Iptables Filter

The filter table is the one you use most often: its ACCEPT, DROP and REJECT targets define which traffic is allowed in and which is not.

Start from a plain Debian system with no firewall rules loaded (all three filter chains empty, policy ACCEPT):

root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 147K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67169 packets, 8344K bytes)
 pkts bytes target     prot opt in     out     source               destination

DROP all inbound ICMP packets arriving on eth0:

root@iptables:~# iptables -t filter -A INPUT -i eth0 -p icmp -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 7 packets, 508 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
 pkts bytes target     prot opt in     out     source               destination

Send three pings from outside to test. tcpdump on the host still shows the echo requests: the packet capture tap sits before the netfilter INPUT hook, so a DROP rule never hides inbound packets from tcpdump. No echo reply is sent, and the sender simply times out.

root@iptables:~# tcpdump -i eth0 icmp -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:29:18.816586 fa:16:3e:92:36:49 > fa:16:3e:a8:79:61, ethertype IPv4 (0x0800), length 98: 10.77.16.2 > 10.77.38.115: ICMP echo request, id 12515, seq 1, length 64
14:29:19.816268 fa:16:3e:92:36:49 > fa:16:3e:a8:79:61, ethertype IPv4 (0x0800), length 98: 10.77.16.2 > 10.77.38.115: ICMP echo request, id 12515, seq 2, length 64
14:29:20.816250 fa:16:3e:92:36:49 > fa:16:3e:a8:79:61, ethertype IPv4 (0x0800), length 98: 10.77.16.2 > 10.77.38.115: ICMP echo request, id 12515, seq 3, length 64

REJECT all inbound ICMP packets arriving on eth0. The earlier DROP rule is removed first (the listing below shows only the new rule): rules are evaluated top to bottom and the first match wins, so with the DROP still in place the REJECT would never be reached.

root@iptables:~# iptables -t filter -A INPUT -i eth0 -p icmp -j REJECT
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 7 packets, 508 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     icmp --  eth0   any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
 pkts bytes target     prot opt in     out     source               destination

Send three pings from outside again. This time tcpdump on the host sees both a request and a reply, but the reply is not an echo reply: REJECT answers with an ICMP error, port-unreachable by default (the reject-with column in the listing), so the pinging side reports:

$ ping -c 3 10.77.38.115
PING 10.77.38.115 (10.77.38.115) 56(84) bytes of data.
From 10.77.38.115 icmp_seq=1 Destination Port Unreachable
From 10.77.38.115 icmp_seq=2 Destination Port Unreachable
From 10.77.38.115 icmp_seq=3 Destination Port Unreachable

--- 10.77.38.115 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms
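Seen from the probing side, the two targets differ only in what comes back: DROP is silence (ping reports 100% loss with no errors and the client waits out its timeout), REJECT is an ICMP error (here Destination Port Unreachable, counted by ping as +3 errors). The shell helper below is added here and is not part of the original post; it runs the probe and classifies the outcome from ping's output. The three sample outputs embedded in it are constructed, not captures: the drop and reject ones are modelled on the two runs above, the third is a reachable baseline.

```shell
#!/bin/sh
# Added example, not from the original post: probe a host and classify what the
# remote side observes behind a DROP or REJECT rule, using only ping's output.
# Outcomes: reachable | dropped | rejected | unknown

# Constructed sample outputs (modelled on the runs in the post plus a
# reachable baseline; these are not real captures).
SAMPLE_DROP='PING 10.77.38.115 (10.77.38.115) 56(84) bytes of data.

--- 10.77.38.115 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2031ms'

SAMPLE_REJECT='PING 10.77.38.115 (10.77.38.115) 56(84) bytes of data.
From 10.77.38.115 icmp_seq=1 Destination Port Unreachable
From 10.77.38.115 icmp_seq=2 Destination Port Unreachable
From 10.77.38.115 icmp_seq=3 Destination Port Unreachable

--- 10.77.38.115 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms'

SAMPLE_OK='PING 10.77.38.115 (10.77.38.115) 56(84) bytes of data.
64 bytes from 10.77.38.115: icmp_seq=1 ttl=64 time=0.312 ms
64 bytes from 10.77.38.115: icmp_seq=2 ttl=64 time=0.287 ms
64 bytes from 10.77.38.115: icmp_seq=3 ttl=64 time=0.301 ms

--- 10.77.38.115 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms'

# classify_ping TEXT: decide from ping's summary line.
classify_ping() {
    out="$1"
    # "N received" with N>0: echo replies came back, nothing filtered them.
    received=$(printf '%s\n' "$out" | sed -n 's/.* \([0-9][0-9]*\) received.*/\1/p' | head -n 1)
    # "+N errors" counts ICMP error messages such as the Destination Port
    # Unreachable a REJECT target sends (--reject-with picks the message).
    errors=$(printf '%s\n' "$out" | sed -n 's/.*+\([0-9][0-9]*\) errors.*/\1/p' | head -n 1)
    if [ -n "$received" ] && [ "$received" -gt 0 ]; then
        echo reachable
    elif [ -n "$errors" ] && [ "$errors" -gt 0 ]; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q '100% packet loss'; then
        # Total silence: a DROP target; only the timeout tells you anything.
        echo dropped
    else
        echo unknown
    fi
}

# probe_icmp TARGET: run the probe; -W 2 bounds the wait so a DROP fails fast.
probe_icmp() {
    out=$(ping -c 3 -W 2 "$1" 2>&1)
    classify_ping "$out"
}
```

Run it as probe_icmp 10.77.38.115 from the client side after each rule change; "dropped" versus "rejected" tells you which target is in effect without looking at the server. The per-reply timeout (-W) matters in scripts: against a DROP, ping would otherwise wait for the default timeout on every probe.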

Next, narrow the match with a source CIDR. Only ICMP from 10.77.0.0/16 is dropped; ICMP from any other source does not match and falls through to the chain policy, which is still ACCEPT:

root@iptables:~# iptables -t filter -A INPUT -i eth0 -s 10.77.0.0/16 -p icmp -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 8 packets, 657 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  eth0   any     10.77.0.0/16        anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination

Suppose nginx is running but access to port 80 should be blocked: match on the destination port. Note there is no -i here, so this rule applies on every interface, including lo.

root@iptables:~# iptables -t filter -A INPUT -p tcp --dport 80 -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 17 packets, 1437 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 1148 bytes)
 pkts bytes target     prot opt in     out     source               destination

Test with telnet. Because the target is DROP, the SYN is silently discarded and the client hangs at Trying until interrupted; with REJECT --reject-with tcp-reset it would fail immediately with Connection refused.

$ telnet 10.77.38.115 80
Trying 10.77.38.115...
^C

To block several ports with a single rule, use the multiport match: up to 15 ports, comma-separated, with ranges such as 8000:8100 also allowed.

root@iptables:~# iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443,8080 -j DROP
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 6 packets, 456 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             multiport dports http,https,http-alt

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 460 bytes)
 pkts bytes target     prot opt in     out     source               destination

Finally, add connection state: allow only the 10.77.0.0/16 range to reach the nginx HTTP service on this host (10.77.38.115), accepting inbound packets in state NEW or ESTABLISHED and outbound packets in state ESTABLISHED only. Two things to note about the commands below. First, both chains still have policy ACCEPT, so these ACCEPT rules change nothing on their own; they only decide anything once the chain policy is set to DROP (iptables -P INPUT DROP) or a DROP rule follows them. Second, the OUTPUT rule uses --dport 80, which matches traffic this host sends to port 80 on a remote machine (the host acting as an HTTP client); nginx's replies leave with source port 80, so the match for them is --sport 80. The -m state match still works but has been superseded by -m conntrack --ctstate.

root@iptables:~# iptables -t filter -A INPUT -s 10.77.0.0/16 -d 10.77.38.115 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
root@iptables:~# iptables -t filter -A OUTPUT -s 10.77.38.115 -d 10.77.0.0/16 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
root@iptables:~# iptables -L -v
Chain INPUT (policy ACCEPT 32 packets, 2433 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     10.77.0.0/16        10.77.38.115        tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1716 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     10.77.38.115        10.77.0.0/16        tcp dpt:http state ESTABLISHED
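The same policy written the way it should be deployed, as an added example that is not the original post's code: a complete filter table loaded with iptables-restore, with policy DROP so the ACCEPT rules actually decide something, the outbound nginx match corrected to --sport 80, and the loopback and ESTABLISHED rules needed to keep the box usable. The SSH rule and port 22 are assumptions; the page never says how the host is administered. Run as root. apply_filter_table parse-checks the table with iptables-restore --test before loading it.

```shell
#!/bin/sh
# Added example, not from the original post: the policy from the last step as a
# complete filter table for iptables-restore, so it loads atomically and in a
# fixed order. Assumptions (not stated on the page): the host is administered
# over SSH on tcp/22 from the same trusted range, and it serves nothing else.

NGINX_HOST="10.77.38.115"     # the host's own address, from the listings
TRUSTED_NET="10.77.0.0/16"    # the only range allowed to reach nginx
SSH_PORT="22"                 # assumed management port

# Print the table. Default policy DROP on every chain: the ACCEPT rules on the
# page do nothing while the policy is ACCEPT.
render_filter_table() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must always pass or local services (health checks, resolvers) break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot associate with any flow.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Follow-up packets of connections accepted below; one rule covers all services.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Echo requests from the trusted range only (the replies are ESTABLISHED in OUTPUT).
-A INPUT -i eth0 -s ${TRUSTED_NET} -p icmp --icmp-type echo-request -j ACCEPT
# Management access (assumed): new SSH connections from the trusted range.
-A INPUT -s ${TRUSTED_NET} -d ${NGINX_HOST} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# The page's rule. Only NEW is needed here; ESTABLISHED is already accepted above.
-A INPUT -s ${TRUSTED_NET} -d ${NGINX_HOST} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Refuse everything else explicitly: TCP gets a RST so clients fail fast,
# the rest gets port-unreachable. The DROP policy stays as the safety net.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# nginx replies leave with SOURCE port 80, so the outbound match is --sport 80
# (the page's --dport 80 would match this host acting as an HTTP client).
# Listed before the generic rule so its counters show nginx reply traffic alone.
-A OUTPUT -s ${NGINX_HOST} -d ${TRUSTED_NET} -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Replies for everything else accepted in INPUT (SSH, ICMP echo). The host
# originates no connections of its own; add explicit rules if it must (DNS, apt).
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Parse-check the table without touching the kernel, then load it in one shot.
apply_filter_table() {
    tmp=$(mktemp) || return 1
    render_filter_table >"$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
        rc=$?
    else
        echo "ruleset failed to parse, nothing applied" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Count the rules rendered for one chain (quick sanity check of the output).
rules_in_chain() {
    render_filter_table | grep -c "^-A $1 "
}
```

Because iptables-restore replaces the whole table in one transaction, the ordering problems of appending rules one at a time with -A (a DROP placed before a REJECT that is then never reached, as in the ICMP steps above) do not arise, and re-running the script is idempotent. Before switching the policy to DROP on a remote machine, keep a second session open or schedule a flush (for example with at) so a mistake in the SSH rule does not lock you out.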
