【9.25】Daily operations: netfilter tables and iptables syntax
10.12 firewalld and netfilter
- Temporarily disable SELinux
[root@arslinux-01 ~]# setenforce 0
[root@arslinux-01 ~]# getenforce
Permissive
- Permanently disable SELinux
In the config file /etc/selinux/config, change SELINUX= to disabled
[root@arslinux-01 ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
In permissive mode nothing is blocked; SELinux only warns, and the warning is not shown on screen, it is just written to the log.
- Versions before CentOS 7 used the netfilter firewall; CentOS 7 switched to firewalld, but the iptables tool is used in the same way.
- Turn on netfilter (the iptables service) and turn off firewalld
[root@arslinux-01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@arslinux-01 ~]# systemctl stop firewalld
[root@arslinux-01 ~]# yum install -y iptables-services
(installation output omitted)
[root@arslinux-01 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@arslinux-01 ~]# systemctl start iptables
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 1924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 16 packets, 1488 bytes)
pkts bytes target prot opt in out source
10.13 The 5 tables and 5 chains of netfilter
- The 5 netfilter tables: filter, nat, mangle, raw, security
- filter has 3 chains:
INPUT applies to packets entering this host
FORWARD applies to packets that are not for this host (passing through it)
OUTPUT applies to packets sent out by this host
- nat has 3 chains:
PREROUTING changes a packet's destination address just as it arrives at the firewall
OUTPUT changes the destination address of locally generated packets
POSTROUTING changes a packet's source address just before it leaves the firewall
- The mangle, raw and security tables are rarely used, so they can be ignored; only filter and nat matter here.
- Diagram of how iptables passes a packet through:
Reference: http://www.cnblogs.com/metoy/p/4320813.html
A packet enters the NIC and first passes the PREROUTING chain, where the destination IP is checked. If it is not this host, the packet is forwarded: it goes through the FORWARD chain and leaves via the POSTROUTING chain.
If PREROUTING decides the IP is this host, the packet goes through the INPUT chain into the local kernel; after processing, the reply is sent out through the OUTPUT chain and finally the POSTROUTING chain.
Summary:
Destined for this host: PREROUTING ——> INPUT ——> OUTPUT ——> POSTROUTING
Not destined for this host: PREROUTING ——> FORWARD ——> POSTROUTING
10.14 iptables syntax
- iptables -nvL: list the iptables rules
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
93 6690 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
14 1877 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 85 packets, 7970 bytes)
pkts bytes target prot opt in out source destination
- The iptables rules are saved in /etc/sysconfig/iptables
[root@arslinux-01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
- iptables -F: flush the iptables rules
[root@arslinux-01 ~]# iptables -F
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 34 packets, 2244 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 1688 bytes)
pkts bytes target prot opt in out source destination
The rules are only flushed in memory, not in the config file; if the service is restarted they are loaded again and take effect.
To make the change permanent it has to be written to the config file, which service iptables save does.
- service iptables save: save the iptables rules
[root@arslinux-01 ~]# service iptables save
- Rebooting the server or restarting the service reloads the iptables rules
[root@arslinux-01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
14 924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 864 bytes)
pkts bytes target prot opt in out source destination
Rebooting the server or restarting iptables both load the rules from the config file /etc/sysconfig/iptables.
- By default iptables lists the rules of the filter table: iptables -t filter -nvL (without -t, the filter table is assumed)
- iptables -t nat -nvL: list the rules of the nat table
[root@arslinux-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- iptables -Z: reset the packet and byte counters
[root@arslinux-01 ~]# iptables -Z;iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- Common iptables options
Option | Meaning |
---|---|
-A | append a rule to the end of a chain (e.g. INPUT: the chain the rule applies to) |
-s | specify the source IP (source) |
-p | specify the protocol (tcp, udp, icmp) |
--sport | source port |
-d | destination IP |
--dport | destination port |
-j | action (DROP / REJECT: DROP silently discards the packet; REJECT discards it and tells the sender it was refused) |
-I | insert a rule |
-i | specify the network interface |
- iptables -A: append an iptables rule (it goes to the end of the chain)
[root@arslinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
413 28732 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
4 946 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
pkts bytes target prot opt in out source destination
- iptables -I: insert a rule at the front of the chain (jumping the queue)
[root@arslinux-01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
524 36068 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
4 946 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
pkts bytes target prot opt in out source destination
Once an earlier rule matches a packet, the later rules are no longer checked for it.
- iptables -D: delete a rule
[root@arslinux-01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
584 40828 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
4 946 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
pkts bytes target prot opt in out source destination
If the rule to delete is long and you no longer remember it exactly, deleting it with iptables -D by repeating the rule is awkward.
A simpler way to delete it:
- Deleting iptables rules (simple method)
1. First list the rules with their rule numbers; 2. then delete the rule by its number
[root@arslinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 654 45448 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 5 1175 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 32 packets, 4368 bytes)
num pkts bytes target prot opt in out source destination
[root@arslinux-01 ~]# iptables -D INPUT 7
[root@arslinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 717 49616 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 5 1175 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 10 packets, 2232 bytes)
num pkts bytes target prot opt in out source destination
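The listings are first-match, so the DROP rule appended with -A earlier (rule 7 here) sits behind the catch-all REJECT in rule 6 and can never match anything. The following is an added example, not part of the original notes: it parses `iptables -nvL --line-numbers` output and reports rules that are unreachable for that reason. The sample listing is constructed to mirror the INPUT and FORWARD chains above.

```python
import re

# Constructed sample: mirrors the INPUT/FORWARD listing after the -A DROP rule above
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 654 45448 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 5 1175 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of the chain

def parse_listing(text):
    """Return {chain: [rule, ...]} parsed from `iptables -nvL --line-numbers` output."""
    chains, chain = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "num":          # blank line or column header
            continue
        if f[0] == "Chain":                 # "Chain INPUT (policy ACCEPT ...)"
            chain = f[1]
            chains[chain] = []
            continue
        num, _pkts, _bytes, target, prot, _opt, iin, iout, src, dst = f[:10]
        # Trailing words are extra matches, except "reject-with X", a REJECT target option
        match = re.sub(r"^reject-with \S+", "", " ".join(f[10:])).strip()
        chains[chain].append(dict(num=int(num), target=target, prot=prot, iin=iin,
                                  iout=iout, src=src, dst=dst, match=match))
    return chains

def is_catch_all(r):
    """A terminating rule with no restriction at all: every packet stops here."""
    return (r["target"] in TERMINATING and r["prot"] == "all" and r["match"] == ""
            and r["iin"] == r["iout"] == "*" and r["src"] == r["dst"] == "0.0.0.0/0")

def unreachable_rules(text):
    """Return {chain: [numbers of rules placed after a catch-all rule]}."""
    return {chain: [r["num"] for i, r in enumerate(rules) if any(map(is_catch_all, rules[:i]))]
            for chain, rules in parse_listing(text).items()}

if __name__ == "__main__":
    print(unreachable_rules(SAMPLE))  # → {'INPUT': [7], 'FORWARD': []}
```

Run it against a live system with `iptables -nvL --line-numbers | python3 this_script.py`-style piping after replacing SAMPLE with stdin; rules it reports are either mistakes in ordering (use -I or -D by number to fix) or leftovers that should be removed.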
- iptables -i: specify the network interface
[root@arslinux-01 ~]# iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
- Default policy: a packet that matches no specific rule is handled by the chain's default policy
- Changing the default policy: iptables -P OUTPUT DROP (if you run this, the remote connection is cut off and the rules can only be fixed at the console)
[root@arslinux-01 ~]# iptables -P OUTPUT DROP
- Changing it back: iptables -P OUTPUT ACCEPT (allow)
[root@arslinux-01 ~]# iptables -P OUTPUT ACCEPT
DROP / REJECT / ACCEPT
10.15 iptables filter table example
- A small iptables example
[root@arslinux-01 ~]# vi /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.194.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
:wq
ipt="/usr/sbin/iptables"
Define a variable ipt for convenience; the path must be an absolute path
$ipt -F
Flush the existing rules
$ipt -P INPUT DROP
Set the default policy of INPUT to DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
OUTPUT and FORWARD both default to ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Add a rule: -m state specifies the connection state; packets in the RELATED,ESTABLISHED states are allowed
$ipt -A INPUT -s 192.168.194.0/24 -p tcp --dport 22 -j ACCEPT
Add a rule: packets from the 192.168.194.0/24 network to port 22 are allowed
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
Packets to ports 80 and 21 are allowed
- Running it:
[root@arslinux-01 ~]# sh /usr/local/sbin/iptables.sh
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
32 2112 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.194.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1596 bytes)
pkts bytes target prot opt in out source destination
- Restore the default state:
[root@arslinux-01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 21 packets, 1964 bytes)
pkts bytes target prot opt in out source destination
- icmp example:
Pinging the host's own IP works
- Pinging the Internet also works
[root@arslinux-01 ~]# ping www.baidu.com
PING www.baidu.com (192.168.194.150) 56(84) bytes of data.
64 bytes from www.baidu.com (192.168.194.150): icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from www.baidu.com (192.168.194.150): icmp_seq=2 ttl=64 time=0.042 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.030/0.036/0.042/0.006 ms
- After adding this rule, the host can no longer be pinged, but it can still ping external hosts
[root@arslinux-01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP