10.14 iptables语法
linux防火墙-netfilter
- 查看iptables规则:iptables -nvL
- iptables -F 清空规则
- service iptables save 保存规则
- iptables -t nat 参数-t 指定表
- iptables -Z 可以把计数器清零
- iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
- iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP
- iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
- iptables -nvL --line-numbers
- iptables -D INPUT 1
- iptables -P INPUT DROP
iptables命令
- iptables -nvL 查看iptables默认规则
[root@hf-01 ~]# iptables -nvL //查看iptables规则
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
357 28956 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 184 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
18 1404 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 251 packets, 57368 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# - service iptables restart 重启iptables规则
[root@hf-01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@hf-01 ~]#- 存放默认规则的位置
- /etc/sysconfig/iptables
[root@hf-01 ~]# cat /etc/sysconfig/iptables //存放默认规则的位置
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@hf-01 ~]# iptables -F清空规则
- iptables -F清空规则
- 在清空规则后,再去查看,会发现没有规则了(但是在文件中依旧保存这规则)
[root@hf-01 ~]# iptables -F
[root@hf-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 576 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 636 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# - service iptables save 保存规则
- 若是在清空规则后,去执行service iptables save保存规则,那存放规则的文件也会变成所保存的规则
- 在iptables -F清空规则后,重启service restart iptables.service(重启服务器或者iptables规则),都会加载配置文件里面的规则
- 在重启规则后,会看到原先被清空的规则重新加载了
[root@hf-01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@hf-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 872 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 2048 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# - iptables -t nat -nvL 查看nat表中的规则
- 在不指定表的时候,默认就是 filter 表
iptables -Z 把计数器清零
- iptables -Z 把计数器清零
- 在查看filter表的时候,会看到第一列和第二列都是有数据的
- 第一列,是有多少个包
- 第二列,是数据量,数据大小(单位:bytes字节)
- 在查看filter表的时候,会看到第一列和第二列都是有数据的
[root@hf-01 ~]# iptables -Z; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# - 这里会看到数字都清零了,但过一会再来查看,会看到数字又出现了(因为在每时每刻都在通信)
[root@hf-01 ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
52 3592 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 28 packets, 5152 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# iptables新增规则 -A
- 在iptables命令中,没有-t 指定表的时候,默认就是filter表
- iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
- -A,就是增加一条规则(这里针对的是INPUT链)
- 新增的规则会在规则的最后面
- -s ,指定来源IP
- -p,指定它的协议,是TCP,还是UDP,或者是ICMP协议
- -sport,来源的端口
- -d,指目标的IP
- -dport,指目标的端口
- -j,操作
- DROP,扔掉
- REJECT,拒绝
- -A,就是增加一条规则(这里针对的是INPUT链)
- DROP扔掉和REJECT拒绝,最终实现的效果是一样的,都是为了让数据包过不来,相当于把IP给封掉
- DROP和REJECT区别:
- DROP,在这个数据包来了之后,看都不看直接扔掉
- REJECT,在这个数据包来了之后,先看一看,看完之后,在拒绝
[root@hf-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP //新增规则
[root@hf-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
97 7172 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
27 2106 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 22 packets, 3768 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# iptables命令 参数 -I
- iptables -I INPUT -p tcp --dport 80 -j DROP
- 这里是简写,不指定来源IP,和目标IP,只写目标的端口——>但一定要指定tcp/ip
- 若是使用了 dport 或 sport ,那么前面必须 -p 指定它的协议
[root@hf-01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@hf-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
238 18252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
27 2106 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 2288 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# - -I和-A的区别:
- -I,表示插入
- -A,表示增加
- 若是规则添加到前面,则是优先过滤最前面的规则,然后再去往下一条条的执行
- 若是数据包匹配了第一条规则(同时满足两条规则),就会先匹配第一条规则。一旦匹配了第一条规则,那么数据包就会被抓取掉了,就不会再往下执行规则了
- 一旦匹配规则,立即执行
iptables命令参数-d 删除规则
- iptables -D INPUT -s 1.1.1.1 -j DROP 删除规则
[root@hf-01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP //删除规则
[root@hf-01 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP //删除规则
[root@hf-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
401 33844 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
27 2106 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 592 bytes)
pkts bytes target prot opt in out source destination
[root@hf-01 ~]# 根据编号删除规则
- 删除规则的另一种方法
- iptables -nvL --line-numbers 打印出规则的序列号
- 第一列就是number
[root@hf-01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 605 53404 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 27 2106 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 47 packets, 7652 bytes)
num pkts bytes target prot opt in out source destination
[root@hf-01 ~]# iptables -D INPUT 7 //删除序列7的规则
[root@hf-01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 662 57360 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 27 2106 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
num pkts bytes target prot opt in out source destination
[root@hf-01 ~]# iptables命令 参数 -P
- iptables -P OUTPUT DROP 默认的规则
- 链中,有一个默认的策略policy,policy ACCEPT表示这个链不加这些规则的话,那OUTPUT没有任何的规则,所以对于OUTPUT链的数据包来讲,policy ACCEPT就是由默认的策略来决定的
- 默认的策略是由ACCEPT来决定,所有的数据包只要是没有具体的规则来匹配,那么它就走默认的策略
- 链中,有一个默认的策略policy,policy ACCEPT表示这个链不加这些规则的话,那OUTPUT没有任何的规则,所以对于OUTPUT链的数据包来讲,policy ACCEPT就是由默认的策略来决定的
- 默认的规则最好不要去改变!!!
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录