iptables
包过滤防火墙 iptables / firewalld(firewalld 是管理同一套 netfilter 规则的前端,不要与 iptables-services 同时启用)
- 网络层
- 地址 {目的地址 源地址}
- 协议 {ip icmp arp rarp}
- 传输层
- 协议 {tcp udp}
- 端口 {目的端口 源端口}
- 代理服务器防火墙 { 应用层防火墙 }
- 常用的软件防火墙有两种
linux下: squid
Windows: ISA { Internet Security and Acceleration Server }
- 网络层
- 地址 {目的地址 源地址}
- 协议 {ip icmp arp rarp}
- 传输层
- 协议 {tcp udp}
- 端口 {目的端口 源端口}
- 应用层
账号 内容 域名 url
链表chain
nat
POSTROUTING //路由判断之后的nat SNAT 内网-->外网
PREROUTING //路由判断之前的nat DNAT 外网-->内网
OUTPUT //本机自身发出的报文做DNAT(本机发起的连接不经过PREROUTING,见下文nat表的-L输出)
filter
INPUT //针对主机自身服务进行过滤
OUTPUT //过滤始发地是本机的策略
FORWARD //过滤经过本主机的流量
mangle
POSTROUTING
PREROUTING
INPUT
OUTPUT
FORWARD
语法
iptables -t 类型 指令 chain名称 选项 参数 (省略 -t 时默认操作 filter 表)
类型
-t nat
filter
mangle
指令
-A --append 追加到 chain 末尾(不带编号;若链尾已有 REJECT/DROP 兜底规则,追加在其后的规则永远不会被匹配)
-I --insert 插入 chain 后边加编号
-D --delete 删除 chain 后边加编号
-R --replace 替换 chain 后边加编号
-F --flush //清空链规则
-N --new //自定义新链
-X //删除自定义的空链
-P --policy //设置内建链的默认策略(ACCEPT 或 DROP),即没有任何规则匹配时的处理;出厂默认为 ACCEPT,生产环境 INPUT/FORWARD 建议设为 DROP 做白名单,远程操作时先放通 SSH 再改策略
来源
-s --source 地址/子网/网段
地址 192.168.2.100
子网 192.168.2.32/27
网段 192.168.2.0/24
-i ens33 //进口网卡名称(只能用于 INPUT、FORWARD、PREROUTING 链)
目标
-d --destination 地址/子网/网段
地址 192.168.2.100
子网 192.168.2.32/27
网段 192.168.2.0/24
-o ens33 //出口网卡名称(只能用于 OUTPUT、FORWARD、POSTROUTING 链)
协议
-p tcp/udp/icmp
tcp
--dport 3389
--sport 3389
udp
--dport 8080
--sport 8080
icmp
--icmp-type echo-request
--icmp-type echo-reply
-j SNAT/DNAT/MASQUERADE/ACCEPT/REJECT/DROP/REDIRECT/MARK
MASQUERADE 伪装用来应对像PPPoE这种地址总是变化的情况(自动取出口网卡当前地址作为源地址;出口地址固定时用 SNAT --to-source 更明确)
常用模块
-m mac/iprange/string
mac
[!] --mac-source XX:XX:XX:XX:XX:XX
iprange
[!] --src-range ip[-ip] Match source IP in the specified range
[!] --dst-range ip[-ip] Match destination IP in the specified range
string
--algo kmp Algorithm //算法
--icase Ignore case (default: 0)
[!] --string string Match a string in a packet
time //以下时间默认按 UTC 比较,除非加 --kerneltz 改用系统时区
--datestart time Start and stop time, to be given in ISO 8601 //绝对时间
--datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]]) //绝对时间
--timestart time Start and stop daytime (hh:mm[:ss]) //周期时间
--timestop time (between 00:00:00 and 23:59:59) //周期时间
[!] --monthdays value List of days on which to match, separated by comma
(Possible days: 1 to 31; defaults to all)
[!] --weekdays value List of weekdays on which to match, sep. by comma
(Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
Defaults to all weekdays.)
multiport
[!] --source-ports port[,port:port,port...]
--sports ...
match source port(s)
[!] --destination-ports port[,port:port,port...]
