iptables学习总结(一)

1、显示当前iptables状态(-n表示以数字形式显示IP地址和端口,默认会自动对ip地址进行解析为机器名或网络名,这需要花费不少时间,若不使用-n选项,则iptables -L常会出现停顿现象)

     #iptables -L -n

   当然,也可以直接使用

     #iptables-save

      命令,也将显示目前正在使用的iptables,显示结果只是格式不同而已。

2、添加或修改iptables后,建议对iptables进行保存.

     #iptables-save > iptables-script

     重新加载iptables规则,使用命令:

     #iptables-restore iptables-script

3、若要在iptables重启后保持修改后的状态,则需要执行下面的命令

    #service iptables save

    现在执行 service iptables restart命令,在使用 iptables -L -n,你会发现结果就是你之前修改后的结果,而不再是系统默认的iptables规则了。

4、iptables -[command] chain,command选项解释如下:

--flush   -F [chain]          Delete all rules in chain or all chains //删除所有链中的所有规则(包括用户自定义链)
--zero    -Z [chain]          Zero counters in chain or all chains //把所有链中的规则计数器清零(不知道这样翻译对不对:))
--new     -N chain            Create a new user-defined chain //创建一个新的用户自定义链
--delete-chain
           -X [chain]          Delete a user-defined chain //删除一个用户自定义链
--policy -P chain target
                               Change policy on chain to target //设置链的默认政策
--rename-chain
           -E old-chain new-chain
                               Change chain name, (moving any references) //重命名链名(用户自定义链)

5、一般在定义任何规则之前,需要执行以下命令:

#iptables -F #删除所有规则
#iptables -Z #删除所有规则
#iptables -X #删除自定义链
#iptables -t -nat -F #删除nat表里所有规则


iptables学习研究(二) 收藏
下面给出简单的iptables规则定义的步骤与方法:

第一步:清楚所有以定义的规则和用户自定义规则

#iptables -F
#iptables -X
#iptables -Z

第二步:设置默认政策,这里为了安全和方面控制,把所有默认政策设置为丢弃(DROP)

#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP

第三步:禁止ping服务器

#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

第四步:禁止ip转发

#/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

第五步:允许本地环路

#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

第六步:确保tcp连接是合法的syn数据包

#iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

第七步:打开ssh端口(即22端口)
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

第八步:打开ftp端口(即21端口)

#iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

第九步:打开www端口(即80端口)

#iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

第十步:保存

#iptables-save > iptables-script
#iptables-restore iptables-script

或者

#service iptables save


iptables学习研究三(limit,--limit-burst) 收藏
iptables --limit --limit-burst 使用研究

1、限制特定包传入速度
2、限制特定端口传入频率
3、使用--limit限制ping的一个例子
4、用户自定义使用链
5、防范SYN-Flood碎片***

1、限制特定包传入速度
参数 -m limit --limit
范例 iptables -A INPUT -m limit --limit 3/hour
说明 用来比对某段时间内封包的平均流量,上面的例子是用来比对:每小时平均流量是否超过一次 3 个封包。 除了每小时平均
次外,也可以每秒钟、每分钟或每天平均一次,默认值为每小时平均一次,参数如后: /second、 /minute、/day。 除了进行封
数量的比对外,设定这个参数也会在条件达成时,暂停封包的比对动作,以避免因骇客使用洪水***法,导致服务被阻断。

2、限制特定包瞬间传入的峰值
参数 --limit-burst
范例 iptables -A INPUT -m limit --limit-burst 5
说明 用来比对瞬间大量封包的数量,上面的例子是用来比对一次同时涌入的封包是否超过 5 个(这是默认值),超过此上限的封
将被直接丢弃。使用效果同上。


