Basic usage of iptables

iptables is a very handy packet-filtering tool: it can intercept packets based on host, port and other criteria.

This article covers two iptables actions: DROP and REJECT.

1. drop

DROP, as the name suggests, discards the packet and sends nothing back.

Set the rule:

iptables -A OUTPUT -p tcp --dport 3306 -d 192.168.0.101 -j DROP

View the rules:

[root@localhost lanyang]# iptables -nxvL
Chain INPUT (policy ACCEPT 4 packets, 505 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      49     3025 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.101       tcp dpt:3306 

For the test code, see the article "golang中mysql建立连接超时时间timeout 测试" (testing the MySQL connection timeout in Go), where:

timeout=5s
readTimeout=6s

Result:

2019/10/27 18:34:52 start
2019/10/27 18:34:52 value: 1
2019/10/27 18:34:55 start
2019/10/27 18:34:55 value: 1
2019/10/27 18:34:58 start
2019/10/27 18:34:58 value: 1
2019/10/27 18:35:01 start
[mysql] 2019/10/27 18:35:07 packets.go:36: read tcp 192.168.0.104:54462->192.168.0.101:3306: i/o timeout
2019/10/27 18:35:07 query failed: invalid connection
2019/10/27 18:35:10 start
[mysql] 2019/10/27 18:35:15 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:35:20 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
2019/10/27 18:35:20 query failed: driver: bad connection
2019/10/27 18:35:23 start
[mysql] 2019/10/27 18:35:28 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:35:33 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:35:38 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
2019/10/27 18:35:38 query failed: driver: bad connection
2019/10/27 18:35:41 start
[mysql] 2019/10/27 18:35:46 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:35:51 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:35:56 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
2019/10/27 18:35:56 query failed: driver: bad connection
2019/10/27 18:35:59 start
[mysql] 2019/10/27 18:36:04 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:36:09 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
[mysql] 2019/10/27 18:36:14 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
2019/10/27 18:36:14 query failed: driver: bad connection

2. reject

REJECT supports several reject-with types, including:

icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
tcp-reset

The default is icmp-port-unreachable.

2.1 The default, icmp-port-unreachable

Set the rule:

iptables -A OUTPUT -p tcp --dport 3306 -d 192.168.1.107 -j REJECT

View the rules:

sudo iptables -nxvL
Chain INPUT (policy ACCEPT 5 packets, 515 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 372 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       4      260 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107      tcp dpt:3306 reject-with icmp-port-unreachable 

Result:

2020/03/29 16:35:09 start
2020/03/29 16:35:09 value: 1
2020/03/29 16:35:12 start
2020/03/29 16:35:12 value: 1
2020/03/29 16:35:15 start
[mysql] 2020/03/29 16:35:21 packets.go:36: read tcp 192.168.1.107:49654->192.168.1.107:3306: i/o timeout
2020/03/29 16:35:21 query failed: invalid connection
2020/03/29 16:35:24 start
[mysql] 2020/03/29 16:35:25 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:35:26 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:35:26 query failed: driver: bad connection
2020/03/29 16:35:29 start
2020/03/29 16:35:30 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
2020/03/29 16:35:33 start
2020/03/29 16:35:34 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
2020/03/29 16:35:37 start
2020/03/29 16:35:38 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
2020/03/29 16:35:41 start
[mysql] 2020/03/29 16:35:42 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:35:43 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
2020/03/29 16:35:46 start
[mysql] 2020/03/29 16:35:47 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:35:48 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:35:49 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:35:49 query failed: driver: bad connection
2020/03/29 16:35:52 start
[mysql] 2020/03/29 16:35:53 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:35:54 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:35:55 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:35:55 query failed: driver: bad connection
2020/03/29 16:35:58 start
[mysql] 2020/03/29 16:35:59 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:36:00 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:36:01 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:36:01 query failed: driver: bad connection
2020/03/29 16:36:04 start
[mysql] 2020/03/29 16:36:05 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:36:06 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:36:07 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
2020/03/29 16:36:10 start
[mysql] 2020/03/29 16:36:11 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:36:12 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:36:13 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
2020/03/29 16:36:16 start
[mysql] 2020/03/29 16:36:17 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:36:18 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
[mysql] 2020/03/29 16:36:19 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
2020/03/29 16:36:19 query failed: driver: bad connection

2.2 tcp-reset

Set the rule:

# iptables -A INPUT -p tcp --dport 3306 -d 192.168.1.111 -j REJECT --reject-with tcp-reset

This rule answers the client directly with a TCP RST.

View the rules:

[root@localhost lanyang]# iptables -nxvL
Chain INPUT (policy ACCEPT 34 packets, 3139 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      22     1325 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.111       tcp dpt:3306 reject-with tcp-reset 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 48 packets, 2509 bytes)
    pkts      bytes target     prot opt in     out     source               destination   

For the test code, see the article "golang中mysql建立连接超时时间timeout 测试" (testing the MySQL connection timeout in Go), where:

timeout=1s
readTimeout=6s

Result:

2020/03/29 22:27:24 start
2020/03/29 22:27:24 value: 1
2020/03/29 22:27:27 start
2020/03/29 22:27:27 value: 1
2020/03/29 22:27:30 start
2020/03/29 22:27:30 value: 1
2020/03/29 22:27:33 start
2020/03/29 22:27:33 value: 1
2020/03/29 22:27:36 start
[mysql] 2020/03/29 22:27:36 packets.go:36: read tcp 192.168.1.111:47784->192.168.1.111:3306: read: connection reset by peer
2020/03/29 22:27:36 query failed: invalid connection
2020/03/29 22:27:39 start
2020/03/29 22:27:39 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:27:42 start
2020/03/29 22:27:42 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:27:45 start
2020/03/29 22:27:45 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:27:48 start
2020/03/29 22:27:48 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:27:51 start
2020/03/29 22:27:51 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:27:54 start
2020/03/29 22:27:54 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:27:57 start
2020/03/29 22:27:57 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
2020/03/29 22:28:00 start
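
The three client-side symptoms shown in the logs above (DROP: i/o timeout; REJECT with the default icmp-port-unreachable: connection refused; REJECT with tcp-reset: connection reset by peer, then connection refused on later dials) can be reproduced offline with a loopback stand-in for the firewall. This is an added Go example, not code from the original post or from the referenced test program; Probe and ServeLocal are constructed names, "silent" mimics replies being dropped after the handshake and "reset" mimics tcp-reset, while dialing a loopback port nobody listens on gives the same ECONNREFUSED a rejected SYN produces.

```go
package main

import (
	"errors"
	"net"
	"syscall"
	"time"
)

// Probe dials addr with dialTimeout, then waits readTimeout for the server's first byte
// (a MySQL server speaks first), mirroring the timeout/readTimeout settings used above.
// It reports "timeout" (DROP), "refused" (icmp-port-unreachable), "reset" (tcp-reset).
func Probe(addr string, dialTimeout, readTimeout time.Duration) string {
	conn, err := net.DialTimeout("tcp", addr, dialTimeout)
	if err == nil {
		defer conn.Close()
		conn.SetReadDeadline(time.Now().Add(readTimeout))
		_, err = conn.Read(make([]byte, 1))
	}
	var nerr net.Error
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &nerr) && nerr.Timeout(): // dial or read deadline hit
		return "timeout"
	case errors.Is(err, syscall.ECONNREFUSED): // SYN answered by ICMP unreachable or RST
		return "refused"
	case errors.Is(err, syscall.ECONNRESET): // RST on an established connection
		return "reset"
	}
	return "other"
}

// ServeLocal is a constructed loopback stand-in for a rule's effect on one connection:
// "reset" closes it with a RST; any other mode accepts it and never answers.
func ServeLocal(mode string) string {
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // loopback, OS picks a free port
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		if mode == "reset" {
			c.(*net.TCPConn).SetLinger(0) // Close now sends RST instead of FIN
		} else {
			time.Sleep(5 * time.Second) // "silent": hold the connection, never answer
		}
		c.Close()
	}()
	return ln.Addr().String()
}
```

Probe(ServeLocal("silent"), time.Second, 300*time.Millisecond) returns "timeout", Probe(ServeLocal("reset"), time.Second, time.Second) returns "reset", and Probe against a closed loopback port returns "refused".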

3. References

iptables(8) - Linux man page

iptables: REJECT vs DROP (iptables 之 REJECT 与 DROP 对比)

Reposted from blog.csdn.net/lanyang123456/article/details/105209901