1. Detailed syntax

iptables [-t table] <-A|-I|-D|-R> chain [rule-number] [-i|-o interface] [-p protocol] [-s source-ip|source-subnet] [--sport source-port] [-d destination-ip|destination-subnet] [--dport destination-port] <-j target>

Viewing and clearing rules

iptables [-t table] [-L] [-nv] [chain]

-t: followed by the table name; if this option is omitted, the filter table is used

-L: list the rules of the current table

-n: do not reverse-resolve IP addresses into hostnames

-v: list more detail, including the packet and byte counters and the network interfaces involved

[root@zhu1 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.106        anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
[root@zhu1 ~]# iptables -L -nv
Chain INPUT (policy DROP 35 packets, 6228 bytes)
pkts bytes target     prot opt in     out     source               destination
467 32278 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  eth0   *       192.168.1.106        0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1091 packets, 168K bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

target: the action taken when the rule matches

prot: the packet protocol the rule matches; mainly tcp, udp and icmp

opt: additional options

source: the source IP address this rule restricts

destination: the destination IP address this rule restricts

[root@zhu1 ~]# iptables -F
[root@zhu1 ~]# iptables -X
[root@zhu1 ~]# iptables -Z

-F: flush (delete) every rule in every chain of the table

-X: delete all user-defined chains

-Z: zero the packet and byte counters of every chain
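The listing format and the flush commands above, as an added example that is not part of the original notes: a small shell script that reads the policy and the number of rules of a chain from `iptables -L -nv` output (the sample listing is the one shown earlier in these notes, embedded as a constructed string), and emits the reset sequence in an order that does not lock the administrator out. With the INPUT policy at DROP, `iptables -F` on its own removes the ACCEPT rules and every incoming packet, the SSH session included, falls through to the DROP policy, so the policies are opened first, and -X runs after -F because user-defined chains must be empty before they can be deleted. IPT is an assumed dry-run wrapper that only echoes the commands; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes). IPT defaults to a dry run that
# only prints the commands; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Constructed sample: the "iptables -L -nv" listing shown earlier in these notes.
SAMPLE_LISTING='Chain INPUT (policy DROP 35 packets, 6228 bytes)
pkts bytes target     prot opt in     out     source               destination
467 32278 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1091 packets, 168K bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# chain_policy LISTING CHAIN -> prints the policy (ACCEPT/DROP/...) of CHAIN.
# Works for both "(policy DROP)" and "(policy DROP 35 packets, 6228 bytes)".
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" && $2 == chain { p = $4; sub(/\)$/, "", p); print p; exit }'
}

# rule_count LISTING CHAIN -> number of rules in CHAIN (header lines skipped).
rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" { cur = $2; next }
        $1 == "pkts" || $1 == "target" { next }
        NF > 0 && cur == chain { n++ }
        END { print n + 0 }'
}

# safe_reset: open the policies, then flush rules, delete chains, zero counters.
safe_reset() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT   # nothing is dropped while the rules are gone
    done
    $IPT -F    # flush all rules in the filter table
    $IPT -X    # delete user-defined chains (they must be empty, hence after -F)
    $IPT -Z    # zero the packet and byte counters
}

echo "INPUT policy: $(chain_policy "$SAMPLE_LISTING" INPUT), rules: $(rule_count "$SAMPLE_LISTING" INPUT)"
safe_reset
```

Run as-is it only prints the six reset commands; with `IPT=iptables` and root privileges it applies them. Saving the ruleset first with `iptables-save` is the usual companion to any reset.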

Defining the default policy

When a packet matches none of the rules in a chain, iptables handles it according to that chain's default policy.

[-t table]: the filter table by default

-P (uppercase): set the default policy of a chain

[root@zhu1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@zhu1 ~]# iptables -P INPUT DROP
[root@zhu1 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@zhu1 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@zhu1 ~]# iptables -A OUTPUT  -o lo -j ACCEPT
[root@zhu1 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

-A: append a rule; it becomes the last rule of the chain, so no rule number can be given with this option

[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
[root@zhu1 ~]# iptables -A INPUT -i eth0 -s 192.168.1.106 -j ACCEPT
[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.106        anywhere

-D: delete the given rule from the chain; either the complete rule specification or the rule number can be used

[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.106        anywhere
[root@zhu1 ~]# iptables -D INPUT 3
[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

-I: insert a rule; the rule that held that number and all later ones move down by one. If no position is given, the rule is inserted in front of the current first rule (position 1)

[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
[root@zhu1 ~]# iptables -I INPUT -i eth0 -s 192.168.1.106 -j DROP
[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  192.168.1.106        anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

[root@zhu1 ~]# iptables -I INPUT 3 -i eth0 -s 192.168.1.106 -j ACCEPT
[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  192.168.1.106        anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.106        anywhere
ACCEPT     all  --  anywhere             anywhere

-R: replace a rule; replacing a rule does not change its number

[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.106        anywhere
ACCEPT     all  --  anywhere             anywhere
[root@zhu1 ~]# iptables -R INPUT 2 -s 192.168.1.105 -i eth0 -j DROP
[root@zhu1 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  192.168.1.105        anywhere
ACCEPT     all  --  anywhere             anywhere
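The -P/-A/-I/-D/-R sessions above, assembled into one script as an added example that is not part of the original notes. The sessions set `-P INPUT DROP` before appending the ACCEPT rules; between those two commands every new packet, including the administrator's SSH session over eth0, hits the DROP policy. The script puts the ACCEPT rules in first and tightens the policy last, and shows why a DROP for a single host is inserted with -I rather than appended with -A: appended after the RELATED,ESTABLISHED rule it would never see packets of a connection that host already has open. IPT is an assumed dry-run wrapper that only echoes; IFACE and ADMIN_HOST are assumptions taken from the sessions above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes). IPT defaults to a dry run that
# only prints the commands; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"                   # assumption: interface from the sessions
ADMIN_HOST="${ADMIN_HOST:-192.168.1.106}" # assumption: admin host from the sessions

# baseline_input: the rules from the sessions, policy change last.
baseline_input() {
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # becomes rule 1
    $IPT -A INPUT -i lo -j ACCEPT                                   # rule 2
    $IPT -A INPUT -i "$IFACE" -s "$ADMIN_HOST" -j ACCEPT            # rule 3
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -P INPUT DROP   # only now, with the admin host already allowed in
}

# block_host HOST: inserted at position 1 so the DROP is evaluated before the
# state match; appended with -A it would sit behind rule 1 and packets of a
# connection HOST already has open would still be accepted.
block_host() {
    $IPT -I INPUT 1 -i "$IFACE" -s "$1" -j DROP
}

# replace_rule NUM HOST TARGET: -R keeps the rule number, as the -R session shows.
replace_rule() {
    $IPT -R INPUT "$1" -i "$IFACE" -s "$2" -j "$3"
}

# delete_rule NUM: rules above NUM move down by one afterwards, so when removing
# several rules by number, delete from the highest number downwards.
delete_rule() {
    $IPT -D INPUT "$1"
}

baseline_input
block_host 192.168.1.105
```

Run without IPT set it prints the command sequence in the safe order; `IPT=iptables ./script.sh` as root applies it.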

-i | -o interface name

Treat lo (the loopback interface) as trusted; it should be opened

[root@zhu1 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@zhu1 ~]# iptables -A OUTPUT -o lo -j ACCEPT

Accept every packet coming from the 192.168.1.0/24 network

[root@zhu1 ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

 

-i: the interface the packet arrives on

-o: the interface the packet leaves through

-s source-ip|subnet

IP address or subnet address of the source host

Reject any packet coming from 192.168.1.0/24 with a source port in the range 1024:65535 that wants to connect to this host's ssh port

[root@zhu1 ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65535 --dport ssh -j DROP

[root@zhu1 ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT

--sport source-port

Source port of the packet

--dport destination-port

Destination port of the packet

When --sport or --dport is used to specify a port or port range, a -p tcp or -p udp argument must come before it, because only TCP and UDP packets carry port numbers.

-j target

Allow connections to port 21 of this host

[root@zhu1 ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

Allow packets that belong to an already established connection

[root@zhu1 ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Match a specific MAC address

[root@zhu1 ~]# iptables -A INPUT -m mac --mac-source 08:00:27:9B:E5:37   -j ACCEPT

iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT

-m multiport

Open several ports of this host at once

[root@zhu1 ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -m multiport --dport 80,21,166,30001 -j ACCEPT