56 iptables (三)
2016-11-18 本文已影响136人
StarShift
IPtables 常用命令
- 查看防火墙的状态
iptables -L -n -v --line-numbers
- 启动/停止/重启防火墙
# service iptables stop
# service iptables start
# service iptables restart
- 插入规则
iptables -I INPUT 2 -s 202.54.1.2 -j DROP
- 查找一条规则
iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
一些例子
#清除所有规则(慎用)
iptables -F
iptables -X
iptables -Z
#查看iptable和行号
iptables -nL --line-number
#保存当前防火墙配置
service iptables save
#手动编辑防火墙策略
vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Jul 24 09:42:09 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#开放本地和Ping
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
#配置内网白名单
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
#配置外网白名单
-A INPUT -s 180.168.36.198 -j ACCEPT
-A INPUT -s 180.168.34.218 -j ACCEPT
-A INPUT -s 222.73.202.251 -j ACCEPT
#控制端口
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
#拒绝其它
-A INPUT -j DROP
-A FORWARD -j DROP
#开放出口
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jul 24 09:40:16 2015
#重启生效
service iptables restart
#复查结果
iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
5 ACCEPT all -- 172.16.0.0/12 0.0.0.0/0
6 ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
7 ACCEPT all -- 180.168.36.198 0.0.0.0/0
8 ACCEPT all -- 180.168.34.218 0.0.0.0/0
9 ACCEPT all -- 222.73.202.251 0.0.0.0/0
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
12 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
一个脚本
#!/bin/bash
#0 0 * * * /root/start_iptables.sh
#清除配置
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
#开放本地和Ping
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
#配置内网白名单
/sbin/iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
#配置外网白名单
/sbin/iptables -A INPUT -s 180.168.36.198 -j ACCEPT
/sbin/iptables -A INPUT -s 180.168.34.218 -j ACCEPT
/sbin/iptables -A INPUT -s 222.73.202.251 -j ACCEPT
#控制端口
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#拒绝其它
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -j DROP
#开放出口
/sbin/iptables -A OUTPUT -j ACCEPT
chmod 755 /root/start_iptables.sh
crontab -e
0 0 * * * /root/start_iptables.sh
iptables 实现端口转发
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.125.128 --dport 8124 -j DNAT --to 192.168.125.129:8123
iptables -A FORWARD -o eth0 -d 192.168.125.129 -p tcp --dport 8123 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.125.129 -p tcp --sport 8123 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.125.129 -p tcp --dport 8123 -j SNAT --to 192.168.125.128
vim /etc/sysctl.conf
root@ubuntu:~# sysctl -p
net.ipv4.ip_forward = 1
