
Linux firewall: iptables match conditions


In the previous post we covered how iptables works, the path a packet takes through the kernel, managing chains and rules, and viewing, importing and exporting rules; see https://www.cnblogs.com/qiuhom-1874/p/12237976.html for a recap. Today we turn to the basic match conditions of iptables.

The basic match conditions of iptables, also called generic matches, are built into iptables/netfilter itself and need no extra module loaded; put simply, they are the native options of the iptables command. iptables has the following basic match conditions.

I. Basic match conditions of iptables


1. [!] -s, --source address[/mask][,…]: matches the packet's source IP address or range. It may be a single IP address or a network address; a network must carry its netmask, written either in dotted form such as 255.255.0.0 or as a prefix length such as 192.168.0.0/24. The condition can also be negated.

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  461 33551 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain -s 192.168.1.0/24 -j ACCEPT
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -j ACCEPT
[root@test ~]# iptables -A my_chain -s 192.168.0.0/255.255.255.0 -j ACCEPT
[root@test ~]# iptables -nvL my_chain
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.0.232        192.168.0.99        
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]# iptables -A my_chain ! -s 192.168.10.0/24 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  946 67475 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.0.232        192.168.0.99        
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *      !192.168.10.0/24      0.0.0.0/0           
[root@test ~]#       

2. [!] -d, --destination address[/mask][,…]: matches the packet's destination IP address or range. It is used exactly like -s: a single host or a network, where a network must carry its netmask, written either as a prefix length or in dotted form. The condition can also be negated.

[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL my_chain
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 22 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.10 -p tcp --dport 3306 -j DROP
[root@test ~]# iptables -A my_chain -d 192.168.10.0/24 -p tcp --dport 25 -j DROP          
[root@test ~]# iptables -A my_chain ! -d 192.168.11.0/255.255.255.0 -p tcp --dport 123 -j DROP     
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1698  123K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.10         tcp dpt:3306
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.10.0/24      tcp dpt:25
    0     0 DROP       tcp  --  *      *       0.0.0.0/0           !192.168.11.0/24      tcp dpt:123
[root@test ~]# 
      

3. [!] -p, --protocol protocol: specifies the protocol. A number may be given, e.g. 0 (all); protocol is one of tcp, udp, icmp, icmpv6, udplite, esp, ah, sctp, mh or "all". See /etc/protocols.

[root@test ~]# iptables -F my_chain 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1752  126K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp --dport 80 -j DROP
[root@test ~]# iptables -A my_chain -s 192.168.0.232 -d 192.168.0.99 -p tcp --dport 23 -j DROP
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --sport 25 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p icmp --icmp-type 0 -j ACCEPT
[root@test ~]# iptables -A my_chain  -s 192.168.0.232 -d 192.168.0.99 -p icmp --icmp-type 8 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2487  179K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 47 packets, 4340 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp spt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 0
    0     0 ACCEPT     icmp --  *      *       192.168.0.232        192.168.0.99         icmptype 8
[root@test ~]# iptables -A my_chain  ! -p udp -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2586  186K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.0.232        192.168.0.99         tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp spt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 0
    0     0 ACCEPT     icmp --  *      *       192.168.0.232        192.168.0.99         icmptype 8
    0     0 ACCEPT    !udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
[root@test ~]#       

Note: when -p selects a protocol, that protocol usually brings some implicit extension options with it. For example, -p tcp selects TCP, and the source or destination port given afterwards belongs implicitly to the tcp module. In other words, once the protocol is tcp we need not name its module with -m; this mechanism is called an implicit extension. The examples above use the implicit extensions --sport and --dport of tcp and --icmp-type of icmp. The protocol given with -p can also be negated with !, which matches packets of every protocol except the one named; omitting -p matches packets of all protocols.

4. [!] -i, --in-interface name: the interface a packet arrives on. It applies only where packets enter, i.e. only in the INPUT, FORWARD and PREROUTING chains and in custom chains.

[root@test ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
       valid_lft forever preferred_lft forever
    inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fe51:af3c/64 scope link 
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:63:ab:82:55 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[root@test ~]# iptables -F my_chain 
[root@test ~]# iptables -nvL my_chain 
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain  -s 192.168.0.0/24 -i enp2s0 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2911  209K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  134 11256 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.99         0.0.0.0/0            tcp spt:53
  134 11256 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  enp2s0 *       192.168.0.0/24       0.0.0.0/0           
[root@test ~]# iptables -A OUTPUT  -i enp2s0 -j ACCEPT
iptables v1.4.21: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.
[root@test ~]# 
      

Note: a custom chain can be referenced from any built-in chain. Rules in a custom chain are not tied to a particular built-in chain; any built-in chain may reference it, but if the reference comes from the wrong chain the rule never takes effect and matches no packets. -i names the interface a packet enters on, so this basic condition can only be used in chains that packets enter through: the built-in chains PREROUTING, INPUT and FORWARD, plus custom chains, which in that case are normally referenced from those three. If such a chain is referenced from OUTPUT or POSTROUTING instead, the rule is ineffective and matches no packets.

5. [!] -o, --out-interface name: the interface a packet leaves on. It applies only where packets exit, i.e. only in the FORWARD, OUTPUT and POSTROUTING chains and in custom chains.

[root@test ~]# ip a s 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
       valid_lft forever preferred_lft forever
    inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fe51:af3c/64 scope link 
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:63:ab:82:55 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[root@test ~]# iptables -F my_chain 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   66  4512 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain  -o enp2s0 -j ACCEPT
[root@test ~]# iptables -A INPUT -o enp2s0 -j DROP
iptables v1.4.21: Can't use -o with INPUT

Try `iptables -h' or 'iptables --help' for more information.
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  238 16280 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 61 packets, 5724 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0           
[root@test ~]# 
      

Note: likewise, -o matches the interface a packet leaves through and cannot be used in chains that packets enter through. In the iptables/netfilter framework, outgoing packets pass only through the three built-in chains FORWARD, OUTPUT and POSTROUTING, so even when -o is used in a custom chain it only takes effect and matches packets when that chain is referenced from FORWARD, OUTPUT or POSTROUTING; iptables refuses it in INPUT or PREROUTING. Note that the FORWARD chain can match both the ingress and the egress interface of a packet.

II. The implicit extension options of tcp/udp/icmp

iptables match conditions fall into basic and extended conditions, and the extended ones into explicit and implicit extensions. The names are self-explanatory: explicit means the module is named explicitly, implicit means it is not. Extended conditions normally require an extension module (/usr/lib64/xtables/*.so) to be loaded before they work. An implicit extension means that when we select a protocol with -p we can use the options of its extension module without naming the module with -m; we do not have to load the module by hand, because the protocol given with -p loads it for us. (This is just my own understanding.)

1. Implicit extension options of the tcp protocol

[!] --source-port, --sport port[:port]: matches the packet's source port; a range of consecutive ports is written with a colon, e.g. 21:25 matches ports 21, 22, 23, 24 and 25.

[root@test ~]# iptables -F my_chain 
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  878 58520 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain  -s 192.168.0.232 -d 192.168.0.99 -p tcp --sport 22 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1324 93312 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 34 packets, 3144 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spt:22
[root@test ~]# 
      

Note: the rule added above matches TCP packets with source address 192.168.0.232, destination address 192.168.0.99 and source port 22, and accepts them. A range of consecutive ports can be written with a colon, and the source port can also be negated, matching every port except those given, as shown below.

[root@test ~]# iptables -A my_chain  -s 192.168.0.232 -d 192.168.0.99 -p tcp --sport 23:30 -j ACCEPT   
[root@test ~]# iptables -nvL my_chain 
Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spts:23:30
[root@test ~]# iptables -A my_chain  -s 192.168.0.232 -d 192.168.0.99 -p tcp ! --sport 40:50 -j ACCEPT     
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1519  107K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spts:23:30
    0     0 ACCEPT     tcp  --  *      *       192.168.0.232        192.168.0.99         tcp spts:!40:50
[root@test ~]# 
      

[!] --destination-port, --dport port[:port]: matches the packet's destination port; a range of consecutive ports is written with a colon, just as with --sport.

[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain  -d 192.168.0.99 -p tcp --dport 22 -j ACCEPT
[root@test ~]# iptables -A my_chain  -d 192.168.0.99 -p tcp --dport 23:25 -j ACCEPT 
[root@test ~]# iptables -A my_chain  -d 192.168.0.99 -p tcp ! --dport 80 -j ACCEPT     
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpts:23:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:!80
[root@test ~]# 
      

[!] --tcp-flags mask comp: matches packets whose TCP flags meet the specification. mask is the comma-separated list of flags to examine, e.g. SYN,ACK,FIN,RST; comp is the comma-separated list of flags within mask that must be set to 1; every flag in mask that is not listed in comp must be 0.

[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A my_chain  -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT
[root@test ~]# iptables -A my_chain  -p tcp --tcp-flags ALL ALL -j DROP
[root@test ~]# iptables -A my_chain  -p tcp --tcp-flags ALL NONE -j DROP   
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 47 packets, 3830 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 39 packets, 3630 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
[root@test ~]# 
      

Note: the rules above accept TCP packets with SYN=1 and the other examined flags 0, drop packets with all flags set, and drop packets with no flags set. This extension can also be negated, matching every packet except those with the specified flags.

[!] --syn: matches the first packet of a TCP handshake; it is equivalent to --tcp-flags SYN,ACK,FIN,RST SYN.

[root@test ~]# iptables -nvL 
Chain INPUT (policy ACCEPT 73 packets, 5582 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 61 packets, 6538 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
[root@test ~]# iptables -A INPUT  -p tcp --syn -j ACCEPT
[root@test ~]# iptables -nvL 
Chain INPUT (policy ACCEPT 11 packets, 804 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8 packets, 864 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
[root@test ~]# 
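The hex pairs `flags:0x17/0x02` and `flags:0x3F/0x3F` in the listings above are the mask and comp lists encoded as TCP flag bits. The following script is an added example, not code from the original post: it reproduces that encoding and the kernel's `(flags & mask) == comp` test for the three rules added to my_chain and for --syn. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces how iptables
# turns "--tcp-flags mask comp" into the "flags:0xMASK/0xCOMP" pair that
# iptables -nvL prints, and how a packet's flag byte is tested against it.
# Bit values are the positions of the six classic flags in the TCP header
# flag byte. Function names are this example's own.

# flag_bit NAME -> numeric bit for one flag keyword (ALL and NONE as in iptables)
flag_bit() {
    case $1 in
        FIN)  echo 1 ;;   # 0x01
        SYN)  echo 2 ;;   # 0x02
        RST)  echo 4 ;;   # 0x04
        PSH)  echo 8 ;;   # 0x08
        ACK)  echo 16 ;;  # 0x10
        URG)  echo 32 ;;  # 0x20
        ALL)  echo 63 ;;  # 0x3F, all six bits
        NONE) echo 0 ;;
        *)    echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_int "SYN,ACK,FIN,RST" -> 23 (the OR of the named bits)
flags_to_int() {
    total=0
    oldifs=$IFS; IFS=,
    for f in $1; do
        bit=$(flag_bit "$f") || { IFS=$oldifs; return 1; }
        total=$(( total | bit ))
    done
    IFS=$oldifs
    echo "$total"
}

# tcp_flags_spec MASK COMP -> "0x17/0x02", the form shown by iptables -nvL
tcp_flags_spec() {
    printf '0x%02X/0x%02X\n' "$(flags_to_int "$1")" "$(flags_to_int "$2")"
}

# tcp_flags_match PKTFLAGS MASK COMP -> success when the rule matches.
# netfilter checks (flags & mask) == comp: bits outside mask are ignored,
# and bits inside mask that are not in comp must be clear.
tcp_flags_match() {
    pkt=$(flags_to_int "$1")
    mask=$(flags_to_int "$2")
    comp=$(flags_to_int "$3")
    [ $(( pkt & mask )) -eq "$comp" ]
}

# page_chain_verdict PKTFLAGS -> verdict of the three rules the post appended
# to my_chain, tried in order; "no match" means the packet falls through to
# the next rule or the chain policy.
page_chain_verdict() {
    if tcp_flags_match "$1" SYN,ACK,FIN,RST SYN; then echo ACCEPT   # same test as --syn
    elif tcp_flags_match "$1" ALL ALL; then echo DROP               # every flag set
    elif tcp_flags_match "$1" ALL NONE; then echo DROP              # no flag set
    else echo "no match"
    fi
}

echo "SYN,ACK,FIN,RST SYN -> $(tcp_flags_spec SYN,ACK,FIN,RST SYN)"   # 0x17/0x02
echo "ALL ALL             -> $(tcp_flags_spec ALL ALL)"               # 0x3F/0x3F
echo "ALL NONE            -> $(tcp_flags_spec ALL NONE)"              # 0x3F/0x00
for pkt in SYN SYN,ACK ACK,PSH SYN,PSH ALL NONE; do
    echo "packet flags $pkt -> $(page_chain_verdict "$pkt")"
done
```

Because PSH is not in the mask, a SYN packet with PSH set is still accepted by the first rule, while a SYN,ACK reply matches none of the three and falls through to the chain policy.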
      

2. Implicit extension options of the udp protocol

[!] --source-port, --sport port[:port]: matches the packet's source port or port range; a range of consecutive ports is written with a colon.

[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1636 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A OUTPUT -p udp --sport 928 -j ACCEPT
[root@test ~]# iptables -A OUTPUT -p udp --sport 111:123 -j ACCEPT   
[root@test ~]# iptables -A OUTPUT -p udp ! --sport 323 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 14 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 10 packets, 1144 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:111:123
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:!323

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 
      

[!] --destination-port, --dport port[:port]: matches the packet's destination port or port range; a range of consecutive ports is written with a colon.

[root@test ~]# iptables -nvL 
Chain INPUT (policy ACCEPT 73 packets, 5156 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 54 packets, 6288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:111:123
    1    76 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:!323

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -A INPUT -p udp --dport 928 -j ACCEPT
[root@test ~]# iptables -A INPUT -p udp --dport 111:123 -j ACCEPT   
[root@test ~]# iptables -A INPUT -p udp ! --dport 323  -j DROP
[root@test ~]# iptables -nvL 
Chain INPUT (policy ACCEPT 14 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:111:123
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:!323

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 10 packets, 1160 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:928
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:111:123
    1    76 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:!323

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 
      

3. Implicit extension options of the icmp protocol

  [!] --icmp-type {type[/code]|typename}

Meaning of the type/code values:

[Image: table of ICMP type/code values and their meanings. Note: the image is taken from the web.]

As the table shows, each type has a different meaning. Take the two most common ICMP types, 0 and 8: type 0 is the echo reply. When we use ping to probe whether a remote host is alive, we send it ICMP type 8 packets; if the host is up it answers with an ICMP type 0 message, otherwise some other type of packet comes back (assuming the remote host applies no controls to ICMP traffic).

With iptables we can allow ourselves to ping others while not allowing others to ping us:

[root@test ~]# iptables -F 
[root@test ~]# iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
[root@test ~]# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
[root@test ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 
      

Note: with the three rules above in iptables, ICMP type 8 packets sent from this host are accepted, type 0 replies returning from the remote host are accepted, and type 8 requests sent to this host are explicitly dropped.


Note: this stops others from using ping to probe whether the firewall host is alive, but afterwards we cannot probe it ourselves either. To allow ourselves to probe, we add a corresponding rule that explicitly accepts the specific ICMP packets.

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 30 packets, 2084 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   15  1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
   35  2940 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   36  3024 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# iptables -I INPUT -s 192.168.0.151 -p icmp --icmp-type 8 -j ACCEPT
[root@test ~]# iptables -A OUTPUT -d 192.168.0.151 -p icmp --icmp-type 0 -j ACCEPT        
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12  1008 ACCEPT     icmp --  *      *       192.168.0.151        0.0.0.0/0            icmptype 8
   15  1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
   46  3864 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 764 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   36  3024 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.151        icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination         
[root@test ~]# 
      

Note: if the default policy of the OUTPUT chain is DROP, both rules above are needed; if the default policy is ACCEPT, a single rule on the INPUT chain accepting packets from the specified source IP is enough.


Note: after the accept rule for the specified source IP is added, that host can ping the firewall host again.
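The ICMP exception above was added with -I rather than -A, and the -s/-d examples in part I showed negation and dotted masks; the following script, an added example that is not part of the original post, models first-match evaluation of such a chain and shows what would have happened had the host rule been appended instead. Rule sets are constructed from the post's listings; ports and ICMP types are folded into a "tcp:22" / "icmp:8" protocol token, a simplification of the real --dport / --icmp-type matches, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: a first-match evaluator
# for the -s / -d / -p conditions shown in this post, including "!" negation
# and dotted-decimal masks. Rule sets are constructed from the post's
# examples; a port or ICMP type is folded into the protocol token as
# "tcp:22" / "icmp:8", a simplification of --dport / --icmp-type.

# ip4_to_int a.b.c.d -> 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_match ADDR SPEC: SPEC is "a.b.c.d", "a.b.c.d/N" or "a.b.c.d/M.M.M.M".
# iptables accepts both mask forms and normalises the dotted one to /N,
# which is why -s 192.168.0.0/255.255.255.0 is listed as 192.168.0.0/24.
net_match() {
    addr=$(ip4_to_int "$1")
    case $2 in
        */*) net=${2%/*}; m=${2#*/} ;;
        *)   net=$2; m=32 ;;          # a bare host address means /32
    esac
    case $m in
        *.*) mask=$(ip4_to_int "$m") ;;
        *)   mask=$(( m == 0 ? 0 : (4294967295 << (32 - m)) & 4294967295 )) ;;
    esac
    [ $(( addr & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# addr_match ADDR SPEC: a leading "!" inverts the match, like "! -s" / "! -d"
addr_match() {
    case $2 in
        !*) ! net_match "$1" "${2#!}" ;;
        *)  net_match "$1" "$2" ;;
    esac
}

# proto_match PROTO SPEC: "all" matches anything; a leading "!" inverts, like "! -p"
proto_match() {
    case $2 in
        all) return 0 ;;
        !*)  [ "$1" != "${2#!}" ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# evaluate_chain RULES POLICY SRC DST PROTO -> prints the verdict.
# RULES holds one rule per line as "src dst proto target". Rules are tried
# top to bottom and the first match decides, as in a netfilter chain; when
# nothing matches, the chain policy applies.
evaluate_chain() {
    verdict=$(printf '%s\n' "$1" | while read -r rsrc rdst rproto target; do
        [ -n "$rsrc" ] || continue
        if addr_match "$3" "$rsrc" && addr_match "$4" "$rdst" \
           && proto_match "$5" "$rproto"; then
            echo "$target"
            break
        fi
    done)
    echo "${verdict:-$2}"
}

# Constructed INPUT chain as the post built it: the host rule was inserted
# with -I, so it sits above the generic "icmptype 8 -> DROP" rule.
INPUT_INSERTED='192.168.0.151 0.0.0.0/0 icmp:8 ACCEPT
0.0.0.0/0 0.0.0.0/0 icmp:0 ACCEPT
0.0.0.0/0 0.0.0.0/0 icmp:8 DROP'

# The same three rules if the host rule had been appended with -A instead:
# the DROP above it wins and the exception is never reached.
INPUT_APPENDED='0.0.0.0/0 0.0.0.0/0 icmp:0 ACCEPT
0.0.0.0/0 0.0.0.0/0 icmp:8 DROP
192.168.0.151 0.0.0.0/0 icmp:8 ACCEPT'

# my_chain from the -d section: a dotted mask and a negated destination
MY_CHAIN='0.0.0.0/0 192.168.0.99 tcp:22 ACCEPT
0.0.0.0/0 192.168.0.10 tcp:3306 DROP
0.0.0.0/0 192.168.10.0/24 tcp:25 DROP
0.0.0.0/0 !192.168.11.0/255.255.255.0 tcp:123 DROP'

for src in 192.168.0.151 192.168.0.232; do
    echo "echo request from $src:" \
         "inserted=$(evaluate_chain "$INPUT_INSERTED" ACCEPT "$src" 192.168.0.99 icmp:8)" \
         "appended=$(evaluate_chain "$INPUT_APPENDED" ACCEPT "$src" 192.168.0.99 icmp:8)"
done
echo "tcp:123 to 192.168.11.7: $(evaluate_chain "$MY_CHAIN" ACCEPT 10.1.1.1 192.168.11.7 tcp:123)"  # ACCEPT (policy)
echo "tcp:123 to 192.168.12.7: $(evaluate_chain "$MY_CHAIN" ACCEPT 10.1.1.1 192.168.12.7 tcp:123)"  # DROP
```

The negated destination rule drops port 123 traffic to every host except the 192.168.11.0/24 network, which falls through to the chain policy; a packet from 192.168.0.151 is accepted only while its rule precedes the generic DROP.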

That covers the commonly used implicit extension options of the tcp, udp and icmp protocols.

Author: Linux-1874

Source: https://www.cnblogs.com/qiuhom-1874/

Copyright of this article is shared by the author and cnblogs. Reposting is welcome, but unless the author agrees otherwise this notice must be kept and a link to the original must be given prominently on the article page; otherwise the right to pursue legal liability is reserved.
