iptables usage

------------Practice-----------------

1 iptables -L -v lists the rules with their packet and byte counters (note the counts for the INPUT and OUTPUT chains: a rule whose counter stays at 0 is never being hit, which is the quickest check that a rule sits in the right place). Add -n to skip reverse DNS lookups, which otherwise make the listing slow.


2  iptables-save >/root/my.active.firewall.rules

   iptables-restore </root/my.active.firewall.rules
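Items 1 and 2 save a ruleset with iptables-save and put it back with iptables-restore. The script below is an added example (not from these notes) that combines the two into a safe way to roll out a new firewall over SSH: it keeps a backup of the live rules, syntax-checks the new ones with iptables-restore --test, loads them, and restores the backup after a timeout unless you confirm from a session that still works, so a typo in the rules cannot lock you out. The ruleset it generates (policy DROP, loopback, conntrack, rate-limited ping, SSH/HTTP/HTTPS, MySQL from an admin subnet, a rate-limited LOG of the rest) and the subnet 192.168.100.0/24, backup path, pid file and timeout are all assumptions to adjust for your host.

```sh
#!/bin/sh
# Added example, not part of the original notes. Builds a ruleset in the
# format iptables-save writes, applies it with iptables-restore, and arms a
# rollback timer that restores the previous rules unless confirmed.
# Assumed values (hypothetical): admin subnet, backup path, pid file, timeout.
set -u

ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"
BACKUP="${BACKUP:-/root/my.active.firewall.rules}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
PIDFILE="${PIDFILE:-/run/fw-rollback.pid}"

# Print the complete ruleset on stdout. Order matters: loopback and
# ESTABLISHED,RELATED come first so return traffic is accepted at once,
# each rate-limited ACCEPT is followed by its DROP, and whatever is left
# is logged (rate-limited) before the INPUT policy drops it.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 3306 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/minute --limit-burst 20 -j LOG --log-prefix "fw-drop: " --log-level warning
COMMIT
EOF
}

# Save the live rules, check and load the new ones, then start a timer
# that puts the saved rules back unless confirm_rules cancels it.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    build_ruleset | iptables-restore --test || return 1   # parse only, no commit
    build_ruleset | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo $! > "$PIDFILE"
    echo "rules applied; run '$0 --confirm' within ${ROLLBACK_SECS}s to keep them"
}

# Cancel the rollback timer and make the new rules the saved baseline.
confirm_rules() {
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    iptables-save > "$BACKUP"
}

case "${1:-}" in
    --apply)   apply_with_rollback ;;
    --confirm) confirm_rules ;;
    *)         build_ruleset ;;   # default: print the ruleset for review
esac
```

Run it with no arguments to review the generated rules, with --apply (as root) to load them, and with --confirm from a fresh SSH session to keep them; if that second session cannot connect, the timer puts the old rules back on its own.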

3 Delete a rule

-L --line-numbers shows the rules with their line numbers (plain -L does not)

-D deletes a rule either by its line number (iptables -D INPUT followed by the number) or by repeating the exact rule specification, as here:

iptables -D INPUT -s 192.168.1.1/24 -j DROP

After a deletion the rules below it move up by one, so list again before deleting by number a second time.


4 Logging with iptables: the LOG target writes a kernel log line for each matching packet and then continues with the next rule (it is non-terminating, so it needs a DROP or ACCEPT after it). See the LOG rule in the section below on iptables flooding the server screen.


5 Block ICMP packets (drop incoming echo requests, i.e. ping)

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP


6

The following accepts only a limited set of ICMP types:
### ** assumes the default INPUT policy is set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

destination-unreachable includes "fragmentation needed" (type 3, code 4), which path MTU discovery depends on; dropping it silently breaks large transfers. If the DROP from item 5 is still in the chain above these rules it matches first and the echo-request ACCEPT never fires: delete it, or insert these rules above it.


7 Allow a range of IP addresses to reach Apache (port 80)

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT


8 Optimization

Established Connections and Restarting The Firewall

When you restart the iptables service under RHEL / Fedora / CentOS Linux it drops established connections, because the init script unloads the netfilter modules and the connection-tracking table goes with them, so nothing matches ESTABLISHED any more. Edit /etc/sysconfig/iptables-config (a shell fragment sourced by the init script, so no spaces around the equals sign) and set IPTABLES_MODULES_UNLOAD as follows:

IPTABLES_MODULES_UNLOAD="no"


Help, iptables is flooding my server screen

--log-level sets the syslog priority of the kernel message the LOG target emits (the default is warning); crit is a higher priority, not a quieter one. Whether the line is also printed on the console is decided by the kernel console log level (dmesg -n 1, or kernel.printk via sysctl) and by where rsyslog routes the kern facility, and since the console filter drops messages below its threshold, a higher priority makes a line more likely to reach the console, not less. Lower the console level, add --log-prefix so the lines are easy to grep, and put -m limit in front of the LOG target so a scan cannot fill the disk. The basic form:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit



Note: if nothing shows up in /var/log/messages, try restarting the rsyslog service (the LOG target only writes to the kernel ring buffer; check dmesg to see whether the rule fires at all).
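Once the LOG rule is prefixed and rate-limited, the interesting question is who is hitting it and on which ports. The script below is an added example (not from these notes) that summarises the kernel log lines such a rule produces: hits per source, ports probed by one source, and sources above a noise threshold. It assumes the prefixed rule shown in its header comment (address and prefix are hypothetical); SAMPLE_LOG is constructed in the format the LOG target writes, not a real capture, and the hostnames and addresses in it are made up.

```sh
#!/bin/sh
# Added example, not part of the original notes. Summarises the lines a
# rate-limited, prefixed LOG rule writes to the kernel log. The rule this
# assumes (run as root; address and prefix are hypothetical):
#   iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
#       -m limit --limit 10/minute --limit-burst 20 \
#       -j LOG --log-prefix "www-probe: " --log-level warning
# SAMPLE_LOG is constructed in the format the LOG target emits; it is not
# a real capture, and the hosts and addresses in it are made up.
set -u

PREFIX="www-probe: "

SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: www-probe: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=40212 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: www-probe: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=40213 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: www-probe: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:05 web1 kernel: www-probe: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1236 DF PROTO=TCP SPT=40214 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:07 web1 sshd[2211]: Accepted publickey for admin from 192.168.100.7 port 50022 ssh2
Mar  3 10:15:09 web1 kernel: www-probe: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=778 PROTO=UDP SPT=5353 DPT=5353 LEN=20'

# Keep only lines carrying our prefix, pull the KEY=value field named in
# $1 out of each, and count the values: prints "count value", highest first.
count_field() {
    grep -F "$PREFIX" | awk -v key="$1=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key) == 1) n[substr($i, length(key) + 1)]++
    } END { for (v in n) print n[v], v }' | sort -rn
}

# Sources ranked by number of logged packets.
hits_by_src() { count_field SRC; }

# Destination ports probed by one source address.
ports_for_src() { grep -F "SRC=$1 " | count_field DPT; }

# Sources that produced at least $1 logged packets, one per line.
noisy_sources() { hits_by_src | awk -v t="$1" '$1 >= t { print $2 }'; }

printf '%s\n' "$SAMPLE_LOG" | hits_by_src
printf '%s\n' "$SAMPLE_LOG" | ports_for_src 1.2.3.4
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

On a live host feed the functions from the log instead of the sample (grep 'www-probe: ' /var/log/messages | hits_by_src, or dmesg | hits_by_src); the output of noisy_sources is what you would turn into temporary DROP rules as in the "Block a specific IP address" item below.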


Block a specific IP address

Before we proceed with the other examples: if you want to block a specific IP address, do that first, as shown below. Change "x.x.x.x" in the following example to the IP address you want to block.

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

This is helpful when you find strange activity from a specific IP address in your log files and want to block it temporarily while you investigate. Rule order matters: iptables stops at the first terminating match, and -A appends to the end of the chain, so if an ACCEPT for the same traffic already sits above this rule the DROP never fires. When the chain is not empty, insert it at the top instead (-I INPUT 1 ...).


10 Allow Incoming HTTP and HTTPS

The following rules allow all incoming web traffic, i.e. HTTP traffic to port 80. The OUTPUT rules only matter if the OUTPUT policy is DROP; with OUTPUT ACCEPT (as in item 15 below) they are redundant. -m state is the older spelling of -m conntrack --ctstate and is still accepted.

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

The following rules allow all incoming secure web traffic, i.e. HTTPS traffic to port 443.

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT



The following example allows all incoming SSH, HTTP and HTTPS traffic.

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

11 Allow Loopback Access
You should allow full loopback access on your servers, i.e. access using 127.0.0.1:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

12 Allow MySQL connections only from a specific network
If you are running MySQL, you typically don't want to allow direct connections from outside. In most cases the web server runs on the same host as the MySQL database. However, DBAs and developers might need to log in to MySQL directly from their laptops and desktops with a MySQL client. In that case you might want to allow your internal network to talk to MySQL directly, as shown below:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
13 Prevent DoS attacks
The following iptables rule is meant to help protect a web server against a denial-of-service (DoS) flood:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

Two caveats before using it as written. It only does anything if a DROP follows it (a later rule or the chain policy), since the limit match merely decides which packets this ACCEPT applies to. And because it matches every packet to port 80, not just connection attempts, once the bucket is empty the packets of already established sessions fall through to that DROP as well; restrict it to new connections (--syn, or -m conntrack --ctstate NEW) and keep an ESTABLISHED,RELATED ACCEPT above it.

14


15 A default-deny INPUT chain
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
/sbin/iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p all -m state --state INVALID,NEW -j DROP

Notes on this list: ICMP type 8 is echo-request, so the host will not answer pings. The ESTABLISHED,RELATED rule is evaluated last, so return traffic for connections the host itself opened walks the whole chain before it is accepted; moving that rule up to just below the loopback rule avoids this. With the INPUT policy already DROP, the final INVALID,NEW DROP changes nothing. Ports 139 and 445 (SMB), 631 (CUPS) and 3306 (MySQL) are opened to the whole world here; add -s for the networks that actually need them, or leave them closed.
16 Insert a rule at a specific position
# First get the iptables list with the line numbers enabled
$ iptables -nL --line-numbers
# Look up the line number you want to use (the existing rule will shift down) and insert your rule
$ iptables -I INPUT {LINE_NUMBER} -i eth1 -p tcp --dport 21 -s 123.123.123.123 -j ACCEPT -m comment --comment "This rule is here for this reason"
# Afterwards I always save my rules to a file in etc so I can reload them at the next reboot
$ iptables-save > /etc/iptables.local
# (To do this, add the following rule to your /etc/rc.local file)
/sbin/iptables-restore < /etc/iptables.local

17 Rate-limit pings. The limit match fires only while its token bucket still has tokens, so the matched (in-budget) packets must be ACCEPTed and everything above the budget dropped by a following rule. Written as "-m limit ... -j DROP" on its own the logic inverts: the first 3 pings per second are dropped and a flood above that passes. The pair below (inserted as rule 1 and rule 2, so the ACCEPT is evaluated first) does it the right way round; "ping" is the alias iptables accepts for echo-request.

iptables -I INPUT -p icmp --icmp-type ping -m limit --limit 3/s -j ACCEPT
iptables -I INPUT 2 -p icmp --icmp-type ping -j DROP

18 Replace a rule in place: -R takes the chain and the rule number, here raising the budget of rule 1 to 10 pings per second without touching the DROP below it

iptables -R INPUT 1 -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT
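Both the port-80 DoS rule above and the ICMP limit rules rely on the limit match, whose semantics are easy to get backwards. The script below is an added example (not from these notes) that models the match as a token bucket refilled once per interval, an approximation of the continuously refilled bucket netfilter uses, and counts how many packets of a flood get through under the two rule shapes: limit then ACCEPT followed by DROP, versus limit then DROP on its own. The flood sizes are constructed; the corrected rule shapes in the trailing comment are the ones the caveats above describe.

```sh
#!/bin/sh
# Added example, not from the original notes. Discrete model of the
# iptables "limit" match: a token bucket of size BURST, refilled by RATE
# tokens per interval, that matches a packet only while a token is left.
# netfilter refills continuously; refilling once per interval is an
# approximation that is close enough to show the behaviour.
set -u

# simulate_limit RATE BURST PPI INTERVALS
#   RATE, BURST  as in --limit RATE/interval --limit-burst BURST
#   PPI          packets arriving in each of INTERVALS intervals (a
#                constructed flood)
# Prints how many packets the match matched. The bucket starts full.
simulate_limit() {
    rate=$1; burst=$2; ppi=$3; n=$4
    tokens=$burst; matched=0; i=0
    while [ "$i" -lt "$n" ]; do
        tokens=$((tokens + rate))
        if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
        # Each packet that finds a token matches and consumes it; the
        # rest of this interval's packets do not match.
        if [ "$ppi" -le "$tokens" ]; then
            matched=$((matched + ppi)); tokens=$((tokens - ppi))
        else
            matched=$((matched + tokens)); tokens=0
        fi
        i=$((i + 1))
    done
    echo "$matched"
}

# Shape 1: "-m limit ... -j ACCEPT" followed by "-j DROP" (or policy DROP).
# Only the matched, in-budget packets get through.
accepted_limit_then_drop() { simulate_limit "$1" "$2" "$3" "$4"; }

# Shape 2: "-m limit ... -j DROP" on its own. The matched packets are the
# ones dropped, so everything the bucket cannot cover passes.
accepted_limit_drop_alone() {
    m=$(simulate_limit "$1" "$2" "$3" "$4")
    echo $(( $3 * $4 - m ))
}

# A ping flood of 1000 packets/second for 2 seconds against
# "--limit 3/s" (default --limit-burst 5):
echo "limit+ACCEPT then DROP lets through: $(accepted_limit_then_drop 3 5 1000 2)"
echo "limit+DROP alone lets through:       $(accepted_limit_drop_alone 3 5 1000 2)"
# The port-80 rule above, 6000 packets in one minute against
# "--limit 25/minute --limit-burst 100", with a DROP after it:
echo "port 80 flood, packets accepted:     $(accepted_limit_then_drop 25 100 6000 1)"

# Corrected rule shapes (run as root), with the DROP restricted to
# connection attempts so established sessions survive the flood:
#   iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 --syn -j DROP
#   iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
```

The numbers make the point: with the ACCEPT-then-DROP shape a 2000-packet flood yields 8 accepted pings, with the DROP-alone shape it yields 1992. A single-source flood is also better handled by -m hashlimit, which keeps one bucket per source address instead of one shared bucket that a flooder can empty for everyone.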



