@Aklis
2016-10-21T04:53:38.000000Z
                           _____
                          /     \
Incoming-->[Routing ]--->|FORWARD|------->Outgoing
           [Decision]    \_____/         ^
               |                         |
               v                        ____
              ___                      /    \
             /   \                    |OUTPUT|
            |INPUT|                   \____/
             \___/                       ^
               |                         |
                ----> Local Process ------
Four rule tables, five rule chains
- raw: processed before the connection-state tracking mechanism; its chains are
  1. OUTPUT
  2. PREROUTING
- mangle: #iptables -t mangle -L
- nat: #iptables -t nat -L
  Rewrites a packet's IP address and port number, i.e. forwarding (NAT).
- filter: #iptables -L
  Filters packets and decides whether a packet is let through.
-A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
-L - List the current filter rules.
-m conntrack - Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
--ctstate - Define the list of states for the rule to match on. Valid states are:
NEW - The connection has not yet been seen.
RELATED - The connection is new, but is related to another connection already permitted.
ESTABLISHED - The connection is already established.
INVALID - The traffic couldn't be identified for some reason.
-m limit - Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
--limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".
-p - The connection protocol used.
--dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
-j - Jump to the specified target. By default, iptables allows four targets:
ACCEPT - Accept the packet and stop processing rules in this chain.
REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
DROP - Silently ignore the packet, and stop processing rules in this chain.
LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
--log-prefix - When logging, put this text before the log message. Use double quotes around the text to use.
--log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
-i - Only match if the packet is coming in on the specified interface.
-I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
-I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
-v - Display more information in the output. Useful for if you have rules that look similar without using -v.
-s --source - address[/mask] source specification
-d --destination - address[/mask] destination specification
-o --out-interface - output name[+] network interface name ([+] for wildcard)
Logging
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way:
sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
See Tips section for more ideas on logging.
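The LOG rule above writes one kernel log line per denied packet, with the `--log-prefix` text in front of the netfilter fields (IN=, SRC=, PROTO=, DPT=, ...). A defender usually wants those lines summarised rather than read one by one. The following shell snippet is an added example, not code from the original post: it defines a `summarize_denied` function (an assumed name) that reads syslog text on stdin, keeps only the lines carrying the prefix, and counts them by source address, protocol and destination port. The sample log lines in `SAMPLE_LOG` are constructed for this example and use documentation address ranges.

```shell
#!/bin/sh
# Constructed sample syslog lines in the format the LOG target produces with
# --log-prefix "iptables denied: ". The addresses are documentation ranges
# and the MAC/ID values are invented; the sshd line is included as noise that
# must be ignored.
SAMPLE_LOG='Oct 21 04:53:38 vps kernel: [12345.678901] iptables denied: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=12345 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 04:53:39 vps kernel: [12346.678901] iptables denied: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=12346 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 04:53:40 vps kernel: [12347.678901] iptables denied: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5000 DPT=161 LEN=40
Oct 21 04:53:41 vps kernel: [12348.678901] iptables denied: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54323 PROTO=TCP SPT=12347 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 04:53:42 vps sshd[123]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2'

# summarize_denied: read syslog text on stdin, keep only lines tagged with the
# LOG prefix, and print "count src proto dpt" sorted by count, highest first.
# Usage: summarize_denied < /var/log/kern.log
summarize_denied() {
    grep 'iptables denied: ' | awk '{
        src = ""; proto = ""; dpt = ""
        # the netfilter fields are space-separated KEY=VALUE tokens
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

Because the LOG rule is rate-limited with `-m limit`, the counts are a lower bound on what was actually denied; the summary is still enough to see which sources and ports keep hitting the firewall.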
EXAMPLE:
Conditional matches
Only allow hosts in the 202.13.0.0/16 network to log in to port 22 on this machine
#iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
#iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
# Stop other hosts from pinging the firewall host, but allow pinging other hosts from the firewall (accept the ICMP echo replies).
#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8002 -j ACCEPT
# Allow established or related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the local loopback interface
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow this host to reach out
-A OUTPUT -j ACCEPT
# Allow access to the SSH port; if the port was changed, adjust the port number accordingly
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80 (HTTP)
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow access to the FTP ports: 21, 20
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
# Allow access to port 161 (SNMP)
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject anything not explicitly allowed
-A INPUT -j REJECT
-A FORWARD -j REJECT
# Users of XEN or OpenVZ VPSes, take note! If you add the final "reject anything
# not explicitly allowed" rule to the file, you must also add the first rule,
# "allow established or related connections". Without that first rule you will
# not be able to connect to the VPS on the specified ports (such as SSH).
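The rule list above is written in the format that `iptables-restore` reads, and the warning at its end is really about ordering: the ESTABLISHED,RELATED rule must come before the catch-all REJECT. The following shell script is an added example, not code from the original post or any project: `build_ruleset` (an assumed name) emits a complete filter table for a list of `proto/port` arguments, with the logging rule from the Logging section placed just before the final REJECT, and `validate_ruleset` (also assumed) checks the ordering before the file is handed to `iptables-restore`. It uses `-m conntrack --ctstate`, described in the option list above, in place of the older `-m state`, and sets the INPUT and FORWARD chain policies to DROP as an extra safety net; both are this example's choices, not the post's.

```shell
#!/bin/sh
# build_ruleset PROTO/PORT... : print a complete filter table in
# iptables-restore syntax. Order matters: conntrack shortcut first, then
# loopback, then the explicit service ports, a rate-limited LOG, and only
# then the REJECT catch-all.
build_ruleset() {
    printf '%s\n' '*filter'
    # chain policies (assumed choice: deny by default, OUTPUT open as on the page)
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # replies to connections we opened, and anything conntrack cannot classify
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # one rule per requested service, e.g. tcp/22 udp/161
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log what is about to be rejected, at a bounded rate, then reject it
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' '-A INPUT -j REJECT'
    printf '%s\n' 'COMMIT'
}

# validate_ruleset: read a ruleset on stdin and exit 0 only if the
# ESTABLISHED,RELATED rule precedes the INPUT REJECT catch-all (the VPS
# warning above) and the table is closed with COMMIT.
validate_ruleset() {
    awk '
        /ESTABLISHED,RELATED/ && est == 0 { est = NR }
        /^-A INPUT -j REJECT/             { rej = NR }
        /^COMMIT$/                        { commit = 1 }
        END {
            ok = (est > 0 && rej > 0 && est < rej && commit)
            exit (ok ? 0 : 1)
        }'
}

# Stand-alone run: print the generated table and report the validation result.
# To apply it for real (needs root): build_ruleset tcp/22 tcp/80 | sudo iptables-restore
build_ruleset tcp/22 tcp/80 udp/161 | tee /dev/stderr | validate_ruleset \
    && echo "ruleset ordering OK" || echo "ruleset ordering BROKEN"
```

Loading the table with `iptables-restore` replaces the whole filter table in one step, so there is never a moment where the REJECT rule is present but the ESTABLISHED,RELATED rule is not, which is the window the VPS warning is about.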
Explicit matches
MAC address
Drop forwarded packets coming from 3C:97:0E:77:7F:67
#iptables -A FORWARD -m mac --mac-source 3C:97:0E:77:7F:67 -j DROP
Multiple ports
#iptables -A INPUT -p tcp -m multiport --dport 20,21,25,110,1250:1280 -j ACCEPT
Multiple IPs
#iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
State
Reject new packets addressed to the firewall, but allow packets that respond to, or are related to, existing connections.
#iptables -A INPUT -p tcp -m state --state NEW -j DROP
#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT