Linux iptables
iptables:
  Firewall: an isolation tool that works at the edge of a host or network. Packets entering or leaving the host or network are checked against rules defined in advance; when a rule matches, its action is taken (accept, forward, drop, etc.); when it does not match, the next rule is tried, and when none match the default policy applies. Firewalls are generally used to protect an internal network.
    Works in kernel space.
    Classification:
      Host firewall
      Network firewall
        Hardware firewall
        Software firewall
    Once a packet enters the host it can go one of two ways: either it is destined for this host and is handed to the application listening on the port, or it is destined for another host and is forwarded through this one to reach it (which requires forwarding to be enabled on the host). A packet leaving the host goes from user space into the kernel's TCP/IP stack, is matched against the routing table and is sent out through one of the host's network interfaces.
      Because a packet is either entering, leaving or being forwarded, the firewall is placed before and after each of these actions: checkpoints (hook functions) are set along the path every packet must travel, and packets are filtered there.
        For example, which packets to filter before they enter, before they are sent, and before they are forwarded.
  iptables/netfilter
    framework: netfilter, the filtering framework in the kernel; it provides the hook functions.
    We know a firewall filters packets and blocks the ones we do not want, but how is the filtering done? The firewall sets rules at points every packet must pass through and filters packets against them. The tool that sets those rules is iptables, which lives in user space.
    Rules set with iptables are handed to the kernel and take effect immediately, but they are not stored persistently and are gone after a reboot, so the rules are normally re-created at boot by running a script (configuration file). Although it is called the firewall service nowadays, it is not really a service: it runs no process, and each time the rules are regenerated from the configuration file.
  Functions:
    filter: filtering; this function is the reason it is called a firewall.
    nat: network address translation, used to build a NAT server.
    mangle: unpack, modify and repack packets.
    raw: turns off the connection tracking that the nat table enables.
      Connection tracking can recognise that a packet belongs to a connection seen before.
  Chains (built-in): (hook functions)
    PREROUTING: the chain matched before routing
    INPUT: the chain matched for packets entering the host
    FORWARD: the forwarding chain
    OUTPUT: the chain matched for packets sent by the host
    POSTROUTING: the chain matched after routing
      These are the five rule chains defined by netfilter; any packet that passes through this host must traverse at least one of them. iptables has 4 tables and 5 chains. Tables are distinguished by the operation performed on the packet and chains by the hook point; tables and chains are the two dimensions of netfilter.
      They act as inspection stations at the different checkpoints, checking packets as they enter, leave or are forwarded.
  Inbound: PREROUTING --> INPUT
  Outbound: OUTPUT --> POSTROUTING
  Forwarded: PREROUTING --> FORWARD --> POSTROUTING
  Which chains implement each function:
    filter: INPUT, FORWARD, OUTPUT
    nat: PREROUTING (DNAT), OUTPUT, POSTROUTING (SNAT)
    mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
    raw: PREROUTING, OUTPUT
  When routing decisions are made:
    After a packet enters the host:
      determine the destination host;
    Before a packet is sent:
      determine which interface sends it to the next hop;
  iptables: four tables, five chains
    Things to consider when adding a rule:
      Which function it implements: decides which table it goes in;
      Which path the packet takes: decides which chain it goes in;
    Chains: rules on a chain are checked in order, which implies a few guidelines;
      For rules of the same kind (access to the same application), put the one with the narrower match first;
      For rules of different kinds (access to different applications), put the one that matches packets most often first;
      Merge rules that a single rule can describe;
      Set a default policy
    Priority order of the functions: raw --> mangle --> nat --> filter
  Rules:
    Components: the match conditions for a packet, and the action taken once it matches
      Match conditions: based on the characteristics of the protocol packet
        Basic match conditions: source IP, destination IP, source port, destination port, etc.
        Extended match conditions: for example connection tracking;
      Actions:
        Built-in actions
        User-defined actions
      Note: packets do not traverse a custom chain by themselves; it only takes effect when a rule on a built-in chain refers to it;
  iptables: the rule management tool
    Add, modify, delete, list and show rules;
    Rules and chains have counters:
      pkts: the number of packets matched by the rule or chain;
      bytes: the total size of all packets matched by the rule or chain;
    The iptables command:
      iptables [-t table] {-A|-C|-D} chain rule-specification
      ip6tables [-t table] {-A|-C|-D} chain rule-specification
      iptables [-t table] -I chain [rulenum] rule-specification
      iptables [-t table] -R chain rulenum rule-specification
      iptables [-t table] -D chain rulenum
      iptables [-t table] -S [chain [rulenum]]
      iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
      iptables [-t table] -N chain
      iptables [-t table] -X [chain]
      iptables [-t table] -P chain target
      iptables [-t table] -E old-chain-name new-chain-name
      iptables [-t table] SUBCOMMAND CHAIN CRITERIA -j TARGET
        table: the table name
          filter
          nat
          mangle
          raw
        SUBCOMMAND: the option selecting the operation
          Chain management:
            -F: flush; with the chain name omitted, clears the rules on every chain of the given table (default: filter)
            -N new_chainname: create a new custom chain
            -X: delete an empty user-defined chain
            -Z: zero the rule counters
            -P: set the chain's default policy, normally ACCEPT, DROP or REJECT
            -E: rename a custom chain
          Rule management:
            -A: append the new rule at the end of the given chain
            -I: insert the new rule at the given position in the given chain
            -D: delete the given rule from the given chain
              Two ways to name it:
                by its match conditions
                by its rule number
            -R: replace the given rule on the given chain
          Listing:
            -L: --list, list the rules on the given chain
              -n: show addresses and port numbers numerically
              -v: verbose output
                -vv, -vvv
              --line-numbers: show rule numbers
              -x: show exact counter values
        CHAIN: the chain name
          PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
        CRITERIA: match criteria
          Basic matches:
            [!] -s, --source IP_address/Network: check whether the packet's source IP falls within the given range; "!" negates the match;
            [!] -d, --destination IP_address/Network: check whether the packet's destination address falls within the given range;
            -p, --protocol {tcp|udp|icmp}: check the packet's protocol;
            -i, --in-interface IFACE: the interface the packet arrived on; only valid on the PREROUTING, FORWARD and INPUT chains;
            -o, --out-interface IFACE: the interface the packet leaves through; only valid on the POSTROUTING, FORWARD and OUTPUT chains;
          Extended matches: -m match_name --spec_options
            For example: -m tcp --dport 80
            Implicit extensions: for the protocol named with -p, the extension of the same name can be used without -m;
              -p tcp
                --sport PORT_NUM: source port
                --dport PORT_NUM: destination port
                --tcp-flags LIST1 LIST2: examine the flags named in LIST1; those also named in LIST2 must be set and the remaining flags of LIST1 must be clear; flags not in LIST1 are not checked;
                  SYN, ACK, FIN, RST, PSH, URG
                --syn: check whether this is the first request of a TCP connection;
              -p udp
                --sport PORT_NUM: source port
                --dport PORT_NUM: destination port
              -p icmp
                --icmp-type NUM: ICMP type;
                  0: echo-reply, the reply type
                  8: echo-request, the type sent by ping
                  pinging another host sends type 8; the reply received is type 0
            Explicit extensions: the extension module must be named with -m (list them with rpm -ql iptables | grep "\.so");
              Help:
                CentOS 6: man iptables
                CentOS 7: man iptables-extensions
              Extension modules:
                multiport extension: match several discrete ports; at most 15 ports can be given;
                  [!] --source-ports, --sports port[,port|,port:port]...: several source ports;
                  [!] --destination-ports, --dports port[,port|,port:port]...: several destination ports;
                  [!] --ports port[,port|,port:port]...: several ports, regardless of source or destination;
                  Examples:
                    ~]#iptables -A INPUT -s 192.168.10.0/24 -d 172.16.10.0/24 -p tcp -m multiport --dports 22,80 -j ACCEPT
                    ~]#iptables -A OUTPUT -s 172.16.10.0/24 -d 192.168.10.0/24 -p tcp -m multiport --sports 22,80 -j ACCEPT
                iprange extension: a contiguous range of IP addresses (one that generally cannot be written as a whole network);
                  [!] --src-range from[-to]: a contiguous range of source addresses;
                  [!] --dst-range from[-to]: a contiguous range of destination addresses;
                  Examples:
                    ~]#iptables -A INPUT -d 172.16.10.0/24 -p tcp -m multiport --dports 22:24,80 -m iprange --src-range 192.168.10.1-192.168.10.100 -j ACCEPT
                    ~]#iptables -A OUTPUT -s 172.16.10.0/24 -p tcp -m multiport --sports 22:24,80 -m iprange --dst-range 192.168.10.1-192.168.10.100 -j ACCEPT
                string extension: check for a string appearing in the packet;
                  --algo {bm|kmp}
                    bm = Boyer-Moore
                    kmp = Knuth-Morris-Pratt
                  [!] --string pattern
                  Example:
                    iptables -A OUTPUT -m string --algo bm --string 'movie' -j ACCEPT
                time extension: match the packet's arrival time against a given time range;
                  --datestart: year, month and day
                  --datestop
                  --timestart: hour, minute and second
                  --timestop
                  --monthdays: given days of the month
                  --weekdays: given days of the week
                connlimit extension: match on the number of concurrent connections from each client IP (or address block);
                  --connlimit-above n: more than n connections;
                  --connlimit-upto n: n connections or fewer;
                limit extension: check based on the rate at which packets are sent or received;
                  token bucket filter:
                  --limit rate[/second|/minute|/hour|/day]  rate: the number allowed per unit of time, for example 30/minute
                  --limit-burst number
                state extension: check the connection state using the connection tracking mechanism;
                  Adjust the maximum number of connections the tracking table can hold:
                    /proc/sys/net/nf_conntrack_max
                  Connections already tracked and recorded:
                    /proc/net/nf_conntrack
                  Trackable connection states:
                    NEW: a newly issued request; the tracking table holds no entry for this connection, so it is treated as the first request;
                    ESTABLISHED: the state of traffic after NEW, until the entry created for the connection in the tracking table expires;
                    RELATED: a related connection, e.g. the relationship between the FTP command connection and its data connection;
                    INVALID: a connection that cannot be identified;
                  --state STATE1,STATE2,...
                  Note: once the number of tracked connections reaches the maximum, entries are only removed from the table when a connection hits the timeout for its state;
                  There are generally two remedies:
                    1. Raise ip_conntrack_max
                      vim /etc/sysctl.conf
                        net.ipv4.ip_conntrack_max=393665
                        net.ipv4.netfilter.ip_conntrack_max=393665
                    2. Lower the ip_conntrack timeouts
                      vim /etc/sysctl.conf
                        net.netfilter.nf_conntrack_tcp_timeout_established=300
                        net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
                        net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
                        net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
        TARGET: the action
          -j TARGET: jump to the given target
            ACCEPT: accept
            DROP: drop
            REJECT: reject
            RETURN: return to the calling chain
            REDIRECT: port redirection
            LOG: write a log entry
            MARK: set a firewall mark
            DNAT: destination address translation
            SNAT: source address translation
            MASQUERADE: address masquerading
            custom chain: the packet is checked against the rules on the custom chain
            ...
        In short: with the iptables tool, on some chain of some table, rules are set whose options describe the match criteria, and a packet that matches gets the corresponding action;
        Question: how do you open passive-mode FTP?
          An explanation of the FTP modes: https://www.cnblogs.com/ajianbeyourself/p/7655464.html
          Because FTP listens on two ports, using RELATED saves a lot of trouble: it works out by itself how the inbound and outbound traffic on the FTP ports is related;
          1. Load the dedicated module for RELATED tracking: /lib/modules/$(uname -r)/kernel/net/netfilter/nf_conntrack_ftp.ko
            ~]#modprobe nf_conntrack_ftp    (modprobe takes the module name; insmod is the tool that takes a file path)
          2. Allow the request packets:
            Command connection: NEW, ESTABLISHED
            Data connection: RELATED, ESTABLISHED
              RELATED only applies when the connection is first being set up;
            Examples:
              ~]#iptables -A INPUT -d LocalIP -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
              ~]#iptables -A INPUT -d LocalIP -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
          3. Allow the response packets:
            ESTABLISHED
            Example:
              ~]#iptables -A OUTPUT -s LocalIP -p tcp -m state --state ESTABLISHED -j ACCEPT
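The rule-ordering guidelines, the default policy, the multiport/iprange/connlimit/limit/state matches and the passive-FTP steps above, combined into one host firewall as an added example (not code from the original notes): it emits the ruleset in iptables-save format so it can be loaded atomically with iptables-restore. The host address 172.16.10.5 and the admin range are constructed values; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds a host firewall in
# iptables-save format; run with "apply" to load it via iptables-restore,
# without arguments it only prints the ruleset (dry run).
# Constructed values: the host address and the admin address range.
LOCAL_IP="${LOCAL_IP:-172.16.10.5}"
ADMIN_RANGE="${ADMIN_RANGE:-192.168.10.1-192.168.10.100}"

# The chain is read top to bottom, so rules are ordered as the notes advise:
# the ESTABLISHED,RELATED rule (hit by most packets) first, then the narrow
# NEW-connection rules, and a DROP default policy for everything else.
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT --reject-with tcp-reset
-A INPUT -d $LOCAL_IP -p tcp -m multiport --dports 22,80 -m iprange --src-range $ADMIN_RANGE -m state --state NEW -j ACCEPT
-A INPUT -d $LOCAL_IP -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 30/minute --limit-burst 10 -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-INPUT-DROP: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Step 1 of the notes: with the FTP helper loaded, the passive-mode data
# connection is classified RELATED and accepted by the rule above.
load_ftp_helper() {
    modprobe nf_conntrack_ftp
}

apply_rules() {
    load_ftp_helper
    build_filter_rules | iptables-restore      # atomic: all rules or none
    iptables-save > /etc/sysconfig/iptables    # persist (CentOS 6 layout)
}

# 1-based line of the first rule matching a pattern in the generated ruleset,
# so ordering can be checked before anything is loaded into the kernel.
rule_position() {
    build_filter_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_filter_rules
fi
```

Outbound connections the host itself initiates need their own NEW rule on OUTPUT; the ruleset above only answers, as in the notes' step 3.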
        How to save and reload rules:
          Save the rules to a file:
            iptables-save > /PATH/TO/SOMEFILE
          Reload the rules from a file:
            iptables-restore < /PATH/TO/SOMEFILE
          CentOS 6:
            service iptables save  <==>  iptables-save > /etc/sysconfig/iptables
            service iptables restart  <==>  iptables-restore < /etc/sysconfig/iptables
          CentOS 7: introduces a new front-end management tool for iptables, firewalld
            firewall-cmd: command-line tool
            firewall-config: graphical tool
            An article about firewalld: http://www.ibm.com/developerworks/cn/linux/1507_caojh/index.html
        NAT: Network Address Translation. It lets hosts with private addresses reach servers on the public network (SNAT), exposes internal servers to the public network (DNAT), and also hides internal addresses, which adds security; it works at the network and transport layers, in kernel space;
        Proxy: works at the application layer, in user space;
          The nat table:
            PREROUTING (DNAT): translate first, then route
              When an internal server is offered to external clients, the rules set in advance first decide whether translation is needed; if so, the public IP the external host is accessing is rewritten to the private IP of the internal server, the translation is recorded, and the packet is sent on to the internal server;
              When the internal server sends its reply, NAT uses the recorded information to translate the address back;
                iptables -t nat -A PREROUTING -d ExtIP -p udp|tcp --dport PORT_NUM -j DNAT --to-destination InterserverIp[:PORT_NUM]
            Example: iptables -t nat -A PREROUTING -d 111.222.33.44 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.20
            OUTPUT
            POSTROUTING (SNAT): route first, then translate
              When an internal host accesses an external server, its private source IP is first rewritten to the public IP configured in advance for reaching the outside, the translation is recorded, and the server is then accessed;
              When the server sends its reply, NAT uses the recorded information to translate the address back;
                iptables -t nat -A POSTROUTING -s LocalIp ! -d LocalIp -j SNAT --to-source Extip
                iptables -t nat -A POSTROUTING -s LocalIp ! -d LocalIp -j MASQUERADE
                MASQUERADE: used when the external address being translated to is not fixed, for example ADSL dial-up;
            Example: iptables -t nat -A POSTROUTING -s 192.168.10.20 ! -d 192.168.10.20 -j SNAT --to-source 111.222.33.44
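The DNAT and SNAT/MASQUERADE rules above as a complete NAT router ruleset, an added example that is not from the original notes. It also adds what the notes leave implicit: the kernel must have forwarding enabled, and the FORWARD chain must let the translated traffic through. The public address 111.222.33.44 and server 192.168.10.20 come from the notes' examples; the interface name eth0 and the LAN 192.168.10.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes. Emits nat and filter rules
# for a NAT router in iptables-save format. Assumed values: public address
# 111.222.33.44 on eth0, internal web server 192.168.10.20 in 192.168.10.0/24.
EXT_IP="${EXT_IP:-111.222.33.44}"
EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
WEB_SRV="${WEB_SRV:-192.168.10.20}"

# $1 = "snat" for a fixed public address, "masq" when it is dynamic (ADSL).
# DNAT is done in PREROUTING (before routing), SNAT in POSTROUTING (after).
# FORWARD sees the packet after DNAT, so it filters on the private address.
# The router's own INPUT chain is left at ACCEPT to keep the example to NAT.
build_nat_rules() {
    case "$1" in
        snat) out="-j SNAT --to-source $EXT_IP" ;;
        masq) out="-j MASQUERADE" ;;
        *) echo "usage: build_nat_rules snat|masq" >&2; return 2 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination ${WEB_SRV}:80
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $EXT_IF $out
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $EXT_IF -m state --state NEW -j ACCEPT
-A FORWARD -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# NAT only rewrites addresses; the kernel must also be allowed to forward.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Number of rules (lines starting with -A) in the generated ruleset.
rule_count() {
    build_nat_rules "$1" | grep -c '^-A '
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    build_nat_rules "${2:-snat}" | iptables-restore
else
    build_nat_rules "${1:-snat}"     # dry run: print only
fi
```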
          proxy:
            A proxy works at the application layer, so it unpacks the packet to see which protocol it carries and then proxies it according to that protocol; access control can therefore be done on the proxy, which adds security. In general, a protocol can only be proxied by application software built for that protocol;
        tcp_wrapper: TCP wrappers
          An access-control layer for applications that are built on TCP and provide a service;
          Implemented through library calls: the libwrap library
          To determine whether a service can be access-controlled by tcp_wrapper:
            1. Dynamically linked: the ldd command
              Run ldd $(which command) | grep "libwrap" to see whether the libwrap library is used;
            2. Statically linked: run the strings command on the program file and check whether the output contains
              hosts.allow
              hosts.deny
          Access control is implemented by defining rules for each service in the configuration files:
            /etc/hosts.allow
            /etc/hosts.deny
            Configuration file syntax:
              daemon_list:client_list [:options]
                daemon_list:
                  the program's file name, not the service name;
                  a list of program file names separated by ",";
                    for example: sshd,vsftpd
                      ALL means all services;
              client_list:
                IP address
                host name
                network address: the mask must be written in full dotted form, not as a prefix length
                  short-form network address: for example 172.16. means 172.16.0.0/255.255.255.0;
                ALL: all hosts
                KNOWN: all hosts whose host name can be resolved;
                UNKNOWN: all hosts whose host name cannot be resolved;
                PARANOID: hosts whose forward and reverse name lookups do not match;
              EXCEPT: except;
                hosts.allow
                  vsftpd:172.16. EXCEPT 172.16.100.0/255.255.255.0 EXCEPT 172.16.100.1
                    allows hosts in the 172.16. range, denies the 172.16.100.0 network, but makes an exception for the address 172.16.100.1 within 172.16.100.0;
              [:options]
                deny: refuse; used in the hosts.allow file to get deny behaviour;
                allow: permit; used in the hosts.deny file to get allow behaviour;
                spawn: start an additional program;
                  vsftpd:ALL:spawn /bin/echo `date` login attempt from %c %s, %d >> /var/log/vsftpd.deny.log
                    appends a timestamped record of the vsftpd access to the given file;
                    %c: client ip
                    %s: server ip
                    %d: daemon ip
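The two libwrap checks and the client_list syntax above (including the EXCEPT example), as an added example that is not part of the original notes: a POSIX shell evaluator that tells you whether a given client address would match a hosts.allow/hosts.deny client_list before the rule is deployed. It handles ALL, exact IPs, dotted prefixes such as 172.16., net/mask in full dotted form and nested EXCEPT; host names and KNOWN/UNKNOWN/PARANOID are left out, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes. (1) the notes' two checks for
# whether a program honours hosts.allow/hosts.deny, (2) an evaluator for the
# client_list syntax so a rule can be tested against an address offline.

# Prints "dynamic", "static" or "none" for the program file given as $1.
libwrap_support() {
    if ldd "$1" 2>/dev/null | grep -q libwrap; then
        echo dynamic
    elif grep -a -q -e hosts.allow -e hosts.deny "$1"; then
        echo static     # grep -a stands in for strings(1), which may be absent
    else
        echo none
    fi
}

# Dotted IPv4 address -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = client address, $2 = network address, $3 = mask in full dotted form
ip_in_net() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq $(( $(ip_to_int "$2") & $(ip_to_int "$3") )) ]
}

# Does the single pattern $1 match client IP $2?
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        */*) ip_in_net "$2" "${1%/*}" "${1#*/}" ;;               # net/mask
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # "172.16."
        *)   [ "$1" = "$2" ] ;;                                    # exact IP
    esac
}

# Does client_list $1 match client IP $2? "A EXCEPT B EXCEPT C" is read as
# A EXCEPT (B EXCEPT C), which is how hosts_access(5) defines it.
match_client_list() {
    case "$1" in
        *" EXCEPT "*)
            match_client_list "${1%% EXCEPT *}" "$2" || return 1
            match_client_list "${1#* EXCEPT }" "$2" && return 1
            return 0 ;;
        *)
            for p in $(printf '%s' "$1" | tr ',' ' '); do
                match_pattern "$p" "$2" && return 0
            done
            return 1 ;;
    esac
}
```

Calling `match_client_list '172.16. EXCEPT 172.16.100.0/255.255.255.0 EXCEPT 172.16.100.1' 172.16.100.1` succeeds while the same list rejects 172.16.100.7, which is exactly the reading the notes give for that rule.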
Note: study notes taken from Ma Ge's (馬哥) video course; corrections are welcome; will be taken down on request.
Reposted from: https://www.cnblogs.com/guowei-Linux/p/11072885.html