保存iptables规则
iptables-save >/root/iptables
iptables-restore </root/iptables
设置开机自动加载iptables规则
方法1
cat /etc/rc.d/rc.local
#!/bin/bash
touch /var/lock/subsys/local
iptables-restore </root/iptables
chmod +x /etc/rc.d/rc.local
方法2
yum -y install iptables-services
systemctl stop firewalld
systemctl disable firewalld
iptables -F
iptables-restore </opt/iptables
iptables-save >/etc/sysconfig/iptables
systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
reboot
iptables -P
默认iptables所有的链都是ACCEPT的,通过iptables -P 可以修改
iptables -nvL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37374 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 5885 601K ACCEPT all -- * * 192.168.229.100 0.0.0.0/0
3 2261 277K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4649 packets, 8218K bytes)
num pkts bytes target prot opt in out source destination
Chain Vl (0 references)
num pkts bytes target prot opt in out source destination
修改INPUT链的默认策略为DROP(上面第1条规则已放行RELATED,ESTABLISHED状态的连接,所以已建立的远程会话不会被切断)
[root@ceph01 ~]# iptables -P INPUT DROP
[root@ceph01 ~]# iptables -nvL --line
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37910 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 5885 601K ACCEPT all -- * * 192.168.229.100 0.0.0.0/0
3 2269 277K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25 packets, 4890 bytes)
num pkts bytes target prot opt in out source destination
Chain Vl (0 references)
num pkts bytes target prot opt in out source destination
扩展模块
multiport
放行139和445这两个不连续的端口
iptables -I INPUT -p tcp -m multiport --dport 139,445 -j ACCEPT
mac
拒绝某个mac地址访问
iptables -A INPUT -m mac --mac-source fa:16:3e:37:3f:a1 -j REJECT
或者
iptables -A INPUT -s 192.168.229.121 -m mac --mac-source fa:16:3e:37:3f:a1 -j REJECT
iprange
拒绝某一个段连续的ip地址(前后闭区间)
iptables -I INPUT -m iprange --src-range 192.168.229.115-192.168.229.121 -j REJECT
由于是闭区间,这里的 192.168.229.115和 192.168.229.121都被拒绝。
拒绝某一个连续段ip的80端口。
iptables -I INPUT -p tcp --dport 80 -m iprange --src-range 192.168.229.115-192.168.229.121 -j REJECT
string
拒绝访问带有google字样的网站页面(注意此规则位于OUTPUT链且匹配源端口80,即匹配的是本机发出的HTTP响应)
iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string "google" -j REJECT
time
iptables -I INPUT -m time --timestart 12:00 --timestop 14:00 -j REJECT
查看(从下面输出可见,time模块的时间按UTC解释)
iptables -nvL --line
Chain INPUT (policy ACCEPT 432 packets, 116K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 12:00:00 to 14:00:00 UTC reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 525 packets, 534K bytes)
num pkts bytes target prot opt in out source destination
Chain Vl (0 references)
num pkts bytes target prot opt in out source destination
connlimit
限制每个源IP的连接数最多为2,超过则拒绝
iptables -I INPUT -m connlimit --connlimit-above 2 -j REJECT
iptables -nvL
Chain INPUT (policy ACCEPT 214 packets, 17211 bytes)
pkts bytes target prot opt in out source destination
340 172K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 2 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 525 packets, 136K bytes)
pkts bytes target prot opt in out source destination
Chain Vl (0 references)
pkts bytes target prot opt in out source destination
限制每个源IP到80端口的连接数最多为2
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
iptables -nvL
Chain INPUT (policy ACCEPT 50461 packets, 4334K bytes)
pkts bytes target prot opt in out source destination
29 1740 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 #conn src/32 > 2 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 35543 packets, 9028K bytes)
pkts bytes target prot opt in out source destination
Chain Vl (0 references)
pkts bytes target prot opt in out source destination
limit
突发超过10个包之后,每分钟只允许通过20个包
iptables -I INPUT 2 -p icmp -j REJECT
说明:这条limit规则需要与上面的REJECT规则配合使用,超出限制的包会落到REJECT规则上
iptables -I INPUT -m limit -p icmp --icmp-type 8 --limit 20/minute --limit-burst 10 -j ACCEPT
ping 192.168.229.114
PING 192.168.229.114 (192.168.229.114) 56(84) bytes of data.
