Linux防火牆之iptables常用擴充套件匹配條件(一)
上一篇博文講了iptables的基本匹配條件和隱式匹配條件,回顧請參考https://www.cnblogs.com/qiuhom-1874/p/12269717.html;今天在來說說iptabels的一些常用的顯示擴充套件匹配條件,所謂顯示擴充套件匹配條件?顯示擴充套件匹配條件就是我們需要用到一些擴充套件的模組,用-m選項去指定動態載入。要用iptabels的擴充套件匹配條件的前提是,我們的系統上要有對應的擴充套件模組。在Linux主機上/usr/lib64/xtables/這個目錄用來存放iptables的模組的,這裡面的模組以libip6t開頭的,表示適用於ipv6,其餘的是ipv4協議版本的模組。這個目錄下的模組命名是這樣的,libipt_或者libip6t_後面的名字如果全是大寫,則該模組用於處理動作擴充套件模組,如果是小寫就是匹配條件的擴充套件模組。對於這些模組的幫助資訊,在centos上用man iptables就可以找到相應的說明和用法,以及模組的選項等等,在centos7上我們要檢視擴充套件模組的用法幫助,需要用man iptables-extensions 來檢視;瞭解了iptables的擴充套件模組,我們接下來說說常用的幾種擴充套件模組的使用和說明
1、multiport擴充套件,這個擴充套件模組主要用於匹配多個源埠或目標埠,前面我們瞭解了tcp和udp他們都有兩個隱式擴充套件來指定連續或單個源埠或目標埠,它不能同時指定多個離散的埠,multiport這個模組就可以以離散方式定義多埠匹配,當然它也支援連續的埠匹配,連續埠匹配同tcp/udp的連續埠匹配用法和寫法一直,它也支援,連續和非連續埠的混合匹配,但這個模組最多匹配15個埠。這裡的15個埠不同於我們理解的15個埠,這裡的15個埠是說用逗號隔開的離散埠,也就是說連續的埠,在這裡只算一個。
[!] --source-ports,--sports port[,port|,port:port]...,這個選項表示匹配多個源埠
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18 packets, 1292 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -s 172.16.0.0/16 -d 192.168.0.99 -p tcp -m multiport --sports 20:50,80,3306,9000 -j ACCEPT
[root@test ~]# iptables -A my_chain -s 172.16.0.0/16 -d 192.168.0.99 -p tcp -m multiport ! --sports 53,123,323 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1740 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 172.16.0.0/16 192.168.0.99 multiport sports 20:50,80,3306,9000
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 172.16.0.0/16 192.168.0.99 multiport sports !53,123,323
[root@test ~]#
提示:--sports支援對指定埠取反,表示匹配除了指定埠以外的其他埠。
[!] --destination-ports,--dports port[,port|,port:port]...,這個選項表示匹配多個目標埠
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 528 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 620 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp -m multiport --dports 22,80,3306,41319 -j ACCEPT
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp -m multiport ! --dports 22,80,3306,41319 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
152 12112 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.99 multiport dports 22,80,3306,41319
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.99 multiport dports !22,80,3306,41319
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1580 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
[!] --ports port[,port|,port:port]...多個源或目標埠
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18 packets, 1292 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp -m multiport --ports 22,3306,41319 -j ACCEPT
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp -m multiport ! --ports 22,3306,41319 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
121 9468 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.99 multiport ports 22,3306,41319
6 304 DROP tcp -- * * 0.0.0.0/0 192.168.0.99 multiport ports !22,3306,41319
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25 packets, 3120 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
提示:--ports表示匹配到的埠不管是源還是目標,只要是指定的埠都能匹配得到,然後做出相應的處理動作
2、iprange擴充套件,此擴充套件模組主要用於匹配連續的ip地址範圍
[!] --src-range from[-to] 此選項表示匹配源ip地址範圍
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 1832 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19 packets, 1832 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -p tcp -m iprange --src-range 192.168.0.200-192.168.0.245 -j ACCEPT
[root@test ~]# iptables -A INPUT -p tcp -m iprange ! --src-range 192.168.0.200-192.168.0.245 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
