在基於 Red Hat 的 Linux 上,iptables 帶有某些默認規則。清理它們並從頭開始是個好主意。
在我們開始學習如何使用 iptables 添加防火牆規則之前,瞭解如何清理所有現有的默認規則並從頭開始一切會很有幫助。
IPTables 中的默認規則
如下圖啓動iptables防火牆。
# service iptables status
Firewall is stopped.
# service iptables start
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
可以看到下面的默認規則:iptables -> Filter Table -> RH-Firewall-1-INPUT Chain,如下圖。您還可以使用 'iptables –list' 查看所有規則。
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
IPTables 規則存儲在 /etc/sysconfig/iptables
請注意,iptables 規則存儲在 /etc/sysconfig/iptables 文件中。如果您查看此文件,您將看到所有默認規則。
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
暫時刪除所有防火牆規則
使用 'iptables –flush' 選項暫時刪除所有規則。
# iptables --flush
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
在“iptables –flush”之後,如果您重新啓動 iptables,您將再次看到所有默認規則。所以,–flush 只是暫時的。
# service iptables stop
# service iptables start
# iptables --list
永久刪除所有默認防火牆規則
在刪除所有防火牆規則之前,您將在 /etc/sysconfig/iptables 文件中看到以下內容。
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
First, flush all these rules temporarily, as we discussed above.
首先,正如我們上面討論的那樣,暫時刷新所有這些規則。
# iptables --flush
接下來,使用“service iptables save”將當前的 iptables(它是空的,因爲我們剛剛刷新它)保存到 /etc/sysconfig/iptables 文件以供永久使用
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
最後,查看 /etc/sysconfig/iptables 以確保沒有規則。
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Oct 28 08:44:01 2020
*filter
:INPUT ACCEPT [102:7668]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:8560]
COMMIT
# Completed on Thu Oct 28 08:44:01 2020
現在,如果您停止並啓動 iptables,您將不再看到默認規則。因此,請記住執行“service iptables save”以使“iptables –flush”永久化。
# service iptables stop
# service iptables start
# iptables --list