Last updated: 2019-09-19
How it works
iptables works by setting rules on a "table" that filter network packets.
Netfilter has 3 default tables, NAT, FILTER and MANGLE,
which can be understood as the corresponding Netfilter functions.
A rule consists of a match and a target:
the match is the filtering condition, the target is what to do with the packet.
Every table has its own hook points, but a single hook point can belong to several tables,
in other words, different tables may share the same hook points.
A hook point can be seen as an interception point on the network path; a packet must pass through them to reach its "destination".
The interception points sit at the entry and exit of the network card and of the local host; the exception is FORWARD,
which is the bypass between the network card and the local host and does the routing.
Contents
- Hook Points
- Number of rules
- Modules
- Extension modules
- Everything starts with looking
- Listing the tables
- Policy and Target
- local port range
- state and Conntrack
- Using iptables on Debian
- Basic operations
- Creating a custom chain
- Ping
- Share Network (MASQUERADE)
- SNAT and Masquerade
- Accounting
- port redirect
- Time restrictions
- Content filtering
- Quota
- Load balancing
- owner
- ippool
- Connection state
- Multiple ports and IPs
- Negation
- Adding a remark to a rule
- TCP filter options
- Linux as a router
- iptables-save and iptables-restore
- iptables frontends
- Block Some IP
- Block Some Port
- helper
- jump and goto
- loopback
- Target: MARK
- DNS tools
Hook Points
There are five hook points: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
On the command line they must be written in upper case.
NAT table:
  in --> PREROUTING --> [routing] -------------------> POSTROUTING --> out
                            |                              ^
                            v                              |
                      local process ---------> OUTPUT -----+
FILTER table:
  in --> [routing] --> INPUT --> local process --> OUTPUT --> out
             |
             +-------> FORWARD ----------------------------> out
MANGLE table:
  in --> PREROUTING --> [routing] --> INPUT --> local process --> OUTPUT --> POSTROUTING --> out
                            |                                                   ^
                            +-------> FORWARD ----------------------------------+
The 5 hooks:
- PREROUTING and POSTROUTING are the first and last stop when entering or leaving the "network card",
- INPUT and OUTPUT are the first and last stop when entering or leaving the "local host",
- FORWARD bypasses the local host.
The system groups the tables by hook point and processes the mangle, nat and filter rules in order.
For example, when a packet reaches the INPUT hook point, both filter and mangle have this hook point,
so the packet goes through the mangle rules first and then the filter rules.
So the tables have an order:
mangle -> nat -> filter
Number of rules
Depends on how much memory the host has.
If conntrack is in use, net.netfilter.nf_conntrack_max matters too.
Default:
net.netfilter.nf_conntrack_max = 65536
Modules
# Debian 9
lsmod | grep tables
ebtables               36864  1 ebtable_filter
ip6_tables             28672  1 ip6table_filter
ip_tables              24576  3 iptable_mangle,iptable_filter,iptable_nat
x_tables               36864 12 xt_multiport,ipt_REJECT,iptable_mangle,ip_tables,ebtables,iptable_filter,xt_tcpudp,ipt_MASQUERADE,xt_CHECKSUM,ip6table_filter,xt_conntrack,ip6_tables
Extension modules
iptables itself only comes with filtering on the IP protocol;
to add other match conditions (features), such as TCP, UDP, ICMP and so on, extra modules have to be loaded.
Loading a module:
modprobe ipt_limit    <--- found under /lib/iptables/
Once loaded it can be used.
Usage:
-p or --protocol
-m or --match
i.e.
iptables ... -m connlimit ...
A single rule can use several modules:
iptables .... -m limit -m icmp ...
P.S.
TCP and UDP are loaded with -p tcp and -p udp.
On older systems there may be no nf_conntrack; then ip_local_port_range becomes very important.
Everything starts with looking
iptables -L -v
iptables -L --line-numbers
iptables -L -t nat
iptables -t nat -L PREROUTING
Listing the supported features:
cat /proc/net/ip_tables_*
- ip_tables_matches
- ip_tables_targets
- ...
Listing the tables
cat /proc/net/ip_tables_names
nat filter
Policy and Target
When a packet matches none of the rules in a table, the system handles it with the Policy (ACCEPT/DROP).
By default the policy is ACCEPT on the Input, Forward and Output hook points.
The user can also set another policy, such as RETURN.
* A policy only applies to built-in chains (chains created with -N cannot have a policy).
ACCEPT passes the packet on to the next stage (table, hook point).
DROP discards the packet.
REJECT sends back an error packet in response (ICMP) (--reject-with type; the default type is icmp-port-unreachable)
type:
- no-route
- addr-unreach
- port-unreach (default)
- tcp-reset (tcp connection only)
* Apart from the targets above, any other way of handling packets requires an extension module. Other targets include QUEUE, RETURN, LOG and ULOG.
QUEUE
Hands the packet to a userspace program for processing (libipq).
RETURN
In a user-defined chain, go back to the chain that called it; in a built-in chain, the Policy decides.
RETURN has the same effect of falling off the end of a chain: for a rule in a built-in chain, the policy of the chain is executed. For a rule in a user-defined chain, the traversal continues at the previous chain, just after the rule which jumped to this chain.
ROUTE
Re-sends the packet without going through the system routing table; used at the PREROUTING point of the mangle table.
An init script's stop() that flushes the rules and resets all policies to ACCEPT looks like this:
stop() {
    echo "DANGER: Unloading firewall's Packet Filters!"
    $IPTABLES --flush
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
}
local port range
cat /proc/sys/net/ipv4/ip_local_port_range
Default: 32768 ~ 61000
Change immediately:
echo "25000 65000" > /proc/sys/net/ipv4/ip_local_port_range
In sysctl.conf (no quotes around the value):
net.ipv4.ip_local_port_range = 30000 65000
state and Conntrack
Allowing Established Sessions
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
OR
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
state: this module is simpler (and maybe less error prone). It has also been in the kernel longer.
( connection tracking state for packet )
conntrack: the conntrack extension superseded state
( connection tracking state for packet/connection )
man iptables-extensions:
--ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT]
Without conntrack the following 3 rules cannot be used:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
so instead the ephemeral port range has to be opened:
iptables -A INPUT -p tcp --dport 32768:61000 -j ACCEPT
iptables -A INPUT -p udp --dport 32768:61000 -j ACCEPT
(this stateless fallback accepts any inbound packet to those ports, not only replies to connections the host opened)
Using iptables on Debian
Method 1:
Put a finished script into the rc.d directory so it is run automatically at boot.
Method 2:
// save the rules currently loaded in iptables
# iptables-save > /root/dsl.fw
// load the rules automatically in the interface's post-up
# vi /etc/network/interfaces
# post-up iptables-restore < /root/dsl.fw
Method 3:
Install a firewall management tool such as shorewall.
Basic operations
Listing rules
--list [chain [rulenum]] ( -L )
Extra options:
with --verbose (-v) you also get the counter statistics and the interface,
and --line-numbers shows the rule numbers.
List Specific Chain
# -S, --list-rules [chain]
# Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save.
iptables -S Block53
Adding, deleting and replacing rules
Adding a rule ( -A / -I )
--append <chain> ( -A )              # append the rule at the end of the chain
--insert <chain> [rulenum] ( -I )    # insert the rule before rulenum; without a number it is inserted at the head of the chain ( 1 )
Deleting a rule
-D <chain> <rulenum>
-D <chain> <rule-specification>
i.e. suppose rules 16 and 17 are to be deleted
iptables -D INPUT 16
iptables -D INPUT 17
Output:
iptables: Index of deletion too big.
The error is expected, because after the first delete rule 17 has become rule 16 !! Delete the higher-numbered rule first (17, then 16), or delete by rule specification.
i.e.
iptables -D INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
The full specification must be given for the delete to work !! The original rule was "iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN"
Replacing
( -R ) --replace <chain> <rulenum>
rulenum counts from 1
Clearing
(-F) --flush [chain]     delete all rules in the chain (all chains if none is given)
(-Z) --zero [chain]      reset the counters on the table
When no rule matches
--policy <chain> <target>
Conditions
(-p) --proto <proto>                          // tcp | udp | icmp | all
(-s) --source address[/mask] | ip1,ip2....
(-d) --destination address[/mask]
(-i) --in-interface <name>
(-o) --out-interface <name>
Action
--jump ( -j ) <target>
<< Others >>
--numeric ( -n )    show port numbers (and addresses) numerically
--table ( -t )      the table to add the rule to; the default is the Filter table
Creating a custom chain
# Create a new user-defined chain
-N chain
# Delete chain (the chain must be empty and not referenced, so run "iptables -F CHAIN" before deleting the chain)
-X chain
Example:
Script: blockip53.sh
#### DNS
# the original two lines are commented out
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
#-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-N Block53
-A INPUT -p udp --dport 53 -m state --state NEW -j Block53
-A INPUT -p tcp --dport 53 -m state --state NEW -j Block53
-A Block53 -j ACCEPT
Setting: /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
Ping
Packet
type | code | checksum | identifier | sequence number | variable data
ping example
PING 8.8.8.8 (8.8.8.8): 56 data bytes
56 data bytes <= variable data (data padding)
No Ping:
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
--icmp-type N
- 0 reply <-- the ping reply (echo-reply)
- 8 echo <-- accepting a ping (echo-request)
Many of these ICMP types have a "code" field. Here we list the types
again with their assigned code fields.
For example, type 8 (echo-request) and type 0 (echo-reply) only have code 0 (No Code).
Limit Ping: limit module
iptables -A INPUT -p icmp -m limit --limit 2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
Share Network (MASQUERADE)
Same as the SNAT target, but it does not require any --to-source option; it should be combined with "-o".
Advantage: it works even without a static WAN IP (i.e. DHCP connections).
* The MASQUERADE target also has the effect that connections are forgotten when an interface goes down.
# simple form
# "-s 192.168.200.0/24" is not required
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
# with several WAN IPs
# to go out through one particular WAN IP (x.x.x.x), SNAT is the only option
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.x.x.x
Kernel Allow IPv4 forward
cat /proc/sys/net/ipv4/ip_forward
1
Notes:
# FORWARD rules are needed, because
iptables -nL | grep FORWARD
Chain FORWARD (policy DROP)
i.e. VPN
WAN(eth0)<--->LAN(tap0)
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
iptables -A FORWARD -j DROP
(the first rule also lets new connections from the WAN into the LAN; add a state match if only replies should pass)
i.e. LXC
# Masquerade
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i lxcbr0 -o eth0 -s 192.168.200.0/24 -j ACCEPT
Advanced use (--to-ports)
# specify the range for port mapping
# By default MASQUERADE (like SNAT) tries to retain the original port of the machine establishing the connection.
# But of course, if two hosts use the same one then it will have to choose another one for the second host.
iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 31000-40000
Example
*filter
...
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -s 192.168.200.0/24 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forwarding(http, https)
-A PREROUTING -p tcp ! -s 192.168.200.0/24 --dport 80 -j DNAT --to-destination 192.168.200.34:80
-A PREROUTING -p tcp ! -s 192.168.200.0/24 --dport 443 -j DNAT --to-destination 192.168.200.34:443
# Internet
-A POSTROUTING -s 192.168.200.0/24 -o ens5 -j MASQUERADE
COMMIT
SNAT and Masquerade
SNAT (source network address translation) is very similar to Masquerade and is especially important when several PCs share one broadband line !!!
SNAT usage:
-j SNAT --to-source add1[-add2][:p1[-p2]]    <-- when a range is given, the address is allocated randomly
- connections stay open/active and continue on when the link returns
Example:
# eth0 is the interface connected to the internet, and internet_ip is the IP address on that interface
# this command rewrites the internal addresses (e.g. 192.168.x.x) of packets passing the gateway (this host)
# into the internet address (e.g. 61.244.117.184)
# it can be used for 1:1 mapping
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to <internet_ip>
MASQUERADE:
- MASQUERADE automatically chooses the address
- MASQUERADE forgets old connections when the interface goes down
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
Check:
sysctl net.ipv4.ip_forward
Write:
sysctl -w net.ipv4.ip_forward=1
Temp:
echo "1" > /proc/sys/net/ipv4/ip_forward
Accounting
Accounting means counting the number and size of packets going in and out,
namely the byte counter and the packet counter.
Example:
iptables -A INPUT -i eth0
iptables -A OUTPUT -o eth0
// each rule keeps its own counters (a rule without -j only counts and does not change the packet's fate)
DNAT
DNAT is also called Port Forward, or colloquially "opening a port".
It translates the destination IP and port, and is especially important when several PCs share one broadband line !!!
Usage:
--to-destination a1[-a2][:p1[-p2]]
Example:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9080 \
    -j DNAT --to-destination 192.168.200.21:9080
Remark
# the FORWARD chain must also let the translated traffic through
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -p tcp --dport 9080 -j ACCEPT
Port Redirect
Example:
iptables -t nat -A PREROUTING -p tcp --dport 1025:1030 -j REDIRECT --to-port 25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
Below is the result as shown by iptables-save
/etc/sysconfig/iptables:
...........................................
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 1025:1030 -j REDIRECT --to-ports 25
COMMIT
Time restrictions
Options of the time match (-m time):
--timestart <time>
--timestop <time>
--days wd_list
wd_list: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Content filtering
--string <string>
i.e.
# if the string is split across two packets, the system will not catch it
iptables -A INPUT -m string --string ".pdf" --algo bm -j QUEUE
Quota
--quota N    # unit: byte
i.e.
# accept only the first 20 bytes of traffic to port 80, then DROP the rest
iptables -A INPUT -p tcp --dport 80 -m quota --quota 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Load balancing
incoming:
Load balancing in iptables is done by handing packets out to different servers.
Example: spread http packets evenly across 3 servers
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -m nth --every 3 --packet 0 -j DNAT --to-destination 192.168.123.201
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -m nth --every 3 --packet 1 -j DNAT --to-destination 192.168.123.202
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -m nth --every 3 --packet 2 -j DNAT --to-destination 192.168.123.203
--every <n>     every n packets form a group
--packet <n>    the (n+1)-th packet in the group
outgoing:
done with the statistic module
This module matches packets based on some statistic condition.
It supports two distinct modes settable with the --mode option.
Supported options:
--mode mode
    Set the matching mode of the matching rule, supported modes are random and nth.
--probability p
    Set the probability from 0 to 1 for a packet to be randomly matched.
    It works only with the random mode.
--every n
    Match one packet every nth packet. It works only with the nth mode (see also the --packet option).
--packet p
    Set the initial counter value (0 <= p <= n-1, default 0) for the nth mode.
Plan 1 (nth mode):
# each rule has its own counter and only sees the packets the rules above it did not take,
# so the first rule takes every 3rd packet, the second every 2nd of the rest, and the last rule takes the remainder
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source <IP1>
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source <IP2>
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -j SNAT --to-source <IP3>
Plan 2 (random mode):
# the probabilities rise (1/5, 1/4, 1/3, 1/2, 1) because each rule only sees what the rules above it let through
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode random --probability 0.2 -j SNAT --to-source <IP>
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode random --probability 0.25 -j SNAT --to-source <IP>
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode random --probability 0.33 -j SNAT --to-source <IP>
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode random --probability 0.5 -j SNAT --to-source <IP>
-A POSTROUTING -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 \
    -m statistic --mode random --probability 1 -j SNAT --to-source <IP>
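The arithmetic behind both outgoing plans, as an added example that is not part of the original page: it derives the --probability cascade for any number of SNAT targets, checks by exact arithmetic that every target gets the same share, simulates the per-rule counters of nth mode, and renders the rules. The target addresses, port and interface are constructed.

```python
# Added example (not from the page): statistic-match values for n outgoing
# SNAT targets. In random mode rule i of n must take 1/(n-i) of the packets
# that reach it; in nth mode rule i uses --every n-i and the last rule matches
# unconditionally. Both follow from one fact: SNAT is terminating, so a rule
# only sees (and only counts) packets the rules above it did not take.
from fractions import Fraction
from typing import List

def cascade_probabilities(n: int) -> List[Fraction]:
    """--probability for each of n rules; the last one is always 1."""
    if n < 1:
        raise ValueError("need at least one target")
    return [Fraction(1, n - i) for i in range(n)]

def share_per_rule(probs: List[Fraction]) -> List[Fraction]:
    """Share of all packets each rule finally matches (SNAT terminates)."""
    remaining, shares = Fraction(1), []
    for p in probs:
        shares.append(remaining * p)
        remaining *= 1 - p
    return shares

def simulate_nth(n: int, packets: int) -> List[int]:
    """Packets per rule for the nth cascade (--every n, n-1, ..., 2, then a
    catch-all). Each rule keeps its own counter and matches when it wraps."""
    if n < 1:
        raise ValueError("need at least one target")
    every = [n - i for i in range(n - 1)]
    counters = [0] * len(every)
    hits = [0] * n
    for _ in range(packets):
        for i, e in enumerate(every):
            counters[i] = (counters[i] + 1) % e
            if counters[i] == 0:
                hits[i] += 1
                break
        else:
            hits[n - 1] += 1          # fell through to the unconditional rule
    return hits

def render_random_rules(ips: List[str], dport: int = 25, oif: str = "eth0") -> List[str]:
    """iptables-restore lines for the random-mode cascade (plan 2, generalised)."""
    base = f"-A POSTROUTING -o {oif} -p tcp -m state --state NEW -m tcp --dport {dport}"
    return [
        f"{base} -m statistic --mode random --probability {float(p):.4f} -j SNAT --to-source {ip}"
        for ip, p in zip(ips, cascade_probabilities(len(ips)))
    ]

if __name__ == "__main__":
    # constructed documentation-range addresses
    for line in render_random_rules(["203.0.113.1", "203.0.113.2", "203.0.113.3"]):
        print(line)
    print(simulate_nth(3, 300))
```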
owner
Filter on the owner of the packet, to pick out certain packets (only usable on locally generated packets, i.e. in the OUTPUT and POSTROUTING chains)
--gid-owner gid
--pid-owner pid
--uid-owner uid
--sid-owner sid
// icmp packets have no owner
ippool
Tool: ippool
/etc/ippool.conf
Connection state
Connection state is provided by the ip_conntrack module of iptables.
Example:
# eth0 is connected to the internet
# NEW: people on the Internet may not initiate connections inwards
iptables -A FORWARD -m state --state NEW -i eth0 -j DROP
A packet can be in one of 4 states:
- NEW           a newly created connection (syn)
- ESTABLISHED   an established connection (Server and Client have completed the three way handshake)
- RELATED       a connection related to an existing one, such as ftp's ports 20 and 21
- INVALID       a packet that cannot be associated with any known connection
Total number of connections that can be tracked: /proc/sys/net/ipv4/ip_conntrack_max
Multiple ports and IPs
All IP:
- 0/0 = All
range IP:
- -s 192.168.0.0/24
- -s 192.168.0.0/255.255.255.0
multiple IPs:
- -s IP1,IP2
iprange:
- -m iprange --src-range 192.168.1.100-192.168.1.200
- --dst-range
range Port:
- --dport 9001:9020
multiple ports:
- -m multiport --sports port,port    <-- this needs the module loaded !!, up to 15 ports
Negation
" ! " in iptables means the opposite: it negates the match that follows it
Adding a remark to a rule
Syntax
... -m comment --comment "..." ...
i.e. see blockip.sh under Block Some IP below
TCP filter options
port
- --dport p1:p2
- --sport p1:p2
flags
- --syn
- --tcp-flags <string>
--tcp-flags [!] examine must_be_set    # comma-separated
The first argument: the flags which we should examine
The second argument: flags which must be set.
Flags are: SYN ACK FIN RST URG PSH ALL NONE
i.e.
# will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
[!] --syn
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits cleared.
Such packets are used to request TCP connection initiation;
--syn is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN
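How the mask/comp pair of --tcp-flags and the --syn shorthand are evaluated as bit operations, as an added example (not code from the page or from iptables). The bit values extend the FIN=0x01, SYN=0x02 list below with the remaining TCP control bits in header order; only the examined bits are compared, so bits outside the mask (e.g. PSH) never affect the result.

```python
# Added example (not from the page): --tcp-flags examine must_be_set as a
# mask/compare, plus the --syn shorthand, on the TCP control-bit values.
from typing import Iterable

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flag_list(spec: str) -> int:
    """Turn 'SYN,ACK,FIN,RST', 'ALL' or 'NONE' into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        mask |= TCP_FLAGS[name]
    return mask

def tcp_flags_match(packet_flags: int, examine: str, must_be_set: str, invert: bool = False) -> bool:
    """--tcp-flags examine must_be_set: look only at the examined bits and
    require exactly the must_be_set ones to be on; '!' inverts the result."""
    mask, comp = parse_flag_list(examine), parse_flag_list(must_be_set)
    matched = (packet_flags & mask) == comp
    return matched != invert

def syn_match(packet_flags: int) -> bool:
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")

def flags_of(names: Iterable[str]) -> int:
    """Build a packet's flag byte from flag names (constructed test input)."""
    return parse_flag_list(",".join(names)) if names else 0

if __name__ == "__main__":
    for pkt in (["SYN"], ["SYN", "ACK"], ["SYN", "PSH"], []):
        print(pkt, "--syn matches:", syn_match(flags_of(pkt)))
```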
< UDP filter options >
* UDP has no flags
--dport p1:p2
--sport p1:p2
< Common TCP flag combinations >
Connection setup:
---SYN--->
<---ACK-SYN---
---ACK--->
Disconnect:
---RST--->
<---ACK-RST---
--ACK-FIN-->
flag:
0x00 NULL
0x01 FIN
0x02 SYN
0x03 FIN-SYN
< TCP header structure >
The TCP header is at least 20 bytes (fixed-format part + optional part)
 0                                  16                                 32
 <----------------------------------|---------------------------------->
 |          Source port             |        Destination port          |
 |                        Sequence number                              |
 |                     Acknowledgment number                           |
 | Data offset | Reserved | Control bits |           Window            |
 |           Checksum               |         Urgent pointer           |
 |                              Data                                   |
Control Bits: 6 bits (from left to right):
URG: Urgent Pointer field significant
ACK: Acknowledgment field significant
PSH: Push Function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender
The checksum also covers a 96-bit pseudo header:
Source Address, Destination Address, Protocol, TCP length.
TCP Length is the TCP header
< IP header structure >
 0        4        8               16                                 32
 <----------------------------------|---------------------------------->
 | Ver | IHL |   TOS   |                Total length                   |
 |        Identification           | Flags |     Fragment offset       |
 |   TTL   |  Protocol |               Header checksum                 |
 |                          Source address                             |
 |                        Destination address                          |
 |                              Data                                   |
Linux as a router
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# set a larger connection tracking table
echo 40000 > /proc/sys/net/ipv4/ip_conntrack_max
# look at the contents of the connection tracking table (not readable by eye ~)
cat /proc/net/ip_conntrack
After that the system routes according to the routing table ~
If you are in a large network and want to save yourself the trouble, try quagga to lighten the load
quagga - BGP/OSPF/RIP routing daemon
vi /etc/quagga/ripd.conf
hostname debian               // this just sets the router's hostname
password linux1               // set your own password!
router rip                    // enable the router's RIP function
network 192.168.0.0/24        // listen on this network!
network eth0                  // listen on this interface
network 192.168.10.0/24       // listen on this network!
network eth1                  // listen on this interface
version 2                     // run RIPv2
log stdout                    // log directly to standard output
/etc/init.d/ripd start
iptables-save and iptables-restore
iptables-save:
prints all the rules on the system to stdout
Options:
- --counter    also output the recorded packet / byte counters
- --table      only save the rules of one table
Output format:
# Comments
*<table-name>
:<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]
<rules, one "-A <chain> ..." line each>
COMMIT
(for comparison, the iptables -L view of the same empty chains:)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Even without "--counter", the numbers in ":OUTPUT ACCEPT [265:31500]" still go up.
iptables-restore:
Imports the rules exported by the iptables-save command;
the important option is --noflush, which means the existing rules are not flushed before the data is imported.
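A parser for the iptables-save format described above, added here as an example (not code from the page or from iptables); it lets a saved rule set be audited offline, for instance to list which built-in chains still have an ACCEPT policy. The sample text at the bottom is constructed.

```python
# Added example (not from the page): parse iptables-save output into
# {table: {chain: SavedChain}} and run a simple audit over it.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")

@dataclass
class SavedChain:
    policy: Optional[str]          # None for user-defined chains (saved as "-")
    packets: int
    nbytes: int
    rules: List[str] = field(default_factory=list)

def parse_iptables_save(text: str) -> Dict[str, Dict[str, SavedChain]]:
    """Return the tables found in `text`; raise ValueError on malformed input."""
    tables: Dict[str, Dict[str, SavedChain]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):         # comments are ignored
            continue
        if line.startswith("*"):                     # "*filter": a table starts
            current = line[1:]
            tables[current] = {}
            continue
        if current is None:
            raise ValueError(f"line outside a table: {line}")
        if line == "COMMIT":                         # table block ends
            current = None
            continue
        m = CHAIN_RE.match(line)                     # ":INPUT DROP [pkts:bytes]"
        if m:
            name, policy, pkts, byts = m.groups()
            tables[current][name] = SavedChain(None if policy == "-" else policy, int(pkts), int(byts))
            continue
        if line.startswith("-A "):                   # rule appended to a chain
            chain = line.split()[1]
            if chain not in tables[current]:
                raise ValueError(f"rule for undeclared chain {chain}")
            tables[current][chain].rules.append(line)
            continue
        raise ValueError(f"unrecognised line: {line}")
    if current is not None:
        raise ValueError(f"table {current} has no COMMIT")
    return tables

def chains_with_policy(tables: Dict[str, Dict[str, SavedChain]], policy: str) -> List[str]:
    """Audit helper: 'table/chain' names whose built-in policy equals `policy`."""
    return [f"{t}/{c}" for t, chains in tables.items() for c, ch in chains.items() if ch.policy == policy]

SAMPLE = """# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [265:31500]
:BANNED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j BANNED
-A BANNED -s 203.0.113.7/32 -m comment --comment "spam" -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
```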
iptables frontends
shorewall:
ferm:
chain INPUT {
    policy DROP;
    mod state state (RELATED ESTABLISHED) ACCEPT;
    proto tcp dport (http ftp ssh) ACCEPT;
}
Block Some IP
/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BANNED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
-A BANNED -j ACCEPT
blockip.sh
#!/bin/bash
# Usage ./blockip.sh IP REMARK
iptables -m comment --comment "$2" -I BANNED -s "$1" -j DROP
Remark
* a custom chain cannot have a policy, because it must RETURN, so "-" is written there
iptables -nL
Chain BANNED (1 references)
...
* rules must be added with "-I", because the ACCEPT sits at the bottom of BANNED and a DROP appended after it would never be reached
Block Some Port
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# WWW
iptables -N Block80
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j Block80
iptables -A Block80 -j ACCEPT
# Block IP (inserted with -I so they come before the ACCEPT at the end of Block80)
iptables -I Block80 -s 44.0.0.0/16 -j DROP
iptables -I Block80 -s 46.0.0.0/16 -j DROP
helper
# Connection tracking module
- nf_conntrack
connection's states:
- RELATED - assigned to a packet that is initiating a new connection and which has been "expected";
Connection tracking helpers
- nf_conntrack_ftp
- nf_nat_ftp
nf_conntrack_ftp:
connection tracking can be given knowledge of application-layer protocols;
the first packet of an FTP data connection will be classified as "related" instead of "new", as it is logically part of an existing connection.
The helpers only inspect one packet at a time, so if vital information for connection tracking is split across two packets,
either due to IP fragmentation or TCP segmentation, the helper will not necessarily recognize patterns and therefore not perform its operation.
Centos6 (in /etc/sysconfig/iptables-config)
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack"
DOC
http://en.wikipedia.org/wiki/Netfilter
jump and goto
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it.
The target can be a user-defined chain (other than the one this rule is in),
one of the special builtin targets which decide the fate of the packet immediately,
or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used),
then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
-g, --goto chain
This specifies that the processing should continue in a user specified chain.
Unlike the --jump option, return will not continue processing in this chain but instead in the chain that called us via --jump.
Explanation
After returning from IN_ZONE_public (entered with -g) ... (2)
processing does not continue with the next rule of the chain that did the goto ... (X)
but goes straight back to the upper-level chain that did the -j ... (1)
and then continues with the rules after that jump ... (4)
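A small model of chain traversal, added here as an example (not code from the page or from netfilter), covering the Policy and Target section above (ACCEPT/DROP end the walk, RETURN or falling off the end goes back to the caller, a built-in chain falls back to its policy) and the -j versus -g difference described in this section. The chains SSH_IN and SSH_LAN, the predicates and the packets are constructed.

```python
# Added example (not from the page): a model of how netfilter walks one
# table's chains: ACCEPT/DROP end traversal, RETURN or falling off the end
# goes back to the caller, a built-in chain falls back to its policy, and
# -j resumes after the jump while -g returns to whoever jumped to us.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
Packet = Dict[str, object]

@dataclass
class Rule:
    match: Callable[[Packet], bool]   # stands in for the -p/-s/--dport matches
    target: Optional[str] = None      # ACCEPT, DROP, RETURN, a chain name, or None
    goto: bool = False                # True models -g, False models -j

@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None      # only built-in chains carry a policy

def traverse(chains: Dict[str, Chain], name: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """Walk one chain; return ACCEPT/DROP, or None if the packet fell off the end."""
    for rule in chains[name].rules:
        if not rule.match(pkt):
            continue
        trace.append(f"{name}:{rule.target}")
        if rule.target is None:       # no -j/-g: only the counters change
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":   # same effect as falling off the end
            return None
        verdict = traverse(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
        if rule.goto:                 # -g: the callee fell off, so do we
            return None
        # -j: resume with the rule after the jump
    return None

def decide(chains: Dict[str, Chain], entry: str, pkt: Packet):
    """Entry chain is built-in: its policy applies when nothing decided the packet."""
    trace: List[str] = []
    verdict = traverse(chains, entry, pkt, trace)
    return (verdict or chains[entry].policy), trace

# Constructed sample rule set: INPUT jumps (-j) to SSH_IN for port 22; SSH_IN
# does a goto (-g) to SSH_LAN for 192.168.* sources and drops everything else.
CHAINS = {
    "INPUT": Chain(policy="DROP", rules=[
        Rule(lambda p: p["dport"] == 22, "SSH_IN"),
        Rule(lambda p: p["dport"] in (22, 80), "ACCEPT"),
    ]),
    "SSH_IN": Chain(rules=[
        Rule(lambda p: str(p["src"]).startswith("192.168."), "SSH_LAN", goto=True),
        Rule(lambda p: True, "DROP"),
    ]),
    "SSH_LAN": Chain(rules=[
        Rule(lambda p: p["src"] == "192.168.1.250", "RETURN"),
        Rule(lambda p: p["src"] == "192.168.1.5", "ACCEPT"),
    ]),
}

def verdict_for(src: str, dport: int) -> str:
    return decide(CHAINS, "INPUT", {"src": src, "dport": dport})[0]
```

Because SSH_LAN was entered with -g, a packet from 192.168.1.9 that falls off its end skips the DROP at the end of SSH_IN and lands back in INPUT, where the next rule accepts it; with -j in that position it would have been dropped.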
loopback
(NAT loopback, also called hairpin NAT: LAN clients reaching the DNAT'd server through the router's address)
The client's (192.168.1.X/24) source IP is changed to 192.168.1.1, after which
192.168.1.1 --> 192.168.1.200:80
[1]
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 \
    -m limit --limit 64/sec --limit-burst 10 \
    -m comment --comment web-http \
    -j DNAT --to-destination 192.168.1.200:80
[2]
iptables -t nat -A POSTROUTING -o br-lan -s 192.168.1.0/24 \
    -d 192.168.1.200 -p tcp -m tcp --dport 80 \
    -j SNAT --to-source 192.168.1.1
Centos 6
/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh & mosh
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Last Rules
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Target: MARK
This target is only valid in the mangle table.
i.e.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 2222 -j MARK --set-xmark 0x64/0xffffffff
DNS tools
- packet analysis: ethereal, tcpdump
- scanning: nmap, nessus
- testing: ping, dig, traceroute, ntop