一、顯示擴展
顯示擴展必須使用-m選項指定使用的擴展, 必須顯示指明使用的擴展模塊用如下方式查看:
$ rpm -ql iptables | grep "\.so"
查看顯示擴展使用說明:
# CentOS 6
$ man iptables
# CentOS 7
$ man iptables-extension
二、擴展選項
2.1 multiport擴展
以離散方式定義多端口匹配, 最多指定15個端口.
- [!] --source-ports, --sports port[,port|,port:port]...: 指明多個源端口
- [!] --destination-ports, --dport port[,port|port:port]...: 指明多個離散的目標端口
- --ports port[,port|port:port]...: 既能匹配源端口, 又能匹配目標端口
示例: 放行其他主機對192.168.123.101主機22號端口和80端口的訪問
$ iptables -t filter -I INPUT -s 0.0.0.0/0 -d 192.168.123.101 -p tcp -m multiport --dports 22,80 -j ACCEPT
$ iptables -t filter -I OUTPUT -d 0.0.0.0/0 -s 192.168.123.101 -p tcp -m multiport --sports 22,80 -j ACCEPT
$ iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
378 42192 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 multiport dports 22,80
...
Chain OUTPUT (policy DROP 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
135 19800 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 multiport sports 22,80
2.2 iprange擴展
指明連續(但一般是不能擴展爲整個網絡)IP地址範圍時使用.
示例: 僅允許192.168.123.1至192.168.123.10來訪問192.168.123.101主機的22號端口和80端口
$ iptables -t filter -I INPUT -d 192.168.123.101 -p tcp -m multiport --dports 22:23,80 -m iprange --src-range 192.168.123.1-192.168.123.10 -j ACCEPT
$ iptables -t filter -I OUTPUT -s 192.168.123.101 -p tcp -m multiport --sports 22:23,80 -m iprange --dst-range 192.168.123.1-192.168.123.10 -j ACCEPT
$ iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
271 29080 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 multiport dports 22:23,80 source IP range 192.168.123.1-192.168.123.10
...
...
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
23 3288 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 multiport sports 22:23,80 destination IP range
...
2.3 string擴展
檢查報文中出現的字符串.
- --algo {bm|kmp}: bm(Boyer-moore)算法; kmp(Kunth-Pratt-morris)算法.
- [!] --string pattern
- [!] --hex-string pattern
示例: 如果192.168.123.101主機網頁的響應報文中帶有“movie”字符, 就拒絕響應
$ iptables -t filter -I OUTPUT -s 192.168.123.101 -d 0.0.0.0/0 -m string --algo bm --string "movie" -j REJECT
2.4 time擴展
根據報文到達的時間與指定時間範圍進行匹配.
- --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
- --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
- --timestart hh:mm[:ss]
- --timestop hh:mm[:ss]
- [!] --monthdays day[,day...]
- [!] --weekdays day[,day...]
示例: 禁止在下午14點至16點之間訪問192.168.123.101主機的80端口
$ iptables -t filter -I INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp --dport 80 -m time --timestart 14:00 --timestop 16:00 -j REJECT
$ iptables -L -n -v
Chain INPUT (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 192.168.123.101 tcp dpt:80 TIME from 14:00:00 to 16:00:00 UTC reject-with icmp-port-unreachable
...
2.5 connlimit擴展
根據每個客戶端IP(也可以是地址塊)做併發連接數數量匹配.
- --connlimit-above n: 連接的數量大於n
- --connlimit-upto n: 連接的數量小於n
示例: 當其他的主機對192.168.123.101主機22號端口的連接大於3個, 則拒絕後面的連接.
$ iptables -t filter -I INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j REJECT
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 192.168.123.101 tcp dpt:22 #conn src/32 > 3 reject-with icmp-port-unreachable
...
2.6 limit擴展
基於手法報文的速率做檢查.
令牌桶過濾器:
- --limit rate[/second|/minute|/hour|/day]
- --limit_burst number
示例: 其他主機對192.168.123.100主機的icmp請求每秒上線最多5個, 一分鐘最多30個
$ iptables -t filter -A OUTPUT -d 0.0.0.0/0 -s 192.168.123.101 -p icmp --icmp-type 0 -j ACCEPT
$ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
...
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.123.101 icmptype 8 limit: avg 30/min burst 5
...
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
...
0 0 ACCEPT icmp -- * * 192.168.123.101 0.0.0.0/0 icmptype 0
2.7 state擴展
根據連接追蹤機制檢查連接的狀態.
- 調整連接追蹤功能所能夠容納的最大連接數量: /proc/sys/net/nf_conntrack_max
$ cat /proc/sys/net/nf_conntrack_max
31248
$ echo "65535" > /proc/sys/net/nf_conntrack_max
$ cat /proc/sys/net/nf_conntrack_max
65535
- 已經追蹤到並記錄下的連接: /proc/net/nf_conntrack
$ cat /proc/net/nf_conntrack
ipv4 2 udp 17 19 src=192.168.123.101 dst=202.112.29.82 sport=55386 dport=123 src=202.112.29.82 dst=192.168.123.101 sport=123 dport=55386 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
ipv4 2 udp 17 19 src=192.168.123.101 dst=5.103.139.163 sport=35028 dport=123 src=5.103.139.163 dst=192.168.123.101 sport=123 dport=35028 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
ipv4 2 udp 17 18 src=192.168.123.101 dst=202.112.31.197 sport=41850 dport=123 src=202.112.31.197 dst=192.168.123.101 sport=123 dport=41850 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.123.101 dst=192.168.123.1 sport=22 dport=1214 src=192.168.123.1 dst=192.168.123.101 sport=1214 dport=22 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
ipv4 2 udp 17 17 src=192.168.123.101 dst=5.79.108.34 sport=56947 dport=123 src=5.79.108.34 dst=192.168.123.101 sport=123 dport=56947 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
- 不同協議或連接類型的追蹤時長: /proc/sys/net/netfilter/
- 可追蹤的連接狀態:
- NEW: 新發出的請求, 連接追蹤模板中不存在此連接相關的信息條目; 因此, 將其識別爲第一次發出的請求.
- ESTABLISHED: NEW狀態之後, 連接追蹤模板中爲其建立的條目失效之前期間內所進行的通信的狀態.
- RELATED: 相關的連接, 如FTP協議的命令連接與數據連接之間的關係.
- INVALIED: 無法識別的連接.
- [!] --state STATE1,STATE2,...
示例1: 其他主機對192.168.123.101主機的22和80端口訪問的狀態NEW和ESTABLESHED時, 運行訪問.
$ iptables -t filter -I INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -t filter -I OUTPUT -s 192.168.123.101 -d 0.0.0.0/0 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
398 42224 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 multiport dports 22,80 state NEW,ESTABLISHED
...
...
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 1104 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 multiport sports 22,80 state ESTABLISHED
...
示例2: 在192.168.123.101主機上放開被動模式的ftp服務
$ lsmod | grep ftp
$ modprobe nf_conntrack_ftp
$ lsmod | grep ftp
nf_conntrack_ftp 18638 0
nf_conntrack 111302 4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
$ iptables -t filter -A INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -t filter -A INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -t filter -A OUTPUT -s 192.168.123.101 -d 0.0.0.0/0 -p tcp -m state --state ESTABLISHED -j ACCEPT
$ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
...
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 tcp dpt:21 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 state RELATED,ESTABLISHED
...
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
...
0 0 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 state ESTABLISHED