[CentOS 7 Notes 42] Firewalls and the iptables filter table #171129

hellopasswd


firewalld and netfilter

  • setenforce 0 #temporarily disable SELinux
  • /etc/selinux/config #permanently disable SELinux
  • CentOS 7 switched to the firewalld firewall; earlier versions used the netfilter (iptables) firewall
  • To disable firewalld and enable netfilter:
  • systemctl stop firewalld
  • systemctl disable firewalld
  • yum install -y iptables-services
  • systemctl enable iptables
  • systemctl start iptables
[root@localhost ~]# vi /etc/selinux/config
	# This file controls the state of SELinux on the system.
	# SELINUX= can take one of these three values:
	#     enforcing - SELinux security policy is enforced.
	#     permissive - SELinux prints warnings instead of enforcing.
	#     disabled - No SELinux policy is loaded.
	SELINUX=enforcing
	# SELINUXTYPE= can take one of these two values:
	#     targeted - Targeted processes are protected,
	#     minimum - Modification of targeted policy. Only selected processes are protected.
	#     mls - Multi Level Security protection.
	SELINUXTYPE=targeted

Changing SELINUX=enforcing to SELINUX=disabled disables SELinux permanently (the change applies from the next boot)

[root@localhost ~]# getenforce
	Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
	Permissive

Disable firewalld

[root@localhost ~]# systemctl disable firewalld
	Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
	Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# yum install -y iptables-services
	Loaded plugins: fastestmirror
	Loading mirror speeds from cached hostfile
	 * epel: mirrors.tongji.edu.cn
	Resolving Dependencies
	--> Running transaction check
	---> Package iptables-services.x86_64 0:1.4.21-18.2.el7_4 will be installed
	--> Processing Dependency: iptables = 1.4.21-18.2.el7_4 for package: iptables-services-1.4.21-18.2.el7_4.x86_64
	--> Running transaction check
	---> Package iptables.x86_64 0:1.4.21-13.el7 will be updated
	---> Package iptables.x86_64 0:1.4.21-18.2.el7_4 will be an update
	--> Finished Dependency Resolution

	Dependencies Resolved

	===================================================================================================
	 Package                     Arch             Version                      Repository         Size
	===================================================================================================
	Installing:
	 iptables-services           x86_64           1.4.21-18.2.el7_4            updates            51 k
	Updating for dependencies:
	 iptables                    x86_64           1.4.21-18.2.el7_4            updates           428 k

	Transaction Summary
	===================================================================================================
	Install  1 Package
	Upgrade             ( 1 Dependent package)

	Total download size: 479 k
	Downloading packages:
	Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
	(1/2): iptables-services-1.4.21-18.2.el7_4.x86_64.rpm                       |  51 kB  00:00:00     
	(2/2): iptables-1.4.21-18.2.el7_4.x86_64.rpm                                | 428 kB  00:00:00     
	---------------------------------------------------------------------------------------------------
	Total                                                              599 kB/s | 479 kB  00:00:00     
	Running transaction check
	Running transaction test
	Transaction test succeeded
	Running transaction
	  Updating   : iptables-1.4.21-18.2.el7_4.x86_64                                               1/3 
	  Installing : iptables-services-1.4.21-18.2.el7_4.x86_64                                      2/3 
	  Cleanup    : iptables-1.4.21-13.el7.x86_64                                                   3/3 
	  Verifying  : iptables-services-1.4.21-18.2.el7_4.x86_64                                      1/3 
	  Verifying  : iptables-1.4.21-18.2.el7_4.x86_64                                               2/3 
	  Verifying  : iptables-1.4.21-13.el7.x86_64                                                   3/3 

	Installed:
	  iptables-services.x86_64 0:1.4.21-18.2.el7_4                                                     

	Dependency Updated:
	  iptables.x86_64 0:1.4.21-18.2.el7_4                                                              

	Complete!
[root@localhost ~]# systemctl enable iptables
	Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   45  2996 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		1   244 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 25 packets, 2628 bytes)
	 pkts bytes target     prot opt in     out     source               destination 

netfilter's 5 tables and 5 chains

  • filter table: packet filtering, the most used table; has the INPUT, FORWARD and OUTPUT chains

  • nat table: network address translation; has the PREROUTING, OUTPUT and POSTROUTING chains

  • mangle table: marks packets; almost never used

  • raw table: exempts certain packets from connection tracking

  • security table: not present in CentOS 6; holds network rules for Mandatory Access Control (MAC)

  • Packet flow and netfilter's 5 chains:

  • PREROUTING: before the packet enters the routing table

  • INPUT: after routing, the destination is the local host

  • FORWARD: after routing, the destination is not the local host

  • OUTPUT: generated by the local host, going out

  • POSTROUTING: just before the packet leaves through the network interface

The iptables filter table

  • iptables -F #flush all rules
  • service iptables save #save the rules
  • iptables -t nat #-t selects the table
  • iptables -Z #zero the counters
  • iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
  • iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP #-I inserts, -A appends, -D deletes
  • iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
  • iptables -nvL --line-numbers
  • iptables -D INPUT 1
  • iptables -P INPUT DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  193 12868 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		6   552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	   10  2365 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 112 packets, 12324 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

The iptables rules are stored in the configuration file /etc/sysconfig/iptables

[root@localhost ~]# cat /etc/sysconfig/iptables
	# sample configuration for iptables service
	# you can edit this manually or use system-config-firewall
	# please do not ask us to add additional ports/services to this default configuration
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p icmp -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited
	COMMIT
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# cat /etc/sysconfig/iptables
	# sample configuration for iptables service
	# you can edit this manually or use system-config-firewall
	# please do not ask us to add additional ports/services to this default configuration
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p icmp -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited
	COMMIT

Restarting the service resets the iptables rules to those saved in the file

[root@localhost ~]# service iptables restart
	Redirecting to /bin/systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 5 packets, 716 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# service iptables save

[root@localhost ~]# iptables -t filter -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   68  4536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 38 packets, 5024 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -t nat -nvL
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination 

iptables -Z #zero the pkts and bytes counters

[root@localhost ~]# iptables -Z ; iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination 

[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP/REJECT

iptables -A #append the rule at the end of the chain

[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  354 23684 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   13  1196 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  383 47064 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 23 packets, 2212 bytes)
	 pkts bytes target     prot opt in     out     source               destination

The new rule landed at the bottom of the chain, after the catch-all REJECT rule, so no packet will ever reach it:

0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80

iptables -I #insert the rule at the front of the chain

[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
	  513 35132 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   13  1196 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  384 47308 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 7 packets, 1156 bytes)
	 pkts bytes target     prot opt in     out     source               destination 

iptables -D #delete a rule

[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  605 42492 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   17  1564 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  672 75245 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 19 packets, 1972 bytes)
	 pkts bytes target     prot opt in     out     source               destination  
[root@localhost ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  744 55092 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  673 75489 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
	 pkts bytes target     prot opt in     out     source               destination  

When deleting a rule, retyping the whole rule can be tedious, or you may have forgotten how it was written; in that case delete it by rule number:


[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
	  912 70948 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
		0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	   18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	  674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
		0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 7 packets, 1364 bytes)
	 pkts bytes target     prot opt in     out     source               destination

iptables -nvL --line-number #list the rules with their numbers (the numbers shift after every deletion, so re-list before deleting again)

[root@localhost ~]# iptables -nvL --line-number
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
	2     1010 77416 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
	4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	5       18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	6      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
	7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 59 packets, 7820 bytes)
	num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -D INPUT 7
	iptables: Index of deletion too big.
[root@localhost ~]# iptables -D INPUT 6
[root@localhost ~]# iptables -nvL --line-number
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1     1165 87732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
	3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	4       19  1748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	5      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy ACCEPT 42 packets, 4056 bytes)
	num   pkts bytes target     prot opt in     out     source               destination
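The numbered listing also makes a shadowed rule visible: rule 7 (the DROP appended with -A) sits below rule 6, the REJECT that matches every packet, so its counters will stay at 0 forever. The following Python script is an added example, not code from the notes: it parses the `iptables -nvL --line-numbers` output format and reports every rule that sits below a catch-all terminating rule. The sample listing is copied from the session above; `parse_listing`, `is_catch_all`, `find_shadowed` and `audit` are names chosen for this example.

```python
"""Audit an `iptables -nvL --line-numbers` listing for shadowed rules.
Added example, not code from the notes: it parses the listing format iptables
prints and flags every rule that sits below a catch-all terminating rule, since
no packet can ever reach it (the notes' rule 7 below the REJECT at 6)."""
import re

# Listing copied from the notes' session (trailing whitespace trimmed).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2     1010 77416 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5       18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \(policy (?P<policy>\S+)")
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<inif>\S+)\s+(?P<outif>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # targets that end traversal of the chain


def parse_listing(text):
    """Return {chain: {"policy": ..., "rules": [rule dicts in listing order]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group("name")
            chains[current] = {"policy": m.group("policy"), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and current:
            rule = m.groupdict()
            for k in ("num", "pkts", "bytes"):
                rule[k] = int(rule[k])
            rule["extra"] = rule["extra"].strip()   # match criteria or target options
            chains[current]["rules"].append(rule)
    return chains


def is_catch_all(rule):
    """A terminating rule with no match criteria at all: every packet stops here."""
    target_opts_only = rule["extra"] == "" or rule["extra"].startswith("reject-with")
    return (rule["target"] in TERMINATING and rule["prot"] == "all"
            and rule["inif"] == "*" and rule["outif"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and target_opts_only)


def find_shadowed(rules):
    """(shadowed rule number, catch-all rule number) for every rule below the first catch-all."""
    shadowed, blocker = [], None
    for rule in rules:
        if blocker is not None:
            shadowed.append((rule["num"], blocker))
        elif is_catch_all(rule):
            blocker = rule["num"]
    return shadowed


def audit(text):
    """Return {chain: [(shadowed, blocker), ...]} for the chains that have shadowed rules."""
    chains = parse_listing(text)
    result = {}
    for name, chain in chains.items():
        shadowed = find_shadowed(chain["rules"])
        if shadowed:
            result[name] = shadowed
    return result


if __name__ == "__main__":
    for name, pairs in audit(SAMPLE).items():
        for shadowed, blocker in pairs:
            print(f"{name}: rule {shadowed} can never match, rule {blocker} catches everything first")
```

Run it on the output of `iptables -nvL --line-numbers` from a real host instead of `SAMPLE` and it reports the same kind of finding: a rule with counters stuck at 0 below a catch-all is dead weight, and deleting it by number (as the notes do with `iptables -D INPUT 7`) or inserting it above the catch-all with `-I` is the fix.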

iptables -P #set the chain's default policy

[root@localhost ~]# iptables -P OUTPUT DROP

Setting a DROP policy from an SSH terminal breaks the session: packets still arrive on port 22, but the replies can no longer be sent back to the client, so the client receives nothing and the terminal connection is cut off. The fix is to change the policy back to ACCEPT on the host's local console.

[root@localhost ~]# iptables -nvL --line-number
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1     1165 87732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
	3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
	4       19  1748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
	5      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	num   pkts bytes target     prot opt in     out     source               destination         
	1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

	Chain OUTPUT (policy DROP 37 packets, 24648 bytes)
	num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -P OUTPUT ACCEPT

-s #source IP  -p #protocol  --sport #source port  -d #destination IP  --dport #destination port  -j #action (target)

#A small iptables case study

vi /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                                                        # flush the existing rules
$ipt -P INPUT DROP                                             # default policy: drop everything inbound
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # keep existing connections alive
$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT  # SSH only from the LAN
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # HTTP
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # FTP control port

icmp example
iptables -I INPUT -p icmp --icmp-type 8 -j DROP

[root@localhost ~]# vim /usr/local/sbin/iptables.sh
	#!/bin/bash
	ipt="/usr/sbin/iptables"
	$ipt -F
	$ipt -P INPUT DROP
	$ipt -P OUTPUT ACCEPT
	$ipt -P FORWARD ACCEPT
	$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
	$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
	$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
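To see why the DROP rule appended with -A above never matched, why the one inserted with -I did, why `-P OUTPUT DROP` cut the SSH session, and what the case-study script lets through, the following Python script is an added example (not code from the notes) that models the filter table with first-match semantics. It supports only the flags used in these notes; `Filter`, `matches` and `demo` are names chosen for this example, and the packets are constructed samples that reuse addresses from the notes' sessions.

```python
"""First-match evaluator for iptables filter rules (an added example, not code from the
notes). It supports only the flags the notes use (-A/-I/-D/-P/-F, -s/-d/-p/-i, --sport,
--dport, -m state --state, --icmp-type, -j) and replays the notes' commands against
constructed packets to show that rule order and the chain policy decide the verdict."""
import ipaddress
import shlex

# iptables flag -> key in the rule dict; target options are stored but never matched on
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "in", "--sport": "sport",
        "--dport": "dport", "--state": "state", "--icmp-type": "icmp_type",
        "-j": "target", "--reject-with": "reject_with"}


class Filter:
    def __init__(self, commands=()):
        self.chains = {n: {"policy": "ACCEPT", "rules": []} for n in ("INPUT", "FORWARD", "OUTPUT")}
        for cmd in commands:
            self.run(cmd)

    def run(self, cmdline):
        """Apply one iptables command line (filter table only; -t is not supported)."""
        argv = shlex.split(cmdline)
        argv = argv[1:] if argv and argv[0].endswith("iptables") else argv
        op, chain, pos, rule, i = None, None, None, {}, 0
        while i < len(argv):
            a = argv[i]
            if a == "-F":                                   # flush every chain, keep policies
                for c in self.chains.values():
                    c["rules"].clear()
                return
            if a == "-P":                                   # set a chain's default policy
                self.chains[argv[i + 1]]["policy"] = argv[i + 2]
                return
            if a in ("-A", "-I", "-D"):
                op, chain, i = a, self.chains[argv[i + 1]], i + 2
                if i < len(argv) and argv[i].isdigit():     # optional rule number
                    pos, i = int(argv[i]), i + 1
                continue
            if a == "-m":                                   # match-module names add nothing here
                i += 2
                continue
            rule[OPTS[a]], i = argv[i + 1], i + 2
        if op == "-A":                                      # append: lands at the bottom
            chain["rules"].append(rule)
        elif op == "-I":                                    # insert: position 1 unless given
            chain["rules"].insert((pos or 1) - 1, rule)
        elif op == "-D":                                    # delete by number or by exact spec
            chain["rules"].pop(pos - 1 if pos else chain["rules"].index(rule))

    def verdict(self, chain_name, pkt):
        """Walk the chain: the first matching rule wins, otherwise the policy applies."""
        chain = self.chains[chain_name]
        for num, rule in enumerate(chain["rules"], 1):
            if matches(rule, pkt):
                return rule["target"], num
        return chain["policy"], None


def matches(rule, pkt):
    """Every match option present in the rule must agree with the packet."""
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    for key in ("proto", "in", "icmp_type", "sport", "dport"):
        if key in rule and str(rule[key]) != str(pkt.get(key)):
            return False
    return "state" not in rule or pkt.get("state") in rule["state"].split(",")


BASELINE = [  # /etc/sysconfig/iptables as shipped with iptables-services (from the notes)
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
CASE_STUDY = [  # the notes' /usr/local/sbin/iptables.sh
    "-F", "-P INPUT DROP", "-P OUTPUT ACCEPT", "-P FORWARD ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -p tcp --dport 21 -j ACCEPT",
]


def demo():
    """Replay the notes' experiments; returns {label: (target, matching rule number or None)}."""
    # constructed sample packets, addresses reused from the notes' sessions
    web = {"src": "192.168.188.1", "dst": "192.168.188.128", "proto": "tcp", "sport": 1234, "dport": 80, "state": "NEW"}
    ping = {"src": "192.168.9.10", "dst": "192.168.9.134", "proto": "icmp", "icmp_type": 8, "state": "NEW"}
    ssh = {"src": "192.168.133.7", "dst": "192.168.133.128", "proto": "tcp", "sport": 50000, "dport": 22, "state": "NEW"}
    out, fw = {}, Filter(BASELINE)
    fw.run("-A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP")
    out["appended_after_reject"] = fw.verdict("INPUT", web)     # the catch-all REJECT (rule 5) wins
    fw.run("-I INPUT -p tcp --dport 80 -j DROP")
    out["inserted_at_top"] = fw.verdict("INPUT", web)            # the new rule 1 wins
    fw.run("-I INPUT -p icmp --icmp-type 8 -j DROP")
    out["echo_request_in"] = fw.verdict("INPUT", ping)           # inbound ping is dropped
    out["echo_reply_in"] = fw.verdict("INPUT", dict(ping, icmp_type=0, state="ESTABLISHED"))
    fw.run("-P OUTPUT DROP")                                     # the lockout from the notes
    out["ssh_reply_out"] = fw.verdict("OUTPUT", {"src": "192.168.133.128", "dst": "192.168.133.7", "proto": "tcp", "sport": 22, "dport": 50000, "state": "ESTABLISHED"})
    fw = Filter(CASE_STUDY)
    out["ssh_from_lan"] = fw.verdict("INPUT", ssh)
    out["ssh_from_elsewhere"] = fw.verdict("INPUT", dict(ssh, src="10.0.0.5"))
    return out
```

`demo()` returns, for each labelled packet, the target and the number of the rule that decided it (`None` when the chain policy applied). The appended rule never decides anything because rule 5 rejects first; the inserted rule becomes number 1 and wins; an echo request is dropped while the echo reply to the host's own outgoing ping is still accepted, which is the "ping out works, ping in fails" behaviour shown below; with `-P OUTPUT DROP` and no OUTPUT rules every reply falls to the policy, which is the lockout described above; and under the case-study script a new SSH connection is accepted only from 192.168.133.0/24, everything else dropping to the INPUT policy.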

In TCP, the ESTABLISHED state keeps existing connections alive; RELATED covers new connections that belong to an existing one.

[root@localhost ~]# w
	 22:10:01 up 1 day, 20:48,  2 users,  load average: 0.00, 0.01, 0.05
	USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
	root     tty1      06:40   15:23m  0.42s  0.42s -bash
	root     pts/0     21:50    1.00s  0.45s  0.00s w
[root@localhost ~]# sh /usr/local/sbin/iptables.sh 
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy DROP 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
	 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -nvL
	Chain INPUT (policy DROP 1 packets, 229 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	   41  2712 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
		0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
		0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 27 packets, 3628 bytes)
	 pkts bytes target     prot opt in     out     source               destination  
[root@localhost ~]# service iptables restart	#restarts the iptables service
	Redirecting to /bin/systemctl restart iptables.service

As you can see, the pkts and bytes counters are growing.

icmp case study: Windows

C:\Users\Administrator>ping 192.168.9.134
	
	正在 Ping 192.168.9.134 具有 32 字节的数据:
	来自 192.168.9.134 的回复: 字节=32 时间<1ms TTL=64
	来自 192.168.9.134 的回复: 字节=32 时间<1ms TTL=64
	来自 192.168.9.134 的回复: 字节=32 时间<1ms TTL=64
	来自 192.168.9.134 的回复: 字节=32 时间<1ms TTL=64

	192.168.9.134 的 Ping 统计信息:
	    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
	往返行程的估计时间(以毫秒为单位):
	    最短 = 0ms,最长 = 0ms,平均 = 0ms

Linux

[root@localhost ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP

ICMP is now blocked; --icmp-type 8 refers to ICMP type 8, the echo request that ping sends.

Windows

C:\Users\Administrator>ping 192.168.9.134

	正在 Ping 192.168.9.134 具有 32 字节的数据:
	请求超时。
	请求超时。
	请求超时。
	请求超时。

	192.168.9.134 的 Ping 统计信息:
	    数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),

Linux

[root@localhost ~]# ping www.qq.com
	PING www.qq.com (120.198.201.156) 56(84) bytes of data.
	64 bytes from 120.198.201.156: icmp_seq=1 ttl=128 time=32.3 ms
	64 bytes from 120.198.201.156: icmp_seq=2 ttl=128 time=11.9 ms
	64 bytes from 120.198.201.156: icmp_seq=3 ttl=128 time=28.6 ms
	^C
	--- www.qq.com ping statistics ---
	3 packets transmitted, 3 received, 0% packet loss, time 2004ms
	rtt min/avg/max/mdev = 11.991/24.342/32.349/8.862 ms
[root@localhost ~]# ping 192.168.9.134
	PING 192.168.9.134 (192.168.9.134) 56(84) bytes of data.
	^C
	--- 192.168.9.134 ping statistics ---
	5 packets transmitted, 0 received, 100% packet loss, time 4001ms

Pinging external hosts works, but pinging the local machine does not.

A problem that came up: while doing this experiment I had set 192.168.9.134 www.qq.com in /etc/hosts, which made the ping fail; the reason is that it was pinging the machine's own IP.

[root@localhost ~]# ping www.qq.com
	PING www.qq.com (192.168.9.134) 56(84) bytes of data.
	^C
	--- www.qq.com ping statistics ---
	11 packets transmitted, 0 received, 100% packet loss, time 10000ms

The host can still ping the outside, but outside hosts can no longer ping it.


Revised on 171129

Reprinted from: https://my.oschina.net/hellopasswd/blog/1581789
