CentOS7.3下的一个iptables配置

前端之家收集整理的这篇文章主要介绍了CentOS7.3下的一个iptables配置前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

centos7.3默认使用的防火墙应该是firewall,而不是iptables。而我们如果想要再服务器上使用iptables防火墙,在配置防火墙之前,我们需要先关闭firewall,安装iptables。


当前环境:

[root@localhost~]#cat/etc/redhat-release
CentOSLinuxrelease7.3.1611(Core)
[root@localhost~]#uname-r
3.10.0-514.el7.x86_64
[root@localhost~]#


查看firewall状态:

[root@localhost~]#systemctlstatusfirewalld
●firewalld.service-firewalld-dynamicfirewalldaemon
Loaded:loaded(/usr/lib/systemd/system/firewalld.service;disabled;vendorpreset:enabled)
Active:inactive(dead)
Docs:man:firewalld(1)
[root@localhost~]#

如果要关闭firewall防火墙,则执行

[root@localhost~]#systemctlstopfirewalld

如果要设置开机不启动,则执行

[root@localhost~]#systemctldisablefirewalld
[root@localhost~]#

接下来安装iptables服务

[root@localhost~]#yum-yinstalliptables-services

查看iptables状态,执行

[root@localhost~]#systemctlstatusiptables.service
●iptables.service-IPv4firewallwithiptables
Loaded:loaded(/usr/lib/systemd/system/iptables.service;disabled;vendorpreset:disabled)
Active:inactive(dead)
[root@localhost~]#

设置开机启动

[root@localhost~]#systemctlenableiptables.service
Createdsymlinkfrom/etc/systemd/system/basic.target.wants/iptables.serviceto/usr/lib/systemd/system/iptables.service.
[root@localhost~]#systemctlstatusiptables.service
●iptables.service-IPv4firewallwithiptables
Loaded:loaded(/usr/lib/systemd/system/iptables.service;enabled;vendorpreset:disabled)
Active:inactive(dead)
[root@localhost~]#

启动iptables服务

[root@localhost~]#systemctlstartiptables.service
[root@localhost~]#systemctlstatusiptables.service
●iptables.service-IPv4firewallwithiptables
Loaded:loaded(/usr/lib/systemd/system/iptables.service;enabled;vendorpreset:disabled)
Active:active(exited)sinceTue2017-08-1522:27:23EDT;1sago
Process:2243ExecStart=/usr/libexec/iptables/iptables.initstart(code=exited,status=0/SUCCESS)
MainPID:2243(code=exited,status=0/SUCCESS)
Aug1522:27:23localhost.localdomainsystemd[1]:StartingIPv4firewallwithiptables...
Aug1522:27:23localhost.localdomainiptables.init[2243]:iptables:Applyingfirewallrules:[OK]
Aug1522:27:23localhost.localdomainsystemd[1]:StartedIPv4firewallwithiptables.
[root@localhost~]#

查看iptables默认访问规则

[root@localhost~]#iptables-L-nv
ChainINPUT(policyACCEPT0packets,0bytes)
pktsbytestargetprotoptinoutsourcedestination
453348ACCEPTall--**0.0.0.0/00.0.0.0/0stateRELATED,ESTABLISHED
00ACCEPTicmp--**0.0.0.0/00.0.0.0/0
00ACCEPTall--lo*0.0.0.0/00.0.0.0/0
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0stateNEWtcpdpt:22
9702REJECTall--**0.0.0.0/00.0.0.0/0reject-withicmp-host-prohibited
ChainFORWARD(policyACCEPT0packets,0bytes)
pktsbytestargetprotoptinoutsourcedestination
00REJECTall--**0.0.0.0/00.0.0.0/0reject-withicmp-host-prohibited
ChainOUTPUT(policyACCEPT36packets,4064bytes)
pktsbytestargetprotoptinoutsourcedestination
[root@localhost~]#

查看iptables配置文件的默认规则设置:

