iptables

保存iptables规则

在这里插入图片描述

# Dump the complete running rule set (every loaded table) to a file. The
# dump describes this host's filtering policy, so keep it root-only; /root
# is fine for that, /tmp or a world-readable path is not.
iptables-save >/root/iptables
# Load it back. Without -n/--noflush, iptables-restore flushes the tables
# contained in the file and loads the whole set in one step, so there is no
# need for a separate "iptables -F" before it.
iptables-restore </root/iptables 

设置开机自动加载iptables规则
方法1

cat /etc/rc.d/rc.local
#!/bin/bash
# Run by rc-local.service late in boot; until the restore below has run the
# kernel default policy (ACCEPT on every chain, see "iptables -P" on this
# page) is what is in effect.
touch /var/lock/subsys/local
# Reload the rule set saved with iptables-save above. A failure here (file
# missing, syntax error) goes to stderr/the journal but does not stop the
# boot, so check "iptables -nvL" after a reboot rather than assuming the
# rules are back.
iptables-restore </root/iptables 

# rc-local.service only runs this file when it is executable; without the
# +x the script above never runs and the rules are not restored at boot.
chmod +x /etc/rc.d/rc.local

方法2

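# Switch from firewalld to the iptables-services unit, which loads
# /etc/sysconfig/iptables at boot. Stop and disable firewalld first so the
# two do not manage the same tables.
yum -y install iptables-services
systemctl stop firewalld
systemctl disable firewalld

# Load the saved rule set and persist it. iptables-restore replaces the
# tables in the file in one step, so the separate "iptables -F" that used to
# precede it only opened a window with an empty INPUT chain under a policy
# of ACCEPT; it is dropped. The save is chained with && so that a failed
# restore (e.g. file missing) does not overwrite /etc/sysconfig/iptables
# with whatever happens to be loaded at that moment.
# NOTE(review): the rules were saved to /root/iptables earlier on this page;
# /opt/iptables is kept as the author wrote it — make sure both paths agree.
iptables-restore </opt/iptables && iptables-save >/etc/sysconfig/iptables
systemctl enable iptables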
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
# Reboot only to prove the rules come back on their own; "systemctl start
# iptables" should load /etc/sysconfig/iptables without a reboot.
reboot

iptables -P

默认情况下 iptables 各条链的默认策略(policy)都是 ACCEPT,通过 iptables -P 可以修改某条链的默认策略

iptables -nvL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    37374   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     5885  601K ACCEPT     all  --  *      *       192.168.229.100      0.0.0.0/0           
3     2261  277K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4649 packets, 8218K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

修改INPUT链的默认策略为DROP

[root@ceph01 ~]# iptables -P INPUT DROP
[root@ceph01 ~]# iptables -nvL --line
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    37910   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     5885  601K ACCEPT     all  --  *      *       192.168.229.100      0.0.0.0/0           
3     2269  277K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 25 packets, 4890 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

扩展模块

multiport

接受139和445这两个不连续端口访问

# multiport matches several non-contiguous ports in one rule. There is no
# -s here, so this admits SMB (139/445) from any source; a source
# restriction is usually wanted before keeping a rule like this.
iptables -I INPUT -p tcp -m multiport --dport 139,445  -j ACCEPT

mac

拒绝某个mac地址访问

# Match on the Ethernet source address. Only meaningful in PREROUTING, INPUT
# and FORWARD and only for hosts on the same L2 segment; the sender chooses
# its own MAC, so treat this as a convenience filter, not an authentication
# control.
iptables -A INPUT -m mac  --mac-source  fa:16:3e:37:3f:a1 -j REJECT
或者
# Same, additionally pinned to one IP: both the IP and the MAC must match.
# -A appends, so any earlier ACCEPT for this source is evaluated first.
iptables -A INPUT -s 192.168.229.121  -m mac  --mac-source  fa:16:3e:37:3f:a1 -j REJECT

iprange

拒绝某一个段连续的ip地址(前后闭区间)

# iprange is inclusive: .115 and .121 are both rejected. -I puts the rule at
# the top of INPUT so it takes precedence over any earlier ACCEPT.
iptables -I INPUT -m iprange --src-range 192.168.229.115-192.168.229.121 -j REJECT

由于是闭区间,这里的 192.168.229.115和 192.168.229.121都被拒绝。

拒绝某一个连续段ip的80端口。

# Same range, limited to TCP/80; other ports from these hosts are not
# affected by this rule.
iptables -I INPUT -p tcp --dport 80 -m iprange --src-range 192.168.229.115-192.168.229.121 -j REJECT

在这里插入图片描述

string

拒绝访问带有google字样的网站页面

# As written this applies to this host's own HTTP responses (OUTPUT,
# --sport 80), not to pages fetched by this host. The string match works
# per packet (a string split across two segments is missed), is
# case-sensitive unless --icase is given, and sees nothing inside TLS — a
# demo of the match, not a reliable content filter.
iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string "google" -j REJECT

time

# The time match compares against UTC unless --kerneltz is given; the
# listing below shows "from 12:00:00 to 14:00:00 UTC", so on a UTC+8 host
# this window is 20:00-22:00 local time. With no -p and inserted at the top,
# it rejects all traffic in that window, existing sessions included.
iptables -I INPUT -m time --timestart 12:00 --timestop 14:00 -j REJECT

查看

iptables -nvL --line
Chain INPUT (policy ACCEPT 432 packets, 116K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 12:00:00 to 14:00:00 UTC reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 525 packets, 534K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

connlimit

限制连接数最多为2

# connlimit counts parallel connections per source address (/32 by default;
# the listing shows "#conn src/32 > 2"). With no -p it caps every protocol,
# which may include the admin's own sessions to this host.
iptables -I  INPUT -m connlimit --connlimit-above 2 -j REJECT
iptables -nvL
Chain INPUT (policy ACCEPT 214 packets, 17211 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  340  172K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 525 packets, 136K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
 pkts bytes target     prot opt in     out     source               destination         

限制80端口最多连接数为2

# Same limit scoped to TCP/80: at most 2 concurrent HTTP connections per
# source IP. --connlimit-mask widens the grouping to a prefix if needed.
iptables -I  INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
iptables -nvL
Chain INPUT (policy ACCEPT 50461 packets, 4334K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   29  1740 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 35543 packets, 9028K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
 pkts bytes target     prot opt in     out     source               destination         

limit

超过10个包之后每分钟只允许通过20个包

# Catch-all for ICMP, inserted as rule 2 so that the rate-limited ACCEPT
# inserted next (at position 1) is evaluated first. Without this REJECT the
# limit rule only accepts; it never drops the excess.
iptables -I INPUT 2 -p icmp -j REJECT
说明:这条 REJECT 规则需要与下面的限速 ACCEPT 规则配合使用
# Token bucket: up to 10 echo requests (type 8) pass immediately, then 20
# per minute; anything above falls through to the ICMP REJECT in rule 2.
# limit is per rule, not per source — one noisy host uses up the budget for
# everyone (hashlimit is the per-source variant).
iptables -I INPUT -m limit -p icmp --icmp-type 8 --limit 20/minute --limit-burst 10 -j ACCEPT
ping 192.168.229.114
PING 192.168.229.114 (192.168.229.114) 56(84) bytes of data.
64 bytes from 192.168.229.114: icmp_seq=1 ttl=64 time=0.498 ms
64 bytes from 192.168.229.114: icmp_seq=2 ttl=64 time=0.652 ms
64 bytes from 192.168.229.114: icmp_seq=3 ttl=64 time=0.424 ms
64 bytes from 192.168.229.114: icmp_seq=4 ttl=64 time=0.513 ms
64 bytes from 192.168.229.114: icmp_seq=5 ttl=64 time=0.512 ms
64 bytes from 192.168.229.114: icmp_seq=6 ttl=64 time=0.479 ms
64 bytes from 192.168.229.114: icmp_seq=7 ttl=64 time=0.480 ms
64 bytes from 192.168.229.114: icmp_seq=8 ttl=64 time=0.533 ms
From 192.168.229.114 icmp_seq=9 Destination Port Unreachable
64 bytes from 192.168.229.114: icmp_seq=10 ttl=64 time=0.640 ms
From 192.168.229.114 icmp_seq=11 Destination Port Unreachable
From 192.168.229.114 icmp_seq=12 Destination Port Unreachable
64 bytes from 192.168.229.114: icmp_seq=13 ttl=64 time=0.500 ms
From 192.168.229.114 icmp_seq=14 Destination Port Unreachable

state

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

查看现有规则

iptables -nvL
Chain INPUT (policy ACCEPT 1093 packets, 312K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   37  3108 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 20/min burst 10 icmptype 8
    4   336 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
 1429  148K ACCEPT     all  --  *      *       192.168.229.100      0.0.0.0/0           
   
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1452 packets, 1816K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
 pkts bytes target     prot opt in     out     source               destination         

另一台主机连接本主机

[root@ceph02 ~]# ssh ceph01
root@ceph01's password: 
Last login: Sat Oct 10 13:54:39 2020 from 192.168.229.100
[root@ceph01 ~]# 

增加一条规则

# Appended at the end of INPUT: every TCP/22 packet no earlier rule accepted
# is rejected — including packets of sessions that were already open, which
# is why the existing SSH login stops responding (no state match exempts
# ESTABLISHED traffic yet).
iptables -A INPUT -p tcp --dport 22 -j REJECT

可以发现已经(正在)连接的主机无法操作
查看现在的防火墙规则

iptables -nvL --line
Chain INPUT (policy ACCEPT 5402 packets, 1610K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       37  3108 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 20/min burst 10 icmptype 8
2        4   336 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
3     1549  160K ACCEPT     all  --  *      *       192.168.229.100      0.0.0.0/0           
4       11   968 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6801 packets, 8892K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

在第4条规则之前增加一条规则

# Inserted ahead of the REJECT (position 4) so packets of an already-tracked
# SSH session are accepted first. The listing below shows the rule as
# "RELATED,ESTABLISHED" while this command names only ESTABLISHED — the
# recorded command and output disagree.
# "-m conntrack --ctstate" is the current spelling of "-m state --state".
iptables -I INPUT 4 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT

查看现有规则

iptables -nvL --line
Chain INPUT (policy ACCEPT 2819 packets, 867K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       37  3108 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 20/min burst 10 icmptype 8
2        4   336 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
3     1893  196K ACCEPT     all  --  *      *       192.168.229.100      0.0.0.0/0           
4       10  1456 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state RELATED,ESTABLISHED
5       13  1144 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3430 packets, 4614K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

可以发现已经连接的主机又可以操作了。
查看连接记录

[root@ceph01 ~]# cat /proc/net/nf_conntrack -n
     1	ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=50418 dport=6802 src=192.168.229.115 dst=192.168.229.114 sport=6802 dport=50418 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     2	ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.229.115 dst=192.168.229.114 sport=42970 dport=6806 src=192.168.229.114 dst=192.168.229.115 sport=6806 dport=42970 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     3	ipv4     2 tcp      6 341634 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=36772 dport=6789 src=192.168.229.115 dst=192.168.229.114 sport=6789 dport=36772 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     4	ipv4     2 tcp      6 431821 ESTABLISHED src=192.168.229.115 dst=192.168.229.114 sport=48784 dport=22 src=192.168.229.114 dst=192.168.229.115 sport=22 dport=48784 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     5	ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=51194 dport=6789 src=192.168.229.115 dst=192.168.229.114 sport=6789 dport=51194 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     6	ipv4     2 tcp      6 299 ESTABLISHED src=192.168.229.100 dst=192.168.229.114 sport=40646 dport=22 src=192.168.229.114 dst=192.168.229.100 sport=22 dport=40646 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     7	ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.229.121 dst=192.168.229.114 sport=45530 dport=6806 src=192.168.229.114 dst=192.168.229.121 sport=6806 dport=45530 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     8	ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.229.114 dst=192.168.229.121 sport=36636 dport=6789 src=192.168.229.121 dst=192.168.229.114 sport=6789 dport=36636 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
     9	ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.121 sport=53122 dport=6802 src=192.168.229.121 dst=192.168.229.114 sport=6802 dport=53122 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
    10	ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.121 sport=57894 dport=6803 src=192.168.229.121 dst=192.168.229.114 sport=6803 dport=57894 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
    11	ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=44632 dport=6803 src=192.168.229.115 dst=192.168.229.114 sport=6803 dport=44632 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
    12	ipv4     2 tcp      6 431997 ESTABLISHED src=192.168.229.114 dst=192.168.229.115 sport=54100 dport=6789 src=192.168.229.115 dst=192.168.229.114 sport=6789 dport=54100 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
    13	ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.229.115 dst=192.168.229.114 sport=36114 dport=6805 src=192.168.229.114 dst=192.168.229.115 sport=6805 dport=36114 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
    14	ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.229.121 dst=192.168.229.114 sport=43084 dport=6805 src=192.168.229.114 dst=192.168.229.121 sport=6805 dport=43084 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2

在192.168.229.121上再ssh连接一次,然后查看记录已经增加了一条

15	ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.229.121 dst=192.168.229.114 sport=43084 dport=6805 src=192.168.229.114 dst=192.168.229.121 sport=6805 dport=43084 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2

查看最多能记录多少条

# Upper bound on tracked connections. When the table is full the kernel
# drops packets of new connections ("nf_conntrack: table full, dropping
# packet"), so the state rules above depend on this being sized for the
# host's load.
cat /proc/sys/net/nf_conntrack_max 
65536

state还可以对被动模式增加规则(比如vsftpd服务的被动模式并不知道端口是哪个,并且是不固定的)
服务端操作

# Plain FTP: credentials and data travel in cleartext. The transcript below
# shows passwd warning that the ftp account's password is under 8 characters
# and accepting it anyway; port 21 is opened to any source further down, so
# set a strong password (or allow anonymous only) before doing that.
yum -y install vsftpd
systemctl start vsftpd
[root@ceph01 ~]# useradd ftp -s /sbin/nologin 
useradd:用户“ftp”已存在
[root@ceph01 ~]# passwd ftp
更改用户 ftp 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。

[root@ceph01 ~]# modprobe nf_conntrack_ftp
[root@ceph01 ~]# lsmod |grep nf_conntrack_ftp
nf_conntrack_ftp       18478  0 
nf_conntrack          139264  6 nf_nat,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4

客户端操作

[root@ceph02 ~]# ftp 192.168.229.114
ftp: connect: 拒绝连接
ftp> ls
Not connected.
ftp> 

可以看见服务端拒绝了连接
查看服务端的防火墙规则

iptables -vnL --line
Chain INPUT (policy ACCEPT 22 packets, 1936 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     5643  577K ACCEPT     all  --  *      *       192.168.229.100      0.0.0.0/0           
2      198  117K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 136 packets, 23628 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain Vl (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

服务端开放21端口

# Control channel only (21), from any source. The passive-mode data channel
# uses a server-chosen high port, which is why "ls" still fails below until
# the RELATED rule is added.
iptables -I INPUT -p tcp --dport 21 -j ACCEPT

客户端再次连接,发现可以登录,但是无法查看文件(查看文件走被动模式,数据端口不固定,并且随时变化)

ftp 192.168.229.114
Connected to 192.168.229.114 (192.168.229.114).
220 (vsFTPd 3.0.2)
Name (192.168.229.114:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,229,114,68,157).
ftp: connect: 拒绝连接
ftp> 

服务端利用state模块增加一条ACCEPT规则

# Accept packets of tracked connections and of connections RELATED to them.
# For FTP the RELATED entry comes from the nf_conntrack_ftp helper loaded
# above; without that module this rule does not open the passive data port.
# Inserted at the top, so it also precedes the TCP REJECT in rule 2.
# NOTE(review): newer kernels disable automatic helper assignment by default
# (net.netfilter.nf_conntrack_helper); there an explicit CT helper rule in
# the raw table is needed as well.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

客户端再次连接,发现可以查看文件

ftp 192.168.229.114
Connected to 192.168.229.114 (192.168.229.114).
220 (vsFTPd 3.0.2)
Name (192.168.229.114:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,229,114,150,168).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Apr 01  2020 pub
226 Directory send OK.
ftp> 

在这里插入图片描述
记录某台主机的访问日志

# LOG is non-terminating: the packet is logged (kernel log / journal) and
# continues down the chain. There is no -m limit here, so a busy source can
# flood the log; pair LOG with limit or hashlimit in practice.
# --log-prefix is capped at 29 characters.
iptables -I INPUT  -s 192.168.229.121 -j LOG --log-prefix "from 192.168.229.121 access"

自定义一个iptables链

# New user-defined chain in the filter table; it has no effect until a rule
# jumps to it (the listing shows "0 references").
iptables -N TEST

修改链的名字

# Rename a user-defined chain: old name first, new name second.
iptables -E test TEST
将test链改名为TEST

将一个链的规则导入到另一个链

查看TEST和TEST2链规则

iptables -nvL
Chain TEST (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.229.100      0.0.0.0/0            tcp dpt:80

Chain TEST2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

将TEST链的规则导入到TEST2链(实际是在 TEST2 中添加一条跳转到 TEST 的规则)
注意:这个命令只适用于自定义的链(亲自试验)

# "Import" here is a jump: TEST2 delegates to TEST, TEST's rules are not
# copied (the listing shows TEST gaining a reference). Only user-defined
# chains can be jump targets; built-in chains cannot.
iptables -A TEST2 -j TEST

查看导入的规则

iptables -nvL
Chain TEST (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.229.100      0.0.0.0/0            tcp dpt:80

Chain TEST2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TEST       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

删除链

# -X only removes a chain that is empty and unreferenced. At this point
# TEST2 still holds the jump rule added above, so flush it first (the -F
# below) and delete afterwards.
iptables -X TEST2

清空链

# Empty the chain; the chain itself remains.
iptables -F TEST2

查看某表某链的规则

iptables  -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:172.18.0.6:80 
DNAT       tcp  --  anywhere             anywhere            tcp spt:irdmi dpt:http to:172.18.0.6:80 
DNAT       tcp  --  anywhere             anywhere            tcp spt:http dpt:irdmi to:172.18.0.6:80 

删除某表某链的规则

iptables  -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:172.18.0.6:80 
DNAT       tcp  --  anywhere             anywhere            tcp spt:irdmi dpt:http to:172.18.0.6:80 
DNAT       tcp  --  anywhere             anywhere            tcp spt:http dpt:irdmi to:172.18.0.6:80 

# Delete by position. Numbers shift after each delete, so re-list before
# the next -D (or delete by repeating the full rule spec instead).
iptables -t nat  -D PREROUTING 1

iptables  -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp spt:irdmi dpt:http to:172.18.0.6:80 
DNAT       tcp  --  anywhere             anywhere            tcp spt:http dpt:irdmi to:172.18.0.6:80 

清空某表某链的规则

# Flush every rule in nat/PREROUTING — all DNAT entries above go in one step.
iptables -F PREROUTING -t nat 

iptables实现跳转访问

场景
公司有两台服务器(zabbix和172.18.0.6)一台PC机,PC机不通172.18.0.6,现在想通过zabbix做个iptables规则,通过PC机访问172.18.0.6的网页。PC机网段为192.168.140.0/24。
想实现的效果为,浏览器输入zabbix的ip:8000(zabbix只有一个网卡eth0)访问172.18.0.6:80。
zabbix服务器上操作
开启ip转发

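# Enable IPv4 forwarding persistently (needed for the DNAT'd flow to be
# routed on). Guarded so re-running this does not append a duplicate line
# every time; sysctl -p then applies /etc/sysctl.conf.
# With forwarding on, the FORWARD chain decides what may be relayed — on
# this page its policy is ACCEPT, so consider restricting it to the
# 8000 -> 172.18.0.6:80 flow.
grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf || cat >>/etc/sysctl.conf<<EOF
net.ipv4.ip_forward = 1
EOF
sysctl -p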

允许8000端口通过

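# Allow new connections to the published port. The former companion rule
# "-A INPUT -p tcp --sport 8000 -j ACCEPT" is dropped: matching on the
# remote side's *source* port admits any inbound packet that carries that
# port, and it buys nothing here — after PREROUTING rewrites the destination
# to 172.18.0.6:80 the flow is forwarded and traverses FORWARD, not INPUT.
# Replies to this host's own sessions belong in a stateful
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule instead.
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT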

配置转发规则
方法1

# PREROUTING DNAT: connections to 192.168.254.3:8000 (presumably this host's
# eth0 address) are rewritten to 172.18.0.6:80 before routing. -d pins the
# rule to that one local address.
iptables -A PREROUTING -t nat -d 192.168.254.3 -p tcp --dport 8000 -j DNAT --to-destination 172.18.0.6:80
# POSTROUTING SNAT: forwarded packets leave with this host's address so the
# replies come back through it. Side effect: 172.18.0.6 sees every client as
# 192.168.254.3, so client attribution has to happen on this host (e.g. a
# LOG rule) if it is needed.
iptables -A POSTROUTING -t nat -d 172.18.0.6   -p tcp --dport 80 -j SNAT --to-source 192.168.254.3

查看方法1转发规则

[root@zabbix ~]# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             192.168.254.3       tcp dpt:irdmi to:172.18.0.6:80 

[root@zabbix ~]# iptables -L POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       tcp  --  anywhere             172.18.0.6          tcp dpt:http to:192.168.254.3 

方法2

# Same as method 1 without the -d restrictions, which makes both rules wider
# than they look: the DNAT catches TCP/8000 arriving on any interface, and
# the SNAT rewrites the source of every TCP/80 packet leaving this host —
# as the rule reads, its own outbound HTTP included — to 192.168.254.3.
# Prefer method 1 unless that is intended.
iptables -A PREROUTING -t nat  -p tcp --dport 8000 -j DNAT --to-destination 172.18.0.6:80
iptables -A POSTROUTING -t nat   -p tcp --dport 80 -j SNAT --to-source 192.168.254.3

查看方法2转发规则

iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:irdmi to:172.18.0.6:80 

[root@zabbix ~]# iptables -L POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192.168.254.3

验证
在这里插入图片描述

永久保存iptables规则

cat  /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Nov 15 11:41:17 2017
*filter
:INPUT ACCEPT [329:47908]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [420:53331]
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80,10050:10051 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
COMMIT
# Completed on Wed Nov 15 11:41:17 2017