iptables firewall

Published: 2019-Mar-21
Temporary settings (take effect at once, lost after a restart):

Check firewall status:   service iptables status
Stop the firewall:       service iptables stop
Start the firewall:      service iptables start
Restart the firewall:    service iptables restart
Save the firewall rules: service iptables save

Note: "not saved" does not mean "not in effect". Every rule change takes effect immediately; if it is not saved (to /etc/sysconfig/iptables), the changes are lost the next time the server or the iptables service is restarted.

Permanent settings (these only decide whether the service starts at boot; they do not touch the running rules, so the change is seen after the next reboot):

Do not start at boot: chkconfig iptables off
Start at boot:        chkconfig iptables on

CentOS 7 (firewalld is the default front end; to drive iptables directly as below, stop and disable firewalld first and install the iptables-services package, which provides the service/chkconfig-style commands above):

systemctl start firewalld.service    # start firewalld
systemctl stop firewalld.service     # stop firewalld
systemctl disable firewalld.service  # do not start firewalld at boot

Four tables, five chains, and connection states:

Four tables: filter (packet filtering), nat (network address translation), mangle (packet modification), raw (connection-tracking exemption). When the same chain exists in several tables it is traversed in the order raw > mangle > nat > filter.

Five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD.

States (from connection tracking): NEW = the first packet of a connection; ESTABLISHED = a packet belonging to a connection that has already seen traffic in both directions, so once the first packet is let through the rest follow; RELATED = a new connection spawned by an existing one (for example an FTP data channel); INVALID = a packet that connection tracking cannot associate with any connection.

How to think about tables, chains and states: the firewall is a government service hall, the tables are its departments, the chains are the service windows, and the state is the identity of the person who walks in. Zhang San enters city hall (iptables) and first reaches reception (PREROUTING), which decides whether his matter is handled here or belongs to a sister city:
1. If it is not this office's business, he is directed to FORWARD, goes through a series of checks, and is handed to POSTROUTING to be sent on.
2. If it is this office's business, he is directed to the service window INPUT; the departments at INPUT check the matter against their regulations (the table rules), and if it passes, the request goes to the system for actual processing (the program). When the program is done, the result goes to OUTPUT, which also checks its rules to decide whether the material may be given to this person, and if so hands it to POSTROUTING.
For identities: NEW is someone who has just walked in, ESTABLISHED is someone whose ID has already been verified, RELATED is someone brought along by a verified person, and INVALID is someone of unknown identity.

Which chains each table contains:

Function                        Table    PREROUTING   POSTROUTING   INPUT   OUTPUT   FORWARD
Packet filtering                filter   --           --            INPUT   OUTPUT   FORWARD
Network address translation     nat      PREROUTING   POSTROUTING   --      OUTPUT   --
Packet modification             mangle   PREROUTING   POSTROUTING   INPUT   OUTPUT   FORWARD
Connection-tracking exemption   raw      PREROUTING   --            --      OUTPUT   --

(Kernels 2.6.34 and later also give the nat table an INPUT chain; the CentOS 6 kernel used with iptables 1.4.7 below does not have it.)

Related files:

/etc/sysconfig/network                      basic host network settings, read at boot
/etc/sysconfig/network-scripts/             per-interface network initialisation, read at boot
/etc/sysconfig/network-scripts/ifcfg-eth0   configuration of interface eth0
/etc/xinetd.conf                            network services started by the xinetd super-server
/etc/protocols                              protocols the host knows and their protocol numbers
/etc/services                               mapping of port numbers to service names
/etc/sysconfig/iptables                     saved firewall rules (written by service iptables save, loaded by service iptables start)

Command reference:

[root@localhost ~]# iptables -h
iptables v1.4.7

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain              Append to chain                                (add the rule at the end of the chain)
  --check   -C chain              Check for the existence of a rule
  --delete  -D chain              Delete matching rule from chain                (deletes the first rule that matches the given rule-spec)
  --delete  -D chain rulenum      Delete rule rulenum (1 = first) from chain     (deletes the rule with that number)
  --insert  -I chain [rulenum]    Insert in chain as rulenum (default 1=first)   (insert at a position; without a number it becomes rule 1)
  --replace -R chain rulenum      Replace rule rulenum (1 = first) in chain      (replace the rule with that number)
  --list    -L [chain [rulenum]]  List the rules in a chain or all chains        (lists the filter table unless -t is given)
  --list-rules -S [chain [rulenum]]  Print the rules in a chain or all chains
  --flush   -F [chain]            Delete all rules in chain or all chains        (with a chain, empties that chain; without, empties every chain of the table)
  --zero    -Z [chain [rulenum]]  Zero counters in chain or all chains
  --new     -N chain              Create a new user-defined chain
  --delete-chain -X [chain]       Delete a user-defined chain                    (deletes the chain itself; it must already be empty and unreferenced, so -F it first)
  --policy  -P chain target       Change policy on chain to target               (the default target for packets that match no rule)
  --rename-chain -E old new       Change chain name, (moving any references)     (rename a chain)

Options:
[!] --proto         -p proto             protocol: by number or name, eg. `tcp'
[!] --source        -s address[/mask][...]  source specification                 (source IP or network)
[!] --destination   -d address[/mask][...]  destination specification            (destination IP or network)
[!] --in-interface  -i input name[+]     network interface name ([+] for wildcard)
    --jump          -j target            target for rule (may load target extension)   (the action: ACCEPT accepts, DROP silently discards, REJECT discards and sends an error back)
    --goto          -g chain             jump to chain with no return
    --match         -m match             extended match (may load extension)    (load a match module)
    --numeric       -n                   numeric output of addresses and ports  (print IPs and port numbers instead of resolving names)
[!] --out-interface -o output name[+]    network interface name ([+] for wildcard)
    --table         -t table             table to manipulate (default: `filter')   (which table to operate on)
    --verbose       -v                   verbose mode
    --line-numbers                       print line numbers when listing
    --exact         -x                   expand numbers (display exact values)
[!] --fragment      -f                   match second or further fragments only
    --modprobe=<command>                 try to insert modules using this command
    --set-counters PKTS BYTES            set the counter during insert/append
[!] --version       -V                   print package version.                 (firewall version)
[root@localhost ~]#

Syntax:

iptables [-t table] <-A|-I|-D|-R> chain [rulenum] [-i|-o interface] [-p protocol] [-s source-ip|source-net] [--sport source-port] [-d destination-ip|destination-net] [--dport destination-port] <-j target>

that is, iptables [-t table] command [chain] [options] [-j target]

-t table     which table to use: filter, nat, mangle or raw; filter is the default. The filter table contains the INPUT, OUTPUT and FORWARD chains.
command      what iptables should do, the operation itself: <-A|-I|-D|-R>
chain        the chain name
options      the match criteria of the rule
-j target    the action taken when the rule matches: ACCEPT, DROP, REJECT, RETURN, LOG, REDIRECT, MARK, MIRROR, MASQUERADE and others

Listing the current rules:

[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:9502
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: CHECK seconds: 3600 hit_count: 5 name: SSH side: source
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 3 name: SSH side: source
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: SSH side: source
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@localhost ~]#

The last INPUT rule, "ACCEPT all -- anywhere anywhere", is the loopback rule (-i lo); plain -L does not show interfaces, so use iptables -nvL --line-numbers when you need to see interfaces, packet counters and rule numbers.

Changing the default policy (ACCEPT = accept everything no rule matched; DROP = drop everything no rule matched):

[root@localhost php]# iptables -P INPUT DROP
[root@localhost php]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Flushing rules:

[root@localhost ~]# iptables -F    # delete every rule in every chain of the filter table (-F does not change the chain policies)
[root@localhost ~]# iptables -X    # delete every (empty) user-defined chain
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@localhost ~]#

Caution: when the INPUT policy is DROP, never run iptables -F over a remote session. Flushing removes the ACCEPT rules but keeps the DROP policy, so every packet including your own SSH session is dropped and you lose contact with the server. Set the policy back to ACCEPT (iptables -P INPUT ACCEPT, which is what produced the listing above) before flushing.

Match modules:

comment: attach a note to a rule (up to 256 characters).
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "note text, up to 256 characters"

connlimit: limit the number of concurrent connections. Example: each source IP may hold at most 30 simultaneous connections to port 80; connections beyond that are dropped.
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j DROP

iprange: match a range of addresses. Example: drop packets from this range.
[root@localhost ~]# iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.120 -j DROP

layer7: application-layer protocol matching, for example blocking QQ. This is a third-party patch and is not installed by default.
[root@localhost ~]# iptables -A FORWARD -m layer7 --l7proto qq -j DROP

mac: filter by source MAC address. This only works for hosts on the same layer-2 segment, because the source MAC is rewritten at every router hop.
[root@localhost ~]# iptables -A INPUT -m mac --mac-source 00:0C:29:09:62:25 -j DROP

multiport: match several ports in one rule. It ships with iptables, no extra install is needed; note that its options are --dports, --sports and --ports (plural), not --dport.
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dports 21,22,80,443 -j DROP

state: match the connection-tracking state.
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

string: match a byte string in the packet payload.
[root@localhost ~]# iptables -A FORWARD -m string --algo bm --string "baidu" -j DROP

recent: keep a list of recently seen source addresses and decide based on their history. Parameters:
--name       name of the list (default DEFAULT)
--rsource    key the list on the source address (the default)
--rdest      key the list on the destination address
--seconds    only count hits within the last N seconds
--hitcount   match only if the address has at least N hits (within --seconds, if given)
--set        add the address to the list, or refresh it, recording a timestamp for this packet
--rcheck     match if the address is in the list (and meets --seconds/--hitcount); does not modify the entry
--update     like --rcheck, but on a match also records this packet's timestamp, so the time window slides with every attempt
--remove     delete the address from the list

[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSHPOOL --rcheck --seconds 3600 --hitcount 5 -j DROP
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSHPOOL --update --seconds 300 --hitcount 3 -j DROP
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSHPOOL --set -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Rule 1: a new connection to port 22 from an address that already has 5 or more hits in the last 3600 seconds is dropped.
Rule 2: a new connection from an address with 3 or more hits in the last 300 seconds is dropped, and the address is stamped again, so an attacker who keeps trying extends his own block.
Rule 3: every other new connection to port 22 is added to the SSHPOOL list and accepted. Accepted here only means the TCP connection passes the firewall; sshd still has to check the password or key.
Rule 4: the remaining (non-NEW) packets on port 22 are accepted.
The order matters: the two DROP checks must sit above the --set rule, otherwise every attempt is recorded and accepted before it is ever checked. Also, the recent module keeps at most ip_pkt_list_tot timestamps per address (20 by default), so --hitcount values above that never match.

Logging:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH Attack"
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "HTTP"
LOG is a non-terminating target: the packet is written to the kernel log (/var/log/messages on CentOS 6) and then continues to the next rule, so a LOG rule must be followed by an ACCEPT or DROP that decides its fate.

Complete definition for a web server:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --rcheck --seconds 3600 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 300 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
service iptables save
service iptables restart
clear
service iptables status

The policies are set to ACCEPT before the flush and INPUT is switched to DROP only after all ACCEPT rules are in place, so a remote session survives the rebuild. The price is that the host accepts everything between the flush and the final -P INPUT DROP; running the commands one by one from a shell makes that window seconds long. The script permits 80 and 443 from anywhere, which is what a public web server needs.

Server running only a database:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --rcheck --seconds 3600 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 300 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
service iptables save
service iptables restart
clear
service iptables status

Unlike the web ports, 3306 should not be open to the world: add -s with the application servers' address or subnet to the 3306 rule (for example -s 192.168.1.0/24) so that only they can reach the database.
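The two server scripts above rebuild the filter table one command at a time, which leaves the host briefly wide open and, if a rule is mistyped, can lock the administrator out. The following is an added example, not code from the original post: it writes the same web-server ruleset in iptables-save format, loads it in one atomic step with iptables-restore (the INPUT policy becomes DROP in the same commit as the ACCEPT rules, so there is never an all-open or all-closed moment), and schedules a rollback in case the new rules cut the remote session. The function names and the paths under /root are this example's own choices; apply_with_rollback assumes iptables-save and iptables-restore are installed and that it runs as root, while gen_ruleset and count_accept_rules run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the post's web-server
# ruleset as an iptables-restore file and applies it in one atomic step with a
# timed rollback, so a mistake cannot lock the admin out of a remote box.
# Assumptions: iptables-save/iptables-restore are installed and apply_with_rollback
# runs as root; the paths under /root and the function names are this example's own.

# gen_ruleset PORT... : print a complete filter-table ruleset (iptables-save
# format) accepting loopback, established traffic, ICMP, throttled SSH and the
# given TCP ports. The INPUT policy is DROP inside the same ruleset, so there is
# no moment where the box is wide open or fully closed, unlike -P/-F/-A in turn.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # SSH throttle from the post: the two DROP checks must come before --set.
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --rcheck --seconds 3600 --hitcount 5 -j DROP'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 300 --hitcount 3 -j DROP'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set -j ACCEPT'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$port'" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_accept_rules RULESET : number of plain "--dport N -j ACCEPT" lines,
# a quick sanity check that the expected service ports are open and no more.
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '--dport [0-9]* -j ACCEPT'
}

# apply_with_rollback FILE [SECONDS] : save the live rules, load FILE atomically,
# and restore the saved rules after SECONDS (default 60) unless confirm_rules
# has been run in the meantime. If the new rules cut your SSH session, just wait.
apply_with_rollback() {
    file=$1; grace=${2:-60}
    rm -f /root/iptables.confirmed
    iptables-save > /root/iptables.rollback || return 1
    # iptables-restore commits the whole table or nothing: a parse error leaves
    # the old rules untouched.
    iptables-restore "$file" || { echo "restore failed, old rules untouched" >&2; return 1; }
    (
        sleep "$grace"
        [ -e /root/iptables.confirmed ] || iptables-restore /root/iptables.rollback
    ) &
    echo "rules loaded; run confirm_rules within ${grace}s or they are rolled back"
}

confirm_rules() { : > /root/iptables.confirmed; }

# Typical use (as root):  gen_ruleset 80 443 > /root/web.rules
#                         apply_with_rollback /root/web.rules 60
#                         ... open a second SSH session to prove it works, then ...
#                         confirm_rules; cp /root/web.rules /etc/sysconfig/iptables
```

For the database-only server call gen_ruleset 3306 instead, and edit the generated line to add -s with the application subnet before applying. Copying the confirmed file to /etc/sysconfig/iptables is what service iptables save would otherwise do, so the rules survive a reboot.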

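The recent rules in the scripts above keep their state in a list the kernel exposes as /proc/net/xt_recent/<name> (here /proc/net/xt_recent/SSH): one line per source address with its ttl, the last-seen time and the individual packet timestamps. The following is an added example, not code from the original post, showing how an administrator can read that list to see which sources currently trip a given --seconds/--hitcount pair, and how to pardon one address without flushing the rules. It assumes the timestamps are kernel jiffies and that HZ is 1000 (the usual CentOS setting; check CONFIG_HZ on your kernel); the three-line sample list is constructed for the example and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads the list that the recent
# module keeps for the SSH rules above (exposed as /proc/net/xt_recent/<name>)
# and reports which sources would currently trip a given --seconds/--hitcount
# pair, so an admin can see who is throttled and un-ban one address.
# Assumptions: timestamps in that file are kernel jiffies; HZ defaults to 1000
# here (check CONFIG_HZ on the box); the sample list below is constructed.

SAMPLE_LIST='src=203.0.113.10 ttl: 55 last_seen: 4295400000 oldest_pkt: 5 4295000000, 4295100000, 4295200000, 4295300000, 4295400000
src=198.51.100.7 ttl: 64 last_seen: 4295390000 oldest_pkt: 1 4295390000
src=192.0.2.44 ttl: 60 last_seen: 4295405000 oldest_pkt: 4 4295398000, 4295400000, 4295403000, 4295405000'

# write_sample_list FILE : save the constructed list so the functions below can
# be exercised on a box that has no xt_recent list loaded.
write_sample_list() { printf '%s\n' "$SAMPLE_LIST" > "$1"; }

# recent_offenders FILE SECONDS HITCOUNT [NOW_JIFFIES] [HZ]
# Print "addr hits" for every source with at least HITCOUNT packets in the last
# SECONDS, the same test --rcheck/--update apply. NOW defaults to the newest
# last_seen in the file, since current jiffies are not directly readable.
recent_offenders() {
    file=$1; window=$2; need=$3; hz=${5:-1000}
    now=${4:-$(awk 'BEGIN { m = 0 } /^src=/ { if ($5 > m) m = $5 } END { print m + 0 }' "$file")}
    awk -v now="$now" -v win="$window" -v need="$need" -v hz="$hz" '
        /^src=/ {
            addr = substr($1, 5)      # strip the "src=" prefix
            n = 0
            # fields 8.. are the per-packet timestamps, comma separated
            for (i = 8; i <= NF; i++) {
                t = $i; sub(/,$/, "", t)
                if (now - t <= win * hz) n++
            }
            if (n >= need) printf "%s %d\n", addr, n
        }' "$file"
}

# recent_forget ADDR [LIST] : drop ADDR from the live list so it is no longer
# throttled. Writing "+addr" adds an address, "/" clears the whole list. Root only.
recent_forget() {
    list=/proc/net/xt_recent/${2:-SSH}
    [ -w "$list" ] || { echo "no writable list at $list (root? module loaded?)" >&2; return 1; }
    echo "-$1" > "$list"
}

# Typical use on a live box:
#   recent_offenders /proc/net/xt_recent/SSH 300 3     # who trips rule 2 right now
#   recent_offenders /proc/net/xt_recent/SSH 3600 5    # who trips rule 1
#   recent_forget 203.0.113.10                          # pardon one address
```

On the sample list, with now = 4295410000 jiffies, the 300-second/3-hit check flags 203.0.113.10 (3 hits) and 192.0.2.44 (4 hits) while 198.51.100.7 with a single hit passes; the 3600-second/5-hit check flags only 203.0.113.10. Note that a list entry holds at most ip_pkt_list_tot timestamps (20 by default), which is also why the rules' --hitcount must stay at or below that value.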
