2021-07-10 Linux study notes: networking (3), configuring the firewall with iptables

Configuring the firewall with iptables

The firewall reads the configured policy rules in order from top to bottom; as soon as a matching rule is found, matching stops and the action defined by that rule (allow or block) is carried out. If no rule matches after all the policy rules have been read, the default policy is applied. Broadly speaking, firewall policy rules are of two kinds: "allow" (pass the traffic) and "block" (stop the traffic). When the firewall's default policy is deny (block), you must add allow rules, otherwise nobody can get in; when the default policy is allow, you must add deny rules, otherwise anyone can get in and the firewall no longer provides any protection.

1. View the current rules: iptables -L

[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

2. Flush all rules: iptables -F

[root@linuxprobe ~]# iptables -F
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Block policy (default deny)

3. Drop (silently ignore) incoming traffic: iptables -P INPUT DROP

[root@linuxprobe ~]# iptables -P INPUT DROP
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

4. Allow ping: iptables -I INPUT -p icmp -j ACCEPT

[root@linuxprobe ~]# iptables -I INPUT -p icmp -j ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

5. Allow ssh: iptables -I INPUT -p tcp --dport 22 -j ACCEPT

[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

6. Delete rules by number: iptables -D INPUT 1 (after the first deletion the remaining rule becomes number 1, so the command is run twice)

[root@linuxprobe ~]# iptables -D INPUT 1
[root@linuxprobe ~]# iptables -D INPUT 1
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

Allow policy (default accept)

7. Allow incoming traffic (default policy back to ACCEPT): iptables -P INPUT ACCEPT

[root@linuxprobe ~]# iptables -P INPUT ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

8. Reject access to a specified port: iptables -I INPUT -p tcp --dport 12345 -j REJECT
                                      iptables -I INPUT -p udp --dport 12345 -j REJECT

[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@linuxprobe ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

9. Reject a specified host's access to a specified port: iptables -I INPUT -p tcp -s 192.168.10.1 --dport 80 -j REJECT

[root@linuxprobe ~]# iptables -I INPUT -p tcp -s 192.168.10.1 --dport 80 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  192.168.10.1         anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

10. Reject access to a specified port range (added with -A, so the rules go to the end of the chain and have the lowest priority):
                                      iptables -A INPUT -p tcp --dport 80:9000 -j REJECT
                                      iptables -A INPUT -p udp --dport 80:9000 -j REJECT

[root@linuxprobe ~]# iptables -A INPUT -p tcp --dport 80:9000 -j REJECT
[root@linuxprobe ~]# iptables -A INPUT -p udp --dport 80:9000 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  192.168.10.1         anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpts:http:cslistener reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpts:http:cslistener reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
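The top-down, first-match evaluation described at the start of this page, and the difference between -I and -A seen in sections 8 to 10, as an added example (not iptables itself and not the author's code): a small Python model of the INPUT chain, with constructed packets, showing that an ACCEPT appended after the REJECT range never fires, while the same rule inserted with -I does.

```python
# Added example (not iptables itself): a model of the first-match evaluation
# this page describes, to check the effect of -I, -A, -D <num> and -P offline.
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP or REJECT
    proto: str = None            # None matches any protocol
    src: str = None              # None matches "anywhere"
    dports: tuple = None         # inclusive (low, high); None matches any port
    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and pkt.get("src") != self.src:
            return False
        if self.dports and not self.dports[0] <= pkt.get("dport", -1) <= self.dports[1]:
            return False
        return True

@dataclass
class Chain:
    policy: str = "ACCEPT"       # iptables -P INPUT <policy>
    rules: list = field(default_factory=list)
    def insert(self, rule):      # iptables -I INPUT ...: becomes rule 1, checked first
        self.rules.insert(0, rule)
    def append(self, rule):      # iptables -A INPUT ...: goes last, checked last
        self.rules.append(rule)
    def delete(self, num):       # iptables -D INPUT <num>, 1-based like iptables
        del self.rules[num - 1]
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:  # top-down; the first match ends the search
            if rule.matches(pkt):
                return rule.target
        return self.policy       # no rule matched: the default policy decides

def page_chain() -> Chain:       # the INPUT chain as it stands after sections 7 to 10
    c = Chain(policy="ACCEPT")
    c.insert(Rule("REJECT", "tcp", dports=(12345, 12345)))               # section 8
    c.insert(Rule("REJECT", "udp", dports=(12345, 12345)))
    c.insert(Rule("REJECT", "tcp", src="192.168.10.1", dports=(80, 80)))  # section 9
    c.append(Rule("REJECT", "tcp", dports=(80, 9000)))                   # section 10 (-A)
    c.append(Rule("REJECT", "udp", dports=(80, 9000)))
    return c

def allow_8080(use_insert: bool) -> str:
    """Add an ACCEPT for tcp/8080; only -I places it above the appended REJECT range."""
    c = page_chain()
    (c.insert if use_insert else c.append)(Rule("ACCEPT", "tcp", dports=(8080, 8080)))
    return c.verdict({"proto": "tcp", "src": "10.0.0.5", "dport": 8080})  # constructed packet
```

The same classes reproduce sections 3 to 6: a Chain with policy "DROP" plus inserted icmp and tcp/22 rules accepts only those, and after two delete(1) calls everything falls through to DROP.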

PS: to look up which service name a port number maps to (the names shown in the iptables -L output): cat /etc/services|grep 9000

[root@linuxprobe ~]# cat /etc/services|grep 9000
cslistener      9000/tcp                # CSlistener
cslistener      9000/udp                # CSlistener
igrid           19000/tcp               # iGrid Server
igrid           19000/udp               # iGrid Server
matahari        49000/tcp               # Matahari Broker

Saving the policy

11. Save the policy: iptables-save

[root@linuxprobe ~]# iptables-save
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*filter
:INPUT ACCEPT [10681:659438]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11333:684878]
-A INPUT -s 192.168.10.1/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80:9000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 80:9000 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*security
:INPUT ACCEPT [11303:681674]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11333:684878]
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*raw
:PREROUTING ACCEPT [11777:725439]
:OUTPUT ACCEPT [11333:684878]
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*mangle
:PREROUTING ACCEPT [11777:725439]
:INPUT ACCEPT [11777:725439]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11333:684878]
:POSTROUTING ACCEPT [11359:687922]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Generated by xtables-save v1.8.2 on Sat Jul 10 16:45:25 2021
*nat
:PREROUTING ACCEPT [376:36401]
:INPUT ACCEPT [1:60]
:POSTROUTING ACCEPT [55:3779]
:OUTPUT ACCEPT [55:3779]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jul 10 16:45:25 2021
# Table `firewalld' is incompatible, use 'nft' tool.

12. Save the policy (versions 5/6/7): service iptables save

[root@linuxprobe ~]# service iptables save
