Configuring the firewall: iptables
The firewall reads the configured rules in order from top to bottom; as soon as it finds a matching rule it stops searching and carries out the action that rule defines (accept or reject). If it reaches the end of the rules without a match, it falls back to the chain's default policy. Broadly, there are two ways to write firewall policy: "open" (accept) and "block" (reject). When the default policy is deny (block), you must add allow rules, otherwise nothing can get in; when the default policy is allow, you must add deny rules, otherwise everything can get in and the firewall gives no protection at all. Because matching stops at the first hit, the position of a rule matters: the same rule inserted at the top of a chain (-I) and appended at the bottom (-A) can produce different results.
1. View the current rules: iptables -L
Without further options, iptables -L resolves addresses and ports to names (22 is shown as ssh, 12345 as italk) and hides the interface and counter columns. iptables -L -n -v --line-numbers shows numeric values, per-rule packet counters and the rule positions needed for -I and -D. The rules below are the ones libvirt adds on this host for its default NAT network (DNS and DHCP for 192.168.122.0/24 on virbr0).
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
2. Flush the rules: iptables -F
With no chain given, -F empties every chain of the filter table (and only the filter table). It does not reset the chain policies: if the INPUT policy is already DROP when you flush over SSH, the session is cut off, so set the policy to ACCEPT first. Here the policies are still ACCEPT, so flushing is harmless.
[root@linuxprobe ~]# iptables -F
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Deny (block) policy
3. Drop (silently ignore) inbound traffic: iptables -P INPUT DROP
DROP discards packets without any reply, so clients see a timeout rather than a refusal. Run this on a remote host only after the SSH allow rule from step 5 is in place; in the order shown here the session survives only because it is being run from the console.
[root@linuxprobe ~]# iptables -P INPUT DROP
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
4. Allow ping: iptables -I INPUT -p icmp -j ACCEPT
[root@linuxprobe ~]# iptables -I INPUT -p icmp -j ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
5. Allow SSH: iptables -I INPUT -p tcp --dport 22 -j ACCEPT
-I without a position number inserts at the top of the chain, which is why the SSH rule now appears above the ICMP rule.
[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
6. Delete a rule: iptables -D INPUT 1
-D with a number removes the rule at that position, and the remaining rules are renumbered, so running the command twice removes the first two rules. A rule can also be deleted by repeating its full specification, for example iptables -D INPUT -p icmp -j ACCEPT.
[root@linuxprobe ~]# iptables -D INPUT 1
[root@linuxprobe ~]# iptables -D INPUT 1
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
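Steps 3 to 6 above, taken together, are the usual way to build a deny-by-default INPUT chain, but typed one at a time over SSH the order in the text locks you out. The script below is an added example (not from the original page): it emits the same kind of rules in a lock-out-safe order (policy ACCEPT, flush, allow rules, then DROP last), checks the order before applying, and only touches the live firewall when explicitly asked. The SSH port, the management network 192.168.10.0/24 and the log prefix are assumptions; the conntrack ESTABLISHED,RELATED rule is added so that replies to outbound connections keep working once the policy is DROP.

```shell
#!/bin/sh
# Added example: build a deny-by-default INPUT chain without dropping the
# administrator's own SSH session. Values below are assumptions for the example.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"   # assumed management network

# Print the iptables commands, one per line, in the order they must run.
# The policy is opened first so the flush cannot kill the session, the allow
# rules are appended (-A, so they keep this order), and DROP comes last.
build_input_policy() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
iptables -P INPUT DROP
EOF
}

# Sanity check on the generated order: the DROP policy must be the very last
# command, and the SSH allow rule must precede it.
check_order() {
    rules=$(build_input_policy)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-P INPUT DROP" | cut -d: -f1)
    [ "$last" = "iptables -P INPUT DROP" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Dry run by default; change the live firewall only with --apply, as root,
# with iptables installed, and only if the generated order passed the check.
apply_input_policy() {
    if [ "$1" != "--apply" ]; then
        echo "dry run; pass --apply to change the live firewall" >&2
        build_input_policy
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    check_order || { echo "refusing to apply: bad rule order" >&2; return 1; }
    build_input_policy | sh -e
    iptables -L INPUT -n -v --line-numbers
}

apply_input_policy "$@"
```

Run it once without arguments to review the commands, then with --apply. The LOG rule sits just before the policy fallback so that every packet the DROP policy discards is recorded (rate-limited) in the kernel log, which is what you need when a service stops answering after the lockdown.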
Allow (open) policy
7. Allow inbound traffic: iptables -P INPUT ACCEPT
This changes the chain's default policy back to ACCEPT; it is not the same as adding an ACCEPT rule with -I, which would leave the DROP policy in place behind it.
[root@linuxprobe ~]# iptables -P INPUT ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
8. Reject access to a given port: iptables -I INPUT -p tcp --dport 12345 -j REJECT
iptables -I INPUT -p udp --dport 12345 -j REJECT
Unlike DROP, REJECT answers the sender; the default reply, shown in the output as reject-with icmp-port-unreachable, tells a client immediately that the port is closed. The listing shows port 12345 as italk because iptables -L maps ports to names from /etc/services; add -n to see the number.
[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@linuxprobe ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT udp -- anywhere anywhere udp dpt:italk reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:italk reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
9. Reject a given host's access to a given port: iptables -I INPUT -p tcp -s 192.168.10.1 --dport 80 -j REJECT
[root@linuxprobe ~]# iptables -I INPUT -p tcp -s 192.168.10.1 --dport 80 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.1 anywhere tcp dpt:http reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:italk reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:italk reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
10. Reject access to a port range (appended with -A, so evaluated last): iptables -A INPUT -p tcp --dport 80:9000 -j REJECT
iptables -A INPUT -p udp --dport 80:9000 -j REJECT
The range 80:9000 is shown as dpts:http:cslistener, again because of name resolution from /etc/services.
[root@linuxprobe ~]# iptables -A INPUT -p tcp --dport 80:9000 -j REJECT
[root@linuxprobe ~]# iptables -A INPUT -p udp --dport 80:9000 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.1 anywhere tcp dpt:http reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:italk reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:italk reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:http:cslistener reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:http:cslistener reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PS: look up a port number's service name: cat /etc/services | grep 9000
[root@linuxprobe ~]# cat /etc/services|grep 9000
cslistener 9000/tcp # CSlistener
cslistener 9000/udp # CSlistener
igrid 19000/tcp # iGrid Server
igrid 19000/udp # iGrid Server
matahari 49000/tcp # Matahari Broker
Saving the policy
11. Save the policy: iptables-save
iptables-save only prints the current ruleset of every table to standard output in a format that iptables-restore can load; nothing is persisted until that output is redirected to the file the system loads at boot (on RHEL/CentOS with the iptables-services package that is /etc/sysconfig/iptables, reloaded with iptables-restore < /etc/sysconfig/iptables). The last line of the output below, about the firewalld table, shows that firewalld is active on this host and manages its own rules through nftables; rules added by hand with iptables are not saved by firewalld.
[root@linuxprobe ~]# iptables-save
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*filter
:INPUT ACCEPT [10681:659438]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11333:684878]
-A INPUT -s 192.168.10.1/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80:9000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 80:9000 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*security
:INPUT ACCEPT [11303:681674]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11333:684878]
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*raw
:PREROUTING ACCEPT [11777:725439]
:OUTPUT ACCEPT [11333:684878]
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*mangle
:PREROUTING ACCEPT [11777:725439]
:INPUT ACCEPT [11777:725439]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11333:684878]
:POSTROUTING ACCEPT [11359:687922]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*nat
:PREROUTING ACCEPT [376:36401]
:INPUT ACCEPT [1:60]
:POSTROUTING ACCEPT [55:3779]
:OUTPUT ACCEPT [55:3779]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Table `firewalld' is incompatible, use 'nft' tool.
12. Save the policy (RHEL/CentOS 5, 6, 7): service iptables save
[root@linuxprobe ~]# service iptables save
On version 7 this command is provided by the iptables-services package and writes the running rules to /etc/sysconfig/iptables; it is not available on systems where firewalld is the active firewall manager.
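Saving is only half the job: the saved file must also be loadable, and the running rules drift from it whenever someone runs iptables by hand as in sections 8 to 10. The script below is an added example (not from the original page) that persists the ruleset safely and detects that drift. It assumes the RHEL/CentOS path /etc/sysconfig/iptables (override with SAVE_FILE) and uses iptables-restore --test to parse the file without loading it. The SAMPLE_DUMP text is a constructed, trimmed copy of the iptables-save output shown above, used so the table_rules helper can be exercised without root.

```shell
#!/bin/sh
# Added example: persist the ruleset and check the running rules against it.
# iptables-save writes to stdout; persistence means writing that output to
# the file loaded at boot. Path below is the RHEL/CentOS one (assumption).
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"

# Constructed sample in iptables-save format (counters zeroed, timestamps
# removed) mirroring the page's own dump. Used for offline demonstration.
SAMPLE_DUMP='# Generated by xtables-save v1.8.2
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.10.1/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80:9000 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
'

# Keep only the policy lines and -A rules of one table (default: filter),
# stripping the [packets:bytes] counters that change on every run, so two
# dumps can be compared. Reads an iptables-save dump on stdin.
table_rules() {
    awk -v want="*${1:-filter}" '
        /^\*/           { in_table = ($0 == want); next }
        /^COMMIT/       { in_table = 0; next }
        in_table && /^:/  { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print; next }
        in_table && /^-A/ { print }
    '
}

# Write the live ruleset to a temporary file, prove it parses, then move it
# into place; a half-written or corrupt file must never become the boot ruleset.
persist_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    iptables-save > "$SAVE_FILE.new" || return 1
    iptables-restore --test "$SAVE_FILE.new" || { rm -f "$SAVE_FILE.new"; return 1; }
    mv "$SAVE_FILE.new" "$SAVE_FILE"
    chmod 600 "$SAVE_FILE"
}

# Compare the running filter table with the saved file. Returns 0 when they
# match and 1 (with a unified diff on stdout) when the running rules drifted.
check_drift() {
    saved_tmp=$(mktemp) && running_tmp=$(mktemp) || return 1
    table_rules filter < "$SAVE_FILE" > "$saved_tmp"
    iptables-save | table_rules filter > "$running_tmp"
    if diff -u "$saved_tmp" "$running_tmp"; then
        echo "running filter table matches $SAVE_FILE"
        rc=0
    else
        echo "DRIFT: running filter table differs from $SAVE_FILE" >&2
        rc=1
    fi
    rm -f "$saved_tmp" "$running_tmp"
    return $rc
}

case "$1" in
    persist) persist_rules ;;
    check)   check_drift ;;
    *)       printf '%s' "$SAMPLE_DUMP" | table_rules filter ;;
esac
```

Run with persist after every deliberate change and with check from cron or a monitoring job; a non-zero exit from check means someone changed the live rules without saving them, or the saved file was edited without being loaded.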