iptables, the firewall policy management tool in Linux


Firewall: a service that filters traffic between the internal network and the external network

 

 

1. Commonly used iptables command parameters

 

 

 

2. View the existing firewall rule chains

[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

 

3. Flush the existing firewall rule chains

[root@PC1 ~]# iptables -F
[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

 

4. Set the INPUT chain's default policy to deny

[root@PC1 ~]# iptables -L | head
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
[root@PC1 ~]# iptables -P INPUT DROP    ## (the default deny action of a chain policy can only be DROP; REJECT cannot be given here)
[root@PC1 ~]# iptables -L | head
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)

 

5. Add a rule to the INPUT chain that allows ICMP traffic

[root@PC1 ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe66:37f7  prefixlen 64  scopeid 0x20<link>
[root@PC1 ~]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
## The above is a test: ping uses ICMP, and since ping currently fails, ICMP traffic is not allowed through
[root@PC1 ~]# iptables -L    ## list the current rule chains
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination
[root@PC1 ~]# iptables -I INPUT -p icmp -j ACCEPT   ## allow ICMP traffic
[root@PC1 ~]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.043 ms

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.031/0.035/0.043/0.008 ms
[root@PC1 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

 

6. Delete the rule allowing ICMP traffic

[root@PC1 ~]# iptables -D INPUT 1
[root@PC1 ~]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
[root@PC1 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

 

7. Set the default policy back to allow

[root@PC1 ~]# iptables -P INPUT ACCEPT
[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

 

8. Set the INPUT chain to allow only hosts in a specified subnet to access port 22 on this host, and reject all other hosts' traffic to it

[root@PC1 ~]# iptables -I INPUT -s 192.168.20.0/24 -p tcp --dport 22 -j ACCEPT
[root@PC1 ~]# iptables -A INPUT -p tcp --dport 22 -j REJECT
[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.20.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

[root@PC2 ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe25:bb3e  prefixlen 64  scopeid 0x20<link>
[root@PC2 ~]# ssh 192.168.10.10
ssh: connect to host 192.168.10.10 port 22: Connection refused

 

9. Add rules to the INPUT chain that reject everyone's access to port 12345 on this host

[root@PC1 ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@PC1 ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT
[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.20.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

 

10. Add a rule to the INPUT chain that rejects host 192.168.10.5 from accessing port 80 (the web service) on this host

[root@PC1 ~]# iptables -I INPUT -p tcp -s 192.168.10.5 --dport 80 -j REJECT
[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.10.5         anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.20.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination

 

11. Add rules to the INPUT chain that reject all hosts from accessing ports 1000 to 1024 on this host

[root@PC1 ~]# iptables -I INPUT -p tcp --dport 1000:1024 -j REJECT
[root@PC1 ~]# iptables -I INPUT -p udp --dport 1000:1024 -j REJECT
[root@PC1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp dpts:cadlock2:1024 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpts:cadlock2:1024 reject-with icmp-port-unreachable
REJECT     tcp  --  192.168.10.5         anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.20.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination
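
As an added example that is not part of the original post, the following Python model replays the INPUT-chain commands of sections 8 to 11, shows how first-match evaluation with `-I` (insert at the top) versus `-A` (append at the bottom) decides why PC2 at 192.168.10.20 is refused while a host in 192.168.20.0/24 is accepted, and flags rules that an earlier rule makes unreachable. The `Rule` and `InputChain` classes, the sample packets and the misordered counter-example chain are constructed for illustration and are not iptables' own code.

```python
# Added example, not from the original post: a toy model of the INPUT chain built in sections 8 to 11.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                     # ACCEPT, REJECT or DROP (-j)
    proto: Optional[str] = None     # "tcp", "udp", "icmp" (-p); None matches any protocol
    src: Optional[str] = None       # source CIDR (-s); None means "anywhere"
    dports: Optional[range] = None  # destination ports (--dport a:b); None means any port
    def matches(self, proto: str, src: str, dport: Optional[int]) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dports is not None and (dport is None or dport not in self.dports):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.src is not None and (other.src is None or
                not ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))):
            return False
        if self.dports is not None and (other.dports is None or
                other.dports.start < self.dports.start or other.dports.stop > self.dports.stop):
            return False
        return True

class InputChain:
    """Rules are checked top to bottom, first match wins; the -P policy applies if none matches."""
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy            # iptables -P INPUT <policy>
        self.rules: List[Rule] = []
    def insert(self, rule: Rule) -> None:  # iptables -I INPUT ...: the new rule goes to the top
        self.rules.insert(0, rule)
    def append(self, rule: Rule) -> None:  # iptables -A INPUT ...: the new rule goes to the bottom
        self.rules.append(rule)
    def verdict(self, proto: str, src: str, dport: Optional[int] = None) -> str:
        for rule in self.rules:
            if rule.matches(proto, src, dport):
                return rule.target
        return self.policy

    def shadowed(self) -> List[int]:
        """Indices of rules that can never fire because an earlier rule already covers them."""
        return [j for j in range(len(self.rules))
                if any(self.rules[i].covers(self.rules[j]) for i in range(j))]

def build_page_chain() -> InputChain:
    """Replays the commands of sections 8 to 11 in the order the post runs them."""
    c = InputChain("ACCEPT")
    c.insert(Rule("ACCEPT", "tcp", "192.168.20.0/24", range(22, 23)))  # sec. 8: -I ... -s 192.168.20.0/24 --dport 22
    c.append(Rule("REJECT", "tcp", None, range(22, 23)))               # sec. 8: -A ... --dport 22 -j REJECT
    c.insert(Rule("REJECT", "tcp", None, range(12345, 12346)))         # sec. 9
    c.insert(Rule("REJECT", "udp", None, range(12345, 12346)))
    c.insert(Rule("REJECT", "tcp", "192.168.10.5", range(80, 81)))     # sec. 10
    c.insert(Rule("REJECT", "tcp", None, range(1000, 1025)))           # sec. 11: --dport 1000:1024
    c.insert(Rule("REJECT", "udp", None, range(1000, 1025)))
    return c

def build_misordered_chain() -> InputChain:
    """Constructed counter-example: both SSH rules added with -I, so the REJECT lands above the ACCEPT."""
    c = InputChain("ACCEPT")
    c.insert(Rule("ACCEPT", "tcp", "192.168.20.0/24", range(22, 23)))
    c.insert(Rule("REJECT", "tcp", None, range(22, 23)))
    return c
```

`build_page_chain().verdict("tcp", "192.168.10.20", 22)` returns REJECT, matching the "Connection refused" PC2 sees in section 8, while `build_misordered_chain().shadowed()` returns `[1]`: the ACCEPT for 192.168.20.0/24 would never fire if the REJECT had also been inserted with `-I`.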

 

12. Save all settings so they remain in effect after a reboot

[root@PC1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

 

