Linux firewalls
The Linux packet-filtering firewall
The Linux firewall filters at the network layer
It is split into a kernel-space part and a user-space part
- The Linux firewall operates on IP packets
- In practice this means acting on the IP address and port information carried in each packet
The iptables table and chain structure
iptables tables and what they do
- raw table: decides whether the packet is subject to connection (state) tracking
- mangle table: sets marks on the packet
- nat table: rewrites the packet's source or destination IP address or port
- filter table: decides whether the packet is allowed through (the actual filtering)
iptables chains and what they do
- INPUT: handles inbound packets addressed to this host
- OUTPUT: handles outbound packets generated by this host
- FORWARD: handles packets being forwarded through this host
- POSTROUTING: handles packets after the routing decision has been made
- PREROUTING: handles packets before the routing decision is made
Order in which the tables are consulted
raw–>mangle–>nat–>filter
Order in which the chains are traversed
Inbound: PREROUTING–>INPUT
Outbound: OUTPUT–>POSTROUTING
Forwarded: PREROUTING–>FORWARD–>POSTROUTING
Matching order within a chain
- Rules are checked one by one from the top; the first rule that matches decides and evaluation stops
- If no rule matches, the chain's default policy is applied
Installing iptables
First disable the firewalld firewall
Then install the iptables service:
[root@localhost ~]# yum -y install iptables-services.x86_64
iptables command syntax
iptables -t <table> <option> [chain] [match conditions] [-j <target>]
Common packet control types (targets)
- ACCEPT: let the packet through
- DROP: discard the packet silently, sending no response
- REJECT: refuse the packet and send an error back to the sender
- LOG: log the packet only; it does not decide the packet's fate, so evaluation continues with the next rule
Adding new rules
- -A: append a rule at the end of the chain
- -I: insert a rule at the head of the chain, or at the given rule number
Common iptables operations
- iptables -t filter/nat -L  list the filter or nat table
[root@localhost ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
- iptables -t filter -L -n  show addresses and ports as numbers instead of names
[root@localhost ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
- iptables -t filter -L -v  show more detail (packet and byte counters, interfaces)
[root@localhost ~]# iptables -t filter -L -v
Chain INPUT (policy ACCEPT 17463 packets, 31M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:bootps
These options are usually combined:
[root@localhost ~]# iptables -t filter -vnL
Chain INPUT (policy ACCEPT 17486 packets, 31M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
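The -vnL listings above are the main evidence an administrator has of what a ruleset is really doing. The following added example (my code, not part of the original notes or of iptables) parses that listing format into records and then answers two audit questions: which DROP/REJECT rules have a non-zero packet counter, i.e. have actually blocked traffic, and which built-in chains still let unmatched traffic through because their policy is ACCEPT and no final catch-all DROP/REJECT rule closes them. The SAMPLE_VNL text, including the ens33 interface and the counter values, is constructed from listings like the ones on this page; the K/M/G/T suffix handling mirrors how -v abbreviates large counters (pass -x to iptables for exact values).

```python
"""Parse `iptables -vnL` output into rule records, then report which DROP/REJECT
rules have actually matched traffic and which built-in chains still default to
ACCEPT.  Added example; SAMPLE_VNL is constructed from listings like this page's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_VNL = """\
Chain INPUT (policy ACCEPT 18 packets, 1188 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.3.2          0.0.0.0/0            tcp dpt:80
   19  1988 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   14   924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2048 1321K DROP       all  --  *      ens33   0.0.0.0/0            0.0.0.0/0
"""

# Built-in chains print `Chain NAME (policy P [N packets, N bytes])`; user-defined
# chains print `Chain NAME (N references)` and carry no policy.
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+)(?: (\S+) packets, (\S+) bytes)?|\d+ references)\)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
TERMINATING = ("DROP", "REJECT")


def parse_counter(text):
    """-v abbreviates large counters with a decimal K/M/G/T suffix (-x prints exact
    values); undo the suffix, accepting that the rounding is lost."""
    return int(text[:-1]) * SUFFIX[text[-1]] if text[-1] in SUFFIX else int(text)


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "tcp dpt:80" or "state RELATED,ESTABLISHED"


@dataclass
class Chain:
    name: str
    policy: Optional[str]
    pkts: int = 0
    bytes: int = 0
    rules: List[Rule] = field(default_factory=list)


def parse_vnl(text):
    """Return {chain name: Chain}, in listing order, from `iptables -vnL` output."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes target"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pk, by = m.groups()
            current = Chain(name, policy, parse_counter(pk or "0"), parse_counter(by or "0"))
            chains[name] = current
            continue
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        parts = line.split(None, 9)  # nine fixed columns, then free-form match text
        if len(parts) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        pkts, byts, target, prot, opt, in_if, out_if, src, dst = parts[:9]
        extra = parts[9] if len(parts) > 9 else ""
        current.rules.append(Rule(parse_counter(pkts), parse_counter(byts), target,
                                  prot, opt, in_if, out_if, src, dst, extra))
    return chains


def terminating_rules_with_traffic(chains):
    """(chain, 1-based rule number, rule) for each DROP/REJECT rule with a non-zero
    packet counter, i.e. the rules that have really blocked something."""
    return [(c.name, n, r) for c in chains.values()
            for n, r in enumerate(c.rules, start=1)
            if r.target in TERMINATING and r.pkts > 0]


def is_catch_all(rule):
    """True when the rule carries no protocol, interface, address or extra match."""
    return (rule.prot == "all" and rule.in_if == "*" and rule.out_if == "*"
            and rule.source == "0.0.0.0/0" and rule.destination == "0.0.0.0/0"
            and not rule.extra)


def default_allow_chains(chains):
    """Chains that let unmatched traffic through: policy ACCEPT and no final
    catch-all DROP/REJECT rule."""
    open_chains = []
    for c in chains.values():
        last = c.rules[-1] if c.rules else None
        closed = last is not None and last.target in TERMINATING and is_catch_all(last)
        if c.policy == "ACCEPT" and not closed:
            open_chains.append(c.name)
    return open_chains
```

Feed it the output of `iptables -vnL` (for example via `subprocess.run(["iptables", "-vnL"], capture_output=True, text=True).stdout`) and `default_allow_chains` will list the chains that still need either a DROP policy or a closing REJECT rule, while `terminating_rules_with_traffic` points at the rules whose counters prove they are hitting something and are therefore worth a look in the logs.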
- iptables -t filter -F  flush all rules from the filter table
[root@localhost ~]# iptables -t filter -F
- iptables -t filter -X  delete user-defined chains
[root@localhost ~]# iptables -t filter -X
- iptables -t filter -Z  zero the packet and byte counters
[root@localhost ~]# iptables -t filter -Z
- iptables -t filter -A INPUT -j REJECT  reject all inbound packets
[root@localhost ~]# iptables -t filter -A INPUT -j REJECT
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- iptables -D INPUT 1  delete a rule from a chain by its rule number
[root@localhost ~]# iptables -D INPUT 1
- iptables -P INPUT DROP  set the chain's default policy
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- iptables -R INPUT 1 -j REJECT  replace an existing rule; the rule number is required
[root@localhost ~]# iptables -R INPUT 1 -j REJECT
- Block host 192.168.3.2 from pinging this machine: an inbound rule whose source IP is 192.168.3.2
[root@localhost ~]# iptables -A INPUT -p icmp -s 192.168.3.2 -j DROP
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 192.168.3.2 anywhere
[root@server ~]# ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
- Block this machine from reaching the TCP services on 192.168.3.2: an outbound rule whose destination IP is 192.168.3.2
[root@localhost ~]# iptables -A OUTPUT -p tcp -d 192.168.3.2 -j DROP
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere 192.168.3.2
Traffic can also be matched by network interface; the INPUT chain pairs with -i (the incoming interface)
[root@localhost ~]# iptables -A INPUT -i ens33 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 13 packets, 868 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- ens33 * 0.0.0.0/0 0.0.0.0/0
The OUTPUT chain pairs with -o (the outgoing interface)
[root@localhost ~]# iptables -A OUTPUT -o ens33 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- ens33 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.3.2
0 0 DROP all -- * ens33 0.0.0.0/0 0.0.0.0/0
- Ports can be matched as well: block 192.168.3.2 from reaching port 80 on the firewall
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -s 192.168.3.2 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 18 packets, 1188 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.3.2 0.0.0.0/0 tcp dpt:80
- ! negates a match: the rule then applies to everything except the stated condition, here every protocol other than ICMP
[root@localhost ~]# iptables -A INPUT ! -p icmp -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 18 packets, 1188 bytes)
pkts bytes target prot opt in out source destination
19 1988 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
- ICMP request and reply packets can be matched separately: block ping requests from 192.168.3.2 to the firewall
[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.3.2 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 192.168.3.2 0.0.0.0/0 icmptype 8
- echo-request can also be written as ICMP type 8
- echo-reply can also be written as ICMP type 0
- Matching several ports at once: block 192.168.3.2 from reaching ports 20, 23 and 80 on the firewall
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dport 20,23,80 -s 192.168.3.2 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 30 packets, 1980 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.3.2 0.0.0.0/0 multiport dports 20,23,80
- A contiguous range of ports is written with a colon, e.g. 20:80 for ports 20 through 80
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dport 20:80 -s 192.168.3.2 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.3.2 0.0.0.0/0 multiport dports 20,23,80
0 0 DROP tcp -- * * 192.168.3.2 0.0.0.0/0 multiport dports 20:80
- Address ranges: block hosts 192.168.3.2 through 192.168.3.211 from pinging the firewall (note that the command below uses --dst-range, which tests the packet's destination address; to match the sending hosts described here, the iprange module's --src-range option is the one to use)
[root@localhost ~]# iptables -A INPUT -p icmp -m iprange --dst-range 192.168.3.2-192.168.3.211 -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 528 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.3.2-192.168.3.211
- Matching on the source MAC address (only meaningful in the PREROUTING, INPUT and FORWARD chains, where the incoming frame is still known)
[root@localhost ~]# iptables -A INPUT -p icmp -m mac --mac-source 00:0c:29:e5:4b:ad -j DROP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:0C:29:E5:4B:AD
- Matching on connection state
[root@localhost ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
14 924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
These rules are only in effect until the iptables service restarts or the host reboots; to make them permanent, write them into /etc/sysconfig/iptables, the file the iptables service loads at boot (in iptables-save format)
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
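Two things on this page are easier to see in code than in prose: the matching order inside a chain (top to bottom, first match wins, otherwise the default policy), and the saved-ruleset format above. The following added example (my code, not part of these notes or of iptables) parses a ruleset in the /etc/sysconfig/iptables format and replays the first-match walk for a packet described as a plain dict. RULESET is the page's own filter table; the packets, the 192.168.3.1 firewall address and the insert_rule helper are my constructions. The parser deliberately covers only the matches used on this page (-p and `! -p`, -s, -d, -i, -o, --dport, --state, --icmp-type); anything else raises rather than being silently ignored.

```python
"""Parse a ruleset in the /etc/sysconfig/iptables (iptables-save) format and
replay the first-match walk iptables performs on a chain.  Added example, not
iptables itself: only the matches used on this page are implemented."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The filter table exactly as listed on the page's /etc/sysconfig/iptables.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
ICMP_TYPES = {"echo-request": 8, "echo-reply": 0}  # the two names the page uses


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    negate_proto: bool = False
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None
    icmp_type: Optional[int] = None


def parse_rule(line):
    """Turn one `-A CHAIN ... -j TARGET` line into a Rule."""
    toks, r, negate, i = shlex.split(line), Rule(chain="", target=""), False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # `! -p icmp`: negate the next match
            negate, i = True, i + 1
            continue
        if negate and t != "-p":
            raise ValueError("negation is only implemented for -p in this example")
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "-A": r.chain = val
        elif t == "-j": r.target = val
        elif t == "-p": r.proto, r.negate_proto = val, negate
        elif t == "-s": r.src = ipaddress.ip_network(val, strict=False)
        elif t == "-d": r.dst = ipaddress.ip_network(val, strict=False)
        elif t == "-i": r.in_if = val
        elif t == "-o": r.out_if = val
        elif t == "--dport": r.dport = int(val)
        elif t == "--state": r.states = frozenset(val.split(","))
        elif t == "--icmp-type": r.icmp_type = int(val) if val.isdigit() else ICMP_TYPES[val]
        elif t in ("-m", "--reject-with"): pass   # module name / reject reason: no match effect
        else: raise ValueError(f"unsupported option {t!r}")
        negate, i = False, i + 2
    if not r.chain or not r.target:
        raise ValueError(f"rule needs -A and -j: {line!r}")
    return r


def parse_ruleset(text):
    """Return ({chain: policy}, [Rule, ...]) for the *filter table of a saved ruleset."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter":             # nat/mangle/raw rules are not simulated here
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def matches(r, pkt):
    """Every match set on the rule must hold for the packet (a plain dict)."""
    if r.proto is not None and (pkt["proto"] == r.proto) == r.negate_proto: return False
    if r.src is not None and ipaddress.ip_address(pkt["src"]) not in r.src: return False
    if r.dst is not None and ipaddress.ip_address(pkt["dst"]) not in r.dst: return False
    if r.in_if is not None and pkt.get("in_if") != r.in_if: return False
    if r.out_if is not None and pkt.get("out_if") != r.out_if: return False
    if r.dport is not None and pkt.get("dport") != r.dport: return False
    if r.states is not None and pkt.get("state") not in r.states: return False
    if r.icmp_type is not None and pkt.get("icmp_type") != r.icmp_type: return False
    return True


def verdict(policies, rules, chain, pkt):
    """Walk the chain top to bottom: the first matching rule decides, else the policy."""
    for r in rules:
        if r.chain == chain and matches(r, pkt):
            return r.target
    return policies[chain]


def insert_rule(rules, rule, position=1):
    """Emulate `iptables -I CHAIN [position]` (1-based within that chain); `-A` is rules.append."""
    idx = [i for i, r in enumerate(rules) if r.chain == rule.chain]
    at = idx[position - 1] if position - 1 < len(idx) else len(rules)
    rules.insert(at, rule)
```

With the page's ruleset, a NEW connection to port 22 is accepted by the fourth INPUT rule, a NEW connection to port 80 falls through to the final REJECT, and an ESTABLISHED packet to port 80 is accepted by the very first rule. The -A versus -I difference shows up the same way: appending a rule that drops echo-requests from 192.168.3.2 changes nothing, because the earlier `-p icmp -j ACCEPT` rule already matched, whereas inserting it at position 1 makes the ping get dropped.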