iptables

On CentOS 6.5, iptables is generally enabled by default.
It is the firewall that preceded firewalld.

Installation

Install

yum install -y iptables       # install iptables

yum install iptables-services # install iptables-services

yum update iptables           # upgrade iptables

Check status

service iptables status       # CentOS6

systemctl status iptables     # CentOS7

Auto start

chkconfig iptables on               # CentOS6

systemctl enable iptables.service   # CentOS7


Basic usage

Open specific ports

iptables -A INPUT -p tcp --dport 4022 -j ACCEPT

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

iptables -A INPUT -p tcp --dport 8087 -j ACCEPT


Check status

[root@localhost ~]# service iptables status

Table: filter                # Table: filter is the table that implements the firewall's packet-filtering function

Chain INPUT (policy ACCEPT)  # INPUT's default policy is ACCEPT; change it to deny by default with: iptables -P INPUT DROP

num  target     prot opt source               destination

1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10050

2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)   # FORWARD's default policy is ACCEPT; change it to deny by default with: iptables -P FORWARD DROP

num  target     prot opt source               destination

1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)    # OUTPUT's default policy is ACCEPT; change it to deny by default with: iptables -P OUTPUT DROP

num  target     prot opt source               destination

If no filter rules are set on OUTPUT, is all outbound traffic allowed, or none? The chain policy decides: with `policy ACCEPT` and no rules, as shown above, everything outbound is allowed; with `policy DROP` and no rules, nothing is.

Check status

[root@localhost zabbix]# iptables -L -n

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10050

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7000

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:17000

REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

When there are no rules

Viewing the current rules: with no rules loaded it looks like this

[root@localhost ~]# iptables -L -n

Chain INPUT (policy ACCEPT)              # allowed by default

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)            # allowed by default

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)             # allowed by default; if the policy were DROP, every INPUT rule you add would need a matching OUTPUT rule

target     prot opt source               destination


Configuration

The default configuration, /etc/sysconfig/iptables

[root@localhost sysconfig]# more iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT


Changing rules

Append a rule allowing host 192.168.111.1 to reach port 22 (inbound)

iptables -A INPUT -s 192.168.111.1/32 -p tcp -m tcp --dport 22 -j ACCEPT

Append a rule: if OUTPUT's policy is DROP, the outbound direction also needs to be allowed (the replies go back to that host from source port 22, so match on -d and --sport)

iptables -A OUTPUT -d 192.168.111.1/32 -p tcp -m tcp --sport 22 -j ACCEPT

Insert a rule (at the top of the chain, so it is matched before the ones appended earlier)

iptables -I INPUT -p tcp --dport 10050 -j ACCEPT

Delete a rule

iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Note! Note! Note! After changing rules you must save them.

Save rules

Usually you modify with -A and -D and then save to the config file; you can also edit the config file directly and restart the service.

service iptables save


Flush rules

iptables -F   # flush the rules of every chain in the default filter table
iptables -X   # remove the user-defined chains in the default filter table

Other

iptables -A INPUT -s 192.168.111.1 -p all -j ACCEPT    # allow everything from this host

iptables -A INPUT -p tcp --dport 80 -j ACCEPT          # open the web port, no IP restriction
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT         # web, outbound
iptables -A INPUT -p tcp --dport 21 -j ACCEPT          # allow FTP
iptables -A INPUT -p icmp -j ACCEPT                    # ICMP, used by ping (needed if INPUT policy is DROP)
iptables -A OUTPUT -p icmp -j ACCEPT                   # (needed if OUTPUT policy is DROP)

# The loopback rules below must be added, otherwise you cannot even ping yourself
iptables -A INPUT -i lo -p all -j ACCEPT     # allow loopback! (otherwise DNS and other local services stop working properly) (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT    # allow loopback! (otherwise DNS and other local services stop working properly) (if OUTPUT is DROP)

# Reduce exposed ports: close a port on this machine
iptables -A OUTPUT -p tcp --sport 31337 -j DROP
iptables -A OUTPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -s 10.161.8.119 -p tcp --dport 22 -j ACCEPT    # allow a single port for one host
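The following is an added example, not part of the original notes: a POSIX shell function that generates a default-deny INPUT ruleset in the /etc/sysconfig/iptables (iptables-save) format shown in the Configuration section, in the order the loopback and ICMP notes above require (loopback and ESTABLISHED,RELATED first, allowlisted ports, REJECT last). The function name `gen_ruleset` and the port list are this example's own assumptions.

```shell
#!/bin/sh
# gen_ruleset PORT...  -> prints a complete *filter ruleset on stdout.
# Hypothetical helper for this example; apply the output with
#   gen_ruleset 22 80 | iptables-restore
# or write it to /etc/sysconfig/iptables and run: service iptables restart
gen_ruleset() {
    printf '%s\n' '*filter'
    # INPUT defaults to DROP: anything not explicitly accepted is dropped.
    # OUTPUT stays ACCEPT, so no per-service OUTPUT (reply) rules are needed.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first: with INPUT DROP and no lo rule, DNS and other local
    # services break and the host cannot ping itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started, and related traffic.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # One rule per allowlisted TCP port, NEW connections only.
    for port in "$@"; do
        case "$port" in
            *[!0-9]*|'') echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    # Explicit final REJECT so refused connections fail fast instead of timing out.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Sample run (constructed): SSH and HTTP allowed, everything else rejected.
gen_ruleset 22 80
```

Because `iptables-restore` loads the whole file atomically, a typo in a generated line leaves the previous ruleset in place instead of half-applying the new one.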