Linux防火墙之iptables入门

一、防火墙的概念

  什么是防火墙?防火墙是一台或一组设备,用以在网络间实施访问控制策略;事实上一个防火墙能够包含OSI模型中的很多层,并且可能会涉及进行数据包过滤的设备,它可以实施数据包检查和过滤,在更高的层次中对某应用程序实现某一策略,或做更多类似的事情。防火墙的功能主要是隔离功能,工作在网络或主机边缘,对进出网络或主机的数据包基于一定的规则检查,并在匹配某规则定义的行为进行处理的一组功能组件,基本上的实现都是默认情况下关闭所有的访问,只开放允许访问的策略;防火墙分主机防火墙、网络防火墙、硬件防火墙、软件防火墙、网络层防火墙、应用层防火墙等;主机防火墙指定的是针对服务当前主机做的访问策略的防火墙;网络防火墙指服务范围为防火墙一侧的局域网;硬件防火墙指在专用硬件级别实现部分功能的防火墙,另一部分功能基于软件实现;软件防火墙指运行于通用硬件平台之上的防火墙应用软件;网络层防火墙指OSI模型下四层的防火墙,主要针对OSI模型下四层的网络报文的访问策略控制;应用层防火墙/代理服务器指OSI模型中的应用层的防火墙,它主要在应用层进行操作,针对应用层的程序数据报文进行访问策略控制;

二、网络型防火墙和应用层防火墙的优缺点

  网络层防火墙主要是包过滤,网络层对数据包进行选择,选择的依据是系统内设置的过滤逻辑,被称为访问控制列表(ACL),通过检查数据流中每个数据的源地址,目标地址,所用端口和协议状态等因素,或他们的组合来取定是否允许该数据包通过;优点对用户来说透明,处理速度快且易于维护;缺点无法检查应用层数据,如病毒等;

  应用层防火墙我们又称代理服务型防火墙,它将所有跨越防火墙的网络通信链路分为两段;内外网用户的访问都是通过代理服务器上的“链路”来实现,这种防火墙优点是在应用层对数据进行检查,比较安全,确定是增加防火墙的负载。

  现实生产环境中所使用的防火墙一般都是二者结合体,即现检查网络数据,通过之后在送到应用层去检查。

三、iptables简介

  先来说说内核组件netfilter,它是Linux2.4以后的内核版本引入的一个子系统,它作为一个通用的、抽象的框架,提供一整套的hook(勾子)函数的管理机制,使得诸如数据包过滤、网络地址转换和基于协议类型的连接追踪成为了可能;它在内核中选取了五个位置放置了五个hook(勾子)函数分别是INPUT、OUTPUT、FORWARD、PREROUTING、POSTROUTING,而这五个勾子函数向用户开放,用户可以通过一个命令工具(iptables)向其写入规则;从上面的介绍不难理解,iptables只是管理netfilter上规则的一个用户空间的工具,真正实现防火墙的功能是netfilter,我们知道内核空间的功能,用户是没有办法直接使用,必须通过用户空间的软件去调用才可以使用。这也不难说明了iptables它是一个工具,而不是一个服务。

四、iptables的组成以及数据包的传输过程

  iptables由五个表和五个链以及一些规则组成,五个表分别是filter、nat、mangle、raw、security,这五张表每张表都有不同的作用,filter表,主要是过滤报文策略的定义,根据预定义的规则过滤符合条件的数据包才允许或拒绝通行。nat表是地址转换规则表,它上面主要定义一些地址转换规则。mangle表是修改数据标记位规则表,raw是关闭NAT表上启用的连接跟踪机制,加快封包穿越防火墙速度,security用于强制访问控制(MAC)网络规则,有Linux安全模块(如selinux)实现;他们的优先级由高到低的顺序为security--->raw---->mangle---->nat---->filter

  五个内置的链(chain)就是我们上面说的五个勾子函数INPUT、OUTPUT、FORWARD、PREROUTING、POSTROUTING,netfilter表和链对应关系如下图Linux防火墙之iptables入门_第1张图片

上图没有画出securiyt表所工作的链,它和filter表一样,都工作在INPUT、FORWARD、OUTPUT链上。上图主要是说明了五个表的工作位置,了解了表和链的对应关系,我们在来看看数据包过滤匹配流程Linux防火墙之iptables入门_第2张图片

