Notes on iptables rules and their use

Recently, on and off, I have been reading up on iptables and organising my notes on how to use it.
iptables is the program that implements packet filtering on Linux; it is the last gate in front of a server and is commonly called the Linux firewall. Used properly, it lets you control access from suspicious IPs and, in the case of outright malicious traffic, shut the source out directly. It only acts on IPv4 packets; IPv6 is not handled (the separate ip6tables tool covers that).
Environment: CentOS 6.2 (Final)

1. Basic usage
a. Install location
[root@localhost ~]# which iptables
/sbin/iptables
b. View the iptables status
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
c. Stop iptables
[root@localhost ~]# service iptables stop
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Unloading modules: [  OK  ]
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
d. Start iptables
[root@localhost ~]# service iptables start
iptables: Applying firewall rules: [  OK  ]
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
e. Start iptables automatically at boot (on) or disable that (off)
chkconfig iptables on
chkconfig iptables off
2. Basic syntax
Basic operations
-A (append) append a rule to the end of a chain;
-I (insert) insert a rule;
-D (delete) delete a rule;
-R (replace) replace a rule;
-L (list) list the rules.

Targets (what happens to a matching packet)
ACCEPT accept the packet;
DROP discard the packet silently;
REJECT refuse the packet and notify the sender (some OSes call this DENY).

Match options
-p (protocol) specify the protocol (tcp/icmp/udp/...);
-s (source) source address (ip address/masklen);
-d (destination) destination address (ip address/masklen);
--sport source port
--dport destination port

Connection state: -m state --state (INVALID, ESTABLISHED, NEW and RELATED)
INVALID packet that cannot be associated with any known connection
ESTABLISHED connection that is already established
NEW new connection
RELATED connection related to an existing one

Rule chains
– INPUT       inbound packets (filter table)
– OUTPUT      outbound packets (filter table)
– FORWARD     forwarded packets (filter table)
– PREROUTING  nat (network address translation)
– POSTROUTING nat

Viewing the rules (the listing below was taken after adding the two rules for 192.168.2.137 shown in the examples further down)
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       all  --  192.168.2.137        anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             192.168.2.137       reject-with icmp-port-unreachable
Deleting a rule, by its position in the chain:
iptables -D INPUT 1
or by repeating the rule specification exactly:
iptables -D INPUT -s 192.168.2.137 -j DROP
iptables -D OUTPUT -d 192.168.2.137 -j REJECT

Flush all rules (note that this does not change the chain policies)
iptables -F

3. Saving the iptables rules
[root@localhost ~]# iptables-save -c > ./kenyon.iptables.bak
[root@localhost ~]# more kenyon.iptables.bak
# Generated by iptables-save v1.4.7 on Fri Nov 16 01:07:34 2012
*filter
:INPUT ACCEPT [8145:7631364]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4758:209361]
COMMIT
# Completed on Fri Nov 16 01:07:34 2012
[root@localhost ~]#
Or:
[root@localhost ~]# /etc/init.d/iptables save                                   --saves to the default path /etc/sysconfig/iptables
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@localhost ~]#
Examples:
Open SSH
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT     --written on both chains so the service still works when the OUTPUT policy is DROP; the cases below are similar, and the OUTPUT rule is omitted

Open port 80 (web)
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Open port 110 (mail, POP3)
[root@localhost ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT

Open port 21 (FTP)
[root@localhost ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Open port 53 (DNS); note this is TCP only, while most DNS queries use UDP, which this rule does not cover
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Open port 5432
[root@localhost ~]# iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

Open a range of ports
[root@localhost ~]# iptables -A INPUT -p tcp --dport 65520:65534 -j ACCEPT

Allow ping
[root@localhost ~]#  iptables -A OUTPUT -p icmp -j ACCEPT
[root@localhost ~]#  iptables -A INPUT -p icmp -j ACCEPT

Close another port (outbound, both as source and destination port)
[root@localhost ~]# iptables -A OUTPUT -p tcp --sport 31335 -j DROP
[root@localhost ~]# iptables -A OUTPUT -p tcp --dport 31335 -j DROP

Refuse packets from a given IP
[root@localhost ~]# iptables -A INPUT -s 192.168.2.137  -j DROP

Refuse packets sent to a given IP
[root@localhost ~]# iptables -A OUTPUT -d 192.168.2.137  -j REJECT

Refuse packets from a range of IPs
[root@localhost ~]# iptables -A INPUT -s 192.168.2.0/24  -j DROP

Refuse packets from a given MAC address (the mac match cannot be used in the OUTPUT or POSTROUTING chains)
[root@localhost ~]# iptables -A INPUT -m mac --mac-source 00:0C:29:AB:4B:FF -j DROP

Allow established and related connections
[root@localhost ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
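The examples above add rules one at a time with -A, which makes rule order easy to get wrong (a port rule appended after the final REJECT never matches). As an added example that is not part of the original post, the hypothetical gen_ruleset function below prints a complete stateful INPUT ruleset in iptables-restore format, in the same order as the CentOS default listing shown in section 1, so it can be written to /etc/sysconfig/iptables and loaded atomically with iptables-restore.

```shell
#!/bin/sh
# Added example (not from the original post). Print an iptables-restore ruleset
# for the filter table. Arguments: TCP ports, or low:high ranges, to accept for
# NEW connections. Intended use (as root):
#   gen_ruleset 22 80 > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
# Order matters: loopback and RELATED,ESTABLISHED come first so return traffic
# is never evaluated against the per-port rules or the final REJECT.
gen_ruleset() {
    # Validate every argument before printing anything, so a typo does not
    # leave a half-written file that iptables-restore would refuse to load.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9:]*) printf 'gen_ruleset: invalid port "%s"\n' "$port" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    # Policy DROP on INPUT/FORWARD means an accidentally deleted rule fails closed;
    # OUTPUT stays ACCEPT, matching the examples above.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Packets conntrack cannot classify (bad TCP flags, no matching connection).
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One rule per service port, restricted to NEW connections.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Explicit REJECT (the same target as the CentOS default ruleset) so blocked
    # clients fail fast instead of timing out against the DROP policy.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}
```

Review the generated text with `gen_ruleset 22 80` before loading it, and keep an SSH session open while testing so a mistake in the port list cannot lock you out.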
Reference: http://www.cnblogs.com/JemBai/archive/2009/03/19/1416364.html
