The Linux kernel firewall, netfilter, in detail
General processing flow when traffic passes through a Linux host:
incoming packet ----> packet arrives at the host ----> some preprocessing (prerouting) -----> routing decision ---> inspection ---> postrouting ---> route selection ----> forwarded out --->
Principle: netfilter can act as a firewall because it is invoked from within the Linux kernel's own packet-handling path.
[root@lib ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@lib ~]# systemctl start firewalld
View all of its default rules
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
79 5656 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
3 390 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
3 390 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
3 390 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 286 REJECT all -- * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 42 packets, 4480 bytes)
pkts bytes target prot opt in out source destination
42 4480 OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
3 390 IN_public all -- ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
3 390 IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
3 390 IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 390 IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
1 104 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
[root@lib ~]#
[root@lib ~]# yum install firewall-config
Open the graphical firewall configuration tool
[root@lib ~]# firewall-config
netfilter functional modules in detail
The path a packet takes:
hook function:
prerouting
input
output
forward
postrouting
Built-in chains:
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
Functions (tables):
filter: filtering; the firewall proper;
nat: network address translation; used to rewrite the source or destination IP, and can also rewrite ports;
mangle: unpack the packet, modify it, and re-encapsulate it;
raw: disable the connection tracking that the nat table enables;
Tables <-- the chains they hook (priority from high to low):
high  raw: PREROUTING, OUTPUT
 |    mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
 |    nat: PREROUTING, [INPUT,] OUTPUT, POSTROUTING
low   filter: INPUT, FORWARD, OUTPUT
Packet flows:
Into this host: PREROUTING --> INPUT
Out of this host: OUTPUT --> POSTROUTING
Forwarded: PREROUTING --> FORWARD --> POSTROUTING
netfilter firewall rules are managed with the iptables command
Rules that are hit most often go first
Rules with a narrower scope go first
iptables/netfilter
Rules:
Components: a rule tries to match packets against its match conditions; once a packet matches, the action defined by the rule is applied to it;
Match conditions:
Basic match conditions: built in
Extended match conditions: defined by extension modules;
Actions:
Basic actions: built in
Extended actions: defined by extension modules;
Custom handling mechanism: user-defined chains
iptables chains: built-in chains and user-defined chains
Built-in chains: correspond to the hook functions
User-defined chains: extend and supplement the built-in chains, allowing more flexible rule management;
Points to consider when adding a rule:
(1) Which function is needed: decides which table the rule goes into;
(2) The path the packet takes: decides which chain the rule goes into;
Chains: the order of rules on a chain is the order in which they are checked; this implies a few rules of thumb:
(1) For rules of the same kind (accessing the same application), put the ones with the narrower match range higher up;
(2) For rules of different kinds (accessing different applications), put the ones that match packets more frequently higher up;
(3) Merge several rules that can be expressed as a single rule;
(4) Set a default policy;
The iptables command:
Highly modular; its match conditions and actions are defined by many extension modules;
/usr/lib64/xtables/
IPv6: libip6t_
IPv4: libipt_, libxt_
The iptables command:
iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
Match conditions:
Basic match conditions:
-s, -d, -p, -i, -o
Extended match conditions:
-m matchname per-match-options
Actions:
Basic actions: ACCEPT, DROP
Extended actions: REJECT, RETURN, LOG, REDIRECT, ...
User-defined chains:
COMMAND:
Chain management: -N, -X, -E, -P, -F, -Z
Rule management: -A, -I, -R, -D
Viewing: -L, -n, -v, -x, --line-numbers
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
Rule format: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
-t table:
raw, mangle, nat, [filter]
COMMAND:
Chain management:
-N: new, create a new user-defined chain;
[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)    the reference count is 0
pkts bytes target prot opt in out source destination
[root@lib ~]#
-X: delete, delete a user-defined chain;
Note: only user-defined chains that are empty and have a reference count of 0 can be deleted;
[root@lib ~]# iptables -X in_web_rules
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#
-P: policy, set the default policy; for chains in the filter table the default policies are:
ACCEPT: accept
DROP: drop silently
REJECT: reject
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD ACCEPT
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]#
-E: rename a user-defined chain; a user-defined chain whose reference count is not 0 can be neither renamed nor deleted;
[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)
pkts bytes target prot opt in out source destination
[root@lib ~]# iptables -E in_web_rules in_web_rules_new1
[root@lib ~]# iptables -vnL in_web_rules_new1
Chain in_web_rules_new1 (0 references)
pkts bytes target prot opt in out source destination
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#
Rule management:
-A: append, add a rule at the end of the chain;
-I: insert, insert a rule at the given position; if the position is omitted it becomes the first rule;
-D: delete, delete a rule, either by:
(1) giving the rule number;
(2) giving the rule itself;
[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]# iptables -D FORWARD 8    delete rule 8 of the FORWARD chain
[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]#
-R: replace, replace the specified rule on the specified chain;
-F: flush, empty the specified chain;
[root@lib ~]# iptables -vnL INPUT    view the rules on the INPUT chain
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
77 5976 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
7 1087 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
7 1087 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 1087 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 1087 REJECT all -- * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]#
[root@lib ~]# iptables -F INPUT
[root@lib ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 7 packets, 575 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#
-Z: zero, reset the counters;
Every iptables rule has two counters:
(1) the number of packets matched;
(2) the total size of all packets matched;
[root@lib ~]# iptables -Z INPUT
Viewing:
-L: list, list all rules on the specified chain;
-n: numeric, show addresses and port numbers in numeric form;
-v: verbose, detailed output;
-vv, -vvv
-x: exact, show exact counter values;
--line-numbers: show rule numbers;
[root@lib ~]# iptables -L -n
[root@lib ~]# iptables -L --line-numbers -v -n
[root@lib ~]# iptables -L --line-numbers -vv -n
[root@lib ~]# iptables -L --line-numbers -v -n -x
[root@lib ~]# iptables -vnxL --line-number
[root@lib ~]# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8539 737755 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
1175 174348 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
1175 174348 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
1175 174348 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1168 173260 REJECT all -- * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]#
[root@lib ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@lib ~]#
Chains:
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Match conditions:
Basic match conditions: no module needs to be loaded; provided by iptables/netfilter itself;
[!] -s, --source address[/mask][,...]: check whether the packet's source IP address matches the address or range given here;
[!] -d, --destination address[/mask][,...]: check whether the packet's destination IP address matches the address or range given here;
All addresses: 0.0.0.0/0
[!] -p, --protocol protocol
protocol: tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh or "all"
{tcp|udp|icmp}
[!] -i, --in-interface name: the interface the packet arrives on; only applies at the ingress stage, i.e. only on the PREROUTING, INPUT and FORWARD chains;
[!] -o, --out-interface name: the interface the packet leaves through; only applies at the egress stage, i.e. only on the FORWARD, OUTPUT and POSTROUTING chains;
Actions:
-j targetname [per-target-options]
ACCEPT
DROP
REJECT
CentOS 7 has 7 tables
[root@lib ~]# iptables -L    defaults to the filter table
[root@lib ~]# iptables -t filter -L
[root@lib ~]# iptables -t mangle -L
[root@lib ~]# iptables -t raw -L
[root@lib ~]# iptables -t nat -L
[root@lib ~]# iptables -t security -L
[root@lib ~]# systemctl stop firewalld
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#
For example, allow the 192.168.0.0/24 network to reach this host
[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 432 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 592 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#
Allow this host to reach the 192.168.0.0/24 network
[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
254 18424 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 592 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
[root@lib ~]#
Omitting -d and -p means all destinations and all protocols
[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -P OUTPUT DROP
With the DROP policies in place, the rules now form a whitelist
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
381 27776 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
79 9064 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
[root@lib ~]#
192.168.0.101 can no longer ping 192.168.0.103, because INPUT only lets the TCP protocol through and ping uses ICMP
C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.
Let it in
[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.101 -d 192.168.0.103 -p icmp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
766 57344 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
0 0 ACCEPT icmp -- 192.168.0.101 192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
320 36208 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
[root@lib ~]#
Still cannot ping, because the replies have not been let out
C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.103:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\kerberos>
A packet capture shows this
[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:18:21.075645 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 347, length 40
16:18:26.077079 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 348, length 40
16:18:31.079188 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 349, length 40
Add a rule to let the replies out
[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.101 -p icmp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1070 79152 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
6 360 ACCEPT icmp -- 192.168.0.101 192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
484 53984 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
0 0 ACCEPT icmp -- 192.168.0.103 192.168.0.101
[root@lib ~]#
Ping again
C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\kerberos>
Packet capture
[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:21:09.433967 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 352, length 40
16:21:09.434011 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 352, length 40
16:21:10.442321 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 353, length 40
16:21:10.442357 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 353, length 40
Firewall policy approach: a whitelist is normally used: deny everything, allow only specific traffic.
[root@lib ~]# systemctl status firewalld
Exercise: this host's address is 172.16.0.67
1. Open all of this host's TCP services to all hosts;
# iptables -I INPUT -d 172.16.0.67 -p tcp -j ACCEPT
# iptables -I OUTPUT -s 172.16.0.67 -p tcp -j ACCEPT
2. Open all of this host's UDP services to hosts in the 172.16.0.0/16 network, excluding 172.16.0.200;
# iptables -I INPUT 2 -d 172.16.0.67 -s 172.16.0.200 -p udp -j REJECT
# iptables -I INPUT 3 -d 172.16.0.67 -s 172.16.0.0/16 -p udp -j ACCEPT
# iptables -I OUTPUT 2 -s 172.16.0.67 -d 172.16.0.0/16 -p udp -j ACCEPT
3. Default policy REJECT;
Extension:
1. Open only this host's SSH service to hosts in 172.16.0.0/16, excluding 172.16.0.200;
iptables/netfilter
framework: netfilter
Five chains:
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
filter: packet filtering;
nat: address translation;
mangle: packet modification;
raw: disable the connection tracking that the nat table enables;
security:
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: OUTPUT, PREROUTING
Uppercase module names are actions (targets)
Lowercase module names are match conditions
[root@lib ~]# rpm -ql iptables | grep -i -E 'tcp|icmp|upd'
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
[root@lib ~]#
iptables (2)
iptables [-t table] COMMAND [chain] [PARAMETERS] [-m matchname [per-match-options]] [-j targetname [per-target-options]]
Match conditions:
Basic match conditions: PARAMETERS
Extended match conditions:
Implicit extensions: when -p names a specific protocol, there is no need to also name the extension module with -m;
Explicit extensions: the extension module to use must be named with -m;
Implicit extensions do not have to be loaded by hand; because they are extensions of a protocol, naming the protocol with -p already names the module being extended;
tcp:
[!] --source-port, --sport port[:port]: match the packet's source port; can be a port range;
[!] --destination-port, --dport port[:port]: match the packet's destination port; can be a port range;
[!] --tcp-flags mask comp
mask is the flags which we should examine, written as a comma-separated list, e.g. SYN,ACK,FIN,RST
comp is a comma-separated list of flags which must be set, e.g. SYN
For example, "--tcp-flags SYN,ACK,FIN,RST SYN" means: the flags to examine are SYN, ACK, FIN and RST; of these, SYN must be 1 and the other three must be 0;
[!] --syn: matches the first packet of the handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN";
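The mask/comp semantics just described, worked through in a small Python model (an added example, not code from these notes or from iptables); the flag names and the ALL/NONE shorthands are those iptables' tcp match accepts, and the sample packets are constructed for the illustration.

```python
"""Evaluate iptables '--tcp-flags mask comp' semantics on sample packets.

Added example, not code from the original notes. Flag names and the ALL/NONE
shorthands follow iptables' tcp match; the packets below are constructed.
"""

# Bit values for the six flags iptables' tcp match understands.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())


def parse_flag_list(spec: str) -> int:
    """Turn a comma-separated list such as 'SYN,ACK,FIN,RST' into a bitmask.
    'ALL' selects every flag and 'NONE' selects no flag, as in iptables."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        name = name.strip()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags: int, mask: str, comp: str, negate: bool = False) -> bool:
    """Apply '[!] --tcp-flags mask comp' to a packet whose flags are a bitmask.

    Only the bits named in `mask` are examined; of those, exactly the bits
    named in `comp` must be set and the rest must be clear. Flags outside
    `mask` are ignored entirely. A comp flag that is not in mask can never
    be satisfied, so such a rule never matches.
    """
    examined = parse_flag_list(mask)
    required = parse_flag_list(comp)
    matched = (packet_flags & examined) == required
    return not matched if negate else matched


def syn_match(packet_flags: int) -> bool:
    """'--syn' is shorthand for '--tcp-flags SYN,ACK,FIN,RST SYN'."""
    return tcp_flags_match(packet_flags, "SYN,ACK,FIN,RST", "SYN")


# Constructed sample packets: a TCP handshake, a data segment, and a SYN
# carrying URG (URG is outside the --syn mask, so it does not matter).
SAMPLE_PACKETS = {
    "client SYN": TCP_FLAGS["SYN"],
    "server SYN-ACK": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "client ACK": TCP_FLAGS["ACK"],
    "data PSH-ACK": TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
    "SYN with URG set": TCP_FLAGS["SYN"] | TCP_FLAGS["URG"],
}


def classify_samples() -> dict:
    """Report, per sample packet, whether '--syn' would match it."""
    return {name: syn_match(flags) for name, flags in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, is_new_connection in classify_samples().items():
        print(f"{name:18s} --syn matches: {is_new_connection}")
```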
Allow 192.168.0.0/24 to reach the service on port 22 of 192.168.0.103
[root@lib ~]# iptables -I INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 22 -j ACCEPT    -I means insert
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
127 9148 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
2221 175K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
10 600 ACCEPT icmp -- 192.168.0.101 192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp dpt:22
1391 152K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
[root@lib ~]#
ssh could no longer connect, so something was wrong. At first it looked as if the client's ssh connection was showing a port other than 22, a random port, but that is not the cause: the OUTPUT rule above should use --sport 22
Delete it and reconfigure
[root@lib ~]# iptables -D OUTPUT 1
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --sport 22 -j ACCEPT
At this point, running [root@lib ~]# iptables -F would flush the rules and leave only the default policy, i.e. policy DROP,
and ssh would no longer connect.
To remove that risk,
use the rules below instead; they are equivalent to a default policy of DROP but without the iptables -F risk just described
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT
Equivalent to a default DROP policy
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 18 packets, 2660 bytes)
num pkts bytes target prot opt in out source destination
1 619 52768 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
2 31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
3 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 215 39652 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
2 4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
3 30 2460 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
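The two mistakes discussed above (the OUTPUT rule written with --dport 22 instead of --sport 22, and a policy of DROP being turned into a lock-out by iptables -F) replayed in a small Python model of a filter chain; this is an added example, not code from the notes and not iptables itself, and it models only first-match evaluation over -s/-d/-p/--sport/--dport, the chain policy, and a flush, using the addresses from the notes.

```python
"""Tiny model of a filter-table chain, used to replay two situations from
the notes: an OUTPUT rule that wrongly uses --dport 22 for ssh replies, and
'policy DROP + whitelist' versus 'policy ACCEPT + whitelist + catch-all
REJECT' when the chain is flushed with -F.

Added example, not the notes' own code and not iptables: it models only
first-match evaluation, a chain policy, and a flush. Addresses and ports
are the ones used in the notes; the client's ephemeral port is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or REJECT
    src: str = "0.0.0.0/0"         # -s (omitted means all addresses)
    dst: str = "0.0.0.0/0"         # -d
    proto: str = "all"             # -p (omitted means all protocols)
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str                      # verdict when no rule matches (-P)
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # -A
        self.rules.append(rule)

    def flush(self) -> None:                # -F: rules go, the policy stays
        self.rules.clear()

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


HOST, CLIENT, LAN = "192.168.0.103", "192.168.0.101", "192.168.0.0/24"
# An ssh reply from sshd on this host: source port 22, destination port is
# whatever ephemeral port the client chose (51514 is a constructed value).
SSH_REPLY = Packet(src=HOST, dst=CLIENT, proto="tcp", sport=22, dport=51514)
SSH_SYN = Packet(src=CLIENT, dst=HOST, proto="tcp", sport=51514, dport=22)


def output_verdict(port_option: str) -> str:
    """OUTPUT-chain verdict on an ssh reply when the single ACCEPT rule uses
    --dport 22 (the mistake in the notes) or --sport 22 (the fix)."""
    chain = Chain(policy="DROP")
    if port_option == "dport":
        chain.append(Rule("ACCEPT", src=HOST, dst=LAN, proto="tcp", dport=22))
    else:
        chain.append(Rule("ACCEPT", src=HOST, dst=LAN, proto="tcp", sport=22))
    return chain.verdict(SSH_REPLY)


def input_verdict_after_flush(style: str) -> str:
    """Verdict on a new ssh connection before and after 'iptables -F INPUT'.
    'policy-drop': -P INPUT DROP plus an ACCEPT whitelist.
    'reject-tail': -P INPUT ACCEPT, the whitelist, then a catch-all REJECT."""
    whitelist = Rule("ACCEPT", src=LAN, dst=HOST, proto="tcp", dport=22)
    if style == "policy-drop":
        chain = Chain(policy="DROP", rules=[whitelist])
    else:
        chain = Chain(policy="ACCEPT", rules=[whitelist, Rule("REJECT", dst=HOST)])
    before = chain.verdict(SSH_SYN)
    chain.flush()
    after = chain.verdict(SSH_SYN)
    return f"{before}->{after}"


if __name__ == "__main__":
    print("OUTPUT with --dport 22:", output_verdict("dport"))   # DROP: reply never leaves
    print("OUTPUT with --sport 22:", output_verdict("sport"))   # ACCEPT
    print("policy DROP, then -F :", input_verdict_after_flush("policy-drop"))  # ACCEPT->DROP
    print("REJECT tail, then -F :", input_verdict_after_flush("reject-tail"))  # ACCEPT->ACCEPT
```

The trailing REJECT rule is also the only way to get "reject by default": -P accepts only built-in targets such as ACCEPT and DROP, not the REJECT extension target.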
Pinging itself works
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.027/0.031/0.035/0.004 ms
Going back to the earlier default policy
[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P OUTPUT DROP
[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 953 77040 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
2 31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 396 60380 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
2 4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
Pinging itself now fails; this is too strict
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@lib ~]#
Back to production mode
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]#
[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1902 148K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
955 132K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
0 0 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
Alternatively, the same can be done per network interface
[root@lib ~]# iptables -A INPUT -i ens33 -j REJECT
[root@lib ~]# iptables -A OUTPUT -o ens33 -j REJECT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2135 165K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
1 143 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1082 147K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
0 0 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
Now rule 3 can be deleted
[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2217 171K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
3 429 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1127 153K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
0 0 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.031/0.041/0.052/0.012 ms
[root@lib ~]#
Port reference: Samba uses udp 137,138 and tcp 139,445; DNS uses tcp 53 or udp 53.
udp
[!] --source-port, --sport port[:port]: match the packet's source port; may be a port range;
[!] --destination-port, --dport port[:port]: match the packet's destination port; may be a port range;
icmp
[!] --icmp-type {type[/code]|typename}
echo-request: 8
echo-reply: 0
[root@lib ~]# iptables -D INPUT 2
[root@lib ~]# iptables -D OUTPUT 2
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2453 187K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
38 5520 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1299 188K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
462 42904 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 192.168.0.101
PING 192.168.0.101 (192.168.0.101) 56(84) bytes of data.
From 192.168.0.103 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.0.103 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.0.101 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
[root@lib ~]#
Add a rule that lets the echo requests out:
[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3041 236K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
55 9273 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1715 235K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
0 0 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
486 50288 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
Try ping again: the requests now go out, but no reply is received, because no inbound rule accepts the replies yet
[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
[root@lamp ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:21:25.826655 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 81, length 64
20:21:25.826691 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 81, length 64
20:21:26.826886 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 82, length 64
20:21:26.826909 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 82, length 64
Add one more rule so the replies are accepted:
[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3412 266K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
240 27642 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1923 271K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
161 13524 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
679 79464 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.325 ms
^C
--- 192.168.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.325/0.425/0.526/0.102 ms
[root@lib ~]#
Success.
Other hosts still cannot ping this machine, because no rule has been configured for inbound echo requests:
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
[root@lamp ~]#
Configure those as well:
[root@lib ~]# iptables -I INPUT 3 -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 3 -s 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4417 349K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
2 168 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
264 30983 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2599 346K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
161 13524 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
2 168 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 0 code 0
712 89640 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.317 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.317/0.329/0.341/0.012 ms
[root@lamp ~]#
Configure rules for the Samba file share server
[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -p udp --dport 137:138 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -p udp --sport 137:138 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 356 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138
5246 420K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
2 168 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
857 119K REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 356 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 udp spts:137:138
3057 430K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
161 13524 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
2 168 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 0 code 0
1257 253K REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
After these rules, telnet still cannot connect (telnet speaks TCP, while the rules above open only udp 137/138), and smbclient also fails:
[root@lamp ~]# telnet 192.168.0.103 137
Trying 192.168.0.103...
^C
[root@lamp ~]# telnet 192.168.0.103 138
Trying 192.168.0.103...
^C
[root@lamp ~]#
[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Connection to 192.168.0.103 failed (Error NT_STATUS_IO_TIMEOUT)
[root@lamp ~]#
Ports 139 and 445 (tcp) must be opened as well.
Explicit extensions: the extension module must be loaded explicitly with [-m matchname [per-match-options]]; the -m option names the extension module whose matching mechanism is to be used;
1. multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with one of the following protocols: tcp, udp, udplite, dccp and sctp.
Defines a multi-port match condition as discrete ports and/or ranges, up to 15 ports;
[!] --source-ports,--sports port[,port|,port:port]...: specify multiple source ports;
[!] --destination-ports,--dports port[,port|,port:port]...: specify multiple destination ports;
# iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -j ACCEPT
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -p tcp -m multiport --dports 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -R OUTPUT 2 -s 192.168.0.103 -p tcp -m multiport --sport 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138
152 10960 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22,80,139,445
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
2 168 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
3609 557K REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
249 54072 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 udp spts:137:138
9 1480 ACCEPT tcp -- 192.168.0.103 0.0.0.0/0 multiport sports 22,80,139,445
1 84 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
2 168 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 0 code 0
2645 863K REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# smbclient -L 192.168.0.103
Enter SAMBA\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
HRDept Disk HR share file
IPC$ IPC IPC Service (Samba 4.8.3)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
SAMBA LIB
[root@lamp ~]#
2. iprange
Specifies a multi-address match condition as a contiguous address range;
[!] --src-range from[-to]
[!] --dst-range from[-to]
# iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
# iptables -I OUTPUT -s 172.16.0.7 -p tcp -m multiport --sports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
3. time
This matches if the packet arrival time/date is within a given range.
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --weekdays day[,day...]
[!] --monthdays day[,day...]
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--kerneltz: use the kernel's configured time zone instead of the default UTC;
4. string: checks whether the packet payload matches a given string
This module matches a given string by using some pattern matching strategy.
--algo {bm|kmp}: the matching algorithm
[!] --string pattern
[!] --hex-string pattern
--from offset
--to offset
~]# iptables -I OUTPUT -m string --algo bm --string "gay" -j REJECT
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'
5. connlimit: mitigates denial-of-service by limiting the number of concurrent connections per client
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
--connlimit-upto n
--connlimit-above n
Because the chain's final rule rejects, accept connections while the count is below the limit (--connlimit-upto):
~]# iptables -I INPUT -d 172.16.0.7 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
[root@lib ~]# systemctl start mariadb
[root@lib ~]#
[root@lib ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [(none)]> create user 'test'@'%' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> select user,host from mysql.user where user = 'test';
+------+------+
| user | host |
+------+------+
| test | % |
+------+------+
1 row in set (0.00 sec)
MariaDB [(none)]>
The connection fails:
[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.103' (110)
[root@lamp ~]#
Add firewall rules
[root@lib ~]# iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 3306 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 2 -d 192.168.0.0/24 -s 192.168.0.103 -p tcp --sport 3306 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
1 60 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:3306
0 0 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:3306
[root@lib ~]#
[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Modify the inbound 3306 rule (INPUT rule 2): when one client holds more than 2 connections, the extra ones are refused; connlimit counts connections per client by their completed TCP three-way handshakes
[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -s 192.168.0.0/24 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
0 0 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:3306 #conn src/32 <= 2
11 952 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:3306
[root@lib ~]#
6. limit: rate-limits by packet rate, using a token bucket
This module matches at a limited rate using a token bucket filter.
--limit rate[/second|/minute|/hour|/day]
--limit-burst number: how many tokens the bucket can hold (the burst size)
~]# iptables -I OUTPUT -s 172.16.0.7 -p icmp --icmp-type 0 -j ACCEPT
Limit the rate at which a local TCP service accepts new requests: --syn with -m limit
[root@lamp ~]# wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home%3A/matthewdva%3A/build%3A/EPEL%3A/el7/CentOS_7/x86_64/hping3-0.0.20051105-24.el7.x86_64.rpm
[root@lamp ~]# yum install hping3-0.0.20051105-24.el7.x86_64.rpm
[root@lamp ~]# rpm -ql hping3
/usr/sbin/hping
/usr/sbin/hping2
/usr/sbin/hping3
#iptables -I INPUT 6 -d 192.168.0.103 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
#iptables -I OUTPUT 6 -s 192.168.0.103 -p icmp --icmp-type 0 -j ACCEPT
Limiting the number of new web requests works the same way: rate-limit new requests to a local TCP service with --syn and -m limit
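To see what `--limit 20/minute --limit-burst 5` actually admits, here is a simplified token-bucket model of the limit match, added here as an example (it is not code from the page or from netfilter; the kernel implements the same idea with jiffy-based credits). The bucket starts full with 5 tokens and refills at one token every 3 seconds; a packet matches the rule only when a token is available, otherwise it falls through to the next rule (on this page, the REJECT). The arrival timestamps are constructed sample data.

```python
class TokenBucket:
    """Bucket starts full; refills continuously at `rate` tokens/s up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)   # --limit-burst: initial and maximum tokens
        self.last = 0.0

    def allow(self, now):
        # Refill proportional to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True                # rule matches (ACCEPT above)
        return False                   # no token: rule does not match


def parse_limit(spec):
    """Convert a --limit value such as '20/minute' to tokens per second.
    A bare number means per second, as in the iptables default."""
    units = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    count, _, unit = spec.partition("/")
    return int(count) / units[unit or "second"]


def simulate(arrivals, limit="20/minute", burst=5):
    """Return, for each arrival time in seconds, whether the limit rule matched."""
    bucket = TokenBucket(parse_limit(limit), burst)
    return [bucket.allow(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed burst: 10 echo requests in one second, then one 3 s later
    burst = [i / 10 for i in range(10)] + [4.0]
    print(simulate(burst))   # first 5 pass, next 5 fall through, the last one passes
```

With the page's numbers, a 10-packet flood gets exactly 5 packets through (the burst) and the remaining 5 hit the REJECT rule; after that, only one packet every 3 seconds is admitted.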
7. state
The "state" extension is a subset of the "conntrack" module. "state" allows access to the connection tracking state for this packet.
[!] --state state
INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED.
NEW: a new connection request;
ESTABLISHED: an already established connection;
INVALID: a connection that cannot be identified;
RELATED: a related connection; the current packet is a new request but belongs to an existing connection;
UNTRACKED: a connection that is not being tracked;
Connection tracking looks up the connection records kept in memory
state extension:
Kernel modules loaded automatically:
nf_conntrack
nf_conntrack_ipv4
Loaded manually when needed:
nf_conntrack_ftp
Tracked connections (enabling tracking is not recommended under heavy concurrent load):
/proc/net/nf_conntrack
[root@lib ~]# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.103 dst=192.168.0.101 sport=22 dport=56005 src=192.168.0.101 dst=192.168.0.103 sport=56005 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53484 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53484 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53483 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53483 [ASSURED] mark=0 zone=0 use=2
[root@lib ~]#
Adjust the maximum number of tracked connections:
/proc/sys/net/nf_conntrack_max
[root@lib ~]# cat /proc/sys/net/nf_conntrack_max
25432
[root@lib ~]#
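The conntrack table is also a useful view of what the host is actually talking to. Here is a small Python parser for /proc/net/nf_conntrack entries, added here as an example (not code from the page or from netfilter): each line carries the layer-3 and layer-4 protocol, the remaining timeout, a state word for tcp only, then the original-direction tuple followed by the reply-direction tuple. The helpers summarize entries per protocol and state, list which clients opened connections to a port, and warn when the table approaches nf_conntrack_max. The sample entries are constructed in the format shown above (the first three mirror the listing; the udp and icmp lines are added).

```python
import re
from collections import Counter

# Constructed sample in the /proc/net/nf_conntrack format shown above
SAMPLE = """\
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.103 dst=192.168.0.101 sport=22 dport=56005 src=192.168.0.101 dst=192.168.0.103 sport=56005 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53484 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53484 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53483 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53483 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp     17 29 src=192.168.0.103 dst=192.168.0.1 sport=40961 dport=53 [UNREPLIED] src=192.168.0.1 dst=192.168.0.103 sport=53 dport=40961 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.0.101 dst=192.168.0.103 type=8 code=0 id=6301 src=192.168.0.103 dst=192.168.0.101 type=0 code=0 id=6301 mark=0 zone=0 use=2
"""

TCP_STATES = {"NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
              "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE", "SYN_SENT2"}
DIR_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}  # per-direction keys
KV = re.compile(r"^(\w+)=(\S*)$")


def parse_entry(line):
    """Parse one conntrack line into protocol, timeout, state, both tuples and flags."""
    f = line.split()
    entry = {"l3": f[0], "proto": f[2], "timeout": int(f[4]), "state": None,
             "orig": {}, "reply": {}, "flags": set(), "meta": {}}
    rest = f[5:]
    if rest and rest[0] in TCP_STATES:      # only tcp prints a state word
        entry["state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("["):             # [ASSURED], [UNREPLIED]
            entry["flags"].add(tok.strip("[]"))
            continue
        m = KV.match(tok)
        if not m:
            continue
        k, v = m.groups()
        if k not in DIR_KEYS:
            entry["meta"][k] = v
        elif k in entry["orig"]:            # second occurrence = reply tuple
            entry["reply"][k] = v
        else:
            entry["orig"][k] = v
    return entry


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def summarize(entries):
    """Count entries per (protocol, state); udp and icmp carry no state word."""
    return dict(Counter((e["proto"], e["state"]) for e in entries))


def clients_of_port(entries, port):
    """Original-direction sources that opened a connection to `port`."""
    return sorted(e["orig"]["src"] for e in entries
                  if e["orig"].get("dport") == str(port))


def table_nearly_full(count, maximum, threshold=0.8):
    """True once the table holds `threshold` of nf_conntrack_max entries; when it
    is full the kernel drops new connections, which is what a flood looks like."""
    return count >= maximum * threshold
```

On a live host, replace SAMPLE with the contents of /proc/net/nf_conntrack and compare the count against /proc/sys/net/nf_conntrack_max (25432 on the page's machine); entries that never leave [UNREPLIED] are the ones eating table space without a reply.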
Timeouts (each protocol has its own timeout):
/proc/sys/net/netfilter/*timeout*
[root@lib ~]# cat /proc/sys/net/netfilter/*timeout*
15
600
30
10
60
432000
120
30
300
60
120
120
300
30
180
[root@lib ~]# ls -lt /proc/sys/net/netfilter/
total 0
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_acct
-r--r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_buckets
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_checksum
-r--r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_count
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_events
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_events_retry_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_expect_max
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_generic_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_helper
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_icmp_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_log_invalid
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_max
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_be_liberal
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_loose
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_max_retrans
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_close
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_close_wait
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_established
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_fin_wait
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_last_ack
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_max_retrans
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_syn_recv
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_syn_sent
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_time_wait
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_unacknowledged
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_timestamp
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_udp_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_udp_timeout_stream
dr-xr-xr-x 1 root root 0 Aug 4 21:53 nf_log
[root@lib ~]#
Flush all rules
[root@lib ~]# iptables -F
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#
-I inserts at position 1 by default; -A appends after the existing rules
Build the rule set
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -p tcp -m multiport --dports 22:23,80,139,445,3306 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -m state --state ESTABLISHED -j ACCEPT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -m state --state ESTABLISHED -j ACCEPT
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 1339 109K ACCEPT all -- 0.0.0.0/0 192.168.0.103 state ESTABLISHED
2 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,139,445,3306 state NEW
3 3 164 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,137,138,139,445,3306 state NEW
4 52 2992 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 773 116K ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 50 4472 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
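The INPUT chain above is evaluated top to bottom and the first matching rule decides, which is why the ESTABLISHED rule is inserted with -I at the top and the REJECT is appended last. To make that concrete, here is a small Python model of chain traversal, added here as an example (not code from the page or from iptables): it encodes the INPUT chain as listed, and goes beyond it by also modelling the non-terminating LOG target, a jump into a user-defined chain, and the RETURN behaviour when nothing in that chain matches. Packets, rule objects and addresses are constructed; the user chain name in_ping_rules and the client address 192.168.0.101 are assumed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"                # conntrack state as -m state sees it
    src: str = "0.0.0.0"
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    target: str                       # ACCEPT/DROP/REJECT/LOG/RETURN or a user chain
    proto: Optional[str] = None
    dports: set = field(default_factory=set)   # multiport-style port set
    states: set = field(default_factory=set)   # -m state --state ...
    src: Optional[str] = None
    icmp_type: Optional[int] = None

    def matches(self, p):
        # Every specified condition must hold; unspecified ones match anything
        return ((self.proto is None or p.proto == self.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.states or p.state in self.states)
                and (self.src is None or p.src == self.src)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def traverse(chains, name, packet):
    """Walk one chain top to bottom. Returns a verdict, or None when the packet
    falls off the end or hits RETURN (the caller then resumes after the jump)."""
    for rule in chains[name]:
        if not rule.matches(packet):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target == "LOG":                  # non-terminating: log and go on
            continue
        sub = traverse(chains, rule.target, packet)   # jump to a user-defined chain
        if sub is not None:
            return sub
    return None


def verdict(chains, packet, policy="ACCEPT", chain="INPUT"):
    """Verdict for a packet entering a built-in chain with the given policy."""
    return traverse(chains, chain, packet) or policy


def ports(*specs):
    """Expand multiport specs such as '22:23' and 80 into a set of ports."""
    out = set()
    for s in specs:
        lo, _, hi = str(s).partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


SERVICE_PORTS = ports("22:23", 80, 139, 445, 3306)

# INPUT as listed above, plus a LOG rule and an icmp jump to a user chain
CHAINS = {
    "INPUT": [
        Rule("ACCEPT", states={"ESTABLISHED"}),
        Rule("LOG", proto="tcp", dports={23}, states={"NEW"}),
        Rule("ACCEPT", proto="tcp", dports=SERVICE_PORTS, states={"NEW"}),
        Rule("in_ping_rules", proto="icmp"),
        Rule("REJECT"),
    ],
    "in_ping_rules": [
        Rule("REJECT", proto="icmp", src="192.168.0.101"),
        Rule("ACCEPT", proto="icmp", icmp_type=8),
    ],
}

# Same rules, but REJECT was added first with -A and the rest appended after it
MISORDERED = {"INPUT": [CHAINS["INPUT"][-1]] + CHAINS["INPUT"][:-1]}
```

The MISORDERED chain rejects everything, including SSH, even though every allow rule is present: rule order, not rule content, is what went wrong, and that is exactly the mistake -I versus -A makes easy.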
Outbound NTP time synchronization
[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p udp -m multiport --dports 123,323 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2146 181K ACCEPT all -- 0.0.0.0/0 192.168.0.103 state ESTABLISHED
2 2 120 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,139,445,3306 state NEW
3 3 164 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,137,138,139,445,3306 state NEW
4 52 2992 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1321 191K ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 50 4472 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p udp --dport 137:138 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 247 22635 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 6 312 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,139,445,3306 state NEW
4 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 167 30990 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
Samba, SSH, MySQL and httpd can all be reached now:
[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Enter SAMBA\smbuser4's password:
Try "help" to get a list of possible commands.
smb: \>
[root@lamp ~]# mysql -u test -h 192.168.0.103 -ptest
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Define rules for FTP
[root@lib ~]# systemctl start vsftpd
[root@lib ~]#
Load the module that tracks FTP
[root@lib ~]# modinfo nf_conntrack_ftp
filename: /lib/modules/3.10.0-514.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko
alias: nfct-helper-ftp
alias: ip_conntrack_ftp
description: ftp connection tracking helper
author: Rusty Russell <rusty@rustcorp.com.au>
license: GPL
rhelversion: 7.3
srcversion: D43BF56A22E3D137BA1227B
depends: nf_conntrack
intree: Y
vermagic: 3.10.0-514.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: D4:88:63:A7:C1:6F:CC:27:41:23:E6:29:8F:74:F0:57:AF:19:FC:54
sig_hashalgo: sha256
parm: ports:array of ushort
parm: loose:bool
[root@lib ~]# lsmod | grep nf_conntrack_ftp
[root@lib ~]# modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp 18638 0
nf_conntrack 111302 4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[root@lib ~]#
Rework the inbound rules to open port 21 and to accept the RELATED state
[root@lib ~]# iptables -R INPUT 3 -d 192.168.0.103 -p tcp -m multiport --dports 21:23,80,139,445,3306 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -R INPUT 1 -d 192.168.0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@lib ~]#
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 14 1008 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
4 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 182 34934 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
FTP access succeeds:
[root@lamp ~]# ftp 192.168.0.103
Connected to 192.168.0.103 (192.168.0.103).
220 (vsFTPd 3.0.2)
Name (192.168.0.103:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,103,146,162).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp>
[root@lamp ~]# yum install telnet-server --downloadonly --downloaddir=/tmp/
[root@lamp ~]# scp -p /tmp/telnet-server-0.17-64.el7.x86_64.rpm 192.168.0.103:/tmp/
root@192.168.0.103's password:
telnet-server-0.17-64.el7.x86_64.rpm 100% 41KB 40.8KB/s 00:00
[root@lamp ~]#
[root@lib vsftpd]# yum install /tmp/telnet-server-0.17-64.el7.x86_64.rpm
Start the telnet service
[root@lib vsftpd]# systemctl start telnet.socket
[root@lib vsftpd]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: active (listening) since Sun 2019-08-04 23:59:04 CST; 5s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
Aug 04 23:59:04 lib systemd[1]: Listening on Telnet Server Activation Socket.
Aug 04 23:59:04 lib systemd[1]: Starting Telnet Server Activation Socket.
[root@lib vsftpd]#
Add a logging rule for telnet
[root@lib vsftpd]# iptables -I INPUT 3 -d 192.168.0.103 -p tcp --dport 23 -m state --state NEW -j LOG
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 26 2000 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 191 37230 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# telnet 192.168.0.103
Trying 192.168.0.103...
Connected to 192.168.0.103.
Escape character is '^]'.
Kernel 3.10.0-514.el7.x86_64 on an x86_64
lib login: test12
Password:
Last login: Mon Aug 5 00:04:03 from lib
[test12@lib ~]$
[root@lib log]# tail -f messages
Aug 5 00:04:01 lib systemd: Started Session 1106 of user root.
Aug 5 00:04:01 lib systemd: Starting Session 1106 of user root.
Aug 5 00:04:03 lib systemd: Created slice user-1050.slice.
Aug 5 00:04:03 lib systemd: Starting user-1050.slice.
Aug 5 00:04:03 lib systemd-logind: New session 1107 of user test12.
Aug 5 00:04:03 lib systemd: Started Session 1107 of user test12.
Aug 5 00:04:03 lib systemd: Starting Session 1107 of user test12.
Aug 5 00:04:17 lib systemd-logind: Removed session 1107.
Aug 5 00:04:17 lib systemd: Removed slice user-1050.slice.
Aug 5 00:04:17 lib systemd: Stopping user-1050.slice.
Aug 5 00:04:31 lib kernel: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43583 DF PROTO=TCP SPT=51302 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 5 00:04:31 lib systemd: Started Telnet Server (192.168.0.102:51302).
Aug 5 00:04:31 lib systemd: Starting Telnet Server (192.168.0.102:51302)...
Aug 5 00:04:36 lib systemd: Created slice user-1050.slice.
Aug 5 00:04:36 lib systemd: Starting user-1050.slice.
Aug 5 00:04:36 lib systemd-logind: New session 1108 of user test12.
Aug 5 00:04:36 lib systemd: Started Session 1108 of user test12.
Aug 5 00:04:36 lib systemd: Starting Session 1108 of user test12.
[root@lib log]# iptables -R INPUT 3 -d 192.168.0.103 -p tcp --dport 23 -m state --state NEW -j LOG --log-prefix "access telnet"
[root@lib log]#
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37 2872 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 199 39934 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
The log entries now carry the prefix:
[root@lib log]# tail -f messages
Aug 5 00:09:10 lib kernel: access telnetIN=ens33 OUT= MAC=00:0c:29:b7:65:02:58:fb:84:0c:97:07:08:00 SRC=192.168.0.101 DST=192.168.0.103 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14262 DF PROTO=TCP SPT=60250 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 5 00:09:10 lib systemd: Started Telnet Server (192.168.0.101:60250).
Aug 5 00:09:10 lib systemd: Starting Telnet Server (192.168.0.101:60250)...
Aug 5 00:09:13 lib systemd: Created slice user-1050.slice.
Aug 5 00:09:13 lib systemd: Starting user-1050.slice.
Aug 5 00:09:13 lib systemd-logind: New session 1112 of user test12.
Aug 5 00:09:13 lib systemd: Started Session 1112 of user test12.
Aug 5 00:09:13 lib systemd: Starting Session 1112 of user test12.
Aug 5 00:10:01 lib systemd: Started Session 1113 of user root.
Aug 5 00:10:01 lib systemd: Starting Session 1113 of user root.
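Note how the kernel writes the prefix immediately followed by `IN=`, so the prefix "access telnet" on the page comes out as `access telnetIN=ens33`; ending the prefix with a space or ": " keeps the fields separated for whatever parses the log. Here is a Python parser for these netfilter LOG lines with a small detector on top, added here as an example (not code from the page or from netfilter): it tolerates the glued prefix, turns the KEY=value fields and the bare flag words (DF, SYN, ...) into a record, and counts logged new telnet connections per source so that a source exceeding a threshold can be flagged. The log lines are constructed in the format shown above, reusing the addresses and MACs from the page.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines in the format shown above.
# The first kernel line keeps the glued prefix ("access telnetIN=") exactly
# as the page shows it; the later ones use a prefix ending in ": ".
SAMPLE_LOG = """\
Aug  5 00:09:10 lib kernel: access telnetIN=ens33 OUT= MAC=00:0c:29:b7:65:02:58:fb:84:0c:97:07:08:00 SRC=192.168.0.101 DST=192.168.0.103 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14262 DF PROTO=TCP SPT=60250 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug  5 00:09:13 lib systemd-logind: New session 1112 of user test12.
Aug  5 00:11:02 lib kernel: access telnet: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43583 DF PROTO=TCP SPT=51302 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 00:11:03 lib kernel: access telnet: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43584 DF PROTO=TCP SPT=51304 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 00:11:03 lib kernel: access telnet: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43585 DF PROTO=TCP SPT=51306 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 00:11:09 lib systemd: Started Telnet Server (192.168.0.102:51306).
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$")
FIELD = re.compile(r"([A-Z]+)=(\S*)")
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line):
    """Return a dict for a netfilter LOG line, or None for any other syslog line."""
    m = SYSLOG.match(line)
    if not m or "IN=" not in m.group("body"):
        return None
    body = m.group("body")
    start = body.index("IN=")                 # IN= is the first field the kernel writes
    prefix = body[:start].strip()             # whatever --log-prefix put in front of it
    fields = dict(FIELD.findall(body[start:]))
    flags = {w for w in body[start:].split() if w in FLAG_WORDS}
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": prefix, "fields": fields, "flags": flags}


def new_connections_by_source(lines, dport=23):
    """Count logged TCP SYNs (new connections) to `dport` per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if f.get("PROTO") == "TCP" and f.get("DPT") == str(dport) and "SYN" in rec["flags"]:
            counts[f["SRC"]] += 1
    return dict(counts)


def noisy_sources(lines, dport=23, threshold=3):
    """Sources that opened `threshold` or more new connections to `dport`."""
    return sorted(s for s, n in new_connections_by_source(lines, dport).items()
                  if n >= threshold)
```

Run it over `tail -f /var/log/messages` output (or the whole file) and the per-source counts show who is opening telnet sessions; since the LOG rule only fires for NEW packets, every counted line is one connection attempt, not one packet.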
Actions (jump targets):
-j targetname [per-target-options]
Simple targets:
ACCEPT, DROP
Extended targets:
REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal.
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, or icmp-admin-prohibited (*), which return the appropriate ICMP error message (icmp-port-unreachable is the default).
LOG
Turn on kernel logging of matching packets.
--log-level
--log-prefix
By default the log entries are written to /var/log/messages
RETURN:
Return to the calling chain;
A user-defined chain as the target:
[root@lib ~]# iptables -N in_ping_rules
[root@lib ~]# iptables -A in_ping_rules -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I in_ping_rules -d 192.168.0.103 -s 192.168.0.101 -p icmp -j REJECT
[root@lib ~]# iptables --line-numbers -vnL
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 69 5272 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 222 45494 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 96 8256 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
Chain in_ping_rules (0 references) <- not in effect yet: a user-defined chain only sees packets once a rule in a built-in chain jumps to it
num pkts bytes target prot opt in out source destination
1 0 0 REJECT icmp -- 192.168.0.101 192.168.0.103 reject-with icmp-port-unreachable
2 0 0 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
[root@lib ~]#
[root@lib ~]# iptables -I INPUT 5 -d 192.168.0.103 -p icmp -j in_ping_rules
[root@lib ~]# iptables --line-numbers -vnL
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 84 6368 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 in_ping_rules icmp -- 0.0.0.0/0 192.168.0.103
6 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 232 48662 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED <- the catch-all for replies: whatever was allowed in can answer back out
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 96 8256 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
Chain in_ping_rules (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT icmp -- 192.168.0.101 192.168.0.103 reject-with icmp-port-unreachable
2 0 0 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
[root@lib ~]#
Ping now succeeds (the echo request enters INPUT, rule 5 hands it to in_ping_rules, and the --icmp-type 8 rule accepts it). Run iptables -vnL again afterwards to confirm which rule in in_ping_rules the requests matched:
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.604 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.834 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.604/0.719/0.834/0.115 ms
[root@lamp ~]#
[root@lib ~]# iptables -X in_ping_rules
iptables: Too many links.
[root@lib ~]#
The chain is still referenced by INPUT rule 5, so it cannot be deleted. -X only removes a chain that is empty and unreferenced: delete the jump rule first (iptables -D INPUT 5), flush the chain (iptables -F in_ping_rules), then iptables -X in_ping_rules.
Saving and loading rules:
Save: iptables-save > /PATH/TO/SOME_RULE_FILE
Load: iptables-restore < /PATH/FROM/SOME_RULE_FILE
-n, --noflush: do not flush the existing rules first (by default every table in the file replaces the table currently loaded)
-t, --test: only parse and build the rule set, do not commit it (use it to validate a file before loading it on a remote host)
CentOS 6:
Save rules:
service iptables save
Writes the rules to /etc/sysconfig/iptables, overwriting the file;
Reload rules:
service iptables restart
Loads the rules from /etc/sysconfig/iptables by default
Configuration file: /etc/sysconfig/iptables-config
CentOS 7 (no iptables init script by default; firewalld is the standard front end):
(1) a custom unit file that runs iptables-restore at boot;
(2) the firewalld service;
(3) a custom script;
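Option (1) above, as an added example that is not part of the original notes: a small systemd unit for CentOS 7 that validates and then loads an iptables-save dump at boot. The rules file path /etc/sysconfig/iptables and the unit location /etc/systemd/system are assumptions (both are parameters); the unit name iptables-restore.service is made up here.

```shell
#!/bin/sh
# Added example (not from the original notes): persist an iptables-save dump on
# CentOS 7 with a systemd unit that runs iptables-restore early at boot.
# Assumptions: rules were saved with 'iptables-save > /etc/sysconfig/iptables',
# firewalld is disabled (it would fight over the same tables), and the binaries
# live in /usr/sbin as on CentOS 7.

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Write the unit into directory $1 (defaults to /etc/systemd/system) and print
# its path. ExecStartPre runs 'iptables-restore --test' first, so a syntax error
# in the saved file fails the unit instead of leaving a half-loaded rule set.
# DefaultDependencies=no + Before=network-pre.target put the rules in place
# before the network is configured and before any service accepts traffic.
write_restore_unit() {
    dir="${1:-/etc/systemd/system}"
    unit="$dir/iptables-restore.service"
    cat > "$unit" <<EOF
[Unit]
Description=Restore iptables rules from $RULES_FILE
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
ConditionPathExists=$RULES_FILE

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/sbin/iptables-restore --test $RULES_FILE
ExecStart=/usr/sbin/iptables-restore $RULES_FILE
ExecReload=/usr/sbin/iptables-restore $RULES_FILE

[Install]
WantedBy=multi-user.target
EOF
    echo "$unit"
}
```

Install with `write_restore_unit && systemctl daemon-reload && systemctl mask firewalld && systemctl enable --now iptables-restore.service`; after every change run `iptables-save > /etc/sysconfig/iptables` again, since only the saved file survives a reboot. (CentOS 7 also ships the optional iptables-services package, whose iptables.service does the same job with the CentOS 6 file layout.)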
Rule optimization:
Use custom chains to hold the rules of each application, so the rule set is managed in modules;
(1) Accept packets in state ESTABLISHED (both directions) first: they are the bulk of the traffic and need no further checking;
(2) Among rules serving different functions, put the ones most likely to match in front;
(3) Among rules serving the same function, put the ones with the stricter conditions in front;
(4) Default policy: whitelist
(a) iptables -P DROP is not recommended: iptables -F removes the rules but keeps the policy, which locks a remote administrator out;
(b) Recommended: make the default the last rule of the chain (e.g. iptables -A INPUT -j REJECT), which also gives it a visible counter;
Stop the web server (port 80) from opening outbound connections of its own: outbound packets must not be in state NEW, only ESTABLISHED, to prevent ***
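The custom-chain session above and the optimization list, brought together as one host rule set in iptables-restore format. This is an added example, not code from the original notes: the host address 192.168.0.103 follows the notes, the admin network 192.168.0.0/24, the chain names, the rate and connection limits, and the choice of which outbound UDP ports (DNS, NTP) the server may open are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): a host firewall built as one
# iptables-restore file so it loads atomically and can be versioned. It follows
# the ordering rules above: established traffic first, per-service custom
# chains, stricter rule before looser rule inside a chain, a final REJECT
# instead of '-P DROP', and an OUTPUT chain that never lets the host open new
# connections except DNS/NTP. Assumptions: the host is 192.168.0.103, the admin
# network is 192.168.0.0/24, the web server listens on 80/tcp.

HOST_IP="${HOST_IP:-192.168.0.103}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# Print the rule set on stdout. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the file.
host_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:in_ssh_rules - [0:0]
:in_web_rules - [0:0]
:in_ping_rules - [0:0]
# (1) replies first: the bulk of the packets, no further checks needed
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# (2) dispatch NEW connections to per-service chains, busiest service first
-A INPUT -d $HOST_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j in_web_rules
-A INPUT -d $HOST_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j in_ssh_rules
-A INPUT -d $HOST_IP -p icmp -j in_ping_rules
# (4b) the default as the last rule, rate-limited LOG in front of it so the
# reject is visible in /var/log/messages without flooding it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-REJECT: " --log-level 4
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# (3) inside a service chain the stricter rule comes first
-A in_ssh_rules -s $ADMIN_NET -j ACCEPT
-A in_ssh_rules -j REJECT --reject-with icmp-host-prohibited
-A in_web_rules -p tcp -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A in_web_rules -j ACCEPT
-A in_ping_rules -p icmp --icmp-type 8 -m limit --limit 10/s -j ACCEPT
# RETURN sends everything else back to INPUT, where the LOG+REJECT pair catches it
-A in_ping_rules -j RETURN
# OUTPUT: the server may answer, but must not initiate connections of its own
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-NEW-REJECT: " --log-level 4
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Count the rules that jump to chain $1: the same condition 'iptables -X'
# checks before refusing with "Too many links".
chain_references() {
    host_ruleset | grep -c -- "-j $1\$"
}
```

Validate and load with `host_ruleset > /etc/sysconfig/iptables && iptables-restore --test < /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables`; the whole filter table is replaced in one step, so there is no window with half the rules present.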
iptables/netfilter:
netfilter tables: raw (connection-tracking exemptions via NOTRACK), mangle (packet modification), nat (address translation), filter (packet filtering)
PREROUTING --> INPUT
PREROUTING --> FORWARD --> POSTROUTING
OUTPUT --> POSTROUTING
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
iptables:
[-t table] COMMAND [chain] rule-specification
-m matchname [per-match-options]
-j targetname [per-target-options]
[options]
Match conditions:
Basic matches: -s, -d, -p, -i, -o
Extended matches:
Implicit extensions (selected by -p, no -m needed):
-p tcp: --dport, --sport, --tcp-flags, --syn
-p udp: --dport, --sport
-p icmp: --icmp-type
Explicit extensions (loaded with -m):
multiport: --sports, --dports
iprange: --src-range, --dst-range
time: --timestart, --timestop, --weekdays, --monthdays, --datestart, --datestop
string: --algo {bm|kmp}, --string
connlimit: --connlimit-upto, --connlimit-above
limit: --limit, --limit-burst
state: --state
NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
Targets:
-j:
ACCEPT/DROP
REJECT: --reject-with
LOG: --log-level, --log-prefix
user-defined chain
RETURN
iptables-save/iptables-restore
iptables (3)
iptables/netfilter as a network firewall:
(1) the host is a gateway;
(2) the rules go in the FORWARD chain of the filter table;
Points to watch:
(1) Both the request and the response traverse FORWARD, so rules have a direction: the reply to a rule permitting -s LAN -p tcp --dport 80 has -d LAN -p tcp --sport 80;
(2) With conntrack enabled, accept packets in state ESTABLISHED in both directions directly, so that only the opening packet of each connection needs a rule;
Hiding internal addresses: when an internal host reaches an external server, the source IP is rewritten to the external IP of the gateway
NAT: Network Address Translation
Request packets: the translation is defined by the administrator;
Response packets: the reverse translation is done automatically by the conntrack entry that NAT created for the request;
Request packets:
Rewrite the source address: SNAT, MASQUERADE
Rewrite the destination address: DNAT
iptables/netfilter:
NAT rules live in the nat table;
PREROUTING, INPUT, OUTPUT, POSTROUTING
SNAT: POSTROUTING, rewrites the source IP (after the routing decision)
DNAT: PREROUTING, rewrites the destination IP (before the routing decision, so routing and the FORWARD chain already see the translated address)
PAT: port translation; SNAT/MASQUERADE rewrite the source port when many internal hosts share one address, DNAT can change the destination port with --to-destination ip:port
On a cloud server with a public IP, watch the number of conntrack entries: every translated flow needs one, and when the table is full (nf_conntrack_max) the kernel drops new connections and logs "nf_conntrack: table full, dropping packet"
target:
SNAT:
This target is only valid in the nat table, in the POSTROUTING and INPUT chains, and user-defined chains which are only called from those chains.
--to-source [ipaddr[-ipaddr]]
DNAT:
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
--to-destination [ipaddr[-ipaddr]][:port[-port]]
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.
Used in the SNAT scenario, in POSTROUTING rules, when the external address is not fixed (DHCP, PPPoE): the current address of the outgoing interface is used instead of a --to-source value;
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
--to-ports port[-port]
layer7 (l7-filter, an out-of-tree application-layer match; not part of stock iptables)
Lab topology:
Host A: 192.168.10.2 Server C: 172.16.0.67
Host B acts as the router: NIC1 192.168.10.254, NIC2 172.16.0.6; enable IPv4 forwarding on it (sysctl -w net.ipv4.ip_forward=1)
Add a route on server C back to the internal network (needed only as long as there is no SNAT)
#route add -net 192.168.10.0/24 gw 172.16.0.6
Add the firewall rules on host B
#iptables -A FORWARD -j REJECT
Request packets going out
#iptables -I FORWARD -s 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT
Response packets coming back
#iptables -I FORWARD -d 192.168.10.0/24 -p tcp --sport 80 -j ACCEPT
####################
Using connection state: internal hosts may reach any external service, the outside cannot reach in
#iptables -D FORWARD 1
#iptables -D FORWARD 1
#iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
#iptables -I FORWARD 2 -s 192.168.10.0/24 -m state --state NEW -j ACCEPT
####################
Publish one internal service to the outside
#iptables -I FORWARD 3 -d 192.168.10.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT
Publish several services to the outside (replace rule 3)
#iptables -R FORWARD 3 -d 192.168.10.2 -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT
#iptables -I FORWARD 4 -d 192.168.10.2 -p udp --dport 137:138 -m state --state NEW -j ACCEPT
FTP needs the connection-tracking helper so that the data connection is classified as RELATED to the control connection:
#modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
[root@lib ~]#
[root@lib ~]# modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp 18638 0
nf_conntrack 111302 1 nf_conntrack_ftp
[root@lib ~]#
A module loaded by hand is gone after a reboot. On CentOS 6 list it in /etc/sysconfig/iptables-config, whose default is
IPTABLES_MODULES=""
and becomes IPTABLES_MODULES="nf_conntrack_ftp"; on CentOS 7 put the module name in a file under /etc/modules-load.d/ instead.
Allow the FTP data connections
#iptables -I FORWARD 5 -d 192.168.10.2 -p tcp -m state --state RELATED -j ACCEPT
#NAT
#iptables -F FORWARD
Internal hosts reach external services with the internal IP hidden: SNAT
#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.0.6
(the route added on server C earlier is no longer needed: it now sees 172.16.0.6 as the source)
DNAT
The outside reaches an internal service
#iptables -t nat -F
#iptables -t nat -A PREROUTING -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2
PAT, also done with DNAT
The outside connects to port 80, the internal server actually listens on 8080
#iptables -t nat -R PREROUTING 1 -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:8080
Filtering a DNAT'd flow in FORWARD has to use the translated destination and port, because FORWARD runs after PREROUTING:
#iptables -A FORWARD -s 172.16.0.200 -p tcp --dport 8080 -d 192.168.10.2 -j REJECT
Local port redirection (on the server itself: clients connect to 80, the service listens on 8080)
#iptables -A PREROUTING -t nat -d 192.168.10.2 -p tcp --dport 80 -j REDIRECT --to-ports 8080
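The whole gateway configuration for host B above (FORWARD policy, SNAT, DNAT with port translation, FTP helper), and the NAT section before it, as one iptables-restore file. This is an added example, not code from the original notes. Addresses follow the lab (192.168.10.0/24 behind 192.168.10.254, external address 172.16.0.6, web server 192.168.10.2 on 8080); the interface names eth0 (external) and eth1 (internal) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): the gateway rule set for host B
# as a single iptables-restore file, so the nat table and the FORWARD policy are
# loaded atomically instead of rule by rule. Assumptions: LAN 192.168.10.0/24
# on eth1, external address 172.16.0.6 on eth0, the published web server is
# 192.168.10.2 and really listens on 8080.

LAN_NET="${LAN_NET:-192.168.10.0/24}"
WAN_IP="${WAN_IP:-172.16.0.6}"
WEB_SRV="${WEB_SRV:-192.168.10.2}"
WEB_PORT="${WEB_PORT:-8080}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT in PREROUTING (before the routing decision): outside clients connect to
# $WAN_IP:80, the packet is rewritten to $WEB_SRV:$WEB_PORT. Replies are
# un-translated by conntrack, no rule is needed for them.
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:$WEB_PORT
# SNAT in POSTROUTING (after routing): hide the LAN behind the static external
# address. With a dynamic external address use '-j MASQUERADE' instead.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Both directions of every connection pass FORWARD; let conntrack accept the
# reply direction (RELATED also covers FTP data connections once the helper is
# loaded) so the remaining rules only say who may open what.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# inside -> outside: anything may be opened
-A FORWARD -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# outside -> inside: FORWARD sees the packet AFTER DNAT, so the rule must name
# the real server and the real port, not the public port 80
-A FORWARD -i $WAN_IF -d $WEB_SRV -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
# everything else trying to open a connection
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Apply on the router: enable forwarding, load the FTP helper, validate the
# file, then load it. Needs root; not run by the checks below.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1
    modprobe nf_conntrack_ftp
    gateway_ruleset | iptables-restore --test || return 1
    gateway_ruleset | iptables-restore
}

# Which FORWARD rule does an outside client of the published service have to
# match? Print it, to make the post-DNAT port visible.
forward_rule_for_published_service() {
    gateway_ruleset | grep -- "^-A FORWARD .*-d $WEB_SRV -p tcp --dport $WEB_PORT "
}
```

Run `apply_gateway` on host B. One caveat that does not show in the notes: CentOS 7's 3.10 kernel attaches the FTP helper to port 21 automatically, but kernels from 4.7 on ship with nf_conntrack_helper=0 and need an explicit `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, otherwise the data connection never becomes RELATED and is rejected by the last FORWARD rule.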
tcp_wrappers:
Library: libwrap.so, the TCP wrapper;
How to tell whether a service program can be access-controlled by tcp_wrappers:
(1) it is dynamically linked against libwrap.so:
ldd /PATH/TO/PROGRAM | grep libwrap.so
(2) libwrap was compiled into the program statically:
strings /PATH/TO/PROGRAM | grep hosts_access
Configuration files: /etc/hosts.allow, /etc/hosts.deny
See 'man 5 hosts_options' and 'man 5 hosts_access' for information on rule syntax.
Evaluation order: hosts.allow is searched first and a match grants access; otherwise hosts.deny is searched and a match denies; otherwise access is granted. The files are read on every connection, so changes take effect immediately.
Syntax:
daemon_list : client_list [ : option : option ... ]
daemon_list: list of program file names
(1) a single program file name;
(2) a comma-separated list of program file names;
(3) ALL: every program under tcp_wrappers control;
client_list:
(1) a single IP address or host name;
(2) a network: n.n.n.n/m.m.m.m, or a prefix ending in a dot such as n.n.n.;
(3) built-in ACL keywords:
ALL: every client host;
LOCAL: Matches any host whose name does not contain a dot character.
UNKNOWN: a host whose name or address cannot be resolved
KNOWN: a host whose name and address both resolve
PARANOID: a host whose name does not match its address (forward and reverse lookup disagree)
OPERATORS:
EXCEPT
list1 EXCEPT list2 EXCEPT list3 (nested EXCEPT parses as list1 EXCEPT (list2 EXCEPT list3))
sshd: 172.16. EXCEPT 172.16.100. EXCEPT 172.16.100.68
This line admits 172.16.0.0/16, refuses 172.16.100.0/24, but lets 172.16.100.68 through again, because the host matches list3 and so is not matched by (list2 EXCEPT list3).
[ : option : option ... ]
deny: refuse; used mainly to write "deny" rules inside hosts.allow;
allow: permit; used mainly to write "allow" rules inside hosts.deny;
spawn: run an arbitrary command chosen by the administrator, usually to write a log entry (%c expands to the client information, %s to the server information, %d to the daemon name):
vsftpd: 172.16. : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log
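The two checks from this section and a deny-by-default hosts.allow/hosts.deny pair, as an added example that is not part of the original notes. The sshd and vsftpd lines are the ones from the notes; the log path /var/log/tcp_wrapper.log and the target directory are parameters, and the %d deny entry is an addition.

```shell
#!/bin/sh
# Added example (not from the original notes): (1) find out whether a binary is
# under tcp_wrappers control at all, (2) write a whitelist policy for it.
# Assumptions: 'ldd' is available for the dynamic check; for the static check
# the binary is searched for the hosts_access symbol, which is what
# 'strings ... | grep hosts_access' does without needing binutils.

# Print "dynamic" if the program links libwrap.so, "static" if libwrap was
# compiled in, and "none" if tcp_wrappers cannot control it and only the packet
# filter can. The ldd check comes first because a dynamically linked binary
# also carries the hosts_access name in its symbol table.
wrap_check() {
    prog="$1"
    if command -v ldd >/dev/null 2>&1 && ldd "$prog" 2>/dev/null | grep -q 'libwrap\.so'; then
        echo dynamic
    elif grep -a -q 'hosts_access' "$prog" 2>/dev/null; then
        echo static
    else
        echo none
    fi
}

# Write a deny-by-default pair into directory $1 (use /etc for real).
# hosts.allow wins on first match, then hosts.deny, then access is granted, so
# "ALL: ALL" in hosts.deny turns every wrapped daemon into a whitelist. The
# quoted heredoc keeps $(date) literal: the spawn command is run by the
# wrapper through /bin/sh at connection time, which expands it then.
write_wrapper_policy() {
    dir="$1"
    cat > "$dir/hosts.allow" <<'EOF'
# sshd: all of 172.16., minus 172.16.100., but 172.16.100.68 is allowed again
# (nested EXCEPT parses as a EXCEPT (b EXCEPT c))
sshd: 172.16. EXCEPT 172.16.100. EXCEPT 172.16.100.68
# vsftpd: allow 172.16. and record who came; %c = client, %s = server@daemon
vsftpd: 172.16. : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log
EOF
    cat > "$dir/hosts.deny" <<'EOF'
# everything not explicitly allowed above; %d = daemon name
ALL: ALL : spawn /bin/echo $(date) denied %d from %c >> /var/log/tcp_wrapper.log
EOF
}
```

Check a rule set without waiting for a real client: `tcpdmatch sshd 172.16.100.68` (from the tcp_wrappers package) reports which line matches and whether access is granted. Remember that hosts.allow/hosts.deny only protect daemons for which wrap_check reports dynamic or static; anything else still needs an iptables rule.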