Kernel: netfilter
2. The four tables
- raw: decide whether a packet is connection-tracked at all (NOTRACK)
- mangle: mark packets or alter header fields
- nat: network address translation
- filter: packet filtering
3. The five chains
- PREROUTING: before the routing decision
- INPUT: packets addressed to the local host
- FORWARD: packets passing through the host
- OUTPUT: packets generated by the local host
- POSTROUTING: after the routing decision
Rules in a chain are evaluated top to bottom. The first rule whose match succeeds and whose target is terminating (ACCEPT, DROP, REJECT, SNAT, DNAT) decides the packet, so order matters; a packet that matches no rule gets the chain's default policy.
4. Match conditions
Protocol:
-p tcp
-p udp
-p icmp (ping uses ICMP echo, but ICMP also carries other control messages such as destination-unreachable and time-exceeded, so this matches more than ping)
Ports: a port match is only valid together with -p tcp or -p udp
--dport destination port
--sport source port
Port range:
--sport port1:port2
--dport port1:port2
Target: -j target
ACCEPT: let the packet through
DROP: discard silently, no response of any kind
REJECT: discard and send an error back (by default an ICMP port-unreachable; --reject-with tcp-reset gives a TCP RST instead)
LOG: write a kernel log entry, then continue with the next rule (LOG is non-terminating)
SNAT: rewrite the source address (nat table, POSTROUTING)
DNAT: rewrite the destination address (nat table, PREROUTING or OUTPUT)
REDIRECT: a DNAT to a port on the local host (nat table, PREROUTING or OUTPUT)
Listing rules
-L: list the rules of a chain (all chains of the table if none is given)
-n: show addresses and ports numerically, without DNS or /etc/services lookups (faster, and avoids emitting DNS queries for every logged address)
-v: verbose output, including per-rule packet and byte counters and interfaces
--line-numbers: show each rule's position in its chain
SNAT
Rewrite the source IP of packets from the LAN as they leave (POSTROUTING, after routing):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 202.106.18.8
DNAT
Rewrite the destination IP of packets arriving for the public address (PREROUTING, before routing). The match is on the packet's destination, -d, not on its source:
iptables -t nat -A PREROUTING -d 202.106.18.8 -j DNAT --to-destination 192.168.1.8
Both require net.ipv4.ip_forward=1, and the translated traffic must still be accepted by the filter table's FORWARD chain: NAT rewrites addresses, it does not grant permission.
II. Installation and commands
1. Installation
# Install on CentOS 7
[root@node ~]# yum install iptables iptables-services iptables-devel -y
# Start iptables
[root@node ~]# systemctl start iptables
# Check the service status
[root@nod ~]# systemctl status iptables
# Stop firewalld: it and iptables-services both manage the same kernel tables and must not run side by side
[root@nod ~]# systemctl stop firewalld
Rules added with the iptables command live only in the running kernel and are lost at reboot; with iptables-services, "service iptables save" writes them to /etc/sysconfig/iptables, which "systemctl start iptables" reloads.
2. Commands
# 1. Command format; the default table is filter
iptables -t <table> <command> <chain> <match rules> -j <target>
# Notes:
(1) Without -t the filter table is used
(2) For -L, -F and -Z, leaving out the chain name applies the command to every chain of the table; -A, -I, -D and -R always need a chain
(3) Unless you are setting a chain's default policy (-P), a rule needs a match condition
(4) Commands (-A, -I, -D ...), built-in chain names and target names are upper case; everything else is lower case
# 2. -F: flush (delete) all rules of a chain, or of every chain in the table if no chain is given. -F does not reset the chain policies, so flushing a chain whose policy is DROP leaves the host closed
[root@nod ~]# iptables -F
# 3. List the table; the default table is filter
[root@nod ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# 4. -A: append a rule at the end of the chain
[root@nod ~]# iptables -t filter -A INPUT -p icmp -s 192.168.0.100 -j REJECT
[root@nod ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(The same rule appears twice, which is what happens when an identical -A is issued twice: -A never checks for duplicates. Run iptables -C <chain> <rule> first; it exits 0 when an identical rule already exists and non-zero otherwise.)
# 5. -I: insert a rule at the head of the chain (or at a given position)
[root@nod ~]# iptables -I INPUT -p tcp -s master --dport 8083 -j REJECT
[root@nod ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8083 reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
("master" is a hostname; it is resolved once, when the rule is inserted, and the rule stores the resulting address 192.168.1.100, not the name.)
# 6. Insert a rule at position 3
[root@nod ~]# iptables -I INPUT 3 -p tcp -s master --dport 8081 -j REJECT
[root@nod ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8083 reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8081 reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# 7. -R: replace the rule at a given position (here rule 3, changing the port from 8081 to 8082)
[root@nod ~]# iptables -R INPUT 3 -p tcp -s master --dport 8082 -j REJECT
[root@nod ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8083 reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8082 reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# 8. -D: delete one rule from a chain, by position or by repeating its content
[root@nod ~]# iptables -D INPUT -p tcp -s master --dport 8082 -j REJECT
[root@nod ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8083 reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# 9. List rules with their positions
[root@nod ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8083 reject-with icmp-port-unreachable
2    REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
3    REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# 10. Delete a rule by position (the rules after it move up by one, so re-list before deleting another by number)
[root@nod ~]# iptables -D INPUT 2
[root@nod ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:8083 reject-with icmp-port-unreachable
2    REJECT     icmp --  192.168.0.100        0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# 11. -S: print the rules as iptables-save style commands, i.e. exactly what you would type to recreate them (iptables -S INPUT for a single chain)
[root@nod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.1.100/32 -p tcp -m tcp --dport 8083 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.0.100/32 -p icmp -j REJECT --reject-with icmp-port-unreachable
# 12. Other commands
(1) -P: set the default policy of a chain
iptables -P chain target
[root@nod ~]# iptables -t filter -P INPUT DROP
[root@nod ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
(The ACCEPT rules for ports 22 and 80 shown here were in place before the policy was changed. Always add the ACCEPT for your management access, normally SSH on port 22, and for established connections before switching INPUT to DROP; otherwise a remote session locks itself out the moment the policy changes.)
(2) Create a user-defined chain
iptables -N chain
(3) Rename a chain
iptables -E old-chain new-chain
(4) Delete a user-defined chain (it must be empty and not referenced by any rule; with no argument every user-defined chain in the table is deleted)
iptables -X [chain]
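The two points a practitioner trips over in the material above are that -A silently appends duplicates and that -P INPUT DROP locks you out if the ACCEPT rules are not already in place, while the SNAT/DNAT section leaves out the FORWARD rules and the -d match the DNAT needs. The following POSIX sh script is an added example, not code from the original notes: it wraps -C/-A/-P in an idempotent helper and applies a default-deny filter policy, the SNAT gateway and a DNAT port publication from the notes in a lockout-safe order. It assumes iptables 1.4.21 or later (CentOS 7 ships it), the conntrack match module, and root; IPTABLES and SYSCTL are overridable so it can be dry-run without touching the kernel. The function names, the "INPUT-DROP: " log prefix and the rate limit are my choices.

```shell
#!/bin/sh
# Added example (not from the original notes): idempotent, lockout-safe helpers
# around the iptables commands discussed above.
# Assumed: POSIX sh, iptables >= 1.4.21 (-C available), conntrack match, root.
# Dry run without touching the kernel:  IPTABLES=echo SYSCTL=true sh rules.sh apply
IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# ensure_rule [-t TABLE] CHAIN MATCH... -j TARGET
# -A never deduplicates, so probe with -C first and append only when absent.
ensure_rule() {
    table=filter
    if [ "$1" = "-t" ]; then
        table=$2
        shift 2
    fi
    chain=$1
    shift
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                       # identical rule already present
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# baseline_filter SSH_SOURCE_CIDR
# Default-deny INPUT. Every ACCEPT is installed before the policy flips to
# DROP, so an SSH session survives even if the script dies halfway through.
baseline_filter() {
    ssh_from=$1
    ensure_rule INPUT -i lo -j ACCEPT
    ensure_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule INPUT -m conntrack --ctstate INVALID -j DROP
    ensure_rule INPUT -p tcp -s "$ssh_from" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # LOG is non-terminating: the packet continues to the chain policy (DROP).
    ensure_rule INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
    "$IPTABLES" -P INPUT DROP
}

# nat_gateway LAN_CIDR PUBLIC_IP
# SNAT in nat/POSTROUTING plus the filter/FORWARD rules the forwarded flows
# still need: NAT rewrites addresses, it does not grant permission.
nat_gateway() {
    lan=$1
    public_ip=$2
    "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null
    ensure_rule FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule FORWARD -s "$lan" -j ACCEPT
    "$IPTABLES" -P FORWARD DROP
    ensure_rule -t nat POSTROUTING -s "$lan" -j SNAT --to-source "$public_ip"
}

# publish_port PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# DNAT in nat/PREROUTING matches the packet's destination (-d), and the
# rewritten flow must also be allowed through FORWARD.
publish_port() {
    ensure_rule -t nat PREROUTING -d "$1" -p tcp --dport "$2" -j DNAT --to-destination "$3:$4"
    ensure_rule FORWARD -d "$3" -p tcp --dport "$4" -m conntrack --ctstate NEW -j ACCEPT
}

# Example run using the addresses from the notes above (hypothetical network).
if [ "${1:-}" = "apply" ]; then
    baseline_filter 192.168.1.0/24
    nat_gateway 192.168.1.0/24 202.106.18.8
    publish_port 202.106.18.8 80 192.168.1.8 80
fi
```

Running the script twice leaves the rule set unchanged, which is what makes it safe to put in a boot script or a configuration-management run; after it has been applied, "iptables -S" and "iptables -t nat -S" show exactly the commands the helpers issued, and "service iptables save" persists them.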



