Contents
- View the current iptables rules
- Quickly flush all iptables rules
- Add a rule restricting a fixed destination IP and port
- Add a rule restricting a fixed destination IP and multiple ports
- Add a rule restricting a source IP range for a fixed destination IP and port
- Add a rule with a fixed destination IP and a specific source MAC
- Add a rule matching a key string from a known source IP
- Time-based rule: drop TCP packets from 172.16.0.0/16 to 172.16.100.10 port 80 between 23:00 and 24:00 on Saturday and Sunday
- How to save the rules
- NAT address translation in iptables rules
- Port forwarding with NAT in iptables rules
View the current iptables rules
Command: iptables -vnL
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 4629K packets, 1620M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 172.16.0.0/16 172.16.100.10 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 172.16.100.10 tcp dpt:80 source IP range 172.16.100.5-172.16.100.10
0 0 DROP all -- * * 0.0.0.0/0 172.16.100.10 source IP range 172.16.100.5-172.16.100.10
0 0 ACCEPT all -- * * 172.16.0.100 0.0.0.0/0 MAC 00:50:56:12:34:56
0 0 REJECT all -- * * 172.16.0.100 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 172.16.0.0/16 172.16.100.10 TIME from 23:00:00 to 23:59:59 on Sat,Sun UTC
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 23:00:00 to 23:59:59 on Sat,Sun UTC
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 420 packets, 37668 bytes)
pkts bytes target prot opt in out source destination
| Field | Meaning |
|---|---|
| pkts | number of packets that have matched the rule |
| bytes | total size of those packets |
| target | what to do with a matching packet: DROP, ACCEPT, or another target |
| prot | protocol |
| in | interface the packet arrived on |
| out | interface the packet leaves by |
| source | source IP address |
| destination | destination IP address |
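To make the columns above concrete, here is an added example (not part of the original post) that parses text in the `iptables -vnL` format into structured records and lists the rules whose packet counter is still zero, a quick audit check. The listing embedded in the block is a constructed sample in the same format as the output shown above.

```python
import re

# Constructed sample in the `iptables -vnL` format (counters carry the K/M
# suffixes iptables prints for large values).
SAMPLE = """\
Chain INPUT (policy ACCEPT 4629K packets, 1620M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       172.16.0.0/16        172.16.100.10        multiport dports 20,22,80
   12  1440 ACCEPT     all  --  *      *       172.16.0.100         0.0.0.0/0            MAC 00:50:56:12:34:56
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 420 packets, 37668 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
BUILTIN = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
USERDEF = re.compile(r"^Chain (\S+) \((\d+) references\)")
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def to_count(text):
    """Expand '4629K' -> 4629000; iptables scales these suffixes by powers of 1000."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text)
    if not m:
        raise ValueError(f"not a counter: {text!r}")
    return int(m.group(1)) * SCALE[m.group(2)]

def parse_vnl(text):
    """Return {chain: {"policy", "policy_pkts", "policy_bytes", "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = BUILTIN.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "policy_pkts": to_count(m.group(3)),
                                            "policy_bytes": to_count(m.group(4)), "rules": []}
            continue
        m = USERDEF.match(line)
        if m:  # user-defined chains have a reference count instead of a policy
            current = chains[m.group(1)] = {"policy": None, "references": int(m.group(2)), "rules": []}
            continue
        parts = line.split()
        if current is None or not parts or parts[0] == "pkts":
            continue  # blank line or the column header row
        rule = dict(zip(COLUMNS, parts[:9]))
        rule["pkts"], rule["bytes"] = to_count(rule["pkts"]), to_count(rule["bytes"])
        rule["match"] = " ".join(parts[9:])  # extension text, e.g. "tcp dpt:22"
        current["rules"].append(rule)
    return chains

def never_hit(chains):
    """(chain, position, target, match) for rules whose packet counter is still 0."""
    return [(name, i, r["target"], r["match"]) for name, c in chains.items()
            for i, r in enumerate(c["rules"], 1) if r["pkts"] == 0]
```

Feed it real output with `parse_vnl(subprocess.run(["iptables", "-vnL"], capture_output=True, text=True).stdout)` on a host where you can run iptables.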
Quickly flush all iptables rules
Command: iptables -F
First flush all existing iptables rules with this command (-F clears the rules of the filter table only; chain policies and the nat table are left untouched):
[root@centos ~]# iptables -F
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 2567 packets, 890K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
Add a rule restricting a fixed destination IP and port
Command: iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j DROP
Command explanation: -A INPUT appends the rule to the INPUT chain; -d 192.168.1.1 matches packets whose destination IP is 192.168.1.1; -p tcp matches TCP packets; --dport 22 matches destination port 22; -j DROP drops every packet that matches the rule.
[root@centos ~]# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 2484 packets, 861K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
Add a rule restricting a fixed destination IP and multiple ports
Example command: iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --dports 20,22,80 -j DROP
This command covers the three ports 20, 22 and 80 in a single rule (the multiport match accepts up to 15 ports).
[root@centos ~]# iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --dports 20,22,80 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1256 packets, 438K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 672 bytes)
pkts bytes target prot opt in out source destination
Add a rule restricting a source IP range for a fixed destination IP and port
Example command: iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m iprange --src-range 192.168.100.1-192.168.100.10 -j DROP
Command explanation: drop packets sent to destination IP 192.168.1.1 port 80 from any source address in the range 192.168.100.1 to 192.168.100.10.
[root@centos ~]# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m iprange --src-range 192.168.100.1-192.168.100.10 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1074 packets, 374K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 656 bytes)
pkts bytes target prot opt in out source destination
Add a rule with a fixed destination IP and a specific source MAC
Example command: iptables -A INPUT -d 192.168.100.100 -m mac --mac-source 00:50:56:12:34:56 -j DROP
Command explanation: drop packets whose destination IP is 192.168.100.100 and whose source MAC is the address above (the mac match is valid only in the PREROUTING, FORWARD and INPUT chains, and only for packets that arrived on an Ethernet-type interface).
[root@centos ~]# iptables -A INPUT -d 192.168.100.100 -m mac --mac-source 00:50:56:12:34:56 -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1218 packets, 424K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
0 0 DROP all -- * * 0.0.0.0/0 192.168.100.100 MAC 00:50:56:12:34:56
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 860 bytes)
pkts bytes target prot opt in out source destination
Add a rule matching a key string from a known source IP
Example command: iptables -A OUTPUT -s 192.168.1.1 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "baidu" -j DROP
Command explanation: when a TCP packet from source IP 192.168.1.1 leaves through source port 80 and its payload contains the string "baidu", drop it (--algo bm selects the Boyer-Moore search algorithm).
[root@centos ~]# iptables -A OUTPUT -s 192.168.1.1 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "baidu" -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1691 packets, 590K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
0 0 DROP all -- * * 0.0.0.0/0 192.168.100.100 MAC 00:50:56:12:34:56
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 640 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.1.1 0.0.0.0/0 tcp spt:80 STRING match "baidu" ALGO name bm TO 65535
Time-based rule: drop TCP packets from 172.16.0.0/16 to 172.16.100.10 port 80 between 23:00 and 24:00 on Saturday and Sunday
Example command: iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.10 -p tcp --dport 80 -m time --timestart 23:00:00 --timestop 23:59:59 --weekdays Sat,Sun --kerneltz -j DROP
Command explanation: drop TCP packets from 172.16.0.0/16 to 172.16.100.10 port 80 that arrive between 23:00:00 and 23:59:59 on Saturday or Sunday; --kerneltz evaluates the window in the kernel's local time zone rather than in UTC, which is why the rule listed below carries no "UTC" suffix, unlike the time rules in the first listing above.
[root@centos ~]# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.10 -p tcp --dport 80 -m time --timestart 23:00:00 --timestop 23:59:59 --weekdays Sat,Sun --kerneltz -j DROP
[root@centos ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1314 packets, 458K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 multiport dports 20,22,80
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 source IP range 192.168.100.1-192.168.100.10
0 0 DROP all -- * * 0.0.0.0/0 192.168.100.100 MAC 00:50:56:12:34:56
0 0 DROP tcp -- * * 172.16.0.0/16 172.16.100.10 tcp dpt:80 TIME from 23:00:00 to 23:59:59 on Sat,Sun
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 1164 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.1.1 0.0.0.0/0 tcp spt:80 STRING match "baidu" ALGO name bm TO 65535
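The --kerneltz difference is easy to get wrong, so here is an added example (not from the original post) that emulates the xt_time test for the rule above and shows the same instant matching or not depending on the flag. It assumes a kernel time zone of UTC+8 as a fixed offset, which is an assumption of the demo and not stated on the page.

```python
from datetime import datetime, time, timedelta, timezone

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # the names --weekdays accepts
# Assumed kernel time zone for this demo: a fixed UTC+8 offset (China Standard Time).
KERNEL_TZ = timezone(timedelta(hours=8), "CST")

def make_time(year, month, day, hour, minute, utc=False):
    """Build an aware timestamp in the kernel zone (default) or in UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc if utc else KERNEL_TZ)

def time_match(pkt_time, timestart, timestop, weekdays, kerneltz=False):
    """Emulate `-m time --timestart A --timestop B --weekdays D[,D...] [--kerneltz]`.

    pkt_time is an aware datetime. Without --kerneltz the clock and weekday are
    taken in UTC; with --kerneltz they are taken in the kernel's local zone.
    """
    local = pkt_time.astimezone(KERNEL_TZ if kerneltz else timezone.utc)
    if WEEKDAYS[local.weekday()] not in weekdays.split(","):
        return False
    start, stop = time.fromisoformat(timestart), time.fromisoformat(timestop)
    now = local.time().replace(microsecond=0)
    if start <= stop:
        return start <= now <= stop
    return now >= start or now <= stop  # start > stop: the window wraps past midnight

def page_rule(pkt_time, kerneltz):
    """The rule above: --timestart 23:00:00 --timestop 23:59:59 --weekdays Sat,Sun."""
    return time_match(pkt_time, "23:00:00", "23:59:59", "Sat,Sun", kerneltz)

if __name__ == "__main__":
    sat_night = make_time(2024, 6, 8, 23, 30)    # Saturday 23:30 local = Saturday 15:30 UTC
    sun_morning = make_time(2024, 6, 9, 7, 30)   # Sunday 07:30 local = Saturday 23:30 UTC
    for label, t in (("Sat 23:30 local", sat_night), ("Sun 07:30 local", sun_morning)):
        print(f"{label}: with --kerneltz -> {page_rule(t, True)}, without -> {page_rule(t, False)}")
```

Without --kerneltz the weekend-night window silently shifts to Sunday morning local time on a UTC+8 host, so check the "UTC" marker in `iptables -vnL` output whenever a time rule does not fire when expected.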
How to save the rules
CentOS 7:
NAT address translation in iptables rules
Example command: iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.18.100.6-172.18.100.9
On the POSTROUTING chain, rewrite the source address of packets from the 10.0.1.0/24 network whose destination is outside 10.0.1.0/24 to an address in the range 172.18.100.6-172.18.100.9.
[root@centos ~]# iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 172.18.100.6-172.18.100.9
[root@centos ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 397K packets, 46M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.1.0/24 !10.0.1.0/24 to:172.18.100.6-172.18.100.9
Port forwarding with NAT in iptables rules
Example command: iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
Command explanation: redirect TCP packets destined for 172.16.100.10 port 80 to port 8080 (REDIRECT rewrites the destination to the local machine's own address on the incoming interface, so it serves traffic handled on this host rather than forwarding to another machine).
[root@centos ~]# iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@centos ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 81023 packets, 9472K bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 172.16.100.10 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.1.0/24 !10.0.1.0/24 to:172.18.100.6-172.18.100.9