linux's docs

18.4.0: 防火墙-iptables


1. 工具:iptables

简介:
linux防火墙主要分为两种,TCP Wrapper(根据程序管控)和netfilter(根据封包过滤),其中netfilter机制下的工具既为iptables,是通过直接分析封包表头资料来打过过滤的效果。
作用:ipv4过滤和network address translation的管理工具
语法:
iptables [-t table][-A|-I|-D] chaintype [-p protocol] [-s sourceIP] [--dport port number] -j 规则 iptables [-t table] {-A|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]

参数:

  • -nvL 查看表规则,n为Numeric数字格式输出,v为Verbose冗长格式输出,L为list当前表规则
  • -t table指定表,默认filter表
  • -F flush清空规则
  • -Z zero清空计数器
  • -I insert插入一条规则
  • -A append增加一条规则
  • -D delete删除指定的规则
  • -p protocol指定协议TCP\UDP\ICMP等
  • -P policy默认策略 accpet或drop
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
  • -s 源ip
  • --dport 端口号
  • --line-numbers 查看规则行号

iptables服务相关操作:

  • 服务
    service iptables restart
    service iptables save(保存到/etc/sysconfig/iptables)
  • 备份及恢复
    iptables-save > filename
    iptables-restore < filename

table与chain:
4表5链(优先级,raw>mangle>nat>filter)
raw-将访问的包不做跟踪,主要用来处理大量连接的情况,避免ip_conntrack出现表满报错的情况

  • chains
    PREROUTING
    OUTPUT
    mangle-This table is used for specialized packet alteration.
  • chains
    INPUT
    FORWARD
    POSTROUTING
    PREROUTING
    OUTPUT
    nat-This table is consulted when a packet that creates a newconnection is encountered.
  • chains
    PREROUTING
    OUTPUT
    POSTROUTING
    filter-管理本机封包进出的规则
  • chains
    INPUT
    FORWARD
    OUTPUT

用法举例:

## -A与-I增加规则的区别

# -A增加的是在最后
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:ssh

# -I 添加的规则在最上面
iptables -I INPUT -p tcp -s 172.16.0.0/24 --dport 22 -j ACCEPT
iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.16.0.0/24        anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

## 在同一个chain(INPUT)里规则排在上下的区别
# 规则的匹配是由上至下的;
# 匹配到了第一条满足的规则后即执行离开,不再匹配下面的规则
# INPUT<--data content
#     |
# ----------
# RULE 1 -- 执行 1   
# ...
# RULE 2 --执行 2
# ...
# RULE 3 --执行 3
# ...
# ----------
# 假如你有两条规则,一条是全部接收,一条是全部抛弃,则在上面的生效

# -F清空规则
iptables -F
iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 2016 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 1696 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables配置文件,默认的规则
# 重启服务,配置文件中的配置会重新加载
service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination

# 查看配置文件规则
cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

# --line-numbers查看行号,然后根据规则行号操作规则
iptables --line-numbers -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      204 17168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5      345 32182 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 128 packets, 19904 bytes)
num   pkts bytes target     prot opt in     out     source               destination

# 指定行号 -Z清除其计数器
iptables -Z INPUT 1
iptables --line-numbers -nvL INPUT |grep 1
1      6 11704 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

# 指定行号 -D删除该规则
iptables -D INPUT 10

线上机器实践过程

# iptables文件并未存在,可能是因为线上机器从来没有开过iptables服务的原因
cd /etc/sysconfig/
ls iptables      

# 启动iptables服务,然后手工save规则
service iptables start
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

# 编辑配置文件来修改默认规则
vi iptables
**************************************
# Generated by iptables-save v1.4.7 on Wed Feb  4 03:41:46 2015
*raw
:PREROUTING ACCEPT [830056:419977881]
:OUTPUT ACCEPT [762900:149099657]
COMMIT
# Completed on Wed Feb  4 03:41:46 2015
# Generated by iptables-save v1.4.7 on Wed Feb  4 03:41:46 2015
*nat
:PREROUTING ACCEPT [35775:2152330]
:POSTROUTING ACCEPT [33531:2422620]
:OUTPUT ACCEPT [33531:2422620]
COMMIT
# Completed on Wed Feb  4 03:41:46 2015
# Generated by iptables-save v1.4.7 on Wed Feb  4 03:41:46 2015
*mangle
:PREROUTING ACCEPT [830056:419977881]
:INPUT ACCEPT [830056:419977881]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [762900:149099657]
:POSTROUTING ACCEPT [762900:149099657]
COMMIT
# Completed on Wed Feb  4 03:41:46 2015
# Generated by iptables-save v1.4.7 on Wed Feb  4 03:41:46 2015
*filter
:INPUT ACCEPT [830056:419977881]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [762900:149099657]
COMMIT
# Completed on Wed Feb  4 03:41:46 2015
**************************************

# 编辑完重启服务
service iptables restart

Contents