iptables extensions
Extended matching conditions require the corresponding extension modules (/usr/lib64/xtables/*.so) to be loaded before they take effect.
For help, see man iptables-extensions.
(1) Implicit extensions: when -p specifies a protocol, that protocol's match options can be used without naming the module with -m; the module is loaded automatically.
Extended options for the tcp protocol
--source-port, --sport port[:port]: match the source port; a range port:port may be given
--destination-port, --dport port[:port]: match the destination port; a range may be given
--tcp-flags mask comp
    mask: comma-separated list of the flags to examine, e.g. SYN,ACK,FIN,RST
    comp: comma-separated list of the flags from mask that must be set to 1; every other flag in mask must be 0
Demo: tcp protocol extended options
Host A: 192.168.34.101
Host B: 192.168.34.102
(1) On host B, create a web page and start the httpd and mariadb services
[root@centos777~]#yum install mariadb-server httpd -y
[root@centos777~]#systemctl start httpd
[root@centos777~]#systemctl start mariadb
[root@centos777~]#echo welcome to beijing > /var/www/html/index.html
(2) On host B, control which other machines may access it
[root@centos777~]#iptables -A INPUT -s 192.168.34.1,127.0.0.1 -j ACCEPT   # allow the local Windows host (192.168.34.1) and loopback
[root@centos777~]#iptables -A INPUT -j REJECT   # reject every other host
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       68  4836 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(3) Host A can no longer reach host B
[root@centos7~]#curl 192.168.34.102
curl: (7) Failed connect to 192.168.34.102:80; Connection refused
(4) Allow only host A to access the httpd service on this machine
[root@centos777~]#iptables -I INPUT 3 -s 192.168.34.101 -p tcp --dport 80 -j ACCEPT
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      217 15779 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       192.168.34.101       0.0.0.0/0            tcp dpt:80
4        1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(5) Verify that host A can now reach host B's httpd service over tcp
[root@centos7~]#curl 192.168.34.102
welcome to beijing
(6) On host B, allow host A to access the mysql database
[root@centos777~]#iptables -I INPUT 3 -s 192.168.34.101 -p tcp --dport 3306 -j ACCEPT
(7) Create an account in mysql on host B to verify the effect
[root@centos777~]#mysql -e "grant all on *.* to test@'192.168.34.%' identified by 'centos'"
(8) Start mariadb on host A as well, then connect from host A to the mysql database on host B
[root@centos7~]#systemctl start mariadb
[root@centos7~]#mysql -utest -pcentos -h192.168.34.102
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Extended options for the tcp protocol
Examples:
--tcp-flags SYN,ACK,FIN,RST SYN      examine the four flags SYN, ACK, FIN and RST; SYN must be set and the other three must be 0
--tcp-flags SYN,ACK,FIN,RST SYN,ACK
--tcp-flags ALL ALL
--tcp-flags ALL NONE
--syn: match the first packet of the TCP handshake
Equivalent to: --tcp-flags SYN,ACK,FIN,RST SYN
Example:
The following rules reject only the TCP handshake from host C (192.168.34.100); all its other traffic is still allowed
[root@centos777~]#iptables -I INPUT 4 -s 192.168.34.100 -p tcp --syn -j REJECT   # reject the handshake from host C
[root@centos777~]#iptables -I INPUT 5 -s 192.168.34.100 -j ACCEPT   # allow everything else from host C
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      634 46456 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3       11   685 ACCEPT     tcp  --  *      *       192.168.34.101       0.0.0.0/0            tcp dpt:3306
4        0     0 REJECT     tcp  --  *      *       192.168.34.100       0.0.0.0/0            tcp flags:0x17/0x02
5        6   398 ACCEPT     all  --  *      *       192.168.34.100       0.0.0.0/0
6       34  4423 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Host C (192.168.34.100) now cannot access host B, because its handshake is rejected
[root@centos7~]#curl 192.168.34.102
curl: (7) Failed connect to 192.168.34.102:80; Connection refused
But host C can still ping host B
[root@centos7~]#ping 192.168.34.102
PING 192.168.34.102 (192.168.34.102) 56(84) bytes of data.
64 bytes from 192.168.34.102: icmp_seq=1 ttl=64 time=1.21 ms
64 bytes from 192.168.34.102: icmp_seq=2 ttl=64 time=0.383 ms
64 bytes from 192.168.34.102: icmp_seq=3 ttl=64 time=0.379 ms
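As an added example (not from the original page), the following shell functions reproduce the `tcp flags:0x17/0x02` value that the listing above shows for `--tcp-flags SYN,ACK,FIN,RST SYN` (the same match `--syn` expands to) and test candidate packets against a mask/comp pair; the bit values are those of the TCP header flags byte.

```shell
#!/bin/sh
# Added example: how iptables turns a --tcp-flags mask/comp pair into the
# hex shown by `iptables -vnL`, and how a packet is matched against it.

# Bit value of one TCP flag name; ALL and NONE are the iptables shorthands.
tcp_flag_bit() {
    case "$1" in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;
        NONE) echo 0 ;;
        *)    echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR together a comma-separated list such as SYN,ACK,FIN,RST -> 23 (0x17).
tcp_flag_list_value() {
    total=0
    rest=$1
    while [ -n "$rest" ]; do
        name=${rest%%,*}                      # first name in the list
        case $rest in
            *,*) rest=${rest#*,} ;;           # drop it and continue
            *)   rest= ;;
        esac
        bit=$(tcp_flag_bit "$name") || return 1
        total=$((total | bit))
    done
    echo "$total"
}

# Print the pair the way the iptables listing does, e.g. 0x17/0x02.
tcp_flags_display() {
    mask=$(tcp_flag_list_value "$1") || return 1
    comp=$(tcp_flag_list_value "$2") || return 1
    printf '0x%02X/0x%02X\n' "$mask" "$comp"
}

# Does a packet whose flags byte is $3 match "--tcp-flags $1 $2"?  Only the
# bits named in the mask are examined: those in comp must be 1, the rest of
# the mask must be 0, and bits outside the mask are ignored.
tcp_flags_match() {
    mask=$(tcp_flag_list_value "$1") || return 1
    comp=$(tcp_flag_list_value "$2") || return 1
    [ $(( $3 & mask )) -eq "$comp" ]
}

# Demo: the --syn rule from the listing above against three packets.
tcp_flags_display SYN,ACK,FIN,RST SYN                                   # 0x17/0x02
tcp_flags_match SYN,ACK,FIN,RST SYN 0x02 && echo "SYN only: matched (handshake)"
tcp_flags_match SYN,ACK,FIN,RST SYN 0x12 || echo "SYN+ACK: not matched (ACK must be 0)"
tcp_flags_match SYN,ACK,FIN,RST SYN 0x0a && echo "SYN+PSH: matched (PSH is outside the mask)"
```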
Extended options for the udp protocol
[!] --source-port, --sport port[:port]: match the source port or port range of the packet
[!] --destination-port, --dport port[:port]: match the destination port or port range of the packet
Extended options for the icmp protocol
[!] --icmp-type {type[/code]|typename}
    type/code 0/0 echo-reply: icmp reply
    type/code 8/0 echo-request: icmp request
Practical exercise: this machine can ping other hosts, but other hosts cannot ping this machine; alternatively, only specified hosts may ping it
(1) Modify the firewall policy on this machine
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      935 69248 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3       39  4843 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@centos777~]#iptables -I INPUT 3 -p icmp --icmp-type 0 -j ACCEPT   # --icmp-type 0 (echo-reply) accepts the replies arriving on INPUT to pings sent from this machine
(2) Verify the effect: ping 192.168.34.101 from this machine; the ping succeeds
[root@centos777~]#ping 192.168.34.101
PING 192.168.34.101 (192.168.34.101) 56(84) bytes of data.
64 bytes from 192.168.34.101: icmp_seq=1 ttl=64 time=0.745 ms
(3) Ping this machine's IP address from the other host; the ping now fails
[root@centos7~]#ping 192.168.34.102
PING 192.168.34.102 (192.168.34.102) 56(84) bytes of data.
From 192.168.34.102 icmp_seq=1 Destination Port Unreachable
From 192.168.34.102 icmp_seq=2 Destination Port Unreachable
(4) Accept icmp type 8 (echo-request) on this machine so that the other host can ping it
[root@centos777~]#iptables -I INPUT 3 -p icmp --icmp-type 8 -j ACCEPT
(5) Result of pinging from the other host
[root@centos7~]#ping 192.168.34.102
PING 192.168.34.102 (192.168.34.102) 56(84) bytes of data.
64 bytes from 192.168.34.102: icmp_seq=1 ttl=64 time=0.630 ms
Explicit extensions: the extension module must be named with the -m option, and it is loaded when the rule is added
[-m matchname [per-match-options]]
Using help:
CentOS 6: man iptables
CentOS 7: man iptables-extensions
1. multiport extension
Defines a discrete multi-port match; up to 15 ports may be specified
[!] --source-ports, --sports port[,port|,port:port]...       multiple source ports
[!] --destination-ports, --dports port[,port|,port:port]...  multiple destination ports
[!] --ports port[,port|,port:port]...                        multiple ports, matched as either source or destination
Example:
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.10 -p tcp -m multiport --dports 20:22,80 -j ACCEPT
Drill:
(1) Install and start the samba service
[root@centos777~]#yum install samba -y   # install the samba service
[root@centos777~]#systemctl start smb
(2) Create a system account and add it to samba, making it a samba account
[root@centos777~]#useradd -s /sbin/nologin smb1 ; smbpasswd -a smb1
New SMB password:
Retype new SMB password:
Added user smb1.
(3) Create the firewall rule: two discrete port numbers can be given in one rule, and they appear on a single line of the listing, which is easier to manage
[root@centos777~]#iptables -I INPUT 4 -p tcp -m multiport --ports 139,445 -j ACCEPT
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2044  151K ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
4       14  2394 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport ports 139,445
5        1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
6       61  6969 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 26 packets, 3231 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Another host can now log in to the samba service
[root@centos7~]#smbclient //192.168.34.102/smb1 -U smb1%centos
Try "help" to get a list of possible commands.
smb: \>
The samba UDP ports can also be opened on this machine; since the two port numbers are consecutive, the multiport module is not needed
[root@centos777~]#iptables -I INPUT 4 -p udp --dport 137:138 -j ACCEPT
2. iprange extension
Matches a continuous IP address range (usually not an entire network)
[!] --src-range from[-to]   source IP address range
[!] --dst-range from[-to]   destination IP address range
Example:
iptables -A INPUT -d 172.16.1.100 -p tcp --dport 80 -m iprange --src-range 172.16.1.5-172.16.1.10 -j DROP
3. mac extension
Matches the source MAC address
Valid only in the PREROUTING, FORWARD and INPUT chains
[!] --mac-source XX:XX:XX:XX:XX:XX
Example:
iptables -A INPUT -s 172.16.0.100 -m mac --mac-source 00:50:56:12:34:56 -j ACCEPT
iptables -A INPUT -s 172.16.0.100 -j REJECT
Demo: allow host B to be pinged based on the MAC address of host A
A Host: 192.168.34.102
B Host: 192.168.34.101
(1) On host B, set a firewall rule for host A's MAC address
[root@centos777~]#iptables -I INPUT 3 -m mac --mac-source 00:0c:29:4e:31:b6 -j ACCEPT
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2629  195K ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0C:29:4E:31:B6
4       81  9753 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 884 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(2) Ping host B from host A; the ping succeeds
[root@centos7~]#ping 192.168.34.102
PING 192.168.34.102 (192.168.34.102) 56(84) bytes of data.
64 bytes from 192.168.34.102: icmp_seq=1 ttl=64 time=0.883 ms
^C
--- 192.168.34.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.883/0.883/0.883/0.000 ms
4. string extension
Performs string pattern matching on the application-layer data of the packet
--algo {bm|kmp}            string matching algorithm; bm: Boyer-Moore, kmp: Knuth-Morris-Pratt
--from offset              start offset
--to offset                end offset
[!] --string pattern       string pattern to look for
[!] --hex-string pattern   string pattern to look for, in hexadecimal
Example:
iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string "google" -j REJECT
Practical exercise: prevent other hosts from retrieving pages that contain "google"
(1) First create a few pages on this machine
[root@centos777~]#echo www.google.com > /var/www/html/google.html
[root@centos777~]#echo www.google.com > /var/www/html/test.html
[root@centos777~]#echo welcom to beijing > /var/www/html/index.html
[root@centos777~]#cd /var/www/html
[root@centos777html]#ls
google.html  index.html  test.html
(2) Then add a firewall rule that rejects, towards all hosts, responses containing the keyword "google"
[root@centos777html]#iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string "google" -j REJECT
[root@centos777html]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3010  229K ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3       25  2006 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0C:29:4E:31:B6
4       99 13459 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 32 packets, 2872 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 STRING match "google" ALGO name bm TO 65535 reject-with icmp-port-unreachable
(3) Access the pages from another host: the pages containing "google" can no longer be retrieved
5. time extension
Matches according to the time at which the packet arrives
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]   start date
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]    stop date
--timestart hh:mm[:ss]                      start time
--timestop hh:mm[:ss]                       stop time
[!] --monthdays day[,day...]                days of the month
[!] --weekdays day[,day...]                 days of the week, 1-7 for Monday to Sunday
--kerneltz: use the kernel time zone; not recommended, CentOS 7 defaults to UTC
Note: CentOS 6 does not support --kerneltz; --localtz specifies the local time zone (the default)
Example:
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.10 -p tcp --dport 80 -m time --timestart 14:30 --timestop 18:30 --weekdays Sat,Sun -j DROP
Practical exercise:
(1) Use the time module to allow access only during a specified time period
[root@centos777~]#iptables -I INPUT 3 -m time --timestart 1:00 --timestop 10:00 -j ACCEPT   # allow access only between 1:00 and 10:00
[root@centos777~]#cd
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3364  255K ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 01:00:00 to 10:00:00 UTC
4      202 48180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 1024 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@centos777~]#date   # the current time is outside the allowed range (the rule is evaluated in UTC)
Thu Dec  5 22:49:46 CST 2019
(2) Other hosts accessing this host's web page are rejected
[root@centos7~]#curl 192.168.34.102
curl: (7) Failed connect to 192.168.34.102:80; Connection refused
6. connlimit extension
Matches according to the number of concurrent connections per client IP, which can help prevent DoS (Denial of Service) attacks
--connlimit-upto #: match if the number of connections is less than or equal to #
--connlimit-above #: match if the number of connections is greater than #
These are normally used together with a default deny or default allow policy, respectively
Example:
iptables -A INPUT -d 172.16.100.10 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
Practical exercise: set a firewall policy to prevent DoS attacks
(1) Set the firewall rule on this machine
[root@centos777~]#iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 -j REJECT   # reject a client once it has more than 100 connections
[root@centos777~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4148  325K ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 #conn src/32 > 100 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1900 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(2) The other host, which has fewer than 100 connections, can still access the web page
[root@centos7~]#curl 192.168.34.102
welcome to beijing
7. limit extension
Rate-based matching of packets (token bucket filter)
--limit #[/second|/minute|/hour|/day]
--limit-burst number
Practical exercise:
[root@centos777~]#iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 10 -j ACCEPT   # the first 10 echo requests pass immediately (burst), afterwards at most 20 per minute
[root@centos777~]#iptables -A INPUT -j REJECT   # reject everything else
8. state extension
Checks connections according to the state held by the "connection tracking" mechanism; this consumes more resources
conntrack mechanism: tracks the relationship between request and response on this machine
The states are:
NEW: the connection tracking table has no entry for this connection, so the packet is recognised as the first request of a new connection
ESTABLISHED: after NEW, the state of the connection for the rest of the communication, until its entry in the tracking table expires
RELATED: a newly initiated connection that is associated with an existing connection, e.g. the ftp data connection in relation to the ftp command connection
INVALID: an invalid connection, e.g. incorrect flag bits
UNTRACKED: connection tracking is not performed, e.g. because tracking was disabled in the raw table
Example:
Existing users can remain connected to the remote host via ssh
Set the rule so that existing connections are not rejected; once an old user disconnects, they can no longer reconnect via ssh, and new connections are rejected by the firewall
[root@centos7~]#iptables -I INPUT 3 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
Because of the firewall, a new user cannot connect
[!] --state state
Example:
iptables -A INPUT -d 172.16.1.10 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 172.16.1.10 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
The connections that have been tracked and recorded:
/proc/net/nf_conntrack
Adjust the maximum number of connections the tracking facility can hold:
/proc/sys/net/nf_conntrack_max
Tracking timeouts for the different protocols:
/proc/sys/net/netfilter/
Note: CentOS 7 needs the module loaded: modprobe nf_conntrack_ipv4
/proc/sys/net/nf_conntrack_max: maximum number of tracked connections
The parameter can be written to the configuration file so that it takes effect permanently:
vim /etc/sysctl.conf
net.nf_conntrack_max=88888   # here set to 88888
After editing the configuration file, apply it:
[root@centos7~]#sysctl -p
net.nf_conntrack_max = 88888
The maximum capacity of the iptables connection tracking table is /proc/sys/net/nf_conntrack_max; timed-out connections in the various states are removed from the table. When the table is full, subsequent connections may time out.
Two solutions:
(1) Increase the nf_conntrack_max value
vim /etc/sysctl.conf
net.nf_conntrack_max = 393216
net.netfilter.nf_conntrack_max = 393216
(2) Lower the nf_conntrack timeouts
vim /etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
iptables -t nat -L -n
Opening the ftp service in passive mode
(1) Load the dedicated ftp connection tracking module:
Module path: /lib/modules/kernelversion/kernel/net/netfilter
vim /etc/sysconfig/iptables-config   # configuration file
IPTABLES_MODULES="nf_conntrack_ftp"
modprobe nf_conntrack_ftp   # load the module
(2) Allow the request packets:
Command connection: NEW, ESTABLISHED
Data connection: RELATED, ESTABLISHED
iptables -I INPUT -d LocalIP -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d LocalIP -p tcp --dport 21 -m state --state NEW -j ACCEPT
(3) Allow the response packets:
iptables -I OUTPUT -s LocalIP -p tcp -m state --state ESTABLISHED -j ACCEPT
Demo: opening the ftp service in passive mode
Host A: 192.168.34.101
Host B: 192.168.34.102
(1) On host A, first add a rule allowing tcp connections to port 21
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      445 34224 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3       40  5213 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state RELATED,ESTABLISHED
4        3   320 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 77 packets, 8175 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@centos7~]#iptables -I INPUT 3 -p tcp --dport 21 -j ACCEPT
(2) Install and start the vsftpd service on host A
[root@centos7~]#yum install vsftpd -y
[root@centos7~]#systemctl start vsftpd
(3) At this point host B can only connect to host A's ftp server. Passive-mode port numbers are random, so host A cannot add a rule for a specific tcp port, and host B cannot perform any other operation.
(4) Load the ftp-related module on host A. It understands the FTP protocol and analyses the data exchanged on port 21, so it learns which port passive mode will use in the next exchange
[root@centos7~]#modprobe nf_conntrack_ftp
(5) Add an iptables rule on host A. Note the relative order of the ESTABLISHED,RELATED rule and the tcp 21 rule: placing the tcp 21 rule after it is better, since most packets are matched by the first rule when users transfer large amounts of data; consider this for performance tuning.
[root@centos7~]#iptables -I INPUT 3 -m state --state ESTABLISHED,RELATED -j ACCEPT
(6) Finally verify the ftp connection from host B; files can now be accessed
Targets:
ACCEPT, DROP, REJECT, RETURN
LOG, SNAT, DNAT, REDIRECT, MASQUERADE, ...
LOG: a non-terminating target; it neither rejects nor accepts by itself, so it is placed before the reject or accept rules
It writes its records to the system log /var/log/messages
--log-level level    log level: debug, info, notice, warning, error, crit, alert, emerg
--log-prefix prefix  log prefix, used to distinguish different logs, at most 29 characters
Demo:
(1) Configure a firewall rule on host A
[root@centos7~]#iptables -I INPUT 4 -s 192.168.34.102 -j LOG --log-prefix "from 34.102 access:"
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1467  110K ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3       17   939 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 LOG        all  --  *      *       192.168.34.102       0.0.0.0/0            LOG flags 0 level 4 prefix "from 34.102 access:"
5       10  1226 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 32 packets, 2856 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(2) Access host A from host B; the traffic from host B is recorded in the system log
(3) Follow the log on host A to see the recorded entries
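As an added example, not from the original post, the shell functions below summarise what the LOG rule above writes to /var/log/messages and flag sources that exceed a packet count; the kernel log lines are constructed to mimic the output for the prefix "from 34.102 access:" and are not a real capture.

```shell
#!/bin/sh
# Added example: summarise LOG target output per source, protocol and
# destination port. SAMPLE_LOG is constructed in the kernel's format.

SAMPLE_LOG=$(cat <<'EOF'
Dec  5 23:01:10 centos7 kernel: from 34.102 access:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:4e:31:b6:08:00 SRC=192.168.34.102 DST=192.168.34.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4021 DF PROTO=TCP SPT=50122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  5 23:01:11 centos7 kernel: from 34.102 access:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:4e:31:b6:08:00 SRC=192.168.34.102 DST=192.168.34.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4022 DF PROTO=TCP SPT=50124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  5 23:01:12 centos7 kernel: from 34.102 access:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:4e:31:b6:08:00 SRC=192.168.34.102 DST=192.168.34.101 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4023 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec  5 23:01:13 centos7 kernel: from 34.102 access:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:4e:31:b6:08:00 SRC=192.168.34.102 DST=192.168.34.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4024 DF PROTO=TCP SPT=50126 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  5 23:01:14 centos7 systemd: Started Session 12 of user root.
EOF
)

# Read a log on stdin and count the packets written by the LOG rule with the
# given --log-prefix, grouped by SRC, PROTO and DPT. Prints "count SRC PROTO
# DPT", busiest first; DPT is "-" for protocols without ports (ICMP).
summarize_iptables_log() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }        # line not written by our rule
        {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # flags such as DF or SYN
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "PROTO") proto = val
                else if (key == "DPT") dpt = val
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Sources whose total logged packets exceed $2: a quick signal to review
# before deciding whether the LOG rule should become a REJECT.
noisy_sources() {
    summarize_iptables_log "$1" | awk -v limit="$2" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] > limit) print s, total[s] }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_iptables_log "from 34.102 access:"
printf '%s\n' "$SAMPLE_LOG" | noisy_sources "from 34.102 access:" 3
```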
Summary of iptables firewall rules
Any access that is not allowed should be rejected when the request arrives
The order of the rules in a chain is the order in which they are checked
Based on the above, rule optimisation:
1. Safely allow all inbound and outbound connections in the ESTABLISHED state
2. Be cautious when allowing new inbound requests
3. Restrictions with a special purpose should reject before the allow rules
4. Among rules of the same kind (access to the same application), place the ones with the smaller match range first, for special handling
5. Among rules of different kinds (access to different applications), place the ones with the larger match range first; for example, put a network's address range first and the IP addresses contained in that network after it
6. Merge multiple rules that can be described by a single rule into one
7. Set a default policy; a whitelist is recommended (only allow specific connections)
    1) iptables -P: not recommended
    2) Recommended: define a rule at the end of the chain to act as the default policy
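As an added example (not the author's), here is a whitelist ruleset in iptables-restore format that applies the ordering principles above, together with a small check of that order; the host addresses come from the demos, while the chosen services and the restriction on 192.168.34.100 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a whitelist ruleset laid out in the recommended order, and a
# linter that verifies the order before the file is fed to iptables-restore.

build_whitelist_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. established traffic first, in both directions: most packets stop here
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# 3. a special-purpose reject goes before the allow rule that would hide it
-A INPUT -s 192.168.34.100 -p tcp --dport 22 -m state --state NEW -j REJECT
# 4. same application, narrower match first: ssh only from the admin network
-A INPUT -s 192.168.34.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# 2./6. new inbound requests, merged into one rule with multiport
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
# 7. default policy as the last rule rather than iptables -P; log before rejecting
-A INPUT -j LOG --log-prefix "INPUT-REJECT:" --log-level 4
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Read a ruleset on stdin and check: the first INPUT rule is the ESTABLISHED
# accept, the narrow reject for port 22 precedes the broader accept, and the
# chain ends in an unconditional REJECT. Exit status 1 on a violation.
check_ruleset_order() {
    awk '
        /^-A INPUT/ {
            n++
            if (n == 1 && !($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/)) bad = "established-first"
            if ($0 ~ /--dport 22 / && $0 ~ /-j REJECT/) rej = n
            if ($0 ~ /--dport 22 / && $0 ~ /-j ACCEPT/) acc = n
            last = $0
        }
        END {
            if (rej && acc && rej > acc) bad = "narrow-reject-after-broad-accept"
            if (last !~ /-j REJECT/ || last ~ /-s /) bad = "no-default-reject"
            if (bad != "") { print "order violation: " bad; exit 1 }
            print "ordering ok (" n " INPUT rules)"
        }
    '
}

# Demo: the generated ruleset passes; the same ruleset without its
# ESTABLISHED rule fails the first check.
build_whitelist_ruleset | check_ruleset_order
build_whitelist_ruleset | grep -v 'ESTABLISHED,RELATED' | check_ruleset_order
```

To load the ruleset on a host, redirect the output of build_whitelist_ruleset to a file and pass it to iptables-restore, as shown in the saving section below.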
Rule lifetime:
Rules defined with the iptables command remain effective for the lifetime of the running kernel, until they are deleted manually
Saving rules:
Save the rules to a specified file
CentOS 7
(1) Save the firewall rules to a specified file
[root@centos7~]#iptables-save > /data/iptables.rule   # save to the data directory
[root@centos7~]#iptables -F   # after flushing the rules
[root@centos7~]#iptables-restore < /data/iptables.rule   # restore the previous policy from the saved file
[root@centos7~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1792 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       192.168.34.102       0.0.0.0/0            LOG flags 0 level 4 prefix "from 34.102 access:"
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination
(2) Give the local startup script execute permission and add the restore command to it, so the rules are loaded at boot
[root@centos7~]#chmod +x /etc/rc.d/rc.local   # add execute permission to the local startup script
[root@centos7~]#vim /etc/rc.d/rc.local   # edit the local startup file
CentOS 6: saving firewall rules
service iptables save   # save the current rules, overwriting /etc/sysconfig/iptables
Then enable the service at boot
chkconfig iptables on