   如上图所示,从网络A访问网络B,首先数据要先到达我们防火墙的网卡上,内核根据数据包目的IP判断是否需要转送出去,在路由之前数据报文要通过raw、mangel、nat这三个表中的规则,如果通过了这三张表中的规则后,数据才能决定到底是发往本机还是通过本机转发出去,如果是发往本机的,则数据会经过PREROUTING链,来到INPUT链,在进入用户空间访问用户空间的应用进程时,数据首先要通过,INPUT链上的所有规则,才可以访问本机用户空间的进程,用户空间进程接受到远端用户请求的数据报文后,响应报文会来到OUTPUT链上,这个链主要检查由本机发出的数据包,只有数据包满足出站规则后,它才能通过OUTPUT,当数据报文通过OUTPUT链后,数据报文会经过路由,来到POSTROUTING链,然后POSTROUTING链上的规则会对出站报文进行匹配,满足匹配策略POSTROUTING链放行或拒绝;如果数据包不是发往本机,则数据报文会经过PREROUTING链来到FORWARD链上,在FORWARD链上也有规则,数据符合FORWARD链上定义的规则,则通过或不通过(这个要看链上的处理动作怎么定义的,我们这里假设是匹配通过,不匹配这不通过来说明数据报文过滤匹配流程),如果数据通过了FORWARD链上的所有规则,这时数据会再次经过路由来到POSTROUTING链,同理它需要通过POSTROUTING上的所有规则后才能把到达下一个网络,从而实现数据包的转发;

  通过上图,不难发现数据报文的流向有三种,第一种是到本机来到,第二种是从本机出去的,第三种是经由本机转发的;流入本机的报文首先要通过PREROUTING链然后通过后来到INPUT链,通过后最后到达用户空间进程;流出本机的数据报文走向是用户空间进程---->OUTPUT---->POSTROUTING;经本机转发出去的报文走向:PREROUTING --> FORWARD --> POSTROUTING

  了解了数据报文的走向后,我们在来说说路由功能和发生的时间点,报文进入本机后,内核通过数据报的目标ip来判断此数据包是发往本机还是转发,如果是发往本机,则数据报文会送到INPUT链,如果不是发往本机的数据报文会送到FORWARD链,这时报文进入本机前端路由;在报文离开本机之前,内核会根据目标地址IP来判断数据报文由那个接口送往下一跳(下一个网络)

Linux防火墙之iptables入门_第3张图片

   当一个数据包进入网卡时,数据包首先进入PREROUTING链,内核根据数据包目的IP判断是否需要转送出去;如果数据包就是进入本机的,数据包就会到达INPUT链。数据包到达INPUT链后,任何进程都会收到它。本机上运行的程序可以发送数据包,这些数据包经过OUTPUT链,然后到达POSTROUTING链输出;如果数据包是要转发出去的,且内核允许转发,数据包就会向右移动,经过FORWARD链,然后到达POSTROUTING链输出;

五、ipatbles规则

  规则(rule)是由匹配条件和匹配动作组成,根据规则的匹配条件尝试匹配报文,对匹配成功的报文根据规则定义的处理动作作出处理。匹配条件有基本匹配条件和扩展匹配条件,基本匹配条件就是内建匹配条件,原生就有的,扩展匹配条件是由扩展模块定义,需要安装特定的模块才可以实现特定的扩展匹配;处理动作分基本处理动作,就是内建,原生支持的动作,扩展处理动作,由扩展模块定义,还有就是用户自定义处理(就是把匹配到达报文叫由自定义链来处理,这也是自定义链被主链调用的方式),iptables的链分内置链,和自定义链,内置的链就是对应五个勾子函数;自定义链式用于内置链的扩展和补充,可实现更灵活的规则管理机制,它只有被内置链调用才能生效;

  iptables规则添加需要考量以下几点

  1、要实现那种功能,判断规则该添加到那张表上的那个位置(iptables匹配规则的顺序是从上至下依次匹配,匹配到了就安装匹配到的处理动作做出处理,没有匹配到就按默认动作处理,所以添加规则需要考虑添加到那个位置)

  2、报文流经的路径必须清楚,需要判断把规则添加到哪个链上

  3、报文的流向,判断源和目标

  4、匹配规则,根据业务需求,怎么去匹配规则

六、iptables命令使用和选项说明

[root@test ~]# iptables -h
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
[root@test ~]# 

  提示:除了以上用-h来了解iptables的简要用法和说明外,我们还可以通过man  8 iptables来了解每个选项的详细说明

Linux防火墙之iptables入门_第4张图片

     -t选项表示指定表名,默认是filter表,-A表示追加规则到最后,-s表示指定源ip地址 -j 表示处理的动作;iptables命令大概可以分二段段,第一段是指明规则位置,第二段是规则本身,规则又需要指明匹配条件和处理动作;上图命令表示在INPUT链上的filter表上追加一条规则到最后,规则内容为源地址为192.168.0.1的报文将丢弃;注意-A后面需要跟链名,链名必须得大写。

  总结命令使用格式:iptables [-t tablesname] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

  tablesname: raw,mangle,nat,[filter]默认不指定就是filter;

  COMMAND子命令,指明对规则的增删查改

    1、链管理

    -N:new,自定义一条新的规则链

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 524 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -N my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]#

