iptables configuration in detail

A: iptables [Explained]
     The firewall's real name is netfilter; iptables is only the tool used to manage it. By default the firewall has four tables and five chains. The tables are filter, nat, mangle and raw; the chains are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. The most commonly used table is filter!
    
nat: This rule table has two rule chains, PREROUTING and POSTROUTING. Its main job is network address translation (SNAT, DNAT) in one-to-one, one-to-many and many-to-many forms. Apart from address translation, do not use this table for anything else.
 
mangle: This rule table has three rule chains, PREROUTING, FORWARD and POSTROUTING. Besides address translation, some special applications may need to rewrite packet fields (TTL, TOS) or set a MARK (marking packets for later filtering); rules that do this must be defined in the mangle table. Because it is rarely needed, we will not discuss the use of mangle here.
 
filter: This is the default rule table, with three rule chains, INPUT, FORWARD and OUTPUT. Rules in this table perform packet filtering (e.g. DROP, LOG, ACCEPT or REJECT), and nearly all of our rules will be built in this table.
 
1: iptables syntax

       iptables -t [table] -I [chain name] -p [protocol] --dport [port number] -s [source ip] -d [destination ip] -j [action]
Example: iptables -t filter -I INPUT -p tcp --dport 80 -s 192.168.1.1 -d 172.168.10.1 -j DROP
 
 
2: iptables [options]
 
         -t              : specifies the table name, e.g. the filter, nat or mangle table
         -p              : specifies the protocol type, e.g. TCP, ICMP, HTTP
         -I              : inserts a rule at the front of the chain
         -A              : appends a rule at the end of the chain
         -F              : flushes (clears) all rules
         -X              : deletes chains
         -Z              : zeroes the packet and byte counters of the chain
         -D              : deletes a rule
         -s              : specifies the source IP address
         -d              : specifies the destination address
         -j              : specifies the action to take, e.g. DROP (discard), ACCEPT (allow), REJECT (discard but notify the sender)
         --dport         : specifies the destination port
         --line-numbers  : shows the rule numbers when listing rules
 
 
B: iptables [Usage]
 
1: Add an inbound rule that denies TCP traffic from source address 192.168.1.22 to port 80 on destination address 192.168.1.254
[root@ghs ~]# iptables -I INPUT -p tcp --dport 80 -s 192.168.1.22 -d  192.168.1.254 -j DROP
 
[root@ghs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.1.22         192.168.1.254       tcp dpt:80
  432 36320 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    6   936 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
 
By default the iptables rules file is /etc/sysconfig/iptables. Looking at the file, you can see that the rule added above has not been written to it; once the iptables service is restarted, the rule will be gone.
[root@ghs ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
To save the rules you have written to the file so they take effect permanently, run the following command
[root@ghs ~]# service iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:     [确定]
 
Viewing the file again, the line shown in red (the DROP rule for 192.168.1.22) is the rule written earlier, now saved
[root@ghs ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri May 19 07:27:44 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7984]
-A INPUT -s 192.168.1.22/32 -d 192.168.1.254/32 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri May 19 07:27:44 2017
 
Delete the rule
[root@ghs ~]# iptables -D INPUT -p tcp --dport 80 -s 192.168.1.22 -d  192.168.1.254 -j DROP
[root@ghs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  741 62296 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   15  2691 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
2: If you need to delete a rule written long ago but no longer remember the exact command, add --line-numbers to display the rule numbers, then delete the rule by its number
[root@ghs ~]# iptables --line-numbers -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       192.168.1.22         192.168.1.254       tcp dpt:80
2      442 37120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6        9  1487 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
Delete the rule by its number, here rule 1:
1        0     0 DROP       tcp  --  *      *       192.168.1.22         192.168.1.254       tcp dpt:80
[root@ghs ~]# iptables -D INPUT 1
 
[root@ghs ~]# iptables --line-numbers -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      486 40560 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        9  1487 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
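Deleting by rule number works as shown, but the remaining rules are renumbered after every deletion, so deleting several matching rules from the lowest number upward removes the wrong ones. This added example (not from the original post; the function names are mine) looks up the matching rule numbers in a constructed --line-numbers listing and emits the delete commands highest number first.

```shell
# Added example, not from the original post: find INPUT rule numbers by pattern and
# emit the delete commands highest number first. Function names are mine.
# After "iptables -D CHAIN N" every rule below N moves up one position, so deleting
# several matches from the lowest number upward removes the wrong rules.

# Constructed sample of "iptables --line-numbers -nvL" output for the INPUT chain,
# modelled on the listing above with a second 192.168.1.22 rule added as number 4.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       192.168.1.22         192.168.1.254       tcp dpt:80
2      442 37120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       tcp  --  *      *       192.168.1.22         192.168.1.254       tcp dpt:443
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6        9  1487 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# rule_numbers LISTING PATTERN: numbers of the rule lines matching the extended
# regex PATTERN, highest first. Header lines do not start with a number and are
# skipped. Anchor the pattern (e.g. with a trailing space) so 192.168.1.22 does
# not also match 192.168.1.220.
rule_numbers() {
    printf '%s\n' "$1" | grep -E -e "$2" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -rn
}

# delete_matching CHAIN LISTING PATTERN: print the iptables commands in a safe
# order instead of running them, so the example needs no root; pipe into sh to apply.
delete_matching() {
    for n in $(rule_numbers "$2" "$3"); do
        printf 'iptables -D %s %s\n' "$1" "$n"
    done
}

delete_matching INPUT "$SAMPLE_LISTING" '192\.168\.1\.22 '
```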
 
 
C: Backup and restore
 
1: Back up the firewall rules
Use the iptables-save command to back up the rules to the file 1.ipt
[root@ghs ~]# iptables-save  > 1.ipt
 
View the backup file 1.ipt
[root@ghs ~]# cat 1.ipt
# Generated by iptables-save v1.4.7 on Fri May 19 07:45:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69:8568]
-A INPUT -s 192.168.1.22/32 -d 192.168.1.254/32 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
2: Restore the rules from the backup file
Use the following command to clear the firewall rules
[root@ghs ~]# iptables -F
 
Check that the rules have been cleared
[root@ghs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 5 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Use the iptables-restore command to restore the rules from the 1.ipt backup file
[root@ghs ~]# iptables-restore  < 1.ipt
 
View the rules
[root@ghs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.1.22         192.168.1.254       tcp dpt:80
    5   392 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
The rule shown in red (the DROP rule for 192.168.1.22) is the one that was restored
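Both the save step in section B (a rule added at runtime is not in /etc/sysconfig/iptables until service iptables save) and the restore step here raise the same question: does the running ruleset match what is on disk? This added example (not part of the original post; the function names are mine) compares two rule sets in iptables-save format, ignoring comments and counters, and lists rules that are active but unsaved (lost on the next restart) and rules that are saved but not loaded. Both sample inputs are constructed from the listings above; the comparison is textual, so a file written by another tool (the system-config-firewall listing orders options differently) shows spurious differences until service iptables save has rewritten it in iptables-save's canonical form.

```shell
# Added example, not from the original post: compare two rule sets in iptables-save
# format (running output vs. saved file or backup). Function names are mine.
# Constructed sample: the saved file before the 192.168.1.22 DROP rule was added
SAVED_FILE='# Generated by iptables-save v1.4.7 on Fri May 19 07:27:44 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7984]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed sample: what "iptables-save" prints after the DROP rule was inserted
RUNNING_RULES='# Generated by iptables-save v1.4.7 on Fri May 19 07:45:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69:8568]
-A INPUT -s 192.168.1.22/32 -d 192.168.1.254/32 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# normalize_rules TEXT: drop comment lines and the [pkts:bytes] counters on the
# policy lines (they change constantly and are not rules), then sort for comm(1).
normalize_rules() {
    printf '%s\n' "$1" | grep -v '^#' | sed 's/ \[[0-9]*:[0-9]*\]$//' | sort
}

# rule_set_diff A B: normalized lines of B that do not occur in A
rule_set_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"; normalize_rules "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# unsaved_rules SAVED RUNNING: active now but not on disk -> gone after a restart
unsaved_rules()  { rule_set_diff "$1" "$2"; }
# unloaded_rules SAVED RUNNING: on disk but not active -> restore did not apply them
unloaded_rules() { rule_set_diff "$2" "$1"; }
echo "Rules that will be lost on restart:"; unsaved_rules "$SAVED_FILE" "$RUNNING_RULES"
```

On a live host the two inputs would be "$(iptables-save)" and "$(cat /etc/sysconfig/iptables)" or "$(cat 1.ipt)".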

Origin www.cnblogs.com/douyi/p/11584114.html