【CentOS 7 Notes 43】 Firewall and the iptables filter table
shallow丿ove
firewalld和netfilter
- setenforce 0 #disable SELinux temporarily (switches to permissive mode until the next boot)
- /etc/selinux/config #disable SELinux permanently
- Starting with CentOS 7 the default firewall front end is firewalld; earlier versions used the iptables service. Both are user-space tools that program the kernel's netfilter framework.
- To turn off firewalld and use the iptables service instead:
- systemctl stop firewalld
- systemctl disable firewalld
- yum install -y iptables-services
- systemctl enable iptables
- systemctl start iptables
[root@localhost ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Changing SELINUX=enforcing to SELINUX=disabled disables SELinux permanently; the change takes effect at the next reboot. setenforce 0 only switches the running kernel to permissive mode and is lost at reboot:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
Disable firewalld and switch to the iptables service
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# yum install -y iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirrors.tongji.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-18.2.el7_4 will be installed
--> Processing Dependency: iptables = 1.4.21-18.2.el7_4 for package: iptables-services-1.4.21-18.2.el7_4.x86_64
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-13.el7 will be updated
---> Package iptables.x86_64 0:1.4.21-18.2.el7_4 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package                  Arch         Version                   Repository      Size
===================================================================================================
Installing:
 iptables-services        x86_64       1.4.21-18.2.el7_4         updates         51 k
Updating for dependencies:
 iptables                 x86_64       1.4.21-18.2.el7_4         updates        428 k

Transaction Summary
===================================================================================================
Install  1 Package
Upgrade             ( 1 Dependent package)

Total download size: 479 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): iptables-services-1.4.21-18.2.el7_4.x86_64.rpm                        |  51 kB  00:00:00
(2/2): iptables-1.4.21-18.2.el7_4.x86_64.rpm                                 | 428 kB  00:00:00
---------------------------------------------------------------------------------------------------
Total                                                                599 kB/s | 479 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : iptables-1.4.21-18.2.el7_4.x86_64                                              1/3
  Installing : iptables-services-1.4.21-18.2.el7_4.x86_64                                     2/3
  Cleanup    : iptables-1.4.21-13.el7.x86_64                                                  3/3
  Verifying  : iptables-services-1.4.21-18.2.el7_4.x86_64                                     1/3
  Verifying  : iptables-1.4.21-18.2.el7_4.x86_64                                              2/3
  Verifying  : iptables-1.4.21-13.el7.x86_64                                                  3/3

Installed:
  iptables-services.x86_64 0:1.4.21-18.2.el7_4

Dependency Updated:
  iptables.x86_64 0:1.4.21-18.2.el7_4

Complete!
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   45  2996 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   244 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 25 packets, 2628 bytes)
 pkts bytes target     prot opt in     out     source               destination
The 5 tables and 5 chains of netfilter
The filter table filters packets; it is the most commonly used table and has the INPUT, FORWARD and OUTPUT chains.
The nat table does network address translation and has the PREROUTING, OUTPUT and POSTROUTING chains (on CentOS 7 kernels an INPUT chain is present as well, as the nat listing further down shows).
The mangle table modifies or marks packets (TOS, TTL, fwmark); it is rarely needed in a basic setup.
The raw table is used to exempt selected packets from connection tracking.
The security table did not exist in CentOS 6; it is used for mandatory access control (MAC) network rules, i.e. SELinux labelling of packets.
Packet flow and the 5 netfilter chains
PREROUTING: as the packet arrives, before the routing decision
INPUT: after the routing decision, for packets whose destination is this host
FORWARD: after the routing decision, for packets whose destination is not this host (routed through it)
OUTPUT: packets generated by this host, on their way out
POSTROUTING: just before the packet leaves through the network interface
iptables filter table
- iptables -F #flush all rules (of the filter table unless -t says otherwise; chain policies are not reset)
- service iptables save #save the running rules to /etc/sysconfig/iptables
- iptables -t nat #-t selects the table; the default is filter
- iptables -Z #zero the packet and byte counters
- iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
- iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP #insert at the top / append at the end / delete
- iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
- iptables -nvL --line-numbers
- iptables -D INPUT 1 #delete by rule number
- iptables -P INPUT DROP #set the chain's default policy
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  193 12868 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   10  2365 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 112 packets, 12324 bytes)
 pkts bytes target     prot opt in     out     source               destination

The iptables rules are stored in the configuration file /etc/sysconfig/iptables:
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
The file is unchanged after the flush: -F only clears the rules loaded in the kernel, not the saved configuration.
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Restarting the service reloads the rules from that file, so the flushed rules come back:
[root@localhost ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 716 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# service iptables save
[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   68  4536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 38 packets, 5024 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -Z #zero the pkts and bytes counters
[root@localhost ~]# iptables -Z ; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP/REJECT
-j DROP discards the packet silently; -j REJECT discards it and sends an error back to the sender (by default an ICMP port-unreachable, or the type given with --reject-with, as in the default rule set above).
iptables -A #appends the rule at the end of the chain
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  354 23684 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   13  1196 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  383 47064 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 23 packets, 2212 bytes)
 pkts bytes target     prot opt in     out     source               destination

The new rule is the last line of INPUT:
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
Rules are evaluated top to bottom and the first match decides. Because this DROP sits below the REJECT rule that matches every remaining packet, it can never be reached; its counters will stay at 0 no matter how much traffic 192.168.188.1 sends. A rule that must take effect before the catch-all has to go in front of it, which is what -I is for.
iptables -I #inserts the rule at the top of the chain (or at a given position: iptables -I INPUT 3 ...)
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  513 35132 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   13  1196 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  384 47308 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 7 packets, 1156 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -D #deletes a rule, given either its exact specification or its number
[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  605 42492 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   17  1564 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  672 75245 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 1972 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  744 55092 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  673 75489 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination
Deleting by specification means retyping the rule exactly. When that is tedious, or you no longer remember how the rule was written, list the chain with line numbers and delete by number instead:
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  912 70948 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 7 packets, 1364 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -nvL --line-numbers (the option is --line-numbers; iptables accepts the unambiguous abbreviation --line-number used below)
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2     1010 77416 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5       18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 59 packets, 7820 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -D INPUT 7
iptables: Index of deletion too big.
[root@localhost ~]# iptables -D INPUT 6
Deleting rule 1 renumbered everything below it, so the rule that was 7 is now 6 and "7" no longer exists. When deleting several rules by number, delete the highest number first.
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1165 87732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4       19  1748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 42 packets, 4056 bytes)
num   pkts bytes target     prot opt in     out     source               destination
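Two things the listings above show: a rule appended behind the catch-all REJECT never matches (its counters stay at 0), and rule numbers shift as soon as one rule is deleted, which is why -D INPUT 7 failed after -D INPUT 1. The script below is an added example, not part of the original notes. It parses the output of iptables -nvL --line-numbers, reports every rule that sits behind an unconditional DROP/REJECT in the same chain, and prints the matching delete commands highest number first so each number is still valid when it runs. The listing embedded in it is constructed to match the INPUT chain shown above; on a real host pipe the live listing in instead.

```shell
#!/bin/sh
# Added example, not from the original notes: find rules that can never
# match because an unconditional DROP/REJECT earlier in the same chain
# consumes every packet first, then emit delete commands in an order that
# keeps the rule numbers valid.
# Input format assumed: the output of `iptables -nvL --line-numbers`
# (columns: num pkts bytes target prot opt in out source destination [matches]).

# Constructed sample: the INPUT chain as listed after the `-I ... --dport 80`
# and `-A ... -s 192.168.188.1 ...` commands above (same counters).
sample_listing() {
	cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2     1010 77416 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5       18  1656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 59 packets, 7820 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}

# Print "CHAIN NUM" for every rule that sits behind a catch-all terminal rule.
shadowed_rules() {
	awk '
	/^Chain /  { chain = $2; blocked = 0; next }
	/^num /    { next }                  # column header
	NF < 10    { next }                  # blank separator lines
	{
		if (blocked) print chain, $1
		# Catch-all: DROP or REJECT, any protocol, any interface, any
		# address, and no match extension except the reject-with option.
		if (($4 == "DROP" || $4 == "REJECT") && $5 == "all" &&
		    $7 == "*" && $8 == "*" &&
		    $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" &&
		    (NF == 10 || $11 == "reject-with"))
			blocked = 1
	}'
}

# Turn "CHAIN NUM" lines into delete commands, highest number first within
# each chain: deleting a rule renumbers the ones below it, which is why
# `-D INPUT 7` failed above once `-D INPUT 1` had already run.
delete_commands() {
	sort -k1,1 -k2,2nr | awk '{ print "iptables -D " $1 " " $2 }'
}

# On a live host: iptables -nvL --line-numbers | shadowed_rules | delete_commands
sample_listing | shadowed_rules | delete_commands
```

The checker treats only an unconditional DROP or REJECT as a shadow; a rule behind a narrower terminal rule (for example the DROP on dpt:80 at position 1) can still match other traffic, so it is not reported. Review the printed commands before running them: a rule behind the catch-all may be there by mistake, or it may be the catch-all that is in the wrong place.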
iptables -P #sets a chain's default policy, i.e. what happens to packets that no rule matched
[root@localhost ~]# iptables -P OUTPUT DROP
Do not do this over SSH. With the OUTPUT policy set to DROP and no OUTPUT rule allowing the replies, the server can no longer send anything back to the SSH client on port 22: the listing below shows the dropped packets counting up against the OUTPUT policy. The remote session stops receiving data and is disconnected, and the only way to recover is from the local console, setting the policy back to ACCEPT.
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1165 87732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4       19  1748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5      674 75718 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy DROP 37 packets, 24648 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -P OUTPUT ACCEPT
-s #source IP   -p #protocol   --sport #source port   -d #destination IP   --dport #destination port   -j #action (target)
#A small iptables example
Requirement: allow ports 80 and 21 from anywhere, allow port 22 only from 192.168.133.0/24, and drop everything else.
vi /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
(The option is -j, not -J, and --dport, not --dprot; the file as actually saved below has them right.)
ICMP example
iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@localhost ~]# vim /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
In the state match, ESTABLISHED matches packets belonging to a connection that connection tracking has already seen traffic in both directions for (for TCP, the rest of a session whose first packet was accepted), and RELATED matches new connections associated with an existing one, such as an FTP data channel or an ICMP error message about one of our flows. Putting this rule first lets return traffic through without listing it explicitly, and it is what keeps the current SSH session alive once the policy is DROP.
Check the login sessions first: besides the SSH session on pts/0 there is a console login on tty1, so a mistake in the script can still be undone locally.
[root@localhost ~]# w
 22:10:01 up 1 day, 20:48,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     06:40   15:23m  0.42s  0.42s -bash
root     pts/0    21:50    1.00s  0.45s  0.00s w
[root@localhost ~]# sh /usr/local/sbin/iptables.sh
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -nvL
Chain INPUT (policy DROP 1 packets, 229 bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  2712 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 27 packets, 3628 bytes)
 pkts bytes target     prot opt in     out     source               destination
Comparing the two listings, the pkts and bytes counters are growing: the RELATED,ESTABLISHED rule is passing the SSH session's own traffic, and the INPUT policy has already dropped one packet that matched no rule.
[root@localhost ~]# service iptables restart   #restart the iptables service: this reloads /etc/sysconfig/iptables, so the script's rules are gone unless service iptables save was run first
Redirecting to /bin/systemctl restart iptables.service
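The iptables.sh above meets the requirement, but it has the weaknesses this page has been circling: it flips the INPUT policy to DROP before any ACCEPT rule exists, it has no loopback rule (a new connection from a local service to 127.0.0.1 would hit the DROP policy), it blocks all ICMP, its rules vanish on the next service restart unless saved, and, as the OUTPUT DROP experiment showed, one wrong line locks you out of a remote session. The script below is an added example, not the original post's script. It implements the same policy (22 only from 192.168.133.0/24, 80 and 21 from anywhere, everything else dropped) but adds the ACCEPT rules before the policy changes, allows loopback and rate-limited echo requests (ICMP type 8), and keeps a copy of the previous rule set that a background timer restores unless the operator confirms from a still-working session. The paths /usr/sbin/iptables-save, /usr/sbin/iptables-restore and /root/iptables.rollback and the 60-second window are assumptions. Run it as sh firewall.sh apply, or sh firewall.sh dry-run to print the rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not the original post's iptables.sh). Same policy as the
# post's script, rebuilt so that a remote operator cannot lock themselves out.
# Assumed paths and values are marked below; adjust them for your host.

MGMT_NET=${MGMT_NET:-192.168.133.0/24}                  # subnet allowed to SSH in (from the post)
IPT=${IPT:-/usr/sbin/iptables}
IPT_SAVE=${IPT_SAVE:-/usr/sbin/iptables-save}           # assumption: iptables package paths
IPT_RESTORE=${IPT_RESTORE:-/usr/sbin/iptables-restore}
BACKUP=${BACKUP:-/root/iptables.rollback}               # assumption: where the old rules are kept
ROLLBACK_SECS=${ROLLBACK_SECS:-60}                      # assumption: confirmation window

# Run one iptables command, or just print it when IPT_DRY_RUN=1.
ipt() {
	if [ "${IPT_DRY_RUN:-0}" = 1 ]; then
		echo "$IPT $*"
	else
		"$IPT" "$@"
	fi
}

# Build the filter table. The ACCEPT rules are added while the policy is
# still ACCEPT; only the last lines flip the policy to DROP, so an SSH
# session that is open while this runs never meets an empty chain with a
# DROP policy (which is what the post's script briefly produces).
apply_rules() {
	ipt -F
	ipt -P INPUT ACCEPT
	# Return traffic for anything this host or an allowed client started,
	# plus related flows (FTP data channel, ICMP errors for our connections).
	ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	# Loopback: local services talking to 127.0.0.1 would otherwise hit the DROP policy.
	ipt -A INPUT -i lo -j ACCEPT
	ipt -A INPUT -m state --state INVALID -j DROP
	# Management SSH only from the management subnet.
	ipt -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
	ipt -A INPUT -p tcp --dport 80 -j ACCEPT
	ipt -A INPUT -p tcp --dport 21 -j ACCEPT
	# Answer pings (ICMP type 8 = echo request) but cap the rate instead of
	# dropping them outright; replies (type 0) to our own pings are ESTABLISHED.
	ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/s --limit-burst 10 -j ACCEPT
	# Default policies last: nothing above matched, so drop. This host does not route.
	ipt -P INPUT DROP
	ipt -P FORWARD DROP
	ipt -P OUTPUT ACCEPT
}

# Apply with a dead-man switch: save the running rules, arm a timer that
# restores them, apply the new set, and disarm the timer only if the
# operator can still type into the session. If the session died, the
# timer (which ignores the hangup that kills this script) puts the old
# rules back and the operator can reconnect.
main() {
	"$IPT_SAVE" > "$BACKUP" || { echo "cannot save current rules to $BACKUP" >&2; exit 1; }
	( trap '' HUP; sleep "$ROLLBACK_SECS"; "$IPT_RESTORE" < "$BACKUP" ) &
	timer=$!
	apply_rules
	printf 'New rules active. Press Enter within %s s to keep them, otherwise they roll back: ' "$ROLLBACK_SECS"
	if read -r answer; then
		kill "$timer" 2>/dev/null
		service iptables save        # persist to /etc/sysconfig/iptables for the next restart
		echo "kept and saved"
	fi
}

case "${1:-}" in
	apply)   main ;;
	dry-run) IPT_DRY_RUN=1; apply_rules ;;
esac
```

The rollback timer is the part worth copying even if you keep the simpler rule set: it turns a lockout into a one-minute outage instead of a trip to the console. The FORWARD policy is DROP here rather than the post's ACCEPT because a host that is not a router has no business forwarding packets.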
ICMP example. From Windows, before the rule:
C:\Users\Administrator>ping 192.168.9.134

Pinging 192.168.9.134 with 32 bytes of data:
Reply from 192.168.9.134: bytes=32 time<1ms TTL=64
Reply from 192.168.9.134: bytes=32 time<1ms TTL=64
Reply from 192.168.9.134: bytes=32 time<1ms TTL=64
Reply from 192.168.9.134: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.9.134:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
On Linux:
[root@localhost ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
This drops incoming ICMP type 8, the echo request that ping sends. Only that type is blocked: the host can still send its own echo requests, and the type 0 echo replies coming back are not affected.
From Windows, after the rule:
C:\Users\Administrator>ping 192.168.9.134

Pinging 192.168.9.134 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.9.134:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
On Linux:
[root@localhost ~]# ping www.qq.com
PING www.qq.com (120.198.201.156) 56(84) bytes of data.
64 bytes from 120.198.201.156: icmp_seq=1 ttl=128 time=32.3 ms
64 bytes from 120.198.201.156: icmp_seq=2 ttl=128 time=11.9 ms
64 bytes from 120.198.201.156: icmp_seq=3 ttl=128 time=28.6 ms
^C
--- www.qq.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 11.991/24.342/32.349/8.862 ms
[root@localhost ~]# ping 192.168.9.134
PING 192.168.9.134 (192.168.9.134) 56(84) bytes of data.
^C
--- 192.168.9.134 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4001ms
Pinging an external host works, but pinging the host's own address does not: an echo request sent to 192.168.9.134 is delivered back through the INPUT chain, where the new rule drops it.
A problem I ran into during this test: I had put "192.168.9.134 www.qq.com" in /etc/hosts, so ping www.qq.com failed; the reason is that it was pinging the machine's own IP.
[root@localhost ~]# ping www.qq.com
PING www.qq.com (192.168.9.134) 56(84) bytes of data.
^C
--- www.qq.com ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10000ms
The host can ping external hosts, but external hosts can no longer ping it.
Reposted from: https://my.oschina.net/u/3892756/blog/3056542