    -X:delete,删除自定义的空的规则链(删除一条自定义链的前提是,自定义连未被主链引用,也就是引用计数为0,其次是自定义链必须是空连,就是没有任何规则的链)

[root@test ~]# iptables -A my_chain -s 192.168.0.0/24 -j ACCEPT
[root@test ~]# iptables -A INPUT -s 192.168.0.0/24 -j my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   24  1688 my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 1488 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   24  1688 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]# iptables -X my_chain
iptables: Too many links.
[root@test ~]# iptables -F INPUT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 1552 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
   94  6516 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]# iptables -X my_chain
iptables: Directory not empty.
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -X my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 

    -P:policy,设置默认策略;对filter表中的链而言,其默认策略有:ACCEPT接受,允许。DROP:丢弃

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29890 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 31689 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -P FORWARD ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 356 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -nvL

    -E:重命名自定义连;

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  104  7344 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 37 packets, 4120 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  104  7344 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]# iptables -E you_chain my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  178 12540 my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  178 12540 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]#

  提示:重命名自定义链,引用计数不为零是可以被重命名的

  2、规则管理

    -A:append ,追加规则到指定表达最后

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2208  340K my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1382 packets, 253K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2208  340K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2360  351K my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 10 packets, 1048 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2360  351K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.99        
[root@test ~]# 

    -I:insert, 插入,要指明位置,省略时表示第一条;

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 195 packets, 13312 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 121 packets, 12112 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 41319 -j ACCEPT 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -I my_chain -d 192.168.0.99 -p tcp --dport 80 -j ACCEPT           
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 124 packets, 10836 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 114 packets, 10648 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -I  my_chain 2 -d 192.168.0.99 -p tcp --dport 8080 -j ACCEPT 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 620 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 1176 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# 

    -D:delete,删除;删除规则需啊哟指明规则序号,或者明规则本身

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18 packets, 1136 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 3072 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -D my_chain 1
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -D my_chain -d 192.168.0.99 -p tcp --dport 8080 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# 

    -R:replace,替换指定链上的指定规则;需指明替换第几条规则

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -R my_chain 1 -d 192.168.0.100 -p tcp --dport 22 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.100        tcp dpt:22
[root@test ~]# 

    -F:flush,清空指定的规则链;若为指定链 ,则表示清空filter表所在的所有链

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 38 packets, 2560 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 29 packets, 3648 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.100        tcp dpt:22
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 16 packets, 1108 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 11 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 41319 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 80 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  139  9668 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  200 13824 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 

    -Z:zero,置零指定链上的计数器,若为指定则表示,清空filter表所在的所有链上的规则计数器;iptables的每条规则都有两个计数器:(1) 匹配到的报文的个数;(2) 匹配到的所有报文的大小之和;

[root@test ~]# iptables -nvL 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  783 59868 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   50  4212 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 27 packets, 3364 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   672 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -Z OUTPUT 
[root@test ~]# iptables -nvL      
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  822 62468 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   60  5052 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -Z
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   31  2124 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]#

  2、查看指定链上的规则

    -L:list, 列出指定链上的所有规则;-n:numberic,以数字格式显示地址和端口;-v:verbose,详细信息,支持-vv -vvv来指定详细程度

[root@test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             test                 tcp dpt:41319
ACCEPT     icmp --  anywhere             test                 icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  test                 anywhere             icmp echo-reply

Chain my_chain (0 references)
target     prot opt source               destination         
[root@test ~]# iptables -Ln
iptables: No chain/target/match by that name.
[root@test ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.99         tcp dpt:41319
ACCEPT     icmp --  0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
target     prot opt source               destination         
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  205 14232 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   73  6132 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 160 packets, 18172 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   73  6132 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -nL -vv 
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  244 16780 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   93  7812 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 185 packets, 21408 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   93  7812 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
libiptc vlibxtables.so.10. 1544 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/220/2b8/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/188/220/378/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 244 packets, 16780 bytes
Cache: 00000000
Match name: `tcp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 1 (200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 93 packets, 7812 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 2 (392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 4 packets, 284 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 3 (544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP

Entry 4 (696):
SRC IP: 192.168.0.99/255.255.255.255
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 93 packets, 7812 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 5 (888):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 185 packets, 21408 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 6 (1040):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`my_chain'

Entry 7 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN

Entry 8 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'

[root@test ~]# iptables -nL -vvv
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  288 18748 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   97  8148 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 264 packets, 32648 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   97  8148 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
libiptc vlibxtables.so.10. 1544 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/220/2b8/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/188/220/378/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 288 packets, 18748 bytes
Cache: 00000000
Match name: `tcp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 1 (200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 97 packets, 8148 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 2 (392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 4 packets, 284 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 3 (544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP

