3.22 Lecture notes for 10.15-10.18
iptables syntax
[[email protected] ~]# iptables -nvl    view the default iptables rules (typo: the -l must be an uppercase -L, hence the error below)
iptables v1.4.21: unknown option "-nvl"
Try `iptables -h' or 'iptables --help' for more information.
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2947 230K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
34 5641 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2151 packets, 318K bytes)
pkts bytes target prot opt in out source destination
Default location where the iptables rules are saved:
[[email protected] ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[[email protected] ~]# iptables -F    flush all rules
[[email protected] ~]# service iptables save    save the current rules to the configuration file
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[[email protected] ~]#
Unless the rules are saved, restarting the service restores the default configuration;
rules that were just modified only take effect in memory (the currently loaded rule set).
[[email protected] ~]# iptables -t filter -nvL    -t selects the table to operate on
Chain INPUT (policy ACCEPT 172 packets, 12679 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 102 packets, 9696 bytes)
pkts bytes target prot opt in out source destination
[[email protected] ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[[email protected] ~]# iptables -Z    zero the packet and byte counters of the rules
[[email protected] ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
-A: add, append a rule
INPUT: operate on the INPUT chain
-s specify the source IP
-p specify the protocol (tcp, udp, ...)
--sport source port
-d destination IP
--dport destination port
-j specify the action to take
DROP discards the packet (REJECT refuses it): DROP silently discards the packet without sending anything back to the sender; REJECT also discards the packet but sends the sender an error reply (the icmp-host-prohibited seen in the default rules above)
[[email protected] ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 47 packets, 3468 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 34 packets, 3648 bytes)
pkts bytes target prot opt in out source destination
The difference between -I and -A: -I is like cutting in line, it inserts the rule at the very front of the chain; -A appends the rule at the end of the chain. Rules are matched top to bottom and the first match wins, so a rule appended after a catch-all REJECT/DROP never matches.
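An added example (not part of the original notes) that makes the -I/-A ordering point checkable: it scans a ruleset in the /etc/sysconfig/iptables format shown above and reports rules that sit below an unconditional REJECT/DROP of the same chain. The sample ruleset, and the function names shadowed_rules and append_is_dead, are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in iptables-save format: the port 80 ACCEPT was appended
# with -A after the catch-all REJECT, so it can never match (rule 5 of INPUT).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Print "CHAIN:N" for every rule number N that comes after an unconditional
# terminating rule ("-A CHAIN -j DROP|REJECT", no match options) in CHAIN.
# Rule numbers match what "iptables -nvL --line-numbers" would show.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" {
            chain = $2
            n[chain]++
            if (blocked[chain]) { print chain ":" n[chain]; next }
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked[chain] = 1
        }'
}

# Exit 0 when appending (-A) one more rule to CHAIN would be dead code because
# the chain already contains an unconditional DROP/REJECT; use -I in that case.
# Usage: append_is_dead CHAIN "$ruleset_text"
append_is_dead() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { found = 1 }
        END { exit found ? 0 : 1 }'
}

shadowed_rules "$SAMPLE_RULES"    # prints INPUT:5
if append_is_dead INPUT "$SAMPLE_RULES"; then
    echo "INPUT already ends in a catch-all: insert new rules with -I, not -A"
fi
```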
[[email protected] ~]# iptables -D INPUT -p tcp --dport 80 -j DROP    delete a rule
[[email protected] ~]# iptables -nvL --line-number    list rules with line numbers so a rule can be deleted by its number
Chain INPUT (policy ACCEPT 53 packets, 3921 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 34 packets, 2932 bytes)
num pkts bytes target prot opt in out source destination
[[email protected] ~]# iptables -D INPUT 1
[[email protected] ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
num pkts bytes target prot opt in out source destination
[[email protected] ~]#
[[email protected] ~]# iptables -P OUTPUT DROP    set the default policy of the OUTPUT chain to DROP
Small iptables filter example
-t specifies the table; without -t the filter table is used by default
-P defines the default policy