Linux iptables Firewall
2017-03-28 00:00
1. Show the currently configured firewall rules:
iptables -L -n --line-numbers
2. Delete a firewall rule:
iptables -D INPUT number
Here number is the rule entry number shown by the previous command. INPUT can be replaced with OUTPUT or FORWARD to address the corresponding chain.
3. Save and reload firewall rules:
sudo netfilter-persistent save
Saving makes the configured rules permanent, so they are not lost on reboot.
sudo netfilter-persistent reload
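As an added example (not part of the original post), the following shell script works offline on a constructed copy of `iptables -L INPUT -n --line-numbers` output. It picks out the rule numbers for a given destination port and emits the matching `iptables -D` commands highest-first, because the kernel renumbers a chain after every deletion; `simulate_delete` models that renumbering so the pitfall is visible without touching a live firewall. The sample listing and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  It works offline on a
# CONSTRUCTED copy of `iptables -L INPUT -n --line-numbers` output to show the
# one pitfall of deleting rules by number: the kernel renumbers the chain
# after every deletion, so numbers must be removed highest-first.

# Constructed sample listing (not captured from a real host).  Columns follow
# the real `-L -n --line-numbers` layout: num, target, prot, opt, source,
# destination, then match details such as "tcp dpt:80".
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.2          tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.2          tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4    DROP       tcp  --  0.0.0.0/0            192.168.1.2          tcp dpt:80'

# rule_numbers_for_dport LISTING PORT
# Print the number of every rule matching "dpt:PORT", one per line, highest
# first.  Only lines whose first column is a number are rules; the two header
# lines are skipped.  The trailing ($|[^0-9]) keeps dpt:80 from matching dpt:8080.
rule_numbers_for_dport() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("dpt:" port "($|[^0-9])") { print $1 }
    ' | sort -rn
}

# delete_commands CHAIN LISTING PORT
# Emit the `iptables -D CHAIN N` commands in the safe (descending) order.
# Nothing is executed here; the operator reviews the output before running it.
delete_commands() {
    _chain=$1
    _listing=$2
    _port=$3
    for _n in $(rule_numbers_for_dport "$_listing" "$_port"); do
        printf 'iptables -D %s %s\n' "$_chain" "$_n"
    done
}

# simulate_delete LISTING N
# Model what happens after `iptables -D INPUT N`: rule N disappears and every
# later rule moves up one position.
simulate_delete() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 !~ /^[0-9]+$/ { print; next }   # header lines pass through
        $1 == n          { next }          # the deleted rule
        $1 > n           { $1 = $1 - 1 }   # renumber what follows
        { print }
    '
}

# Demonstration: port 80 appears as rule 1 and rule 4.  Deleting 1 first
# would turn the DROP rule into rule 3, and a blind `-D INPUT 4` would then
# fail because only three rules remain.
echo "Rules matching dpt:80, highest first:"
rule_numbers_for_dport "$SAMPLE_LISTING" 80
echo "Safe deletion sequence:"
delete_commands INPUT "$SAMPLE_LISTING" 80
echo "Where the DROP rule lands if rule 1 is removed first:"
rule_numbers_for_dport "$(simulate_delete "$SAMPLE_LISTING" 1)" 80
```

On a live host the same functions can be fed `$(iptables -L INPUT -n --line-numbers)` instead of the constructed string; the generated `-D` lines are meant to be reviewed before they are run.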
Table Chains
The iptables rules are broken down into groups called chains. Each table contains default chains that are built into the table. You can also create your own chains on each table to hold additional rules.
The built-in chains in the filter table are FORWARD, INPUT, and OUTPUT.
If a packet is coming to the host, then it needs to be evaluated by the rules in the INPUT chain.
If the packet is generated by the host itself and going out, then it needs to be evaluated by the rules in the OUTPUT chain.
The FORWARD chain is used for packets that have entered the host but are destined for some other host.
Chain policy
Each chain in the filter table has a policy. A policy is the default action taken when no rule in the chain matches. The policies you can use for packets are DROP, REJECT, and ACCEPT.
The ACCEPT policy accepts the traffic and allows it to pass through the firewall. The DROP policy discards a packet without notifying the sender. The REJECT policy also discards the packet, but it sends an ICMP packet to the sender to tell it about the rejection.
From a security perspective, you should deny all traffic by default and open the host to only the traffic to which you have explicitly granted access.
DROP for the INPUT and OUTPUT chains means incoming and outgoing traffic are not allowed unless you explicitly add rules to allow the traffic.
增加防火墙规则:
$ iptables -A INPUT -i eth0 -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
Let's break this command into pieces so we can understand everything about it:
The -A flag means we are appending a new rule. By default, all new rules are added to the filter table unless you specify another table.
The -i flag specifies which device the traffic will use to enter the host. If you do not specify a device, then iptables assumes the rule applies to all incoming network traffic from all devices.
The -p flag specifies the protocol of the packets you are filtering, which is TCP in our case.
The --dport flag tells iptables to select only packets destined for port 80.
The -d flag selects only those packets destined for the specified IP address, 192.168.1.2. If you do not specify a destination IP address, then iptables applies this rule to all incoming traffic on eth0 regardless of IP address.
The last flag in the rule, -j, specifies the jump target, that is, the action to take on matching packets; here we accept them with the ACCEPT target.
The above rule allows incoming HTTP traffic, which is on port 80. We can add another rule to allow HTTPS traffic, which is on port 443:
$ iptables -A INPUT -i eth0 -p tcp --dport 443 -d 192.168.1.2 -j ACCEPT
Iptables Rules Order
When you use the -A flag to add a rule, it is appended to the end of the current rules in a chain. You can also add rules using the -I flag, which inserts rules at the top of the chain.
The sequence of the rules matters. The rules are checked in the order they appear in the chain, and the first matching rule decides.
With the -I flag you can also insert a rule into a chain at a given line number, so we can specify exactly where our rule is placed.
Look at the following rules to understand how rule ordering matters:
$ iptables -I INPUT 1 -i eth0 -p tcp -j ACCEPT
$ iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -j DROP
Because rule 1 already accepts every TCP packet arriving on eth0, rule 2 is never reached, and traffic to port 80 is still accepted.
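To make the chain-policy and rule-order behaviour described above concrete, here is an added example (not from the original post) in shell: a toy first-match evaluator over rules written as constructed `TARGET PROTO DPORT` lines. `chain_insert` and `chain_append` stand in for `-I` and `-A`; `evaluate` walks the chain top to bottom and falls back to the chain policy when nothing matches. It shows that with the two commands above, the catch-all ACCEPT at position 1 shadows the DROP at position 2, and that placing the specific DROP first gives the intended result. The rule format and the function names are assumptions of this example; real iptables matches many more fields than protocol and destination port.

```shell
#!/bin/sh
# Added example, not code from the original post.  A small first-match
# evaluator for an iptables filter chain: rules are tried from the top, the
# first match decides, and the chain policy applies when nothing matches.
# Rules are modelled as constructed "TARGET PROTO DPORT" lines (DPORT "any"
# means no --dport match); real iptables matches far more than this.

# chain_insert CHAIN N RULE   -- like `iptables -I CHAIN N rule`:
# place RULE at position N and push the rules from N onward down by one.
# If N is past the end, the rule is appended.
chain_insert() {
    printf '%s\n' "$1" | awk -v n="$2" -v rule="$3" '
        NF == 0 { next }                        # an empty chain is an empty string
        { i++; if (i == n) print rule; print }
        END { if (i < n) print rule }
    '
}

# chain_append CHAIN RULE     -- like `iptables -A CHAIN rule`: add at the end.
chain_append() {
    printf '%s\n%s\n' "$1" "$2" | awk 'NF > 0'
}

# evaluate CHAIN POLICY PROTO DPORT
# Walk the chain top to bottom and print the target of the first rule whose
# protocol and destination port match; print POLICY if none does.
evaluate() {
    printf '%s\n' "$1" | awk -v policy="$2" -v proto="$3" -v dport="$4" '
        NF == 3 && ($2 == proto || $2 == "all") && ($3 == dport || $3 == "any") {
            print $1; found = 1; exit
        }
        END { if (!found) print policy }
    '
}

# The two commands from the post, in the order given: rule 1 accepts all TCP,
# rule 2 drops TCP port 80.
SHADOWED=$(chain_insert "" 1 "ACCEPT tcp any")
SHADOWED=$(chain_insert "$SHADOWED" 2 "DROP tcp 80")

# The same two rules with the specific DROP placed first, so it is reached.
CORRECTED=$(chain_insert "" 1 "DROP tcp 80")
CORRECTED=$(chain_append "$CORRECTED" "ACCEPT tcp any")

POLICY=DROP   # default-deny chain policy, as the post recommends

echo "shadowed ordering,  tcp/80 : $(evaluate "$SHADOWED"  "$POLICY" tcp 80)"
echo "corrected ordering, tcp/80 : $(evaluate "$CORRECTED" "$POLICY" tcp 80)"
echo "corrected ordering, tcp/443: $(evaluate "$CORRECTED" "$POLICY" tcp 443)"
echo "corrected ordering, udp/53 : $(evaluate "$CORRECTED" "$POLICY" udp 53)"
```

The UDP case falls through both rules and is decided by the DROP policy, which is the default-deny posture the chain-policy section argues for.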
参考文档:https://likegeeks.com/linux-iptables-firewall-examples/