Entry 4 (696):
SRC IP: 192.168.0.99/255.255.255.255
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 97 packets, 8148 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 5 (888):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 264 packets, 32648 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 6 (1040):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`my_chain'

Entry 7 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN

Entry 8 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'

[root@test ~]# 

  提示:使用查看子命令-L如果有其他修饰子命令的选项和-L合并时,需要把 其他修饰该命令的选项需要放在-L 前面,否则会把其选项识别成链名

    -x:exactly,显示计数器结果的精确值,而非单位转换后的易读值

Linux防火墙之iptables入门_第5张图片

     --line-numbers:显示规则的序号;可缩写为--line-num

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7196  322K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13994 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     7227  324K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 14018 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -nvL --line-num
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     7240  325K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 14031 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 

    -S selected,以iptables-save 命令格式显示链上规则

[root@test ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N my_chain
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT
-A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
[root@test ~]# 

  提示:如果有需要,可以将其输出重定向到一个文件中去,但是导出的内容不能用于规则导入到文件,也就是说导出的文件不能用来重载iptables规则表

  4、规则的导出和导入

  iptables规则导出到指定文件

[root@test ~]# iptables-save > iptables.txt 
[root@test ~]# cat iptables.txt 
# Generated by iptables-save v1.4.21 on Thu Feb  6 00:01:22 2020
*security
:INPUT ACCEPT [122:11155]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:10857]
COMMIT
# Completed on Thu Feb  6 00:01:22 2020
# Generated by iptables-save v1.4.21 on Thu Feb  6 00:01:22 2020
*mangle
:PREROUTING ACCEPT [122:11155]
:INPUT ACCEPT [122:11155]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:10857]
:POSTROUTING ACCEPT [100:10857]
COMMIT
# Completed on Thu Feb  6 00:01:22 2020
# Generated by iptables-save v1.4.21 on Thu Feb  6 00:01:22 2020
*raw
:PREROUTING ACCEPT [122:11155]
:OUTPUT ACCEPT [100:10857]
COMMIT
# Completed on Thu Feb  6 00:01:22 2020
# Generated by iptables-save v1.4.21 on Thu Feb  6 00:01:22 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:280]
:POSTROUTING ACCEPT [5:280]
COMMIT
# Completed on Thu Feb  6 00:01:22 2020
# Generated by iptables-save v1.4.21 on Thu Feb  6 00:01:22 2020
*filter
:INPUT ACCEPT [40:5587]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100:10857]
:my_chain - [0:0]
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT
-A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
COMMIT
# Completed on Thu Feb  6 00:01:22 2020
[root@test ~]# 

  提示:保存规则使用iptables-save命令,它默认是把链上的所有规则打印到标准输出,如果需要保存到指定文件需要用到输出重定向到指定文件即可

  iptables规则的导入

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
54895 2298K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   75  6300 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 117K packets, 130M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   75  6300 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 27 packets, 1976 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20 packets, 1816 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables-restore < iptables.txt 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   24  1636 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    7   588 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   588 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 

  提示:导入规则的文件内容必须是iptables-save 导出的文件,不能用iptables -S 导出的文件还原。

    -n, --noflush:不清除原有规则导入

[root@test ~]# iptables -F
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 3306 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3468 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:3306

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 34 packets, 3028 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables-restore -n iptables.txt 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:3306
   24  1636 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   336 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 

  提示:-n选项是不清空原有非自定义链上的规则,对于自定义链不管是否引用都会被清空

    -t, --test:仅分析生成规则集,但不提交

[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1708 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1548 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables-restore -t iptables.txt 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 98 packets, 7096 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 72 packets, 7188 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]#

  提示:以上导出和导入规则适用centos6 和centos7 

  centos6除上面的方式可以导入和导出规则,它还可以用service iptables save 或者/etc/init.d/iptables save 使用脚本来保存iptables规则

[root@test-node1 ~]#cat /etc/redhat-release 
CentOS release 6.7 (Final)
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   25  1728 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 2272 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   25  1728 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test-node1 ~]#service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@test-node1 ~]#cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb  6 00:49:32 2020
*filter
:INPUT ACCEPT [22:1656]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [82:8776]
:you_chain - [0:0]
-A INPUT -s 192.168.0.0/24 -j you_chain 
-A you_chain -s 192.168.0.0/24 -j ACCEPT 
COMMIT
# Completed on Thu Feb  6 00:49:32 2020
[root@test-node1 ~]

  提示:在centos6上使用脚本的方式去导出iptables规则,它默认覆盖保存在/etc/sysconfig/iptables文件

  centos6导入规则

[root@test-node1 ~]#iptables -F
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 14 packets, 1304 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain you_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test-node1 ~]#service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  1332 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   19  1332 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test-node1 ~]#

  提示:导入规则centos6 用restart 来导入,不是restore。

你可能感兴趣的:(Linux防火墙之iptables入门)