Introduction to iptables, the Linux firewall
I. The concept of a firewall
What is a firewall? A firewall is a device, or a group of devices, that enforces an access-control policy between networks. A firewall can in fact span many layers of the OSI model: it may involve packet-filtering devices that inspect and filter packets, it may enforce a policy for a particular application at a higher layer, and so on. The firewall's main function is isolation. It sits at the edge of a network or host, checks the packets entering and leaving against a set of rules, and handles each packet according to the action defined by the rule it matches; the usual implementation denies all access by default and opens only what the policy explicitly allows.
Firewalls are classified as host firewalls, network firewalls, hardware firewalls, software firewalls, network-layer firewalls, application-layer firewalls, and so on. A host firewall applies an access policy to the host it runs on. A network firewall serves the whole local network on one side of it. A hardware firewall implements part of its functionality in dedicated hardware and the rest in software. A software firewall is a firewall application running on a general-purpose hardware platform. A network-layer firewall works at OSI layer 4 and below and controls access based on the network packets at those layers. An application-layer firewall (proxy server) operates at the OSI application layer and controls access based on the application-layer data of programs.
II. Advantages and disadvantages of network-layer and application-layer firewalls
A network-layer firewall is mainly a packet filter: it selects packets at the network layer according to filtering logic configured in the system, known as an access control list (ACL). By examining each packet's source address, destination address, port, protocol state and so on, or a combination of them, it decides whether to let the packet through. Its advantages are that it is transparent to users, fast, and easy to maintain; its disadvantage is that it cannot inspect application-layer data, so it cannot detect things like viruses.
An application-layer firewall, also called a proxy firewall, splits every network connection that crosses the firewall into two segments; both internal and external users' access goes through the "link" on the proxy server. The advantage of this kind of firewall is that it inspects data at the application layer, which is more secure; the disadvantage is that it increases the load on the firewall.
Firewalls used in real production environments are generally a combination of the two: the network-layer data is checked first, and only after it passes is it sent to the application layer for inspection.
III. Introduction to iptables
First the kernel component, netfilter. It is a subsystem introduced in Linux kernel 2.4 and later. As a general, abstract framework it provides a complete management mechanism for hook functions, which makes packet filtering, network address translation and protocol-based connection tracking possible. It places five hook functions at five points in the kernel: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. These five hooks are exposed to users, who can write rules into them with a command-line tool (iptables). From this it is easy to see that iptables is only a user-space tool for managing the rules on netfilter; the firewall functionality itself is implemented by netfilter. Kernel-space functionality cannot be used directly by users; it must be invoked through user-space software. This also explains why iptables is a tool, not a service.
IV. The components of iptables and the path a packet takes
iptables consists of five tables, five chains and a set of rules. The five tables are filter, nat, mangle, raw and security, each with a different purpose. The filter table holds the packet-filtering policy: packets are allowed or rejected according to the predefined rules. The nat table holds address-translation rules. The mangle table holds rules that modify packet mark bits. The raw table disables the connection-tracking mechanism enabled for the nat table, so that packets pass through the firewall faster. The security table is used for mandatory access control (MAC) network rules, implemented by Linux security modules such as SELinux. Their priority, from highest to lowest, is security ---> raw ---> mangle ---> nat ---> filter.
The five built-in chains are the five hook functions mentioned above: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. The correspondence between netfilter tables and chains is shown in the figure below.
The figure above does not show the chains the security table works on; like the filter table, it works on the INPUT, FORWARD and OUTPUT chains. The figure mainly shows where each of the five tables operates. Now that we know how tables map to chains, let's look at the packet-filtering and matching flow.
As shown in the figure above, when network A accesses network B, the data first arrives at the firewall's network card, and the kernel decides from the packet's destination IP whether it needs to be forwarded. Before routing, the packet has to pass the rules in the raw, mangle and nat tables; only after passing those three tables can the decision be made whether the packet is destined for this host or is to be forwarded through it. If it is destined for this host, the packet passes the PREROUTING chain and reaches the INPUT chain. Before it can enter user space and reach a user-space application process, it must pass all the rules on the INPUT chain. After the user-space process receives the remote user's request, the response packet arrives at the OUTPUT chain, which mainly checks packets sent by this host; only a packet that satisfies the outbound rules passes OUTPUT. After passing the OUTPUT chain the packet is routed and reaches the POSTROUTING chain, whose rules are matched against the outbound packet and either let it through or reject it. If the packet is not destined for this host, it passes the PREROUTING chain and reaches the FORWARD chain. The FORWARD chain also has rules; a packet that matches the rules defined on FORWARD either passes or does not (this depends on how the action on the chain is defined; here we assume that a match passes and a non-match does not, to illustrate the matching flow). If the packet passes all the rules on the FORWARD chain, it is routed again and reaches the POSTROUTING chain; as before, it must pass all the rules on POSTROUTING before it can reach the next network, which is how packet forwarding is achieved.
From the figure it is easy to see that packets flow in three ways: into this host, out of this host, and forwarded through this host. A packet entering this host first passes the PREROUTING chain, then the INPUT chain, and finally reaches the user-space process. A packet leaving this host goes user-space process ---> OUTPUT ---> POSTROUTING. A packet forwarded through this host goes PREROUTING --> FORWARD --> POSTROUTING.
Having covered the packet paths, let's talk about routing and when it happens. After a packet enters this host, the kernel uses its destination IP to decide whether it is for this host or to be forwarded: if it is for this host it is sent to the INPUT chain, otherwise to the FORWARD chain. This is the front-end routing decision, made when the packet enters the host. Before the packet leaves the host, the kernel decides, again from the destination IP, which interface sends it to the next hop (the next network).
When a packet arrives at the network card it first enters the PREROUTING chain, and the kernel decides from the destination IP whether it has to be forwarded. If the packet is for this host it reaches the INPUT chain, after which processes can receive it. Programs running on this host can send packets; those packets pass the OUTPUT chain and then the POSTROUTING chain on the way out. If the packet is to be forwarded and the kernel allows forwarding, it moves on through the FORWARD chain and then the POSTROUTING chain on the way out.
V. iptables rules
A rule consists of match conditions and an action. The packet is tested against the rule's match conditions, and a packet that matches is handled according to the action the rule defines. Match conditions are either basic or extended: basic match conditions are built in and available natively; extended match conditions are defined by extension modules, and a specific module has to be installed to get a specific extended match. Actions likewise divide into basic actions (built in, supported natively), extended actions (defined by extension modules), and user-defined processing (handing matched packets to a user-defined chain, which is also how a user-defined chain gets called from a main chain). iptables chains are either built-in or user-defined. The built-in chains correspond to the five hook functions; user-defined chains extend and supplement the built-in ones and allow a more flexible rule-management scheme, but they take effect only when called from a built-in chain.
When adding an iptables rule, consider the following:
1. What you want to achieve, and therefore which table and which position the rule should go in (iptables matches rules from top to bottom; the first rule that matches decides the action, and if nothing matches the default policy applies, so the position of a new rule matters).
2. The path the packet takes must be clear, so that you can decide which chain the rule belongs on.
3. The direction of the packet, to determine source and destination.
4. The match conditions: how to match the packet according to the business requirement.
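The four considerations above turn into a concrete, first-match-ordered ruleset. The following is an added example, not code from the original article: a POSIX shell script that generates a default-deny host firewall for the filter table in the iptables-save/iptables-restore format. Loopback and already-established traffic are accepted first, new connections are handed to a user-defined SERVICES chain, and anything that returns unmatched falls to the DROP policy on INPUT. The service list, the management subnet and the chain name SERVICES are constructed sample values; the script only prints the ruleset unless it is invoked with the argument apply and iptables-restore is installed.

```shell
#!/bin/sh
# Added example (not from the original article): generate a default-deny host
# firewall ruleset in iptables-save/iptables-restore format from a service list.
# Rule order follows first-match semantics: loopback and established traffic
# first, explicit service allows next, everything else falls to the DROP policy.

# Service allowlist as "proto:port" pairs. Constructed for this example.
ALLOWED_SERVICES="tcp:22 tcp:80 tcp:443"
# Only this network may reach the SSH port (hypothetical management subnet).
MGMT_NET="192.168.0.0/24"

# Emit a complete *filter table block for iptables-restore on stdout.
# $1 = space-separated service list, $2 = management subnet allowed to use SSH.
generate_filter_rules() {
    services="$1"; mgmt_net="$2"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'          # default policy: deny inbound
    printf '%s\n' ':FORWARD DROP [0:0]'        # this host is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':SERVICES - [0:0]'          # user-defined chain, "-" = no policy
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -m conntrack --ctstate NEW -j SERVICES'
    for svc in $services; do
        proto=${svc%%:*}; port=${svc##*:}
        if [ "$port" = "22" ]; then
            # SSH is restricted to the management subnet only
            printf '%s\n' "-A SERVICES -s $mgmt_net -p $proto --dport $port -j ACCEPT"
        else
            printf '%s\n' "-A SERVICES -p $proto --dport $port -j ACCEPT"
        fi
    done
    # Unmatched NEW packets return to INPUT and hit the DROP policy there.
    printf '%s\n' '-A SERVICES -j RETURN'
    printf '%s\n' 'COMMIT'
}

# Number of -A rule lines in the generated ruleset (useful as a sanity check).
count_rules() { generate_filter_rules "$1" "$2" | grep -c '^-A '; }

# Apply only when explicitly asked and iptables-restore exists. iptables-restore
# --test parses the ruleset without committing it, so a syntax error is caught
# before the live ruleset is replaced.
if [ "$1" = "apply" ] && command -v iptables-restore >/dev/null 2>&1; then
    generate_filter_rules "$ALLOWED_SERVICES" "$MGMT_NET" | iptables-restore --test &&
    generate_filter_rules "$ALLOWED_SERVICES" "$MGMT_NET" | iptables-restore
else
    generate_filter_rules "$ALLOWED_SERVICES" "$MGMT_NET"
fi
```

Running the script without arguments prints the ruleset so it can be reviewed or saved to a file; the generated file has the same *filter ... COMMIT shape as iptables-save output, which is why iptables-restore accepts it.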
VI. iptables command usage and options
[root@test ~]# iptables -h
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                                jump to chain with no return
  --match     -m match
                                extended match (may load extension)
  --numeric   -n                numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table     -t table          table to manipulate (default: `filter')
  --verbose   -v                verbose mode
  --wait      -w [seconds]      maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact     -x                expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
[root@test ~]#
Tip: besides -h, which gives a brief usage summary, man 8 iptables describes every option in detail.
The -t option specifies the table name (the default is the filter table); -A appends a rule at the end of a chain; -s specifies the source IP address; -j specifies the action. An iptables command can roughly be split into two parts: the first states where the rule goes, the second is the rule itself, which in turn consists of match conditions and an action. The command in the figure above appends a rule at the end of the INPUT chain in the filter table, stating that packets with source address 192.168.0.1 are dropped. Note that -A must be followed by a chain name, and the chain name must be written in upper case.
Summary of the command format: iptables [-t tablename] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
tablename: raw, mangle, nat, [filter]; if none is given, filter is used;
COMMAND: the subcommand, which says whether rules are added, deleted, listed or modified
1. Chain management
-N: new, create a new user-defined chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 524 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -N my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-X: delete, delete an empty user-defined chain (a user-defined chain can be deleted only if it is not referenced by a main chain, i.e. its reference count is 0, and it is empty, i.e. it contains no rules)
[root@test ~]# iptables -A my_chain -s 192.168.0.0/24 -j ACCEPT
[root@test ~]# iptables -A INPUT -s 192.168.0.0/24 -j my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1688 my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 1488 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1688 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -X my_chain
iptables: Too many links.
[root@test ~]# iptables -F INPUT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 1552 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
   94  6516 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -X my_chain
iptables: Directory not empty.
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -X my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-P: policy, set the default policy; for chains in the filter table, the default policy can be ACCEPT (accept, allow) or DROP (discard)
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29890 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31689 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -P FORWARD ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 356 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nvL
-E: rename a user-defined chain;
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  104  7344 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 4120 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
  104  7344 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -E you_chain my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  178 12540 my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
  178 12540 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]#
Tip: a user-defined chain can be renamed even when its reference count is not zero
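The two failure modes shown above ("Too many links" when the chain is still referenced, "Directory not empty" when it still holds rules) can be predicted from an iptables-save dump before running -X. The following is an added example, not code from the original article: a POSIX shell function that reads a dump, counts for each user-defined chain of the filter table how many rules jump to it (-j or -g) and how many rules it holds, and reports which error -X would produce. The dump embedded below is constructed for this example; on a real host the same function can read the output of iptables-save.

```shell
#!/bin/sh
# Added example (not from the original article): audit user-defined chains in an
# iptables-save dump and predict whether "iptables -X <chain>" would succeed.
# The dump below is constructed for this example.

SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:my_chain - [0:0]
:you_chain - [0:0]
:empty_chain - [0:0]
-A INPUT -s 192.168.0.0/24 -j my_chain
-A my_chain -s 192.168.0.0/24 -j ACCEPT
-A you_chain -d 192.168.0.99 -p tcp --dport 80 -j DROP
COMMIT'

# Print "chain references rules status" for every user-defined chain of the
# filter table. In a dump, ":name policy [pkts:bytes]" declares a chain; a
# policy of "-" marks it as user-defined (built-in chains carry ACCEPT/DROP).
audit_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/      { table = substr($0, 2); next }     # "*filter" opens a table
        /^COMMIT/  { table = ""; next }                # COMMIT closes it
        table != "filter" { next }
        /^:/ && $2 == "-" {
            name = substr($1, 2); user[name] = 1; refs[name] = 0; rules[name] = 0; next
        }
        /^-A/ {
            rules[$2]++                                # one rule stored in chain $2
            for (i = 3; i <= NF; i++)                  # "-j chain" / "-g chain" is a reference
                if (($i == "-j" || $i == "-g") && (i + 1) <= NF && ($(i+1) in user))
                    refs[$(i+1)]++
        }
        END {
            for (c in user) {
                status = "deletable"
                if (refs[c] > 0)       status = "referenced:Too-many-links"
                else if (rules[c] > 0) status = "non-empty:Directory-not-empty"
                printf "%s %d %d %s\n", c, refs[c], rules[c], status
            }
        }' | sort
}

# Status word for a single chain ($1 = dump, $2 = chain name).
chain_status() { audit_chains "$1" | awk -v c="$2" '$1 == c { print $4 }'; }

audit_chains "$SAMPLE_DUMP"
```

For the constructed dump this prints one line per chain: my_chain is referenced from INPUT, you_chain is unreferenced but still holds a rule, and empty_chain can be removed with -X straight away. The order of repair matches the article's session: remove or flush the referencing rule first, then flush the chain, then delete it.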
2. Rule management
-A: append, append a rule at the end of the specified chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2208  340K my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1382 packets, 253K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2208  340K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2360  351K my_chain   all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1048 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2360  351K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.99
[root@test ~]#
-I: insert; the position should be given; if it is omitted, the rule is inserted as the first one;
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 195 packets, 13312 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 121 packets, 12112 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 41319 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -I my_chain -d 192.168.0.99 -p tcp --dport 80 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 124 packets, 10836 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 114 packets, 10648 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -I my_chain 2 -d 192.168.0.99 -p tcp --dport 8080 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 620 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6 packets, 1176 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]#
-D: delete; to delete a rule, give either its rule number or the rule itself
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18 packets, 1136 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 3072 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -D my_chain 1
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -D my_chain -d 192.168.0.99 -p tcp --dport 8080 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]#
-R: replace, replace the specified rule on the specified chain; the number of the rule to replace must be given
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
[root@test ~]# iptables -R my_chain 1 -d 192.168.0.100 -p tcp --dport 22 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.100        tcp dpt:22
[root@test ~]#
-F: flush, empty the specified chain; if no chain is specified, all chains of the filter table are emptied
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 38 packets, 2560 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29 packets, 3648 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.100        tcp dpt:22
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 16 packets, 1108 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 41319 -j ACCEPT
[root@test ~]# iptables -A my_chain -d 192.168.0.99 -p tcp --dport 80 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  139  9668 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:80
[root@test ~]# iptables -F my_chain
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  200 13824 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-Z: zero, reset the counters on the specified chain; if no chain is specified, the rule counters on all chains of the filter table are reset. Every iptables rule has two counters: (1) the number of packets matched; (2) the total size of all packets matched;
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  783 59868 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   50  4212 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 27 packets, 3364 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   672 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -Z OUTPUT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  822 62468 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   60  5052 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -Z
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  2124 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
3. Viewing the rules on a chain
-L: list, list all rules on the specified chain; -n: numeric, show addresses and ports in numeric form; -v: verbose, detailed information; -vv and -vvv give increasing levels of detail
[root@test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             test                 tcp dpt:41319
ACCEPT     icmp --  anywhere             test                 icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  test                 anywhere             icmp echo-reply

Chain my_chain (0 references)
target     prot opt source               destination
[root@test ~]# iptables -Ln
iptables: No chain/target/match by that name.
[root@test ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.99         tcp dpt:41319
ACCEPT     icmp --  0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
target     prot opt source               destination
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
  205 14232 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   73  6132 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 160 packets, 18172 bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  6132 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nL -vv
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
  244 16780 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   93  7812 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 185 packets, 21408 bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  7812 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
libiptc vlibxtables.so.10. 1544 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/220/2b8/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/188/220/378/ffffffff

Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 244 packets, 16780 bytes
Cache: 00000000
Match name: `tcp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 1 (200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 93 packets, 7812 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 2 (392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 4 packets, 284 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 3 (544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP

Entry 4 (696):
SRC IP: 192.168.0.99/255.255.255.255
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 93 packets, 7812 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 5 (888):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 185 packets, 21408 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 6 (1040):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`my_chain'

Entry 7 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN

Entry 8 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@test ~]# iptables -nL -vvv
Chain INPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
  288 18748 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   97  8148 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 264 packets, 32648 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  8148 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
libiptc vlibxtables.so.10. 1544 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/220/2b8/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/188/220/378/ffffffff

Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 288 packets, 18748 bytes
Cache: 00000000
Match name: `tcp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 1 (200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 192.168.0.99/255.255.255.255
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 97 packets, 8148 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 2 (392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 4 packets, 284 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 3 (544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_DROP

Entry 4 (696):
SRC IP: 192.168.0.99/255.255.255.255
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 97 packets, 8148 bytes
Cache: 00000000
Match name: `icmp'
Target name: `' [40]
verdict=NF_ACCEPT

Entry 5 (888):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 264 packets, 32648 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 6 (1040):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`my_chain'

Entry 7 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN

Entry 8 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@test ~]#
Tip: when other options are combined with the -L subcommand, they must be placed before -L; otherwise what follows -L is taken as a chain name (as the -Ln error above shows)
-x: exact, show the exact counter values rather than the human-readable values converted into K/M units
--line-numbers: show rule numbers; can be abbreviated --line-num
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7196  322K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
  459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13994 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
  459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7227  324K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14018 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num   pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -nvL --line-num
Chain INPUT (policy ACCEPT 7 packets, 502 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7240  325K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14031 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      459 38556 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
num   pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
-S: --list-rules, show the rules on a chain in iptables-save command format
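The per-rule counters described under -Z, together with -x and --line-numbers, are what make it possible to see which rules actually fire. The following is an added example, not code from the original article: a POSIX shell script that takes two snapshots of "iptables -nvx -L INPUT --line-numbers" captured some time apart, subtracts the packet counters rule by rule, and flags DROP rules whose hit count grew past a threshold. -x is essential here, because the K/M-suffixed values shown without it cannot be subtracted; a counter that decreased is treated as having been zeroed with -Z in between. Both snapshots embedded below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): compare two snapshots of
# "iptables -nvx -L INPUT --line-numbers" and report per-rule packet deltas.
# The two snapshots below are constructed for this example.

SNAP_BEFORE='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7196 322001 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8
3        3   180 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:22'

SNAP_AFTER='Chain INPUT (policy DROP 15 packets, 900 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7240 325011 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
2      459 38556 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8
3      253 15180 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:22'

# Print "num target packets_delta" for every rule in the second snapshot.
# $1 = earlier snapshot, $2 = later snapshot. Rule lines start with the rule
# number (column 1); "Chain ..." and column-header lines are skipped.
rule_deltas() {
    { printf '%s\n' "$1"; printf 'SNAPSHOT_BREAK\n'; printf '%s\n' "$2"; } | awk '
        /^SNAPSHOT_BREAK$/ { second = 1; next }
        $1 !~ /^[0-9]+$/   { next }
        !second            { before[$1] = $2; next }   # remember earlier pkts by rule number
        {
            delta = $2 - before[$1]
            if (delta < 0) delta = $2                  # counter was zeroed (-Z) in between
            printf "%s %s %d\n", $1, $4, delta
        }'
}

# Rules with a DROP target whose packet delta exceeds $3: a cheap signal that
# something is repeatedly probing a blocked port and deserves a closer look.
drops_over() {
    rule_deltas "$1" "$2" | awk -v min="$3" '$2 == "DROP" && $3 > min'
}

rule_deltas "$SNAP_BEFORE" "$SNAP_AFTER"
drops_over "$SNAP_BEFORE" "$SNAP_AFTER" 100
```

On a live host the two snapshots would come from running iptables -nvx -L INPUT --line-numbers twice with a sleep in between; because the join is on the rule number, the comparison is only meaningful when no rules were inserted or deleted between the two captures.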
[root@test ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N my_chain
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT
-A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
[root@test ~]#
Tip: the output can be redirected to a file if needed, but the exported content cannot be used to import rules from that file, i.e. a file exported this way cannot be used to reload the iptables rule tables
4. Exporting and importing rules
Exporting iptables rules to a file
[root@test ~]# iptables-save > iptables.txt [root@test ~]# cat iptables.txt # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *security :INPUT ACCEPT [122:11155] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [100:10857] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *mangle :PREROUTING ACCEPT [122:11155] :INPUT ACCEPT [122:11155] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [100:10857] :POSTROUTING ACCEPT [100:10857] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *raw :PREROUTING ACCEPT [122:11155] :OUTPUT ACCEPT [100:10857] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [5:280] :POSTROUTING ACCEPT [5:280] COMMIT # Completed on Thu Feb 6 00:01:22 2020 # Generated by iptables-save v1.4.21 on Thu Feb 6 00:01:22 2020 *filter :INPUT ACCEPT [40:5587] :FORWARD DROP [0:0] :OUTPUT ACCEPT [100:10857] :my_chain - [0:0] -A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT -A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT -A OUTPUT -s 192.168.0.99/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT COMMIT # Completed on Thu Feb 6 00:01:22 2020 [root@test ~]#
Tip: rules are saved with the iptables-save command. By default it prints all rules on every chain to standard output; to save them to a specific file, simply redirect its output to that file.
Importing iptables rules
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
54895 2298K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
   75  6300 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 117K packets, 130M bytes)
 pkts bytes target     prot opt in     out     source               destination
   75  6300 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 27 packets, 1976 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20 packets, 1816 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables-restore < iptables.txt
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1636 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    7   588 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
Tip: the file being imported must be one exported by iptables-save; a file produced with iptables -S cannot be used to restore rules.
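As an added check (example code, not from the original post), the following POSIX sh function tells an iptables-save dump apart from `iptables -S` output before a file is handed to iptables-restore: it requires every `*table` block to be closed by `COMMIT` and accepts only `:chain` and `-A` lines inside a block, so a `-S` listing (which carries `-P`/`-N` lines and no table headers) or a dump truncated before `COMMIT` is refused. The sample inputs are constructed from the dumps shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for a file that
# is about to be fed to iptables-restore: accept only the iptables-save layout
# (*table ... COMMIT blocks holding :chain and -A lines) and refuse anything
# else, including `iptables -S` output and a dump cut off before COMMIT.
is_restorable_dump() {        # reads the dump on stdin; exit 0 = restorable
  awk '
    BEGIN { in_table = 0; tables = 0; bad = 0 }
    /^#/ || /^[[:space:]]*$/ { next }                 # comments, blank lines
    /^\*[a-z]+$/ { if (in_table) bad = 1; in_table = 1; tables++; next }
    /^COMMIT$/   { if (!in_table) bad = 1; in_table = 0; next }
    /^:[^ ]+ /   { if (!in_table) bad = 1; next }     # chain policy/counters
    /^-A /       { if (!in_table) bad = 1; next }     # rule lines
    { bad = 1 }                                       # -P, -N, -I or garbage
    END { if (bad || in_table || tables == 0) exit 1; exit 0 }
  '
}

# Constructed samples modelled on the iptables-save and iptables -S output above.
SAVE_DUMP='# Generated by iptables-save v1.4.21 on Thu Feb  6 00:01:22 2020
*filter
:INPUT ACCEPT [40:5587]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100:10857]
:my_chain - [0:0]
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT
-A INPUT -d 192.168.0.99/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Thu Feb  6 00:01:22 2020'
S_DUMP='-P INPUT ACCEPT
-P FORWARD DROP
-N my_chain
-A INPUT -d 192.168.0.99/32 -p tcp -m tcp --dport 41319 -j ACCEPT'

check() {                     # $1 = label, $2 = dump text
  if printf '%s\n' "$2" | is_restorable_dump; then echo "$1: restorable"
  else echo "$1: refused"; fi
}
check "iptables-save dump" "$SAVE_DUMP"
check "iptables -S listing" "$S_DUMP"
# Same save dump truncated before COMMIT, as left behind by a partial write.
check "truncated dump" "$(printf '%s\n' "$SAVE_DUMP" | head -n 7)"
```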
-n, --noflush: import without clearing the existing rules
[root@test ~]# iptables -F
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 3306 -j ACCEPT
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3468 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:3306

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 3028 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables-restore -n iptables.txt
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:3306
   24  1636 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.99         tcp dpt:41319
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.99         icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     icmp --  *      *       192.168.0.99         0.0.0.0/0            icmptype 0

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
Tip: the -n option leaves the existing rules on the built-in (non-custom) chains in place; custom chains are cleared regardless of whether they are referenced.
-t, --test: only parse and build the ruleset, without committing it
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1708 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1548 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]# iptables-restore -t iptables.txt
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 98 packets, 7096 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 7188 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test ~]#
Tip: the export and import methods above apply to both CentOS 6 and CentOS 7.
Besides the methods above, CentOS 6 can also import and export rules through its init script: service iptables save or /etc/init.d/iptables save saves the iptables rules.
[root@test-node1 ~]#cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  1728 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 2272 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  1728 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test-node1 ~]#service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@test-node1 ~]#cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 6 00:49:32 2020
*filter
:INPUT ACCEPT [22:1656]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [82:8776]
:you_chain - [0:0]
-A INPUT -s 192.168.0.0/24 -j you_chain
-A you_chain -s 192.168.0.0/24 -j ACCEPT
COMMIT
# Completed on Thu Feb 6 00:49:32 2020
[root@test-node1 ~]
Tip: on CentOS 6, exporting iptables rules through the init script overwrites /etc/sysconfig/iptables by default.
Importing rules on CentOS 6
[root@test-node1 ~]#iptables -F
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14 packets, 1304 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain you_chain (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@test-node1 ~]#service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [ OK ]
iptables: Flushing firewall rules:                         [ OK ]
iptables: Unloading modules:                               [ OK ]
iptables: Applying firewall rules:                         [ OK ]
[root@test-node1 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1332 you_chain  all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain you_chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   19  1332 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
[root@test-node1 ~]#
Tip: on CentOS 6, rules are imported with restart, not restore.