1. Understanding iptables
2. iptables commands
2.1 Syntax: iptables -t table command chain rules -j target
table: filter, nat, or mangle; the default is filter
Commands:
-L or --list: list the rules in the table
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-v shows more detail (packet and byte counters, in/out interfaces); -n shows IP addresses and ports numerically instead of resolving names
# iptables -L FORWARD -nv
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 3/hour burst 1000
0 0 ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
0 0 DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
-P or --policy: set the default policy of a chain (what happens to packets that match no rule)
# iptables -t filter -P FORWARD DROP
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t filter -P FORWARD ACCEPT
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-A or --append: append a rule to the end of a chain
# iptables -t filter -A FORWARD -p icmp -j DROP
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-I or --insert: insert a rule at the front of a chain, or at the rule number given (position 2 in the example below)
# iptables -t filter -I FORWARD 2 -p icmp -j ACCEPT
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-R or --replace: replace the rule at the given position in a chain
# iptables -t filter -R FORWARD 2 -p icmp -j DROP
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
DROP icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-D or --delete: delete a rule from a chain (by rule number here)
# iptables -t filter -D FORWARD 2
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-F or --flush: delete all rules in the table (the chain policies are left as they are)
# iptables -t filter -F
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.2 iptables match options
-i or --in-interface: match packets arriving on the given network interface, e.g. eth0, eth1
-o or --out-interface: match packets leaving via the given network interface, e.g. eth0, eth1
# iptables -t filter -I FORWARD -i eth0 -j DROP
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-p or --protocol: match the packet's protocol, e.g. TCP, UDP, ICMP
-s or --source: match the packet's source address
-d or --destination: match the packet's destination address
--sport: match the packet's source port; a range can be given as "start-port:end-port"
--dport: match the packet's destination port; a range can be given as "start-port:end-port"
# iptables -t filter -I FORWARD -p tcp -s 10.0.0.90/32 -d 10.0.0.80/32 --dport 3389 -j DROP
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 10.0.0.90 10.0.0.80 tcp dpt:ms-wbt-server
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t filter -I FORWARD -p tcp -s 10.0.0.0/24 -d 10.10.10.0/24 --dport 3389 -j DROP
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 10.0.0.0/24 10.0.10.0/24 tcp dpt:ms-wbt-server
DROP tcp -- 10.0.0.90 10.0.0.80 tcp dpt:ms-wbt-server
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.3 iptables extension (-m) options
Limit the average packet rate: -m limit --limit
Control the size of a momentary burst: -m limit --limit-burst
# iptables -t filter -F
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j ACCEPT
# iptables -t filter -A FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit 300/second -j DROP   # drop whatever exceeds the limit
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t filter -I FORWARD -s 172.16.2.0/24 -d 172.16.3.0/24 -m limit --limit-burst 1000 -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 3/hour burst 1000
ACCEPT all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
DROP all -- 172.16.2.0/24 172.16.3.0/24 limit: avg 303/sec burst 5
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
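Note that both limit rules above carry a -m limit match, so packets beyond the ACCEPT rule's rate are only dropped while the DROP rule's own token bucket still has room; anything beyond that matches neither rule and falls through to the chain policy, which is ACCEPT here. The following added example (not the post's code; the RATE and BURST values are assumed) emits the corrected pair, a limited ACCEPT followed by an unconditional DROP, in iptables-restore format.

```shell
#!/bin/sh
# Added example, not from the original post: emit a corrected rate-limit rule
# pair in iptables-restore format. The subnets are the post's; RATE and BURST
# are assumed values.
SRC="172.16.2.0/24"
DST="172.16.3.0/24"
RATE="300/second"   # sustained average packets per second
BURST="1000"        # how many packets may pass at once before the limit bites

# The ACCEPT rule carries the limit match; the DROP rule after it carries
# NO limit match, so every packet over the rate is dropped instead of
# falling through to the chain policy.
limit_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s $SRC -d $DST -m limit --limit $RATE --limit-burst $BURST -j ACCEPT
-A FORWARD -s $SRC -d $DST -j DROP
COMMIT
EOF
}

# How many FORWARD rules carry a limit match: exactly one is correct.
limited_rule_count() {
    limit_ruleset | grep -c -- '^-A FORWARD .*-m limit'
}

# Return 0 if the DROP rule is unconditional (no -m limit on it), 1 otherwise.
drop_is_unconditional() {
    limit_ruleset | grep -q -- "^-A FORWARD -s $SRC -d $DST -j DROP\$"
}

# On a live host (root, CAP_NET_ADMIN) the set is loaded with:
#   limit_ruleset | iptables-restore
```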
2.4 Targets (actions)
-j specifies the target, i.e. what to do with a matching packet. Common targets include: ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, MARK
Main targets usable in the filter table:
ACCEPT: let the packet through; after this action no further rules in the chain are matched and the packet moves on to the next chain
REJECT: block the packet and send a packet back to notify the sender; after this action no further rules are matched and filtering stops
DROP: discard the packet without any further processing; after this action no further rules are matched and filtering stops.
3. Saving and restoring the iptables configuration
3.1 Save the current rules to the configuration file
# /etc/rc.d/init.d/iptables save
3.2 View the iptables configuration file
# cat /etc/sysconfig/iptables
3.3 Save the rules to a file, and load them back from that file
# iptables-save > iptables.conf1
# iptables-restore < iptables.conf1
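As an added example (mine, not the post's), the script below parses the format that iptables-save writes and /etc/sysconfig/iptables holds, so a saved ruleset can be audited without touching the live firewall; the dump embedded in it is constructed to mirror the rules shown in this post.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump
# offline with awk. SAMPLE_DUMP is constructed to mirror the post's rules;
# on a live host feed `iptables-save` (or /etc/sysconfig/iptables) instead.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.0.90/32 -d 10.0.0.80/32 -p tcp -m tcp --dport 3389 -j DROP
-A FORWARD -i eth0 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.10.0/24 -o eth0 -j SNAT --to-source 10.0.0.80-10.0.0.81
COMMIT'

# Print the default policy of chain $2 in table $1 (dump on stdin).
# "*filter" lines switch the current table; ":FORWARD DROP [0:0]" lines
# declare a chain and its policy.
chain_policy() {
    awk -v t="$1" -v c="$2" '
        /^[*]/ { tbl = substr($0, 2) }
        /^:/ && tbl == t && substr($1, 2) == c { print $2; exit }'
}

# Count the rules appended (-A) to chain $2 in table $1 (dump on stdin).
rule_count() {
    awk -v t="$1" -v c="$2" '
        /^[*]/ { tbl = substr($0, 2) }
        $1 == "-A" && $2 == c && tbl == t { n++ }
        END { print n + 0 }'
}

# Baseline check: return 0 when FORWARD defaults to DROP, 1 when the host
# would forward anything that no explicit rule blocks.
forward_defaults_to_drop() {
    [ "$(printf '%s\n' "$SAMPLE_DUMP" | chain_policy filter FORWARD)" = "DROP" ]
}
```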
4. Configuring NAT (network address translation)
# ifconfig eth0:0 10.0.0.81 netmask 255.255.255.0
# ip addr show eth0:0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:21:85:0e brd ff:ff:ff:ff:ff:ff
inet 10.0.0.80/24 brd 10.0.0.255 scope global eth0
inet 10.0.0.81/24 brd 10.0.0.255 scope global secondary eth0:0
inet6 fe80::20c:29ff:fe21:850e/64 scope link
valid_lft forever preferred_lft forever
# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j SNAT --to-source 10.0.0.80-10.0.0.81
# iptables -t nat -L POSTROUTING -nv
Chain POSTROUTING (policy ACCEPT 3 packets, 205 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- - eth0 10.0.10.0/24 0.0.0.0/0 to:10.0.0.80-10.0.0.81
5. Using the mangle table
TTL target options used below:
--ttl-inc 1
--ttl-dec 2
--ttl-set 40
# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
# iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-inc 1
# iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-dec 2
# iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 40
# iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL decrement by 2
TTL all -- anywhere anywhere TTL increment by 1
TTL all -- anywhere anywhere TTL set to 40
Reposted from: https://blog.51cto.com/13162375/2095290