Iptables-主机防火墙设置

Posted 2021-01-03 yanshicheng

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了Iptables-主机防火墙设置相关的知识，希望对你有一定的参考价值。

基于Iptables构建主机防火墙

Iptables优点：数据包过滤机制，它会对数据包包头数据进行分析。

1.1.1 加载相关薄块到内核

[[email protected] ~]# lsmod | egrep "nat|filter"
iptable_filter         12810  0 
ip_tables              27126  1 iptable_filter
[[email protected] ~]# modprobe ip_tables
[[email protected] ~]# modprobe iptable_filter
[[email protected] ~]# modprobe iptable_nat
[[email protected] ~]# modprobe ip_conntrack
[[email protected] ~]# modprobe ip_conntrack_ftp
[[email protected] ~]# modprobe ip_nat_ftp
[[email protected] ~]# modprobe ipt_state
[[email protected] ~]# lsmod | egrep "nat|filter"
nf_nat_ftp             12770  0 
nf_conntrack_ftp       18638  1 nf_nat_ftp
iptable_nat            12875  0 
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack          133053  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter         12810  0 
ip_tables              27126  2 iptable_filter,iptable_nat
libcrc32c              12644  3 xfs,nf_nat,nf_conntrack

1.1.2 清空防火墙规则

[[email protected] ~]# iptables -F 
[[email protected] ~]# iptables -X 
[[email protected] ~]# iptables -Z

1.1.3 允许ssh端口通信，本机lo通信

[[email protected] ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
[[email protected] ~]# iptables -t filter -A INPUT -p tcp -s 192.168.10.1/24 -j ACCEPT 
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

[[email protected] ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
[[email protected] ~]# iptables -t filter -A OUTPUT -o lo -j ACCEPT
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

1.1.4 修改默认规则

[[email protected] ~]# iptables -P INPUT DROP
[[email protected] ~]# iptables -P FORWARD DROP
[[email protected] ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

1.1.5 配置允许网络地址段，如办公网络，对外开放端口80/443等

[[email protected] ~]# iptables -t filter -A INPUT -s 124.56.56.77/24 -p all -j ACCEPT
[[email protected] ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  124.56.56.0/24       0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0  
#设置对外提供服务开放端口
[[email protected] ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[[email protected] ~]# iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
[[email protected] ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[[email protected] ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

1.1.6 允许关联数据包通过

#允许关联的包通过例如：FTP
[[email protected] ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[[email protected] ~]# iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

1.1.7 保存规则

service iptables save

1.1.8 检查保存的防火墙规则

[[email protected] ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sat Sep  1 14:07:33 2018
*nat
:PREROUTING ACCEPT [16080:2838916]
:INPUT ACCEPT [13058:2471258]
:OUTPUT ACCEPT [45190:2717272]
:POSTROUTING ACCEPT [45190:2717272]
COMMIT
# Completed on Sat Sep  1 14:07:33 2018
# Generated by iptables-save v1.4.21 on Sat Sep  1 14:07:33 2018
*filter
:INPUT DROP [736:92755]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:228]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 124.56.56.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Sep  1 14:07:33 2018

以上是关于Iptables-主机防火墙设置的主要内容，如果未能解决你的问题，请参考以下文章

Iptables - 基础概念

iptables防火墙设置实例

linux中iptables防火墙怎么设置

使用iptables作为网络防火墙构建安全的网络环境

iptables 主机防火墙

iptables防火墙