--dports ...
match destination port(s)
[!] --ports port[,port:port,port]
match both source and destination port(s)
- 查看Linux路由表(route 属于已弃用的 net-tools,新系统建议用 ip route)
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.169.255.254 0.0.0.0 UG 100 0 0 ens33
172.169.0.0 0.0.0.0 255.255.0.0 U 100 0 0 ens33
- 安装iptables-services(firewalld 与 iptables-services 操作同一套 netfilter 规则,切换前应先 systemctl stop firewalld 再 disable 或 mask;只 disable 仅取消开机自启,当前进程仍在运行——下文 FORWARD 链里残留的 FORWARD_IN_ZONES 等链很可能就是 firewalld 写入的)
[root@localhost ~]# rpm -qa |grep iptables
iptables-1.4.21-35.el7.x86_64
[root@localhost ~]# yum -y install iptables-services
[root@localhost ~]# service iptables start
Redirecting to /bin/systemctl start iptables.service
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
- 查看iptables策略(-L 不加 -v 不显示进出网卡,下面 INPUT 链第3条看似放通一切,通常其实是 -i lo 的回环规则;审计时务必用 -L -n -v --line-numbers)
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
- 查看核心转发功能是否打开(ip_forward=1 会让本机成为路由器;此时 FORWARD 链默认策略仍是 ACCEPT,任何经过本机的流量都会被转发,应将 FORWARD 默认策略设为 DROP 并只放通需要的流量)
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]# cat /etc/sysctl.d/99-sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]#
- 查看nat信息
[root@localhost ~]# iptables -t nat -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 16 packets, 2677 bytes)
pkts bytes target prot opt in out source destination
- 根据序号删除一条规则,默认是filter规则列表(删除后其后规则的序号会前移,连续删除前要重新用 --line-numbers 查看,否则会删错规则)
[root@localhost ~]# iptables -L FORWARD -n --line-number
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.8-192.168.2.13
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
5 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
6 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
7 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
8 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
9 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
11 DROP tcp -- 192.168.29.129 0.0.0.0/0 tcp dpt:80
[root@localhost ~]# iptables -D FORWARD 1
[root@localhost ~]# iptables -L FORWARD -n --line-number
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
10 DROP tcp -- 192.168.29.129 0.0.0.0/0 tcp dpt:80
[root@localhost ~]#
- 添加一条nat规则(SNAT 依赖 ip_forward=1;! -d 192.168.29.0/24 排除了内网互访不做转换。下面的 ping 是在本机以 192.168.29.128 为源发起的,本机始发的报文同样经过 POSTROUTING,可以验证规则,但更完整的验证应在 192.168.29.0/24 网段的客户端上进行)
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e0:a4:fe brd ff:ff:ff:ff:ff:ff
inet 172.169.10.2/16 brd 172.169.255.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::af06:1875:6b81:99b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e0:a4:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.29.128/24 brd 192.168.29.255 scope global noprefixroute dynamic ens36
valid_lft 1620sec preferred_lft 1620sec
inet6 fe80::126:9a10:e289:eb01/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.29.0/24 ! -d 192.168.29.0/24 -j SNAT --to-source 172.169.10.2
[root@localhost ~]# iptables -t nat -L POSTROUTING 5 -n -v --line
5 0 0 SNAT all -- * * 192.168.29.0/24 !192.168.29.0/24 to:172.169.10.2
[root@localhost ~]# ping -I 192.168.29.128 172.169.10.3
PING 172.169.10.3 (172.169.10.3) from 192.168.29.128 : 56(84) bytes of data.
64 bytes from 172.169.10.3: icmp_seq=1 ttl=64 time=0.716 ms
64 bytes from 172.169.10.3: icmp_seq=2 ttl=64 time=0.328 ms
64 bytes from 172.169.10.3: icmp_seq=3 ttl=64 time=0.334 ms
64 bytes from 172.169.10.3: icmp_seq=4 ttl=64 time=0.368 ms
^C
--- 172.169.10.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.328/0.436/0.716/0.163 ms
[root@localhost ~]#
- 根据序号删除nat规则列表
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all -- 172.169.0.0/16 !172.169.0.0/16 to:172.172.10.1
[root@localhost ~]# iptables -t nat -D POSTROUTING 1
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
[root@localhost ~]#
- 根据序号替换nat规则列表(-R 是原地替换,替换后该序号处应显示新规则 192.168.29.0/24 -> 172.169.10.2,而不会像下面输出那样变为空;下面的列表与操作不对应)
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all -- 172.169.0.0/16 !172.169.0.0/16 to:172.172.10.1
[root@localhost ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.29.0/24 ! -d 192.168.29.0/24 -j SNAT --to-source 172.169.10.2
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
[root@localhost ~]#
- 需要将外网192.168.29.129访问本地IP(192.168.29.128)的3389端口转换为访问192.168.29.1的3389端口
说明:DNAT 后的报文走 FORWARD 链而不是 INPUT,需要 ip_forward=1 且 FORWARD 允许;因为客户端和目标在同一网段,第二条 SNAT 是为了让 192.168.29.1 把回包发回本机(否则回包直达 .129 而被其丢弃),代价是 192.168.29.1 上看到的源地址变成本机,日志中丢失真实客户端地址。下面的 telnet 在网关本机执行时走 nat OUTPUT 而非 PREROUTING(-i ens36 也无法匹配),验证应在 192.168.29.129 上发起连接并用 -v 观察计数器是否增长。
[root@localhost ~]# iptables -t nat -A PREROUTING -s 192.168.29.129 -d 192.168.29.128 -i ens36 -p tcp --dport 3389 -j DNAT --to-destination 192.168.29.1:3389
[root@localhost ~]# iptables -t nat -L PREROUTING 4 -n -v --line
4 0 0 DNAT tcp -- ens36 * 192.168.29.129 192.168.29.128 tcp dpt:3389 to:192.168.29.1:3389
[root@localhost ~]# iptables -t nat -A POSTROUTING -o ens36 -s 192.168.29.129 -d 192.168.29.1 -p tcp --dport 3389 -j SNAT --to-source 192.168.29.128
[root@localhost ~]# iptables -t nat -L POSTROUTING 4 -n -v --line
4 0 0 SNAT tcp -- * ens36 192.168.29.129 192.168.29.1 tcp dpt:3389 to:192.168.29.128
[root@localhost ~]# telnet 192.168.29.128 3389
Trying 192.168.29.128...
