iptables basic syntax (kernel 2.6.18)
4 tables
Tables and chains:
filter: INPUT FORWARD OUTPUT
nat: PREROUTING OUTPUT POSTROUTING
mangle: PREROUTING OUTPUT POSTROUTING INPUT FORWARD
raw: PREROUTING OUTPUT
-------------------------------------
man iptables
iptables -L
The default is the filter table
---------------------------------
Keep SSH login working
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT
--------------------------------
iptables -L --line    shows the rule numbers in each chain (--line is short for --line-numbers)
-------------------------------------------
Set the default chain policy: to lock the chains down safely, first allow SSH, then switch the default policy to DROP, then add the allowed rules one at a time
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
Note: when adding a port rule, the protocol must be specified (-p tcp / -p udp).
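The lockdown order above, as an added example script that is not part of these notes: the SSH allow rules go in before the policies flip to DROP, and a timed rollback (the 120-second delay is an assumed value) puts the policies back to ACCEPT if the session is lost before the rules are confirmed. Setting DRY_RUN=1 prints the commands instead of running them, which is how the rule order can be reviewed without root.

```shell
# Added example: apply the lockdown in the safe order, with a rollback timer.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Order matters: the SSH allow rules must exist before the policy becomes DROP,
# otherwise the session used to run this script is cut off immediately.
lockdown_ssh_first() {
  run -t filter -A INPUT  -p tcp --dport 22 -j ACCEPT
  run -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT
  run -P OUTPUT DROP
  run -P INPUT DROP
}

# Safety net: unless disarm_rollback is called within $1 seconds (assumed
# default 120), the policies return to ACCEPT so a locked-out admin can reconnect.
arm_rollback() {
  ( sleep "${1:-120}" && iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT ) &
  ROLLBACK_PID=$!
}
# Killing the subshell stops the chain after sleep; the orphaned sleep is harmless.
disarm_rollback() { kill "$ROLLBACK_PID" 2>/dev/null; }

# Usage (as root, in the interactive shell so the PID is kept):
#   . ./lockdown.sh; arm_rollback 120; lockdown_ssh_first
#   open a second SSH session to confirm access, then: disarm_rollback
```

Confirm access from a second session before disarming: the first session keeps working even when the rules are wrong, because its connection already exists.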
================================
For testing:
=============================================================================
Open telnet port 23
iptables -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 23 -j ACCEPT
or
iptables -t filter -A OUTPUT -p tcp --sport 23 -d 169.254.1.148 -j ACCEPT
----------------------------------------------------------------------------------
Allow ICMP ping
[root@client ~]# iptables -t filter -A INPUT -p icmp -j ACCEPT
[root@client ~]# iptables -t filter -A OUTPUT -p icmp -j ACCEPT
[root@client ~]# iptables -L
[root@client ~]# iptables -L --line
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
2 ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
3 ACCEPT icmp -- anywhere anywhere
iptables -D INPUT 3    (3 = the number of the icmp rule)
Test adding a rate limit:
iptables -A INPUT -p icmp -m limit --limit 2/m --limit-burst 3 -j ACCEPT
C:\Documents and Settings\Haier>ping 169.254.1.233
Pinging 169.254.1.233 with 32 bytes of data:
Reply from 169.254.1.233: bytes=32 time=2ms TTL=64
Reply from 169.254.1.233: bytes=32 time<1ms TTL=64
Reply from 169.254.1.233: bytes=32 time<1ms TTL=64
Request timed out.
Ping statistics for 169.254.1.233:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
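Why exactly three of the four pings were answered: an added example, not from the notes, that models the limit match as a token bucket in POSIX sh. It is an approximation of xt_limit's accounting (the kernel refills credit continuously rather than in whole tokens): the bucket starts full with --limit-burst tokens, each accepted packet spends one, and one token returns every 60/--limit seconds. Packets that find the bucket empty do not match the rule and fall through to the chain's DROP policy.

```shell
# Added example (constructed, not kernel code): approximate -m limit as a
# token bucket and return how many of N packets, sent every INTERVAL seconds,
# would match a rule with --limit PER_MIN/minute --limit-burst BURST.
#   limit_sim BURST PER_MIN COUNT INTERVAL
limit_sim() {
  burst=$1; per_min=$2; count=$3; interval=$4
  period=$((60 / per_min))      # seconds until one token is refilled
  tokens=$burst                 # bucket starts full
  last=0                        # time of the last refill credited
  accepted=0; i=0
  while [ "$i" -lt "$count" ]; do
    t=$((i * interval))
    add=$(( (t - last) / period ))          # whole tokens earned since last refill
    if [ "$add" -gt 0 ]; then
      tokens=$((tokens + add))
      [ "$tokens" -gt "$burst" ] && tokens=$burst   # never above the burst size
      last=$((last + add * period))
    fi
    if [ "$tokens" -gt 0 ]; then            # a token is available: packet matches
      tokens=$((tokens - 1)); accepted=$((accepted + 1))
    fi
    i=$((i + 1))
  done
  echo "$accepted"
}

# Windows ping: 4 echo requests about one second apart, against
# --limit 2/m --limit-burst 3 as in the notes.
limit_sim 3 2 4 1     # 3: the burst absorbs three, the fourth finds no token
limit_sim 3 2 4 30    # 4: one request every 30 s matches the 2/minute refill
```

The second call shows the other side of the setting: a sender that paces itself at the configured rate is never limited, so --limit-burst, not --limit, decides how much of a sudden flood gets through before the rule starts dropping.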
--------------------------------------------------------------------------
Must be allowed, otherwise some programs will not work properly
Allow the local loopback address
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
---------------------------------------------------------------------
Allowing DNS is a little different from the other protocols, note:
[root@client ~]# ping www.baidu.com
ping: unknown host www.baidu.com
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
---------------------------------------------------------------------------------------------
Match connection state with the -m parameter
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[root@client ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- client.redhat.org.cn client.redhat.org.cn
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
----------------------------------
iptables -A INPUT -p tcp -m multiport --dport 20,21,22,23,25,80 -j ACCEPT
[root@client ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- client.redhat.org.cn client.redhat.org.cn
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,ssh,telnet,smtp,http
Note: a contiguous range of ports is written --dport 80:90 (ports 80 through 90)
----------------------------------
iptables-save    saves the configured rules
(the rules are saved in /etc/sysconfig/iptables)
iptables-save > /home/iptables.file
iptables -F    flush (clear) the rules
iptables-restore < /home/iptables.file    restore
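The per-protocol allow rules above (loopback, DNS, the state match) together with the save/restore commands, as one added example that is not part of these notes: the whole filter table is emitted in iptables-save format and loaded with iptables-restore in a single step, so the host is never half-configured between individual iptables -A calls. It also tightens two of the notes' rules: loopback is matched on the lo interface rather than on 127.0.0.1 addresses, and DNS replies are admitted by connection state rather than by "source port 53", which any packet can carry. SSH_PORT and DNS_SERVER are assumed values.

```shell
# Added example: emit a complete filter table in iptables-save format and
# load it atomically with iptables-restore. Values below are assumptions.
SSH_PORT=22
DNS_SERVER=192.168.1.1   # constructed; use your resolver's address

lockdown_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback by interface: stricter than matching the 127.0.0.1 addresses
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host already has; replaces the per-service --sport rules
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound SSH: only the first packet of a connection needs a rule now
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# outbound DNS to the configured resolver only; the reply comes back as ESTABLISHED
-A OUTPUT -p udp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
# ping, rate-limited as in the notes
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/minute --limit-burst 3 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated table (handy for sanity checks).
rule_count() { lockdown_ruleset | grep -c '^-A'; }

# Load the table in one transaction; run as root after reviewing the output
# of lockdown_ruleset. iptables-save > backup.rules beforehand gives a rollback.
apply_ruleset() { lockdown_ruleset | iptables-restore; }
```

iptables-restore replaces the whole table from the text, so the ordering problem of the one-command-at-a-time approach disappears: either the complete ruleset loads, or on a syntax error nothing changes.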
---------------------------------------------------------------------------
FORWARD chain
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 192.168.1.5
---------------------------------------------
Traffic control
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.0/24 -j ACCEPT
Rate-limit a single host:
iptables -A FORWARD -i eth0 -d 192.168.0.2 -m limit --limit 10/s --limit-burst 10 -j ACCEPT
---------------------------------------------------------------
Rate-limit a contiguous range of hosts:
Write a script
#!/bin/bash
# one limit rule per destination host, 192.168.0.2 through 192.168.0.34
for ((i=2; i<=34; i++)); do
    iptables -A FORWARD -i eth0 -d 192.168.0.$i -m limit --limit 10/s --limit-burst 10 -j ACCEPT
done
-------------------------------------------------------
NAT setup
First enable routing (IP forwarding)
vi /etc/sysctl.conf    (set net.ipv4.ip_forward = 1)
sysctl -p
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.8 --dport 81 -j DNAT --to 192.168.0.2:80
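The DNAT rule above with the pieces it needs to actually pass traffic, as an added example that is not part of the notes: the notes earlier set the FORWARD policy to DROP, so after translation the packet (now addressed to 192.168.0.2:80) still needs an ACCEPT in FORWARD in both directions, and ip_forward must be on. Using eth0 as the external interface follows the notes' earlier FORWARD rules and is an assumption; the addresses are the notes' own. DRY_RUN=1 prints the commands for review instead of running them.

```shell
# Added example: DNAT port forward plus the FORWARD rules it depends on.
# Addresses come from the notes; eth0 as the external interface is an assumption.
EXT_IF=eth0
EXT_IP=192.168.1.8
EXT_PORT=81
INT_IP=192.168.0.2
INT_PORT=80

run() {  # print instead of execute when DRY_RUN is set
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

publish_service() {
  # 1. routing must be on, or the kernel never forwards the translated packet
  run sysctl -w net.ipv4.ip_forward=1
  # 2. rewrite the destination before the routing decision
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$EXT_PORT" \
      -j DNAT --to-destination "$INT_IP:$INT_PORT"
  # 3. FORWARD sees the post-DNAT address, so match the internal host, not EXT_IP
  run iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$INT_IP" --dport "$INT_PORT" \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # 4. return traffic from the server; conntrack un-translates it on the way out
  run iptables -A FORWARD -o "$EXT_IF" -p tcp -s "$INT_IP" --sport "$INT_PORT" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Review first, then apply as root:
#   DRY_RUN=1 sh publish.sh; sh publish.sh
case "${1:-}" in
  apply) publish_service ;;
esac
```

Limiting the FORWARD accept to the translated destination and port keeps the DROP policy meaningful: only the published service is reachable from outside, not the rest of the 192.168.0.0/24 network.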