iptables in practice
1. Start the firewall
```
systemctl start firewalld
```
2. Flush all the default rules so that we can define our own
```
iptables -F
```
View the resulting iptables state:
```
iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain FORWARD_direct (0 references)
target     prot opt source               destination

Chain FWDI_public (0 references)
target     prot opt source               destination

Chain FWDI_public_allow (0 references)
target     prot opt source               destination

Chain FWDI_public_deny (0 references)
target     prot opt source               destination

Chain FWDI_public_log (0 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination

Chain FWDO_public_allow (0 references)
target     prot opt source               destination

Chain FWDO_public_deny (0 references)
target     prot opt source               destination

Chain FWDO_public_log (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (0 references)
target     prot opt source               destination

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination

Chain INPUT_direct (0 references)
target     prot opt source               destination

Chain IN_public (0 references)
target     prot opt source               destination

Chain IN_public_allow (0 references)
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination
```
3. Now we build our own rules
(1) Allow ssh (port 22)
```
iptables -t filter -A INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 22 -j ACCEPT
# or, equivalently (filter is the default table and 0/0 the default source):
iptables -A INPUT -d 192.168.42.153 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -s 192.168.42.153 -d 0/0 -p tcp --sport 22 -j ACCEPT
# or:
iptables -A OUTPUT -s 192.168.42.153 -p tcp --sport 22 -j ACCEPT
```
(2) Change the default chain policies (close all ports)
```
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
```
(3) Allow the web port (80) for httpd / nginx
```
iptables -I INPUT -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT
# or:
iptables -t filter -I INPUT -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -s 192.168.42.153 -p tcp --sport 80 -j ACCEPT
# or:
iptables -t filter -I OUTPUT -s 192.168.42.153 -d 0/0 -p tcp --sport 80 -j ACCEPT
```
(4) After changing the default policies we find that we can no longer ping ourselves, nor any other host
```
# loopback traffic on the lo interface
iptables -t filter -I INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -t filter -I OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
```
(5) Allow this host to ping other hosts
```
# echo-request (type 8) out, echo-reply (type 0) back in
iptables -t filter -I OUTPUT -s 192.168.42.153 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -I INPUT -s 0/0 -d 192.168.42.153 -p icmp --icmp-type 0 -j ACCEPT
```
(6) Allow anyone to ping this host
```
# echo-request (type 8) in, echo-reply (type 0) out
iptables -t filter -I INPUT -s 0/0 -d 192.168.42.153 -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -I OUTPUT -s 192.168.42.153 -d 0/0 -p icmp --icmp-type 0 -j ACCEPT
```
(7) Open several ports at once (multiport match)
```
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp -m multiport --dports 22,80,3306 -j ACCEPT
# replies leave through the OUTPUT chain with the matching source ports
iptables -I OUTPUT -d 0/0 -s 192.168.42.153 -p tcp -m multiport --sports 22,80,3306 -j ACCEPT
```
(8) `iptables -vnL --line-numbers` shows the rule numbers
```
iptables -vnL INPUT --line-numbers
Chain INPUT (policy DROP 1 packets, 229 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   576 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.42.153       icmptype 8
2       12  1008 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.42.153       icmptype 0
3       16  1226 ACCEPT     all  --  lo     *       127.0.0.1            127.0.0.1
4       88  7565 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.153       tcp dpt:80
5     2135  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.153       tcp dpt:22
```
(9) Source and destination address range matching
```
iptables -I INPUT -d 192.168.42.153 -p tcp --dport 23 -m iprange --src-range 192.168.42.150-192.168.42.158 -j ACCEPT
iptables -I OUTPUT -s 192.168.42.153 -p tcp --dport 23 -m iprange --dst-range 192.168.42.150-192.168.42.158 -j ACCEPT
```
(10) Block pages containing the string "old" from going out
```
iptables -I OUTPUT -s 192.168.42.153 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "old" -j DROP
```
(11) Time-based restriction: deny access to port 80 from 09:00 to 19:00
```
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 --kerneltz -j DROP
```
(12) Deny access to port 80 from 09:00 to 19:00, Monday through Friday
```
iptables -I INPUT -d 192.168.42.153 -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 --kerneltz --weekdays 1,2,3,4,5 -j DROP
```
(13) Drop when there are more than 2 concurrent connections to the port
```
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
```
(14) Same client with fewer than 3 concurrent connections to the port (negated match)
```
# "! --connlimit-above 3" matches while the client holds 3 or fewer connections
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 22 -m connlimit ! --connlimit-above 3 -j DROP
```
4. Create custom chains and open port 80
```
iptables -F
iptables -A INPUT -d 192.168.42.153 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 192.168.42.153 -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -N webinput
iptables -N weboutput
iptables -I webinput -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT
iptables -I weboutput -s 192.168.42.153 -p tcp --sport 80 -j ACCEPT
# hand tcp traffic in the built-in chains to the custom chains
iptables -A INPUT -p tcp -j webinput
iptables -A OUTPUT -p tcp -j weboutput
```
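As an added example (not from the original post), the rules built up by hand in sections 3 and 4 rendered as a single iptables-restore file by a small shell script, so the rule order is fixed and the whole policy loads atomically. The address 192.168.42.153 is the page's own value; the ssh and web ports, and the function names, are assumptions of this example.

```sh
# Added example (not from the original post): render the host firewall built
# by hand in sections 3 and 4 as one iptables-restore file, so rule order is
# fixed and the whole policy loads atomically instead of rule by rule.
# Host address and ports are parameters; 192.168.42.153 is the page's value.
build_ruleset() {
    host=$1            # this host's own address (assumed, as on the page)
    ssh_port=${2:-22}
    web_port=${3:-80}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:webinput - [0:0]
:weboutput - [0:0]
# loopback first: with a DROP policy the host cannot even ping itself (section 3, step 4)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# the limit from step 13 must come before the ssh ACCEPT or it never matches
-A INPUT -d $host -p tcp --dport $ssh_port -m connlimit --connlimit-above 2 -j DROP
# ssh in, replies out (step 1)
-A INPUT -d $host -p tcp --dport $ssh_port -j ACCEPT
-A OUTPUT -s $host -p tcp --sport $ssh_port -j ACCEPT
# ping out (step 5) and in (step 6): echo-request is type 8, echo-reply type 0
-A OUTPUT -s $host -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -d $host -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -d $host -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $host -p icmp --icmp-type 0 -j ACCEPT
# web traffic goes through the custom chains of section 4
-A INPUT -p tcp -j webinput
-A OUTPUT -p tcp -j weboutput
-A webinput -d $host -p tcp --dport $web_port -j ACCEPT
-A weboutput -s $host -p tcp --sport $web_port -j ACCEPT
COMMIT
EOF
}

# parse the ruleset without touching the kernel, then load it atomically
apply_ruleset() {
    build_ruleset "$@" | iptables-restore --test &&
        build_ruleset "$@" | iptables-restore
}

# standalone: sh firewall.sh 192.168.42.153 [ssh_port] [web_port] > rules.v4
if [ -n "${1:-}" ]; then
    build_ruleset "$@"
fi
```

With an OUTPUT policy of DROP every service needs its own reply rule, as the page shows; a single `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule in OUTPUT would cover all replies at once. Note also that firewalld (section 1) rebuilds the tables on reload, which discards rules loaded this way.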
Original article by srayban. If you republish it, please credit the source: http://www.178linux.com/77980