Connected to 192.168.29.128.
Escape character is '^]'.
- 保存iptables列表(运行中的规则重启即丢失;service iptables save 写入 /etc/sysconfig/iptables,iptables-save 只打印到标准输出,需要重定向到文件才算保存)
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Tue Jul 12 14:34:41 2022
*filter
:INPUT ACCEPT [1661:119024]
:FORWARD ACCEPT [29:1701]
:OUTPUT ACCEPT [1284:132141]
COMMIT
# Completed on Tue Jul 12 14:34:41 2022
# Generated by iptables-save v1.4.21 on Tue Jul 12 14:34:41 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.29.129/32 -d 192.168.29.128/32 -i ens36 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.29.1:3389
-A POSTROUTING -s 192.168.29.129/32 -d 192.168.29.1/32 -o ens36 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.29.128
COMMIT
# Completed on Tue Jul 12 14:34:41 2022
[root@localhost ~]#
- 清空防火墙规则(iptables -F 只清空默认的 filter 表,不改默认策略、不清 nat/mangle;默认策略为 ACCEPT 时清空等于对外全开放——上面默认的 REJECT 兜底规则也被一并删掉;默认策略为 DROP 时远程执行会把自己锁在外面)
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 20 packets, 1168 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11 packets, 900 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]#
- 开通本机的80端口(-I 插在链首,优先于其后所有规则;未限制源地址,等于对所有来源开放)
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -t filter -L INPUT 1 -n -v --line
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
[root@localhost ~]#
- 不允许本机往外ping
[root@localhost ~]# iptables -t filter -I OUTPUT -p icmp --icmp-type echo-request -j DROP
[root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v --line
1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
[root@localhost ~]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 192.168.10.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@localhost ~]#
- 本机禁ping(REJECT 会回送 ICMP 错误,仍暴露主机存在;DROP 更隐蔽但不利于排障。这里只匹配 echo-request,其余 ICMP 类型不受影响)
[root@localhost ~]# iptables -t filter -I INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
[root@localhost ~]# iptables -t filter -L INPUT 1 -n -v
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-unreachable
[root@localhost ~]# ping 192.168.29.128
PING 192.168.29.128 (192.168.29.128) 56(84) bytes of data.
From 192.168.29.128 icmp_seq=1 Destination Host Unreachable
From 192.168.29.128 icmp_seq=2 Destination Host Unreachable
--- 192.168.29.128 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
[root@localhost ~]#
- 禁止29.129经过本机访问80端口(-A 追加在链尾;前面已有 REJECT all 兜底规则时这条永远不会被匹配——上面 FORWARD 列表第10/11条正是这种情况;应用 -I 或插到兜底规则之前,并用 -v 看计数器确认命中。下面的 -L FORWARD 1 看到的是第1条而不是刚追加的这条)
[root@localhost ~]# iptables -t filter -A FORWARD -s 192.168.29.129 -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -t filter -L FORWARD 1 -n -v
0 0 DROP all -- * ens33 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.8-192.168.2.13
[root@localhost ~]#
- 禁止指定mac访问本机22端口(-m mac 只能用于 PREROUTING/INPUT/FORWARD 链,且只看到同一二层网段的源 MAC,跨路由后看到的是网关的 MAC;MAC 可随意伪造,只能作辅助条件,不能替代基于 IP 的白名单和 SSH 自身的认证)
[root@localhost ~]# iptables -t filter -I INPUT -m mac --mac-source 00:0c:29:2a:be:73 -d 172.169.10.2 -p tcp --dport 22 -j REJECT
[root@localhost ~]# iptables -t filter -L INPUT 1 -n -v
0 0 REJECT tcp -- * * 0.0.0.0/0 172.169.10.2 MAC 00:0C:29:2A:BE:73 tcp dpt:22 reject-with icmp-port-unreachable
[root@localhost ~]#
-禁止一段IP经过本主机
[root@localhost ~]# iptables -t filter -I FORWARD -m iprange --src-range 192.168.2.8-192.168.2.13 -o ens33 -j DROP
[root@localhost ~]# iptables -t filter -L FORWARD 1 -n -v
0 0 DROP all -- * ens33 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.8-192.168.2.13
[root@localhost ~]#
- 禁止本机访问指定/某些网站(-m string 按字节匹配报文内容,既匹配 HTTP 也匹配 DNS 查询——下面 ping 报 "Name or service not known" 很可能是含 baidu 的 DNS 请求被丢弃,而不是 ICMP 被拦;直接访问 IP 或加密载荷可以绕过,且逐包扫描开销大。另外 -s 192.168.0.0/16 -o ens33 要与实际出口流量一致(上面 ens33 的地址是 172.169.10.2),应用 -v 计数器确认规则真正命中)
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (110.242.68.3) 56(84) bytes of data.
