Iptables: host firewall setup
Posted by yanshicheng
Building a host firewall with iptables
What iptables gives you: a packet-filtering mechanism that decides on each packet from its header fields (addresses, protocol, ports), the interface it arrives on and, through connection tracking, the state of the connection it belongs to.
1.1.1 Load the relevant modules into the kernel
# lsmod | egrep "nat|filter"
iptable_filter         12810  0
ip_tables              27126  1 iptable_filter
# modprobe ip_tables
# modprobe iptable_filter
# modprobe iptable_nat
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp
# modprobe ip_nat_ftp
# modprobe ipt_state
# lsmod | egrep "nat|filter"
nf_nat_ftp             12770  0
nf_conntrack_ftp       18638  1 nf_nat_ftp
iptable_nat            12875  0
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack          133053  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter         12810  0
ip_tables              27126  2 iptable_filter,iptable_nat
libcrc32c              12644  3 xfs,nf_nat,nf_conntrack
The names ip_conntrack, ip_conntrack_ftp, ip_nat_ftp and ipt_state are legacy aliases; what actually gets loaded is nf_conntrack, nf_conntrack_ftp, nf_nat_ftp and xt_state, as the second lsmod shows. The core table and match modules are loaded automatically the first time a rule references them, so the part of this step that matters is the FTP helper pair (nf_conntrack_ftp, nf_nat_ftp), which no rule pulls in by itself. Since kernel 4.7 automatic helper assignment is off by default (the sysctl was removed in 6.0), so on newer kernels loading the helper is not enough: it must be attached to port-21 connections explicitly with the CT target's helper option in the raw table.
1.1.2 Flush the existing rules
# iptables -F
# iptables -X
# iptables -Z
-F deletes all rules, -X deletes user-defined chains and -Z zeroes the packet and byte counters; without -t each of them acts on the filter table only. None of them touches the default policies, so if INPUT were already DROP this would lock out a remote session. Run this while the policies are still ACCEPT (as here), or set them to ACCEPT first.
1.1.3 Allow SSH and loopback traffic
# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -t filter -A INPUT -p tcp -s 192.168.10.1/24 -j ACCEPT
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# iptables -t filter -A INPUT -i lo -j ACCEPT
# iptables -t filter -A OUTPUT -o lo -j ACCEPT
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Two things to notice in the listing: -s 192.168.10.1/24 is stored as the network 192.168.10.0/24 (the host bits are cleared), and that rule opens every TCP port to the whole network, not just SSH. The loopback rules show up as "ACCEPT all 0.0.0.0/0 0.0.0.0/0" because -nL does not print interfaces; use -nvL to see the -i lo / -o lo match. -t filter is the default table and can be omitted.
1.1.4 Change the default policies
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
The order matters: the SSH and loopback rules from 1.1.3 are already in place, so switching INPUT to DROP does not cut the session. Do it the other way round on a remote host and you are locked out. From this point until the ESTABLISHED,RELATED rule in 1.1.6 is added, replies to connections the host itself opens (DNS, package updates) are dropped too. OUTPUT stays ACCEPT, so outbound traffic is unrestricted; FORWARD DROP is the right default for a host that does not route.
1.1.5 Allow trusted networks (e.g. the office network) and open public ports such as 80/443
# iptables -t filter -A INPUT -s 124.56.56.77/24 -p all -j ACCEPT
# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  124.56.56.0/24       0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Open the ports of the services offered to everyone:
# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Again 124.56.56.77/24 is stored as 124.56.56.0/24, and -p all admits every protocol and port from that network; keep such a rule as narrow as the office network allows. The two ICMP rules overlap: "--icmp-type any" lets every ICMP type in and makes the echo-request (type 8) rule redundant. If the goal is only that the host answers ping, keep the type-8 rule alone; ICMP errors belonging to the host's own connections are covered by the RELATED match in the next step. (The saved ruleset in 1.1.8 contains only the type-8 rule.)
1.1.6 Allow established and related traffic
Allow packets that belong to, or are related to, an existing connection (e.g. the FTP data connection):
# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ESTABLISHED matches packets of connections the firewall has already seen in both directions, including replies to connections the host opened itself; RELATED matches new connections that a conntrack helper ties to an existing one, such as the FTP data connection (this is what nf_conntrack_ftp from 1.1.1 is for) and ICMP error messages. Appended here, the rule is evaluated after all the port rules; it works, but it is normally placed first because it matches most packets. -m state is a legacy alias of -m conntrack --ctstate and newer iptables-save output writes it that way. The OUTPUT rule is redundant while the OUTPUT policy is ACCEPT.
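Applying steps 1.1.2 to 1.1.6 one -A at a time leaves a window in which the host is half-configured, and between 1.1.4 and 1.1.6 it cannot even receive replies to its own connections. The script below is an added example, not code from the original post: it writes the same ruleset as a single iptables-restore file, with loopback and the stateful accept first and INPUT/FORWARD defaulting to DROP, and loads it atomically with an automatic rollback in case the SSH session is lost. The addresses and ports are the page's; the variable and function names (TRUSTED_NETS, build_ruleset, apply_ruleset, ROLLBACK_SECS) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build the host firewall
# described on this page as ONE iptables-restore file and load it atomically.
# Appending rules one by one with -A leaves the host half-configured between
# commands; iptables-restore validates the whole ruleset and swaps it in at once.
# Addresses and ports come from the page; function and variable names are this
# example's own. Apply and rollback need root and only run with --apply.
set -eu

SSH_PORT=22
TRUSTED_NETS="192.168.10.0/24 124.56.56.0/24"   # management / office networks
SERVICE_PORTS="80 443"                           # ports open to everyone
ROLLBACK_SECS=120                                # lock-out safety net

# build_ruleset: print the filter table in iptables-save syntax.
# Order matters: loopback and RELATED,ESTABLISHED first (they match most
# packets), then drop INVALID, then the explicit NEW allows. INPUT and FORWARD
# default to DROP; OUTPUT stays ACCEPT as on the page. Only *filter is written,
# so iptables-restore leaves the nat table untouched.
build_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        "-A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    for net in $TRUSTED_NETS; do
        printf '%s\n' "-A INPUT -s $net -m state --state NEW -j ACCEPT"
    done
    for port in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Echo-request only: replies to this host's own pings and ICMP errors are
    # already covered by RELATED,ESTABLISHED, so "--icmp-type any" is not needed.
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT' 'COMMIT'
}

# apply_ruleset: back up the live rules, syntax-check the new file, load it,
# and schedule an automatic restore of the backup in case SSH is cut off.
apply_ruleset() {
    backup=$(mktemp) && rules=$(mktemp)
    iptables-save > "$backup"
    build_ruleset > "$rules"
    iptables-restore --test < "$rules"          # parse only, nothing committed
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
    rollback_pid=$!
    iptables-restore < "$rules"
    rm -f "$rules"
    echo "Rules loaded. If SSH still works, cancel the rollback: kill $rollback_pid"
    echo "Then persist them: iptables-save > /etc/sysconfig/iptables (or: service iptables save)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    build_ruleset        # dry run: print the ruleset that would be loaded
fi
```

Without arguments the script only prints the ruleset, which is what to review before running it with --apply as root; the backup file is left in place until you have confirmed the new rules and killed the rollback job.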
1.1.7 Save the rules
# service iptables save
This writes the live ruleset to /etc/sysconfig/iptables so it is reloaded at boot. On CentOS/RHEL 7 the command comes from the iptables-services package (firewalld must be disabled); the distribution-neutral equivalent is redirecting iptables-save to that file yourself.
1.1.8 Check the saved rules
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sat Sep  1 14:07:33 2018
*nat
:PREROUTING ACCEPT [16080:2838916]
:INPUT ACCEPT [13058:2471258]
:OUTPUT ACCEPT [45190:2717272]
:POSTROUTING ACCEPT [45190:2717272]
COMMIT
# Completed on Sat Sep  1 14:07:33 2018
# Generated by iptables-save v1.4.21 on Sat Sep  1 14:07:33 2018
*filter
:INPUT DROP [736:92755]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:228]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 124.56.56.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Sep  1 14:07:33 2018
The file is in iptables-save format: one block per table, each ending in COMMIT. The nat table appears because iptable_nat was loaded in 1.1.1; it has ACCEPT policies and no rules. The counters on the policy lines are packets:bytes that fell through to the default policy, so [736:92755] on INPUT is traffic that was dropped. Note that the "--icmp-type any" rule from 1.1.5 is not in the saved file; only the echo-request rule is.
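Reading the saved file by eye is how the post checks its work. The script below is an added example, not code from the original post: it checks an iptables-save file mechanically for the properties this firewall is meant to have (DROP policies, loopback, stateful accept, an SSH rule before lock-out) and warns about rules that are broader than they look. It is run against the filter table exactly as saved above and against a constructed weak ruleset; filter_section, has_rule, check_ruleset, page_ruleset and weak_ruleset are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a saved ruleset
# (iptables-save format, e.g. /etc/sysconfig/iptables) for the properties the
# firewall on this page is meant to have, and flag rules broader than they look.
# page_ruleset is the filter table as saved in the post; weak_ruleset is a
# constructed counter-example. Function names are this example's own.
set -eu

# filter_section FILE: print only the *filter table (policy and rule lines).
filter_section() {
    awk '/^\*filter$/ {on=1; next} /^COMMIT$/ {on=0} on' "$1"
}

# has_rule FILE EREGEX: succeed if any *filter line matches the regex.
has_rule() {
    filter_section "$1" | grep -Eq -- "$2"
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_ruleset FILE: print FAIL/WARN findings; return 0 only when no FAIL.
check_ruleset() {
    f=$1; fails=0
    has_rule "$f" '^:INPUT DROP '   || fail "INPUT policy is not DROP"
    has_rule "$f" '^:FORWARD DROP ' || fail "FORWARD policy is not DROP"
    has_rule "$f" '^-A INPUT -i lo -j ACCEPT$' || fail "loopback traffic is not accepted"
    # Accept both spellings: -m state --state (older saves) and -m conntrack --ctstate
    has_rule "$f" '^-A INPUT .*--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' \
        || fail "no stateful accept on INPUT; return traffic will be dropped"
    has_rule "$f" '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT$' \
        || fail "no SSH allow rule; with INPUT DROP remote admins are locked out"

    # Broader-than-intended rules: every protocol and port from a source
    # network, and all ICMP types instead of just echo-request.
    has_rule "$f" '^-A INPUT -s [0-9./]+ -j ACCEPT$' \
        && echo "WARN: source-only ACCEPT opens every protocol and port to that network"
    has_rule "$f" '--icmp-type any' \
        && echo "WARN: --icmp-type any accepts all ICMP types, not just echo-request"

    # Position of the stateful accept among the INPUT rules (1 = first).
    pos=$(filter_section "$f" | awk '/^-A INPUT /{n++}
        /^-A INPUT .*(RELATED,ESTABLISHED|ESTABLISHED,RELATED)/{print n; exit}')
    if [ -n "$pos" ] && [ "$pos" -gt 1 ]; then
        echo "WARN: stateful accept is INPUT rule #$pos; placed first it spares every established packet the port checks"
    fi
    [ "$fails" -eq 0 ]
}

# page_ruleset: the filter table exactly as saved in the post.
page_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [736:92755]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:228]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 124.56.56.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# weak_ruleset: constructed example with the usual mistakes (ACCEPT policies,
# no loopback rule, no stateful accept).
weak_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Usage: check_saved_rules.sh [FILE]; without FILE the page's ruleset is checked.
if [ -n "${1:-}" ]; then
    check_ruleset "$1"
else
    tmp=$(mktemp); page_ruleset > "$tmp"
    check_ruleset "$tmp" && rm -f "$tmp"
fi
```

Run against the page's saved file it reports no FAIL, but two WARN lines: the source-only ACCEPT for 124.56.56.0/24 and the stateful accept sitting at position 8. Point it at /etc/sysconfig/iptables after each change to catch a lock-out or an accidentally widened rule before rebooting into it.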