Case 1. Commonly used iptables parameters and what they do
-P: set the default policy of a chain
-F: flush (empty) a rule chain
-L: list the rules in a chain
-A: append a new rule at the end of a chain
-I num: insert a new rule at the head of a chain
-D num: delete a specific rule
-s: match the source address IP/MASK; prefixing it with "!" means every address except this IP
-d: match the destination address
-i <interface>: match traffic entering through this network interface
-o <interface>: match traffic leaving through this network interface
-p: match the protocol, e.g. TCP, UDP, ICMP
--dport num: match the destination port number
--sport num: match the source port number
Physical host VMnet1: 192.168.10.1
Linux server 1: 192.168.10.2
Win7 client: 192.168.10.3
Linux server 2: 192.168.10.4
Case 1. iptables -L: view the firewall rules
[root@dsrw yum.repos.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Case 2. iptables -F: flush the existing firewall rules
[root@dsrw yum.repos.d]# iptables -F
[root@dsrw yum.repos.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Case 3. Set the default policy of the INPUT chain to deny.
[root@dsrw ~]# iptables -P INPUT DROP
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
The deny action of a chain's default policy can only be DROP, never REJECT.
Case 4. Add a rule to the INPUT chain allowing ICMP traffic in.
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Server 2 pings server 1:
[root@dsrw ~]# ping -c 5 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
From 192.168.10.2 icmp_seq=1 Destination Host Prohibited
From 192.168.10.2 icmp_seq=2 Destination Host Prohibited
From 192.168.10.2 icmp_seq=3 Destination Host Prohibited
From 192.168.10.2 icmp_seq=4 Destination Host Prohibited
From 192.168.10.2 icmp_seq=5 Destination Host Prohibited
--- 192.168.10.2 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 100ms
[root@dsrw ~]# iptables -I INPUT -p icmp -j ACCEPT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Server 2 pings server 1:
[root@dsrw ~]# ping -c 5 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=64 time=2.38 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=64 time=0.477 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=64 time=0.448 ms
64 bytes from 192.168.10.2: icmp_seq=4 ttl=64 time=0.686 ms
64 bytes from 192.168.10.2: icmp_seq=5 ttl=64 time=0.343 ms
--- 192.168.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 84ms
rtt min/avg/max/mdev = 0.343/0.866/2.380/0.765 ms
Case 5. Delete the rule allowing ICMP traffic that was added to the INPUT chain.
[root@dsrw ~]# iptables -D INPUT 1
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Server 2 pings server 1:
[root@dsrw ~]# ping -c 5 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=64 time=2.38 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=64 time=0.477 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=64 time=0.448 ms
64 bytes from 192.168.10.2: icmp_seq=4 ttl=64 time=0.686 ms
64 bytes from 192.168.10.2: icmp_seq=5 ttl=64 time=0.343 ms
--- 192.168.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 84ms
rtt min/avg/max/mdev = 0.343/0.866/2.380/0.765 ms
Case 6. Add rules to the INPUT chain so that only hosts in the 192.168.10.0 network may access port 22 on this server, and access from any other host is rejected.
[root@dsrw ~]# iptables -I INPUT -p tcp --dport 22 -j REJECT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with icmp-port-unreachable
[root@dsrw ~]# iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.10.0/24 anywhere tcp dpt:ssh
REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with icmp-port-unreachable
Linux server 2 logs in to Linux server 1:
[root@dsrw ~]# ssh 192.168.10.2
The authenticity of host '192.168.10.2 (192.168.10.2)' can't be established.
ECDSA key fingerprint is SHA256:hFlfjG/6A/hF+hqNMuW0p0gNEIedOpPVHo/bC7GkIxw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.2' (ECDSA) to the list of known hosts.
root@192.168.10.2's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Dec 16 10:40:01 2022
[root@dsrw ~]# whoami
root
[root@dsrw ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.2 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::79a3:9a62:622d:f0ec prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:65:c4:9c txqueuelen 1000 (Ethernet)
RX packets 552 bytes 72063 (70.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 421 bytes 44817 (43.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Case 7. Add rules to the INPUT chain rejecting access from everyone to local port 8888
[root@dsrw ~]# iptables -I INPUT -p tcp --dport 8888 -j REJECT
[root@dsrw ~]# iptables -I INPUT -p udp --dport 8888 -j REJECT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT udp -- anywhere anywhere udp dpt:ddi-udp-1 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:ddi-tcp-1 reject-with icmp-port-unreachable
Case 8. Add a rule to the INPUT chain rejecting access from host 192.168.10.4 to local port 21 (the FTP service)
[root@dsrw ~]# iptables -I INPUT -p tcp -s 192.168.10.4 --dport 21 -j REJECT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- 192.168.10.4 anywhere tcp dpt:ftp reject-with icmp-port-unreachable
Case 9. Append rules at the end of the INPUT chain rejecting access from all hosts to local ports 8899~8900
[root@dsrw ~]# iptables -A INPUT -p udp --dport 8899:8900 -j REJECT
[root@dsrw ~]# iptables -A INPUT -p tcp --dport 8899:8900 -j REJECT
[root@dsrw ~]# iptables -L
REJECT udp -- anywhere anywhere udp dpts:ospf-lite:jmb-cds1 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:ospf-lite:jmb-cds1 reject-with icmp-port-unreachable
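The cases above depend on one rule: iptables evaluates a chain top to bottom and the first matching rule decides, so -I (head) and -A (tail) change the outcome, not just the listing order. The following toy model of an INPUT chain is an added example written for this page, not part of the original lab and not the iptables implementation; it replays the commands of cases 3, 6 and 9 and returns the verdict a packet would get, with the Rule/Chain names and the packet dicts being this example's own constructs.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple
# Toy model of one iptables filter chain (constructed for this page, not the real
# implementation), showing the first-match rule behind "-I" versus "-A".
@dataclass
class Rule:
    target: str                               # ACCEPT, REJECT or DROP
    proto: Optional[str] = None               # -p tcp|udp|icmp; None matches all
    src: Optional[str] = None                 # -s IP or IP/MASK
    src_negate: bool = False                  # "! -s": everything except src
    dports: Optional[Tuple[int, int]] = None  # --dport N or N:M as (lo, hi)
    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src:
            in_net = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src, strict=False)
            if in_net == self.src_negate:     # miss when not negated, hit when negated
                return False
        if self.dports and not (self.dports[0] <= pkt.get("dport", -1) <= self.dports[1]):
            return False
        return True

@dataclass
class Chain:
    policy: str = "ACCEPT"                    # changed with "iptables -P INPUT DROP"
    rules: list = field(default_factory=list)

    def insert(self, rule: Rule) -> None:     # iptables -I INPUT ...  (head of chain)
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:     # iptables -A INPUT ...  (tail of chain)
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        # The first matching rule decides; the policy applies only if none match.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def build_input_chain() -> Chain:
    """Replays the commands of cases 3, 6 and 9 in the order the page runs them."""
    chain = Chain(policy="DROP")                                        # case 3
    chain.insert(Rule("REJECT", proto="tcp", dports=(22, 22)))          # case 6, first command
    chain.insert(Rule("ACCEPT", "tcp", "192.168.10.0/24", dports=(22, 22)))  # case 6, second
    chain.append(Rule("REJECT", proto="udp", dports=(8899, 8900)))      # case 9
    chain.append(Rule("REJECT", proto="tcp", dports=(8899, 8900)))
    return chain
```

Because the ACCEPT for 192.168.10.0/24 was inserted after the REJECT, it sits above it and wins for LAN clients, while SSH from any other source reaches the REJECT; ICMP matches nothing and falls through to the DROP policy, which is exactly what case 4 fixed by inserting an ICMP ACCEPT at the head.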
Case 10. To make the configured firewall rules take effect permanently, run the save command:
[root@ldsrw ~]#iptables-save
# Generated by xtables-save v1.8.2 on Fri Dec 16 14:14:10 2022
On RHEL 5/6/7 the corresponding save command is:
[root@ldsrw ~]#service iptables save