获取帮助:
centos 6 :man iptables
centos 7: man iptables-extensions
扩展匹配:
隐式扩展:当使用 -p 指定某一协议之后,该协议自身所支持的匹配选项就叫做隐式扩展。用 -p [tcp|udp|icmp] 指定协议后,iptables 会自动加载对应协议的匹配模块,因此可以省略 -m 选项。
-p tcp --dport PORT[:PORT] :目标端口匹配(用冒号表示连续端口范围) --sport PORT[:PORT] :源端口 --tcp-flags MASK COMP :检查 MASK 中列出的标志位,要求其中只有 COMP 里的位被置位,标志位有 SYN,ACK,FIN,RST,PSH,URG --syn :等价于 --tcp-flags SYN,ACK,FIN,RST SYN,即只匹配 SYN 置位而 ACK/RST/FIN 清零的报文,也就是新建连接的第一个请求 -p udp --dport --sport -p icmp --icmp-type 0: echo-reply 8: echo-request #只允许本机 ping 别人(放行进入的应答报文),不响应别人发来的 ping 请求;注意 OUTPUT 链若为 DROP 策略,还需要放行本机发出的 type 8 请求报文 iptables -I INPUT -d 192.168.100.230 -p icmp --icmp-type 0 -j ACCEPT
[root@nginx etc]# iptables -I INPUT -d 10.2.61.22 -p tcp --dport 22 -j ACCEPT [root@nginx etc]# [root@nginx etc]# iptables -I OUTPUT -s 10.2.61.22 -p tcp --sport 22 -j ACCEPT [root@nginx etc]# iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 158 12612 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:22 1153 83636 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 9 700 ACCEPT all -- ens192 * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 18 1688 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22 895 90672 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 13 1004 ACCEPT all -- * ens192 0.0.0.0/0 0.0.0.0/0 [root@nginx etc]# iptables -I INPUT -d 10.2.61.22 -p tcp --dport 22:8080 -j ACCEPT #端口范围:22:8080 表示从 22 到 8080 的全部连续端口(共 8059 个),而不是"多个"离散端口;只想放行几个指定端口时应使用 -m multiport --dports。另外上面 OUTPUT 链的 --sport 22 规则只按源端口放行,并不检查报文是否属于已建立的连接,更严格的写法是配合 -m state --state ESTABLISHED
[root@nginx etc]# iptables -A INPUT -d 10.2.61.22 -p icmp --icmp-type 0 -j ACCEPT #INPUT 允许应答报文 ,只能自己ping 别人,不响应ping [root@nginx etc]# iptables -A OUTPUT -s 10.2.61.22 -p icmp --icmp-type 8 -j ACCEPT #OUTPUT 允许请求报文
显式扩展:必须通过 -m 明确指定要加载的匹配模块
-m
1.multiport 扩展
1.multiport 扩展 以离散方式定义多端口匹配,最多 15 个端口(一个 port:port 范围按两个端口计算) [!] --source-ports,--sports port[,port|,port:port]...#指明多个源端口 [!] --destination-ports,--dports port[,port|,port:port]...#指明多个目标端口 [!] --ports port[,port|,port:port]... #同时匹配源和目的端口 例子: 同时放行 22,80 端口 iptables -I INPUT -s 192.168.0.0/16 -d 192.168.100.230 -p tcp -m multiport --dports 80,22 -j ACCEPT
[root@nginx /]# iptables -I INPUT -d 10.2.61.22 -p tcp -m multiport --dports 22,80 -j ACCEPT [root@nginx /]# iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 10.2.61.22 multiport dports 22,80
[root@nginx /]# iptables -I OUTPUT -s 10.2.61.22 -p tcp -m multiport --sports 22,80 -j ACCEPT [root@nginx /]# iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 446 38871 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 22,80 2341 192K ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpts:22:8080 732 57576 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:22 0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4 544 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 22,80 2499 463K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22 0 0 ACCEPT icmp -- * * 10.2.61.22 0.0.0.0/0 icmptype 8 [root@nginx /]#
2.iprange 扩展
2.iprange 扩展 指明任意连续的 IP 地址范围,起止地址不必对齐到子网边界;如果范围刚好就是一个完整网段,直接用 -s/-d 加 CIDR 更简单 [!] --src-range from[-to] #连续的源地址范围 [!] --dst-range from[-to] #连续的目的地址范围 iptables -I INPUT -d 192.168.100.230 -p tcp -m multiport --dports 22:23,25,80 -m iprange --src-range 192.168.100.2-192.168.100.199 -j ACCEPT iptables -I OUTPUT -s 192.168.100.230 -p tcp -m multiport --sports 22:23,25,80 -m iprange --dst-range 192.168.100.2-192.168.100.199 -j ACCEPT
[root@nginx ~]# iptables -I INPUT -d 10.2.61.22 -p tcp -m multiport --dports 8080,8090 -m iprange --src-range 10.2.61.1-10.2.61.100 -j ACCEPT #地址范围在同一个 C 段内
[root@nginx ~]# iptables -I OUTPUT -s 10.2.61.22 -p tcp -m multiport --sports 8080,8090 -m iprange --dst-range 10.2.61.1-10.2.61.100 -j ACCEPT
3.string 扩展
3.string 扩展 检查报文载荷中出现的字符串 --algo {bm|kmp} bm = Boyer-Moore, kmp = Knuth-Morris-Pratt --from offset #从报文的第几个字节开始查找 --to offset #查找到第几个字节为止 [!] --string pattern 注意:该模块只逐个报文匹配,不会重组 TCP 流,跨报文分段的字符串匹配不到;只能看到明文,对 TLS 等加密流量无效,攻击者也很容易改写字符串绕过,因此只适合做辅助的审计或日志,不能作为主要的访问控制手段。用 -j LOG 记录时建议配合 -m limit,避免日志被刷满 iptables -I OUTPUT -m string --algo bm --string 'test' -j LOG iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG iptables -I OUTPUT -s 192.168.100.150 -m string --algo bm --string 'test' -j REJECT
