The filter table is the one used most often: with the ACCEPT, DROP and REJECT targets it defines what is allowed in and out and what is not.
Start from a plain Debian system with every firewall rule removed:
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 147K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67169 packets, 8344K bytes)
 pkts bytes target     prot opt in     out     source               destination
DROP all inbound ICMP packets arriving on eth0:
root@iptables:~# iptables -t filter -A INPUT -i eth0 -p icmp -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 7 packets, 508 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
 pkts bytes target     prot opt in     out     source               destination
Send three pings from outside to test; a tcpdump capture on the host shows the echo requests arriving:
root@iptables:~# tcpdump -i eth0 icmp -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:29:18.816586 fa:16:3e:92:36:49 > fa:16:3e:a8:79:61, ethertype IPv4 (0x0800), length 98: 10.77.16.2 > 10.77.38.115: ICMP echo request, id 12515, seq 1, length 64
14:29:19.816268 fa:16:3e:92:36:49 > fa:16:3e:a8:79:61, ethertype IPv4 (0x0800), length 98: 10.77.16.2 > 10.77.38.115: ICMP echo request, id 12515, seq 2, length 64
14:29:20.816250 fa:16:3e:92:36:49 > fa:16:3e:a8:79:61, ethertype IPv4 (0x0800), length 98: 10.77.16.2 > 10.77.38.115: ICMP echo request, id 12515, seq 3, length 64
REJECT all inbound ICMP packets arriving on eth0:
root@iptables:~# iptables -t filter -A INPUT -i eth0 -p icmp -j REJECT
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 7 packets, 508 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     icmp --  eth0   any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
 pkts bytes target     prot opt in     out     source               destination
Send three pings from outside again; this time the tcpdump capture on the host shows both a request and a reply, and on the pinging side the result looks like this:
$ ping -c 3 10.77.38.115
PING 10.77.38.115 (10.77.38.115) 56(84) bytes of data.
From 10.77.38.115 icmp_seq=1 Destination Port Unreachable
From 10.77.38.115 icmp_seq=2 Destination Port Unreachable
From 10.77.38.115 icmp_seq=3 Destination Port Unreachable

--- 10.77.38.115 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms
Next, narrow the rule further by source CIDR:
root@iptables:~# iptables -t filter -A INPUT -i eth0 -s 10.77.0.0/16 -p icmp -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 8 packets, 657 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  eth0   any     10.77.0.0/16         anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
For example, if nginx is running but access to port 80 is to be blocked, match on the destination port:
root@iptables:~# iptables -t filter -A INPUT -p tcp --dport 80 -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 17 packets, 1437 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 1148 bytes)
 pkts bytes target     prot opt in     out     source               destination
Test with telnet:
$ telnet 10.77.38.115 80
Trying 10.77.38.115...
^C
Several ports can be blocked in a single rule with the multiport match:
root@iptables:~# iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443,8080 -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 6 packets, 456 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             multiport dports http,https,http-alt

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 460 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now add TCP connection state: only the 10.77.0.0/16 network may reach the nginx HTTP service on this host (10.77.38.115), with only NEW and ESTABLISHED connections accepted inbound and only ESTABLISHED traffic accepted outbound:
root@iptables:~# iptables -t filter -A INPUT -s 10.77.0.0/16 -d 10.77.38.115 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
root@iptables:~# iptables -t filter -A OUTPUT -s 10.77.38.115 -d 10.77.0.0/16 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 32 packets, 2433 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     10.77.0.0/16         10.77.38.115         tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1716 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     10.77.38.115         10.77.0.0/16         tcp dpt:http state ESTABLISHED
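Listings like the ones above are worth checking mechanically rather than by eye: every chain still carries policy ACCEPT, so the two ACCEPT rules restrict nothing until a DROP policy or a final DROP rule exists, and the OUTPUT rule is keyed on dpt:http even though nginx's replies leave with source port 80. The Python below is an added example, not part of the original post; it parses `iptables -L -v` output (the sample is constructed from the last listing) and reports exactly those conditions plus rules whose counters have never moved.

```python
import re
# Constructed sample, not pasted output: the final `iptables -L -v` listing of this
# post restored to its multi-line form.
SAMPLE = """\
Chain INPUT (policy ACCEPT 32 packets, 2433 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     10.77.0.0/16         10.77.38.115         tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1716 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     10.77.38.115         10.77.0.0/16         tcp dpt:http state ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)$")

def _num(s):
    """iptables -L -v abbreviates large counters (147K, 18M in the first listing)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_iptables_lv(text):
    """Return {chain: {policy, pkts, bytes, rules}} parsed from `iptables -L -v` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            cur = chains[name] = {"policy": policy, "pkts": _num(pkts), "bytes": _num(byts), "rules": []}
        elif cur is not None and line.strip() and not line.lstrip().startswith("pkts"):
            cols = line.split(None, 9)  # 9 fixed columns; anything after is match-extension text
            pkts, byts, target, prot, opt, inp, out, src, dst = cols[:9]
            cur["rules"].append({"pkts": _num(pkts), "bytes": _num(byts), "target": target, "prot": prot,
                                 "in": inp, "out": out, "src": src, "dst": dst,
                                 "extra": cols[9] if len(cols) > 9 else ""})
    return chains

def permissive_chains(chains):
    """Chains whose policy is ACCEPT: ACCEPT rules inside them restrict nothing by themselves."""
    return sorted(n for n, c in chains.items() if c["policy"] == "ACCEPT")

def unhit_rules(chains):
    """Rules whose packet counter is still 0, i.e. no traffic has matched them yet."""
    return [(n, r["target"], r["extra"]) for n, c in chains.items() for r in c["rules"] if r["pkts"] == 0]

def output_rules_not_for_replies(chains, port="http"):
    """OUTPUT rules keyed on dpt:<port> match connections *to* that port; a local server's replies carry spt:<port>."""
    return [r["extra"] for r in chains.get("OUTPUT", {}).get("rules", []) if f"dpt:{port}" in r["extra"]]
```

Feed it the output of `iptables -L -v` on a real host and a non-empty result from the last three functions tells you which part of the intended policy is not actually in force.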