码迷,mamicode.com
首页 > 其他好文 > 详细

iptables杂记(2)

时间:2018-03-18 16:14:21      阅读:158      评论:0      收藏:0      [点我收藏+]

标签:iptables 杂记 基础

iptables扩展

使用扩展参数放通80,和22端口

[root@xx ~]# iptables -I INPUT -s 10.201.106.0/24 -d 10.201.106.130 -p tcp -m multiport --dports 22,80 -j ACCEPT
[root@xx ~]# iptables -I OUTPUT -s 10.201.106.130 -d 10.201.106.0/24 -p tcp -m multiport --sports 22,80 -j ACCEPT
[root@xx ~]# 

[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 1 packets, 229 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  224 15988 ACCEPT     tcp  --  *      *       10.201.106.0/24      10.201.106.130       multiport dports 22,80
 3451  253K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       tcp dpt:22
   27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 11 packets, 1160 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   27  2304 ACCEPT     tcp  --  *      *       10.201.106.130       10.201.106.0/24      multiport sports 22,80
 2612  309K ACCEPT     tcp  --  *      *       10.201.106.130       0.0.0.0/0            tcp spt:22
   42  3528 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 8
[root@xx ~]# 

删除没用的规则:
[root@xx ~]# iptables -D INPUT 2
[root@xx ~]# iptables -D OUTPUT 2
[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  385 27742 ACCEPT     tcp  --  *      *       10.201.106.0/24      10.201.106.130       multiport dports 22,80
   27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  132 70357 ACCEPT     tcp  --  *      *       10.201.106.130       10.201.106.0/24      multiport sports 22,80
   42  3528 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 8
[root@xx ~]#

根据IP地址范围放通端口

[root@xx ~]# iptables -I INPUT -d 10.201.106.130 -p tcp -m multiport --dports 22:23,80 -m iprange --src-range 10.201.106.1-10.201.106.130 -j ACCEPT

[root@xx ~]# iptables -I OUTPUT -s 10.201.106.130 -p tcp -m multiport --sports 22:33,80 -m iprange --dst-range 10.201.106.1-10.201.106.130 -jACCEPT

[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  514 38968 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       multiport dports 22:23,80 source IP range 10.201.106.1-10.201.106.130
 1166 86322 ACCEPT     tcp  --  *      *       10.201.106.0/24      10.201.106.130       multiport dports 22,80
   27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 11 packets, 1160 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   22  3176 ACCEPT     tcp  --  *      *       10.201.106.130       0.0.0.0/0            multiport sports 22:33,80 destination IP range 10.201.106.1-10.201.106.130
 1153  154K ACCEPT     tcp  --  *      *       10.201.106.130       10.201.106.0/24      multiport sports 22,80
   42  3528 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 8
[root@xx ~]# 

删除多余规则:
[root@xx ~]# iptables -D INPUT 2
[root@xx ~]# iptables -D OUTPUT 2
[root@xx ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       multiport dports 22:23,80 source IP range 10.201.106.1-10.201.106.130
ACCEPT     icmp --  0.0.0.0/0            10.201.106.130       icmptype 0

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  10.201.106.130       0.0.0.0/0            multiport sports 22:33,80 destination IP range 10.201.106.1-10.201.106.130
ACCEPT     icmp --  10.201.106.130       0.0.0.0/0            icmptype 8
[root@xx ~]#

根据报文中的字符串过滤内容

[root@xx ~]# vim /www/htdocs/bad.html

This is a  movie page.

过滤前
技术分享图片

过滤后:

[root@xx ~]# iptables -I OUTPUT -m string --algo bm --string "movie" -j REJECT

[root@xx ~]# iptables -L -n -v --line-number
Chain INPUT (policy DROP 345 packets, 37324 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     1742  132K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       multiport dports 22:23,80 source IP range 10.201.106.1-10.201.106.130
2       27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 53 packets, 5010 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        6  2310 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "movie" ALGO name bm TO 65535 reject-with icmp-port-unreachable
2      982  265K ACCEPT     tcp  --  *      *       10.201.106.130       0.0.0.0/0            multiport sports 22:33,80 destination IP range 10.201.106.1-10.201.106.130
3       42  3528 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 8

技术分享图片
技术分享图片

iptables时间段内过滤

1、删除掉之前的string过滤条目
[root@xx ~]# iptables -D OUTPUT 1

2、本来是设置14-18点无法访问WEB服务,需要策略的时间和系统时间时区一模一样,所以改成了0:00-23:59,为了让策略匹配
[root@xx ~]# iptables -I INPUT -d 10.201.106.130 -p tcp --dport 80 -m time --timestart 00:00 --timestop 23:59 -j REJECT
[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   304 REJECT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       tcp dpt:80 TIME from 00:00:00 to 23:59:00 UTC reject-with icmp-port-unreachable
 2584  203K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       multiport dports 22:23,80 source IP range 10.201.106.1-10.201.106.130
   27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 6 packets, 472 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1595  511K ACCEPT     tcp  --  *      *       10.201.106.130       0.0.0.0/0            multiport sports 22:33,80 destination IP range 10.201.106.1-10.201.106.130
   42  3528 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 8
[root@xx ~]# 

