iptables, simply put, is the Linux firewall tool: the userspace front end to the kernel's netfilter framework, controlling packets at the network layer and above (IP addresses, protocols, ports).
Three tables (the ones that matter day to day; raw and security also exist but are not covered here):
filter (packet filtering; IP allow/deny rules normally go here, and it is the default when -t is omitted)
nat (address translation)
mangle (packet alteration, rarely used)
Five hook points in the packet path (chains):
PREROUTING (before routing: the packet has just arrived, the kernel has not yet decided whether it is for this host)
INPUT (inbound: packets addressed to this host, on their way into the local network stack)
FORWARD (forwarding: packets that only pass through this host; they never traverse INPUT or OUTPUT)
OUTPUT (outbound: packets generated locally, leaving the stack)
POSTROUTING (after routing: just before the packet goes out on the wire)
Note that the filter table only has INPUT, FORWARD and OUTPUT; PREROUTING and POSTROUTING belong to nat, mangle and raw.
Most day-to-day rules go in the filter table's INPUT and OUTPUT chains.
Simple example:
1. Flush existing rules: iptables -F (this flushes only the filter table; use -t nat -F etc. for the others and -X to delete user-defined chains; default policies are not reset)
2. Set the default policies: iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
(If you do this over SSH before the ACCEPT rules exist, the session is dropped and you are locked out; add the ACCEPT rules first, or load the whole ruleset in one step with iptables-restore.)
3. Add the INPUT and OUTPUT rules (only the INPUT rules are shown here; the three OUTPUT rules appear in the listing below)
iptables -A INPUT -s 192.168.153.0/24 -d 192.168.153.133 -p tcp -j ACCEPT
iptables -A INPUT -s 192.168.153.0/24 -d 192.168.153.133 -p icmp -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 192.168.0.0/16 -p icmp --icmp-type 0 -j ACCEPT
These rules are stateless: the first accepts every TCP packet from the /24 regardless of connection state, and the third accepts echo-replies from any source address. A single -m conntrack --ctstate ESTABLISHED,RELATED rule is the usual way to admit return traffic without opening that much.
Explanation:
-A append (add the rule at the end of the chain; rules are evaluated top to bottom and the first match wins)
-s source address
-d destination address
-p protocol
-j target (jump): ACCEPT, REJECT (discard and send an error back to the sender), DROP (discard silently)
--icmp-type 0 (echo-reply, the answer to a ping)
--icmp-type 8 (echo-request, the ping you send)
Result (iptables -L -v --line-numbers; add -n to skip the DNS and service-name lookups that turn 0.0.0.0/0 into "anywhere" and type 0 into "echo-reply" here; pkts/bytes are the per-rule match counters):
$ iptables -L -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       93  3961 ACCEPT     tcp  --  any    any     192.168.153.0/24     192.168.153.133
2       23  1380 ACCEPT     icmp --  any    any     192.168.153.0/24     192.168.153.133
3      276 23184 ACCEPT     icmp --  any    any     anywhere             192.168.0.0/16       icmp echo-reply
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       26  2184 ACCEPT     icmp --  any    any     192.168.0.0/16       anywhere             icmp echo-request
2        0     0 ACCEPT     tcp  --  any    any     192.168.0.0/16       anywhere
3        4   240 ACCEPT     icmp --  any    any     192.168.0.0/16       anywhere
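The procedure above (flush, set DROP policies, add rules one by one) has a lock-out window and admits return traffic with broad stateless rules. The script below is an added example, not from the original page: it rebuilds the same filter table in iptables-restore format so the whole table is replaced atomically, and swaps the stateless allowances for conntrack rules. The addresses (HOST, LAN, MGMT), the SSH-only inbound rule, the outbound DNS/HTTP(S) rules and the rate-limited LOG line are assumptions chosen for illustration; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not the page's own code): the page's ruleset as an
# iptables-restore file, applied atomically. Assumed values (hypothetical):
# HOST is the address from the listing, LAN is the subnet allowed to ping it,
# MGMT is the only network allowed to open SSH.
HOST="${HOST:-192.168.153.133}"
LAN="${LAN:-192.168.153.0/24}"
MGMT="${MGMT:-192.168.153.0/24}"

# Print a complete filter table for iptables-restore.
# Policies are DROP on all three chains, as in the page's step 2.
render_ruleset() {
    host="$1"; lan="$2"; mgmt="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must be allowed or local services (resolver, DB sockets) break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful: replies to accepted connections (TCP and ICMP echo alike) are
# admitted here, replacing the page's "-p tcp -j ACCEPT" and echo-reply rules
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new inbound TCP: SSH only, and only from the management network
-A INPUT -s $mgmt -d $host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# the page's ICMP rules: the LAN may ping this host, the host may ping out
-A INPUT -s $lan -d $host -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $host -p icmp --icmp-type 8 -j ACCEPT
# outbound connections the host itself needs (assumed: DNS, HTTP, HTTPS)
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# everything else is logged (rate limited) and then dropped by the policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of -A rules in the rendered set (a quick sanity check).
rule_count() { render_ruleset "$1" "$2" "$3" | grep -c '^-A'; }

# Apply atomically (run as root): --test parses the file without committing,
# then the live load replaces the table in one step, so there is never a
# moment where the policy is DROP but no ACCEPT rule exists yet.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    render_ruleset "$HOST" "$LAN" "$MGMT" > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# usage: sh firewall.sh show   (print the ruleset)
#        sh firewall.sh apply  (load it, as root)
case "${1:-show}" in
    apply) apply_ruleset ;;
    show)  render_ruleset "$HOST" "$LAN" "$MGMT" ;;
esac
```

Check the result afterwards with iptables -L -v -n --line-numbers; the conntrack rules should accumulate most of the counters, and the LOG line gives you a record of what the DROP policy is discarding.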