                   Incoming Traffic
                          |
                          V
                    +----------+
                    |PREROUTING|
                    +----------+
                    |   raw    | <--------------+
                    |  mangle  |                |
                    |   nat    |                |
                    +----------+                |
                          |                     |
                          |                     |
                       Routing                  |
                  +-  Decision  -+              |
                  |              |              |
                  |              |              |
                  V              V              |
                Local          Remote           |
             Destination    Destination         |
                  |              |              |
                  |              |              |
                  V              V              |
             +--------+     +---------+         |
             |  INPUT |     | FORWARD |         |
             +--------+     +---------+         |
             | mangle |     | mangle  |         |
             | filter |     | filter  |         |
             +--------+     +---------+         |
                  |              |              |
                  |              |              |
                  V              |              |
                Local            |              |
               Machine           |              |
                  |              |              |
                  |              |              |
                  V              |              |
               Routing           |              |
               Decision          |              |
                  |              |              |
                  |              |              |
                  V              |              |
             +--------+          |              |
             | OUTPUT |          |              |
             +--------+          |              |
             |  raw   |          |              |
             | mangle |          |              |
             |  nat   |          |              |
             | filter |          |              |
             +--------+          |              |
                  |              |              |
                  |              |              |
                  |    +-------------+          |
                  |    |             |          |
                  |    | POSTROUTING |  Local   |
                  +--->+-------------+--> Traffic +
                       |   mangle    |
                       |     nat     |
                       +-------------+
                              |
                              V
                       Outgoing Traffic
Redhat / CentOS
You can check whether iptables is installed on your system with:
[root@database ~]# rpm -q iptables
iptables-1.3.5-5.3.el5_4.1
To see whether iptables is actually running, check that the iptables kernel modules are loaded and use the -L switch to inspect the currently loaded rules (without -v, interface matches and packet counters are not shown, so rules that look identical in the listing may still differ by interface):
[root@database ~]# lsmod | grep ip_tables
ip_tables              55201  2 iptable_nat,iptable_filter
x_tables               50505  6 ipt_MASQUERADE,iptable_nat,xt_state,ipt_REJECT,xt_tcpudp,ip_tables
[root@database ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If iptables is not running, you can enable it by running:
# system-config-securitylevel
列出规则链
# List the INPUT, OUTPUT and FORWARD chains of the default (filter) table
iptables --list
# List the NAT table
iptables --table nat --list
# List the filter table, naming it explicitly
iptables --table filter --list
刷新规则
# Flush every rule and reset every built-in chain policy to ACCEPT.
# After this runs the host accepts all traffic until new rules are loaded.
# --flush does not remove user-defined chains.
/sbin/iptables --flush
/sbin/iptables --flush --table filter
/sbin/iptables --flush --table nat
for chain in PREROUTING POSTROUTING OUTPUT; do
  /sbin/iptables --table nat --policy "$chain" ACCEPT
done
for chain in INPUT OUTPUT FORWARD; do
  /sbin/iptables --policy "$chain" ACCEPT
done
# Accept inbound TCP to port 22 (SSH) from any source
iptables --append INPUT --protocol tcp --dport 22 --jump ACCEPT
# Accept inbound TCP to port 22 (SSH) from the private LAN only.
# The rule above already matches everything this one matches, so this
# rule only takes effect if the first one is removed.
iptables --append INPUT --protocol tcp --source 192.168.0.0/24 --dport 22 --jump ACCEPT
# FTP control (21) and active-mode data (20) connections
for port in 21 20; do
  /sbin/iptables --append INPUT --protocol tcp --dport "$port" --jump ACCEPT
done
# DNS on eth0: both UDP and TCP on port 53
for proto in tcp udp; do
  iptables --append INPUT --in-interface eth0 --protocol "$proto" --dport 53 --jump ACCEPT
done
# Web services: WWW (80), HTTPS (443) and Tomcat (8080)
for port in 80 443 8080; do
  /sbin/iptables --append INPUT --protocol tcp --dport "$port" --jump ACCEPT
done
# Mail services, in the order SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS
for port in 25 465 110 995 143 993; do
  /sbin/iptables --append INPUT --protocol tcp --dport "$port" --jump ACCEPT
done
# DHCP on eth0: server port 67 and client port 68, UDP
for port in 67 68; do
  iptables --append INPUT --protocol udp --in-interface eth0 --destination-port "$port" --jump ACCEPT
done
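# NetBIOS/SMB from the private LAN only. Protocols follow the services:
# udp/137 name service, udp/138 datagram service, tcp/139 session service
# and tcp/445 SMB over TCP (port 145 is not an SMB port). Confirm this set
# matches the intended file-sharing setup before deploying it.
/sbin/iptables --append INPUT --protocol udp --source 192.168.0.0/24 --dport 137 --jump ACCEPT
/sbin/iptables --append INPUT --protocol udp --source 192.168.0.0/24 --dport 138 --jump ACCEPT
/sbin/iptables --append INPUT --protocol tcp --source 192.168.0.0/24 --dport 139 --jump ACCEPT
/sbin/iptables --append INPUT --protocol tcp --source 192.168.0.0/24 --dport 445 --jump ACCEPT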
accept_redirects
# Stop accepting ICMP redirects on all interfaces by writing the /proc
# knob directly (run as root; the setting lasts until the next reboot)
printf '0\n' > /proc/sys/net/ipv4/conf/all/accept_redirects
or
# Same setting through sysctl (run as root; add it to sysctl.conf to persist)
sysctl -w net.ipv4.conf.all.accept_redirects=0
# Drop ICMP arriving from 127.0.0.1: the host can no longer ping itself
iptables --append INPUT --source 127.0.0.1 --protocol icmp --jump DROP
# Drop ICMP from the 192.168.0.0/24 segment: those hosts can no longer ping this machine
iptables --append INPUT --source 192.168.0.0/24 --protocol icmp --jump DROP
# Drop ICMP from every source. Kept commented out: appended here it would
# also keep the accept rule below from ever matching.
# iptables --append INPUT --source 0/0 --protocol icmp --jump DROP
# Accept every ICMP type except echo-request (inbound ping).
# "--icmp-type ! echo-request" is the older intrapositioned negation that
# iptables 1.3.x understands; newer releases warn and prefer
# "! --icmp-type echo-request".
iptables --append INPUT --protocol icmp --icmp-type ! echo-request --jump ACCEPT
# Accept outbound TCP and UDP from $NET to any destination port.
# 1:65535 covers every port and there is no state match, so this is an
# allow-all for these two protocols rather than "established only".
# $IPT (the iptables command) and $NET (source network) are set by the caller.
for proto in tcp udp; do
  $IPT --append OUTPUT --protocol "$proto" --source "$NET" --destination 0/0 --destination-port 1:65535 --jump ACCEPT
done
# Intended effect: this host may not ping 192.168.0.0/24.
# NOTE(review): the rule matches the packet *source*; on OUTPUT that is the
# local address, so it only blocks ICMP sent from a 192.168.0.0/24 address.
# Blocking pings *to* that segment would need --destination instead.
iptables --append OUTPUT --source 192.168.0.0/24 --protocol icmp --jump DROP
# Stop this host from pinging anything. Kept commented out: appended here it
# would also keep the accept rule below from ever matching.
# iptables --append OUTPUT --source 0/0 --protocol icmp --jump DROP
# Accept every outbound ICMP type except echo-request.
# "--icmp-type ! echo-request" is the older intrapositioned negation that
# iptables 1.3.x understands; newer releases warn and prefer
# "! --icmp-type echo-request".
iptables --append OUTPUT --protocol icmp --icmp-type ! echo-request --jump ACCEPT
# Forward everything that enters on eth1. This already covers the first
# rule below, which therefore only matters if this rule is removed.
iptables --append FORWARD --in-interface eth1 --jump ACCEPT
# Network 1 -> network 2: new and established TCP client traffic
iptables --append FORWARD --in-interface eth1 --protocol tcp \
  --source 192.168.1.0/24 --destination 192.168.2.0/24 \
  --match state --state NEW,ESTABLISHED --jump ACCEPT
# Network 2 -> network 1: only replies and related packets of those connections
iptables --append FORWARD --out-interface eth1 --protocol tcp \
  --source 192.168.2.0/24 --destination 192.168.1.0/24 \
  --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept all traffic arriving on lo, eth0 and ppp0. On a host whose only
# interfaces are these three, this turns INPUT into an allow-all chain;
# the loopback rule is the one normally wanted on its own.
for iface in lo eth0 ppp0; do
  iptables --append INPUT --in-interface "$iface" --jump ACCEPT
done
# Accept everything from one trusted host (change the address as appropriate)
iptables --append INPUT --source 192.168.0.4 --jump ACCEPT
# Accept everything from a trusted network, written in CIDR notation ...
iptables --append INPUT --source 192.168.0.0/24 --jump ACCEPT
# ... or with an explicit subnet mask (the same network as the line above)
iptables --append INPUT --source 192.168.0.0/255.255.255.0 --jump ACCEPT
# Accept from the trusted host only when the frame also carries this MAC.
# The MAC is only visible on a directly attached segment and is chosen by
# the sender, so it narrows the match but is not a strong identity check.
# With the first rule in place this rule is never reached.
iptables --append INPUT --source 192.168.0.4 --match mac --mac-source 00:50:8D:FD:E6:32 --jump ACCEPT
# Accept inbound TCP to port 6881 (bittorrent)
iptables --append INPUT --protocol tcp --dport 6881 --jump ACCEPT
# Accept inbound TCP to the port range 6881-6890 (includes 6881 again)
iptables --append INPUT --protocol tcp --dport 6881:6890 --jump ACCEPT
NEW — A packet requesting a new connection, such as an HTTP request.
ESTABLISHED — A packet that is part of an existing connection.
RELATED — A packet that is requesting a new connection but is part of an existing connection. For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20).
INVALID — A packet that is not part of any connections in the connection tracking table.
# Let packets of already-tracked connections (ESTABLISHED) and the
# connections related to them (RELATED) pass through FORWARD
iptables --append FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
重定向规则
# Port redirection (run as root). REDIRECT in PREROUTING only affects
# packets entering the host, not locally generated ones.
# Redirect TCP 21 arriving on eth0 to local port 2401
iptables --table nat --append PREROUTING --in-interface eth0 --protocol tcp --dport 21 --jump REDIRECT --to-ports 2401
# Redirect port 80 to 8080 on any interface
iptables --table nat --append PREROUTING --protocol tcp --destination-port 80 --jump REDIRECT --to-ports 8080
端口转发
# Enable IP forwarding at runtime (lost on reboot unless persisted via sysctl.conf)
printf '1\n' > /proc/sys/net/ipv4/ip_forward
# Forward TCP 1000 arriving for 192.168.3.9 to 192.168.3.137:8080
iptables --table nat --append PREROUTING --destination 192.168.3.9 --protocol tcp --match tcp --dport 1000 \
  --jump DNAT --to-destination 192.168.3.137:8080
# Rewrite the source of LAN clients reaching that service to 192.168.3.9 so
# that the server's replies return through this host rather than directly
# to the client (needed when client and server share the same segment)
iptables --table nat --append POSTROUTING --source 192.168.3.0/255.255.255.0 --destination 192.168.3.137 \
  --protocol tcp --match tcp --dport 8080 --jump SNAT --to-source 192.168.3.9
# FORWARD policy ACCEPT passes any routed traffic, not only the NATed flows
iptables --policy FORWARD ACCEPT
# Overlapping variants of the same POSTROUTING masquerade rule. They are
# alternatives, not a set to apply together; each hides the private source
# address behind the address of the outgoing interface.
iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE
iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --jump MASQUERADE
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --out-interface eth0 --jump MASQUERADE
sudo iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE
# Inserted at the top of the chain with no match at all: masquerades every
# packet leaving on every interface
sudo iptables --table nat --insert POSTROUTING --jump MASQUERADE
sudo iptables --table nat --append POSTROUTING --jump MASQUERADE --source 172.16.0.0/24 --destination 0.0.0.0/0
sudo iptables --table nat --append POSTROUTING --jump MASQUERADE --out-interface eth1 --source 172.16.1.0/24 --destination 0.0.0.0/0
sudo iptables --table nat --append POSTROUTING --jump MASQUERADE --protocol tcp --out-interface eth1 --source 172.16.1.0/24 --destination 0.0.0.0/0
# Send HTTP arriving on eth0 to the web server 172.31.0.23, port 80
iptables --table nat --append PREROUTING --in-interface eth0 --protocol tcp --dport 80 \
  --jump DNAT --to-destination 172.31.0.23:80
If you have a default policy of DROP in your FORWARD chain, you must append a rule to forward all incoming HTTP requests so that destination NAT routing is possible. To do this, use the following command:
# Let the DNATed HTTP requests from eth0 reach 172.31.0.23 through FORWARD
iptables --append FORWARD --in-interface eth0 --protocol tcp --dport 80 --destination 172.31.0.23 --jump ACCEPT
This rule forwards all incoming HTTP requests from the firewall to the intended destination: the Apache HTTP Server behind the firewall.
# Enable IP forwarding at runtime (lost on reboot unless persisted via sysctl.conf)
printf '1\n' > /proc/sys/net/ipv4/ip_forward
# Everything addressed to the public 202.103.96.10 goes to the internal 192.168.0.10
# (no protocol or port match, so all protocols are translated)
iptables --table nat --append PREROUTING --destination 202.103.96.10 --jump DNAT --to-destination 192.168.0.10
# Internal hosts leave with the public source 202.96.244.56. There is no
# --out-interface, so this applies on every egress interface.
iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --jump SNAT --to-source 202.96.244.56
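#
# DMZ zone
#
# $iptables must hold the iptables command to run.
# Forward several TCP services arriving on eth0 to the DMZ host. With
# --match multiport the port-list option is --dports (comma-separated).
$iptables --table nat --append PREROUTING --protocol tcp --match multiport --in-interface eth0 \
  --dports 22,25,113,80,8080 --jump DNAT --to-destination 10.0.0.10
# NOTE(review): SMTP is a TCP service; confirm that a UDP/25 DNAT is really intended.
$iptables --table nat --append PREROUTING --protocol udp --in-interface eth0 --dport 25 \
  --jump DNAT --to-destination 10.0.0.10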
DNAT ppp0/eth0
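# DNAT inbound HTTP on ppp0 to the web server. WEB_SERVER_IP must be set
# to the server's address before running; the expansion aborts if it is not.
iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp0 --dport 80 \
  --jump DNAT --to-destination "${WEB_SERVER_IP:?set to the web server address}"
# Same for eth0, with a fixed target and an explicit port
iptables --table nat --append PREROUTING --in-interface eth0 --protocol tcp --dport 80 \
  --jump DNAT --to-destination 10.0.4.2:80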
# IPv6 firewalling with ip6tables (run as root)
modprobe ipv6
modprobe ip6_tables
# Only reports missing kernel support; the ip6tables call below still runs
if [ ! -f /proc/net/ip6_tables_names ]; then
  echo "Current kernel doesn't support? 'ip6tables' firewalling (IPv6)!"
fi
# Accept SSH on eth0 from a single IPv6 host. 3ffe::/16 was the old 6bone
# test range, so substitute a real address.
ip6tables --append INPUT --in-interface eth0 --protocol tcp --source 3ffe:ffff:100::1/128 --dport 22 --jump ACCEPT
例 23.1.
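# Flush every rule and reset every built-in chain policy to ACCEPT
/sbin/iptables --flush
/sbin/iptables --flush --table filter
/sbin/iptables --flush --table nat
/sbin/iptables --table nat --policy PREROUTING ACCEPT
/sbin/iptables --table nat --policy POSTROUTING ACCEPT
/sbin/iptables --table nat --policy OUTPUT ACCEPT
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
# The rules below were given in iptables-save form ("-P INPUT ACCEPT",
# "-A INPUT ..."), which is not executable shell; each line is the same
# argument list handed to iptables. Order matters: the REJECT rules at the
# end catch everything the earlier rules did not accept.
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
/sbin/iptables --append INPUT --protocol icmp --jump ACCEPT
/sbin/iptables --append INPUT --in-interface lo --jump ACCEPT
/sbin/iptables --append INPUT --protocol tcp --match state --state NEW --match tcp --dport 22 --jump ACCEPT
/sbin/iptables --append INPUT --jump REJECT --reject-with icmp-host-prohibited
/sbin/iptables --append FORWARD --jump REJECT --reject-with icmp-host-prohibited
# Enable routing between interfaces at runtime (not persistent across reboots).
# The FORWARD chain above rejects everything, so forwarding is switched on
# but nothing is passed until FORWARD accept rules are added.
sysctl -w net.ipv4.ip_forward=1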