
Understanding the iptables -m option and its rules

For a detailed description of iptables connection states, see http://os.51cto.com/art/201108/285209.htm

I often see rules like this one on server firewalls:

2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

so I decided it was time to get to grips with iptables.

So let's talk about iptables.

I. First, iptables tracks four connection states

NEW, ESTABLISHED, RELATED, INVALID.

NEW: a host is connecting to the target host; this is the first packet of an intended connection as seen on the target host.

ESTABLISHED: the host is already communicating with the target host; the criterion is simply that the target host has replied to the first packet, after which the connection is in this state.

RELATED: the host is already communicating with the target host and the target host opens a new, related connection, for example with ftp.

INVALID: an invalid packet, for example one whose data is corrupted.

II. Next, what the rules above actually do

You will find this rule:

2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

and you will frequently see this one as well:

3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
# other hosts whose packets do not satisfy the RELATED condition get host-prohibited sent back

They are added with:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

The second rule means: load the state match module and let through every packet whose connection state is RELATED or ESTABLISHED. In other words, allow all connections that are already set up. The visible effect is that this host can ping other hosts, but other hosts cannot ping this host: only replies to packets this host itself sent out are accepted. It is the universal one-liner: let in every response to what we sent out. The specific rules follow it.

The third rule builds on the second: everything the second rule did not match is rejected, and the sender gets a host-prohibited message back. Note that no rule placed below this third rule can ever take effect, while every rule above it does.

III. Words alone prove nothing, so let's run an experiment

1. Adding only iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT has no effect at all:

[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 37 packets, 10438 bytes)

2. Adding both rules (firewall rules as shown in the figure) produces the situation where this host can ping other hosts but other hosts cannot ping it.

Result:

[root@iZuf62ds2bbsfbvox5ivxdZ ~]# ping 123.56.16.77
PING 123.56.16.77 (123.56.16.77) 56(84) bytes of data.
64 bytes from 123.56.16.77: icmp_seq=1 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=2 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=3 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=4 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=5 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=6 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=7 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=8 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=9 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=10 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=11 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=12 ttl=55 time=24.7 ms
^C
--- 123.56.16.77 ping statistics ---
13 packets transmitted, 12 received, 7% packet loss, time 12039ms
rtt min/avg/max/mdev = 24.660/24.720/24.788/0.149 ms
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# exit
logout
Connection to 101.132.109.227 closed.

Welcome to aliyun Elastic Compute Service!

[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
From 101.132.109.227 icmp_seq=14 Destination Host Prohibited
--- 101.132.109.227 ping statistics ---
14 packets transmitted, 0 received, +14 errors, 100% packet loss, time 13480ms

Conclusion: the two rules below must be used together (when the filter table's INPUT chain policy is ACCEPT). When another host's ping arrives, it is rejected outright and host-prohibited is sent back to it.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

One more point needs to be made: when the filter table's INPUT chain default policy is DROP, a packet that hits the rule iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited still gets a host-prohibited message back. A packet that hits no rule gets nothing back and is simply dropped.

Changing the INPUT default policy:

iptables -P INPUT DROP
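To tie sections II and III together, here is an added example that is not from the original post. It writes the post's three INPUT rules in iptables-restore(8) format with a selectable INPUT policy (ACCEPT as in the first experiment, DROP as in the last), and adds a small awk lint for the pitfall described in section II: any rule that is appended below the catch-all REJECT can never match. Port 1212 is taken from the post's listing; the port-80 rule used to trigger the lint is constructed for illustration.

```shell
#!/bin/sh
# Added example: the stateful INPUT chain discussed in the post, emitted in
# iptables-restore(8) format, plus a lint for rules that can never match.
# Port 1212 comes from the post's listing; everything else is constructed.

# build_ruleset POLICY [EXTRA_RULE...]
#   POLICY is the INPUT chain policy (ACCEPT or DROP). EXTRA_RULEs are appended
#   after the catch-all REJECT, which is exactly where a later
#   "iptables -A INPUT ..." lands on a live system.
build_ruleset() {
    policy="$1"
    shift
    printf '%s\n' \
        '*filter' \
        ":INPUT $policy [0:0]" \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 1212 -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    for rule in "$@"; do
        printf '%s\n' "$rule"
    done
    printf 'COMMIT\n'
}

# unreachable_rules < RULESET
#   Prints every -A rule that sits below a catch-all terminating rule (ACCEPT,
#   DROP or REJECT with no match options) in the same chain. Those are the
#   rules the post says "cannot take effect". Only -A (append) is modelled.
unreachable_rules() {
    awk '
    /^-A / {
        chain = $2
        if (dead[chain]) { print "unreachable: " $0; next }
        catchall = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); i++; continue }
            if ($i == "--reject-with") { i++; continue }
            catchall = 0          # any other token is a match option
        }
        if (catchall && (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
            dead[chain] = 1
    }'
}

# Demonstration: the post's ruleset is clean; a port-80 rule appended later
# ends up under the REJECT, so the lint reports it.
build_ruleset DROP | unreachable_rules
build_ruleset DROP '-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT' | unreachable_rules
```

On the host, the generated text is loaded with iptables-restore, and iptables -S INPUT then shows the rules in the same order the lint saw them; a new service port has to be inserted above the REJECT (or the REJECT re-appended after it), never appended below it.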

[root@iZuf62ds2bbsfbvox5ivxdZ ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)

Table: nat
Chain PREROUTING (policy ACCEPT)

Chain POSTROUTING (policy ACCEPT)
1 MASQUERADE all -- 192.168.0.0/16 0.0.0.0/0

13 packets transmitted, 0 received, +13 errors, 100% packet loss, time 12441ms

This article is reposted from the 51CTO blog of 飛奔的小GUI; the original is at http://blog.51cto.com/9237101/2052865. To reproduce it, please contact the original author.

ziwenzhou
