# telnet 127.0.0.1 8075
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
4. Allowing only specific IPs to reach port 8075
1) Add a rule: block all IPs from reaching 8075
[root@zabbix_server ~]# iptables -I INPUT -p tcp --dport 8075 -j DROP
[root@zabbix_server ~]# iptables --line -nvL INPUT
Chain INPUT (policy DROP 3 packets, 156 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8075
2     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     4038  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25601
5     4090  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
6    22650 1169K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
7     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9000
8     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10050
9    76183 4095K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10051
10      44  2208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3000
11       7   284 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:5672
12       2    80 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dp
2) Add a rule: allow 127.0.0.1 to reach 8075
[root@zabbix_server ~]# iptables -I INPUT -s 127.0.0.1 -p tcp --dport 8075 -j ACCEPT
3) Query the rules:
[root@zabbix_server ~]# iptables --line -nvL INPUT
Chain INPUT (policy DROP 20 packets, 1004 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:8075
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8075
3     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4     4039  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25601
6     4096  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
7    22660 1170K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
8     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9000
9     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10050
The rule is in place; test
[root@zabbix_server ~]# telnet 127.0.0.1 8075
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
The local host can reach 8075; other machines cannot:
[root@localhost etc]# telnet 172.28.18.75 8075
Trying 172.28.18.75...
telnet: connect to address 172.28.18.75: Connection timed out
4) Allow 172.28.18.71 to reach 8075 (172.28.18.71 is the server that needs access to 8075)
[root@zabbix_server ~]# iptables -I INPUT -s 172.28.18.71 -p tcp --dport 8075 -j ACCEPT
Check the rules
[root@zabbix_server ~]# iptables --line -nvL INPUT
Chain INPUT (policy DROP 9 packets, 456 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       172.28.18.71         0.0.0.0/0            tcp dpt:8075
2        3   132 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:8075
3        7   420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8075
4     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5     4040  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
6        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25601
7     4100  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
8    22674 1171K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
Test telnet to 8075 from 172.28.18.71
[root@localhost etc]# telnet 172.28.18.75 8075
Trying 172.28.18.75...
Connected to 172.28.18.75.
Escape character is '^]'.
Access succeeds.
Save the rules
iptables-save > /etc/iptables.rules
Load the rules
iptables-restore < /etc/iptables.rules
Or
[root@zabbix_server ~]# service iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:[确定]
Restart the service
[root@zabbix_server ~]# service iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:[确定]
[root@zabbix_server ~]# service iptables restart
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则:[确定]
iptables:正在卸载模块:[确定]
iptables:应用防火墙规则:[确定]
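The two manual steps above, reading the `iptables --line -nvL INPUT` listing to find a rule's number (section 3) and checking that the source-specific ACCEPT rules sit above the catch-all DROP (section 4), can be done by script. The helpers below are an added example, not code from the original post: the function names, the IPT override variable and the sample listing (constructed in the same column layout as the listings above) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the output of
# `iptables --line -nvL INPUT` so rules can be located by port rather than by
# reading the listing by eye. IPT is an assumed hook for substituting the
# binary (e.g. IPT=echo to see what would run).
IPT="${IPT:-iptables}"

# Constructed sample listing (same layout as the post's output): the -v
# columns are num pkts bytes target prot opt in out source destination,
# followed by the match text. Used here so the helpers can be tried offline.
SAMPLE_LISTING='Chain INPUT (policy DROP 20 packets, 1004 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:8075
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8075
3     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4     4039  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5     4096  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80'

# rule_num LISTING TARGET PORT [SOURCE] -> prints the "num" of the first rule
# whose target, "dpt:PORT" match text and (if given) source column all match;
# prints nothing when no rule matches. Only lines starting with a number are
# rules; the "Chain" and header lines are skipped.
rule_num() {
    printf '%s\n' "$1" | awk -v target="$2" -v port="$3" -v src="${4:-}" '
        BEGIN { want = "dpt:" port }
        $1 ~ /^[0-9]+$/ && $4 == target && (src == "" || $9 == src) {
            for (i = 11; i <= NF; i++)
                if ($i == want) { print $1; exit }
        }'
}

# accept_before_drop LISTING PORT SOURCE -> succeeds only when the listing has
# an ACCEPT for SOURCE on PORT above the catch-all DROP for PORT. Because -I
# puts every new rule at the top, the order depends on which was added last,
# so it is worth checking rather than assuming.
accept_before_drop() {
    a=$(rule_num "$1" ACCEPT "$2" "$3")
    d=$(rule_num "$1" DROP "$2")
    [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# delete_drop_for_port PORT -> re-reads the live chain immediately before
# deleting, because rule numbers shift whenever a rule above is removed.
delete_drop_for_port() {
    n=$(rule_num "$($IPT --line -nvL INPUT)" DROP "$1")
    [ -n "$n" ] || { echo "no DROP rule for dpt:$1 in INPUT" >&2; return 1; }
    $IPT -D INPUT "$n"
}
```

Deleting by number is what the post does; when a script deletes rules, deleting by specification (`iptables -D INPUT -p tcp --dport 8075 -j DROP`) avoids the renumbering problem entirely, since iptables removes the first rule matching that exact specification.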
5. Allowing a specific IP to reach a port range (8000-9000)
[root@zabbix_server ~]# iptables -I INPUT -s 172.28.18.71 -p tcp --dport 8000:9000 -j ACCEPT
6. Allowing a specific IP to reach a list of ports (22,80,3306,6672,9000); at most 15 ports can be given per rule
[root@zabbix_server ~]# iptables -I INPUT -s 172.28.18.71 -p tcp -m multiport --dports 22,80,3306,6672,9000 -j ACCEPT
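Sections 4 to 6 are one procedure: insert a catch-all DROP for the port(s), then insert an ACCEPT per trusted source so that the ACCEPTs land above the DROP. The script below is an added example, not code from the original post, that generalizes it to a single port, a port range or a multiport list, enforces the 15-port limit, and inserts each rule only if it is not already present. The function names and the IPT override variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a per-port whitelist on
# the INPUT chain: one catch-all DROP for the port spec, with ACCEPT rules for
# the listed source addresses inserted above it. IPT is an assumed hook for
# substituting the binary.
IPT="${IPT:-iptables}"

# port_match PORTSPEC -> prints the iptables match for a single port (8075),
# a range (8000:9000) or a comma-separated list (22,80,3306). The multiport
# match accepts at most 15 ports per rule, so longer lists are refused.
port_match() {
    case "$1" in
        *,*)
            n=$(printf '%s\n' "$1" | awk -F, '{ print NF }')
            [ "$n" -le 15 ] || { echo "too many ports ($n > 15) in one rule" >&2; return 1; }
            printf '%s\n' "-p tcp -m multiport --dports $1" ;;
        *)
            printf '%s\n' "-p tcp --dport $1" ;;
    esac
}

# whitelist_rules PORTSPEC SRC... -> prints one rule spec per line, in the
# order they must be inserted with -I: the DROP first, then each ACCEPT, so
# every ACCEPT ends up above the DROP in the chain.
whitelist_rules() {
    match=$(port_match "$1") || return 1
    shift
    printf '%s\n' "$match -j DROP"
    for src in "$@"; do
        printf '%s\n' "-s $src $match -j ACCEPT"
    done
}

# apply_whitelist PORTSPEC SRC... -> inserts each rule only when `iptables -C`
# reports it absent (non-zero exit), so re-running the script does not
# duplicate rules. Validates the port spec before touching the chain.
apply_whitelist() {
    whitelist_rules "$@" >/dev/null || return 1
    whitelist_rules "$@" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # splitting $spec into words is intended
        $IPT -C INPUT $spec 2>/dev/null || $IPT -I INPUT $spec
    done
}
```

Run as root, `apply_whitelist 8075 127.0.0.1 172.28.18.71` reproduces the chain shown in section 4; `apply_whitelist 8000:9000 172.28.18.71` and `apply_whitelist 22,80,3306,6672,9000 172.28.18.71` cover sections 5 and 6. Unlike the post's `-I` commands, it can be re-run after an `iptables-restore` without stacking duplicate rules.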
7. The difference between DROP and REJECT in iptables
DROP
Function: discards the packet outright and sends no response to the sender.
Effect: from the sender's point of view the request appears to be "ignored"; there is no feedback at all.
telnet gets no response
[hlcti@localip ~]$ telnet 172.28.17.156 9500
Trying 172.28.17.156...
Applicable scenarios:
Added security: the attacker cannot tell whether the port is open.
Defeats port scans: the port appears "invisible" to the other side.
Saves bandwidth: no rejection response has to be sent.
REJECT
Function: rejects the packet and sends a rejection response (such as an ICMP error message) back to the sender.
Effect: the sender receives an explicit "rejected" signal.
telnet is told the connection was refused
[hlcti@localip ~]$ telnet 172.28.17.156 9500
Trying 172.28.17.156...
telnet: connect to address 172.28.17.156: Connection refused
Applicable scenarios: