1.1.4 iptables Configuration

Case 1. Commonly used iptables parameters and what they do

-P: set the default policy of a chain
-F: flush (clear) all rules in a chain
-L: list the rules in a chain
-A: append a new rule at the end of a chain
-I num: insert a new rule at the head of a chain (at position num, if given)
-D num: delete rule number num from a chain
-s: match the source address IP/MASK; a leading "!" means every address except this one
-d: match the destination address
-i interface: match packets arriving on this network interface
-o interface: match packets leaving on this network interface
-p: match the protocol, e.g. TCP, UDP, ICMP
--dport num: match the destination port number
--sport num: match the source port number
Lab environment:
Physical host (VMnet1): 192.168.10.1
Linux server 1: 192.168.10.2
Win7 client: 192.168.10.3
Linux server 2: 192.168.10.4

Case 1. iptables -L: view the firewall rules

[root@dsrw yum.repos.d]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Case 2. iptables -F: flush the existing firewall rules

[root@dsrw yum.repos.d]# iptables -F
[root@dsrw yum.repos.d]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

Case 3. Set the default policy of the INPUT chain to deny.

[root@dsrw ~]# iptables -P INPUT DROP
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

The deny action of a chain's default policy can only be DROP, not REJECT: -P accepts only the built-in ACCEPT and DROP targets, while REJECT is a rule-level target that sends an ICMP error back to the sender.

Case 4. Add a rule to the INPUT chain that allows incoming ICMP traffic.

[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Server 2 pings server 1:
[root@dsrw ~]# ping -c 5 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
From 192.168.10.2 icmp_seq=1 Destination Host Prohibited
From 192.168.10.2 icmp_seq=2 Destination Host Prohibited
From 192.168.10.2 icmp_seq=3 Destination Host Prohibited
From 192.168.10.2 icmp_seq=4 Destination Host Prohibited
From 192.168.10.2 icmp_seq=5 Destination Host Prohibited

--- 192.168.10.2 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 100ms


[root@dsrw ~]# iptables -I INPUT -p icmp -j ACCEPT 
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Server 2 pings server 1:
[root@dsrw ~]# ping -c 5 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=64 time=2.38 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=64 time=0.477 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=64 time=0.448 ms
64 bytes from 192.168.10.2: icmp_seq=4 ttl=64 time=0.686 ms
64 bytes from 192.168.10.2: icmp_seq=5 ttl=64 time=0.343 ms

--- 192.168.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 84ms
rtt min/avg/max/mdev = 0.343/0.866/2.380/0.765 ms

Case 5. Delete the rule that was added to the INPUT chain to allow incoming ICMP traffic.

[root@dsrw ~]# iptables -D INPUT 1
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Server 2 pings server 1:
[root@dsrw ~]# ping -c 5 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=64 time=2.38 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=64 time=0.477 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=64 time=0.448 ms
64 bytes from 192.168.10.2: icmp_seq=4 ttl=64 time=0.686 ms
64 bytes from 192.168.10.2: icmp_seq=5 ttl=64 time=0.343 ms

--- 192.168.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 84ms
rtt min/avg/max/mdev = 0.343/0.866/2.380/0.765 ms

Case 6. Add rules to the INPUT chain so that only hosts on the 192.168.10.0 network may reach port 22 on this server, and access from any other host is rejected.

[root@dsrw ~]# iptables -I INPUT  -p tcp --dport 22   -j REJECT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
Figure 1-1: Win7 client logs in to Linux server 1 with PuTTY
Figure 1-2: Win7 client login fails
[root@dsrw ~]# iptables -I INPUT -s 192.168.10.0/24  -p tcp --dport 22  -j ACCEPT 
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.10.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
Figure 1-3: Physical host logs in to Linux server 1
Figure 1-4: Enter the username and password to log in to Linux server 1
Linux server 2 logs in to Linux server 1:
[root@dsrw ~]# ssh 192.168.10.2
The authenticity of host '192.168.10.2 (192.168.10.2)' can't be established.
ECDSA key fingerprint is SHA256:hFlfjG/6A/hF+hqNMuW0p0gNEIedOpPVHo/bC7GkIxw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.2' (ECDSA) to the list of known hosts.
root@192.168.10.2's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Dec 16 10:40:01 2022
[root@dsrw ~]# whoami
root
[root@dsrw ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.2  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::79a3:9a62:622d:f0ec  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:65:c4:9c  txqueuelen 1000  (Ethernet)
        RX packets 552  bytes 72063 (70.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 421  bytes 44817 (43.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Case 7. Add rules to the INPUT chain that reject access from everyone to port 8888 on this host.

[root@dsrw ~]# iptables -I INPUT  -p tcp   --dport 8888 -j REJECT
[root@dsrw ~]# iptables -I INPUT  -p udp  --dport 8888 -j REJECT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             udp dpt:ddi-udp-1 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 reject-with icmp-port-unreachable

Case 8. Add a rule to the INPUT chain that rejects access from host 192.168.10.4 to port 21 (the FTP service) on this host.

[root@dsrw ~]# iptables -I INPUT  -p tcp  -s 192.168.10.4  --dport 21 -j REJECT
[root@dsrw ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
REJECT     tcp  --  192.168.10.4         anywhere             tcp dpt:ftp reject-with icmp-port-unreachable

Case 9. Append rules to the end of the INPUT chain that reject access from all hosts to ports 8899 to 8900 on this host.

[root@dsrw ~]# iptables -A INPUT  -p udp  --dport  8899:8900 -j REJECT
[root@dsrw ~]# iptables -A INPUT  -p tcp  --dport  8899:8900 -j REJECT
[root@dsrw ~]# iptables -L

REJECT     udp  --  anywhere             anywhere             udp dpts:ospf-lite:jmb-cds1 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpts:ospf-lite:jmb-cds1 reject-with icmp-port-unreachable

Case 10. To make the configured firewall policy permanent, run the save command:

[root@ldsrw ~]# iptables-save
# Generated by xtables-save v1.8.2 on Fri Dec 16 14:14:10 2022

On RHEL 5/6/7 the corresponding save command is:

[root@ldsrw ~]# service iptables save
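As an added example that is not part of the original tutorial, the policy built up in cases 3 through 9 written as one ordered iptables-restore ruleset, with the save step from case 10 done in the form that actually persists it. The RULES_FILE path and the extra loopback ACCEPT rule are assumptions; loading the file requires root.

```shell
#!/bin/sh
# Added example, not from the tutorial; assumes the page's lab addresses,
# a hypothetical RULES_FILE path and an extra loopback ACCEPT rule.
RULES_FILE="${RULES_FILE:-/tmp/lab-iptables.rules}"
# Emit the cases 3-9 policy in iptables-save format. Rules are matched top
# to bottom, first match wins, so the SSH ACCEPT for the lab subnet must
# sit above the SSH REJECT (case 6 got this order with two -I commands).
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT
-A INPUT -p tcp --dport 8888 -j REJECT
-A INPUT -p udp --dport 8888 -j REJECT
-A INPUT -s 192.168.10.4 -p tcp --dport 21 -j REJECT
-A INPUT -p tcp --dport 8899:8900 -j REJECT
-A INPUT -p udp --dport 8899:8900 -j REJECT
COMMIT
EOF
}

# Lock-out guard: with policy DROP, an SSH ACCEPT must exist and precede the SSH REJECT.
ssh_accept_before_reject() {
    acc=$(build_ruleset | grep -n -- '--dport 22 -j ACCEPT' | cut -d: -f1)
    rej=$(build_ruleset | grep -n -- '--dport 22 -j REJECT' | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$rej" ] && [ "$acc" -lt "$rej" ]
}

# Number of INPUT rules the file adds; compare with
# "iptables -S INPUT | grep -c '^-A'" after loading to confirm it applied.
count_input_rules() {
    build_ruleset | grep -c -- '^-A INPUT'
}

# iptables-save only prints the live rules to stdout; they survive a reboot
# only when that text is stored where iptables-restore reads it at boot.
save_and_load() {
    ssh_accept_before_reject || { echo "refusing: SSH would be locked out" >&2; return 1; }
    build_ruleset > "$RULES_FILE"
    # Root-only steps (not run here):
    #   iptables-restore < "$RULES_FILE"
    #   iptables-save > /etc/sysconfig/iptables   # RHEL-style persistence path
}
```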