Using iptables on Linux

This guide explains how to use iptables on Linux in plain language.


Overview

Iptables is a rule-based firewall. Each chain (INPUT for traffic addressed to this host, OUTPUT for traffic it sends, FORWARD for traffic it routes) is a list of rules that is walked from top to bottom until one matches; that rule's target (ACCEPT, DROP and so on) decides what happens to the packet, and if no rule matches, the chain's default policy applies. Rule order therefore matters: a rule only takes effect if no earlier rule has already matched the same traffic.

Todo: include example here
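The rule walk described above, as an added example that is not from the original article: a small shell evaluator that models first-match-wins over a constructed rule list written in the shape of iptables -L -n output. It is not iptables; it only reproduces the ordering semantics, so the difference between inserting a DROP with -I and appending it with -A can be seen without root. The rule lists, addresses and port are constructed for this example.

```shell
#!/bin/sh
# Added example, not iptables itself: a model of how a chain is walked.
# Rules are one per line in the shape of `iptables -L -n` output:
#   TARGET PROTO SOURCE DPORT   ("all", "0.0.0.0/0" and "-" mean "any")

ip2int() { # dotted quad -> integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() { # in_net <ip> <cidr>: succeeds if ip lies inside cidr
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# evaluate "<rules>" <policy> <proto> <src-ip> <dport>
# Walks the rules top to bottom; the first rule whose fields all match decides
# the verdict. If none matches, the chain's default policy applies.
evaluate() {
    rules=$1; policy=$2; proto=$3; src=$4; dport=$5
    while read -r target rproto rsrc rdport; do
        if [ -z "$target" ]; then continue; fi
        [ "$rproto" = all ] || [ "$rproto" = "$proto" ] || continue
        in_net "$src" "$rsrc" || continue
        [ "$rdport" = - ] || [ "$rdport" = "$dport" ] || continue
        echo "$target"          # terminating target: stop walking the chain
        return 0
    done <<EOF
$rules
EOF
    echo "$policy"
}

# Constructed rule lists. APPENDED is what you get by adding the network ACCEPT
# with -A and then the MySQL DROP also with -A; INSERTED is the same DROP added
# with -I, which puts it above the ACCEPT.
APPENDED='ACCEPT all 10.10.10.0/24 -
DROP   tcp 0.0.0.0/0   3306'
INSERTED='DROP   tcp 0.0.0.0/0   3306
ACCEPT all 10.10.10.0/24 -'

# A MySQL connection from inside the trusted network, under each ordering:
echo "appended DROP -> $(evaluate "$APPENDED" ACCEPT tcp 10.10.10.10 3306)"   # ACCEPT: the DROP is shadowed
echo "inserted DROP -> $(evaluate "$INSERTED" ACCEPT tcp 10.10.10.10 3306)"   # DROP
echo "ssh from elsewhere -> $(evaluate "$INSERTED" ACCEPT tcp 192.168.1.5 22)" # ACCEPT: falls through to the policy
```

The appended DROP never fires for hosts in 10.10.10.0/24 because the ACCEPT above it matches first; the same rule inserted at the top blocks the port for everyone. Real iptables behaves the same way, with the added detail that non-terminating targets such as LOG let the walk continue.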

Usage

The iptables utility is typically pre-installed on your Linux distribution, but on a fresh system the chains are empty with an ACCEPT policy, so nothing is actually being filtered. Managing rules requires root. You'll find the utility here on most distributions:

/sbin/iptables

Blocking a Single IP Address

You can block an IP address with the -s parameter, replacing 10.10.10.10 with the address you want to block. Note that this example uses -I (or --insert) instead of -A (--append): -I puts the rule at the top of the INPUT chain, so it is evaluated before any allow rules that are already there. An appended DROP would sit below those allow rules and never be reached for traffic they accept.

/sbin/iptables -I INPUT -s 10.10.10.10 -j DROP

Allowing All Traffic from an IP Address

You can instead allow all traffic from an IP address by using the same command with ACCEPT in place of DROP. As with the block, position matters: the ACCEPT must appear before any DROP rule that would also match that address. The command below uses -A and so appends the rule to the end of the chain, which is fine while the chain is empty; if DROP rules are already in place, use -I as above, or rebuild the chain in the intended order.

/sbin/iptables -A INPUT -s 10.10.10.10 -j ACCEPT

Blocking a Port From All Addresses

You can block a port entirely from being reached over the network with the --dport switch, giving the port of the service you want to block. --dport only works together with a protocol (-p tcp or -p udp), so a rule with -p tcp leaves the same port number over UDP untouched. In this example, we'll block the MySQL port, 3306, from every source:

/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

Allowing a Single Port from a Single IP

You can combine -s with --dport to narrow the rule to one port from one source address. Because this is an ACCEPT, it has to sit above the port-wide DROP from the previous section, or it will never be reached:

/sbin/iptables -A INPUT -p tcp -s 10.10.10.10 --dport 3306 -j ACCEPT
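The last four sections each add one rule by hand, and the text keeps repeating that the allow rules must land above the drop rules. The following is an added example, not code from the original article, that writes the same rules as one ordered file in iptables-restore format, so the order is fixed in the file rather than depending on which -I and -A commands were typed in which sequence, plus a small check for ACCEPT rules that a blanket DROP has made unreachable. The addresses and port are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's rules as one
# ordered ruleset in iptables-restore format. All addresses and the port below
# are placeholders chosen for this example.

ADMIN_IP=192.168.1.50       # only host outside the trusted network allowed to reach MySQL
TRUSTED_NET=10.10.10.0/24   # network allowed everything
BLOCKED_IP=10.10.10.99      # host inside the trusted network that must be dropped
MYSQL_PORT=3306

# build_ruleset <admin-ip> <trusted-net> <blocked-ip> <port>
# Emits the filter table in the order the kernel will walk it:
#   1. the DROP for the hostile host (what the article does with -I), placed
#      above the network ACCEPT that would otherwise let it through;
#   2. the ACCEPT rules for trusted sources;
#   3. the catch-all DROP for the service port, last so it cannot shadow 2.
# Lines starting with # are comments, which iptables-restore ignores.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. hostile host first
-A INPUT -s $3 -j DROP
# 2. allows
-A INPUT -s $2 -j ACCEPT
-A INPUT -p tcp -s $1 --dport $4 -j ACCEPT
# 3. blanket port block
-A INPUT -p tcp --dport $4 -j DROP
COMMIT
EOF
}

# rule_index "<ruleset>" <literal>: line number of the first line containing <literal>
rule_index() {
    printf '%s\n' "$1" | grep -n -F -e "$2" | head -n 1 | cut -d: -f1
}

# shadowed_accepts "<ruleset>": list ACCEPT rules for a --dport that appear after
# a DROP for the same port with no -s restriction; such ACCEPTs can never match.
shadowed_accepts() {
    printf '%s\n' "$1" | awk '
        /-j DROP/ && !/ -s / && match($0, /--dport [0-9]+/) {
            drop[substr($0, RSTART + 8, RLENGTH - 8)] = NR
        }
        /-j ACCEPT/ && match($0, /--dport [0-9]+/) {
            port = substr($0, RSTART + 8, RLENGTH - 8)
            if (port in drop && drop[port] < NR) print "shadowed: " $0
        }'
}

# apply_ruleset <file>: as root, parse-check the file, then load the whole table
# in one atomic step, so there is never a moment with a half-built chain.
apply_ruleset() {
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

RULESET=$(build_ruleset "$ADMIN_IP" "$TRUSTED_NET" "$BLOCKED_IP" "$MYSQL_PORT")
printf '%s\n' "$RULESET"
shadowed_accepts "$RULESET"   # prints nothing: the order above is correct
```

To use it for real, save the printed ruleset to a file and run apply_ruleset on it as root; because iptables-restore replaces the whole table, re-running it is idempotent, unlike repeating -A commands, which duplicates rules. The shadow check is deliberately narrow: it only flags an ACCEPT that follows a source-less DROP on the same port, which is exactly the mistake the article warns about.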

Viewing the Current Rules

You can view the current rules using the following command. Add -n to skip reverse DNS lookups of addresses and ports (which can stall, and which print names such as "anywhere" and "mysql" instead of the raw values), -v to show packet counters and interfaces, and --line-numbers to see each rule's position, which is the number -I and -D accept. iptables-save prints the same rules in command syntax, which is the easiest way to see exactly what was loaded.

/sbin/iptables -L

This should give you an output similar to the following (without -n, ports are shown by service name):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  10.10.10.0/24        anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql

The actual output will be a bit longer, of course, since the FORWARD and OUTPUT chains are listed as well. Note that -L only shows the filter table; use -t nat (or -t mangle, -t raw) to see the others.

Clearing the Current Rules

You can remove all current rules with the flush parameter (-F). This is very useful when you need to rebuild the rules in the correct order, or while you are testing. Two caveats: flush removes rules but does not reset the chains' default policies, so if a chain's policy is DROP, flushing it cuts off all traffic, your own SSH session included, and the policies must be set back to ACCEPT with -P before flushing. It also acts only on the filter table unless -t names another.

/sbin/iptables --flush

Distribution-Specific

While most Linux distributions include a form of iptables, some of them also include wrappers which make management a little easier. Most often these add-ons take the form of init scripts which take care of initializing iptables on startup, though some distributions also include full-blown wrapper applications which attempt to simplify the common case.

Gentoo

The iptables init script on Gentoo is capable of handling many common scenarios. For starters, it allows you to configure iptables to load on startup (usually what you want):


rc-update add iptables default

Using the init script, it is possible to load and clear the firewall with an easy-to-remember command:


/etc/init.d/iptables start
/etc/init.d/iptables stop

The init script saves the current firewall configuration on stop and restores it on start, so the firewall comes back in the state you left it. If you have added a rule and want to save it without stopping the firewall, the init script can handle this as well:

/etc/init.d/iptables save

Additionally, you can restore your firewall to the previous saved state (for the case where you were experimenting with rules and now want to restore the previous working configuration):


/etc/init.d/iptables reload

Finally, the init script can put iptables into a "panic" mode, where all incoming and outgoing traffic is blocked. This is an emergency measure, for instance to isolate a host you suspect has been compromised while you investigate; most Linux firewall front ends have an equivalent.

/etc/init.d/iptables panic

Warning: Don't enter panic mode while connected to your server over SSH; you will be disconnected and cannot get back in until the rules are reloaded. Only use panic mode when you have console access to the machine, whether physically, over a serial line or through an out-of-band management console.
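The lockouts described on this page (a DROP policy left behind by --flush, panic mode entered over SSH, a DROP rule that shadows your own SSH allow) all share the same fix: never apply a rule change you cannot undo without access. The following is an added example, not from the original article or the Gentoo init script, of a dead-man's switch around iptables-restore. IPTABLES_SAVE and IPTABLES_RESTORE are assumed hooks so the logic can be exercised without root; left unset, they fall back to the real iptables-save and iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original article: load a ruleset, then revert to the
# previous one automatically unless someone who still has access confirms it.
# IPTABLES_SAVE / IPTABLES_RESTORE are assumed hooks for testing without root;
# unset, the real iptables-save / iptables-restore are used.

# apply_with_rollback <new-ruleset-file> <timeout-seconds>
# 1. snapshot the live rules (all tables and policies, which is what iptables-save
#    emits), 2. load the new ruleset, 3. start a timer that puts the snapshot back
#    unless confirm_rules is run first from a session that still works.
apply_with_rollback() {
    new=$1; timeout=$2
    backup=$(mktemp) || return 1
    "${IPTABLES_SAVE:-iptables-save}" > "$backup" || return 1
    "${IPTABLES_RESTORE:-iptables-restore}" < "$new" || return 1
    (
        sleep "$timeout"
        # Nobody confirmed in time: assume the operator is locked out and roll back.
        "${IPTABLES_RESTORE:-iptables-restore}" < "$backup"
    ) &
    ROLLBACK_PID=$!
    echo "new rules loaded; run confirm_rules within ${timeout}s or they revert"
}

# confirm_rules: cancel the pending rollback. Only reachable if the new rules
# still let you in, which is the whole point.
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null && echo "rollback cancelled; new rules kept"
    wait "$ROLLBACK_PID" 2>/dev/null || true
}
```

Usage, as root and with the functions sourced into the shell: apply_with_rollback /path/to/rules 60, then open a second SSH session to prove you can still get in, and run confirm_rules in the first one. If the new rules cut you off, the timer restores the snapshot and you are back in after the timeout. Because the snapshot comes from iptables-save, it also restores the chain policies, which a plain --flush would not.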

Translated from: https://www.howtogeek.com/168132/using-iptables-on-linux/
