iptables

Notes on the iptables commands I use.

Viewing

# (-n: do not resolve hosts, -v: verbose with counters)
iptables -nvL
iptables -nL --line-numbers
# Only the INPUT chain
iptables -nL INPUT --line-numbers
# Delete a rule by number (numbers shift after every delete, so re-list before the next one)
iptables -D INPUT 2

# Example on a user-defined chain in the nat table
iptables -t nat -nL V2RAY
iptables -t nat -nL V2RAY --line-numbers
iptables -t nat -D V2RAY 11

# Insert at position 7 of the INPUT chain (first match wins, so position matters)
iptables -I INPUT 7 -i eth0 -p tcp -m tcp --dport 11111 -j ACCEPT
# -I without a position inserts at the top
iptables -I
# -A appends at the bottom
iptables -A

# Delete by specification (must match the rule exactly) or by number
iptables -D INPUT -i eth0 -p udp -m udp --dport 11111 -j ACCEPT
iptables -nL INPUT --line-numbers
iptables -D INPUT 7

# Remove a user-defined chain (XRAY) from the nat table
iptables -t nat -D OUTPUT -p tcp -j XRAY   # 1. remove the jump that references the chain
iptables -t nat -F XRAY                    # 2. flush it; -X fails while the chain still has rules or is referenced
#iptables -t nat -F                        #    (-F with no chain name flushes every chain in the table)
iptables -t nat -Z XRAY                    # 3. zero its counters (optional; must come before -X)
iptables -t nat -X XRAY                    # 4. delete the now-empty chain

Options

-F: flush all rules in a chain (or in every chain of the table if no chain is given)
-X: delete user-defined chains (a chain must be empty and unreferenced first)
-Z: zero the packet and byte counters of every chain
-A: append a rule at the end of a chain
-I: insert a rule at the start of a chain (or at a given position)
-i: input interface (eth0, lo, ...)
-o: output interface
-p: protocol (tcp, udp, icmp or all; `! icmp` matches everything except ICMP, i.e. tcp/udp)
-s: source address match: 192.168.0.0/24 or 192.168.0.0/255.255.255.0
--sport: source port
-d: destination address/network
--dport: destination port
-j: target: ACCEPT/DROP/REJECT/LOG
-P: default policy of a built-in chain (INPUT/OUTPUT/FORWARD), used when no rule matches
-m: match extension: state/mac/...
--state: connection state (with -m state)
INVALID: packet cannot be associated with any known connection
ESTABLISHED: packet belongs to a connection that has seen traffic in both directions
NEW: packet starts a new connection
RELATED: packet starts a new connection tied to an existing one (e.g. ICMP errors, the FTP data channel)
Note: --sport/--dport require -p tcp or -p udp; the port match belongs to the protocol module
# nat table example: forward public port 8022 to 192.168.0.133:22 ...
-A PREROUTING -p tcp --dport 8022 -j DNAT --to-destination 192.168.0.133:22
# ... and rewrite the source so that 192.168.0.133 replies via the gateway (192.168.0.9)
-A POSTROUTING -d 192.168.0.133 -p tcp --dport 22 -j SNAT --to 192.168.0.9

Example:

#!/bin/sh
# Reset the filter table, then default-deny inbound traffic
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections we opened, and related traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Trust one admin host completely (running this over ssh from any other host locks you out)
iptables -A INPUT -i eth0 -s 192.168.0.5 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type any -j ACCEPT
# Only allow local connections to mysql (192.168.0.5 still gets in via the rule above;
# the explicit REJECT answers with an error instead of the silent DROP policy)
iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport 3306 -j REJECT

Backup and restore

iptables-save > /etc/sysconfig/iptables.bak

Same format as /etc/sysconfig/iptables.

iptables-restore < /etc/sysconfig/iptables.bak

Loads the rules from /etc/sysconfig/iptables.bak into the kernel; it does not write them to /etc/sysconfig/iptables.

/etc/init.d/iptables save

Writes the running rules to /etc/sysconfig/iptables, so they are loaded by `service iptables start` (RHEL/CentOS init script).

NAT

Port forwarding:

1. To a local port:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 81

2. To another host's port:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.10:81

3. Rewrite the destination of incoming packets:

iptables -t nat -A PREROUTING -d 183.63.2.202 -j DNAT --to-destination 192.168.0.10

4. Rewrite the source of outgoing packets:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 183.63.2.202

5. IP masquerading (use MASQUERADE when the public IP is dynamic; with a static IP use SNAT as in item 4):

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

6. Enable routing (DNAT/SNAT between hosts only works when forwarding is on):

Permanent: set net.ipv4.ip_forward=1 in /etc/sysctl.conf, apply with sysctl -p

Temporary: echo 1 > /proc/sys/net/ipv4/ip_forward, lost on reboot

7. Block a website:

iptables -A FORWARD -m string --string "qq.com" --algo bm -j DROP

--algo: bm|kmp; bm is faster than kmp. This is a plaintext substring match on each packet: it drops any packet that carries the string (DNS queries, unencrypted HTTP Host headers), cannot see into TLS payloads, and misses a string split across two packets.

8. Block an IP range from going out:

iptables -A FORWARD -m iprange --src-range 192.168.0.0-192.168.0.100 -j DROP

Where:
--src-range: source address range, --dst-range: destination address range

9. Multiple ports:

-m multiport --sports 80,82

--sport 80:82 # ports 80 through 82 (a range; the plain tcp/udp match supports this without multiport)

10. Time restriction:

-m time --timestart 00:00 --timestop 13:00

(times are interpreted in UTC unless --kerneltz is given)

11. Rate limiting:

iptables -A FORWARD -s 192.168.0.158 -m limit --limit 20/s -j ACCEPT
iptables -A FORWARD -s 192.168.0.158 -j DROP

-m limit counts packets, not bytes: 20/s is an average of 20 packets per second, plus a burst of --limit-burst packets (default 5) above that. The "30 kB/s" figure is the upper bound at a 1500-byte MTU (check with ifconfig): 30000 B / 1500 B = 20 packets; smaller packets give proportionally less throughput.
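The two-rule chain in item 11 is easier to reason about with a model of what `-m limit` actually does. The following Python is an added example, not code from the original notes: it models the documented semantics of the limit match (an average rate with a bucket of `--limit-burst` tokens that refills at that rate) as a continuous-time token bucket, which is an approximation of the kernel's credit scheme, and feeds it constructed traffic. It shows that the first five packets of a burst always pass, that a steady 20 pkt/s stream passes untouched whatever its packet size (so the byte rate is 30 kB/s only for 1500-byte packets), and that a 40 pkt/s stream loses roughly half its packets. The `traffic` helper and the `run_chain` name are mine.

```python
"""Token-bucket model of `-m limit --limit 20/s` (default --limit-burst 5)."""


class LimitMatch:
    """Model of the iptables limit match: a bucket of `burst` tokens refilled at
    `rate_per_s` tokens per second; a packet matches if a whole token is available.
    Continuous-time approximation of the kernel's credit scheme (assumption)."""

    def __init__(self, rate_per_s: float, burst: int = 5):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full: the first `burst` packets always match
        self.last_t = 0.0

    def matches(self, t: float) -> bool:
        """Packet arriving at time t (seconds): refill, then try to spend one token."""
        self.tokens = min(float(self.burst), self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(arrivals, rate_per_s=20.0, burst=5):
    """Apply the two-rule chain from item 11:
         -m limit --limit <rate> -j ACCEPT
         -j DROP
    arrivals: list of (time_s, size_bytes) in arrival order.
    Returns (accepted_packets, dropped_packets, accepted_bytes)."""
    lim = LimitMatch(rate_per_s, burst)
    accepted = dropped = accepted_bytes = 0
    for t, size in arrivals:
        if lim.matches(t):
            accepted += 1
            accepted_bytes += size
        else:
            dropped += 1
    return accepted, dropped, accepted_bytes


def traffic(n_burst, n_steady, interval_s, size):
    """Constructed traffic: n_burst packets all at t=0, then from t=1.0 s
    n_steady packets spaced interval_s apart, every packet `size` bytes."""
    return [(0.0, size)] * n_burst + [(1.0 + i * interval_s, size) for i in range(n_steady)]


if __name__ == "__main__":
    print("100-packet burst:  ", run_chain(traffic(100, 0, 0.05, 1500)))   # only the burst of 5 passes
    print("20 pkt/s x 1500 B: ", run_chain(traffic(0, 100, 0.05, 1500)))   # all pass: 30 kB/s
    print("20 pkt/s x 64 B:   ", run_chain(traffic(0, 100, 0.05, 64)))     # all pass, but only 1.28 kB/s
    print("40 pkt/s x 1500 B: ", run_chain(traffic(0, 100, 0.025, 1500)))  # roughly half dropped
```

Because the match is per packet, a host sending small packets (DNS, keepalives, SYN floods) is throttled to far less than 30 kB/s while a host sending full-size segments gets the whole budget; use `-m hashlimit` with `--hashlimit-mode srcip` if a per-source limit across many hosts is wanted instead of one shared counter.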

12. Stop other hosts from pinging the firewall, but allow the firewall to ping other hosts:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

(With a `--state RELATED,ESTABLISHED` rule in place, the echo replies and destination-unreachable errors answering our own pings are already accepted by it.)

13. Open the PPTP VPN service:

# The PPTP control channel is TCP 1723; the tunnel itself is GRE, IP protocol 47, which is not a TCP port
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT

Full example (iptables-save output)

# Generated by iptables-save v1.3.5 on Tue Jun  8 08:43:18 2010
*nat
:PREROUTING ACCEPT [9:721]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A PREROUTING -d 183.63.2.202 -j DNAT --to-destination 192.168.0.0/24
#-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 183.63.2.202

-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

#-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 81 -j DNAT --to 10.35.60.79:8443
#-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 81
-A PREROUTING -p tcp -m tcp --dport 81 -j REDIRECT --to-ports 80
#-A PREROUTING -p tcp -m tcp --dport 23 -j DNAT --to 192.168.0.167:22
COMMIT
# Completed on Tue Jun 8 08:43:18 2010
# Generated by iptables-save v1.3.5 on Tue Jun 8 08:43:18 2010
*filter
:INPUT DROP [30:2480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:11777]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 1:1023 --dport 1:1023 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
#open ssh
#-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#open smb
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 137:138 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 445 -j ACCEPT
#open postfix
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
#open mysql
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3306 -j ACCEPT
#-A INPUT --dport 3306 -j ACCEPT
#open vnc
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5801 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5901 -j ACCEPT
#open http
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8088 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 10000 -j ACCEPT
#open socket
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5556 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 6666 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 6667 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 7778 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 7788 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 7789 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8889 -j ACCEPT
#open ping
-A INPUT -s 192.168.0.0/255.255.255.0 -p icmp -m icmp --icmp-type any -j ACCEPT
#dns
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
#vpn
-A INPUT -p tcp -m multiport --destination-port 47,1723 -j ACCEPT
-A INPUT -p udp -m multiport --destination-port 47,1723 -j ACCEPT
#openvpn
#-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 444 -j ACCEPT
#-A INPUT -p gre -j ACCEPT
#nfs
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m multiport --dport 111,2049 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m multiport --dport 111,2049 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp --dport 10001:10004 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp --dport 10001:10004 -j ACCEPT
#forward
#-A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT
COMMIT
# Completed on Tue Jun 8 08:43:18 2010
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
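A ruleset like the one above is evaluated top to bottom and the first matching rule wins, which is why the `-I` versus `-A` distinction and the rule numbers in the Viewing section matter. The following Python script is an added example, not part of the original notes: it parses iptables-save output (a trimmed copy of the filter section above is embedded as the constructed sample) and reports two things a reviewer otherwise checks by hand, INPUT ACCEPTs with no `-s` restriction (reachable from any source) and rules shadowed by an earlier rule that already matches everything they match. The parser only knows the one-argument options used on this page and treats a negated `! -s` as an unknown source; both are simplifications of mine, not iptables behaviour.

```python
"""Audit an iptables-save dump: world-reachable INPUT accepts and shadowed rules."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the *filter section on this page.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [30:2480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:11777]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Options that take exactly one argument (the ones this page uses); anything else is skipped.
ONE_ARG = {"-A", "-i", "-o", "-p", "-s", "-d", "-m", "-j", "--dport", "--sport",
           "--dports", "--sports", "--destination-port", "--source-port",
           "--destination-ports", "--source-ports", "--state", "--icmp-type"}
DPORT_OPTS = ("--dport", "--dports", "--destination-port", "--destination-ports")


@dataclass
class Rule:
    table: str
    chain: str
    iface: Optional[str]                  # -i
    proto: Optional[str]                  # -p
    dport: Optional[str]                  # port, list or range exactly as written
    src: Optional[ipaddress.IPv4Network]  # 0.0.0.0/0 when no -s is given; None when negated (! -s)
    target: Optional[str]                 # -j
    text: str


def parse_dump(dump: str) -> list:
    """Turn the '-A <chain> ...' lines of iptables-save output into Rule objects."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue                      # comments, chain policies, end of table
        if line.startswith("*"):
            table = line[1:]              # *filter, *nat, *mangle
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        opts, negated, i = {}, set(), 0
        while i < len(toks):
            tok, neg = toks[i], False
            if tok == "!" and i + 1 < len(toks):
                i += 1
                tok, neg = toks[i], True
            if tok in ONE_ARG and i + 1 < len(toks):
                opts[tok] = toks[i + 1]
                if neg:
                    negated.add(tok)
                i += 2
            else:
                i += 1
        # ipaddress accepts both 192.168.0.0/24 and 192.168.0.0/255.255.255.0
        src = None if "-s" in negated else ipaddress.IPv4Network(opts.get("-s", "0.0.0.0/0"), strict=False)
        dport = next((opts[o] for o in DPORT_OPTS if o in opts), None)
        rules.append(Rule(table, opts["-A"], opts.get("-i"), opts.get("-p"), dport, src, opts.get("-j"), line))
    return rules


def world_open_accepts(rules, chain="INPUT"):
    """(proto, dport) of every filter/<chain> ACCEPT that names a port but no source."""
    return [(r.proto, r.dport) for r in rules
            if r.table == "filter" and r.chain == chain and r.target == "ACCEPT"
            and r.dport is not None and r.src == ANY]


def shadowed_rules(rules, chain="INPUT"):
    """Pairs (later_rule, earlier_rule) where the earlier rule already matches every
    packet the later one would (same proto/port, no narrower interface, source a
    superset), so the later rule never fires: first match wins."""
    out, seen = [], []
    for r in rules:
        if r.table != "filter" or r.chain != chain:
            continue
        if r.dport is not None and r.src is not None:
            for e in seen:
                if (e.proto, e.dport) == (r.proto, r.dport) and e.src is not None \
                        and e.iface in (None, r.iface) and r.src.subnet_of(e.src):
                    out.append((r.text, e.text))
                    break
        seen.append(r)
    return out


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for proto, port in world_open_accepts(parsed):
        print(f"open to any source: {proto}/{port}")
    for later, earlier in shadowed_rules(parsed):
        print(f"shadowed: {later}\n      by: {earlier}")
```

Run on the complete filter section above (`iptables-save | python3 audit.py` with the sample replaced by stdin), it reports tcp 22, 25, 110, 143, 53, 80 and 81 plus the `47,1723` tcp and udp lists as open to any source, and flags the LAN-only tcp `--dport 53` rule as shadowed by the unrestricted tcp/53 ACCEPT a few lines earlier. The `47,1723` rules also deserve a look: `-p tcp -m multiport --destination-port 47,1723` opens TCP port 47, whereas GRE is IP protocol 47 and needs `-p gre`.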