3、使用--limit限制ping的一个例子

限制同时响应的 ping (echo-request) 的连接数
限制每分只接受一個 icmp echo-request 封包(注意:当已接受1个icmp echo-request 封包后,
iptables将重新统计接受之后的一秒内接受的icmp echo-request 封包的个数,此刻为0个,所以它会继续接受icmp echo-request包,
出现的结果是你在1分钟时间内将看到很多

Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64
Reply from 192.168.0.111: bytes=32 time<1ms TTL=64

响应结果,若你同时开好几个ping窗口,你会发现任一时刻只有一个会有响应//--limit 1/m 所限制)

#iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m --limit-burst 1 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

--limit 1/s 表示每秒一次; 1/m 则为每分钟一次
--limit-burst 表示允许触发 limit 限制的最大次数 (预设 5)

4、用户自定义使用链

上面例子的另一种实现方法:

#iptables -N pinglimit
#iptables -A pinglimit -m limit --limit 1/m --limit-burst 1 -j ACCEPT
#iptables -A pinglimit -j DROP
#iptables -A INPUT -p icmp --icmp-type echo-request -j pinglimit

5、防范 SYN-Flood 碎片***

#iptables -N syn-flood
#iptables -A syn-flood -m limit --limit 100/s --limit-burst 150 -j RETURN
#iptables -A syn-flood -j DROP
#iptables -I INPUT -j syn-flood


本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/fafa211/archive/2008/04/19/2307517.aspx
iptables学习与研究四(使用LOG记录失败日志) 收藏
通常情况下,iptables的默认政策为DROP,不匹配的数据包将被直接丢弃。但在丢弃之前建议把信息记录下来,以使你了解哪些信息没有通过规则,有时可依此判断是否有人在尝试***你的服务器。

下面给出一个用来详细记录未匹配规则的数据包的iptables规则:

#记录下未符合规则的udp数据包,然后丢弃之。

#iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
#iptables -A INPUT -i $IFACE -p udp -j DROP
#iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
#iptables -A OUTPUT -o $IFACE -p udp -j DROP

# 记录下未符合规则的icmp数据包,然后丢弃之。

#iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
#iptables -A INPUT -i $IFACE -p icmp -j DROP
#iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
#iptables -A OUTPUT -o $IFACE -p icmp -j DROP

# 记录下未符合规则的tcp数据包,然后丢弃之。

iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP

# 记录下其他未符合规则的数据包,然后丢弃之。

iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP

加上适当的记录日志前缀,可以方便对日志进行分析。 日志通常记录在/var/log/message文件中。如,可以使用 cat /var/log/message | grep "IPTABLES UDP-IN: " 查找出你需要的日志信息。 当然为了防止日志文件过大,你也可以对日志文件记录进行限制,如可以在-j LOG 命令 前加上-m limit --limit 6/h --limit-burst 5


iptables学习与研究五(一个由James C. Stephens整理的iptables的规则脚本) 收藏
# http://www.cs.princeton.edu/~jns/security/iptables/index.html
# Prepared by James C. Stephens
# (jns@gfdl.noaa.gov)

#!/bin/bash
#
# Load appropriate modules.

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# These lines are here in case rules are already in place and the script is ever rerun on the fly.
# We want to remove all rules and pre-exisiting user defined chains and zero the counters
# before we implement new rules.

iptables -F
iptables -X
iptables -Z

# Set up a default DROP policy for the built-in chains.
# If we modify and re-run the script mid-session then (because we have a default DROP
# policy), what happens is that there is a small time period when packets are denied until
# the new rules are back in place. There is no period, however small, when packets we
# don't want are allowed.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

## ===========================================================
## Some definitions:

NAMESERVER_1="x.x.x.x"
NAMESERVER_2="x.x.x.x"
BROADCAST="x.x.x.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

## ============================================================
## Kernel flags
# To dynamically change kernel parameters and variables on the fly you need
# CONFIG_SYSCTL defined in your kernel. I would advise the following:
# Disable response to ping.

/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.

/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.

/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.

/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.

/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).

for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets.

/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.

