A Beginner's Guide to iptables, the Linux Firewall

Iptables is an extremely flexible firewall utility built for Linux operating systems. Whether you’re a novice Linux geek or a system administrator, there’s probably some way that iptables can be a great use to you. Read on as we show you how to configure the most versatile Linux firewall.

Photo by ezioman.

About iptables

iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

sudo apt-get install iptables

There are GUI alternatives to iptables like Firestarter, but iptables isn’t really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you’re SSH’d into a server, because one wrong command can permanently lock you out until it’s manually fixed at the physical machine.

Types of Chains

iptables uses three different chains: input, forward, and output.

Input – This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Forward – This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.

There’s one sure-fire way to check whether or not your system uses/needs the forward chain.

iptables -L -v

The screenshot in the original article (not reproduced here) is of a server that had been running for a few weeks with no restrictions on incoming or outgoing connections. In it, the input chain has processed 11GB of packets and the output chain 17GB. The forward chain, on the other hand, has not needed to process a single packet, because the server is not doing any kind of forwarding and is not being used as a pass-through device.

Output – This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.

The caveat

Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.

Policy Chain Default Behavior

Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?

To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.

In the original screenshot (not reproduced here), the output was also piped through the grep command to give cleaner output; all three chains were configured to accept traffic.

More times than not, you’ll want your system to accept connections by default. Unless you’ve changed the policy chain rules previously, this setting should already be configured. Either way, here’s the command to accept connections by default:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

By defaulting to the accept rule, you can then use iptables to deny specific IP addresses or port numbers, while continuing to accept all other connections. We’ll get to those commands in a minute.

If you would rather deny all connections and manually specify which ones you want to allow to connect, you should change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

Connection-specific Responses

With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.

Accept – Allow the connection.

Drop – Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject – Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.

The original article illustrates each case with a screenshot of the ping output (not reproduced here): allowing the connection, dropping the connection, and rejecting the connection.

Allowing or Blocking Specific Connections

With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.

Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.

Connections from a single IP address

This example shows how to block all connections from the IP address 10.10.10.10.

iptables -A INPUT -s 10.10.10.10 -j DROP

Connections from a range of IP addresses

This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

or

iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

Connections to a specific port

This example shows how to block SSH connections from 10.10.10.10.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

You can replace “ssh” with any protocol name or port number. The -p tcp part of the rule tells iptables which transport protocol the rule applies to. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.

This example shows how to block SSH connections from any IP address.

iptables -A INPUT -p tcp --dport ssh -j DROP

Connection States

As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?

That’s where connection states come in: they give you the ability to allow two-way communication while only letting connections be established in one direction. Take a look at this example, where SSH connections from 10.10.10.10 are permitted, but SSH connections to 10.10.10.10 are not. However, the system is permitted to send data back over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
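
The following script is an added example, not code from the original article or from the iptables project. It ties together the default-policy, two-way-communication and connection-state points above into one complete ruleset in iptables-restore format, and applies it with an automatic rollback so that a mistake made over SSH (the lockout warned about earlier) undoes itself. The admin address 10.10.10.10 is the article's example; the 60-second window, the /tmp/iptables-rollback-pending confirm file, and the choice to DROP new outbound connections as well (so DNS or package updates would need their own OUTPUT rules) are assumptions for illustration. build_ruleset runs anywhere; apply_with_rollback needs root and the iptables-restore tool.

```shell
#!/bin/sh
# Added example (not from the original article): build a complete ruleset for
# iptables-restore that allows new SSH sessions only from one admin host, and
# apply it with a rollback timer so a mistake over SSH does not lock you out.
# The admin address default, the window and the confirm-file path are assumptions.

# Print the ruleset. $1 is the address allowed to open NEW SSH sessions
# (defaults to the article's example host 10.10.10.10).
build_ruleset() {
    admin_ip="${1:-10.10.10.10}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is needed by many local services.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Both directions of an already-established session, plus related traffic such
# as ICMP errors, are allowed: this is the two-way-communication caveat.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the admin host may open a NEW SSH session into this machine.
-A INPUT -p tcp --dport 22 -s ${admin_ip} -m state --state NEW -j ACCEPT
# Nothing else may start a connection in either direction (chain policies DROP).
COMMIT
EOF
}

# Count the rules that accept NEW connections: a sanity check that the ruleset
# stays minimal before it is applied. Returns 1 for the ruleset above.
count_new_accepts() {
    build_ruleset "$1" | grep -c -- '--state NEW'
}

# Apply the ruleset with a rollback timer. The running rules are saved first;
# unless the operator removes the confirm file (proving the session still
# works) within $window seconds, the saved rules are restored automatically.
apply_with_rollback() {
    admin_ip="$1"
    window="${2:-60}"
    backup="$(mktemp)"
    confirm_file="/tmp/iptables-rollback-pending"   # assumed path
    iptables-save > "$backup"
    touch "$confirm_file"
    # nohup keeps the timer alive even if this SSH session is cut off.
    nohup sh -c "sleep $window; if [ -e '$confirm_file' ]; then iptables-restore < '$backup'; rm -f '$confirm_file'; fi" > /dev/null 2>&1 &
    # iptables-restore loads the whole table in one step, not rule by rule.
    build_ruleset "$admin_ip" | iptables-restore
    echo "Rules applied. If this session still works, confirm within ${window}s with: rm -f $confirm_file"
}

# Only touch the live firewall when explicitly asked: sh firewall.sh apply [admin_ip] [seconds]
if [ "${1:-}" = "apply" ]; then
    apply_with_rollback "${2:-10.10.10.10}" "${3:-60}"
fi
```

Run it as sh firewall.sh apply 10.10.10.10 over your existing SSH session; if the session survives, remove the confirm file within the window, otherwise the previous rules come back on their own. Because new outbound connections are dropped too, this mirrors the article's "only ever have the same IP addresses connect" case; a general-purpose server would add OUTPUT rules for DNS, updates and so on.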

Saving Changes

The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes.  This command can differ depending on your distribution:

Ubuntu:

iptables-save on its own only prints the running rules to standard output, so redirect them into the file that the iptables-persistent package loads at boot (install that package first; the path below is its default):

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Red Hat / CentOS:

/sbin/service iptables save

Or

/etc/init.d/iptables save

Other Commands

List the currently configured iptables rules:

iptables -L

Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.

To clear all the currently configured rules, you can issue the flush command.

iptables -F

Translated from: https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
