Linux - Iptables
Prerequisites
What a firewall is:
A firewall is a device meant to keep information secure: it carries a set of rules that allow or deny the packets passing through it. With a firewall you can isolate the connection between a risky zone and a safe zone without blocking access to the risky zone. Bear in mind, though, that there is no absolute security anywhere; a firewall only provides a certain degree of protection, and most security risk still sits inside the internal network!
Firewall categories:
- Software firewall: runs on a particular computer and depends on that computer's operating system.
- Hardware firewall: essentially an ordinary PC architecture running a dedicated operating system on top.
- Chip-level firewall: built on a dedicated hardware platform with no operating system; a proprietary ASIC makes it faster than the other kinds, with very high processing capacity and performance, but it is expensive.
I. Iptables overview
- User space: the administrator defines the rules (netfilter component)
- Kernel space: the rules are submitted to the kernel, which filters packets according to them (iptables component)
II. Iptables tables and chains
1. filter
The default table; it implements packet filtering and contains three chains:
- INPUT: packets destined for this host
- OUTPUT: packets leaving this host
- FORWARD: packets passing through this host
2. nat
Network address translation:
- SNAT: source address translation
- DNAT: destination address translation
- PNAT: much like SNAT, except that SNAT's source address is fixed while PNAT's is not; it is generally the right choice when the Internet connection is ppp or pppoe.
3. mangle
Marking packets, mainly by modifying packet header fields:
- PREROUTING chain: after a packet enters the firewall, also called pre-routing.
- POSTROUTING chain: after the packet's destination has been decided, also called post-routing.
- OUTPUT chain: packets leaving this host, before routing
- INPUT chain: after a packet has entered this host, post-routing
- FORWARD chain: alters packets after the first routing decision and before the last one
III. Iptables commands and options
1. Commands
-A: append a new rule at the end of a chain
-I: insert a new rule; -I followed by a number inserts the rule at that position
-R: replace a rule; -R followed by a number replaces the rule at that position
-D: delete a rule; -D followed by a number deletes the rule at that position
-N: create a new chain
-X: delete a user-defined chain; the chain must be empty and unreferenced before it can be deleted
-L: list rules
iptables -L -n: show addresses and ports numerically
iptables -L -v: show verbose information
iptables -L -x: show exact counter values
-E: rename a chain
-F: flush all rules in a chain
-Z: zero the packet and byte counters of a chain
-P: set the default policy of a chain
2. Match conditions
Implicit matches:
-p: tcp, udp, icmp
--sport: source port
--dport: destination port
-s: source address
-d: destination address
-i: interface the packet arrived on
-o: interface the packet leaves through
Extension matches:
-m state --state: match connection state
-m multiport --source-ports: port match, specify a set of ports
-m limit --limit 3/minute: at most three matches per minute
-m limit --limit-burst 5: an initial burst of up to 5 packets
-m string --algo bm|kmp --string "xxxx": match a string in the packet payload
-m time --timestart 8:00 --timestop 12:00: match only within that time window
-m time --days: match only on the given days
-m mac --mac-source xx:xx:xx:xx:xx:xx: match the source MAC address
-m layer7 --l7proto qq: match Tencent QQ traffic; many other protocols are supported. This match is not available by default: the kernel must be patched and both the kernel and iptables rebuilt before the -m layer7 extension match can be used.
3. Targets
-j
DROP: discard the packet silently
ACCEPT: let the packet through
REJECT: discard the packet, but send a reply back
LOG --log-prefix "descriptive text of your choice": log the packet
SNAT: source address translation
DNAT: destination address translation
REDIRECT: redirect
MASQUERADE: address masquerading
IV. Concrete examples
1. Common service ports and protocols
ssh     tcp 22
dhcp    udp 67 68
DNS     tcp/udp 53
http    tcp 80
samba   udp 137 138, tcp 139 445
nfs     2049 111 (see /etc/sysconfig/nfs)
ftp     tcp 20 21 and >1024
squid   tcp 3128
mysql   tcp 3306
smtp    25
pop3    110
imap    143
2. Worked examples
2.1 Open port 22
service iptables start
Output:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If the OUTPUT chain's default policy is DROP, the following rule is mandatory (the SSH server's replies leave with source port 22); the same applies to the examples below.
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Allow remote login from a single host only:
iptables -A INPUT -p tcp --dport 22 -s 192.168.8.71 -j ACCEPT
2.2 If only a web service is exposed
# Use -P to block all traffic to the host
iptables -P INPUT DROP
# Open tcp port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -L
Output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- 10.244.0.0/16 anywhere /* flanneld forward */
ACCEPT all -- anywhere 10.244.0.0/16 /* flanneld forward */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (2 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
DROP all -- !loopback/8 loopback/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT
Chain KUBE-FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT all -- anywhere anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-KUBELET-CANARY (0 references)
target prot opt source destination
Chain KUBE-PROXY-CANARY (0 references)
target prot opt source destination
Chain KUBE-SERVICES (2 references)
target prot opt source destination
REJECT tcp -- anywhere 10.1.127.185 /* default/my-release-nextcloud:http has no endpoints */ tcp dpt:webcache reject-with icmp-port-unreachable
/etc/init.d/iptables save
Output:
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
2.3 Disallow ping
iptables -A INPUT -p icmp -j DROP
2.4 Delete rule number 3
iptables -L --line-number
Output:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
2 KUBE-FIREWALL all -- anywhere anywhere
3 ACCEPT udp -- anywhere anywhere udp dpt:domain
4 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
5 ACCEPT udp -- anywhere anywhere udp dpt:bootps
6 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
2 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
3 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
4 DOCKER-USER all -- anywhere anywhere
5 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
7 DOCKER all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
9 ACCEPT all -- anywhere anywhere
10 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
11 ACCEPT all -- 192.168.122.0/24 anywhere
12 ACCEPT all -- anywhere anywhere
13 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
14 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
15 ACCEPT all -- 10.244.0.0/16 anywhere /* flanneld forward */
16 ACCEPT all -- anywhere 10.244.0.0/16 /* flanneld forward */
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
2 KUBE-FIREWALL all -- anywhere anywhere
3 ACCEPT udp -- anywhere anywhere udp dpt:bootpc
Chain DOCKER (1 references)
num target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (2 references)
num target prot opt source destination
Chain KUBE-FIREWALL (2 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
2 DROP all -- !loopback/8 loopback/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT
Chain KUBE-FORWARD (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere ctstate INVALID
2 ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
3 ACCEPT all -- anywhere anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
4 ACCEPT all -- anywhere anywhere /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-KUBELET-CANARY (0 references)
num target prot opt source destination
Chain KUBE-PROXY-CANARY (0 references)
num target prot opt source destination
Chain KUBE-SERVICES (2 references)
num target prot opt source destination
1 REJECT tcp -- anywhere 10.1.127.185 /* default/my-release-nextcloud:http has no endpoints */ tcp dpt:webcache reject-with icmp-port-unreachable
iptables -D INPUT 3
iptables -L --line-number
Output:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
2 KUBE-FIREWALL all -- anywhere anywhere
3 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
4 ACCEPT udp -- anywhere anywhere udp dpt:bootps
5 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
2 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
3 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
4 DOCKER-USER all -- anywhere anywhere
5 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
7 DOCKER all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
9 ACCEPT all -- anywhere anywhere
10 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
11 ACCEPT all -- 192.168.122.0/24 anywhere
12 ACCEPT all -- anywhere anywhere
13 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
14 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
15 ACCEPT all -- 10.244.0.0/16 anywhere /* flanneld forward */
16 ACCEPT all -- anywhere 10.244.0.0/16 /* flanneld forward */
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
2 KUBE-FIREWALL all -- anywhere anywhere
3 ACCEPT udp -- anywhere anywhere udp dpt:bootpc
Chain DOCKER (1 references)
num target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (2 references)
num target prot opt source destination
Chain KUBE-FIREWALL (2 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
2 DROP all -- !loopback/8 loopback/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT
Chain KUBE-FORWARD (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere ctstate INVALID
2 ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
3 ACCEPT all -- anywhere anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
4 ACCEPT all -- anywhere anywhere /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-KUBELET-CANARY (0 references)
num target prot opt source destination
Chain KUBE-PROXY-CANARY (0 references)
num target prot opt source destination
Chain KUBE-SERVICES (2 references)
num target prot opt source destination
1 REJECT tcp -- anywhere 10.1.127.185 /* default/my-release-nextcloud:http has no endpoints */ tcp dpt:webcache reject-with icmp-port-unreachable
2.5 Keep broadcast packets out of the LAN
iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP
2.6 Replace rule number 3
iptables -R INPUT 3 -s 192.168.8.72 -j ACCEPT
2.7 Insert a new rule above rule number 3
iptables -I INPUT 3 -s 192.168.8.73 -j ACCEPT
2.8 Send ping traffic to the log
iptables -A INPUT -p icmp -s 172.16.13.13 -j LOG
tail -0f /var/log/messages
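Once the LOG rule is in place, the kernel writes one line per matching packet to /var/log/messages in the netfilter LOG format (IN= OUT= SRC= DST= PROTO= ...). The following is an added example, not code from the original page: it parses such lines and counts logged ICMP packets per source address. The log lines are constructed for the example and assume the rule was loaded with `--log-prefix "PING: "`.

```shell
#!/bin/sh
# Constructed sample of what the kernel writes to /var/log/messages after
#   iptables -A INPUT -p icmp -s 172.16.13.13 -j LOG --log-prefix "PING: "
# The fields follow the netfilter LOG format (IN= OUT= SRC= DST= PROTO= ...).
SAMPLE_LOG='Jan  5 10:00:01 host kernel: PING: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.16.13.13 DST=172.16.13.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0
Jan  5 10:00:02 host kernel: PING: IN=eth0 OUT= SRC=172.16.13.13 DST=172.16.13.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan  5 10:00:02 host sshd[123]: Accepted publickey for admin from 192.168.8.71 port 50000 ssh2
Jan  5 10:00:03 host kernel: PING: IN=eth0 OUT= SRC=172.16.13.13 DST=172.16.13.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan  5 10:00:03 host kernel: PING: IN=eth0 OUT= SRC=172.16.13.14 DST=172.16.13.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

# Count logged ICMP packets per source address, reading log lines on stdin.
# Only lines carrying our prefix and PROTO=ICMP count, so unrelated syslog
# lines (the sshd line above) are ignored. Output: "<count> <src>", largest first.
icmp_by_source() {
    grep 'kernel: PING: ' | awk '
        /PROTO=ICMP/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Packets logged from one source address (0 if none); handy in scripts and checks.
icmp_count_from() {
    icmp_by_source | awk -v src="$1" '$2 == src { print $1; found = 1 } END { if (!found) print 0 }'
}

# Live, following the log as the page does: tail -f /var/log/messages | icmp_by_source
# Offline, on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | icmp_by_source
```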
2.9 Port range syntax: 25:110
iptables -A INPUT -p tcp --dport 25:110 -j ACCEPT
2.10 Allow loopback! (otherwise DNS and other local services will not work properly)
iptables -A INPUT -i lo -p all -j ACCEPT
# when the OUTPUT chain policy is DROP
iptables -A OUTPUT -o lo -p all -j ACCEPT
2.11 Reduce connections on unsafe ports
Some trojans scan for services on ports 31337 to 31340 (the "elite" ports in hacker jargon). Since no legitimate service uses these non-standard ports, it is worth refusing connections on them.
iptables -A OUTPUT -p tcp --sport 31337:31338 -j DROP
iptables -A OUTPUT -p tcp --sport 31339:31340 -j DROP
3. FORWARD chain examples (forwarding must be enabled and the host has two NICs)
Note: when doing NAT with a FORWARD default policy of DROP, these rules are required
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
3.1 Drop malformed TCP packets
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
3.2 Limit the number of IP fragments to prevent attacks; allow 100 per second
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
3.3 Filter ICMP: allow 1 packet per second, with a burst threshold of 10 packets
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -t nat -L
To clear the nat table:
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
3.4 Add rules
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
3.5 Block the FTP port (21)
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
3.6 Reject invalid connections
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
3.7 Accept established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
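The rules in sections 2 and 3 are appended one at a time with -A, so their effective order is whatever order the administrator typed them in, and a DROP policy set before the allow rules exist locks the host out. The following is an added example, not code from the original page: it assembles the page's loopback, INVALID, ESTABLISHED,RELATED, SSH, ICMP and web rules into one iptables-restore file in the order they must take effect, so the whole set is loaded atomically. The addresses and ports are the page's own values; the output path and the "PING: " log prefix are assumptions.

```shell
#!/bin/sh
# Emit a complete filter-table ruleset in iptables-restore format.
# iptables-restore loads the whole file atomically, so there is never
# a moment where the policy is already DROP but the allow rules are
# not yet present (the risk of typing `iptables -P INPUT DROP` first).
# Argument 1: the admin host allowed to reach SSH (the page's value by default).
gen_ruleset() {
    admin="${1:-192.168.8.71}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 2.10: loopback first, or DNS and other lo-bound services break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 3.6: drop what conntrack cannot classify, before any ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# 3.7: replies belonging to connections already accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2.1: SSH only from the admin host; 3.3: rate-limited ICMP
-A INPUT -p tcp -s $admin --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# 2.2: the web service
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# 2.8: log ICMP over the limit (itself rate-limited) before the policy drops it
-A INPUT -p icmp -m limit --limit 5/minute -j LOG --log-prefix "PING: "
# the host may originate DNS and HTTP(S) requests itself
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first -A rule containing a pattern, 0 if absent;
# used to verify that ordering-sensitive rules sit where they must.
rule_index() {
    gen_ruleset "$2" | awk -v pat="$1" '
        /^-A/ { n++; if (index($0, pat) > 0) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# Usage (as root): gen_ruleset > /etc/sysconfig/iptables.new \
#   && iptables-restore --test < /etc/sysconfig/iptables.new \
#   && iptables-restore < /etc/sysconfig/iptables.new
gen_ruleset "$@"
```

`iptables-restore --test` parses the file without committing it, which catches a typo before it can take the host offline.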