@Aklis 2016-10-21T04:53:38.000000Z Words: 4037 Reads: 426

iptables

Uncategorized


```
                               _____
                              /     \
    Incoming-->[Routing ]--->|FORWARD|------->Outgoing
               [Decision]     \_____/        ^
                    |                        |
                    v                       ____
                   ___                     /    \
                  /   \                   |OUTPUT|
                 |INPUT|                   \____/
                  \___/                       ^
                    |                         |
                     ----> Local Process ----
```

Four rule tables, five rule chains
- raw: connection-state tracking (conntrack) handling; its chains are:

1. OUTPUT
2. PREROUTING

Ubuntu

- -A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
- -L - List the current filter rules.
- -m conntrack - Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
- --ctstate - Define the list of states for the rule to match on. Valid states are:
  - NEW - The connection has not yet been seen.
  - RELATED - The connection is new, but is related to another connection already permitted.
  - ESTABLISHED - The connection is already established.
  - INVALID - The traffic couldn't be identified for some reason.
- -m limit - Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
- --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".
- -p - The connection protocol used.
- --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
- -j - Jump to the specified target. By default, iptables allows four targets:
  - ACCEPT - Accept the packet and stop processing rules in this chain.
  - REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
  - DROP - Silently ignore the packet, and stop processing rules in this chain.
  - LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
- --log-prefix - When logging, put this text before the log message. Use double quotes around the text to use.
- --log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
- -i - Only match if the packet is coming in on the specified interface.
- -I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be. -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
- -v - Display more information in the output. Useful if you have rules that look similar without using -v.
- -s, --source - address[/mask] source specification
- -d, --destination - address[/mask] destination specification
- -o, --out-interface - name[+] output network interface name ([+] for wildcard)

Logging
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way:

```
sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
```

See Tips section for more ideas on logging.
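As an added example (not part of the original note), the following Python script parses the kernel log lines that a LOG rule like the one above emits and counts denied packets per source, protocol and destination port. The sample log lines are constructed, use documentation address ranges, and carry the "iptables denied: " prefix from the rule above.

```python
import re
from collections import Counter

# Constructed kernel log lines in the form the page's LOG rule emits
# (--log-prefix "iptables denied: "); addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 21 04:53:38 fw kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 21 04:53:39 fw kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 21 04:53:40 fw kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 21 04:53:41 fw kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ICMP TYPE=8 CODE=0
Oct 21 04:53:42 fw kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=5 PROTO=UDP SPT=4000 DPT=161 LEN=28
Oct 21 04:53:43 fw sshd[123]: Accepted publickey for ops from 198.51.100.9 port 50000
"""

LOG_PREFIX = "iptables denied: "
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None when
    the line was not produced by the rule (prefix missing). Bare flags such
    as DF and SYN carry no '=' and are not captured."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))

def summarize(log_text, prefix=LOG_PREFIX):
    """Count logged packets per (SRC, PROTO, DPT). ICMP has no DPT, so '-'
    is used. Because the rule uses -m limit, these counts are lower bounds."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields:
            counts[(fields.get("SRC"), fields.get("PROTO"), fields.get("DPT", "-"))] += 1
    return counts

def top_talkers(log_text, n=3):
    """Sources with the most logged packets, most active first."""
    per_src = Counter()
    for (src, _proto, _dpt), cnt in summarize(log_text).items():
        per_src[src] += cnt
    return per_src.most_common(n)

if __name__ == "__main__":
    for key, cnt in summarize(SAMPLE_LOG).most_common():
        print(cnt, *key)
```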

EXAMPLE:

MATCH

Generic matches
Only allow hosts in the 202.13.0.0/16 network to log in to port 22 on this host:
```
#iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
```

```
#iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
```

Block other hosts from pinging the firewall host, but allow the firewall host to ping other hosts (i.e. accept ICMP echo replies):
```
#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
```

```
iptables -I INPUT -m state --state NEW -p tcp --dport 8002 -j ACCEPT
```

```
# allow established or related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the local loopback interface
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# allow this host to reach the outside
-A OUTPUT -j ACCEPT
# allow access to the SSH port; change the port number here if SSH was moved
-A INPUT -p tcp --dport 22 -j ACCEPT
# allow access to port 80 (HTTP)
-A INPUT -p tcp --dport 80 -j ACCEPT
# allow access to the FTP ports: 21 and 20
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
# allow access to port 161 (SNMP)
-A INPUT -p udp --dport 161 -j ACCEPT
# reject everything not explicitly allowed above
-A INPUT -j REJECT
-A FORWARD -j REJECT
# Note for VPS users on Xen or OpenVZ!!! If you add the final rule ("reject everything
# not explicitly allowed") to the file, you must also add the first rule ("allow
# established or related connections"). Without the first rule you will not be able
# to connect to the VPS on the specified port (e.g. SSH).
```

Explicit matches

MAC address

Block forwarding of packets from 3C:97:0E:77:7F:67:
```
#iptables -A FORWARD -m mac --mac-source 3C:97:0E:77:7F:67 -j DROP
```

Multiple ports
```
#iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT
```

Multiple IPs (address range)
```
#iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
```

State
Drop new packets destined for the firewall, but allow packets that respond to, or are related to, existing connections:
```
#iptables -A INPUT -p tcp -m state --state NEW -j DROP
#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
```
