Contents
- View the current iptables rules
- Quickly clear all iptables rules
- Add a rule restricting a fixed destination IP and port
- Add a rule restricting a fixed destination IP and multiple ports
- Add a rule restricting a source IP range for a fixed destination IP and port
- Add a rule for a fixed destination IP and a specific source MAC address
- Add a rule matching a known source IP and a key string in the payload
- Time-based rule: drop TCP packets from 172.16.0.0/16 to 172.16.100.10 port 80 between 23:00 and 24:00 on Saturday and Sunday
- Saving the rules
- NAT address translation in iptables rules
- Port redirection with the nat table
View the current iptables rules
Command: iptables -vnL (-L lists the rules of the filter table, -v adds the packet/byte counters and interface columns, -n prints addresses and ports numerically instead of resolving names)
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 4629K packets, 1620M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 172.16.0.0/16 172.16.100.10 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 172.16.100.10 tcp dpt:80 source IP range 172.16.100.5-172.16.100.10
0 0 DROP all -- * * 0.0.0.0/0 172.16.100.10 source IP range 172.16.100.5-172.16.100.10
0 0 ACCEPT all -- * * 172.16.0.100 0.0.0.0/0 MAC 00:50:56:12:34:56
0 0 REJECT all -- * * 172.16.0.100 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 172.16.0.0/16 172.16.100.10 TIME from 23:00:00 to 23:59:59 on Sat,Sun UTC
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 23:00:00 to 23:59:59 on Sat,Sun UTC
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 420 packets, 37668 bytes)
pkts bytes target prot opt in out source destination
Field | Meaning |
---|---|
pkts | number of packets that have matched this rule (on the chain header: packets that reached the end of the chain and were handled by the default policy) |
bytes | total size of those packets |
target | what is done with a matching packet: DROP, ACCEPT, REJECT, a jump to another chain, and so on |
prot | protocol (tcp, udp, icmp, all) |
in | interface the packet came in on (* means any) |
out | interface the packet goes out on (* means any) |
source | source IP address or network |
destination | destination IP address or network |
The unnamed last column carries the match-extension details (ports, source IP range, MAC, time window). Rules are evaluated top to bottom within a chain and the first terminating match decides what happens to the packet.
Quickly clear all iptables rules
Command: iptables -F
First flush all existing rules with this command. Note that -F only removes the rules of the filter table: the chain policies stay as they are, user-defined chains are not deleted (-X does that), the counters are not reset (-Z), and the nat, mangle and raw tables are untouched unless -t names them. If INPUT has a DROP policy, flushing over SSH locks you out, so set the policies to ACCEPT before flushing.
[root@centos ~]# iptables -F
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 2567 packets, 890K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
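A reset that takes those caveats into account, as an added example that is not part of the original post. It opens the filter policies before removing anything and then flushes, deletes user chains and zeroes counters in every table. The IPT variable is an assumption of this script: it defaults to a dry run that only prints the commands, and is set to iptables when run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: reset iptables without locking
# yourself out. `iptables -F` only flushes the rules of the filter table; it
# leaves chain policies, user-defined chains and the nat/mangle/raw tables
# as they are. If INPUT has a DROP policy, flushing over SSH cuts the session,
# so the policies are opened first.
# IPT (assumed name) defaults to a dry run that prints the commands; run as
# root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

reset_iptables() {
    # 1. open the built-in chains of the filter table before touching rules
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
    # 2. in every table: flush rules (-F), delete user-defined chains (-X),
    #    zero the packet/byte counters (-Z)
    for table in filter nat mangle raw; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
}

# Number of commands the dry run issues (3 policies + 4 tables x 3 operations).
reset_command_count() {
    reset_iptables | grep -c '^iptables '
}

reset_iptables
```

Run it once in dry-run mode and read the output before setting IPT=iptables; the policy lines must come first, which is the whole point of the ordering.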
Add a rule restricting a fixed destination IP and port
Command: iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j DROP
Explanation: -A INPUT appends the rule to the INPUT chain; -d 192.168.1.1 matches packets whose destination IP is 192.168.1.1; -p tcp restricts the rule to TCP packets; --dport 22 matches destination port 22 (port options are only valid together with -p tcp or -p udp); -j DROP silently discards matching packets, so the port looks filtered to the sender, whereas -j REJECT would answer with an error.
[root@centos ~]# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 2484 packets, 861K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
Add a rule restricting a fixed destination IP and multiple ports
Example command: iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --dports 20,22,80 -j DROP
The multiport match lets one rule cover the three ports 20, 22 and 80 (up to 15 ports or port ranges per rule) instead of three separate rules.
[root@centos ~]# iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --dports 20,22,80 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1256 packets, 438K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 672 bytes)
pkts bytes target prot opt in out source destination
Add a rule restricting a source IP range for a fixed destination IP and port
Example command: iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m iprange --src-range 192.168.100.1-192.168.100.10 -j DROP
Explanation: packets to 192.168.1.1 port 80 whose source address lies between 192.168.100.1 and 192.168.100.10 are dropped. iprange is useful for ranges that are not a clean CIDR block; this one would otherwise need several -s prefixes.
[root@centos ~]# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m iprange --src-range 192.168.100.1-192.168.100.10 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1074 packets, 374K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 656 bytes)
pkts bytes target prot opt in out source destination
Add a rule for a fixed destination IP and a specific source MAC address
Example command: iptables -A INPUT -d 192.168.100.100 -m mac --mac-source 00:50:56:12:34:56 -j DROP
Explanation: packets to 192.168.100.100 whose source MAC is the address given are dropped. The mac match only works in the PREROUTING, FORWARD and INPUT chains and only sees the MAC of the last layer-2 hop, so it identifies hosts on the same Ethernet segment; routed traffic carries the router's MAC instead. A sender can change its MAC freely, so this is a convenience filter, not an authentication control.
[root@centos ~]# iptables -A INPUT -d 192.168.100.100 -m mac --mac-source 00:50:56:12:34:56 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1218 packets, 424K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
0 0 DROP all -- * * 0.0.0.0/0 192.168.100.100 MAC 00:50:56:12:34:56
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 860 bytes)
pkts bytes target prot opt in out source destination
Add a rule matching a known source IP and a key string in the payload
Example command: iptables -A OUTPUT -s 192.168.1.1 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "baidu" -j DROP
Explanation: TCP packets leaving from 192.168.1.1 with source port 80 to any destination (-d 0/0 is 0.0.0.0/0) are dropped when their payload contains the string "baidu"; --algo bm selects the Boyer-Moore search. The match inspects each packet on its own, so a string split across two TCP segments is not found, and it sees nothing inside TLS.
[root@centos ~]# iptables -A OUTPUT -s 192.168.1.1 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "baidu" -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1691 packets, 590K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
0 0 DROP all -- * * 0.0.0.0/0 192.168.100.100 MAC 00:50:56:12:34:56
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 640 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.1.1 0.0.0.0/0 tcp spt:80 STRING match "baidu" ALGO name bm TO 65535
Time-based rule: drop TCP packets from 172.16.0.0/16 to 172.16.100.10 port 80 between 23:00 and 24:00 on Saturday and Sunday
Example command: iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.10 -p tcp --dport 80 -m time --timestart 23:00:00 --timestop 23:59:59 --weekdays Sat,Sun --kerneltz -j DROP
Explanation: TCP packets from the 172.16.0.0/16 network to 172.16.100.10 port 80 are dropped when they arrive between 23:00:00 and 23:59:59 on a Saturday or Sunday. --kerneltz evaluates the window in the kernel's local time zone; without it the time match uses UTC, which is why the listing at the top of the page shows "on Sat,Sun UTC" for rules that were added without that option.
[root@centos ~]# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.10 -p tcp --dport 80 -m time --timestart 23:00:00 --timestop 23:59:59 --weekdays Sat,Sun --kerneltz -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1314 packets, 458K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
0 0 DROP all -- * * 0.0.0.0/0 192.168.100.100 MAC 00:50:56:12:34:56
0 0 DROP tcp -- * * 172.16.0.0/16 172.16.100.10 tcp dpt:80 TIME from 23:00:00 to 23:59:59 on Sat,Sun
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 1164 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.1.1 0.0.0.0/0 tcp spt:80 STRING match "baidu" ALGO name bm TO 65535
Saving the rules
CentOS 7:
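Rules added with iptables -A live only in the kernel and are gone after a reboot. The following added example (not part of the original post) keeps the filter rules from the sections above in iptables-restore format, the same format iptables-save writes, and loads them atomically: iptables-restore replaces each table listed in the file in one step, so running it twice never appends duplicate rules the way repeated iptables -A does. RULES_FILE is a hypothetical path of this script; on CentOS 7 the iptables-services package reads /etc/sysconfig/iptables at boot, and firewalld must be disabled so the two do not manage the same tables.

```shell
#!/bin/sh
# Added example, not from the original post: the post's filter rules as an
# iptables-restore file, loaded atomically and persisted the CentOS 7 way.
# RULES_FILE is an assumed path; /etc/sysconfig/iptables is where the
# iptables-services unit looks for the saved ruleset.
RULES_FILE="${RULES_FILE:-/tmp/rules.v4}"

# The rules from the sections above in iptables-save syntax (-m tcp and
# --to 65535 are the explicit forms iptables-save itself emits).
build_filter_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -d 192.168.1.1/32 -p tcp -m multiport --dports 20,22,80 -j DROP
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m iprange --src-range 192.168.100.1-192.168.100.10 -j DROP
-A INPUT -d 192.168.100.100/32 -m mac --mac-source 00:50:56:12:34:56 -j DROP
-A INPUT -s 172.16.0.0/16 -d 172.16.100.10/32 -p tcp -m tcp --dport 80 -m time --timestart 23:00:00 --timestop 23:59:59 --weekdays Sat,Sun --kerneltz -j DROP
-A OUTPUT -s 192.168.1.1/32 -p tcp -m tcp --sport 80 -m string --string "baidu" --algo bm --to 65535 -j DROP
COMMIT
EOF
}

# Number of -A rule lines in the generated file.
rule_count() {
    build_filter_rules | grep -c '^-A '
}

# Write the file and check its syntax without applying anything (root needed).
write_rules() {
    build_filter_rules > "$RULES_FILE"
    iptables-restore --test < "$RULES_FILE"
}

# Apply the file (replaces the filter table atomically), then persist it so the
# iptables service restores it at boot.
load_and_save_rules() {
    iptables-restore < "$RULES_FILE"
    iptables-save > /etc/sysconfig/iptables
    systemctl enable iptables
}

build_filter_rules
```

Editing the file and re-running load_and_save_rules is the whole maintenance loop; nothing accumulates in the kernel because the file is the source of truth.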
NAT address translation in iptables rules
Example command: iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.18.100.6-172.18.100.9
In the POSTROUTING chain of the nat table, packets from the 10.0.1.0/24 network whose destination is outside 10.0.1.0/24 get their source address rewritten to one of 172.18.100.6-172.18.100.9; conntrack remembers the mapping and translates the replies back. This only applies to forwarded traffic, so net.ipv4.ip_forward must be 1 for the rule to do anything.
[root@centos ~]# iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.18.100.6-172.18.100.9
[root@centos ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 397K packets, 46M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.1.0/24 !10.0.1.0/24 to:172.18.100.6-172.18.100.9
Port redirection with the nat table
Example command: iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
Explanation: incoming TCP packets for 172.16.100.10 port 80 are redirected to port 8080 on this host. PREROUTING only sees packets arriving from other hosts; connections made from the host itself go through the nat OUTPUT chain instead. The listing below shows the new PREROUTING rule together with the SNAT rule added in the previous section.
[root@centos ~]# iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@centos ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 81023 packets, 9472K bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 172.16.100.10 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.1.0/24 !10.0.1.0/24 to:172.18.100.6-172.18.100.9
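The two nat rules above, as an added example that is not part of the original post, together with the checks that decide whether they take effect: SNAT needs IP forwarding switched on, and a REDIRECT in PREROUTING has to be repeated in the nat OUTPUT chain before a test from the box itself shows anything. IPT and SYSCTL are assumed names of this script that default to a dry run printing the commands; the file-path argument of forwarding_enabled exists so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example, not from the original post: the SNAT and REDIRECT rules above
# plus the conditions they depend on. IPT and SYSCTL (assumed names) default to
# a dry run that prints the commands; run as root with IPT=iptables SYSCTL=sysctl
# to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# SNAT in POSTROUTING only ever sees forwarded traffic, and the kernel forwards
# nothing unless net.ipv4.ip_forward is 1. The optional argument is a file to
# read instead of the real sysctl entry (used for testing with a constructed file).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

setup_snat() {
    forwarding_enabled || $SYSCTL -w net.ipv4.ip_forward=1
    # Hosts in 10.0.1.0/24 leaving for any other network get a source address
    # from the static pool; conntrack maps the replies back. On an interface
    # with a dynamic address, MASQUERADE replaces SNAT --to-source.
    $IPT -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.18.100.6-172.18.100.9
}

setup_redirect() {
    # PREROUTING handles packets that arrive from other hosts ...
    $IPT -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
    # ... but not packets generated on this box, so a local test such as
    # `curl http://172.16.100.10/` needs the same redirect in the nat OUTPUT chain.
    $IPT -t nat -A OUTPUT -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
}

setup_snat
setup_redirect
```

After applying, `iptables -t nat -vnL` should show the POSTROUTING counter rising only once traffic is actually forwarded; a counter stuck at 0 with clients complaining usually means ip_forward was still 0.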