实验环境:
KVM 虚拟机 centos6.7
test1:192.168.124.87 test2:192.168.124.94
场景一:
要求:1.对所有地址开放本机的tcp(80、22、10-21)端口的访问。
2.对所有主机开放本机的基于ICMP协议的数据包访问
3.其他未被访问 的端口禁止访问
答:2表达的意思是禁止ping
步骤:
(1)查看iptables 版本
[root@test1 ~]# iptables -v iptables v1.4.7: no command specified
(2)查看test1机器的端口开放情况
[root@test1 ~]# netstat -luntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1141/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1220/master tcp 0 0 :::22 :::* LISTEN 1141/sshd tcp 0 0 ::1:25 :::* LISTEN 1220/master udp 0 0 0.0.0.0:68 0.0.0.0:* 1368/dhclient
(3)查看iptables之前设置的规则
[root@test1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
加n表示源地址和目的地址用数字的形式表示
(4)清除之前设置过的规则
[root@test1 ~]# iptables -F [root@test1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
(5)设置好开放的端口
[root@test1 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT [root@test1 ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT [root@test1 ~]# iptables -I INPUT -p tcp --dport 10:21 -j ACCEPT [root@test1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:10:21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
-I 插入规则 -p 指定协议 --dport 目的端口 -j 制定动作
(6)允许icmp访问
iptables -I INPUT -p icmp -j ACCEPT
[root@test1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:10:21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
(7)设置拒绝规则
iptables -A INPUT -j REJECT
root@test1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:10:21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
bingo,至此结束。。。
如果想要删除某条规则:
[root@test1 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
-D 表示删除
拓展一下,设置一下,不允许其他机器ping本机
(1)设置规则
[root@test1 ~]# iptables -I INPUT -p icmp -j REJECT [root@test1 ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
(2)另外一台机子测试
[root@test2 ~]# ping 192.168.124.87 PING 192.168.124.87 (192.168.124.87) 56(84) bytes of data. From 192.168.124.87 icmp_seq=1 Destination Port Unreachable From 192.168.124.87 icmp_seq=2 Destination Port Unreachable From 192.168.124.87 icmp_seq=3 Destination Port Unreachable From 192.168.124.87 icmp_seq=4 Destination Port Unreachable From 192.168.124.87 icmp_seq=5 Destination Port Unreachable