64 bytes from 192.168.229.114: icmp_seq=1 ttl=64 time=0.498 ms
64 bytes from 192.168.229.114: icmp_seq=2 ttl=64 time=0.652 ms
64 bytes from 192.168.229.114: icmp_seq=3 ttl=64 time=0.424 ms
64 bytes from 192.168.229.114: icmp_seq=4 ttl=64 time=0.513 ms
64 bytes from 192.168.229.114: icmp_seq=5 ttl=64 time=0.512 ms
64 bytes from 192.168.229.114: icmp_seq=6 ttl=64 time=0.479 ms
64 bytes from 192.168.229.114: icmp_seq=7 ttl=64 time=0.480 ms
64 bytes from 192.168.229.114: icmp_seq=8 ttl=64 time=0.533 ms
From 192.168.229.114 icmp_seq=9 Destination Port Unreachable
64 bytes from 192.168.229.114: icmp_seq=10 ttl=64 time=0.640 ms
From 192.168.229.114 icmp_seq=11 Destination Port Unreachable
From 192.168.229.114 icmp_seq=12 Destination Port Unreachable
64 bytes from 192.168.229.114: icmp_seq=13 ttl=64 time=0.500 ms
From 192.168.229.114 icmp_seq=14 Destination Port Unreachable
state
查看现有规则
iptables -nvL
Chain INPUT (policy ACCEPT 1093 packets, 312K bytes)
pkts bytes target prot opt in out source destination
37 3108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 20/min burst 10 icmptype 8
4 336 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
1429 148K ACCEPT all -- * * 192.168.229.100 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1452 packets, 1816K bytes)
pkts bytes target prot opt in out source destination
Chain Vl (0 references)
pkts bytes target prot opt in out source destination
另一台主机连接本主机
[root@ceph02 ~]# ssh ceph01
root@ceph01's password:
Last login: Sat Oct 10 13:54:39 2020 from 192.168.229.100
[root@ceph01 ~]#
增加一条规则
iptables -A INPUT -p tcp --dport 22 -j REJECT
可以发现已经(正在)连接的主机无法操作
查看现在的防火墙规则
iptables -nvL --line
Chain INPUT (policy ACCEPT 5402 packets, 1610K bytes)
num pkts bytes target prot opt in out source destination
1 37 3108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 20/min burst 10 icmptype 8
2 4 336 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
3 1549 160K ACCEPT all -- * * 192.168.229.100 0.0.0.0/0
4 11 968 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6801 packets, 8892K bytes)
num pkts bytes target prot opt in out source destination
Chain Vl (0 references)
num pkts bytes target prot opt in out source destination
在第4条规则之前增加一条规则
iptables -I INPUT 4 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
查看现有规则
iptables -nvL --line
Chain INPUT (policy ACCEPT 2819 packets, 867K bytes)
num pkts bytes target prot opt in out source destination
1 37 3108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 20/min burst 10 icmptype 8
2 4 336 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
3 1893 196K ACCEPT all -- * * 192.168.229.100 0.0.0.0/0
4 10 1456 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state RELATED,ESTABLISHED
5 13 1144 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3430 packets, 4614K bytes)
num pkts bytes target prot opt in out source destination
Chain Vl (0 references)
num pkts bytes target prot opt in out source destination
可以发现已经连接的主机又可以操作了。
查看连接记录
[root@ceph01 ~]# cat /proc/net/nf_conntrack -n
1 ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=50418 dport=6802 src=192.168.229.115 dst=192.168.229.114 sport=6802 dport=50418 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
2 ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.229.115 dst=192.168.229.114 sport=42970 dport=6806 src=192.168.229.114 dst=192.168.229.115 sport=6806 dport=42970 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
3 ipv4 2 tcp 6 341634 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=36772 dport=6789 src=192.168.229.115 dst=192.168.229.114 sport=6789 dport=36772 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
4 ipv4 2 tcp 6 431821 ESTABLISHED src=192.168.229.115 dst=192.168.229.114 sport=48784 dport=22 src=192.168.229.114 dst=192.168.229.115 sport=22 dport=48784 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
