centos iptables
I. Installation and usage
(1) Installation
[root@k8s-node1 sysconfig]# pwd
/etc/sysconfig
[root@k8s-node1 sysconfig]# yum install iptables
[root@k8s-node1 sysconfig]# yum install iptables-services
[root@k8s-node1 sysconfig]# ls -l | grep iptables
-rw-------. 1 root root 550 Aug 8 19:41 iptables
-rw-------. 1 root root 2116 Aug 8 19:41 iptables-config
systemctl stop firewalld   (stop it now)
systemctl mask firewalld   (prevent it from ever being started again; firewalld and iptables-services both program the same netfilter rules, so only one of them may run)
(2) Usage
List the current rules (-n skips DNS lookups; add -v to also show the interface and counter columns, which is why several FORWARD rules below look identical here):
[root@k8s-node1 sysconfig]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:8081
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Allow all inbound traffic (sets the INPUT chain's default policy; rules already in the chain stay in place):
iptables -P INPUT ACCEPT
Start at boot:
systemctl enable iptables
systemctl stop/start/restart iptables
chkconfig iptables off/on   (SysV-style permanent disable/enable; on CentOS 7 this is forwarded to systemctl disable/enable)
Configure ports by hand (this file is what the iptables service loads at boot and on restart):
[root@k8s-node1 sysconfig]# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Add further lines of the form -A INPUT -p tcp -m state --state NEW -m tcp --dport <port> -j ACCEPT above the final INPUT REJECT line; anything placed after it never matches. Loading this file replaces the whole filter table, so on a Docker/Kubernetes host like this one the DOCKER* chains listed above disappear and the FORWARD REJECT line blocks container traffic until Docker is restarted.
Save the running rules to /etc/sysconfig/iptables:
service iptables save
(3) Common rules
List: iptables -L -n
Allow everything in by default: iptables -P INPUT ACCEPT
Flush all rules (every chain of the filter table): iptables -F
Delete the (empty) user-defined chains: iptables -X
Zero the counters: iptables -Z
Allow local traffic (packets on the lo interface): iptables -A INPUT -i lo -j ACCEPT
Open a port: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow ping (ICMP echo request): iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
Allow replies to connections this host initiated (no space after the comma, or iptables rejects the argument): iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Drop all other inbound traffic: iptables -P INPUT DROP
Allow all outbound traffic: iptables -P OUTPUT ACCEPT
Drop all forwarded traffic: iptables -P FORWARD DROP
Accept all TCP from one address: iptables -A INPUT -p tcp -s <ip> -j ACCEPT
Drop whatever none of the rules above matched (apply this policy last, after the lo, ESTABLISHED and SSH rules are in place, or the SSH session you are typing in is cut off): iptables -P INPUT DROP
Block an address (-I puts the rule at the top of the chain, ahead of any ACCEPT): iptables -I INPUT -s <ip> -j DROP
Unblock it: iptables -D INPUT -s <ip> -j DROP
Save: service iptables save
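Putting the rules above together, as an added example that is not part of the original post: a shell function that emits the baseline INPUT ruleset in iptables-restore format in the order that avoids a lockout (loopback and established traffic first, the DROP policy only as the chain default), plus a loader with a timed rollback for when you apply it over SSH. It uses -m conntrack --ctstate, the modern form of the -m state match (the listing earlier shows ctstate rules); the SSH port, admin subnet, extra ports, the 60-second default and the /run/iptables.rollback path are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the baseline filter
# ruleset from section (3) in lockout-safe order and loads it with a rollback.

# gen_baseline_ruleset SSH_PORT ADMIN_CIDR [EXTRA_TCP_PORT ...]
# Prints an iptables-restore file. Rule order matters: lo and established
# traffic are accepted before anything else, SSH is limited to the admin
# subnet, and the DROP policy is the chain default rather than a rule.
# Note: FORWARD DROP here matches the listing above; on a Docker host the
# DOCKER* chains are removed when this table is loaded (restart Docker after).
gen_baseline_ruleset() {
    local ssh_port=$1 admin_cidr=$2
    shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -s ${admin_cidr} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
EOF
    # one ACCEPT per additional service port (assumed parameters)
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf 'COMMIT\n'
}

# apply_with_rollback RULESET_FILE [SECONDS]
# Saves the running rules, loads the new file, and restores the saved rules
# after SECONDS (default 60) unless confirm_rules is run first. If the new
# rules cut off your SSH session, the old ones come back on their own.
apply_with_rollback() {
    local file=$1 delay=${2:-60}
    iptables-save > /run/iptables.rollback || return 1
    iptables-restore < "$file" || return 1
    ( sleep "$delay"
      [ -e /run/iptables.rollback ] && iptables-restore < /run/iptables.rollback ) &
    echo "$!" > /run/iptables.rollback.pid
}

# confirm_rules: cancel the pending rollback and persist the new rules.
confirm_rules() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null
    rm -f /run/iptables.rollback /run/iptables.rollback.pid
    service iptables save
}

# Usage (as root):
#   gen_baseline_ruleset 22 10.0.0.0/8 80 443 > /root/iptables.new
#   apply_with_rollback /root/iptables.new 90
#   ... open a second SSH session to verify, then: confirm_rules
```

The rollback is the part worth keeping even if you write the rules by hand: a background iptables-restore of the previous ruleset is the cheapest insurance against a DROP policy that lands before the ESTABLISHED rule.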
II. Concepts
1. Protocols (-p): tcp, udp, icmp
2. Services (identified by their ports): http, ftp, smtp
3. Actions (targets): ACCEPT, REJECT, DROP
The TCP/IP stack is part of the kernel.
A web server is a user-space process.
The web server listens on a socket (IP:port). When it answers a client, the reply's destination is the client and the server's IP:port becomes the source.
netfilter is also part of the kernel. It places checkpoints (hooks) on the packet path; every packet entering or leaving the host passes a checkpoint (for example the input or output hook) where it is allowed or blocked. In iptables these checkpoints are the chains.
ip_forward (net.ipv4.ip_forward) lets the host forward packets addressed to other machines.
The 5 built-in chains:
Before routing: PREROUTING
Forwarded through this host: FORWARD
After routing: POSTROUTING
Addressed to this host: INPUT
Generated by this host: OUTPUT
The 4 tables (each backed by a kernel module; a rarely used fifth table, security, also exists):
filter: packet filtering, module iptable_filter
nat: network address translation, module iptable_nat
mangle: unpacking, modifying and repacking packet headers (TTL, TOS, marks), module iptable_mangle
raw: exempting packets from connection tracking (NOTRACK), which nat relies on; module iptable_raw
Priority when several tables hook the same chain: raw -> mangle -> nat -> filter
Chains and their tables:
PREROUTING: raw/mangle/nat
INPUT: mangle/filter (plus nat on CentOS 7, kernel 2.6.36 and later)
FORWARD: mangle/filter
OUTPUT: raw/mangle/nat/filter
POSTROUTING: mangle/nat
Table (function) -> chains (hooks):
raw: PREROUTING/OUTPUT
mangle: PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING
nat: PREROUTING/OUTPUT/POSTROUTING (plus INPUT on CentOS 7)
filter: INPUT/FORWARD/OUTPUT
Enabling forwarding on a Linux host:
/proc/sys/net/ipv4/ip_forward (1 = on; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent)
Rules:
Basic matches: protocol (-p), source address (-s), destination address (-d), in/out interface (-i/-o)
Extended matches (-m; -p tcp/udp loads the port match implicitly): source port (--sport), destination port (--dport), connection state (-m state or -m conntrack)
Targets (-j):
ACCEPT: let the packet through
DROP: discard silently, no reply
REJECT: discard and send an error back (an ICMP error by default, or a TCP RST with --reject-with tcp-reset)
SNAT: source address translation; lets internal hosts share one public address (POSTROUTING, nat table)
MASQUERADE: SNAT for interfaces whose address is dynamic or temporary; uses the outgoing interface's current address
DNAT: destination address translation (PREROUTING/OUTPUT, nat table)
REDIRECT: DNAT to a port on this host (local port mapping)
LOG: write the packet headers to the kernel log (/var/log/messages via rsyslog); non-terminating, so matching continues with the next rule
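Because LOG is non-terminating, the usual pattern is a rate-limited LOG rule at the end of INPUT, so that only packets the DROP policy is about to discard are logged, followed by a summary of the kernel log. The following is an added example, not from the original post: the prefix "IPT-DROP: ", the host name and the sample /var/log/messages lines are constructed; the IN= SRC= DST= PROTO= DPT= fields are the ones the LOG target writes.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises kernel LOG-target
# lines by source address. Prefix, host and log lines are constructed.
#
# The matching rule, placed last in INPUT so only packets the policy would
# drop reach it, and rate-limited so a port scan cannot flood the log:
#   iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4

# sample_log: five constructed /var/log/messages lines; one is an sshd line
# with no LOG prefix and must be ignored by the parser.
sample_log() {
    cat <<'EOF'
Aug  8 19:41:01 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 19:41:02 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=45679 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 19:41:03 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Aug  8 19:41:04 k8s-node1 sshd[1234]: Accepted publickey for root from 10.0.0.2 port 50000 ssh2
Aug  8 19:41:05 k8s-node1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=45680 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# dropped_by_source PREFIX < logfile
# Prints "source hits distinct-proto/port-targets", busiest source first.
# Fields are located by name rather than position because the kernel omits
# or reorders some of them (OUT= is empty, DF only appears when set).
dropped_by_source() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }          # not one of our LOG lines
        {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; targets[src]++ }
        }
        END { for (s in hits) printf "%s %d %d\n", s, hits[s], targets[s] }
    ' | sort -k2,2nr -k1,1
}

# Usage on a real host:  dropped_by_source "IPT-DROP: " < /var/log/messages
# On the constructed sample:  sample_log | dropped_by_source "IPT-DROP: "
```

A source that accumulates hits across many distinct ports (the third column) is scanning; one that hammers a single port is usually a misconfigured client or a brute-force attempt, and a candidate for the block rule from section (3).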
III. Commands
1. List a table: iptables -t filter (default) | raw | mangle | nat -L INPUT -v
-t: table
-L: list
-v: verbose
-I: insert (at the head of the chain, or at the given rule number)
-A: append (at the tail of the chain)
-s: source
-j: jump (to a target or a user-defined chain)
-F: flush
-R: replace
-P: policy
[root@k8s-node1 sysconfig]# iptables --help
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
Examples:
iptables --line-numbers -vnL INPUT   (shows the rule numbers used by the -I/-D/-R forms below)
iptables -t filter -I INPUT <line-num> -s <source-ip> -j DROP
iptables -t filter -D INPUT <rule line-num>
iptables -t filter -D INPUT -s <source-ip> -j DROP   (delete by specification; removes the first matching copy only)
iptables -t filter -F <chain>
iptables -t filter -R INPUT <rule line-no> -s <source-ip> -j <target>
iptables -t filter -P INPUT DROP
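A scripted form of the -C/-A/-I/-D commands above, added here and not part of the original post: helpers that add a rule only when it is absent (so a provisioning script can be re-run without duplicating rules) and that delete every copy of a rule rather than just the first. The IPTABLES variable, the helper names and the stand-in used to exercise them without root are this example's own assumptions, not part of iptables.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotent rule management
# built on `iptables -C` (check). IPTABLES may be overridden with a stand-in
# so the logic can be exercised without root.
IPTABLES=${IPTABLES:-iptables}

# rule_present CHAIN RULE... : true if exactly this rule exists in CHAIN.
rule_present() {
    "$IPTABLES" -C "$@" 2>/dev/null
}

# ensure_rule CHAIN RULE... : append the rule only if it is absent.
# Plain -A on every run is what leaves chains full of duplicate rules.
ensure_rule() {
    rule_present "$@" || "$IPTABLES" -A "$@"
}

# ensure_rule_first CHAIN RULE... : same, but insert at position 1.
# iptables evaluates top-down, so a block rule must precede any ACCEPT.
ensure_rule_first() {
    rule_present "$@" || "$IPTABLES" -I "$@"
}

# remove_rule CHAIN RULE... : delete every copy of the rule and print how
# many were removed. -D deletes one match per call, so earlier duplicate -A
# runs need the loop.
remove_rule() {
    local n=0
    while rule_present "$@"; do
        "$IPTABLES" -D "$@" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Usage (as root): block a source ahead of every ACCEPT, later unblock it.
#   ensure_rule_first INPUT -s 203.0.113.5 -j DROP
#   remove_rule INPUT -s 203.0.113.5 -j DROP
#   ensure_rule INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
```

After changing rules this way, `service iptables save` (section IV) is still required, or the next restart reloads /etc/sysconfig/iptables and discards them.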
IV. Saving rules
/etc/sysconfig/iptables is the persistent ruleset.
service iptables save   (writes the running rules into that file)
cat /etc/sysconfig/iptables
systemctl restart iptables reloads the file; runtime changes that were not saved are lost.
iptables-save > /etc/sysconfig/iptables   (the same save done by hand)
iptables-restore < /etc/sysconfig/iptables
iptables-restore overwrites: every table named in the file is flushed and rebuilt from it, user-defined chains included (use -n/--noflush to keep the existing rules).