3、登录测试

技术分享图片
技术分享图片

指明某个协议端口的并发连接数限制数量

[root@xx ~]# iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j REJECT

[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
   41  5548 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 #conn src/32 > 3 reject-with icmp-port-unreachable
   33  1672 REJECT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       tcp dpt:80 TIME from 00:00:00 to 23:59:00 UTC reject-with icmp-port-unreachable
 3309  267K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       multiport dports 22:23,80 source IP range 10.201.106.1-10.201.106.130
   27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0

ping速率限制

[root@xx ~]# iptables -A INPUT -d 10.201.106.130 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 30/minute -j ACCEPT

[root@xx ~]# iptables -A OUTPUT -s 10.201.106.130 -p icmp --icmp-type 0 -j ACCEPT

[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   41  5548 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 #conn src/32 > 3 reject-with icmp-port-unreachable
   33  1672 REJECT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       tcp dpt:80 TIME from 00:00:00 to 23:59:00 UTC reject-with icmp-port-unreachable
 4108  325K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       multiport dports 22:23,80 source IP range 10.201.106.1-10.201.106.130
   27  2268 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 8 limit: avg 30/min burst 5

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2856  676K ACCEPT     tcp  --  *      *       10.201.106.130       0.0.0.0/0            multiport sports 22:33,80 destination IP range 10.201.106.1-10.201.106.130
   42  3528 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       10.201.106.130       0.0.0.0/0            icmptype 0
[root@xx ~]#

查看最大并发连接数

[root@xx ~]# cat /proc/sys/net/nf_conntrack_max 
15628

查看已经追踪到的所有连接

[root@xx ~]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 299 ESTABLISHED src=10.201.106.1 dst=10.201.106.130 sport=49630 dport=22 src=10.201.106.130 dst=10.201.106.1 sport=22 dport=49630 [ASSURED] mark=0 zone=0 use=2
[root@xx ~]#

设置SSH进入只允许新连接和已建立连接,出去只允许已建立连接

[root@xx ~]# iptables -I INPUT -d 10.201.106.130 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@xx ~]# 

[root@xx ~]# iptables -I OUTPUT -s 10.201.106.130 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

[root@xx ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:22 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  10.201.106.130       0.0.0.0/0            tcp spt:22 state ESTABLISHED
[root@xx ~]#

设置http进入只允许新连接和已建立连接,出去只允许已建立连接

[root@xx ~]# iptables -I INPUT -d 10.201.106.130 -p tcp -dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables v1.4.21: multiple -d flags not allowed
Try `iptables -h‘ or ‘iptables --help‘ for more information.
[root@xx ~]# 
[root@xx ~]# 
[root@xx ~]# 
[root@xx ~]# iptables -I INPUT -d 10.201.106.130 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@xx ~]# 
[root@xx ~]# iptables -I OUTPUT -s 10.201.106.130 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
[root@xx ~]# 
[root@xx ~]# 
[root@xx ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:22 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  10.201.106.130       0.0.0.0/0            tcp spt:80 state ESTABLISHED
ACCEPT     tcp  --  10.201.106.130       0.0.0.0/0            tcp spt:22 state ESTABLISHED
[root@xx ~]#

测试:
技术分享图片

放通ping

[root@xx ~]# iptables -A INPUT -d 10.201.106.130 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@xx ~]# 
[root@xx ~]# iptables -A OUTPUT -s 10.201.106.130 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
[root@xx ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:22 state NEW,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            10.201.106.130       icmptype 8 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  10.201.106.130       0.0.0.0/0            tcp spt:80 state ESTABLISHED
ACCEPT     tcp  --  10.201.106.130       0.0.0.0/0            tcp spt:22 state ESTABLISHED
ACCEPT     icmp --  10.201.106.130       0.0.0.0/0            icmptype 0 state ESTABLISHED
[root@xx ~]#

技术分享图片

对所有已建立的进程出站放通

[root@xx ~]# iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT

[root@xx ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            10.201.106.130       tcp dpt:22 state NEW,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            10.201.106.130       icmptype 8 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
[root@xx ~]#

放通进站

[root@xx ~]# iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

再合并80和22端口的策略

[root@xx ~]# iptables -I INPUT 2 -d 10.201.106.130 -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

[root@xx ~]# iptables -D INPUT 3
[root@xx ~]# iptables -D INPUT 3
[root@xx ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  465 35120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.201.106.130       multiport dports 22,80 state NEW
   18  1080 ACCEPT     icmp --  *      *       0.0.0.0/0            10.201.106.130       icmptype 8 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  575  116K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
[root@xx ~]#

iptables杂记(2)

标签:iptables 杂记 基础

原文地址:http://blog.51cto.com/zhongle21/2088154
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!