5 ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=51194 dport=6789 src=192.168.229.115 dst=192.168.229.114 sport=6789 dport=51194 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
6 ipv4 2 tcp 6 299 ESTABLISHED src=192.168.229.100 dst=192.168.229.114 sport=40646 dport=22 src=192.168.229.114 dst=192.168.229.100 sport=22 dport=40646 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
7 ipv4 2 tcp 6 431996 ESTABLISHED src=192.168.229.121 dst=192.168.229.114 sport=45530 dport=6806 src=192.168.229.114 dst=192.168.229.121 sport=6806 dport=45530 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
8 ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.229.114 dst=192.168.229.121 sport=36636 dport=6789 src=192.168.229.121 dst=192.168.229.114 sport=6789 dport=36636 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
9 ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.121 sport=53122 dport=6802 src=192.168.229.121 dst=192.168.229.114 sport=6802 dport=53122 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
10 ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.121 sport=57894 dport=6803 src=192.168.229.121 dst=192.168.229.114 sport=6803 dport=57894 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
11 ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=44632 dport=6803 src=192.168.229.115 dst=192.168.229.114 sport=6803 dport=44632 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
12 ipv4 2 tcp 6 431997 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=54100 dport=6789 src=192.168.229.115 dst=192.168.229.114 sport=6789 dport=54100 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
13 ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.229.115 dst=192.168.229.114 sport=36114 dport=6805 src=192.168.229.114 dst=192.168.229.115 sport=6805 dport=36114 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
14 ipv4 2 tcp 6 431996 ESTABLISHED src=192.168.229.121 dst=192.168.229.114 sport=43084 dport=6805 src=192.168.229.114 dst=192.168.229.121 sport=6805 dport=43084 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
在192.168.229.121上再ssh连接一次,然后查看记录已经增加了一条
15 ipv4 2 tcp 6 431996 ESTABLISHED src=192.168.229.121 dst=192.168.229.114 sport=43084 dport=6805 src=192.168.229.114 dst=192.168.229.121 sport=6805 dport=43084 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
查看最多能记录多少条
cat /proc/sys/net/nf_conntrack_max
65536
state模块还可以为被动模式的服务放行数据连接(比如vsftpd服务的被动模式,事先并不知道数据端口是哪个,并且端口不固定)
服务端操作
yum -y install vsftpd
systemctl start vsftpd
[root@ceph01 ~]# useradd ftp -s /sbin/nologin
useradd:用户“ftp”已存在
[root@ceph01 ~]# passwd ftp
更改用户 ftp 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@ceph01 ~]# modprobe nf_conntrack_ftp
[root@ceph01 ~]# lsmod |grep nf_conntrack_ftp
nf_conntrack_ftp 18478 0
nf_conntrack 139264 6 nf_nat,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
客户端操作
[root@ceph02 ~]# ftp 192.168.229.114
ftp: connect: 拒绝连接
ftp> ls
Not connected.
ftp>
可以看见服务端拒绝了连接
查看服务端的防火墙规则
iptables -vnL --line
Chain INPUT (policy ACCEPT 22 packets, 1936 bytes)
num pkts bytes target prot opt in out source destination
1 5643 577K ACCEPT all -- * * 192.168.229.100 0.0.0.0/0
2 198 117K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 136 packets, 23628 bytes)
num pkts bytes target prot opt in out source destination
Chain Vl (0 references)
num pkts bytes target prot opt in out source destination
服务端开放21端口
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
客户端再次连接,可以发现能连接上,但是无法查看文件(查看文件使用被动模式,数据端口不确定,并且随时变化)
ftp 192.168.229.114
Connected to 192.168.229.114 (192.168.229.114).
220 (vsFTPd 3.0.2)
Name (192.168.229.114:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,229,114,68,157).
ftp: connect: 拒绝连接
ftp>
服务端利用state模块增加一条ACCEPT规则(RELATED状态依赖上面加载的nf_conntrack_ftp模块来识别被动模式的数据连接)
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
客户端再次连接,发现可以查看文件
ftp 192.168.229.114
Connected to 192.168.229.114 (192.168.229.114).