/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

# Note: With connection tracking, all fragments are reassembled before being
# passed to the packet-filtering code so there is no ip_always_defrag switch as there
# was in the 2.2 kernel.

## ============================================================
# RULES

## LOOPBACK
# Allow unlimited traffic on the loopback interface.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.

iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets

iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.

iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP

## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
# have set in the kernel above ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
# Refuse spoofed packets pretending to be from your IP address.

iptables -A INPUT -i $IFACE -s $IPADDR -j DROP

# Refuse packets claiming to be from a Class A private network.

iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP

# Refuse packets claiming to be from a Class B private network.

iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP

# Refuse packets claiming to be from a Class C private network.

iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP

# Refuse Class D multicast addresses. Multicast is illegal as a source address.

iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP

# Refuse Class E reserved IP addresses.

iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP

# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.

iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP

# Refuse broadcast address packets.

iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP

## DNS
# NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
# platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
# Allow UDP packets in for DNS client from nameservers.

iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Allow UDP packets to DNS servers from client.

iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

## SSH
# Allow ssh outbound.

iptables -A INPUT -i $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

## WWW
# Allow www outbound to 80.

iptables -A INPUT -i $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow www outbound to 443.

iptables -A INPUT -i $IFACE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

## TELNET
# Allow telnet outbound.

iptables -A INPUT -i $IFACE -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

## FTP
# Allow ftp outbound.

iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
# the connection as RELATED to the original outgoing connection to port 21 so we don't
# need NEW as a state match.

iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel via a PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
# connection to port 21 so we don't need NEW as a state match.

iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

## SMTP
# Allow smtp outbound.

iptables -A INPUT -i $IFACE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

## AUTH server
# Reject ident probes with a tcp reset.
# I need to do this for a broken mailhost that won't accept my mail if I just drop its ident probe.

iptables -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset

## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.

iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT

# ICMP
# We accept icmp in if it is "related" to other connections (e.g a time exceeded (11)
# from a traceroute) or it is part of an "established" connection (e.g. an echo reply (0)
# from an echo-request (8)).

iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# We always allow icmp out.

iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## LOGGING
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not too
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You cam implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.

iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP

# Any icmp not already allowed is logged and then dropped.

iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP

# Any tcp not already allowed is logged and then dropped.

iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP

# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.

iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP

###上面的脚本是由James C. Stephens 所整理的
##是个比较全的iptables配置脚本.为了保持原汁原味方便大家学习研究使用,所有没有做任何的修改。
##特发出来与大家一起分享,希望对大家有用.


iptables学习与研究六(一些补充) 收藏
常用的处理动作:
-j 参数用来指定要进行的处理动作,常用的处理动作包括:ACCEPT、REJECT、DROP、REDIRECT、MASQUERADE、LOG、DNAT、 SNAT、MIRROR、QUEUE、RETURN、MARK,分别说明如下:

ACCEPT 将封包放行,进行完此处理动作后,将不再比对其它规则,直接跳往下一个规则(natostrouting)。

REJECT 拦阻该封包,并传送封包通知对方,可以传送的封包有几个选择:ICMP port-unreachable、ICMP echo-reply 或是 tcp-reset(这个封包会要求对方关闭联机),进行完此处理动作后,将不再比对其它规则,直接 中断过滤程序。

范例如下: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset

DROP 丢弃封包不予处理,进行完此处理动作后,将不再比对其它规则,直接中断过滤程序。

REDIRECT 将封包重新导向到另一个端口(PNAT),进行完此处理动作后,将 会继续比对其它规则。 这个功能可以用来实作通透式 porxy 或用来保护 web 服务器。

例如:iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

MASQUERADE 改写封包来源 IP 为防火墙 NIC IP,可以指定 port 对应的范围,进行完此处理动作后,直接跳往下一个规则 (mangleostrouting)。这个功能与 SNAT 略有不同,当进行 IP 伪装时,不需指定要伪装成哪个 IP,IP 会从网卡直接读,当使用拨接连线时,IP 通常是由 ISP 公司的 DHCP 服务器指派的,这个时候 MASQUERADE 特别有用。