[root@nginx ~]# iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /' -j LOG
[root@nginx ~]# tail -f /var/log/messages Feb 19 02:50:54 nginx systemd-logind: New session 1882 of user root. Feb 19 02:50:54 nginx systemd: Starting Session 1882 of user root. Feb 19 03:01:01 nginx systemd: Started Session 1883 of user root. Feb 19 03:01:01 nginx systemd: Starting Session 1883 of user root. Feb 19 03:24:42 nginx systemd-logind: Removed session 1882. Feb 19 03:24:58 nginx systemd: Started Session 1884 of user root. Feb 19 03:24:58 nginx systemd-logind: New session 1884 of user root. Feb 19 03:24:58 nginx systemd: Starting Session 1884 of user root. Feb 19 03:53:52 nginx kernel: IN=ens192 OUT= MAC=00:0c:29:a9:72:71:00:0c:29:73:98:2f:08:00 SRC=10.2.61.21 DST=10.2.61.22 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=59396 DF PROTO=TCP SPT=36804 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 Feb 19 03:56:36 nginx kernel: IN=ens192 OUT= MAC=00:0c:29:a9:72:71:00:0c:29:73:98:2f:08:00 SRC=10.2.61.21 DST=10.2.61.22 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=7382 DF PROTO=TCP SPT=36806 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
4.time 扩展 :定时执行策略
4.time 扩展 :定时执行策略
-m time --weekdays Sa,Su -m time --datestart 2007-12-24 --datestop 2007-12-27 -m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59 -m time --timestart 12:30 --timestop 13:30 -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28 -m time --weekdays Mo --timestart 23:00 --timestop 01:00
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] #起始日期 --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] #结束日期 注意:time 模块默认按 UTC 时间比较(iptables -L 输出里会显示 "UTC"),与本机时区不一致时规则生效的时段会错位;较新的内核/iptables 支持加 --kerneltz 使用内核本地时区,否则需要自行换算成 UTC #限制在某个时间段内拒绝某些请求 iptables -I INPUT -d 192.168.100.230 -p tcp --dport 80 -m time --timestart 14:00 --timestop 16:00 -j REJECT #一周内固定时间限制 iptables -I FORWARD -s 172.17.1.132 -d 192.168.1.119 -m time --timestart 09:40 --timestop 09:59 --weekdays Wed,Thu -j DROP
[root@nginx ~]# iptables -I INPUT -p tcp -d 10.2.61.22 --dport 80 -m time --timestart 20:00 --timestop 06:00 -j REJECT #晚上八点到早上六点禁止访问;timestop 小于 timestart 时表示跨越午夜的时段。注意这里的 20:00-06:00 是 UTC 时间(见下面 iptables -L 输出中的 UTC),不是本机时区,按本地时间限制需要加 --kerneltz 或换算
5.connlimit #并发连接限制 ,单个地址或者地址块
[!] --connlimit-above n #链接上限 --connlimit-upto n #链接数量小于 n iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 2 -j REJECT iptables -I INPUT -d 192.168.100.230 -p tcp --syn --dport 22 -m connlimit --connlimit-above 4 -j REJECT
[root@nginx ~]# iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3 152 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 3 reject-with icmp-port-unreachable 514 42092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable 2 228 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 STRING match "GET /" ALGO name bm TO 65535 LOG flags 0 level 4 7 379 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100 23 1189 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.0.0.1-10.0.0.255 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080:8090 source IP range 10.0.0.1-10.0.0.255 0 0 tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080 0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 15 packets, 1106 bytes) pkts bytes target prot opt in out source destination 6 1102 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100 16 2176 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100 0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.0.0.1-10.0.0.255 0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080:8090 destination IP range 10.0.0.1-10.0.0.255 3521 586K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 22,80 2499 463K ACCEPT tcp -- * * 10.2.61.22 
0.0.0.0/0 tcp spt:22 0 0 ACCEPT icmp -- * * 10.2.61.22 0.0.0.0/0 icmptype 8 [root@nginx ~]# iptables -I INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT #限制单个源地址对 ssh 的并发连接数不超过 3。这条规则只会拒绝超过上限的 SYN 报文,未超限的报文并不会被它放行,所以仍然需要一条放行 22 端口的 ACCEPT,并且 ACCEPT 必须排在这条 REJECT 之后,否则 connlimit 永远不会被匹配到
[root@nginx ~]# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT #插入为序号 1 的规则。注意:这样 ACCEPT 就排在了上面 connlimit 的 REJECT 之前,所有 22 端口报文都会先被 ACCEPT 命中,连接数限制实际上失效(后面 iptables -L -n -v 的计数也印证了这一点:ACCEPT 一直在增长,REJECT 停在 3);正确做法是把 ACCEPT 放到 REJECT 之后,例如 iptables -I INPUT 2 ... 或 iptables -A INPUT ...