[root@localhost~]#cat/etc/sysconfig/iptables
#sampleconfigurationforiptablesservice
#youcaneditthismanuallyorusesystem-config-firewall
#pleasedonotaskustoaddadditionalports/servicestothisdefaultconfiguration
*filter
:INPUTACCEPT[0:0]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[0:0]
-AINPUT-mstate--stateRELATED,ESTABLISHED-jACCEPT
-AINPUT-picmp-jACCEPT
-AINPUT-ilo-jACCEPT
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-jACCEPT
-AINPUT-jREJECT--reject-withicmp-host-prohibited
-AFORWARD-jREJECT--reject-withicmp-host-prohibited
COMMIT
[root@localhost~]#

常用iptables配置范例:

[root@localhost~]#iptables-L-nv
ChainINPUT(policyDROP0packets,0bytes)
pktsbytestargetprotoptinoutsourcedestination
00pingicmp--**0.0.0.0/00.0.0.0/0icmptype8stateNEW
393016ACCEPTall--**0.0.0.0/00.0.0.0/0ctstateRELATED,ESTABLISHED
00ACCEPTall--**0.0.0.0/00.0.0.0/0stateRELATED,ESTABLISHED
00ACCEPTall--lo*0.0.0.0/00.0.0.0/0
00ACCEPTall--**192.168.112.00.0.0.0/0
00ACCEPTall--**10.0.10.00.0.0.0/0
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:80
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:444
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:443
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:843
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:8001
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:8002
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:8003
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:8080
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:10050
00ACCEPTtcp--**0.0.0.0/00.0.0.0/0tcpdpt:10051
ChainFORWARD(policyACCEPT0packets,0bytes)
pktsbytestargetprotoptinoutsourcedestination
ChainOUTPUT(policyACCEPT31packets,2884bytes)
pktsbytestargetprotoptinoutsourcedestination
Chainping(1references)
pktsbytestargetprotoptinoutsourcedestination
00ACCEPTicmp--**0.0.0.0/00.0.0.0/0icmptype8limit:avg1/secburst5
00ACCEPTicmp--**0.0.0.0/00.0.0.0/0
[root@localhost~]#

此时如果想保存当前配置到某个文件(这里用access.txt),可以使用iptables-save命令:

