Linux - iptables

Host firewall rule command
Decides whether packets may enter the host, whether the host's own packets may be sent out, and whether packets may be forwarded through it...

Chain

There are three tables, mangle, filter and nat; each table's chains are listed below:

~# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
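Every chain in the listings above still has the default policy ACCEPT and no rules, which is a state worth being able to spot on a host you are auditing. The following Python is an added example, not part of the original post and not iptables code: it parses exactly this `-nvL` listing format (chain header, column header, nine fixed columns plus free-form match text per rule) and reports the chains that cannot block anything. The listing it parses is constructed here so that it also contains a few rules and a user chain.

```python
"""Parse `iptables -t <table> -nvL` output and flag chains that block nothing.

Added example, not from the original post. It reads the listing format shown
above: a 'Chain NAME (policy ...)' line, the column header, then one rule per
line with nine fixed columns followed by free-form match text.
"""
import re

# built-in chains show a policy and counters; user-defined chains show a reference count
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) \S+ packets, \S+ bytes|\d+ references)\)$"
)
# fixed columns of `-nvL`; anything after 'destination' is match text (e.g. 'tcp dpt:22')
RULE_COLS = ["pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination"]


def parse_listing(text):
    """Return {chain_name: {'policy': str or None, 'rules': [rule dicts]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:                                   # policy is None for a user-defined chain
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
        elif line.startswith("pkts bytes target") or current is None:
            continue                            # column header, or text before the first chain
        else:
            parts = line.split(None, len(RULE_COLS))
            rule = dict(zip(RULE_COLS, parts))
            rule["extra"] = parts[len(RULE_COLS)] if len(parts) > len(RULE_COLS) else ""
            current["rules"].append(rule)
    return chains


def open_chains(chains):
    """Built-in chains whose policy is ACCEPT and which hold no DROP/REJECT rule at all."""
    return sorted(
        name for name, c in chains.items()
        if c["policy"] == "ACCEPT"
        and not any(r["target"] in ("DROP", "REJECT") for r in c["rules"])
    )


# constructed sample listing (not real output from any host)
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  eth+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   180 DROP       all  --  *      *       192.168.1.1          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 myChain    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain myChain (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for name, chain in parsed.items():
        print(f"{name}: policy={chain['policy']} rules={len(chain['rules'])}")
    print("chains that block nothing:", open_chains(parsed))
```

Feed it `iptables -t filter -nvL` output captured from a host and `open_chains` names the built-in chains that accept everything by default with nothing in them to say otherwise, the filter listing above being the clearest case.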


Order in which a packet traverses the chains

Reply packets skip the nat chains because the nat table is consulted only for the first packet of a connection.

Packet arriving from the outside network to the host

Request packet
mangle PREROUTING -> nat PREROUTING -> mangle INPUT -> nat INPUT -> filter INPUT

Reply packet
mangle OUTPUT -> filter OUTPUT -> mangle POSTROUTING

Packet leaving the host for the outside network

Request packet
mangle OUTPUT -> nat OUTPUT -> filter OUTPUT -> mangle POSTROUTING -> nat POSTROUTING

Reply packet
mangle PREROUTING -> mangle INPUT -> filter INPUT

Packet forwarded through the host (never delivered to the host itself)

Request packet
mangle PREROUTING -> nat PREROUTING -> mangle FORWARD -> filter FORWARD ->
mangle POSTROUTING -> nat POSTROUTING

Reply packet
mangle PREROUTING -> mangle FORWARD -> filter FORWARD -> mangle POSTROUTING


Writing rules

iptables
-t [ mangle | nat | filter ]
-[ I(insert rule) | A(append rule) | D(delete rule) | X(delete chain) | F(flush chain) | N(create chain) ]
-s XX.XX.XX.XX/mask (source IP or network)
-d XX.XX.XX.XX/mask (destination IP or network)
-i XXX (input interface; a trailing + acts as a wildcard)
-o XXX (output interface; a trailing + acts as a wildcard)
-m [ connmark | mark | iprange | length | limit | quota | mac | multiport | physdev | pkttype | tcpmss | time ]
  connmark [ --mark XX ]
  mark [ --mark XX[/mask] ]
  iprange [ --src-range ip[-ip] | --dst-range ip[-ip] ]
  length [ --length length[:length] ]
  limit [ --limit [ XX/sec | XX/min | XX/hour | XX/day ] (packet rate limit) | --limit-burst XX ]
  quota [ --quota XX (bytes per second) ]
  mac [ --mac-source XX:XX:XX:XX:XX:XX ]
  multiport [ --sports XX[,XX:XX,XX...] | --dports XX[,XX:XX,XX...] | --ports XX[,XX:XX,XX...] ]
  physdev [ --physdev-in XX (bridge port name; + allowed) | --physdev-out XX (bridge port name; + allowed) ]
  pkttype [ --pkt-type [ unicast or host | broadcast or bcast | multicast or mcast ] ]
  tcpmss [ --mss XX[:XX] ]
  time [ --datestart time | --datestop time | --timestart time | --timestop time | --monthdays value | --weekdays value | --kerneltz XX ]
-p [ tcp | udp | icmp | all ]
  tcp [ --sport XX[:XX] | --dport XX[:XX] | --tcp-flags [SYN ACK FIN RST URG PSH ALL NONE] | --tcp-option XX ]
  udp [ --sport XX[:XX] | --dport XX[:XX] ]
  icmp [ --icmp-type [ 8(echo request) | 0(echo reply) ] ]
-j [ ACCEPT(allow) | DROP(refuse) | RETURN(stop evaluating this chain) | LOG(log) | CONNMARK | MARK(mark) | TCPMSS | REDIRECT(port) ]
  CONNMARK [ --set-mark XX ]
  MARK [ --set-mark XX[/mask] | --or-mark XX | --and-mark XX | --xor-mark XX ]
  TCPMSS [ --set-mss XX | --clamp-mss-to-pmtu (automatic) ]
  REDIRECT [ --to-ports XX[-XX] ]
Note: prefix an option with ! to negate it


Examples

// List rules (without PREROUTING, every chain in mangle is listed)
iptables -t mangle -nvL PREROUTING

// Insert as rule 3 (without a position, the rule is inserted at the top)
iptables -t mangle -I PREROUTING 3 -i eth+ -j ACCEPT

// Delete
iptables -t mangle -D PREROUTING 3 // delete rule 3 of PREROUTING
iptables -t mangle -D PREROUTING -i eth+ -j ACCEPT // delete the rule "-i eth+ -j ACCEPT" from PREROUTING

// Create a chain
iptables -t mangle -N myChain // create the chain
iptables -t mangle -A PREROUTING -j myChain // jump into myChain and evaluate its rules

// Change only the port
iptables -t nat -A OUTPUT -p tcp --dport 8888 -j REDIRECT --to-port 80

// DNAT
iptables -t nat -A PREROUTING -s 1.1.1.1 -d 2.2.2.2 -p tcp --dport 8888 -j DNAT --to-destination 192.168.1.1:80

// SNAT
iptables -t nat -A POSTROUTING -d 192.168.1.6 -p tcp --dport 80 -j SNAT --to-source 192.168.1.1

// Automatically NAT the source IP of outgoing packets
iptables -t nat -A POSTROUTING -j MASQUERADE

// Marking
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x1/0xff // set the mark
iptables -t mangle -A PREROUTING -m mark --mark 0x1/0xff -j ACCEPT // match on the mark

// Block HTTP connections
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DROP

// Block connections from a source IP
iptables -t mangle -A PREROUTING -s 192.168.1.1 -j DROP
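The reference and the examples above all rest on one evaluation model: a packet walks a chain top to bottom, the first rule whose every match holds decides (ACCEPT, DROP, or a jump into a user chain), RETURN hands the packet back to the calling chain, the chain's policy applies when nothing matched, and MARK is non-terminating, with value/mask touching only the masked bits. The following Python is an added example, not part of the original post and not iptables' own code. It models that subset of the syntax (-s, -d, -p, --dport, -i with a + wildcard, ! negation, -m mark --mark value/mask, -j MARK --set-mark value/mask, -A, -I N, -D, user chains and RETURN) over constructed packet dicts, and replays the -I example to show the ACCEPT inserted at position 3 shadowing the port-80 DROP that follows it.

```python
"""Offline model of iptables chain evaluation.

Added example: not part of the original post and not iptables code. Rules use
the subset of the reference syntax the examples above use; packets are plain
dicts constructed here.
"""
import ipaddress
import shlex


class Chain:
    def __init__(self, policy=None):
        self.policy = policy        # built-in chains have a policy; user chains have None
        self.rules = []


def parse_mark(spec):
    """'0x1/0xff' -> (value, mask); without '/mask' all 32 bits are meant."""
    value, _, mask = spec.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


def parse_rule(text):
    """Turn '-s 192.168.1.0/24 -p tcp --dport 80 -j DROP' into a match dict."""
    toks, rule, i = shlex.split(text), {"neg": set(), "target": None}, 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1]
        if t == "!":                # '! -s x' negates the option that follows
            rule["neg"].add(arg)
            i += 1
            continue
        if t == "-j":
            rule["target"] = arg
        elif t in ("--set-mark", "--mark"):
            rule[t] = parse_mark(arg)
        elif t != "-m":             # '-m name' only selects a module; its options follow
            rule[t] = arg
        i += 2
    return rule


def matches(rule, pkt):
    """Every option in the rule must hold (a '!' flips it); absent options match anything."""
    in_net = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    checks = {
        "-s": lambda v: in_net(pkt["src"], v),
        "-d": lambda v: in_net(pkt["dst"], v),
        "-p": lambda v: v == "all" or pkt["proto"] == v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "-i": lambda v: (pkt.get("in_if", "").startswith(v[:-1]) if v.endswith("+")  # + wildcard
                         else pkt.get("in_if") == v),
        "--mark": lambda v: (pkt.get("mark", 0) & v[1]) == v[0],   # compare under the mask
    }
    for opt, check in checks.items():
        if opt in rule and check(rule[opt]) == (opt in rule["neg"]):
            return False            # option failed, or a negated option succeeded
    return True


def evaluate(chains, name, pkt):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    chain = chains[name]
    for rule in chain.rules:
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt == "MARK":           # non-terminating: clear the masked bits, OR in the value
            value, mask = rule["--set-mark"]
            pkt["mark"] = (pkt.get("mark", 0) & ~mask & 0xFFFFFFFF) | value
        elif tgt in ("ACCEPT", "DROP"):
            return tgt
        elif tgt == "RETURN":
            break                   # back to the caller; in a built-in chain that means the policy
        elif tgt is not None:       # user-defined chain; its RETURN comes back here
            verdict = evaluate(chains, tgt, pkt)
            if verdict is not None:
                return verdict
    return chain.policy             # None for a user chain: implicit RETURN


def append(chains, name, text):                 # -A
    chains[name].rules.append(parse_rule(text))


def insert(chains, name, text, position=1):     # -I [N], 1-based; default is the top
    chains[name].rules.insert(position - 1, parse_rule(text))


def delete(chains, name, spec):                 # -D N, or -D followed by the exact rule text
    rules = chains[name].rules
    if isinstance(spec, int):
        del rules[spec - 1]
    else:
        rules.remove(parse_rule(spec))


def demo():
    """Replay the mark, user-chain, DROP and -I examples above; returns the verdicts."""
    chains = {"PREROUTING": Chain("ACCEPT"), "myChain": Chain()}
    append(chains, "PREROUTING", "-j MARK --set-mark 0x1/0xff")
    append(chains, "PREROUTING", "-j myChain")
    append(chains, "PREROUTING", "-p tcp --dport 80 -j DROP")
    append(chains, "myChain", "-s 192.168.1.1 -j DROP")
    append(chains, "myChain", "-j RETURN")
    # constructed packets: a web request, one from the blocked source, an SSH request
    mk = lambda src, dport: {"src": src, "dst": "192.168.1.6", "proto": "tcp", "dport": dport, "in_if": "eth0"}
    pkts = {"web": mk("10.0.0.5", 80), "bad": mk("192.168.1.1", 22), "ssh": mk("10.0.0.5", 22)}
    run = lambda: {k: evaluate(chains, "PREROUTING", p) for k, p in pkts.items()}
    before = run()
    insert(chains, "PREROUTING", "-i eth+ -j ACCEPT", 3)   # lands in front of the port-80 DROP
    after = run()
    delete(chains, "PREROUTING", "-i eth+ -j ACCEPT")      # -D by rule text restores the order
    return {"before": before, "after": after, "restored": run(), "mark": pkts["web"]["mark"]}
```

`demo()` returns the web request as DROP before the insert and ACCEPT after it: the rule inserted at position 3 matches first on eth0, so the DROP that was meant to block HTTP never runs. That is the check to make before putting an `-I N` rule on a live host, and the same model answers what a `-m mark --mark 0x1/0xff` rule will see after `--set-mark 0x1/0xff` has touched only the low byte.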




Old notes (kept for reference)

ebtables has three tables
broute: chain BROUTING
filter: chains INPUT, FORWARD, OUTPUT
nat: chains PREROUTING, OUTPUT, POSTROUTING
iptables has two tables
mangle: chains PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
filter: chains PREROUTING, OUTPUT, FORWARD, POSTROUTING

PING to the host
ebtables.broute.BROUTING -> ebtables.nat.PREROUTING -> iptables.mangle.PREROUTING ->
iptables.nat.PREROUTING -> ebtables.filter.INPUT -> iptables.mangle.INPUT ->
OK (delivered to the host; what follows is the reply) ->
iptables.mangle.OUTPUT -> ebtables.nat.OUTPUT -> ebtables.filter.OUTPUT ->
ebtables.nat.POSTROUTING -> iptables.mangle.POSTROUTING
PING from the host
iptables.mangle.OUTPUT -> iptables.nat.OUTPUT -> ebtables.nat.OUTPUT ->
ebtables.filter.OUTPUT -> ebtables.nat.POSTROUTING -> iptables.mangle.POSTROUTING ->
iptables.nat.POSTROUTING -> OK (leaves the host; what follows is the reply from outside) ->
ebtables.nat.PREROUTING -> iptables.mangle.PREROUTING -> ebtables.filter.INPUT ->
iptables.mangle.INPUT
Forwarded packet (FORWARD)
ebtables.broute.BROUTING -> ebtables.nat.PREROUTING -> iptables.mangle.PREROUTING ->
iptables.nat.PREROUTING -> ebtables.filter.FORWARD -> iptables.mangle.FORWARD ->
iptables.nat.FORWARD -> ebtables.nat.POSTROUTING -> iptables.mangle.POSTROUTING ->
iptables.nat.POSTROUTING -> OK (what follows is the reply from outside) ->
ebtables.broute.BROUTING -> ebtables.nat.PREROUTING -> iptables.mangle.PREROUTING ->
ebtables.filter.FORWARD -> iptables.mangle.FORWARD -> ebtables.nat.POSTROUTING ->
iptables.mangle.POSTROUTING