144 12000 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.0.200-192.168.0.245
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range ! 192.168.0.200-192.168.0.245
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
[!] --dst-range from[-to],此選項表示匹配目標地址範圍
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 2096 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 20 packets, 1856 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A OUTPUT -p tcp -m iprange --dst-range 192.168.0.100-192.168.0.245 -j ACCEPT
[root@test ~]# iptables -A OUTPUT -p tcp -m iprange ! --dst-range 192.168.0.100-192.168.0.245 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 103 packets, 7240 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
175 16212 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.0.100-192.168.0.245
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range ! 192.168.0.100-192.168.0.245
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
3、mac擴充套件,該模組用於匹配主機的MAC地址,適用於PREROUTING和FORWARD,INPUT鏈上
[!] --mac-source XX:XX:XX:XX:XX:XX,此選項表示匹配源MAC地址
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -p tcp -m mac --mac-source 00:24:81:68:ce:45 -j ACCEPT
[root@test ~]# iptables -A INPUT -s 192.168.0.151 -p tcp -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 65 packets, 16202 bytes)
pkts bytes target prot opt in out source destination
18 1480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:24:81:68:CE:45
0 0 DROP tcp -- * * 192.168.0.151 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 70 packets, 19646 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
4、string擴充套件,此模組主要對報文中的應用層資料做字串模式匹配檢測
--algo {bm|kmp} ,指定字串匹配檢測演算法,這個必須指定
--from offset:從第幾個位元組開始匹配
--to offset :到底幾個位元組結束
[!] --string pattern 指定要檢測到字串模式
[!] --hex-string pattern 知道那個要檢測字串模式,16進位制格式
示例:入站報文有loganalyzer的字眼的報文,給予丟棄
在沒有設定規則的是可以正常訪問的
新增如下規則
[root@test ~]# iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "loganalyzer" -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 35 packets, 2328 bytes)
pkts bytes target prot opt in out source destination
8 1840 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 STRING match "loganalyzer" ALGO name bm TO 65535
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 28 packets, 3200 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
提示:可以看到添加了規則後,我們客戶端就不能再訪問我們的網站了,這個就是通過過濾字串來實現控制使用者的訪問
5、time擴充套件,此模組根據將報文到達的時間與指定的時間範圍進行匹配
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] 指定開始日期
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] 指定結束日期
--timestart hh:mm[:ss] 指定開始時間
--timestop hh:mm[:ss] 指定結束時間
[!] --monthdays day[,day...] 指定每個月的幾號
[!] --weekdays day[,day...] 指定星期幾,1 – 7 分別表示星期一到星期日
--kerneltz:使用核心配置的時區而非預設的UTC,CentOS7系統預設為UTC;注意: centos6 不支援kerneltz ,--localtz指定本地時區(預設)
通常情況我們用--mouthdays 和--timestart 、--timestop結合或者--weekdays day 和--timestart 、--timestop來結合使用很少和--datastart 、datastop使用;最後我們還有指定為使用的時區,如果我們不指定,它預設使用的是UTC時區,在centos6 上需要用--localtz來指定時區
示例:允許任何客戶端在晚上的20:00:00 到20:50:00 通過telnet 來訪問我們伺服器
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -p tcp --dport 23 -m time --timestart 20:00:00 --timestop 20:50:00 --kerneltz -j ACCEPT
[root@test ~]# iptables -A INPUT -p tcp --dport 23 -j DROP
[root@test ~]# iptables -A OUTPUT -p tcp --sport 23 -m time --timestart 20:00:00 --timestop 20:50:00 --kerneltz -j ACCEPT
[root@test ~]# iptables -A OUTPUT -p tcp --sport 23 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1332 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 TIME from 20:00:00 to 20:50:00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:23 TIME from 20:00:00 to 20:50:00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:23
