linux系统的iptables服务

IPTABLES

IPTABLES 是与最新的 3.5 版本 Linux 内核集成的 IP 信息包过滤系统。如果 Linux 系统连接到因特网或 LAN、服务器或连接 LAN 和因特网的代理服务器，则该系统有利于在 Linux 系统上更好地控制 IP 信息包过滤和防火墙配置。

防火墙在做信息包过滤决定时，有一套遵循和组成的规则，这些规则存储在专用的信息包过滤表中，而这些表集成在 Linux 内核中。在信息包过滤表中，规则被分组放在我们所谓的链（chain）中。iptables IP 信息包过滤系统是一款功能强大的工具，可用于添加、编辑和移除规则。

虽然 netfilter/iptables IP 信息包过滤系统被称为单个实体，但它实际上由两个组件netfilter 和 iptables 组成。

netfilter 组件也称为内核空间（kernelspace），是内核的一部分，由一些信息包过滤表组成，这些表包含内核用来控制信息包过滤处理的规则集。

iptables 组件是一种工具，也称为用户空间（userspace），它使插入、修改和除去信息包过滤表中的规则变得容易。
iptables 的最大优点是它可以配置有状态的防火墙，这是 ipfwadm 和 ipchains 等以前的工具都无法提供的一种重要功能。有状态的防火墙能够指定并记住为发送或接收信息包所建立的连接的状态。防火墙可以从信息包的连接跟踪状态获得该信息。在决定新的信息包过滤时，防火墙所使用的这些状态信息可以增加其效率和速度。这里有四种有效状态，名称分别为 ESTABLISHED 、 INVALID 、 NEW 和 RELATED。

状态 ESTABLISHED 指出该信息包属于已建立的连接，该连接一直用于发送和接收信息包并且完全有效。INVALID 状态指出该信息包与任何已知的流或连接都不相关

iptables 命令

-nL查看火墙信息
-F 刷新策略，临时清空表的信息
-t 等同-nL
-t 指定操作的表
-P 默认规则
-A 自己添加的规则
从上到下依次读取策略，上面的满足了，就不读取下面的
-I 插入，可以指定添加所在位置
-R 修改策略
-n 表示不做解析
-L 查表的策略信息
-p 协议
-D 删除链上的制定规则
-N 自动以添加链名
-E 修改规则链名称
-X 删除自定义链

开启服务

[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# systemctl disable firewalld
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
[[email protected] ~]# systemctl start iptables.service
[[email protected] ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'

清空规则并修改访问为接受模式

[[email protected] ~]# iptables -nL                                                                                #查看防火墙策略信息
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp -- 0.0.0.0/0            0.0.0.0/0
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all -- 0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all -- 0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[[email protected] ~]# iptables -F                                                                                   #清空策略
[[email protected] ~]# iptables -nL                                                                                 #查看策略已清空
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[[email protected] ~]# service iptables save                                                              #保存规则信息
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[[email protected] ~]# vim /etc/sysconfig/iptables                                                     #查看iptables配置文件
[[email protected] ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[[email protected] ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[[email protected] ~]# yum install httpd -y
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# iptables -p INPUT ACCEPT                                                          #将访问设置为接收模式

真机浏览器：
172.25.254.202
可以看到http测试页面（任何主机都可以）

默认添加访问http为拒绝模式

测试：
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[[email protected] ~]# iptables -P INPUT DROP
[[email protected] ~]# iptables -nL
显示DROP

真机浏览器测试：
一直在等待

实验：

[[email protected] ~]# iptables -P INPUT ACCEPT
[[email protected] ~]# iptables -A INPUT -p tcp --dport 80 -j REJECT                                         #默认添加httpd为拒绝模式
[[email protected] ~]# iptables -nL                                                                                                    #查看添加规则
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

浏览器测试：访问被拒绝

[[email protected] ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT                                       #默认添加httpd为接受模式
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

浏览器测试：访问被拒绝

添加，第二行被覆盖

[[email protected] ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT                                    #在第一行插入httpd为接受模式
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

浏览器测试：可以访问

指定用户添加内容

[[email protected] ~]# iptables -R INPUT 1 -s 172.25.254.2 -p tcp --dport 80 -j ACCEPT
                                                  #-R：修改；-s：数据来源，将INPUT表第一条修改为默认指定172.25.254.2主机可以访问本机httpd
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 172.25.254.2         0.0.0.0/0            tcp dpt:80
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

真机可以看到，其他都不可以看到

[[email protected] ~]# iptables -N westos                                                      #添加westos为链名
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 172.25.254.2         0.0.0.0/0            tcp dpt:80
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain westos (0 references)
target     prot opt source               destination
[[email protected] ~]# iptables -E westos WESTOS                                   #修改链名称为WESTOS
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 172.25.254.2         0.0.0.0/0            tcp dpt:80
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain WESTOS (0 references)
target     prot opt source               destination
[[email protected] ~]# iptables -X WESTOS                                               #删除westos链
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 172.25.254.2         0.0.0.0/0            tcp dpt:80
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[[email protected] ~]# iptables -I INPUT 2 -p tcp -j ACCEPT                       #在第二条插入允许访问httpd
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 172.25.254.2         0.0.0.0/0            tcp dpt:80
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0
REJECT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

对第一次访问的请求读取允许连接的策略，当第二次访问或者之后访问的直接接受请求，不读取允许连接的策略，以便节省时间
NEW：表示第一次访问
ESTABLISHED ：表示第二次访问
RELATED ：表示关闭访问后再次访问

[[email protected] ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT                                  #将ssh端口设置为接受
[[email protected] ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT                                  #dns
[[email protected] ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT                                  #http
[[email protected] ~]# iptables -A INPUT -p tcp --dport 3260 -j ACCEPT                              #iscsi
[[email protected] ~]# iptables -A INPUT -i lo -j ACCEPT                                                        #回环接口
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:3260
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[[email protected] ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
                                                                           #将之前访问过或者正在访问的主机设置为接受模式，再次访问不再读取策略
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            tcp dpt:3260
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

[[email protected] ~]# iptables -F

[[email protected] ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT                                    #添加ssh端口为接受
[[email protected] ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT                                    #dns
[[email protected] ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT                                    #httpd
[[email protected] ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 3260 -j ACCEPT                                #iscsi
[[email protected] ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT                                  #https
[[email protected] ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT                                                          #回环接口
[[email protected] ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3260
ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     all -- 0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[[email protected] ~]# service iptables save                                                                                                                 #保存规则
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

[[email protected] ~]# vim /etc/sysconfig/iptable