范例如下: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000

LOG 将封包相关讯息纪录在 /var/log 中,详细位置请查阅 /etc/syslog.conf 组态档,进行完此处理动作后,将会继续比对其 规则。

例如:iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

SNAT 改写封包来源 IP 为某特定 IP 或 IP 范围,可以指定 port 对应的范围,进行完此处理动作后,将直接跳往下一个规则(mangleostrouting)。

范例如下:iptables -t nat -A POSTROUTING -p tcp-o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

DNAT 改写封包目的地 IP 为某特定 IP 或 IP 范围,可以指定 port 对应的范围,进行完此处理动作后,将会直接跳往下一个规 炼(filter:input 或 filter:forward)。

范例如下:iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination
192.168.1.1-192.168.1.10:80-100

MIRROR 镜射封包,也就是将来源 IP 与目的地 IP 对调后,将封包送回,进行完此处理动作后,将会中断过滤程序。

QUEUE 中断过滤程序,将封包放入队列,交给其它程序处理。透过自行开发的处理程序,可以进行其它应用,例如:计算联机费 .......等。

RETURN 结束在目前规则炼中的过滤程序,返回主规则炼继续过滤,如果把自订规则炼看成是一个子程序,那么这个动作,就相当 提早结束子程序并返回到主程序中。

MARK 将封包标上某个代号,以便提供作为后续过滤的条件判断依据,进行完此处理动作后,将会继续比对其它规则。

范例如下: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2

参数 -m mac --mac-source
范例 iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
说明 用来比对封包来源网络接口的硬件地址,这个参数不能用在 OUTPUT 和 Postrouting 规则炼上,这是因为封包要送出到网
后,才能由网卡驱动程序透过 ARP 通讯协议查出目的地的 MAC 地址,所以 iptables 在进行封包比对时,并不知道封包会送到
个网络接口去。

参数 --mark
范例 iptables -t mangle -A INPUT -m mark --mark 1
说明 用来比对封包是否被表示某个号码,当封包被比对成功时,我们可以透过 MARK 处理动作,将该封包标示一个号码,号码最
不可以超过 4294967296。

参数 -m owner --uid-owner
范例 iptables -A OUTPUT -m owner --uid-owner 500
说明 用来比对来自本机的封包,是否为某特定使用者所产生的,这样可以避免服务器使用 root 或其它身分将敏感数据传送出
,可以降低系统被骇的损失。可惜这个功能无法比对出来自其它主机的封包。

参数 -m owner --gid-owner
范例 iptables -A OUTPUT -m owner --gid-owner 0
说明 用来比对来自本机的封包,是否为某特定使用者群组所产生的,使用时机同上。

参数 -m owner --pid-owner
范例 iptables -A OUTPUT -m owner --pid-owner 78
说明 用来比对来自本机的封包,是否为某特定行程所产生的,使用时机同上。

参数 -m owner --sid-owner
范例 iptables -A OUTPUT -m owner --sid-owner 100
说明 用来比对来自本机的封包,是否为某特定联机(Session ID)的响应封包,使用时机同上。

参数 -m state --state
范例 iptables -A INPUT -m state --state RELATED,ESTABLISHED
说明 用来比对联机状态,联机状态共有四种:INVALID、ESTABLISHED、NEW 和 RELATED。

INVALID 表示该封包的联机编号(Session ID)无法辨识或编号不正确。
ESTABLISHED 表示该封包属于某个已经建立的联机。
NEW 表示该封包想要起始一个联机(重设联机或将联机重导向)。
RELATED 表示该封包是属于某个已经建立的联机,所建立的新联机。例如:FTP-DATA 联机必定是源自某个 FTP 联机。