iptables (netfilter) firewall explained

iptables has three tables: filter, nat and mangle.

The filter table has three default chains: INPUT, FORWARD and OUTPUT.

[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1425  122K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1462  162K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1410 packets, 125K bytes)
 pkts bytes target     prot opt in     out     source               destination


The nat table has three default chains: PREROUTING, POSTROUTING and OUTPUT.

[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


The mangle table has five default chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

[root@localhost ~]# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


The filter table is used mainly for filtering packets (the most commonly used table).

View the rules currently in the filter table. filter is the default table, so -t filter can be omitted here:

[root@localhost ~]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1713  146K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1606  181K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1661 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination


Zero the packet and byte counters of the firewall rules. filter is the default table, so -t filter can be omitted here:

[root@localhost ~]# iptables -Z -t filter


Flush all firewall rules in one go. filter is the default table, so -t filter can be omitted here:

[root@localhost ~]# iptables -F -t filter


Save the firewall configuration to /etc/sysconfig/iptables:

[root@localhost ~]# service iptables save

iptables:将防火墙规则保存到 /etc/sysconfig/iptables:     [确定]


Back up the firewall configuration:

[root@localhost ~]# iptables-save > 1.ipt


Restore the firewall configuration:

[root@localhost ~]# iptables-restore < 1.ipt
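A backup made with iptables-save is also the easiest thing to audit offline. The script below is an added example, not part of the original post: it reads a dump in iptables-save format from stdin and reports (a) filter chains that are left open, meaning policy ACCEPT with no catch-all DROP/REJECT as the last rule, and (b) the TCP ports the INPUT chain accepts for new connections. SAMPLE_DUMP is a constructed dump modelled on the default listing shown above; on a real host pipe in the 1.ipt backup or the output of iptables-save instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump offline.
# SAMPLE_DUMP is constructed to match the default filter listing shown in the post.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1661:150000]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the filter-table chains that are left open: policy ACCEPT and no
# catch-all DROP/REJECT as the final rule. Reads an iptables-save dump on stdin.
open_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/  { if (table == "filter") {
                    c = substr($1, 2); policy[c] = $2; order[++n] = c; last[c] = ""
                } next }
        /^-A/ { if (table != "filter") next
                chain = $2; tgt = ""; catchall = 1
                for (i = 3; i <= NF; i++) {
                    if ($i == "-j") tgt = $(i + 1)
                    # any match option means the rule is not a catch-all
                    if ($i ~ /^(-p|-s|-d|-i|-o|-m|!)$/) catchall = 0
                }
                last[chain] = catchall ? tgt : "match"
                next }
        END { for (i = 1; i <= n; i++) {
                  c = order[i]
                  if (policy[c] == "ACCEPT" && last[c] != "DROP" && last[c] != "REJECT") print c
              } }
    '
}

# Print the TCP destination ports that INPUT accepts, one per line, so the
# exposed services can be compared against what the host is supposed to run.
accepted_tcp_ports() {
    awk '
        /^-A INPUT / {
            port = ""; tcp = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (tcp && accept && port != "") print port
        }
    '
}

printf '%s\n' "$SAMPLE_DUMP" | open_chains          # prints: OUTPUT
printf '%s\n' "$SAMPLE_DUMP" | accepted_tcp_ports   # prints: 22
```

On the sample dump the audit reports OUTPUT, which matches the listing above: that chain has policy ACCEPT and no rules, so every outbound packet is allowed. INPUT and FORWARD are not reported because each ends in the catch-all REJECT. Only port 22 is accepted for inbound TCP.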


Change the firewall's master switch, the default policy of a chain, to DROP (discard), REJECT (refuse) or ACCEPT (allow). On a freshly installed system the default policy is ACCEPT. Use this command with care: once the policy is set to DROP or REJECT, your remote session will be cut off as well.

[root@localhost ~]# iptables -P INPUT DROP


Insert a firewall rule:

[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -s 192.168.10.111 -j DROP

The table specified is filter.
The chain specified is INPUT.
The option in front of INPUT selects the operation: -A appends, so the rule lands at the bottom of the chain in the filter table; -I inserts, so it lands at the top of the chain; -D deletes the rule (it is matched first, then removed).
The protocol specified is tcp.
The port specified is 80.
The source IP specified is 192.168.10.111.
The action specified is DROP.


Delete a rule by matching it; this removes the rule added above:

[root@localhost ~]# iptables -t filter -D INPUT -p tcp --dport 80 -s 192.168.10.111 -j DROP
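The two warnings in this post, that -P can lock you out and that -I and -A place a rule at opposite ends of the chain, come together in the order you apply rules. The script below is an added example and is not the post's own code: it applies the baseline rule set from the listing with the allow rules first and the policy change last, so the SSH session you are working from keeps matching the RELATED,ESTABLISHED rule when the policy flips. DRY_RUN (default 1) and SSH_PORT (assumed 22) are this example's own variables; with DRY_RUN=1 the commands are printed for review rather than executed. Note that iptables -P accepts only the built-in targets ACCEPT and DROP as a chain policy; to refuse with an ICMP error, keep a final -j REJECT rule as in the listing.

```shell
#!/bin/sh
# Added example (not from the original post): apply the baseline rule set in an
# order that does not cut off the SSH session you are working from, then show
# -I and -D for a host-specific block. DRY_RUN and SSH_PORT are assumed names.
: "${DRY_RUN:=1}"     # 1 = print commands only; set to 0 as root on a real host
: "${SSH_PORT:=22}"   # assumed management port; adjust to match the host

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_baseline() {
    # Allow rules go in first, while the chain policy is still ACCEPT.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Only now flip the policy: the current SSH session is ESTABLISHED and keeps
    # matching the first rule. -P accepts ACCEPT or DROP only.
    ipt -P INPUT DROP
}

# -I puts the rule at the top of the chain, so it is evaluated before every
# rule that was appended with -A above.
block_host_http() {
    ipt -I INPUT -p tcp --dport 80 -s "$1" -j DROP
}

# -D must be given the same specification as the rule it removes.
unblock_host_http() {
    ipt -D INPUT -p tcp --dport 80 -s "$1" -j DROP
}

apply_baseline
block_host_http 192.168.10.111
unblock_host_http 192.168.10.111
```

Run it once with the default DRY_RUN=1 and read the printed sequence; the last line must be the policy change. Only then run it as root with DRY_RUN=0, and follow up with service iptables save so the rules survive a reboot.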
