In a production environment, beyond the policies configured on the hardware firewall appliances, some of the software in use has rather loose access control, so the application servers running that kind of software need their own host-level firewall configuration.
iptables is the packet-filtering firewall management tool commonly used on Linux; it is the user-space front end to the packet filtering that netfilter implements inside the Linux kernel.
1. The four tables and five chains of netfilter/iptables
iptables is essentially a packet-filtering firewall: you write rules stating which packets to accept and which to reject, and packets are filtered against those rules. The rules are stored in dedicated packet-filter tables that are built into the Linux kernel, and within a table the rules are grouped into what are called chains.
1.1 The four tables
1.2 The five chains
The detailed correspondence is as follows:
2. The filter table
In packet filtering the most commonly used table is filter, which is also the default table of iptables. iptables works by inspecting the header data of each packet and comparing it against the defined rules, which decide whether the packet is allowed into the host (ACCEPT) or discarded (DROP). In other words, the analysed packet data is "compared" against the predefined rules: if the packet matches a rule, that rule's action is taken; otherwise matching continues with the next rule. The essentials are the comparison itself and the order in which the rules are compared.
2.1 filter table rules
2.2 Example structure of the filter table
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
## Declare the table as filter
*filter
## Default policies
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## Rules appended to the built-in chains
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
3. iptables commands
3.1 iptables command syntax
## Quick look at the command-line options
[root@localhost ~]# iptables -h
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
3.2 iptables match conditions
Format of an iptables rule definition:
iptables [-AI chain] [-io network-interface] [ -p protocol ] [ -m extension extension-parameters ] [ -s source-IP/network ] [ -d destination-IP/network ] -j [ACCEPT | DROP | REJECT | LOG]
1. [ -m state --state options ]
iptables has four connection states: NEW, ESTABLISHED, RELATED and INVALID.
NEW: a host is connecting to the target host; this is the first packet the target host sees from the host that wants to connect.
ESTABLISHED: the host is already communicating with the target host; the criterion is simply that the target host has replied to the first packet.
RELATED: the host is already communicating with the target host, and a new connection is opened in relation to the existing one, for example the data connection of FTP.
INVALID: an invalid packet, for example one whose data is corrupted.
Example:
2. [ -m multiport --dport/sport ]
## Match multiple ports
Example: iptables -A INPUT -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
3. [ -m iprange --src-range ]
## Match a range of IP addresses
Example: iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.122-192.168.1.128 -j ACCEPT
3.3 Examples of common iptables commands
1. Command -A, --append
Example: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Description: appends a rule to the INPUT chain that accepts all incoming connections whose destination port is 22; the new rule becomes the last rule in the chain.
2. Command -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j ACCEPT
or: iptables -D INPUT 1
Description: deletes the rule created above from the INPUT chain, either by entering the full rule again or by specifying its rule number.
3. Command -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description: replaces the current first rule; the order of the remaining rules does not change.
4. Command -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Description: inserts a rule in front of the first rule; the rule previously in that position moves down by one.
5. Command -L, --list
Example: iptables -L INPUT
Description: lists all rules in the INPUT chain.
6. Command -F, --flush
Example: iptables -F INPUT
Description: deletes all rules in the INPUT chain.
7. Command -Z, --zero
Example: iptables -Z INPUT
Description: resets the packet counters of the INPUT chain. Counting how often the same kind of packet arrives is an indispensable tool when filtering flood-style denial-of-service attacks. With no chain given, -Z resets the packet and byte counters of every chain.
8. Command -N, --new-chain
Example: iptables -N denied
Description: defines a new user-defined chain.
9. Command -X, --delete-chain
Example: iptables -X denied
Description: deletes the named user-defined chain; with no argument, all user-defined chains are deleted.
10. Command -P, --policy
Example: iptables -P INPUT DROP
Description: sets the default policy of a chain; a packet that matches none of the rules is handled according to this default.
11. Command -E, --rename-chain
Example: iptables -E denied disallowed
Description: renames a user-defined chain.
4. Building an iptables ruleset
4.1 Preparation
- Inspect the existing rules
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5384 7621K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3478 packets, 264K bytes)
pkts bytes target prot opt in out source destination
- Check the service status
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2018-07-13 23:20:13 EDT; 30min ago
Process: 12699 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 12699 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
Jul 13 23:20:13 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Jul 13 23:20:13 localhost.localdomain iptables.init[12699]: iptables: Applying firewall rules: [ OK ]
Jul 13 23:20:13 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
- Clear the existing rules
## Clear all firewall rules:
[root@localhost ~]# iptables -F //delete all rules that have been defined
[root@localhost ~]# iptables -X //delete all user-defined chains
[root@localhost ~]# iptables -Z //reset the packet and byte counters of all chains
## Save. Before saving, make sure the default INPUT policy is ACCEPT, otherwise the remote SSH session is certain to be cut off
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Jul 14 00:37:51 2018
*filter
:INPUT ACCEPT [1434:117566]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1226:277818]
COMMIT
# Completed on Sat Jul 14 00:37:51 2018
## No rules remain
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 14 packets, 924 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 880 bytes)
pkts bytes target prot opt in out source destination
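The warning above is easy to violate by hand, so here is a check for it, written as an added example that is not part of the original post: a shell function that reads an `iptables-save` dump (the file format shown in section 2.2) and flags the lock-out condition, a filter INPUT policy of DROP with no INPUT rule accepting TCP port 22. The three dumps embedded in the script are constructed samples, not captures from a real host; the function name `audit_ssh_lockout` and the fixed port 22 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an iptables-save dump
# for the SSH lock-out condition the post warns about. A ruleset is flagged
# when the filter table's INPUT policy is DROP and no INPUT rule accepts
# TCP port 22. Reads the dump from stdin, prints a verdict and returns
# 0 (safe) or 1 (lock-out risk).
audit_ssh_lockout() {
    awk '
        # track which table the following lines belong to (*filter, *nat, ...)
        /^\*/ { table = substr($0, 2) }
        # ":INPUT DROP [0:0]" carries the chain policy in field 2
        /^:INPUT / { if (table == "filter") policy = $2 }
        # an ACCEPT rule for tcp/22, given as --dport 22 or inside a multiport list
        /^-A INPUT / && /-p tcp/ && (/--dport 22 / || /--dports ([0-9]+,)*22[ ,]/) && /-j ACCEPT/ {
            if (table == "filter") ssh_ok = 1
        }
        # informational: is there a RELATED,ESTABLISHED rule on INPUT?
        /^-A INPUT / && /--state [A-Z,]*ESTABLISHED/ { state_ok = 1 }
        END {
            if (policy == "DROP" && !ssh_ok) {
                print "LOCKOUT RISK: filter INPUT policy is DROP and no rule accepts tcp/22"
                exit 1
            }
            printf "OK: INPUT policy=%s ssh_rule=%s established_rule=%s\n",
                   (policy == "" ? "none" : policy),
                   (ssh_ok ? "yes" : "no"), (state_ok ? "yes" : "no")
            exit 0
        }'
}

# Constructed sample dumps (not captured from a real host).
# A locked-down ruleset that still lets SSH in.
SAFE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# The state right after "iptables -F" with the policy still ACCEPT (section 4.1).
FLUSHED_DUMP='*filter
:INPUT ACCEPT [1434:117566]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1226:277818]
COMMIT'

# Policy already DROP but the SSH rule is missing: saving this cuts the session.
RISKY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

for dump in "$SAFE_DUMP" "$FLUSHED_DUMP" "$RISKY_DUMP"; do
    printf '%s\n' "$dump" | audit_ssh_lockout || echo "  (exit status $?)"
done
```

On a real host, source the script and run `iptables-save | audit_ssh_lockout` before `service iptables save`; a non-zero status means the saved ruleset would not let a new SSH session in after the next reload. The check only covers the filter table and only recognises an ACCEPT on tcp/22 written as `--dport 22` or inside a `--dports` list, so a rule that accepts SSH through a user-defined chain would have to be added to the awk patterns.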
4.2 Rule configuration
Because iptables evaluates rules strictly in order, and given the structure of the filter table, a default policy (Policy) must be set: when a packet matches none of the rules we defined, whether it passes or not is decided by the Policy. On hosts with higher security requirements the INPUT chain of the filter table is defined strictly and its Policy is set to DROP.
Defining the default policy with iptables:
Format: iptables [-t table] -P [INPUT|OUTPUT|FORWARD] [ACCEPT|DROP]
-P : sets the policy. Note: the P is uppercase.
ACCEPT : the packet is accepted
DROP : the packet is discarded; the client is not told why
- First make sure sshd traffic keeps working
## We are about to set every default policy to DROP; to keep SSH working, write the SSH access rules first
[root@localhost ~]# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
98 6500 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
52 4808 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
- Set the default policies (Policy)
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P FORWARD DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
179 11837 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
102 10216 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
- Keep the local loopback working
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -o lo -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 800 52707 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 458 47772 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
- Keep existing and related connections working
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 978 64524 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 4 237 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 567 58885 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 5 268 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- Do not block incoming ping
[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1204 79461 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 4 237 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 700 73273 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 5 268 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
- Allow outgoing ping
[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 598 39376 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 2 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 351 47660 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 3 180 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
- Allow DNS resolution
[root@localhost ~]# iptables -A INPUT -p udp --sport 53 -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -vnL --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1199 80605 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 10 900 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 16 1446 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 741 109K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
2 10 900 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 9 684 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
5 9 756 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
6 4 264 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
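The steps above apply one rule per `iptables` call over a live SSH session, so the order of the calls is what keeps the session alive. As an added example that is not the post's own commands, the shell function below produces the same protection as the whole of section 4.2, together with the `-m state` and `-m multiport` matches from section 3.2, as a single `iptables-restore` file, which the kernel commits atomically: either the complete ruleset with its DROP policies takes effect, or nothing changes. The function name `build_ruleset`, the admin network 192.168.1.0/24 and the service ports 80,443 are placeholders of this example. It deliberately differs from the post in two places: there are no standalone `--sport 22` and `--sport 53` ACCEPT rules, because the RELATED,ESTABLISHED rule already admits replies to accepted connections (an inbound `udp --sport 53` rule would accept any UDP packet that merely claims source port 53), and packets in the INVALID state are dropped explicitly.

```shell
#!/bin/sh
# Added example, not the post's own commands: emit the section 4.2 ruleset
# as one iptables-restore file so that policies and rules are committed
# atomically instead of one `iptables` call at a time.
# Arguments (all assumptions of this example):
#   $1  TCP port sshd listens on            (default 22)
#   $2  network allowed to open SSH sessions (default 0.0.0.0/0, i.e. anywhere)
#   $3  comma-separated TCP service ports to publish (default: none)
build_ruleset() {
    ssh_port=${1:-22}
    admin_net=${2:-0.0.0.0/0}
    service_ports=$3
    cat <<EOF
# Generated by build_ruleset; apply atomically with: iptables-restore < rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback (section 4.2, loopback step)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# traffic belonging to connections already accepted; this also lets SSH
# replies and DNS answers back without per-port --sport rules
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# new SSH sessions, restricted to the admin network
-A INPUT -s ${admin_net} -p tcp -m tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
EOF
    if [ -n "$service_ports" ]; then
        cat <<EOF
# published service ports, one rule via the multiport match (section 3.2)
-A INPUT -p tcp -m multiport --dports ${service_ports} -m state --state NEW -j ACCEPT
EOF
    fi
    cat <<EOF
# ping in both directions
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# outbound DNS queries; answers return as ESTABLISHED
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Write the file to the path the iptables service loads and apply it in one
# transaction (requires root; not invoked here). iptables-restore rejects the
# whole file on a syntax error, so a half-applied ruleset cannot lock you out.
install_ruleset() {
    build_ruleset "$@" > /etc/sysconfig/iptables &&
        iptables-restore < /etc/sysconfig/iptables
}

# Demonstration with placeholder values: print the generated file.
build_ruleset 22 192.168.1.0/24 80,443
```

Keep the admin network as tight as the environment allows; with the default `0.0.0.0/0` the SSH rule is exactly as open as the one in the post. After applying, `iptables -vnL --line-numbers` should show the DROP policies together with the rules above, and a second SSH session should be opened to confirm access before the first one is closed.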