CentOS iptables

First, installation and use

(A) Installation

[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig

[root@k8s-node1 sysconfig]# yum install iptables

[root@k8s-node1 sysconfig]# yum install iptables-services

[root@k8s-node1 sysconfig]# ls -l | grep iptables
-rw-------. 1 root root  550 8月   8 19:41 iptables
-rw-------. 1 root root 2116 8月   8 19:41 iptables-config
[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig

 

systemctl stop firewalld    (stop firewalld)

systemctl mask firewalld    (mask firewalld so it cannot be started again)

(B) Usage

[root@k8s-node1 sysconfig]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:8081

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0      

Allow all input:

iptables -P INPUT ACCEPT

Start at boot:

systemctl enable iptables

systemctl stop/start/restart iptables

chkconfig iptables off / on (permanently disable / enable the service at boot)

Manually configure ports:

[root@k8s-node1 sysconfig]# vim /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Save the rules:

service iptables save

(C) Common commands

View rules: iptables -L -n

Allow all inbound traffic (default policy): iptables -P INPUT ACCEPT

Flush the rules in the built-in chains: iptables -F

Delete user-defined chains: iptables -X

Zero the packet and byte counters: iptables -Z

Allow loopback (lo interface) traffic: iptables -A INPUT -i lo -j ACCEPT

Open a port (here SSH, 22): iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow ping (ICMP echo request): iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Allow return traffic for established connections: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Drop all other inbound traffic: iptables -P INPUT DROP

Allow all other outbound traffic: iptables -P OUTPUT ACCEPT

Drop all forwarded traffic: iptables -P FORWARD DROP

Accept all TCP requests from one IP: iptables -A INPUT -p tcp -s <ip> -j ACCEPT

Drop every request that matched none of the rules above: iptables -P INPUT DROP

Block an IP: iptables -I INPUT -s <ip> -j DROP

Unblock an IP: iptables -D INPUT -s <ip> -j DROP

Save the configuration: service iptables save
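The commands in (B) and (C) above, assembled into one reviewable ruleset. This is an added example, not a script from the original post: a POSIX sh function that writes the same rules in the /etc/sysconfig/iptables (iptables-save) format shown in (B), with the DROP default policies from (C), so the file can be read before it is loaded with iptables-restore (see the save/restore commands further down). The function names gen_filter_rules and count_accept_ports and the port list 22 443 are choices made for this example. The script never touches the running firewall.

```shell
#!/bin/sh
# Added example (not from the original post): build the filter-table ruleset
# from section (C) as an /etc/sysconfig/iptables file, in iptables-save format.
# Function names and the sample port list are choices made for this example.
# Nothing here changes the live firewall; loading is a separate, root-only step.

# gen_filter_rules PORT... -> prints a *filter section that allows loopback,
# established/related return traffic, ping and the given TCP ports, and drops
# everything else arriving on INPUT or FORWARD.
gen_filter_rules() {
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded packets, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Order matters: loopback and conntrack first, since they match most packets.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    for port in "$@"; do
        # Accept only a plain TCP port number (1-65535); anything else aborts,
        # so a typo cannot produce a file that iptables-restore rejects later.
        case $port in
            ''|*[!0-9]*) printf '%s\n' "gen_filter_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            printf '%s\n' "gen_filter_rules: port out of range '$port'" >&2
            return 1
        fi
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_accept_ports RULESET -> number of explicit port-opening rules in the
# text, a quick check that every port you meant to open is present.
count_accept_ports() {
    printf '%s\n' "$1" | grep -c -- '--dport'
}

# Usage: GEN_RULES=1 sh thisfile.sh writes a ruleset for SSH and HTTPS to
# /tmp/iptables.rules. Review it, then (as root) iptables-restore < that file,
# or copy it to /etc/sysconfig/iptables so the iptables service loads it at boot.
if [ "${GEN_RULES:-0}" = 1 ]; then
    rules=$(gen_filter_rules 22 443)
    printf '%s\n' "$rules" > /tmp/iptables.rules
    printf 'wrote /tmp/iptables.rules with %s port rule(s)\n' "$(count_accept_ports "$rules")"
fi
```

Compared with typing the commands one by one, loading a file with iptables-restore applies the whole ruleset in one step, so there is no moment where the INPUT policy is already DROP but the SSH rule has not been added yet. Reading the file (or the number returned by count_accept_ports) before loading is what catches a forgotten port.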

Second, concepts

1. Transport protocols:

tcp udp icmp

2. Services:

http ftp smtp

3. Actions:

accept reject drop

 

The TCP/IP protocol stack is part of the kernel.

Web services run in user space.

A web service listens on a socket (IP:port). When it answers a client request, the response packet's destination endpoint is the client, and the web service's IP:port becomes the source.

netfilter is part of the kernel. It places checkpoints at the kernel level (the input and output hooks) that every incoming and outgoing packet must pass through and where it is either allowed or blocked; the rule lists attached to these checkpoints are the iptables chains.

ip_forward is used to forward packets on to other machines.

Five chains:

Before routing: PREROUTING

Forwarding: FORWARD

After routing: POSTROUTING

Into the local machine: INPUT

Out of the local machine: OUTPUT

Four tables:

filter: packet filtering; kernel module iptable_filter

nat: network address translation; kernel module iptable_nat

mangle: iptable_mangle; unpack, modify and repack packets

raw: iptable_raw; turns off the connection tracking that nat enables

Priority: raw -> mangle -> nat -> filter

Chains and the tables that hook into them:

PREROUTING: raw / mangle / nat

INPUT: mangle / filter (CentOS 7: also nat)

FORWARD: mangle / filter

OUTPUT: raw / nat / mangle / filter

POSTROUTING: nat / mangle

Tables (function) and the chains (hooks) they attach to:

raw: PREROUTING / OUTPUT

mangle: PREROUTING / INPUT / FORWARD / OUTPUT / POSTROUTING

nat: PREROUTING / OUTPUT / POSTROUTING (CentOS 7: also INPUT)

filter: INPUT / FORWARD / OUTPUT

Enabling forwarding on a Linux host:

/proc/sys/net/ipv4/ip_forward

Rules:

Basic match conditions: source IP, destination IP

Extended match conditions: source port, destination port

Actions (targets):

ACCEPT: allow the packet

DROP: discard the packet silently, without a reply

REJECT: refuse the packet and send an error reply

SNAT: source address translation; lets users on an internal network share one public address to reach the Internet

MASQUERADE: a special form of SNAT for dynamically assigned public addresses that may change

DNAT: destination address translation

REDIRECT: port mapping on the local machine

LOG: records the packet in the /var/log/messages log file and does nothing else, so the packet goes on to be matched against the following rules

 

Third, commands

1. View a table: iptables -t filter (default) / raw / mangle / nat -L INPUT -v

-t: table

-L: list

-v: verbose

-I: insert (at the head of the chain)

-A: append (at the tail of the chain)

-s: source

-j: jump (to a target)

-F: flush

-R: replace

-P: policy

[root@k8s-node1 sysconfig]# iptables --help
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

 

Examples:

iptables --line-numbers -vnL INPUT

iptables -t filter -I INPUT <line-num> -s <source-ip> -j DROP

iptables -t filter -D INPUT <rule line-num>

iptables -t filter -D INPUT -s <source-ip> -j DROP 

iptables -t filter -F <chain name>

iptables -t filter -R INPUT <rule line-no> -s <source-ip> -j <target>

iptables -t filter -P INPUT DROP
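The -I / -D pattern from the examples above, made safe to repeat. This is an added example, not from the original post: it uses -C (listed under Commands in the --help output above) to test whether the DROP rule already exists before inserting or deleting it, so running the block step twice does not stack duplicate rules in INPUT, and an unblock does not fail because the rule was already gone. The function names (valid_ipv4, rule_present, block_ip, unblock_ip) and the IPTABLES variable are assumptions for this example; with the default value the real iptables binary is called, which requires root.

```shell
#!/bin/sh
# Added example (not from the original post): block / unblock a source address
# in the filter table's INPUT chain without stacking duplicate rules, by asking
# iptables -C whether the rule exists before using -I or -D.
# IPTABLES defaults to the real binary (needs root); it can be pointed at a
# stand-in command for testing. Function names are choices for this example.
IPTABLES=${IPTABLES:-iptables}

# valid_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address, optionally with
# a /prefix of 0-32. Rejects garbage before it reaches the ruleset.
valid_ipv4() {
    ip=${1%%/*}
    if [ "$ip" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# rule_present ADDR -> 0 if "INPUT -s ADDR -j DROP" already exists.
rule_present() {
    "$IPTABLES" -t filter -C INPUT -s "$1" -j DROP 2>/dev/null
}

# block_ip ADDR -> inserts the DROP rule at position 1 of INPUT (ahead of any
# ACCEPT rules) unless it is already there. Prints "added" or "exists".
block_ip() {
    valid_ipv4 "$1" || { printf '%s\n' "block_ip: invalid address '$1'" >&2; return 2; }
    if rule_present "$1"; then
        echo exists
    else
        "$IPTABLES" -t filter -I INPUT 1 -s "$1" -j DROP && echo added
    fi
}

# unblock_ip ADDR -> deletes the DROP rule only if it is present, so a second
# run does not fail. Prints "removed" or "absent".
unblock_ip() {
    valid_ipv4 "$1" || { printf '%s\n' "unblock_ip: invalid address '$1'" >&2; return 2; }
    if rule_present "$1"; then
        "$IPTABLES" -t filter -D INPUT -s "$1" -j DROP && echo removed
    else
        echo absent
    fi
}

# Usage (as root): sh thisfile.sh block 203.0.113.7   or   sh thisfile.sh unblock 203.0.113.7
# The address is a documentation-range example, not a real host.
case ${1:-} in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```

Inserting at position 1 matters because iptables stops at the first matching rule: a DROP appended after an ACCEPT for the same port would never be reached. The -C check is what keeps a script that runs from cron or a login hook from filling INPUT with identical rules, which both slows matching and makes a later -D remove only one copy.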

Fourth, saving rules

Rules file: /etc/sysconfig/iptables

service iptables save

cat /etc/sysconfig/iptables

systemctl restart iptables (rules that were not saved are lost on restart)

iptables-save > /etc/sysconfig/iptables (overwrites the existing file)

iptables-restore < /etc/sysconfig/iptables

 

 


Source: blog.csdn.net/Neil_001/article/details/104031597