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=1 ttl=128 time=11.5 ms
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.545/11.545/11.545/0.000 ms
[root@localhost ~]# iptables -t filter -I OUTPUT -s 192.168.0.0/16 -o ens33 -m string --string baidu --algo kmp -j DROP
[root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v
0 0 DROP all -- * ens33 192.168.0.0/16 0.0.0.0/0 STRING match "baidu" ALGO name kmp TO 65535
[root@localhost ~]# ping www.baidu.com
ping: www.baidu.com: Name or service not known
[root@localhost ~]#
-
每天固定8点到18点禁止源地址段上网,需要+8转换为北京时间(-m time 默认按 UTC 比较,00:00-10:00 UTC 即 08:00-18:00 CST;也可加 --kerneltz 直接用系统时区。注意 OUTPUT 只过滤本机自身发出的报文,要限制经过本机上网的客户端网段应放在 FORWARD 链)
[root@localhost ~]# iptables -I OUTPUT -s 192.168.10.0/24 -m time --timestart 00:00 --timestop 10:00 -j DROP [root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v 0 0 DROP all -- * * 192.168.10.0/24 0.0.0.0/0 TIME from 00:00:00 to 10:00:00 UTC [root@localhost ~]#
-
每周2周4固定8点到18点禁止源地址段上网,需要+8转换为北京时间(同上:时间和星期都按 UTC 判断,或加 --kerneltz;针对客户端网段应放在 FORWARD 链)
[root@localhost ~]# iptables -I OUTPUT -s 192.168.10.0/24 -m time --timestart 00:00 --timestop 10:00 --weekdays 2,4 -j DROP [root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v 0 0 DROP all -- * * 192.168.10.0/24 0.0.0.0/0 TIME from 00:00:00 to 10:00:00 on Tue,Thu UTC [root@localhost ~]#
-
按固定日期时间段匹配,需要+8转换为北京时间(--datestart/--datestop 同样按 UTC;日期建议写成补零的 ISO 8601 形式 2022-07-21T00:00:00)
[root@localhost ~]# iptables -I OUTPUT -s 192.168.10.0/24 -m time --datestart 2022-7-21T00:00:00 --datestop 2022-7-22T10:00:00 -j DROP[root@localhost ~]# [root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v 0 0 DROP all -- * * 192.168.10.0/24 0.0.0.0/0 TIME starting from 2022-07-21 00:00:00 until date 2022-07-22 10:00:00 UTC [root@localhost ~]#
-
丢弃目的端口号:23,24,25以及135,136,137,138,139。在另外的主机上不能访问其中的任何一个端口。(下面只写了 -p tcp;135-139 中的 NetBIOS 137/138 走 UDP,要真正封堵还需再加一条 -p udp -m multiport --dports 135:139 -j DROP)
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dports 23:25,135:139 -j DROP [root@localhost ~]# iptables -t filter -L INPUT 3 -n -v 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 23:25,135:139 [root@localhost ~]#
-
屏蔽2222和12306不连续的两个端口(multiport 的正式选项是 --dports/--destination-ports,--dport 只是被当作无歧义前缀缩写接受,建议写全)
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dport 2222,12306 -j DROP [root@localhost ~]# iptables -t filter -L INPUT -n -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 2222,12306 [root@localhost ~]#
-
放开80和8080不连续的两个端口
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dport 80,8080 -j ACCEPT [root@localhost ~]# iptables -t filter -L INPUT 1 -n -v 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080 [root@localhost ~]#