在生产环境中,除硬件设备防火墙的策略配置之外,因为涉及一些权限控制并不那么严谨的软件使用,需要单独对该类应用服务器做单独防火墙设定。
iptables是Linux上常用的防火墙过滤包管理工具,它是Linux内核中netfilter实现包过滤的一部分。
1、netfilter/iptables的四表五链
iptables 实际上就是一种包过滤型防火墙。就是通过书写一些接受哪些包,拒绝哪些包的规则,实现数据包的过滤。这些规则存储在专用的信息包过滤表中,而这些表集成在 Linux 内核中。在信息包过滤表中,规则被分组放在我们所谓的链(chain)中。
1.1 四表
1.2 五链
详细对应关系如下:
2、filter表
数据包过滤中,最常见的就是filter表的使用,也是iptables的预设规则表。由于iptables利用的数据包过滤的机制,通过分析数据包的报头数据,与定义的规则来进行比对,决定该数据包是进入允许(ACCEPT)主机还是丢弃(DROP)。 也就是说,根据数据包的分析资料”对比”预先定义的规则内容,若数据包数据与规则内容相同则进行动作,否则就继续下一条规则的比对。重点在比对与分析顺序。
2.1 filter表规则
2.1 filter表示例结构
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
## 声明表为filter
*filter
## 默认策略Policy
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## 自定义chain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT3、iptables命令
3.1 iptables命令规则
## 简单查看命令参数
[root@localhost ~]# iptables -h
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
3.2 iptables 匹配条件
iptables定义规则的格式:
iptables [-AI 链名] [-io 网络接口 ] [ -p 协议 ] [ -m 扩展 扩展参数 ] [ -s 来源IP/网络 ] [ -d 目标IP/网络 ] -j [ACCEPT | DROP|REJECT|LOG]
1. [ -m state --state options ]
iptables有四种状态:NEW,ESTABLISHED,RELATED,INVALID。
NEW状态:主机连接目标主机,在目标主机上看到的第一个想要连接的包
ESTABLISHED状态:主机已与目标主机进行通信,判断标准只要目标主机回应了第一个包,就进入该状态。
RELATED状态:主机已与目标主机进行通信,目标主机发起新的链接方式,例如ftp
INVALID状态:无效的封包,例如数据破损的封包状态
例:
2. [ -m multiport --dport/sport ]
##多端口匹配
例:iptables -A INPUT -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
3. [ -m iprange --src-range ]
##IP范围匹配
例:iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.122-192.168.1.128 -j ACCEPT
3.3 iptables常用命令示例
1、命令 -A, --append
范例:iptables -A INPUT -p tcp --dport 22 -j ACCEPT
说明 :新增规则到INPUT规则链中,规则时接到所有目的端口为22的数据包的流入连接,该规则将会成为规则链中的最后一条规则。
2、命令 -D, --delete
范例:iptables -D INPUT -p tcp --dport 80 -j ACCEPT
或: iptables -D INPUT 1
说明: 从INPUT规则链中删除上面建立的规则,可输入完整规则,或直接指定规则编号加以删除。
3、命令 -R, --replace
范例: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
说明 取代现行第一条规则,规则被取代后并不会改变顺序。
4、命令 -I, --insert
范例:iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
说明: 在第一条规则前插入一条规则,原本该位置上的规则将会往后移动一个顺位。
5、命令 -L, --list
范例: iptables -L INPUT
说明:列出INPUT规则链中的所有规则。
6、命令 -F, --flush
范例: iptables -F INPUT
说明: 删除INPUT规则链中的所有规则。
7、命令 -Z, --zeroLINUX教程 centos教程
范例:iptables -Z INPUT
说明 将INPUT链中的数据包计数器归零。它是计算同一数据包出现次数,过滤阻断式攻击不可少的工具。-Z:将所有的chain的计数与流量统计都归零
8、命令 -N, --new-chain
范例: iptables -N denied
说明: 定义新的规则链。
9、命令 -X, --delete-chain
范例: iptables -X denied
说明: 删除某个自定义的规则链,如果后面没有参数,则默认清除所有自定义chain。-X:清楚所有用户"自定义"的chain或者tables
10、命令 -P, --policy
范例 :iptables -P INPUT DROP
说明 :定义默认的过滤策略。 数据包没有找到符合的策略,则根据此预设方式处理。
11、命令 -E, --rename-chain
范例: iptables -E denied disallowed
说明: 修改某自订规则链的名称。
4、iptables创建
4.1 创建前的准备
- 原有规则查看
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5384 7621K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3478 packets, 264K bytes)
pkts bytes target prot opt in out source destination - 服务状态查看
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2018-07-13 23:20:13 EDT; 30min ago
Process: 12699 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 12699 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
Jul 13 23:20:13 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Jul 13 23:20:13 localhost.localdomain iptables.init[12699]: iptables: Applying firewall rules: [ OK ]
Jul 13 23:20:13 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
- 清空原有规则
## 清除防火墙的所有规则:
[root@localhost ~]# iptables -F //清除所有的已定制的规则
[root@localhost ~]# iptables -X //清除所有用户"自定义"的chain或者tables
[root@localhost ~]# iptables -Z //将所有的chain的计数与流量统计都归零
## 保存,保存前,务必确认防火墙默认INPUT策略Policy为ACCEPT,否则远程SSH必定断开
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Jul 14 00:37:51 2018
*filter
:INPUT ACCEPT [1434:117566]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1226:277818]
COMMIT
# Completed on Sat Jul 14 00:37:51 2018
## 规则已无
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 14 packets, 924 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 880 bytes)
pkts bytes target prot opt in out source destination 4.2 规则设定
因为iptables执行完全依赖于顺序,根据filter表的结构,需设定默认规则Policy,当数据包不在我们设置的规则之内时,则该数据包的通过与否,是以Policy的设置为准。在安全性比较高的主机中,Filter内的INPUT链定义的比较严格,INPUT的Policy定义为DROP。
iptables定义规则:
格式:iptables [-t table] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP ]
-p : 定义策略(Policy)。注意:P为大写
ACCEPT :数据包可接受
DROP :数据包丢弃,client不知道为何被丢弃- 首先保证sshd通讯正常
## 这里我们要设定默认规则全部为DROP的情况,为保证SSH正常,首先写入SSH访问策略
[root@localhost ~]# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
98 6500 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
52 4808 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
- 设定默认策略Policy
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P FORWARD DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
179 11837 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
102 10216 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
- 保证本机回环正常
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -o lo -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 800 52707 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 458 47772 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
- 已有连接及相关连接保持正常
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 978 64524 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 4 237 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 567 58885 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 5 268 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 不禁ping
[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1204 79461 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 4 237 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 700 73273 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 5 268 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
- 允许ping
[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 598 39376 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 2 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 351 47660 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 3 180 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
- 允许域名解析
[root@localhost ~]# iptables -A INPUT -p udp --sport 53 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1199 80605 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 10 900 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 16 1446 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 741 109K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 10 900 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 9 684 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
5 9 756 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
6 4 264 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53