220 (vsFTPd 3.0.2)
Name (192.168.229.114:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,229,114,150,168).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Apr 01 2020 pub
226 Directory send OK.
ftp>
记录某台主机的访问日志
iptables -I INPUT -s 192.168.229.121 -j LOG --log-prefix "from 192.168.229.121 access"
自定义一个iptables链
iptables -N TEST
修改链的名字
iptables -E test TEST
将test链改名为TEST
将一个链的规则导入到另一个链
查看TEST和TEST2链规则
iptables -nvL
Chain TEST (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.229.100 0.0.0.0/0 tcp dpt:80
Chain TEST2 (0 references)
pkts bytes target prot opt in out source destination
将TEST链的规则导入到TEST2链(实际是在TEST2链中添加一条跳转到TEST链的规则,下面输出中TEST链的引用计数变为1)
注意:这个命令只适用于自定义的链(亲自试验)
iptables -A TEST2 -j TEST
查看导入的规则
iptables -nvL
Chain TEST (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.229.100 0.0.0.0/0 tcp dpt:80
Chain TEST2 (0 references)
pkts bytes target prot opt in out source destination
0 0 TEST all -- * * 0.0.0.0/0 0.0.0.0/0
删除链
iptables -X TEST2
清空链
iptables -F TEST2
查看某表某链的规则
iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.18.0.6:80
DNAT tcp -- anywhere anywhere tcp spt:irdmi dpt:http to:172.18.0.6:80
DNAT tcp -- anywhere anywhere tcp spt:http dpt:irdmi to:172.18.0.6:80
删除某表某链的规则
iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.18.0.6:80
DNAT tcp -- anywhere anywhere tcp spt:irdmi dpt:http to:172.18.0.6:80
DNAT tcp -- anywhere anywhere tcp spt:http dpt:irdmi to:172.18.0.6:80
iptables -t nat -D PREROUTING 1
iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp spt:irdmi dpt:http to:172.18.0.6:80
DNAT tcp -- anywhere anywhere tcp spt:http dpt:irdmi to:172.18.0.6:80
清空某表某链的规则
iptables -F PREROUTING -t nat
iptables实现跳转访问
场景
公司有两台服务器(zabbix和172.18.0.6)和一台PC机,PC机无法直接访问172.18.0.6,现在想在zabbix上做一条iptables规则,让PC机通过zabbix访问172.18.0.6的网页。PC机网段为192.168.140.0/24。
想实现的效果是:在浏览器中输入zabbix的ip:8000(zabbix只有一块网卡eth0)即可访问172.18.0.6:80。
zabbix服务器上操作
开启ip转发
cat >>/etc/sysctl.conf<<EOF
net.ipv4.ip_forward = 1
EOF
sysctl -p
允许8000端口通过
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp --sport 8000 -j ACCEPT
配置转发规则
方法1
iptables -A PREROUTING -t nat -d 192.168.254.3 -p tcp --dport 8000 -j DNAT --to-destination 172.18.0.6:80
iptables -A POSTROUTING -t nat -d 172.18.0.6 -p tcp --dport 80 -j SNAT --to-source 192.168.254.3
查看方法1转发规则
[root@zabbix ~]# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 192.168.254.3 tcp dpt:irdmi to:172.18.0.6:80
[root@zabbix ~]# iptables -L POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere 172.18.0.6 tcp dpt:http to:192.168.254.3
方法2
iptables -A PREROUTING -t nat -p tcp --dport 8000 -j DNAT --to-destination 172.18.0.6:80
iptables -A POSTROUTING -t nat -p tcp --dport 80 -j SNAT --to-source 192.168.254.3
查看方法2转发规则
iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:irdmi to:172.18.0.6:80
[root@zabbix ~]# iptables -L POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.254.3
验证
永久保存iptables规则
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Nov 15 11:41:17 2017
*filter
:INPUT ACCEPT [329:47908]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [420:53331]
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,10050:10051 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
COMMIT
# Completed on Wed Nov 15 11:41:17 2017