[root@localhost~]#iptables-save>access.txt
[root@localhost~]#cataccess.txt
#Generatedbyiptables-savev1.4.21onTueAug1522:41:422017
*nat
:PREROUTINGACCEPT[9:702]
:INPUTACCEPT[0:0]
:OUTPUTACCEPT[5:380]
:POSTROUTINGACCEPT[5:380]
COMMIT
#CompletedonTueAug1522:41:422017
#Generatedbyiptables-savev1.4.21onTueAug1522:41:422017
*raw
:PREROUTINGACCEPT[96:7170]
:OUTPUTACCEPT[66:8472]
:OUTPUT_direct-[0:0]
:PREROUTING_direct-[0:0]
-APREROUTING-jPREROUTING_direct
-AOUTPUT-jOUTPUT_direct
COMMIT
#CompletedonTueAug1522:41:422017
#Generatedbyiptables-savev1.4.21onTueAug1522:41:422017
*security
:INPUTACCEPT[87:6468]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[66:8472]
:FORWARD_direct-[0:0]
:INPUT_direct-[0:0]
:OUTPUT_direct-[0:0]
-AINPUT-jINPUT_direct
-AFORWARD-jFORWARD_direct
-AOUTPUT-jOUTPUT_direct
COMMIT
#CompletedonTueAug1522:41:422017
#Generatedbyiptables-savev1.4.21onTueAug1522:41:422017
*mangle
:PREROUTINGACCEPT[96:7170]
:INPUTACCEPT[96:7170]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[66:8472]
:POSTROUTINGACCEPT[66:8472]
:FORWARD_direct-[0:0]
:INPUT_direct-[0:0]
:OUTPUT_direct-[0:0]
:POSTROUTING_direct-[0:0]
:PREROUTING_ZONES-[0:0]
:PREROUTING_ZONES_SOURCE-[0:0]
:PREROUTING_direct-[0:0]
:PRE_public-[0:0]
:PRE_public_allow-[0:0]
:PRE_public_deny-[0:0]
:PRE_public_log-[0:0]
-APREROUTING-jPREROUTING_direct
-APREROUTING-jPREROUTING_ZONES_SOURCE
-APREROUTING-jPREROUTING_ZONES
-AINPUT-jINPUT_direct
-AFORWARD-jFORWARD_direct
-AOUTPUT-jOUTPUT_direct
-APOSTROUTING-jPOSTROUTING_direct
-APREROUTING_ZONES-gPRE_public
-APRE_public-jPRE_public_log
-APRE_public-jPRE_public_deny
-APRE_public-jPRE_public_allow
COMMIT
#CompletedonTueAug1522:41:422017
#Generatedbyiptables-savev1.4.21onTueAug1522:41:422017
*filter
:INPUTDROP[9:702]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[66:8472]
:ping-[0:0]
-AINPUT-picmp-micmp--icmp-type8-mstate--stateNEW-jping
-AINPUT-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT
-AINPUT-mstate--stateRELATED,ESTABLISHED-jACCEPT
-AINPUT-ilo-jACCEPT
-AINPUT-s192.168.112.0/32-jACCEPT
-AINPUT-s10.0.10.0/32-jACCEPT
-AINPUT-ptcp-mtcp--dport80-jACCEPT
-AINPUT-ptcp-mtcp--dport444-jACCEPT
-AINPUT-ptcp-mtcp--dport443-jACCEPT
-AINPUT-ptcp-mtcp--dport843-jACCEPT
-AINPUT-ptcp-mtcp--dport8001-jACCEPT
-AINPUT-ptcp-mtcp--dport8002-jACCEPT
-AINPUT-ptcp-mtcp--dport8003-jACCEPT
-AINPUT-ptcp-mtcp--dport8080-jACCEPT
-AINPUT-ptcp-mtcp--dport10050-jACCEPT
-AINPUT-ptcp-mtcp--dport10051-jACCEPT
-Aping-picmp-micmp--icmp-type8-mlimit--limit1/sec-jACCEPT
-Aping-picmp-jACCEPT
COMMIT
#CompletedonTueAug1522:41:422017
[root@localhost~]#

如果不小心把配置全部清理了,这是可以用iptables-restore 命令重新将配置导入:

[root@localhost~]#iptables-L-nv
ChainINPUT(policyACCEPT0packets,0bytes)
pktsbytestargetprotoptinoutsourcedestination
ChainFORWARD(policyACCEPT0packets,0by
pktsbytestargetprotoptinoutsourcedestination
ChainOUTPUT(policyACCEPT0packets,0by
pktsbytestargetprotoptinoutsourcedestination
[root@localhost~]#iptables-restoreaccess.
[root@localhost~]#iptables-L
ChainINPUT(policyDROP0packets,0by
pktsbytestargetprotoptinoutsourcedestination
00pingicmp--**0.0.0.0/00.0.0.0/0icmptype8stateNEW
5356ACCEPTall--**0.0.0.0/00.0.0.0/0ctstateRELATED,0by
pktsbytestargetprotoptinoutsourcedestination
ChainOUTPUT(policyACCEPT4packets,416by
pktsbytestargetprotoptinoutsourcedestination
Chainping(1referen
pktsbytestargetprotoptinoutsourcedestination
00ACCEPTicmp--**0.0.0.0/00.0.0.0/0icmptype8limit:avg1/secburst5
00ACCEPTicmp--**0.0.0.0/00.0.0.0/0
[root@localhost


部分规则解释说明:

