CentOS 7.3 默认使用的防火墙应该是 firewalld,而不是 iptables。如果想在服务器上使用 iptables 防火墙,在配置防火墙之前,需要先关闭 firewalld,再安装 iptables 服务。
当前环境:
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@localhost ~]# uname -r
3.10.0-514.el7.x86_64
[root@localhost ~]#
查看firewall状态:
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@localhost ~]#
如果要关闭firewall防火墙,则执行
[root@localhost ~]# systemctl stop firewalld
如果要设置开机不启动,则执行
[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]#
接下来安装iptables服务
[root@localhost ~]# yum -y install iptables-services
查看iptables状态,执行
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost ~]#
设置开机启动
[root@localhost ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost ~]#
启动iptables服务
[root@localhost ~]# systemctl start iptables.service
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2017-08-15 22:27:23 EDT; 1s ago
  Process: 2243 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 2243 (code=exited, status=0/SUCCESS)

Aug 15 22:27:23 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Aug 15 22:27:23 localhost.localdomain iptables.init[2243]: iptables: Applying firewall rules: [ OK ]
Aug 15 22:27:23 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
[root@localhost ~]#
查看iptables默认访问规则
[root@localhost ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   45  3348 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    9   702 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 36 packets, 4064 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]#
查看iptables配置文件的默认规则设置:
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@localhost ~]#
常用iptables配置范例(注意:下面规则中 -s 192.168.112.0/32 和 -s 10.0.10.0/32 的掩码是 /32,只匹配 .0 这一个地址,并不会放行整个网段;如果本意是放行整个网段,应改用对应的网段掩码,例如 /24):
[root@localhost ~]# iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ping       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW
   39  3016 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.112.0        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       10.0.10.0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:843
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8001
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8002
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10050
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10051

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31 packets, 2884 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ping (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
[root@localhost ~]#
此时如果想保存当前配置到某个文件(这里用access.txt),可以使用iptables-save命令(注意下面输出的 raw、security、mangle 表里仍保留着 firewalld 留下的 *_direct、PRE_public 等链,这些也会一起被保存下来):
[root@localhost ~]# iptables-save > access.txt
[root@localhost ~]# cat access.txt
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*nat
:PREROUTING ACCEPT [9:702]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [5:380]
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*raw
:PREROUTING ACCEPT [96:7170]
:OUTPUT ACCEPT [66:8472]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*security
:INPUT ACCEPT [87:6468]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:8472]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*mangle
:PREROUTING ACCEPT [96:7170]
:INPUT ACCEPT [96:7170]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:8472]
:POSTROUTING ACCEPT [66:8472]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*filter
:INPUT DROP [9:702]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:8472]
:ping - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ping
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.112.0/32 -j ACCEPT
-A INPUT -s 10.0.10.0/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 843 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10051 -j ACCEPT
-A ping -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A ping -p icmp -j ACCEPT
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
[root@localhost ~]#
如果不小心把配置全部清理了,这时可以用 iptables-restore 命令重新将配置导入:
[root@localhost~]#iptables-L-nv ChainINPUT(policyACCEPT0packets,0bytes) pktsbytestargetprotoptinoutsourcedestination ChainFORWARD(policyACCEPT0packets,0by pktsbytestargetprotoptinoutsourcedestination ChainOUTPUT(policyACCEPT0packets,0by pktsbytestargetprotoptinoutsourcedestination [root@localhost~]#iptables-restoreaccess. [root@localhost~]#iptables-L ChainINPUT(policyDROP0packets,0by pktsbytestargetprotoptinoutsourcedestination 00pingicmp--**0.0.0.0/00.0.0.0/0icmptype8stateNEW 5356ACCEPTall--**0.0.0.0/00.0.0.0/0ctstateRELATED,0by pktsbytestargetprotoptinoutsourcedestination ChainOUTPUT(policyACCEPT4packets,416by pktsbytestargetprotoptinoutsourcedestination Chainping(1referen pktsbytestargetprotoptinoutsourcedestination 00ACCEPTicmp--**0.0.0.0/00.0.0.0/0icmptype8limit:avg1/secburst5 00ACCEPTicmp--**0.0.0.0/00.0.0.0/0 [root@localhost
部分规则解释说明:
摘自:http://www.cnblogs.com/alwu007/p/6693822.html
[root@localhost ~]# systemctl enable iptables.service
编辑并修改配置文件/etc/sysconfig/iptables,使用下面的配置
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TEST - [0:0]
-A INPUT -j TEST
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --rcheck --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --set
-A INPUT -i eth1 -p tcp -m tcp -d 192.168.1.100 --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 --connlimit-saddr -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m length --length 0:128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
......
-A INPUT -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j TEST
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j TEST
-A TEST -j RETURN
COMMIT
1. 检查并替换 eth1;2. 检查并替换 -d 后面的 IP;3. 若是 CentOS 6.8,检查 iptables 版本是 v1.4.7 还是 v1.4.21,前者不支持 --connlimit-saddr 选项,去掉即可。下面,我简单解释一下这个配置
# filter表
*filter
# INPUT链默认策略为ACCEPT
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 自定义TEST链
:TEST - [0:0]
# 进入TEST链(从后面配置看,TEST链只是RETURN了回来,没有其他规则)
-A INPUT -j TEST
# 接受连接状态是RELATED和ESTABLISHED的包
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 接受ICMP协议的包
-A INPUT -p icmp -j ACCEPT
# 接受回环接口的包
-A INPUT -i lo -j ACCEPT
# 同一源IP 1秒内最多可发起14次目的地址是192.168.1.100的TCP连接请求,15次及以上的包将被接口eth1丢弃
# 为什么同时指定-i和-d?猜测:路由器里的路由表可能人为或未及时更新导致路由表映射错误,导致发到接口eth1的包的目的IP错误。为了防止此类包,则需同时指定-i和-d
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --rcheck --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --set
# 同一源IP只允许50个目的地址是192.168.1.100的TCP连接请求,超出的包将被接口eth1丢弃
-A INPUT -i eth1 -p tcp -m tcp -d 192.168.1.100 --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 --connlimit-saddr -j DROP
# 此条规则有问题(猜测,可能是 --length 129 -j DROP)
#-A INPUT -p tcp -m tcp --tcp-flags FIN,URG SYN -m length --length 0:128 -j ACCEPT
# 下面这些规则对TCP连接请求包开放部分端口
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
......
# 丢弃所有包
-A INPUT -j DROP
# 上一条规则已经丢弃了所有包,此条规则貌似到不了
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j TEST
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j TEST
-A TEST -j RETURN
COMMIT
重启iptables
[root@localhost ~]# systemctl restart iptables.service
查看防火墙规则是否已应用
[root@localhost ~]# iptables -L -nv