LINUX防火墙iptables基本命令-白红宇

LINUX防火墙iptables基本命令

阅读量：6946 次

发布时间：2019-06-27

本文共 8495 字，大约阅读时间需要 28 分钟。

一、认识iptables

二、Iptables命令

2.1、语法：iptables -t table 命令 chain rules -j target

table：有filter、nat、mangle，默认是filter

命令：

-L 或 --list 查看iptables规则列表

[root@appex ~]# iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-v 显示更多设置，-n 以数字形式显示IP地址和端口

[root@appex ~]#iptables -L FORWARD -nv

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 3/hour burst 1000

0 0 ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5

0 0 DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5

-P 或 --policy 定义默认策略

[root@appex ~]# iptables -t filter -P FORWARD DROP

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@appex ~]# iptables -t filter -P FORWARD ACCEPT

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-A 或--append 在规则列表的最后增加一条规则

[root@appex ~]#iptables -t filter -A FORWARD -p icmp -j DROP

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

DROP icmp -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-I或--insert 在规则列表的最前面插入一条规则

[root@appex ~]# iptables -t filter -I FORWARD 2 -p icmp -j ACCEPT

[root@appex ~]# iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

DROP icmp -- anywhere anywhere

ACCEPT icmp -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-R或--replace 替换规则列表中的某条规则

[root@appex ~]#iptables -t filter -R FORWARD 2 -p icmp -j DROP

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

DROP icmp -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-D或--delete 从规则列表中删除一条规则

[root@appex ~]#iptables -t filter -D FORWARD 2

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

DROP icmp -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-F或--flush 删除表中所有的规则

[root@appex ~]#iptables -t filter -F

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

2.2、Iptables匹配选项

-i或--in-interface 指定数据包从哪块网络接口进入，如eth0、eth1等

-o或--out-interface 指定数据包从哪块网络接口输出，如eth0、eth1等

[root@appex ~]# iptables -t filter -I FORWARD -i eth0 -j DROP

[root@appex ~]# iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

-p或--protocol 指定数据包匹配的协议，如TCP、UDP、ICMP等

-s或--source 指定数据包匹配的源地址

-d或--destination 指定数据包匹配的目的地址

--sport 指定数据包匹配的源端口号，可以使用”起始端口号：结束端口号”的格式指定一个范围

--dport 指定数据包匹配的目标端口号，可以使用”起始端口号：结束端口号”的格式指定一个范围

[root@appex ~]# iptables -t filter -I FORWARD -p tcp -s 10.0.0.90/32 -d 10.0.0.80/32 --dport 3389 -j DROP

[root@appex ~]# iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP tcp -- 10.0.0.90 10.0.0.80 tcp dpt:ms-wbt-server

DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@appex ~]#iptables -t filter -I FORWARD -p tcp -s 10.0.0.0/24 -d 10.10.10.0/24 --dport 3389 -j DROP

[root@appex ~]# iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP tcp -- 10.0.0.0/24 10.0.10.0/24 tcp dpt:ms-wbt-server

DROP tcp -- 10.0.0.90 10.0.0.80 tcp dpt:ms-wbt-server

DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

2.3、Iptables使用扩展选项

限制网速：-m limit --limit

控制瞬间爆发流量：-m limit --limit-burst

[root@appex ~]# iptables -t filter -F

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@appex ~]# iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j ACCEPT

[root@appex ~]#iptables -t filter -A FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j DROP //超过的就drop

[root@appex ~]#iptables -t filter -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5

DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@appex ~]#iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit-burst 1000 -j ACCEPT

[root@appex ~]#iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 3/hour burst 1000

ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5

DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

2.4、处理动作

-j 参数用来指定要进行的处理动作，常用的处理动作包括：ACCEPT、REJECT、DROP、REDIRCT、MASQUERADE、LOG、DNAT、SNAT、MIRROR、QUEUE、RETURN、MARK

Filter表能使用的主要动作：

ACCEPT:将封包放行，进行完此处理动作后，将不再匹配其他规则，直接跳往下一个规则链

REJECT:拦截该封包，并传送封包通知对方，进行完此处理动作后，将不再匹配其他规则，直接中断过滤程序

DROP:丢弃封包不予处理，进行完此处理动作后，将不再匹配其他规则，直接中断过滤程序。

三、保存和还原iptables设置

3.1、保存修改的iptables到配置文件中

[root@appex ~]# /etc/rc.d/init.d/iptables save

3.2、查看iptables的配置文件

[root@appex ~]# cat /etc/sysconfig/iptables

3.3、保存修改的iptables到一个文件中及从文件中导入到iptables中

[root@appex ~]# iptables-save >iptables.conf1

[root@appex ~]# iptables-restore< iptables.conf1

四、配置NAT实现网络地址转换

[root@appex ~]# ifconfig eth0:0 10.0.0.81 netmask 255.255.255.0

[root@appex ~]#ip addr show eth0:0

2: eth0: < BROADCAST,MULTICAST,UP,LOWER_UP > mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:21:85:0e brd ff:ff:ff:ff:ff:ff

inet 10.0.0.80/24 brd 10.0.0.255 scope global eth0

inet 10.0.0.81/24 brd 10.0.0.255 scope global secondary eth0:0

inet6 fe80::20c:29ff:fe21:850e/64 scope link

valid_lft forever preferred_lft forever

[root@appex ~]# iptables -t nat -L POSTROUTING

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

[root@appex ~]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j SNAT --to-source 10.0.0.80-10.0.0.81

[root@appex ~]#iptables -t nat -L POSTROUTING -nv

Chain POSTROUTING (policy ACCEPT 3 packets, 205 bytes)

pkts bytes target prot opt in out source destination

0 0 SNAT all -- - eth0 10.0.10.0/24 0.0.0.0/0 to:10.0.0.80-10.0.0.81

五、mangle表的应用

--ttl-inc 1

--ttl-dec 2

--ttl-set 40

[root@appex ~]#iptables -t mangle -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

[root@appex ~]# iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-inc 1

[root@appex ~]#iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-dec 2

[root@appex ~]# iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 40

[root@appex ~]#iptables -t mangle -L PREROUTING

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

TTL all -- anywhere anywhere TTL decrement by 2

TTL all -- anywhere anywhere TTL increment by 1

TTL all -- anywhere anywhere TTL set to 40

转载于:https://blog.51cto.com/13162375/2095290

你可能感兴趣的文章

1111111

查看>>

XStream将java对象转换为xml时，对象字段中的下划线“_”，转换后变成了两个的解决办法...

查看>>

弱符号与强符号，弱引用与强引用

查看>>

009PHP文件处理——文件处理 file_get_contents file_put_contents fgetc fgets fgetss

查看>>

spring boot项目在外部tomcat环境下部署

查看>>

基于C#在Mongodb的Skip-Limit和Where-Limit的分页对比并且含mongodb帮助类的源码

查看>>

060——VUE中vue-router之路由嵌套在文章系统中的使用方法：

查看>>

tenda某路由器信息泄露查找

查看>>

uva 10710 - Chinese Shuffle(完美洗牌)

[HTML5] Semantics for accessibility

查看>>

Win10下安装Ubuntu16.04虚拟机并搭建TensorFlow1.3环境

查看>>

leetcode 108. Convert Sorted Array to Binary Search Tree

查看>>

【商城购物车】购物车逻辑

查看>>