Understanding iptables rules: list, add, delete and modify

Detailed series (in Chinese): http://www.zsythink.net/archives/1199

Key idea: rule = match conditions + action (target)

I. target: the action taken once a packet matches a rule

In an iptables rule, the target is what is done with a packet once it satisfies the rule's match conditions. Targets are either built-in (ACCEPT, DROP, RETURN and friends) or provided by extensions (REJECT, LOG, the NAT targets and so on).
Some commonly used targets:

  • ACCEPT: let the packet through.
  • DROP: discard the packet silently, sending nothing back; the client sees its request vanish and only learns something is wrong when its own timeout expires.
  • REJECT: refuse the packet and send an error back to the sender (an ICMP port-unreachable by default, selectable with --reject-with); the client is told immediately instead of waiting for a timeout.
  • SNAT: source address translation; lets many internal hosts reach the Internet through one public address.
  • MASQUERADE: a special form of SNAT for interfaces whose address is dynamic and may change; it always uses the outgoing interface's current address.
  • DNAT: destination address translation (for example, forwarding a public port to an internal host).
  • REDIRECT: port mapping on the local machine (redirect the packet to a local port).
  • LOG: write the packet's details to the kernel log (via syslog, /var/log/messages on CentOS) and then hand the packet on to the next rule. LOG is a non-terminating target: apart from recording the packet it does nothing to it, so the following rules still get to match it.
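The LOG target as a worked example, added here and not part of the original article: the rule in the comment (its position 4 and the prefix "SSH_NEW: " are assumptions) records every new SSH connection attempt and, because LOG does not stop rule traversal, the packet then goes on to the ACCEPT rule for port 22. The shell functions below summarise such log lines by source address; the sample lines are constructed in the kernel's LOG format, not captured from a real host.

```shell
# Added example (not from the original article): LOG as a non-terminating
# "tap" in front of the rule that accepts new SSH connections, followed by a
# summary of the resulting kernel log lines.
#
# Assumed rule (run as root; position 4 and the prefix are assumptions, use
# the slot just before your own ACCEPT rule for tcp/22):
#   iptables -I INPUT 4 -p tcp --dport 22 -m state --state NEW \
#            -j LOG --log-prefix "SSH_NEW: " --log-level 4
# LOG does not end traversal, so the same packet is then evaluated by the
# ACCEPT rule that follows it.

# Constructed sample lines in the kernel's LOG format (not a real capture).
SAMPLE_LOG='May 30 01:31:02 shell-host kernel: SSH_NEW: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.50.90 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 30 01:31:05 shell-host kernel: SSH_NEW: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.50.90 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31338 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 30 01:31:09 shell-host kernel: SSH_NEW: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=10.0.0.7 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4242 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
May 30 01:31:10 shell-host kernel: OTHER: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=10.0.0.7 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4243 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# log_field KEY < lines: print the value of KEY=value from every line.
log_field() {
    awk -v k="$1" '{ for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) print substr($i, length(k) + 2) }'
}

# log_sources PREFIX < lines: count the lines carrying PREFIX per SRC address,
# busiest first. Output lines look like "2 192.168.50.90".
log_sources() {
    awk -v p="kernel: $1" '
        index($0, p) {
            for (i = 1; i <= NF; i++)
                if (index($i, "SRC=") == 1) n[substr($i, 5)]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Who is opening new SSH connections, according to the LOG lines?
printf '%s\n' "$SAMPLE_LOG" | log_sources 'SSH_NEW: '
```

On a live CentOS host the input would be `grep 'SSH_NEW: ' /var/log/messages` (or `journalctl -k`) instead of the constructed sample; only lines carrying the chosen prefix are counted, so other LOG rules on the same host do not pollute the result.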

II. Listing rules: iptables -L

#simple listing of the filter table
iptables -t filter -L
#show more information (counters, interfaces)
iptables -t filter -vL
#do not resolve IP addresses to names, print the addresses as they are
iptables -t filter -nvL
#show only the given chain of the table
iptables -nvL INPUT
#show rule numbers
iptables --line-numbers -nvL INPUT
  • -t: the table to operate on, here filter. -t filter can be omitted: when no -t is given, iptables operates on the filter table.
  • -v: verbose output (packet and byte counters, in/out interfaces).
  • -L: list all rules (of one chain only, if a chain name is given).
  • -n: numeric output; do not reverse-resolve IP addresses and ports to names. Without -n a listing can stall on DNS lookups and prints "anywhere" and "ssh" instead of 0.0.0.0/0 and 22, as the first listing below shows.
  • --line-numbers: print the rule number in front of each rule. The abbreviation --line-number used in the transcripts below works as well, because iptables accepts any unambiguous prefix of a long option.
[clam@shell-host ~]$ sudo iptables -t filter -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   37  2812 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
   20  2639 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 48 packets, 3718 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[root@shell-host clam]# iptables --line-number  -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           
2       93  8789 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6       83 10883 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
  1. Meaning of the columns of each rule:
  • pkts: number of packets that matched this rule
  • bytes: total size of the packets that matched this rule
  • target: the rule's target, i.e. the "action" taken once the rule matches
  • prot: the protocol the rule applies to (all if the rule is not restricted to a protocol)
  • opt: the rule's options (fragment flags; "--" when none are set)
  • in: the interface (network card) the packet must arrive on for the rule to match
  • out: the interface (network card) the packet must leave through for the rule to match
  • source: the source address the rule matches; a single IP or a network range
  • destination: the destination address the rule matches; a single IP or a network range
  2. Meaning of the fields in parentheses after each chain name:
  • policy: the chain's default policy. policy ACCEPT means the chain's default action is ACCEPT: anything that reaches the end of the chain without matching a rule is accepted, so the rules configured in such a chain should be the requests you want to refuse. In plain terms it is a "blacklist": everyone gets through except those explicitly listed.

With the policy set to ACCEPT one would expect a blacklist, yet most of the rules listed above are ACCEPT rather than the DROP or REJECT one would imagine. That follows from how iptables evaluates a chain: rules are checked from top to bottom, the first rule that matches decides the packet's fate, and the policy is consulted only when no rule matched at all. The ruleset above exploits exactly that: it accepts the traffic it wants (established connections, ICMP, loopback, new SSH connections) and closes with a catch-all REJECT, so the ACCEPT policy is never reached and the chain behaves as a "whitelist", not the "blacklist" just described.

  • packets: number of packets handled by the chain's default policy, i.e. that matched no rule; 0 packets means the policy has not been applied to any packet yet (in the listing above only the OUTPUT chain, which has no rules, shows non-zero policy counters)
  • bytes: total size of the packets handled by the chain's default policy

III. Adding rules: iptables -I / iptables -A

#insert a rule at the top of the chain
iptables -t filter -I INPUT -s 192.168.50.90 -j DROP
#insert a rule at a given position
iptables -t filter -I INPUT 3 -s 192.168.50.90 -j DROP
#append a rule at the end of the chain
iptables -t filter -A INPUT -s 192.168.50.90 -j ACCEPT
  • -I: insert. -I INPUT inserts the rule at the head of the INPUT chain.
  • -s: source. The "source address" part of the match conditions: the rule matches when the packet's source address belongs to the address given to -s.
  • -j: the action taken when the match conditions are satisfied, DROP in this example.
  • 3: insert the rule as rule number 3; the existing rule 3 and everything after it move down by one.
  • -A: append. -A INPUT adds the rule at the tail of the INPUT chain.

Position matters because the first matching rule wins. Appended rules land after the existing catch-all REJECT, so the ACCEPT appended in the transcript below can never match: packets from 192.168.50.90 are caught by the DROP at the top first, and everything else by the REJECT. Its counters stay at 0 for exactly that reason. Note also that -I and -A do not check for duplicates; running the same command twice creates two identical rules.
#inserting a rule
[root@shell-host clam]# iptables -t filter -I INPUT -s 192.168.50.90 -j DROP
[root@shell-host clam]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           
   80  7849 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   63  8148 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
#appending a rule
[root@shell-host clam]# iptables -t filter -A INPUT -s 192.168.50.90 -j ACCEPT
[root@shell-host clam]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           
   93  8789 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   87 11359 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  *      *       192.168.50.90        0.0.0.0/0           
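An added example (not code from the original article) that makes -I and -A idempotent: iptables -C tests whether an identical rule already exists, so duplicates are never created, and -D is repeated until every copy is gone. IPTABLES is an assumed hook variable so the functions can be exercised with a stub; on a live system it is simply the iptables binary, run as root.

```shell
# Added example (not from the original article): add a rule only if it is not
# already present, and delete every copy of a rule. IPTABLES is an assumed
# hook so the functions can be exercised with a stub instead of a live kernel.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN -I|-A RULESPEC...: add the rule unless an identical one
# exists. "iptables -C" exits 0 when the exact rule is found and 1 otherwise,
# so repeated runs never create duplicates (unlike plain -I / -A).
ensure_rule() {
    local chain="$1" how="$2"
    shift 2
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0                      # already present: nothing to do
    fi
    "$IPTABLES" "$how" "$chain" "$@"
}

# remove_rule CHAIN RULESPEC...: delete every matching copy. "-D" removes only
# the first match, so loop until "-C" no longer finds one. Prints the number
# of copies removed.
remove_rule() {
    local chain="$1"
    shift
    local removed=0
    while "$IPTABLES" -C "$chain" "$@" 2>/dev/null; do
        "$IPTABLES" -D "$chain" "$@" || return 1
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Usage (as root, against the live ruleset):
#   ensure_rule INPUT -I -s 192.168.50.90 -j DROP    # a second call is a no-op
#   remove_rule INPUT -s 192.168.50.90 -j DROP       # prints how many were deleted
```

The rule specification passed to -C must be exactly the one iptables stores (same matches, same order, same target), which is also what -D by specification requires; comparing against `iptables -S CHAIN` output is the quickest way to see that form.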

IV. Deleting rules: iptables -D | flushing rules: iptables -F

#delete a rule by its number
iptables -D INPUT 2
#delete a rule by its exact match conditions and action
iptables -D INPUT -s 192.168.50.90 -j DROP
#flush every rule of the given chain in the given table
iptables -t filter -F INPUT
  • -D: delete one rule from the given chain. Deleting by number renumbers the rules that follow (in the transcript below rule 3 becomes rule 2), so list with --line-numbers again before the next deletion by number. Deleting by specification removes only the first rule that matches it exactly; if a rule was added twice, -D has to be run twice.
  • -F: flush, i.e. remove every rule in the chain (every chain of the table if no chain is given). Think twice before running it: -F does not touch the chain's policy, so with a DROP policy on INPUT a flush also removes the rule that lets your own SSH session in.
[root@shell-host clam]# iptables --line-number -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           
2       95  8941 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6       91 11915 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 ACCEPT     all  --  *      *       192.168.50.90        0.0.0.0/0           
[root@shell-host clam]# iptables -D INPUT 2
[root@shell-host clam]# iptables --line-number -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           
2        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       91 11915 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 ACCEPT     all  --  *      *       192.168.50.90        0.0.0.0/0    
[root@shell-host clam]# iptables -D INPUT -s 192.168.50.90 -j DROP
[root@shell-host clam]# iptables --line-number -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4       97 12543 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
5        0     0 ACCEPT     all  --  *      *       192.168.50.90        0.0.0.0/0           

V. Modifying a rule: iptables -R | changing a chain's policy: iptables -P

#replace a rule
iptables -R INPUT 5 -s 192.168.50.90 -j DROP
#change the default policy of a chain
iptables -P FORWARD DROP
  • -R: replace the rule with the given number in the given chain. The number only says which rule is replaced; -R still takes a complete new rule, so the -s option and its source address cannot be left out. Every match condition the original rule had must be given again (all of them, if there are several), otherwise the replacement simply lacks them.

If the command does not repeat the rule's original source address with -s, the source address of the modified rule silently becomes 0.0.0.0/0 (which matches every address). If the -j action is also REJECT or DROP, requests from every IP are now refused, because no source was given and the rule's source turned into 0.0.0.0/0. If you are configuring iptables over an SSH session to the server, that session is cut off too. A safe habit is to read the current rule back with iptables -S INPUT 5 and edit that line rather than retyping it from memory.

  • -P: set the default policy of the given chain (here FORWARD becomes DROP). Only the built-in targets ACCEPT and DROP are allowed as a policy. Setting INPUT's policy to DROP before a rule accepting your SSH traffic exists locks you out just as surely as the -R mistake above.
[root@shell-host clam]# iptables --line-number -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4       97 12543 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
5        0     0 ACCEPT     all  --  *      *       192.168.50.90        0.0.0.0/0           
[root@shell-host clam]# iptables -R INPUT 5 -s 192.168.50.90 -j DROP
[root@shell-host clam]# iptables --line-number -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4       97 12543 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
5        0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           
[root@shell-host clam]# iptables --line-number -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4      105 13503 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
5        0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 360 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@shell-host clam]# iptables -P FORWARD DROP
[root@shell-host clam]# iptables --line-number -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4      106 13581 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
5        0     0 DROP       all  --  *      *       192.168.50.90        0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination   
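An added example, not from the original article, of a lock-out-proof way to use -R: the rule's existing match conditions are read back with iptables -S CHAIN NUM and reused verbatim, and only the target is replaced, so the 0.0.0.0/0 accident described above cannot happen. IPTABLES is an assumed hook variable so the function can be exercised with a stub; on a live system it is the iptables binary, run as root.

```shell
# Added example (not from the original article): change only the target of an
# existing rule. "iptables -R" needs the complete rule, so the match part is
# read back with "iptables -S CHAIN NUM" instead of being retyped. IPTABLES is
# an assumed hook so the function can be exercised with a stub.
IPTABLES="${IPTABLES:-iptables}"

# rule_match_spec CHAIN NUM: print the match part of rule NUM, e.g.
# "-A INPUT -s 192.168.50.90/32 -j ACCEPT"  ->  "-s 192.168.50.90/32".
rule_match_spec() {
    local chain="$1" num="$2" spec
    spec=$("$IPTABLES" -S "$chain" "$num") || return 1
    spec=${spec#"-A $chain"}            # drop the "-A CHAIN" prefix
    case "$spec" in
        *" -j "*) spec=${spec% -j *} ;;  # drop the target and its options
    esac
    spec=${spec# }                       # trim the leading space, if any
    printf '%s\n' "$spec"
}

# replace_target CHAIN NUM TARGET [TARGET-OPTIONS...]: rebuild the rule from
# its original match conditions plus the new target.
replace_target() {
    local chain="$1" num="$2" match
    shift 2
    match=$(rule_match_spec "$chain" "$num") || return 1
    # $match is deliberately unquoted: it is an argument list, not one word.
    "$IPTABLES" -R "$chain" "$num" $match -j "$@"
}

# Usage (as root):
#   replace_target INPUT 5 DROP
#   replace_target INPUT 5 REJECT --reject-with icmp-port-unreachable
```

Rule numbers shift whenever rules are inserted or deleted, so run the listing and the replacement back to back. The word-splitting of $match is fine for the matches shown on this page; a rule whose match contains quoted text (for example an -m comment string with spaces) would need an array-capable shell instead.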

VI. Saving rules: service iptables save

  1. Changes made with iptables take effect immediately but live only in the running kernel; they are lost on reboot and on service iptables restart.
  2. To make changes permanent, save them with "service iptables save". The rules are written to /etc/sysconfig/iptables (this service comes from the iptables-services package on CentOS/RHEL; elsewhere the equivalent is iptables-save > file, restored with iptables-restore < file).
  3. If you do not run service iptables save, service iptables restart returns the firewall to its previous state: every unsaved change is lost, and after the restart the rules are again what /etc/sysconfig/iptables contained at the last save. This doubles as an undo when a mistake has been made.
[root@shell-host clam]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@shell-host clam]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sat May 30 01:30:25 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat May 30 01:30:25 2020
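An added example (not from the original article) that checks a saved ruleset in the iptables-save format shown above before it is restored. It answers the two questions from section II: whether a chain with an ACCEPT policy is in fact a whitelist because of a trailing catch-all REJECT, and whether SSH is still accepted before that catch-all. The sample ruleset is a copy of the file above; the chain names and port 22 are the only assumptions.

```shell
# Added example (not from the original article): sanity-check a ruleset in
# iptables-save format (what /etc/sysconfig/iptables contains) before
# restoring it.

# Constructed copy of the page's saved file, used as sample input.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# chain_policy CHAIN < ruleset: print the default policy of CHAIN.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# effective_mode CHAIN < ruleset: the fate of a packet that matches none of
# the chain's conditional rules. "allowlist" when the last rule is an
# unconditional DROP/REJECT (the policy is then never consulted and only
# explicitly accepted traffic passes); otherwise the policy itself.
effective_mode() {
    awk -v c="$1" '
        $1 == (":" c)          { policy = $2 }
        $1 == "-A" && $2 == c  { last = $0 }
        END {
            if (last ~ ("^-A " c " -j (DROP|REJECT)( |$)")) print "allowlist"
            else print (policy == "" ? "unknown" : policy)
        }'
}

# ssh_admitted < ruleset: "yes" if INPUT accepts tcp/22 before any
# unconditional deny, "no" otherwise (the classic remote lock-out).
ssh_admitted() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)( |$)/) denied = 1
            if (!denied && $0 ~ /--dport 22( |$)/ && $0 ~ / -j ACCEPT( |$)/) ok = 1
        }
        END { print (ok ? "yes" : "no") }'
}

for chain in INPUT FORWARD OUTPUT; do
    printf '%-8s policy=%s effective=%s\n' "$chain" \
        "$(printf '%s\n' "$SAMPLE_RULES" | chain_policy "$chain")" \
        "$(printf '%s\n' "$SAMPLE_RULES" | effective_mode "$chain")"
done
printf 'ssh admitted: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | ssh_admitted)"
```

Against a live host the input is `iptables-save` (or the saved file), for example `iptables-save | ssh_admitted`; running the check before `service iptables restart` or `iptables-restore` catches the case where a REJECT ended up in front of the SSH rule.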
© Copyright belongs to the author; contact the author for reprints or content cooperation.
Platform statement: the article (including any images or videos) was uploaded and published by the author and represents the author's own views; 簡(jiǎn)書 (Jianshu) is an information publishing platform that only provides storage.