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
測試:在允許的時間內通過Telnet訪問伺服器
提示:可以看到在允許的時間訪問伺服器上沒有問題,我們等會不再允許的時間範圍內在訪問下,看看是不是可以正常訪問呢
提示:可以看到不再允許的時間範圍呢 是不可以訪問的
通過time模組我們可以做到在某個時間允許或拒絕客戶端的訪問,時間可以用上面的三種時間組合來確定一個範圍,也可以同其他擴充套件模組聯合使用,比如我們又要控制時間,又要控制部分源ip 來訪問我們伺服器,我們可以用-m指定iprange 的範圍,iptables裡的一條規則匹配條件都是取並集,也就說一條規則是否匹配到報文,要看這條規則裡的匹配條件是否對資料包都匹配,換句話說就是一個數據要通過某一條規則,那麼這個資料包需要滿足我們給定規則的所有條件。
示例2:允許192.168.0.10-192.168.0.200 的伺服器在21:00:00到21:20:00 允許通過Telnet訪問我們伺服器
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -p tcp --dport 23 -m iprange --src-range 192.168.0.10-192.168.0.200 -m time --timestart 21:00:00 --timestop 21:20:00 --kerneltz -j ACCEPT
[root@test ~]# iptables -A INPUT -p tcp --dport 23 -j DROP
[root@test ~]# iptables -A OUTPUT -p tcp --sport 23 -m iprange --dst-range 192.168.0.10-192.168.0.200 -m time --timestart 21:00:00 --timestop 21:20:00 --kerneltz -j ACCEPT
[root@test ~]# iptables -A OUTPUT -p tcp --dport 23 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 14 packets, 924 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 source IP range 192.168.0.10-192.168.0.200 TIME from 21:00:00 to 21:20:00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11 packets, 1908 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:23 destination IP range 192.168.0.10-192.168.0.200 TIME from 21:00:00 to 21:20:00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
測試:不在允許範圍的主機和在允許範圍的主機都在允許時間是否能訪問伺服器?
提示:可以看到雖然都是在允許的時間,在允許範圍的主機是可以訪問的,不再允許範圍的主機上不能訪問的。
測試:允許的主機和不允許的主機,都在不在允許的時間是否可以訪問伺服器?
提示:可以看到都不在允許的時間,它倆是都不能訪問的,所以要滿足在允許的時間內的同時還要滿足是允許的主機才可以,它倆條件必須是交集。
6、connlimit擴充套件,此模組可根據每客戶端IP做併發連線數數量匹配,可防止CC(Challenge Collapsar挑戰黑洞)攻擊
--connlimit-upto #:連線的數量小於等於#時匹配
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 14 packets, 1004 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11 packets, 996 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -p tcp --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT
[root@test ~]# iptables -A INPUT -p tcp --dport 23 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 23 packets, 1668 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 #conn src/32 <= 2
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1548 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
提示:以上規則表示,同一客戶端連線我本機伺服器上的23號埠(Telnet服務),如果連線數小於等於2 允許連線。
測試:同一主機開三個視窗對伺服器,看看第三個連線是否可以連線
提示:可以看到當192.168.0.151 的第三個連線是被伺服器拒絕了
--connlimit-above #:連線的數量大於#時匹配
[root@test ~]# iptables -F
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1212 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]# iptables -A INPUT -d 192.168.0.99 -p tcp --dport 23 -m connlimit --connlimit-above 2 -j DROP
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 23 packets, 1596 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.99 tcp dpt:23 #conn src/32 > 2
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1396 bytes)
pkts bytes target prot opt in out source destination
Chain my_chain (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
提示:我們把上面的規則更改為同一主機連線數大於2時 就丟棄,其他連線走默認同意放行連線,也就是說只要同一ip 連線數大於2 就拒絕
測試:同一主機開三個視窗對伺服器,看看第三個連線是否可以連線
提示:可以看到同一主機連線大於2時就拒絕連結了
提示:在同一主機連線數大於2時 用另外的主機去連線是不受影響的
從以上測試看,connlimit模組可以控制單臺客戶端的併發連線數,並且不對其他客戶端產生影響,通常情況--connlimit-upto 和--connlimit-above 和預設策略結合使用,如果預設策略是允許所有不匹配的報文,那麼我就用--connlimit-above 來控制連線上限,然後再拒絕。如果預設策略是拒絕所有不匹配的報文那麼我們就用--connlimit-upto來允許連線數小於等於某個數來控制連線請