6.limit 扩展
基于收发报文的速率做检查,实现为令牌桶过滤器: --limit rate[/second|/minute|/hour|/day] #令牌补充的平均速率 --limit-burst number #令牌桶的容量(初始可连续匹配的报文数),桶空之后只能按 --limit 的速率继续匹配 iptables -A INPUT -d 192.168.100.230 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 30/minute -j ACCEPT
#限制 icmp ping 请求:最多连续放行 5 个,之后平均每分钟放行 30 个。注意 limit 只决定哪些报文匹配这条规则,超出速率的报文不会被它丢弃,而是继续往下匹配后续规则或落到链的默认策略(这里 INPUT 策略为 DROP,所以超出的会被丢弃)
7.state 扩展
根据连接追踪(conntrack)机制检查连接的状态 调整连接追踪表所能容纳的最大连接数 /proc/sys/net/nf_conntrack_max #连接追踪表的最大条目数,表满后新连接的报文会被内核丢弃并记录 "nf_conntrack: table full" 之类的日志,大量连接或攻击时需要按内存情况适当调大 cat /proc/net/nf_conntrack #当前追踪到的连接信息 #不同协议或连接状态的追踪超时时间 /proc/sys/net/netfilter/
[root@nginx ~]# cat /proc/sys/net/netfilter/nf_conntrack_max #centos7 查看连接追踪表的最大条目数
65536
可追踪的连接状态: NEW :新发出的请求,连接追踪表中还没有这条连接的记录,因此识别为第一次发起的请求 ESTABLISHED :NEW 之后,连接追踪表中为其建立的条目超时失效之前所进行的通信 RELATED :相关联的连接,如 ftp 协议的命令连接和数据连接之间的关系(需要加载对应的 helper 模块) INVALID :无法识别或不符合协议状态机的报文,通常应当直接 DROP --state state --state STATE1,STATE2 (较新的 iptables 中 state 模块已由 -m conntrack --ctstate 取代,用法相同) iptables -I INPUT -p tcp -d 192.168.100.230 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#对于访问本机 80 端口的入站流量,只放行 NEW 和 ESTABLISHED 状态的连接;对于从 80 端口发出的回应,只放行 ESTABLISHED 状态,这样本机无法以 80 为源端口主动向外发起新连接
[root@nginx ~]# iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT [root@nginx ~]# iptables -I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT [root@nginx ~]# iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED 7 374 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED 1619 129K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 3 152 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 3 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 10.2.61.22 tcp dpt:80 TIME from 20:00:00 to 06:00:00 UTC reject-with icmp-port-unreachable 2 228 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 STRING match "GET /" ALGO name bm TO 65535 LOG flags 0 level 4 7 379 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100 23 1189 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.2.61.1-10.2.61.100 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080,8090 source IP range 10.0.0.1-10.0.0.255 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080:8090 source IP range 10.0.0.1-10.0.0.255 0 0 tcp -- * * 0.0.0.0/0 10.2.61.22 multiport dports 8080 0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 0 252 25105 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.100.230 icmptype 8 limit: avg 30/min burst 5 151 12612 ACCEPT icmp -- * * 0.0.0.0/0 10.2.61.22 icmptype 8 limit: avg 30/min burst 5 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED 6 1102 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED 6 1102 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100 16 2176 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.2.61.1-10.2.61.100 0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080,8090 destination IP range 10.0.0.1-10.0.0.255 0 0 ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 8080:8090 destination IP range 10.0.0.1-10.0.0.255 5219 899K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 multiport sports 22,80 2499 463K ACCEPT tcp -- * * 10.2.61.22 0.0.0.0/0 tcp spt:22 0 0 ACCEPT icmp -- * * 10.2.61.22 0.0.0.0/0 icmptype 8 125 10428 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
[root@nginx ~]# iptables -L -n --line-number Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED #iptables 规则匹配从上往下,NEW 状态第一次,把 ESTABLISHED 放在第一位增加后续访问的命中率,提升速度 2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080,8090,8888 state NEW 4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy DROP) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED #OUTPUT 规则中允许进入的数据就允许出去, 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 [root@nginx ~]#