
[9.25] Daily operations: netfilter tables and iptables syntax

  • 10.12 firewalld and netfilter
  • 10.13 netfilter: 5 tables and 5 chains
  • 10.14 iptables syntax
    • Common iptables options
  • 10.15 iptables filter table example

10.12 firewalld and netfilter

  • Temporarily disable SELinux (takes effect at once, does not survive a reboot)
# setenforce 0
# getenforce 
Permissive
           
  • Permanently disable SELinux

    In the config file /etc/selinux/config set SELINUX= to disabled. Mind the exact spelling: disabled, not disable; the only valid values are the three listed in the file's own comments. The change takes effect at the next boot.

# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
           

permissive mode does not block anything: actions that enforcing mode would deny are only logged (to the audit log), nothing is shown on the terminal. Because it still records the denials, permissive is preferable to disabled when SELinux only needs to be out of the way for a while.

  • Before CentOS 7 the firewall was managed with the iptables service; from CentOS 7 the default front end is firewalld

    Both are user-space tools that program the same kernel packet-filtering framework, netfilter, so the iptables command syntax is unchanged

  • Disable firewalld and switch to the iptables service
# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
# systemctl stop firewalld
           
# yum install -y iptables-services
(output omitted)
           
# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
# systemctl start iptables
           
  • The default rule set loaded by the iptables service:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   29  1924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 16 packets, 1488 bytes)
 pkts bytes target     prot opt in     out     source 
           

10.13 netfilter: 5 tables and 5 chains

  • netfilter has 5 tables: filter, nat, mangle, raw, security
  • The 5 chains overall are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING; each table uses the subset listed below
  • filter has 3 chains:

    INPUT acts on packets addressed to this host

    FORWARD acts on packets that merely pass through this host (neither from nor to it)

    OUTPUT acts on packets generated by this host

  • nat has 3 chains:

    PREROUTING changes a packet's destination address as soon as it reaches the firewall (DNAT)

    OUTPUT changes the destination address of locally generated packets

    POSTROUTING changes a packet's source address just before it leaves the firewall (SNAT)

  • The mangle, raw and security tables are rarely needed in day-to-day administration (mangle alters packet headers or marks, raw exempts traffic from connection tracking, security handles SELinux labels), so these notes cover only filter and nat
  • Diagram of how iptables passes a packet through the chains (image not reproduced here)
    Reference: http://www.cnblogs.com/metoy/p/4320813.html

A packet enters through the network card and first hits the PREROUTING chain. The routing decision then checks the destination IP: if it is not this host, the packet is forwarded, passing through the FORWARD chain and then the POSTROUTING chain on its way out.

If the destination IP is this host, the packet goes through the INPUT chain to the local process. Whatever that process sends back leaves through the OUTPUT chain and finally the POSTROUTING chain.

Summary:

Addressed to this host: PREROUTING -> INPUT -> (local process) -> OUTPUT -> POSTROUTING

Passing through this host: PREROUTING -> FORWARD -> POSTROUTING

10.14 iptables syntax

  • iptables -nvL lists the rules (-L list, -n numeric addresses and ports with no DNS lookups, -v show the packet and byte counters)
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   93  6690 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   14  1877 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 85 packets, 7970 bytes)
 pkts bytes target     prot opt in     out     source               destination 
           
  • The persistent rules are kept in /etc/sysconfig/iptables
# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
           
  • iptables -F flushes (empties) all rules of the table
# iptables -F 
# iptables -nvL
Chain INPUT (policy ACCEPT 34 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 18 packets, 1688 bytes)
 pkts bytes target     prot opt in     out     source               destination
           

-F only empties the rules currently loaded in the kernel; the configuration file is untouched, so a restart of the service loads them again.

To make a change permanent, write it to the configuration file with service iptables save (it stores the live rules in /etc/sysconfig/iptables).

  • service iptables save stores the live rules
  • Rebooting the server or restarting the service reloads the rules from the file
# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14   924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 8 packets, 864 bytes)
 pkts bytes target     prot opt in     out     source               destination 
           

Both a reboot and a restart of the iptables service load the rules from /etc/sysconfig/iptables.

  • Without -t, iptables works on the filter table: iptables -nvL is the same as iptables -t filter -nvL (there is no table called netfilter; netfilter is the kernel framework the tables belong to)
  • iptables -t nat -nvL lists the nat table
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
           
  • iptables -Z zeroes the packet and byte counters
# iptables -Z; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
           

Common iptables options

  • Common options
Option      Meaning
-t          table to operate on (filter when omitted)
-A          append a rule to the end of a chain (-A INPUT: the chain it applies to)
-I          insert a rule at the top of a chain (or at position n: -I INPUT n ...)
-D          delete a rule, given either its full specification or its number
-F          flush all rules of a chain or table
-Z          zero the counters
-P          set a chain's default policy
-s          source IP or network (source)
-d          destination IP or network
-p          protocol (tcp, udp, icmp)
--sport     source port (needs -p tcp or -p udp)
--dport     destination port (needs -p tcp or -p udp)
-i          input network interface
-j          target: ACCEPT lets the packet through; DROP discards it silently; REJECT discards it and sends the sender an error (icmp-port-unreachable unless --reject-with says otherwise; the default rule set uses icmp-host-prohibited)
  • iptables -A appends a rule (it goes to the end of the chain, behind everything already there)
# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  413 28732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   946 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
 pkts bytes target     prot opt in     out     source               destination 
           
  • iptables -I inserts a rule at the top of the chain (it jumps the queue)
# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  524 36068 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   946 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination 
           

Rules are evaluated top to bottom and the first match wins: once a packet has matched a rule, the rules below it are never consulted. That is why the rule appended with -A above, sitting below the catch-all REJECT, can never match anything, while the one inserted with -I takes effect immediately.

  • iptables -D deletes a rule by repeating its specification
# iptables -D INPUT -p tcp --dport 80 -j DROP
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  584 40828 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   946 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination
           

When a rule is long and you no longer remember its exact specification, deleting it with iptables -D plus the full specification is awkward

There is a simpler way

  • Deleting a rule by number

    1. list the rules with their numbers; 2. delete the rule by its number

# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      654 45448 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        5  1175 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 32 packets, 4368 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
# iptables -D INPUT 7
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      717 49616 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        5  1175 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 10 packets, 2232 bytes)
num   pkts bytes target     prot opt in     out     source               destination
           
  • iptables -i restricts a rule to the interface the packet arrived on (-i lo in the default rule set matches loopback traffic)
  • Rule numbers are positions, not identifiers: after a deletion the rules below it move up by one, so list again before deleting another rule by number
  • Default policy: a packet that matches no rule in the chain gets the chain's default policy
  • Changing the default policy: iptables -P OUTPUT DROP (run over SSH, this cuts the session off at once, because the host can no longer send replies, and the rules can only be fixed from the console)
  • Restoring it: iptables -P OUTPUT ACCEPT

The three targets used in the filter table: ACCEPT (let the packet through), DROP (discard silently; the sender sees a timeout) and REJECT (discard and send back an error; the sender fails immediately)
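The rules of this section (chains are read top to bottom and the first match wins; -A appends, so a rule appended below the catch-all REJECT never fires; -I inserts at the top; a packet that matches nothing gets the chain's policy; -F empties the chains but leaves the policies) can be checked without touching a live host. The Python script below is an added example written for these notes, not part of iptables or of the original post: it parses rules in the /etc/sysconfig/iptables format shown above, understanding only the matches that appear on this page, and reports what the filter table would do with a given packet, choosing INPUT or FORWARD the way the routing decision in 10.13 does. The packets, the interface name ens33 and the host address 192.168.188.128 are constructed test input.

```python
# Added example for these notes (not iptables code): parse /etc/sysconfig/iptables
# (iptables-save format) and evaluate the filter table offline, first match wins.
import ipaddress
import shlex

# The CentOS 7 default rule set shown in the notes, embedded here as constructed input.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# iptables option -> packet field it is compared against exactly (only the page's matches)
EXACT = {"-p": "proto", "-i": "in_if", "--sport": "sport", "--dport": "dport"}

def parse_rule(chain: str, argv: list) -> dict:
    """Options after '-A CHAIN' / '-I CHAIN' -> rule dict; anything unknown is refused."""
    rule, opts = {"chain": chain}, iter(argv)
    for opt in opts:
        val = next(opts, None)
        if opt in EXACT or opt in ("-j", "--reject-with"):
            rule[opt] = int(val) if opt in ("--sport", "--dport") else val
        elif opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(val, strict=False)
        elif opt == "--state":
            rule[opt] = set(val.split(","))
        elif opt != "-m":                 # "-m state" / "-m tcp" only name a match module
            raise ValueError(f"unsupported option {opt!r} in {chain} rule")
    if rule.get("-j") not in ("ACCEPT", "DROP", "REJECT"):
        raise ValueError(f"unsupported target in {chain} rule: {argv}")
    return rule

def parse_rules(text: str) -> tuple:
    """({chain: policy}, [rules in file order]) from a saved *filter table."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):                           # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            argv = shlex.split(line)
            rules.append(parse_rule(argv[1], argv[2:]))  # *filter, COMMIT, comments skipped
    return policies, rules

def add_rule(rules: list, command: str) -> None:
    """'iptables -A CHAIN ...' appends to the chain; 'iptables -I CHAIN ...' inserts at its top."""
    action, chain, *rest = shlex.split(command)[1:]
    if action not in ("-A", "-I"):
        raise ValueError(f"only -A and -I are modelled: {command}")
    same = [i for i, r in enumerate(rules) if r["chain"] == chain]
    end = same[-1] + 1 if same else len(rules)
    rules.insert(end if action == "-A" or not same else same[0], parse_rule(chain, rest))

def matches(rule: dict, pkt: dict) -> bool:
    """Every option present on the rule must hold; absent options match anything."""
    for opt, key in EXACT.items():
        if opt in rule and pkt.get(key) != rule[opt]:
            return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in rule[opt]:
            return False
    return "--state" not in rule or pkt.get("state", "NEW") in rule["--state"]

def verdict(policies: dict, rules: list, pkt: dict, local_ips: set) -> str:
    """10.13 routing decision picks the chain (INPUT for our own IPs, else FORWARD); the
    chain is walked top to bottom, first match decides, no match -> default policy."""
    chain = "INPUT" if pkt["dst"] in local_ips else "FORWARD"
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            if rule["-j"] == "REJECT":
                return f"{chain}: REJECT ({rule.get('--reject-with', 'icmp-port-unreachable')})"
            return f"{chain}: {rule['-j']}"
    return f"{chain}: {policies[chain]} (policy)"

def demo() -> dict:
    """Scenarios from the notes with constructed packets; host 192.168.188.128 on ens33."""
    policies, rules = parse_rules(DEFAULT_RULES)
    def v(pkt): return verdict(policies, rules, pkt, {"192.168.188.128"})
    ssh = dict(proto="tcp", src="192.168.188.1", dst="192.168.188.128", sport=51000, dport=22, state="NEW", in_if="ens33")
    http = dict(ssh, dport=80)
    out = {"new ssh": v(ssh), "new http": v(http), "http reply": v(dict(http, state="ESTABLISHED")),
           "transit": v(dict(ssh, dst="10.0.0.5"))}
    add_rule(rules, "iptables -A INPUT -p tcp --dport 80 -j DROP")   # lands below the catch-all REJECT
    out["http after -A"] = v(http)
    add_rule(rules, "iptables -I INPUT -p tcp --dport 80 -j DROP")   # goes to the top of INPUT
    out["http after -I"] = v(http)
    rules.clear()                                                     # what iptables -F does
    out["http after -F"] = v(http)
    return out
```

demo() walks the exact sequence from the notes: new SSH is accepted by rule 4, new HTTP falls to the catch-all REJECT, an ESTABLISHED reply is accepted by rule 1, a packet for another host goes to FORWARD and is rejected there, the DROP appended with -A changes nothing, the same rule inserted with -I drops HTTP, and after -F the policy ACCEPT is all that is left. To check a real host, feed parse_rules() the output of iptables-save; the parser refuses options it does not model (a ! negation, a multiport match) rather than guessing, so an unsupported rule shows up as an error instead of a wrong verdict.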

10.15 iptables filter table example

  • A small iptables script
# vi /usr/local/sbin/iptables.sh
#!/bin/bash
# Full path to the binary, so the script does not depend on $PATH (e.g. when run from cron)
ipt="/usr/sbin/iptables"
# Start from an empty filter table
$ipt -F
# Default policies: drop inbound packets no rule accepts, allow everything outbound and forwarded
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# Replies to connections this host opened, and related traffic, are always allowed
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH only from the management network
$ipt -A INPUT -s 192.168.194.0/24 -p tcp --dport 22 -j ACCEPT
# HTTP and the FTP control port from anywhere
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
(save and exit vi with :wq)
           

ipt="/usr/sbin/iptables"

Defines a variable ipt for convenience; use the full path to the binary

$ipt -F

Flushes the existing rules

$ipt -P INPUT DROP

Sets the default policy of INPUT to DROP

$ipt -P OUTPUT ACCEPT

$ipt -P FORWARD ACCEPT

OUTPUT and FORWARD default to ACCEPT

$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Adds a rule: -m state loads the state match, and packets in the RELATED or ESTABLISHED state are let through

$ipt -A INPUT -s 192.168.194.0/24 -p tcp --dport 22 -j ACCEPT

Adds a rule: TCP packets from the 192.168.194.0/24 network to port 22 are let through

$ipt -A INPUT -p tcp --dport 80 -j ACCEPT

$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

TCP packets to ports 80 and 21 are let through

Two things to check before running this on a host you reach over SSH. First, the script sets the INPUT policy to DROP before it adds any ACCEPT rule, so if a later line fails (a typo is enough) the host is left dropping everything; setting the policy as the last step avoids that. Second, compared with the default rule set above it has no -i lo rule and no icmp rule, so services on this host that talk to each other over loopback will break and the host stops answering ping. Only run it from an address inside 192.168.194.0/24, otherwise your own session is cut off.

  • Running it:
# sh /usr/local/sbin/iptables.sh 
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   32  2112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.194.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1596 bytes)
 pkts bytes target     prot opt in     out     source               destination
           
  • 恢複預設狀态:
[[email protected] ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   40  2640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 21 packets, 1964 bytes)
 pkts bytes target     prot opt in     out     source               destination
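Before running a script like the one above over SSH it is worth checking that it cannot lock you out. The Python lint below is an added example written for these notes, not part of iptables or of the original post: it reads the iptables calls out of the script text and reports the problems that would cost the administrator their session, or silently break the host, once the INPUT policy is DROP. The page's script is embedded as constructed input next to a corrected version that sets the policy last and adds the loopback and ICMP rules the default rule set has; the administrator address 192.168.194.1 and the outsider address 10.9.8.7 are assumptions.

```python
# Added example for these notes (not iptables code): pre-flight lint for a shell
# script that sets the INPUT policy to DROP, run before executing it over SSH.
import ipaddress
import shlex

# The script from the notes, embedded here as constructed input.
PAGE_SCRIPT = """\
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.194.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
"""

# Same intent, with the DROP policy set last and the loopback and ICMP rules that the
# distribution's default rule set has (constructed corrected version).
FIXED_SCRIPT = """\
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -p icmp -j ACCEPT
$ipt -A INPUT -s 192.168.194.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
$ipt -P INPUT DROP
"""


def iptables_calls(script: str) -> list:
    """argv (without the command itself) of every line that invokes iptables."""
    calls = []
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)
        if argv and (argv[0] in ("$ipt", "iptables") or
                     (argv[0].startswith("/") and argv[0].endswith("/iptables"))):
            calls.append(argv[1:])
    return calls


def opt(argv: list, name: str):
    """Value following option `name`, or None when the option is absent."""
    return argv[argv.index(name) + 1] if name in argv[:-1] else None


def lint_lockout(script: str, admin_ip: str, ssh_port: str = "22") -> list:
    """Problems that would cut off an administrator connecting from admin_ip, or
    silently break the host, once the script runs.  Empty list: nothing found."""
    calls = iptables_calls(script)
    drop_at = next((i for i, a in enumerate(calls) if a[:3] == ["-P", "INPUT", "DROP"]), None)
    if drop_at is None:
        return []                          # INPUT policy unchanged, nothing to lock out with
    accepts = [(i, a) for i, a in enumerate(calls)
               if a[:2] == ["-A", "INPUT"] and opt(a, "-j") == "ACCEPT"]
    findings = []
    if any(i > drop_at for i, _ in accepts):
        findings.append("policy set to DROP before the ACCEPT rules: set it last, or a "
                        "failure partway through the script leaves the host unreachable")

    def allows_ssh(a: list) -> bool:
        src = opt(a, "-s")
        in_src = src is None or ipaddress.ip_address(admin_ip) in ipaddress.ip_network(src, strict=False)
        return opt(a, "-p") == "tcp" and opt(a, "--dport") == ssh_port and in_src

    if not any(allows_ssh(a) for _, a in accepts):
        findings.append(f"no ACCEPT for tcp/{ssh_port} from {admin_ip}")
    if not any("ESTABLISHED" in (opt(a, "--state") or "") for _, a in accepts):
        findings.append("no RELATED,ESTABLISHED ACCEPT: replies to connections this host opens are dropped")
    if not any(opt(a, "-i") == "lo" for _, a in accepts):
        findings.append("no ACCEPT for -i lo: local services talking over loopback break")
    if not any(opt(a, "-p") == "icmp" for _, a in accepts):
        findings.append("no ACCEPT for icmp: the host stops answering ping")
    return findings


def demo() -> dict:
    """Lint both scripts for an admin at 192.168.194.1 (assumed) and an outsider at 10.9.8.7."""
    return {"page": lint_lockout(PAGE_SCRIPT, "192.168.194.1"),
            "fixed": lint_lockout(FIXED_SCRIPT, "192.168.194.1"),
            "outsider": lint_lockout(FIXED_SCRIPT, "10.9.8.7")}
```

For the page's script the lint reports three findings (policy set before the rules, no loopback rule, no ICMP rule); the corrected script passes for an administrator inside 192.168.194.0/24 and fails only for an outsider, who has no SSH ACCEPT. Pass your own address as admin_ip (the one shown by who or in $SSH_CLIENT), since the rule that keeps you connected is the one matching the network you actually come from.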
           
  • icmp example:

    With the default rule set, pinging this host's own IP works

  • Pinging an outside name also works (in this lab the name resolves to 192.168.194.150, so the reply actually comes from the local network rather than from the Internet)
# ping www.baidu.com
PING www.baidu.com (192.168.194.150) 56(84) bytes of data.
64 bytes from www.baidu.com (192.168.194.150): icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from www.baidu.com (192.168.194.150): icmp_seq=2 ttl=64 time=0.042 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.030/0.036/0.042/0.006 ms
           
  • After adding the rule below, this host can no longer be pinged (echo requests, ICMP type 8, are dropped on the way in, including the ones it sends to its own address, because the rule sits above the -i lo ACCEPT), but it can still ping others: the echo replies coming back are type 0 and are not affected

iptables -I INPUT -p icmp --icmp-type 8 -j DROP