摘自:http://www.cnblogs.com/alwu007/p/6693822.html

[root@localhost ~]# systemctl enable iptables.service

编辑并修改配置文件/etc/sysconfig/iptables,使用下面的配置

*filter
:INPUTACCEPT[0:0]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[0:0]
:TEST-[0:0]
-AINPUT-jTEST
-AINPUT-mstate--stateRELATED,ESTABLISHED-jACCEPT
-AINPUT-picmp-jACCEPT
-AINPUT-ilo-jACCEPT
-AINPUT-ptcp-ieth1-d192.168.1.100--syn-mrecent--namesuduip--rcheck--seconds1--hitcount15-jDROP
-AINPUT-ptcp-ieth1-d192.168.1.100--syn-mrecent--namesuduip--set
-AINPUT-ieth1-ptcp-mtcp-d192.168.1.100--syn-mconnlimit--connlimit-above50--connlimit-mask32--connlimit-saddr-jDROP
#-AINPUT-ptcp-mtcp--tcp-flagsFIN,SYN,RST,PSH,ACK,URGSYN-mlength--length0:128-jACCEPT
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-jACCEPT
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport80-jACCEPT
......
-AINPUT-jDROP
-AINPUT-jREJECT--reject-withicmp-host-prohibited
-AFORWARD-jTEST
-AFORWARD-jREJECT--reject-withicmp-host-prohibited
-AOUTPUT-jTEST
-ATEST-jRETURN
COMMIT

1.检查替换eth1;2.检查替换-d ip;3.若是centos6.8,检查iptables版本是v1.4.7还是v1.4.21,前者不支持�Cconnlimit-saddr选项,去掉即可。下面,我简单解释一下这个配置


#filter表
*filter
#INPUT链默认策略为ACCEPT
:INPUTACCEPT[0:0]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[0:0]
#自定义TEST链
:TEST-[0:0]
#进入TEST链(从后面配置看,TEST链只是RETURN了回来,没有其他规则)
-AINPUT-jTEST
#接受连接状态是RELATED和ESTABLISHED的包
-AINPUT-mstate--stateRELATED,ESTABLISHED-jACCEPT
#接受ICMP协议的包
-AINPUT-picmp-jACCEPT
#接受回环接口的包
-AINPUT-ilo-jACCEPT
#同一源IP1秒内最多可发起14次目的地址是192.168.1.100的TCP连接请求,15次及以上的包将被接口eth1丢弃
#为什么同时指定-i和-d?猜测:路由器里的路由表可能人为或未及时更新导致路由表映射错误,导致发到接口eth1的包的目的IP错误。为了防止此类包,则需同时指定-i和-d
-AINPUT-ptcp-ieth1-d192.168.1.100--syn-mrecent--namesuduip--rcheck--seconds1--hitcount15-jDROP
-AINPUT-ptcp-ieth1-d192.168.1.100--syn-mrecent--namesuduip--set
#同一源IP只允许50个目的地址是192.168.1.100的TCP连接请求,超出的包将被接口eth1丢弃
-AINPUT-ieth1-ptcp-mtcp-d192.168.1.100--syn-mconnlimit--connlimit-above50--connlimit-mask32--connlimit-saddr-jDROP
#此条规则有问题(猜测,可能是--length129-jDROP)
#-AINPUT-ptcp-mtcp--tcp-flagsFIN,URGSYN-mlength--length0:128-jACCEPT
#下面这些规则对TCP连接请求包开放部分端口
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-jACCEPT
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport80-jACCEPT
......
#丢弃所有包
-AINPUT-jDROP
#上一条规则已经丢弃了所有包,此条规则貌似到不了
-AINPUT-jREJECT--reject-withicmp-host-prohibited
-AFORWARD-jTEST
-AFORWARD-jREJECT--reject-withicmp-host-prohibited
-AOUTPUT-jTEST
-ATEST-jRETURN
COMMIT

重启iptables

[root@localhost~]#systemctlrestartiptables.service

查看防火墙规则是否已应用

[root@localhost~]#iptables-L-nv

猜你在找的CentOS相关文章