Four tables, five chains
Four tables
- Rule tables
What a table does: holds rule chains
How tables are divided: by what the firewall rules in them do
- Four tables exist by default
raw table: decides whether a packet is subject to connection (state) tracking at all
mangle table: marks packets or rewrites header fields (TTL, TOS, fwmark)
nat table: rewrites the source or destination IP address or port of a packet (SNAT, DNAT, MASQUERADE)
filter table: decides whether to let a packet through (filtering); this is the table used when -t is omitted
Five chains
- Rule chains
What a rule does: filters or otherwise processes a packet
What a chain does: holds firewall rules
How chains are divided: by the point in the packet's path at which they run
- Five chains exist by default
INPUT: handles inbound packets addressed to the local host
OUTPUT: handles outbound packets generated by the local host
FORWARD: handles packets routed through this host to another host
POSTROUTING chain: handles packets after the routing decision
PREROUTING chain: handles packets before the routing decision
Not every table has every chain: filter has INPUT, FORWARD and OUTPUT; nat has PREROUTING, INPUT, OUTPUT and POSTROUTING; mangle has all five; raw has only PREROUTING and OUTPUT.
Packet control and the matching flow
Packet-filtering firewall
Both of the following names are used for the Linux firewall
- netfilter
The packet-filtering framework inside the Linux kernel
Called the "kernel side" of the Linux firewall
- iptables
Located at /sbin/iptables; the tool used to manage firewall rules
Called the "user side" of the Linux firewall
Layer at which packet filtering works
- Mainly the network layer, on IP packets (transport-layer fields such as TCP/UDP ports are also matched)
- Shown in the handling of the IP addresses, ports and similar fields inside the packet
Matching flow of packet filtering
- Order between rule tables
raw > mangle > nat > filter (at any hook where several tables have a chain, the tables are consulted in this order)
- Order between rule chains
Inbound: PREROUTING > INPUT
Outbound: OUTPUT > POSTROUTING
Forwarded: PREROUTING > FORWARD > POSTROUTING
- Matching order within a chain
Rules are checked one by one from top to bottom; the first match decides and matching stops (LOG is the exception: it records the packet and matching continues with the next rule)
If no rule matches, the packet is handled by the chain's default policy
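As an added example (not code from the original notes), the POSIX shell script below walks one chain exactly the way the text describes: top to bottom, first match wins, LOG falls through, and the chain policy applies when nothing matched. It is a simulator, not iptables: the rulesets are constructed here (the INPUT chain from the `iptables -S` listing further down this page, plus a LOG rule, and a second ruleset with a catch-all REJECT placed first), the packet is described through this script's own PKT_* variables and `verdict` helper, and the parser understands only the match clauses that appear on this page (-p, -i, -s, --dport, --state and "!" negation).

```shell
#!/bin/sh
# Added example: a first-match walk of one iptables chain. Not iptables itself;
# it only knows the clauses used on this page. Packet attributes are passed in
# PKT_PROTO PKT_DPORT PKT_STATE PKT_IN PKT_SRC (this script's convention, not an
# iptables interface).

# Constructed ruleset: the INPUT chain from the page's `iptables -S` output,
# plus a LOG rule for new HTTP connections to show that LOG does not stop matching.
PAGE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed ruleset with an ordering mistake: a catch-all REJECT listed
# before the ACCEPT makes the ACCEPT unreachable.
SHADOWED_RULES='-P INPUT DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 22 -j ACCEPT'

# rule_target <rule tokens>: print the rule's target and return 0 when every
# match clause agrees with the packet; return 1 at the first clause that does not.
rule_target() {
    neg=0; target=""
    while [ $# -gt 0 ]; do
        hit=""
        case "$1" in
            '!')     neg=1; shift; continue ;;          # negates the next clause
            -j)      target=$2 ;;
            -p)      [ "$2" = "$PKT_PROTO" ] && hit=1 || hit=0 ;;
            -i)      [ "$2" = "$PKT_IN" ]    && hit=1 || hit=0 ;;
            -s)      [ "$2" = "$PKT_SRC" ]   && hit=1 || hit=0 ;;
            --dport) [ "$2" = "$PKT_DPORT" ] && hit=1 || hit=0 ;;
            --state) case ",$2," in *",$PKT_STATE,"*) hit=1 ;; *) hit=0 ;; esac ;;
        esac                                             # -A, -m, --reject-with: no match of their own
        if [ -n "$hit" ]; then
            if [ "$neg" = 1 ]; then hit=$((1 - hit)); neg=0; fi
            [ "$hit" = 1 ] || return 1
        fi
        shift 2                                          # every option handled here takes one argument
    done
    echo "$target"
}

# walk_chain CHAIN: apply the rules in $RULES top to bottom, stop at the first
# matching terminating target, let LOG fall through, and fall back to the
# chain policy (-P line) when nothing matched.
walk_chain() {
    chain=$1; policy=ACCEPT; n=0
    while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        [ "$2" = "$chain" ] || continue
        if [ "$1" = "-P" ]; then policy=$3; continue; fi
        n=$((n + 1))
        if t=$(rule_target "$@"); then
            if [ "$t" = LOG ]; then
                echo "rule $n: LOG, matching continues" >&2
                continue
            fi
            echo "$t"; return 0
        fi
    done <<EOF
$RULES
EOF
    echo "$policy"                                       # no rule matched: chain default policy
}

# verdict PROTO DPORT STATE IN_IFACE SRC: classify one constructed packet
# against the INPUT chain of the ruleset currently in $RULES.
verdict() {
    PKT_PROTO=$1; PKT_DPORT=$2; PKT_STATE=$3; PKT_IN=$4; PKT_SRC=$5
    walk_chain INPUT
}

RULES=$PAGE_RULES
echo "new ssh from 10.0.0.5:        $(verdict tcp 22 NEW eth0 10.0.0.5)"          # ACCEPT (rule 4)
echo "new http from 10.0.0.5:       $(verdict tcp 80 NEW eth0 10.0.0.5)"          # LOG, then REJECT
echo "reply packet, any port:       $(verdict tcp 443 ESTABLISHED eth0 10.0.0.5)" # ACCEPT (rule 1)
echo "new udp/53 from 10.0.0.5:     $(verdict udp 53 NEW eth0 10.0.0.5)"          # REJECT (catch-all)
RULES=$SHADOWED_RULES
echo "ssh with REJECT listed first: $(verdict tcp 22 NEW eth0 10.0.0.5)"          # REJECT, ACCEPT never reached
```

The two orderings are the whole point: the same five rules protect SSH in one order and cut it off in the other, and the trailing catch-all REJECT is what makes the policy line irrelevant in the page's ruleset. Swap `RULES` for any `iptables -S` output you want to reason about, as long as it only uses the clauses listed above.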
iptables
Installation
[root@localhost ~]# systemctl stop firewalld.service          # stop firewalld; it and iptables-services must not manage the rules at the same time
[root@localhost ~]# systemctl disable firewalld.service       # keep it from starting at boot
[root@localhost ~]# yum -y install iptables iptables-services # install iptables and the service that loads and saves /etc/sysconfig/iptables
[root@localhost ~]# systemctl start iptables.service          # start the service (loads the saved ruleset)
[root@localhost ~]# systemctl enable iptables.service         # start at boot
Basic syntax
iptables [-t table] option [chain] [match conditions] [-j target]
- Common packet control types (targets)
ACCEPT: let the packet through
DROP: discard silently, sending nothing back
REJECT: refuse the packet and send an error back (an ICMP error, icmp-port-unreachable by default, or a TCP RST with --reject-with tcp-reset)
LOG: write a kernel log entry, then continue matching with the next rule (it is not a terminating target)
Common options
-A append a rule at the end of the chain
-I insert a rule into the chain; without a rule number it becomes rule 1
-P set the chain's default policy (ACCEPT or DROP; built-in chains only)
-D delete a rule (by rule number, or by repeating its specification)
-R replace the rule at the given number
-L list rules
-n show addresses and ports numerically instead of resolving names
-v show details when listing (packet/byte counters, in/out interfaces); lowercase, since -V prints the iptables version
-F flush all rules from a chain (or from every chain of the table if no chain is given); default policies are not changed
-X delete user-defined (custom) chains; only empty chains that no rule references can be deleted, built-in chains are unaffected
-Z zero the packet and byte counters of a chain
-S print the rules in the form iptables-save uses, for all chains, for one chain, or for one rule when a rule number follows the chain name
[root@localhost ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT   # allow anyone to ping (and every other ICMP type)
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@localhost ~]# iptables -vnL   # -v adds counters and interfaces, -n prints numbers instead of names; the table defaults to filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
489 29888 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
14 1822 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 322 packets, 31972 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t filter -F   # flush every chain of the filter table; the default policies stay as they were
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 15 packets, 988 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 10 packets, 848 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t filter -X   # delete user-defined chains in the filter table (none exist here, so nothing changes)
[root@localhost ~]# iptables -Z             # zero all counters
[root@localhost ~]# iptables -F             # flush all chains (filter table by default)
[root@localhost ~]# iptables -X
[root@localhost ~]# iptables -t filter -A INPUT -j REJECT
[root@localhost ~]# iptables -t filter -A INPUT -j ACCEPT   # appended after the catch-all REJECT, so this rule can never match
[root@localhost ~]# iptables -P INPUT DROP    # default policy DROP: anything no rule accepts is discarded. Set this only after the rules that keep your own session alive (lo, ESTABLISHED, SSH) are in place, or a remote session is cut off
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -R INPUT 1 -j DROP   # replace rule 1 (the REJECT above) with a DROP
[root@localhost ~]# iptables -A INPUT ! -p icmp -j DROP   # "!" negates the match: drop every inbound packet that is not ICMP
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
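The commands above are typed one at a time, which is how `-P INPUT DROP` ends up locking an administrator out of an SSH session. As an added example (not part of the original notes), the script below builds a default-deny INPUT ruleset in the iptables-restore format that iptables-services stores in /etc/sysconfig/iptables, loads it atomically, and schedules a rollback to the previous rules that only a surviving session can cancel. The management network 192.168.245.0/24 (the lab range used elsewhere on this page) and port 22 are placeholder defaults; `-m conntrack --ctstate` is the current spelling of the page's `-m state --state`; `iptables-restore --test` is the parse-only check of iptables-restore.

```shell
#!/bin/sh
# Added example (not from the original page): default-deny INPUT ruleset in
# iptables-restore format plus a timed-rollback loader. The management
# network and SSH port below are placeholders, not values from the page's setup.

# build_ruleset [SSH_PORT] [MGMT_NET]: print the ruleset. The order matters:
# loopback and established traffic first, then the SSH allow rule, and the
# DROP policy arrives in the same atomic load instead of being typed as a
# separate `iptables -P INPUT DROP` before the allow rules exist.
build_ruleset() {
    ssh_port=${1:-22}
    mgmt_net=${2:-192.168.245.0/24}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s $mgmt_net --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "ssh-denied: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# apply_with_rollback [SECONDS]: snapshot the running rules, syntax-check the
# new ruleset, load it, and restore the snapshot in the background after the
# grace period unless the administrator kills the rollback job. If the SSH
# session survives the load, run `kill $ROLLBACK_PID` to keep the new rules and
# then `iptables-save > /etc/sysconfig/iptables` (or `service iptables save`)
# so iptables-services reloads them at boot. If the session dies, the old rules
# come back on their own.
apply_with_rollback() {
    grace=${1:-60}
    snapshot=$(mktemp)
    iptables-save > "$snapshot"
    if ! build_ruleset | iptables-restore --test; then
        echo "new ruleset failed to parse; nothing changed" >&2
        return 1
    fi
    ( sleep "$grace"; iptables-restore < "$snapshot"; echo "rolled back after ${grace}s" ) &
    ROLLBACK_PID=$!
    build_ruleset | iptables-restore
    echo "new rules loaded; run:  kill $ROLLBACK_PID   within ${grace}s to keep them"
}

# Default action prints the ruleset for review; `apply` loads it (needs root).
case "${1:-show}" in
    show)  build_ruleset ;;
    apply) apply_with_rollback "${2:-60}" ;;
esac
```

Review the printed ruleset first (`sh ruleset.sh`), then load it with `sh ruleset.sh apply 60` from the SSH session you want to protect; the rollback job is the safety net the one-command-at-a-time workflow above lacks.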
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -s 192.168.245.211 -j DROP   # drop HTTP from one source host; -s can also take a network such as 192.168.245.0/24
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 758 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.245.211 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.245.211 -j DROP   # drop only ping requests (ICMP type 8) from that host; it cannot ping us, but we can still ping it because echo-reply is not matched
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 344 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 192.168.245.211 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dport 80,20,23 -s 192.168.245.211 -j DROP   # several discrete ports in one rule (-m multiport, up to 15 ports)
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.245.211 0.0.0.0/0 multiport dports 80,20,23
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dport 20:80 -s 192.168.245.211 -j DROP   # a port range, start:end; multiport accepts ranges and single ports in the same list
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.245.211 0.0.0.0/0 multiport dports 80,20,23
0 0 DROP tcp -- * * 192.168.245.211 0.0.0.0/0 multiport dports 20:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination