iptables cheat sheet


iptables

The four tables, the five chains, and the targets each table supports

| table | PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING |
|---|---|---|---|---|---|
| raw | NOTRACK | N/A | N/A | NOTRACK | N/A |
| mangle | all targets | all targets | all targets | all targets | all targets |
| nat | DNAT | SNAT | N/A | DNAT | SNAT |
| filter | N/A | all targets | all targets | all targets | N/A |

Standard targets

| Target | Description |
|---|---|
| DROP | Drop the packet |
| ACCEPT | Let the packet through |
| RETURN | Stop checking the remaining rules in the current chain and return to the calling chain, where checking continues |

Basic examples

| Item | Syntax | Example |
|---|---|---|
| Help for all | -h | iptables -h |
| Help for match | -m match --help | iptables -m mark --help |
| Help for target | -j target --help | iptables -j DNAT --help |
| Create a new user-defined chain | -N chain | iptables -N MY_CHAIN |
| Delete all rules in chain or all chains | -F [chain] | iptables -F FORWARD |
| Delete a user-defined chain | -X [chain] | iptables -X MY_CHAIN |
| Change chain name (moving any references) | -E old-chain new-chain | iptables -E OLD_CHAIN NEW_CHAIN |
| Change policy on chain to target | -P chain target | iptables -P FORWARD DROP |
| Append to chain | -A chain | iptables -A INPUT -j ACCEPT |
| Insert in chain as rulenum (default 1 = first) | -I chain [rulenum] | iptables -I INPUT 2 -j ACCEPT |
| Check for the existence of a rule | -C chain | iptables -C INPUT -j ACCEPT |
| Delete matching rule from chain | -D chain | iptables -D INPUT -j ACCEPT |
| Delete rule rulenum (1 = first) from chain | -D chain rulenum | iptables -D INPUT 1 |
| Replace rule rulenum (1 = first) in chain | -R chain rulenum | iptables -R INPUT 3 -j ACCEPT |
| List the rules in a chain or all chains | -L [chain [rulenum]] | iptables -nvL FORWARD |
| List the rules in a chain or all chains (with line numbers) | --line-numbers | iptables --line-numbers -nvL FORWARD |
| Zero counters in chain or all chains | -Z [chain [rulenum]] | iptables -Z FORWARD |
| Print the rules in a chain or all chains | -S [chain [rulenum]] | iptables -S POSTROUTING -t nat |
| Table to manipulate (default: `filter') | -t table | iptables -t nat -I PREROUTING -d 8.8.8.8 -j DNAT --to 192.168.0.1 |
| Extended match (may load extension) | -m match | iptables -I FORWARD -m mark --mark 0x123/0xffff -j ACCEPT |
| Protocol, by number or name | [!] -p proto | iptables -I INPUT -p icmp -j DROP |
| Source specification | [!] -s address[/mask][,...] | iptables -I FORWARD -s 192.168.0.0/24 -j DROP |
| Destination specification | [!] -d address[/mask][,...] | iptables -I FORWARD -d 192.168.1.0/24 -j DROP |
| Input interface name ([+] for wildcard) | [!] --in-interface / -i input-name[+] | iptables -I FORWARD -i eth0 -j DROP |
| Output interface name ([+] for wildcard) | [!] --out-interface / -o output-name[+] | iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE |
| Target for rule (may load target extension) | -j target | iptables -I INPUT -s 192.168.0.0/24 -j MY_CHAIN |
| Jump to chain with no return | -g chain | iptables -I INPUT -s 192.168.0.0/24 -g MY_CHAIN |

nf_conntrack helper modules

By default the nf_conntrack helper modules listen on the well-known port of each protocol, the port_number column in the table below.

| l7_protocol | nf_conntrack module | nf_nat module | l4_protocol | port_number | port_name |
|---|---|---|---|---|---|
| ftp | nf_conntrack_ftp | nf_nat_ftp | tcp | 21 | FTP_PORT |
| tftp | nf_conntrack_tftp | nf_nat_tftp | udp | 69 | TFTP_PORT |
| h323 | nf_conntrack_h323 | nf_nat_h323 | tcp | 1719 | RAS_PORT |
| h323 | nf_conntrack_h323 | nf_nat_h323 | tcp | 1720 | Q931_PORT |
| sip | nf_conntrack_sip | nf_nat_sip | tcp | 5060 | SIP_PORT |
| rtsp | nf_conntrack_rtsp | nf_nat_rtsp | tcp | 554 | RTSP_PORT |

To track a protocol on other port numbers, reload the nf_conntrack helper module and pass the ports with the ports= parameter.
Note that the number of ports that can be configured this way is generally capped at 8.

| Item | Example |
|---|---|
| Show whether the modules are loaded | lsmod \| grep ftp |
| Unload the nf_nat module | rmmod nf_nat_ftp |
| Unload the nf_conntrack module | rmmod nf_conntrack_ftp |
| Load the nf_conntrack module (default port) | modprobe nf_conntrack_ftp |
| Load the nf_conntrack module (other ports) | modprobe nf_conntrack_ftp ports=21,2125,2135 |
| Load the nf_nat module | modprobe nf_nat_ftp |

Commonly used matches and targets

Source directory in the kernel tree

/net/netfilter

state match options:

[!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
			State(s) to match

conntrack match options:

[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
							   State(s) to match
[!] --ctproto proto            Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
							   Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
							   TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
							   Status(es) to match
[!] --ctexpire time[:time]     Match remaining lifetime in seconds against
							   value or range of values (inclusive)
	--ctdir {ORIGINAL|REPLY}   Flow direction of packet

connmark match options:

[!] --mark value[/mask]    Match ctmark value with optional mask

statistic match options:

 --mode mode                    Match mode (random, nth)
 random mode:
[!] --probability p		 Probability
 nth mode:
[!] --every n			 Match every nth packet
 --packet p			 Initial counter value (0 <= p <= n-1, default 0)

tcp match options:

[!] --tcp-flags mask comp	match when TCP flags & mask == comp
				(Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn			match when only SYN flag set
				(equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)
[!] --source-port port[:port]
 --sport ...
				match source port(s)
[!] --destination-port port[:port]
 --dport ...
				match destination port(s)
[!] --tcp-option number        match if TCP option set
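The `--tcp-flags mask comp` test above (match when `flags & mask == comp`) and the `--syn` shorthand are easy to misread; the following added example (not iptables' own code) models them on constructed flag sets and shows which common rules fire for a pure SYN, a SYN+ACK, a NULL packet and an XMAS packet. Flag names and bit values follow the TCP header; the sample packets are constructed.

```python
# Added example: models the iptables tcp match semantics, not kernel code.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}

def flags_to_int(spec: str) -> int:
    """Turn an iptables flag list such as 'SYN,RST,ACK,FIN' into a bitmask.
    ALL and NONE are accepted, as in the iptables syntax."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))

def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """--tcp-flags mask comp: look only at the bits in mask and require
    exactly the bits in comp to be set among them."""
    return (packet_flags & flags_to_int(mask)) == flags_to_int(comp)

def syn_match(packet_flags: int) -> bool:
    """--syn is defined as --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)

# Constructed sample packets: description -> flag bits as seen on the wire.
SAMPLE_PACKETS = {
    "pure SYN (new connection)": flags_to_int("SYN"),
    "SYN+ACK (handshake reply)": flags_to_int("SYN,ACK"),
    "ACK (established flow)": flags_to_int("ACK"),
    "NULL packet (no flags)": 0,
    "XMAS packet (FIN,PSH,URG)": flags_to_int("FIN,PSH,URG"),
}

def classify(packet_flags: int) -> list:
    """Return the rules, out of three common ones, that fire on this packet."""
    hits = []
    if syn_match(packet_flags):
        hits.append("--syn")
    if tcp_flags_match("ALL", "NONE", packet_flags):
        hits.append("--tcp-flags ALL NONE")          # NULL packet signature
    if tcp_flags_match("ALL", "FIN,PSH,URG", packet_flags):
        hits.append("--tcp-flags ALL FIN,PSH,URG")   # XMAS packet signature
    return hits

if __name__ == "__main__":
    for name, bits in SAMPLE_PACKETS.items():
        print(f"{name:28s} flags=0x{bits:02x} -> {classify(bits)}")
```

Note that a SYN+ACK fails `--syn` because ACK is inside the mask and must be clear, which is why `--syn` only sees the first packet of a connection.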

udp match options:

[!] --source-port port[:port]
 --sport ...
				match source port(s)
[!] --destination-port port[:port]
 --dport ...
				match destination port(s)

icmp match options:

[!] --icmp-type typename	match icmp type
[!] --icmp-type type[/code]	(or numeric type or type/code)
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

hashlimit match options:

--hashlimit-upto <avg>           max average match rate
							   [Packets per second unless followed by 
							   /sec /minute /hour /day postfixes]
--hashlimit-above <avg>          min average match rate
--hashlimit-mode <mode>          mode is a comma-separated list of
							   dstip,srcip,dstport,srcport (or none)
--hashlimit-srcmask <length>     source address grouping prefix length
--hashlimit-dstmask <length>     destination address grouping prefix length
--hashlimit-name <name>          name for /proc/net/ipt_hashlimit
--hashlimit-burst <num>	    number to match in a burst, default 5
--hashlimit-htable-size <num>    number of hashtable buckets
--hashlimit-htable-max <num>     number of hashtable entries
--hashlimit-htable-gcinterval    interval between garbage collection runs
--hashlimit-htable-expire        after which time are idle entries expired?

limit match options:

--limit avg			max average match rate: default 3/hour
								[Packets per second unless followed by 
								/sec /minute /hour /day postfixes]
--limit-burst number		number to match in a burst, default 5
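Both `hashlimit` and `limit` express a maximum average rate plus a burst, and the behaviour that follows from that is not obvious from the option text alone. The added example below (not the kernel's xt_limit code) models the limit match as a token bucket, which is an assumption about its behaviour that matches the documented semantics: the bucket starts full at `burst` tokens, refills at `avg`, and a packet matches only when a whole token is available. It shows how many entries a rule like `-m limit --limit 3/hour --limit-burst 5 -j LOG` would actually log for a burst of packets.

```python
# Added example: token-bucket model of "-m limit --limit avg --limit-burst n".
UNITS = {"sec": 1, "second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_rate(avg: str) -> float:
    """'3/hour' -> tokens per second. A bare number means per second,
    matching the help text above."""
    number, _, unit = avg.partition("/")
    return float(number) / UNITS[unit or "sec"]

class LimitMatch:
    def __init__(self, avg: str, burst: int = 5):
        self.rate = parse_rate(avg)   # refill rate in tokens per second
        self.burst = float(burst)     # bucket capacity; starts full
        self.tokens = self.burst
        self.last = None              # arrival time of the previous packet

    def match(self, now: float) -> bool:
        """True if a packet arriving at time `now` (seconds) matches."""
        if self.last is not None:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(avg: str, burst: int, arrivals: list) -> list:
    """Run a constructed packet arrival schedule through one limit match."""
    lm = LimitMatch(avg, burst)
    return [lm.match(t) for t in arrivals]

if __name__ == "__main__":
    # Constructed schedule: ten packets one second apart, then two more
    # 25 minutes later. With 3/hour the bucket gains one token per 20 minutes.
    schedule = list(range(10)) + [1500, 1501]
    for t, hit in zip(schedule, simulate("3/hour", 5, schedule)):
        print(f"t={t:5d}s  {'LOG' if hit else 'skipped'}")
```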

helper match options:

[!] --helper string        Match helper identified by string

SNAT target options:

 --to-source [<ipaddr>[-<ipaddr>]][:port[-port]]
				Address to map source to.
[--random] [--persistent]

DNAT target options:

 --to-destination [<ipaddr>[-<ipaddr>]][:port[-port]]
				Address to map destination to.
[--random] [--persistent]

MASQUERADE target options:

--to-ports <port>[-<port>]
			Port (range) to map to.
--random
			Randomize source port.

REDIRECT target options:

 --to-ports <port>[-<port>]
				Port (range) to map to.

MARK target options:

--set-xmark value[/mask]  Clear bits in mask and XOR value into nfmark
--set-mark value[/mask]   Clear bits in mask and OR value into nfmark
--and-mark bits           Binary AND the nfmark with bits
--or-mark bits            Binary OR the nfmark with bits
--xor-mark bits           Binary XOR the nfmark with bits
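The difference between `--set-xmark` (clear the masked bits, then XOR) and `--set-mark` (clear the masked bits, then OR) only shows when the value has bits outside the mask. The added example below (not iptables' own code) implements the five MARK operations from the list above on a 32-bit nfmark and the `-m mark --mark value/mask` comparison used in the basic-examples table, with constructed mark values.

```python
# Added example: models the MARK target and the mark match, not kernel code.
NFMARK_BITS = 0xFFFFFFFF  # nfmark is a 32-bit field

def parse_value_mask(spec: str, default_mask: int) -> tuple:
    """Parse 'value' or 'value/mask'; hex (0x...) and decimal are accepted."""
    value, _, mask = spec.partition("/")
    return int(value, 0), (int(mask, 0) if mask else default_mask)

def set_xmark(nfmark: int, spec: str) -> int:
    """--set-xmark value[/mask]: clear bits in mask, then XOR value in.
    Without a mask the whole mark is replaced."""
    value, mask = parse_value_mask(spec, NFMARK_BITS)
    return ((nfmark & ~mask) ^ value) & NFMARK_BITS

def set_mark(nfmark: int, spec: str) -> int:
    """--set-mark value[/mask]: clear bits in mask, then OR value in."""
    value, mask = parse_value_mask(spec, NFMARK_BITS)
    return ((nfmark & ~mask) | value) & NFMARK_BITS

def and_mark(nfmark: int, bits: int) -> int:
    return nfmark & bits

def or_mark(nfmark: int, bits: int) -> int:
    return nfmark | bits

def xor_mark(nfmark: int, bits: int) -> int:
    return (nfmark ^ bits) & NFMARK_BITS

def mark_match(nfmark: int, spec: str) -> bool:
    """-m mark --mark value[/mask]: compare only the bits selected by mask."""
    value, mask = parse_value_mask(spec, NFMARK_BITS)
    return (nfmark & mask) == value

if __name__ == "__main__":
    mark = set_mark(0, "0x123")                       # -j MARK --set-mark 0x123
    print(hex(mark), mark_match(mark, "0x123/0xffff"))  # matches the table's rule
    # Upper 16 bits stay free for a second classifier; only the low half is compared.
    mark = set_xmark(mark, "0x10000/0xffff0000")
    print(hex(mark), mark_match(mark, "0x123/0xffff"))
    # Value 0x123 has bit 8 outside mask 0x0ff: XOR flips it, OR forces it on.
    print(hex(set_xmark(0x0F0F, "0x123/0x0ff")), hex(set_mark(0x0F0F, "0x123/0x0ff")))
```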

CT target options:

--notrack			Don't track connection
--helper name			Use conntrack helper 'name' for connection
--timeout name 		Use timeout policy 'name' for connection
--ctevents event[,event...]	Generate specified conntrack events for connection
--expevents event[,event...]	Generate specified expectation events for connection
--zone ID			Assign/Lookup connection in zone ID

CONNMARK target options:

--set-xmark value[/ctmask]    Zero mask bits and XOR ctmark with value
--save-mark [--ctmask mask] [--nfmask mask]
							Copy nfmark to ctmark using masks
--restore-mark [--ctmask mask] [--nfmask mask]
							Copy ctmark to nfmark using masks                                
--set-mark value[/mask]       Set conntrack mark value
--save-mark [--mask mask]     Save the packet nfmark in the connection
--restore-mark [--mask mask]  Restore saved nfmark value
--and-mark value              Binary AND the ctmark with bits
--or-mark value               Binary OR  the ctmark with bits
--xor-mark value              Binary XOR the ctmark with bits

LOG target options:

--log-level level		Level of logging (numeric or see syslog.conf)
--log-prefix prefix		Prefix log messages with this prefix.
--log-tcp-sequence		Log TCP sequence numbers.
--log-tcp-options		Log TCP options.
--log-ip-options		Log IP options.
--log-uid			Log UID owning the local socket.
--log-macdecode		Decode MAC addresses and protocol.