iptables Firewall Explained

1. Introduction to iptables
iptables is firewall software that works in the Linux kernel space. It is very powerful: it can implement custom packet filtering and translation of source addresses, destination addresses, source ports and destination ports. iptables analyses each packet and compares it against the predefined rules in turn; if the packet matches a rule, the corresponding action is taken, otherwise the next rule is compared. If no rule matches, iptables applies the default policy.

2. iptables tables and chains
iptables consists of a number of tables, and each table contains its own chains of rules.

filter table: packet filtering; this is the default table on Linux.

Chain     Function
INPUT     packets destined for the Linux host itself
FORWARD   packets being forwarded through the host
OUTPUT    packets that the Linux host itself wants to send out

nat table: translation of the IP address and port of the source or destination.

Chain        Function
PREROUTING   rules applied before the routing decision (DNAT)
POSTROUTING  rules applied after the routing decision (SNAT)
OUTPUT       packets sent out by the host itself

mangle table: used to unpack packets, modify them, and repack them.

Chain        Function
PREROUTING   rules applied before the routing decision (DNAT)
INPUT        packets destined for the Linux host itself
FORWARD      packets being forwarded through the host
OUTPUT       packets that the Linux host itself wants to send out
POSTROUTING  rules applied after the routing decision (SNAT)

raw table: used to switch off the connection tracking that the nat table enables.

Chain        Function
OUTPUT       packets that the Linux host itself wants to send out
POSTROUTING  rules applied after the routing decision (SNAT)

3. Common iptables syntax
Listing rules: iptables [-t table] [-L] [-nv]
-L: list, list all rules of the specified chain;
-n: numeric, show addresses and port numbers in numeric form;
-v: verbose, show detailed information; -vv and -vvv increase the verbosity further;
--line-numbers: show the rule numbers;
-x: exact, show the exact values of the rule counters;

[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]# 

[[email protected] ~]# iptables -L -n -vvv  --line-numbers
Chain INPUT (policy ACCEPT 49 packets, 3276 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 27 packets, 2908 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
libiptc vlibxtables.so.10. 632 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/0/98/130/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 49 packets, 3276 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 1 (152):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 2 (304):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 27 packets, 2908 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT


Deleting rules and chains:
-F: flush, empty a chain; if the chain is omitted, all chains of the specified table are emptied;
-X: delete-chain, delete an empty user-defined chain;
-Z: zero, reset the rule counters to zero;
-D: delete, delete the specified rule from the specified chain;
there are two ways to identify the rule to delete:
(1) by its match conditions;
(2) by its rule number;

[[email protected] ~]# iptables -X
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -Z
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy ACCEPT 34 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 18 packets, 1688 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]# 

Adding chains and rules:
-N: new-chain, create a new user-defined chain;
-P: policy, set the default policy of the specified chain; for the chains of the filter table the default policy is usually ACCEPT, DROP or REJECT;
-E: rename-chain, rename a user-defined chain; a user-defined chain whose reference count is not 0 can be neither renamed nor deleted;
-A: append, append the new rule to the end of the specified chain;
-I: insert, insert the new rule at the specified position in the specified chain;

Modifying rules:
-R: replace, replace the specified rule on the specified chain;

Targets (the action taken on a match):
-j <TARGET>
ACCEPT: accept the packet
DROP: discard the packet
REJECT: refuse the packet
LOG: log the packet
DNAT: destination address translation
SNAT: source address translation

4. iptables match conditions
Basic matches:
[!] -s, --source IP|Netaddr: check whether the packet's source IP address falls within the address range given here;
[!] -d, --dst, --destination IP|Netaddr: check whether the packet's destination IP address falls within the address range given here;
-p, --protocol {tcp|udp|icmp}: check the packet's protocol, i.e. the protocol identified by the protocol field of the IP header;
-i, --in-interface IFACE: the interface the packet arrived on; usable only in the PREROUTING, INPUT and FORWARD chains;
-o, --out-interface IFACE: the interface the packet leaves through; usable only in the FORWARD, OUTPUT and POSTROUTING chains;

Extended matches:
-m match_name --spec_options: several conditions can be matched at the same time
-p tcp [udp] [icmp]
--dport PORT[-PORT]: destination port, either a single port or a contiguous range of ports;
--sport PORT[-PORT]: source port, either a single port or a contiguous range of ports;

5. Things to keep in mind when writing rules:
1) Decide which function you need; that determines the table the rule goes in;
2) Consider the path the packet takes; that determines the chain the rule goes in;
3) Among rules of the same kind (access to the same application), put the one with the narrower match first;
4) Restrictions on packets must cover both directions, in and out; never configure rules for a single direction only;
5) Among rules of different kinds (access to different applications), put the one that matches packets most frequently first;
6) Merge several rules that can be expressed by a single rule into one;
7) Set the default policy;
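The following is an added example, not from the original post, that checks a ruleset dump in iptables-save format against guidelines 4 and 7 above: every TCP port accepted on INPUT must have a matching --sport ACCEPT on OUTPUT, and every filter chain must default to DROP. The sample dump and the function names are constructed here and are not taken from the page's host.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the page's host):
# port 22 is allowed in both directions, port 80 only inbound, and the
# FORWARD chain still has the default policy ACCEPT.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.126.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.126.132/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.126.132/32 -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT'

# Guideline 7: print every filter chain whose default policy is not DROP.
non_drop_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:/ && $2 != "DROP" { print substr($1, 2) }'
}

# Guideline 4: print each TCP --dport accepted on INPUT that has no ACCEPT
# rule with the same --sport on OUTPUT, i.e. the replies would hit policy DROP.
unpaired_inbound_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT .*-j ACCEPT/  { for (i = 1; i <= NF; i++) if ($i == "--dport") in_[$(i+1)] = 1 }
        /^-A OUTPUT .*-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--sport") out[$(i+1)] = 1 }
        END { for (p in in_) if (!(p in out)) print p }' | sort -n
}

# Run both checks; return 0 only when the dump passes them all.
audit_ruleset() {
    rc=0
    for chain in $(non_drop_policies "$1"); do
        echo "chain $chain: default policy is not DROP"; rc=1
    done
    for port in $(unpaired_inbound_ports "$1"); do
        echo "INPUT accepts --dport $port but OUTPUT has no --sport $port rule"; rc=1
    done
    return $rc
}

# Audit the constructed sample (on a live host: audit_ruleset "$(iptables-save)").
if audit_ruleset "$SAMPLE"; then echo "ruleset OK"; else echo "ruleset needs attention"; fi
```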

6. Examples of common rules:
1) Open port 22 of this host so that only the specified hosts can log in

[[email protected] ~]# iptables -t filter -I INPUT -d 192.168.126.132 -p tcp  --dport 22 -j ACCEPT
[[email protected] ~]# 
[[email protected] ~]# iptables -t filter -I OUTPUT -s 192.168.126.132 -p tcp --sport 22 -j ACCEPT
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  225 14876 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   24  2168 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
[[email protected] ~]# 

2) Change the default policy of the chains in the filter table to DROP

[[email protected] ~]# iptables -P INPUT DROP
[[email protected] ~]# iptables -P FORWARD DROP 
[[email protected] ~]# iptables -P OUTPUT DROP
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  515 35004 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  190 18732 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
[[email protected] ~]# 

3) Allow ICMP packets from any address to reach this host

[[email protected] ~]# iptables -t filter -A INPUT  -d  192.168.126.132  -p icmp  -j ACCEPT 
[[email protected] ~]# iptables -t filter -A OUTPUT  -s 192.168.126.132  -p icmp -j ACCEPT
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  942 63544 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.126.132     

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  412 40756 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     icmp --  *      *       192.168.126.132      0.0.0.0/0           
[[email protected] ~]# 

4) Allow packets from any source address to the destination 192.168.126.132 in and out through the interface eno16777736

[[email protected] ~]# iptables -t filter -A INPUT -d 192.168.126.132  -i eno16777736 -j ACCEPT
[[email protected] ~]# iptables -t filter -A OUTPUT  -s 192.168.126.132 -o eno16777736 -j ACCEPT
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1861  139K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.126.132     
    0     0 ACCEPT     all  --  eno16777736 *       0.0.0.0/0            192.168.126.132     

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1038  102K ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     icmp --  *      *       192.168.126.132      0.0.0.0/0           
    0     0 ACCEPT     all  --  *      eno16777736  192.168.126.132      0.0.0.0/0           
[[email protected] ~]# 

5) Delete the second rule of the INPUT chain and of the OUTPUT chain in the filter table

[[email protected] ~]# iptables -t filter -D INPUT 2
[[email protected] ~]# iptables -t filter -D OUTPUT 2
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2069  153K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22
    1   328 ACCEPT     all  --  eno16777736 *       0.0.0.0/0            192.168.126.132     

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1150  114K ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
    1   328 ACCEPT     all  --  *      eno16777736  192.168.126.132      0.0.0.0/0           
[[email protected] ~]# 

6) Open port 80 together with ports 20 and 21 with a single rule

[[email protected] ~]# iptables -t filter -A INPUT -d 192.168.126.132  -p tcp -m multiport --dport 20,21,80 -j ACCEPT
[[email protected] ~]# 
[[email protected] ~]# iptables -t filter -A OUTPUT -s 192.168.126.132 -p tcp -m multiport --sport 20,21,80 -j ACCEPT
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2699  199K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22
    1   328 ACCEPT     all  --  eno16777736 *       0.0.0.0/0            192.168.126.132     
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      multiport dports 20,21,80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1522  150K ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
    1   328 ACCEPT     all  --  *      eno16777736  192.168.126.132      0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            multiport sports 20,21,80
[[email protected] ~]# 

7) Allow only the hosts in the IP range 192.168.126.1~192.168.126.100 to access port 80 of this host

[[email protected] ~]# iptables -t filter -A INPUT   -p tcp -m multiport --dport 80 -m iprange --dst-range 192.168.126.1-192.168.126.100 -j ACCEPT
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3745  278K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22
    2   656 ACCEPT     all  --  eno16777736 *       0.0.0.0/0            192.168.126.132     
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      multiport dports 20,21,80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80 destination IP range 192.168.126.1-192.168.126.100

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2180  215K ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
    7   956 ACCEPT     all  --  *      eno16777736  192.168.126.132      0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            multiport sports 20,21,80
[[email protected] ~]# 

8) Save the current rules to a configuration file

[[email protected] ~]# iptables-save > iptables-`(date +%F)`
[[email protected] ~]# cat iptables-2019-03-28 
# Generated by iptables-save v1.4.21 on Thu Mar 28 12:44:08 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.126.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.126.132/32 -i eno16777736 -j ACCEPT
-A INPUT -d 192.168.126.132/32 -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m iprange --dst-range 192.168.126.1-192.168.126.100 -j ACCEPT
-A OUTPUT -s 192.168.126.132/32 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 192.168.126.132/32 -o eno16777736 -j ACCEPT
-A OUTPUT -s 192.168.126.132/32 -p tcp -m multiport --sports 20,21,80 -j ACCEPT
COMMIT
# Completed on Thu Mar 28 12:44:08 2019
[[email protected] ~]# 

9) Flush all chains

[[email protected] ~]# iptables -X
[[email protected] ~]# iptables -Z
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -V -n -v 
iptables v1.4.21
[[email protected] ~]# 
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy ACCEPT 80 packets, 5408 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 4072 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]# 

10) Load the rules from the saved iptables file

[[email protected] ~]# iptables-restore < iptables-2019-03-28 
[[email protected] ~]# iptables -L -n -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   34  2244 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      tcp dpt:22
    0     0 ACCEPT     all  --  eno16777736 *       0.0.0.0/0            192.168.126.132     
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.126.132      multiport dports 20,21,80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80 destination IP range 192.168.126.1-192.168.126.100

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   18  1688 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     all  --  *      eno16777736  192.168.126.132      0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       192.168.126.132      0.0.0.0/0            multiport sports 20,21,80
[[email protected] ~]#
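As an added example (not from the original post), the ruleset that steps 1 to 7 build one command at a time can be generated as a single iptables-restore file and loaded atomically, so the host never sits with a DROP policy and no ACCEPT rule, and the order follows the guidelines of section 5. The host address, ports and client range are the page's; the function names are mine, and the intent of step 7 (limiting which clients may reach port 80) is expressed with --src-range on INPUT and paired with --dst-range on OUTPUT.

```shell
#!/bin/sh
# Generate an iptables-restore file equivalent to steps 1-7 of the examples.
# Arguments: host address, TCP ports open to everyone (space separated),
# and the client range that may reach port 80.
# Step 4's rule (-i IFACE -j ACCEPT) is left out on purpose: it accepts every
# packet arriving on that interface, so the port rules behind it never match.
build_ruleset() {
    host=$1
    plist=$(printf '%s' "$2" | tr ' ' ',')   # multiport takes a comma list
    clients=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d $host/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $host/32 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -d $host/32 -p icmp -j ACCEPT
-A OUTPUT -s $host/32 -p icmp -j ACCEPT
-A INPUT -d $host/32 -p tcp -m multiport --dports $plist -j ACCEPT
-A OUTPUT -s $host/32 -p tcp -m multiport --sports $plist -j ACCEPT
-A INPUT -d $host/32 -p tcp -m tcp --dport 80 -m iprange --src-range $clients -j ACCEPT
-A OUTPUT -s $host/32 -p tcp -m tcp --sport 80 -m iprange --dst-range $clients -j ACCEPT
COMMIT
EOF
}

# Load the generated table in one atomic step (needs root and a real iptables).
apply_ruleset() {
    build_ruleset "$@" | iptables-restore
}

# Print what would be loaded for the page's host, the FTP ports and the client range.
build_ruleset 192.168.126.132 "20 21" 192.168.126.1-192.168.126.100
```

Because iptables-restore replaces the whole table in one commit, this avoids the lock-out window that exists when the DROP policy of step 2 is set before the ACCEPT rule of step 1 has been added.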