CentOS iptables

1. Installation and usage

(1) Installation

[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig

[root@k8s-node1 sysconfig]# yum install iptables

[root@k8s-node1 sysconfig]# yum install iptables-services

[root@k8s-node1 sysconfig]# ls -l | grep iptables
-rw-------. 1 root root  550 Aug  8 19:41 iptables
-rw-------. 1 root root 2116 Aug  8 19:41 iptables-config
[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig

iptables-services and firewalld both manage the same kernel tables, so firewalld has to be stopped and masked before the iptables service is enabled:

systemctl stop firewalld      # stop it now
systemctl mask firewalld      # link the unit to /dev/null so nothing can start it again

(2) Usage

[root@k8s-node1 sysconfig]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:8081

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0      

Allow all input (default policy of the INPUT chain; in the listing above it is already ACCEPT, while the DROP policy on FORWARD and the DOCKER-* chains were installed by the Docker daemon running on this node):

iptables -P INPUT ACCEPT

Start at boot:

systemctl enable iptables

systemctl stop/start/restart iptables

chkconfig iptables off/on    # permanently disable/enable (SysV form; on CentOS 7 it is forwarded to systemctl disable/enable)

Configuring ports manually:

[root@k8s-node1 sysconfig]# vim /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

This is the default file shipped with iptables-services: the chain policies are ACCEPT and the final REJECT rules do the actual filtering. To open another port, add a line modelled on the port 22 rule above the INPUT REJECT line; a rule appended after the REJECT is never reached.

Save the configuration (writes the live rules to /etc/sysconfig/iptables, which the service loads at start):

service iptables save

(3) Common rules

List rules: iptables -L -n

Allow everything in: iptables -P INPUT ACCEPT

Flush all rules (every chain of the filter table, built-in and user-defined): iptables -F

Delete the (now empty) user-defined chains: iptables -X

Zero the packet/byte counters: iptables -Z

Allow local traffic (packets on the lo interface): iptables -A INPUT -i lo -j ACCEPT

Open a port: iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow ping (ICMP echo request): iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Allow the replies to connections this host initiated (no space after the comma): iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Drop all other inbound traffic: iptables -P INPUT DROP

Allow all outbound traffic: iptables -P OUTPUT ACCEPT

Drop all forwarded traffic: iptables -P FORWARD DROP

Accept all TCP from one address (drop "-p tcp" to accept every protocol from it): iptables -A INPUT -p tcp -s <ip> -j ACCEPT

Ban an address (inserted at the top of the chain so it wins over any ACCEPT below it): iptables -I INPUT -s <ip> -j DROP

Unban it (the specification must match the existing rule exactly): iptables -D INPUT -s <ip> -j DROP

Save: service iptables save

Order matters: switch the INPUT policy to DROP only after the lo, RELATED,ESTABLISHED and SSH rules are in place, otherwise a remote session is cut off the moment the policy changes.
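The manual configuration file and the list of common rules above describe the same default-deny host firewall in two forms. The script below is an added example, not code from the original post: it generates that ruleset in iptables-restore format (the format of /etc/sysconfig/iptables), checks the rule order that the lockout warning is about, validates the file with iptables-restore --test and loads it in a single transaction instead of issuing -A and -P one at a time. It uses the conntrack match (--ctstate) rather than the older state match; the SSH port, the admin networks and the RULES_FILE default are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post: build a default-deny INPUT
# ruleset in iptables-restore format and load it in one transaction.
#
# Typing the rules one by one and then "iptables -P INPUT DROP" locks the
# session out if the SSH rule is still missing or mistyped. iptables-restore
# sets policies and rules atomically, and --test parses the file without
# loading it. "-m conntrack --ctstate" is the current spelling of
# "-m state --state". SSH port, admin networks and RULES_FILE are assumptions.

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# gen_ruleset SSH_PORT [ADMIN_CIDR ...]
#   Print a complete filter-table ruleset: return traffic first, then loopback,
#   ping, SSH (restricted to the admin networks when given), an explicit
#   REJECT, and a DROP policy as the safety net behind it.
gen_ruleset() {
    port="$1"; shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    if [ "$#" -eq 0 ]; then
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    else
        for cidr in "$@"; do
            printf '%s\n' "-A INPUT -p tcp -s $cidr --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# rule_index RULESET PATTERN: 1-based line number of the first line matching
#   PATTERN (grep -E), or 0 when there is none.
rule_index() {
    n=$(printf '%s\n' "$1" | grep -nE -e "$2" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# ruleset_is_sane RULESET SSH_PORT: the INPUT policy is DROP, and both the
#   established-connections rule and the SSH rule come before the REJECT.
ruleset_is_sane() {
    pol=$(rule_index "$1" '^:INPUT DROP')
    est=$(rule_index "$1" '^-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED')
    ssh=$(rule_index "$1" "^-A INPUT -p tcp .*--dport $2 ")
    rej=$(rule_index "$1" '^-A INPUT -j REJECT')
    [ "$pol" -gt 0 ] && [ "$est" -gt 0 ] && [ "$ssh" -gt 0 ] && [ "$rej" -gt 0 ] &&
        [ "$est" -lt "$rej" ] && [ "$ssh" -lt "$rej" ]
}

# apply_ruleset SSH_PORT [ADMIN_CIDR ...]: check the order, validate with
#   --test, load atomically, and persist the file so the iptables service
#   reloads it at boot. Needs root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$@" > "$tmp"
    if ! ruleset_is_sane "$(cat "$tmp")" "$1"; then
        echo "refusing to load: ordering check failed" >&2
        rm -f "$tmp"; return 1
    fi
    if iptables-restore --test < "$tmp" && iptables-restore < "$tmp"; then
        cp "$tmp" "$RULES_FILE"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# e.g.  sh ruleset.sh print 22 10.0.0.0/8 | less    /    sh ruleset.sh apply 22 10.0.0.0/8
case "${1:-}" in
    print) shift; gen_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Because policies are part of the file, the DROP policy and the SSH rule take effect together; with the interactive sequence from the list above there is always a window between the two. Running the print form over SSH and diffing it against the current /etc/sysconfig/iptables is a cheap review step before apply.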

2. Concepts

1. Protocols:

tcp udp icmp

2. Service types:

http ftp smtp

3. Actions:

accept reject drop

The TCP/IP protocol stack is part of the kernel.

A web server runs in user space.

The web server listens on a socket (IP:Port). When it answers a client request, the destination of the reply is the client, and the web server's IP:Port becomes the source.

netfilter is part of the kernel. It places checkpoints (hooks) in the network stack; every packet entering or leaving the host passes through them (the input/output checkpoints) and is either let through or blocked. In iptables these checkpoints are called chains.

IP forwarding (ip_forward) lets the host pass packets on to other machines.

The 5 chains:

Before routing: PREROUTING

Forwarded through this host: FORWARD

After routing: POSTROUTING

Destined for this host: INPUT

Generated by this host: OUTPUT

The 4 tables:

filter: packet filtering, kernel module iptable_filter

nat: network address translation, iptable_nat

mangle: iptable_mangle, alters packet headers (TTL, TOS, marks)

raw: iptable_raw, exempts packets from the connection tracking that nat depends on (NOTRACK)

Priority when several tables hook the same chain: raw -> mangle -> nat -> filter

Chains and tables:

prerouting: raw/mangle/nat

input: mangle/filter (and nat on CentOS 7)

forward: mangle/filter

output: raw/mangle/nat/filter

postrouting: mangle/nat

Table (function) ---- chains (hooks)

raw: prerouting/output

mangle: prerouting/input/forward/output/postrouting

nat: prerouting/output/postrouting (and input on CentOS 7)

filter: input/forward/output

Enabling forwarding on a Linux host:

/proc/sys/net/ipv4/ip_forward (1 = on; make it permanent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
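Forwarding is only useful together with the nat table, and the point of the chain/table mapping above is that each NAT target is legal in particular chains only. The script below is an added example, not code from the original post: it assembles the rules of a small gateway (masquerading for a LAN, a published internal web server, a transparent proxy redirect) and shows which nat chain each target lives in, plus the FORWARD rules that a DROP policy on FORWARD makes necessary. Interface names, addresses and ports are assumptions; with DRY_RUN=1 it prints the commands instead of executing them, so the result can be reviewed without root.

```shell
#!/bin/sh
# Added example, not part of the original post: rules for a small NAT gateway,
# showing which chain of the nat table each target belongs to.
# Interface names, addresses and ports are assumptions. With DRY_RUN=1 the
# commands are printed instead of executed, so the generated rules can be
# reviewed (or tested) on a host without root.

WAN_IF="${WAN_IF:-eth0}"                       # interface with the public address
LAN_IF="${LAN_IF:-eth1}"                       # interface facing the internal network
LAN_NET="${LAN_NET:-192.168.10.0/24}"
WEB_BACKEND="${WEB_BACKEND:-192.168.10.20}"    # internal web server published via DNAT

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Forwarding must be enabled in the kernel, otherwise FORWARD never sees a packet.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# MASQUERADE: SNAT for a WAN address that may change (DHCP); the kernel looks
# up the outgoing interface's current address for every connection.
nat_outbound() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Fixed public address: plain SNAT is cheaper than MASQUERADE.
nat_outbound_static() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$1"
}

# Port forwarding: DNAT happens in PREROUTING, before the routing decision
# sends the packet to another host. The FORWARD rule matches the translated
# destination and is still required because the FORWARD policy is DROP.
publish_web() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_BACKEND:8080"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_BACKEND" --dport 8080 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# REDIRECT is DNAT to the local machine: LAN clients' port 80 traffic is
# handed to a local proxy on 3128 (transparent proxy).
redirect_to_local_proxy() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

# Forwarding policy: LAN -> WAN and the replies; everything else hits DROP.
forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

gateway_rules() {
    enable_forwarding
    forward_policy
    nat_outbound
    publish_web
    redirect_to_local_proxy
}

# count_nat_rules CHAIN: how many rules the dry run puts into that nat chain,
# a quick self-check that each target landed where the table allows it.
count_nat_rules() {
    DRY_RUN=1 gateway_rules | grep -c -- "-t nat -A $1 "
}

case "${1:-}" in
    show)  DRY_RUN=1 gateway_rules ;;    # print the rules for review
    apply) gateway_rules ;;              # needs root
esac
```

The filter FORWARD rule for the published server matches port 8080, not 80: by the time a packet reaches the filter table its destination has already been rewritten by the nat PREROUTING rule, which is why DNAT and REDIRECT must sit in PREROUTING (or OUTPUT for locally generated traffic) while SNAT and MASQUERADE sit in POSTROUTING.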

Rules:

Basic match conditions: source IP, destination IP (also protocol and interface)

Extended match conditions (loaded with -m): source port, destination port

Targets (actions):

ACCEPT: let the packet through

DROP: discard silently, no reply

REJECT: refuse and send an error reply (e.g. --reject-with icmp-host-prohibited)

SNAT: source address translation; internal hosts share one public address to reach the outside

MASQUERADE: special form of SNAT for a dynamic or temporary address (the kernel uses the current address of the outgoing interface)

DNAT: destination address translation

REDIRECT: port mapping to the local machine

LOG: write a record to the kernel log (/var/log/messages via rsyslog, or journalctl -k); it does nothing else and is non-terminating, so the packet goes on to the next rule
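Because LOG is non-terminating it is always paired with the DROP or REJECT that follows it, and the value of the pair is in reading the lines it produces. The script below is an added example, not code from the original post: it installs such a pair (rate-limited so a flood cannot fill the disk) and summarises the resulting kernel log lines by source, protocol and destination port. The log prefix and the sample log lines are constructed for the example, in the field layout the kernel's LOG target emits.

```shell
#!/bin/sh
# Added example, not part of the original post: log what the firewall drops
# and summarise the kernel log lines it produces.
# LOG is non-terminating, so it is paired with the DROP that follows it.
# --log-prefix tags the lines so they can be found in /var/log/messages or
# with "journalctl -k". The prefix and the sample lines are constructed.

PREFIX="IPT-DROP: "

# Append the logging pair at the end of INPUT, rate-limited so a scan cannot
# fill the disk with log lines. Needs root; not exercised by the test.
install_log_and_drop() {
    iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$PREFIX" --log-level 4
    iptables -A INPUT -j DROP
}

# Constructed lines in the layout the kernel emits for LOG (via rsyslog);
# the last line is unrelated and must be ignored by the summary.
SAMPLE_LOG='Aug  8 19:41:02 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 19:41:03 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 19:41:05 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=198.51.100.23 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=45000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  8 19:41:09 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40000 DPT=161 LEN=40
Aug  8 19:41:10 k8s-node1 sshd[1234]: Accepted publickey for root from 10.0.0.9 port 50022 ssh2'

# summarise_drops PREFIX < log: one line per "SRC PROTO DPT" with a hit count,
#   most frequent first. Only lines carrying the prefix are considered, so
#   unrelated kernel or daemon messages are skipped.
summarise_drops() {
    grep -F -- "kernel: $1" | awk '
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# top_source PREFIX < log: the address with the most dropped packets, a
#   candidate for a temporary "iptables -I INPUT -s <ip> -j DROP".
top_source() {
    summarise_drops "$1" | awk 'NR == 1 { print $2 }'
}

# Usage:  printf '%s\n' "$SAMPLE_LOG" | summarise_drops "$PREFIX"
#         grep 'IPT-DROP' /var/log/messages | top_source "$PREFIX"
```

The limit match sits on the LOG rule only; the DROP behind it is unconditional, so throttling the log never lets traffic through. Keying the summary on the prefix rather than on "kernel:" alone keeps other netfilter users (Docker, for example, also emits kernel messages) out of the count.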

3. Commands

1. View a table: iptables -t filter|raw|mangle|nat -L INPUT -v (filter is the default)

-t: table

-L: list

-v: verbose

-I: insert (at the head of the chain, or at the given rule number)

-A: append (at the tail of the chain)

-s: source

-j: jump (to a target or a user-defined chain)

-F: flush

-R: replace

-P: policy

[root@k8s-node1 sysconfig]# iptables --help
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

Examples:

iptables --line-numbers -vnL INPUT

iptables -t filter -I INPUT <rule-num> -s <source-ip> -j DROP

iptables -t filter -D INPUT <rule-num>

iptables -t filter -D INPUT -s <source-ip> -j DROP

iptables -t filter -F <chain>

iptables -t filter -R INPUT <rule-num> -s <source-ip> -j <target>

iptables -t filter -P INPUT DROP
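Two things the examples above leave to the operator: -A adds a second identical rule every time a script is re-run, and rule numbers shift as soon as an earlier rule is deleted, so -D by number is safe interactively but not in scripts. The help output lists -C (--check), which tests for an exact match of a rule; the functions below are an added example, not code from the original post, that use it to add, pin to the top, and remove rules idempotently. IPTABLES is overridable so the logic can be exercised with a stand-in command; the example rules are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: add and remove rules without
# creating duplicates or deleting the wrong line.
# "iptables -A INPUT ... -j ACCEPT" run twice leaves two identical rules;
# -C (--check) tests for an exact match first. Deleting by rule number is
# fragile in scripts because numbers shift when an earlier rule goes away,
# so these helpers always delete by specification. IPTABLES can point at a
# stand-in command for testing; the rules used in the comments are assumptions.

IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE-SPEC...: append the rule only if it is not present.
#   Prints "added" or "present" so callers can count changes.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        echo present
    else
        "$IPTABLES" -A "$chain" "$@" && echo added
    fi
}

# ensure_first CHAIN RULE-SPEC...: like ensure_rule, but inserts at position 1
#   for rules that must win over everything below them (blocking one source).
ensure_first() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        echo present
    else
        "$IPTABLES" -I "$chain" 1 "$@" && echo added
    fi
}

# remove_rule CHAIN RULE-SPEC...: delete every copy of a rule (-D removes a
#   single match per call) and print how many were removed.
remove_rule() {
    chain="$1"; shift
    n=0
    while "$IPTABLES" -C "$chain" "$@" 2>/dev/null; do
        "$IPTABLES" -D "$chain" "$@" || break
        n=$((n + 1))
    done
    echo "$n"
}

# Example session (needs root):
#   ensure_rule  INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#   ensure_first INPUT -s 203.0.113.7 -j DROP      # ban, ahead of every ACCEPT
#   remove_rule  INPUT -s 203.0.113.7 -j DROP      # unban, however many copies exist
```

-C compares the full specification, so the arguments passed to ensure_rule and remove_rule must be spelled the same way each time (the same matches in the same order); listing with iptables -S prints rules in exactly that form and is the easiest way to copy a specification for deletion.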

4. Saving rules

/etc/sysconfig/iptables

service iptables save    # writes the live rules to the file above

cat /etc/sysconfig/iptables

systemctl restart iptables    # reloads the file; rules that were not saved are lost

iptables-save > /etc/sysconfig/iptables

iptables-restore < /etc/sysconfig/iptables

iptables-restore flushes the existing rules and replaces them with the file's contents (use -n/--noflush to add to them instead).

Reposted from blog.csdn.net/Neil_001/article/details/104031597