First, installation and use
(A) Installation
[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig
[root@k8s-node1 sysconfig]# yum install iptables
[root@k8s-node1 sysconfig]# yum install iptables-services
[root@k8s-node1 sysconfig]# ls -l | grep iptables
-rw-------. 1 root root 550 8月 8 19:41 iptables
-rw-------. 1 root root 2116 8月 8 19:41 iptables-config
[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig
Stop and disable firewalld so it does not conflict with the iptables service:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
(B) Usage
[root@k8s-node1 sysconfig]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:8081
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Allow all input:
iptables -P INPUT ACCEPT
Start at boot:
systemctl enable iptables
systemctl stop/start/restart iptables
chkconfig iptables off / on (permanently disable / enable the service at boot)
Manually open ports by editing the rules file:
[root@k8s-node1 sysconfig]# clear
[root@k8s-node1 sysconfig]# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Save the rules:
service iptables save
(C) Common rules
View: iptables -L -n
Allow everything in: iptables -P INPUT ACCEPT
Clear the rules in the built-in chains: iptables -F
Delete user-defined chains: iptables -X
Zero the counters: iptables -Z
Allow loopback (lo interface) traffic: iptables -A INPUT -i lo -j ACCEPT
Open a port: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow ping: iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
Allow return traffic for connections this host initiated: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Drop all other inbound traffic (default policy): iptables -P INPUT DROP
Allow all outbound traffic (default policy): iptables -P OUTPUT ACCEPT
Drop all forwarded traffic (default policy): iptables -P FORWARD DROP
Accept all TCP from one IP: iptables -A INPUT -p tcp -s <ip> -j ACCEPT
Drop everything not matched by the rules above: iptables -P INPUT DROP (on a remote host, add the RELATED,ESTABLISHED and port 22 accepts first, or the session is locked out)
Block an IP: iptables -I INPUT -s <ip> -j DROP
Unblock an IP: iptables -D INPUT -s <ip> -j DROP
Save the configuration: service iptables save
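An added check, not from the original post, that reads a ruleset in the /etc/sysconfig/iptables format shown above and flags two mistakes the rules in (C) make easy on the CentOS default file: appending an ACCEPT with -A below the catch-all REJECT, so it never matches, and setting a DROP policy on INPUT without the RELATED,ESTABLISHED accept. The sample ruleset is constructed for this example.

```python
# Constructed sample: the CentOS default filter table from above, plus a port-80
# ACCEPT appended with `iptables -A INPUT ...` after the catch-all REJECT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [(chain, rule_args), ...]) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                    # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):  # -A CHAIN <matches> -j TARGET
            _, chain, args = line.split(" ", 2)
            rules.append((chain, args))
    return policies, rules

def lint(text):
    """Return findings for the filter table; an empty list means nothing found."""
    policies, rules = parse_filter(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        dead = False
        for c, args in rules:
            if c != chain:
                continue
            if dead:  # appended below a rule that already ends the chain
                findings.append(f"{chain}: unreachable rule after catch-all: {args}")
            elif args.split()[:2] in (["-j", "REJECT"], ["-j", "DROP"]):  # no match criteria
                dead = True
    # A DROP policy with no RELATED,ESTABLISHED accept cuts off remote sessions.
    if policies.get("INPUT") == "DROP" and not any(
            c == "INPUT" and "ESTABLISHED" in a for c, a in rules):
        findings.append("INPUT: policy DROP without RELATED,ESTABLISHED accept (lockout risk)")
    return findings
```

Run it against `iptables-save` output before `service iptables save`; a port opened with -A that shows up as unreachable should be inserted with -I instead.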
Second, concepts
1. Transport protocol:
tcp udp icmp
2. Service type:
http ftp smtp
3. Action:
accept reject drop
The TCP/IP protocol stack is part of the kernel.
Web services run in user space.
A web service listens on a socket (IP:port); when it responds to a client request, the response packet's destination is the client's endpoint and the web service's IP:port becomes the source.
netfilter is part of the kernel: it is a kernel-level hook framework through which every incoming and outgoing packet must pass a check at its level (input/output level) to be accepted or blocked. The rule lists attached to these hooks are the iptables chains.
IP_FORWARD lets the host forward packets destined for other machines.
Five chains:
Before routing: PREROUTING
Forwarded through the host: FORWARD
After routing: POSTROUTING
Into this host: INPUT
Out of this host: OUTPUT
Four tables:
filter: packet filtering (kernel module iptable_filter)
nat: network address translation (iptable_nat)
mangle: iptable_mangle, unpacks, modifies and repacks packets
raw: iptable_raw, turns off the connection tracking that nat relies on for matching packets
Priority: raw -> mangle -> nat -> filter
Chains and the tables they hold:
PREROUTING: raw / mangle / nat
INPUT: mangle / filter (CentOS 7 also nat)
FORWARD: mangle / filter
OUTPUT: raw / nat / mangle / filter
POSTROUTING: mangle / nat
Table (function) ---- chain (hook)
raw: prerouting/output
mangle: prerouting/input/forward/output/postrouting
nat: prerouting/output/postrouting (centos7 also input)
filter: input/forward/output
Linux host forwarding switch:
/proc/sys/net/ipv4/ip_forward
Rules:
Basic match criteria: source IP, destination IP
Extended match criteria: source port, destination port
Actions (targets):
ACCEPT: allow the packet
DROP: discard the packet without replying
REJECT: refuse the packet and send back an error response
SNAT: source address translation, so internal users share one public address to reach the external network
MASQUERADE: a special form of SNAT for dynamic addresses, where the external IP may change
DNAT: destination address translation
REDIRECT: port mapping on the local host
LOG: record the packet in /var/log/messages and take no other action, so the packet goes on to match later rules
Third, commands
1. View a table: iptables -t filter (default) / raw / mangle / nat -L INPUT -v
-t: table
-L: list
-v: verbose
-I: insert (at the head of the chain)
-A: append (at the tail of the chain)
-s: source
-j: jump
-F: flush
-R: replace
-P: policy
[root@k8s-node1 sysconfig]# iptables --help
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
Example:
iptables --line-numbers -vnL INPUT
iptables -t filter -I INPUT <line-num> -s <source-ip> -j DROP
iptables -t filter -D INPUT <rule line-num>
iptables -t filter -D INPUT -s <source-ip> -j DROP
iptables -t filter -F <chain>
iptables -t filter -R INPUT <rule line-no> -s <source-ip> -j <target>
iptables -t filter -P INPUT DROP
Fourth, saving rules
/etc/sysconfig/iptables
service iptables save
cat /etc/sysconfig/iptables
systemctl restart iptables (rules that were not saved are lost on restart)
iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
iptables-restore replaces the current rule set with the contents of the file.