• Editing iptables rules


    https://fedoraproject.org/wiki/How_to_edit_iptables_rules?rd=User_talk:Rforlot

    Listing Rules

    Current running iptables Rules can be viewed with the command

    iptables -L

    Note: numeric port values
    The list of Rules with the -L command option shows ports by their service name (as in /etc/services) rather than by port number, and resolves addresses to host names. To see the numbers instead, include the -n argument:
    iptables -L -n
    Note: viewing counters
    Rules listed with the -L command option do not include match counters. To include packet and byte counters, together with the input/output interface columns, include the -v argument:
    iptables -L -v

    Example of iptables Rules allowing any connections already established or related, icmp requests, all local traffic, and ssh communication:

    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Note that Rules in a chain are evaluated in order of appearance, and evaluation ends at the first matching Rule whose target is terminating (ACCEPT, DROP, REJECT); a Rule with a non-terminating target such as LOG is applied and evaluation continues. A packet that matches no Rule gets the chain's policy. Therefore, for example, if a Rule rejecting ssh connections is created, and afterward another Rule is specified allowing ssh, the Rule to reject is applied and the later Rule to accept the ssh connection is never reached.

    Appending Rules

    The following adds a Rule at the end of the specified chain of iptables:

    [root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Notice the last line in chain INPUT. There are now five Rules in that chain.

    Deleting Rules

    A Rule can be deleted either by its position in the chain or by giving -D the same specification that was used to create it. Positions are counted from 1 and can be displayed with iptables -L --line-numbers; they shift whenever a Rule before them is inserted or deleted, so list first. The following example deletes, by position, the Rule appended above, which is currently fifth:

    [root@server ~]# iptables -D INPUT 5
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Inserting Rules

    Create a Rule at the top (first) position:

    [root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    The number after the chain name is the position the new Rule takes; the Rule currently at that position, and every Rule after it, moves down by one. So, for example, to insert a Rule before the current third Rule, specify the number 3; that existing Rule is then in the fourth position. Omitting the number is the same as specifying 1.

    Replacing Rules

    Rules may be specified to replace existing Rules in the chain. The -R option replaces the Rule at the given position in place; the other Rules keep their positions.

    In the example shown previously, the first Rule given allows connections to the http port (port 80) from anywhere. The following replaces this Rule, restricting connections to the standard http port (port 80) only from the network address range 192.168.0.0/24:

    [root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Flushing Rules

    To flush (clear) the Rules of a chain, use the -F (--flush) option:

    iptables -F <chain>

    Specifying a <chain> is optional; without a chain, every chain in the table (filter, unless -t selects another) is flushed. Flushing removes Rules only; it does not change the chain policy.

    Example to flush Rules in the OUTPUT chain:

    [root@server ~]# iptables -F OUTPUT

    Caution: default chain policy
    Be aware of the default chain policy. If the INPUT policy is DROP and the Rules are flushed, all incoming traffic is dropped, including the packets of the ssh session you are flushing from, and network communication is broken. On a remote host, set the policy back to ACCEPT with -P before flushing, or load the replacement ruleset in one step with iptables-restore instead of flushing first.

    Making changes persistent

    Changes made to iptables Rules with CLI commands are lost upon system reboot. iptables, however, comes with two utilities for saving and reloading a complete ruleset: iptables-save and iptables-restore.

    • iptables-save prints a dump of current iptables rules to stdout. These may be redirected to a file:
    [root@server ~]# iptables-save > iptables.dump 
    [root@server ~]# cat iptables.dump 
    # Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011
    *filter
    :INPUT DROP [45:2307]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1571:4260654]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    COMMIT
    # Completed on Wed Dec  7 20:10:49 2011
    • iptables-restore : restore a dump of rules made by iptables-save. Each table listed in the dump is flushed and reloaded in one operation (unless --noflush is given), so there is no window with a half-applied ruleset:
    [root@server ~]# iptables-restore < iptables.dump 
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    On Fedora the iptables service (the iptables-services package on current releases, where firewalld is the default firewall and must be disabled if you manage rules by hand) restores a saved ruleset from a file when it starts. Whether the running Rules are written back to that file when the service stops depends on the IPTABLES_SAVE_ON_STOP setting in /etc/sysconfig/iptables-config; to save them explicitly, redirect the output of iptables-save into the file. The affected files are:

    • /etc/sysconfig/iptables
      for IPv4
    • /etc/sysconfig/ip6tables
      for IPv6

    If preferred, these files may be edited directly and the iptables service restarted to commit the changes. The format is that of iptables-save, i.e. the arguments of the iptables CLI commands:

    # Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011
    *filter
    :INPUT DROP [157:36334]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [48876:76493439]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    COMMIT
    # Completed on Wed Dec  7 20:22:39 2011

    Line by line:

    • *filter : the table that the following lines belong to; a file may contain several table sections (for example *nat).
    • :INPUT DROP [157:36334] : one of the three built-in chains of the filter table, followed by its policy. The numbers in brackets are [<packet-counter>:<byte-counter>] and are for debugging/information only; leave them at their current value (or write [0:0]).
    • -A INPUT ... -j ACCEPT : a Rule, written as the arguments of the corresponding iptables command, without the word iptables itself.
    • COMMIT : required at the end of each table definition; commits the Rules of that table.
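    The rule-ordering trap described earlier (a reject placed before an accept), the policy-DROP-then-flush lockout, and the iptables-save file format come together in the following Python script, an added example that is not part of the Fedora wiki page or this blog post. It parses the save format shown above (only the options that appear on this page are modelled; "!" negation and overlapping address ranges are not), reports Rules that can never match because an earlier terminating Rule already covers their packets, and reports rulesets that would cut off a remote administrator. The two rulesets embedded in it are constructed: the first is the page's dump with one extra REJECT line, the second is what a flush with policy DROP leaves behind.

```python
"""Offline checks over an iptables-save style ruleset: rule order (shadowing)
and lock-out risk. Added example, not the Fedora wiki's or the blog's code; it
covers the subset of the save syntax the page shows (-A, -p/-s/-d/-i/-o,
-m <module>, --state/--ctstate, --dport/--sport, -j)."""
import shlex
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # evaluation stops here

@dataclass
class Rule:
    chain: str
    target: str
    match: frozenset  # selector pairs, e.g. {("-p", "tcp"), ("--dport", "22")}
    text: str

@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain -> policy
    rules: list = field(default_factory=list)

def parse_save(dump):
    """Parse iptables-save output into {table_name: Table}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # *filter: a table begins
            current = tables.setdefault(line[1:], Table())
        elif line.startswith(":"):                  # :INPUT DROP [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A "):
            toks = shlex.split(line)
            target = toks[toks.index("-j") + 1] if "-j" in toks else None
            pairs, i = set(), 2
            while i < len(toks) and toks[i] != "-j":  # target options are not selectors
                if toks[i] == "-m":                     # a module name alone selects nothing
                    i += 2
                elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    pairs.add((toks[i], toks[i + 1]))
                    i += 2
                else:                                   # bare flag such as "!"
                    pairs.add((toks[i], ""))
                    i += 1
            current.rules.append(Rule(toks[1], target, frozenset(pairs), line))
    return tables

def shadowed_rules(table):
    """(rule, earlier) pairs where `rule` can never match: `earlier` sits before it
    in the same chain, terminates evaluation and has a subset of its selectors, so
    it already consumes every packet `rule` could see. Exact for plain conjunctive
    selectors only; overlapping CIDRs and "!" negation are not modelled."""
    found = []
    for chain in dict.fromkeys(r.chain for r in table.rules):
        seen = []
        for rule in (r for r in table.rules if r.chain == chain):
            for earlier in seen:
                if earlier.target in TERMINATING and earlier.match <= rule.match:
                    found.append((rule, earlier))
                    break
            seen.append(rule)
    return found

def lockout_risks(table, admin_port="22"):
    """Why loading this filter table on a remote host would cut the admin off (the
    policy-DROP-then-flush trap). Shadowed rules do not count; an ACCEPT with no
    selectors is treated as a catch-all."""
    if table.policies.get("INPUT") != "DROP":
        return []
    dead = {id(r) for r, _ in shadowed_rules(table)}
    live = [r for r in table.rules
            if r.chain == "INPUT" and r.target == "ACCEPT" and id(r) not in dead]
    risks = []
    if not any(o in ("--state", "--ctstate") and "ESTABLISHED" in v
               for r in live for o, v in r.match):
        risks.append("INPUT policy DROP with no ESTABLISHED/RELATED ACCEPT: existing sessions die")
    if not any(not r.match or ("--dport", admin_port) in r.match for r in live):
        risks.append(f"INPUT policy DROP with no reachable ACCEPT for tcp/{admin_port}: no new logins")
    return risks

def report(dump):
    """Both checks on the filter table of a dump: (shadowed rule texts, risks)."""
    table = parse_save(dump)["filter"]
    return [r.text for r, _ in shadowed_rules(table)], lockout_risks(table)

# Constructed sample: the page's dump plus one REJECT for tcp/22 placed before
# the ssh ACCEPT, the ordering mistake the text warns about.
SAMPLE = """\
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed sample: what `iptables -F` leaves when policy DROP stays in place.
FLUSHED = "*filter\n:INPUT DROP [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
```

    To check a live host, feed the output of iptables-save to report(); to check a file before loading it, read /etc/sysconfig/iptables. Either way, when changing rules on a remote host, keep a scheduled restore of the previous dump running, for example `iptables-save > before; (sleep 120; iptables-restore < before) &`, and kill it only once you have confirmed that a new ssh session still gets through.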

    If needed, to reset packet and byte counters, use -Z (--zero):

    iptables -Z [<chain> [<rule_number>]]

    Both arguments are optional: with no chain, the counters of every chain in the table are zeroed; with a chain and a rule number, only that single Rule's counters are reset. This is useful when you want to know how many packets a specific Rule has matched since a given moment; -Z may be combined with -L -v to display the counters just before they are cleared.

  • Original source: https://www.cnblogs.com/wucg/p/3333588.html