  iptables basic usage

    iptables is a handy packet-filtering tool: rules can match on host, port and other packet attributes and intercept the traffic they match.

    This post covers two iptables targets, DROP and REJECT, and shows what each one looks like from the point of view of a Go MySQL client that has a dial timeout and a read timeout configured. The choice matters for more than tidiness: DROP gives the peer no feedback at all, so a legitimate client hangs for its full timeout on every attempt, whereas REJECT answers with an ICMP error or a TCP RST and lets the client fail immediately.

    1. DROP

    DROP, as the name says, discards the matching packet and sends nothing back to the sender.

    Set the rule (the same command with -D in place of -A deletes it again; rules added like this do not survive a reboot unless they are saved):

    iptables -A OUTPUT -p tcp --dport 3306 -d 192.168.0.101 -j DROP
    

    View the rules (the pkts/bytes counters show how many packets the rule has already matched):

    [root@localhost lanyang]# iptables -nxvL
    Chain INPUT (policy ACCEPT 4 packets, 505 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
          49     3025 DROP       tcp  --  *      *       0.0.0.0/0            192.168.0.101       tcp dpt:3306 
    
    

    Test code: see the post "golang中mysql建立连接超时时间timeout 测试" (testing the MySQL connection timeout in Go). The go-sql-driver/mysql DSN parameters used in that test were:

    timeout=5s
    readTimeout=6s

    (timeout is the dial timeout for a new TCP connection; readTimeout is the deadline for reading a response on an established one.)
    

    Result:

    2019/10/27 18:34:52 start
    2019/10/27 18:34:52 value: 1
    2019/10/27 18:34:55 start
    2019/10/27 18:34:55 value: 1
    2019/10/27 18:34:58 start
    2019/10/27 18:34:58 value: 1
    2019/10/27 18:35:01 start
    [mysql] 2019/10/27 18:35:07 packets.go:36: read tcp 192.168.0.104:54462->192.168.0.101:3306: i/o timeout
    2019/10/27 18:35:07 query failed: invalid connection
    2019/10/27 18:35:10 start
    [mysql] 2019/10/27 18:35:15 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:35:20 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    2019/10/27 18:35:20 query failed: driver: bad connection
    2019/10/27 18:35:23 start
    [mysql] 2019/10/27 18:35:28 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:35:33 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:35:38 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    2019/10/27 18:35:38 query failed: driver: bad connection
    2019/10/27 18:35:41 start
    [mysql] 2019/10/27 18:35:46 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:35:51 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:35:56 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    2019/10/27 18:35:56 query failed: driver: bad connection
    2019/10/27 18:35:59 start
    [mysql] 2019/10/27 18:36:04 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:36:09 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    [mysql] 2019/10/27 18:36:14 driver.go:81: net.Error from Dial()': dial tcp 192.168.0.101:3306: i/o timeout
    2019/10/27 18:36:14 query failed: driver: bad connection

    Reading the timestamps: the first queries still succeed because the pool already holds an open connection. Once the rule matches, that connection's next read receives nothing and fails only when readTimeout expires (18:35:01 to 18:35:07, six seconds), after which the driver discards the connection as "invalid connection". Every new dial then waits the full 5 s timeout before failing, and database/sql retries the dial, so a single query now takes 10 to 15 seconds to fail with "driver: bad connection". From the client's side, DROP is indistinguishable from a dead network path.

    2. REJECT

    REJECT sends an error back to the sender instead of silently discarding the packet. The --reject-with option selects which one:

    icmp-net-unreachable
    icmp-host-unreachable
    icmp-port-unreachable
    icmp-proto-unreachable
    icmp-net-prohibited
    icmp-host-prohibited
    icmp-admin-prohibited (*)
    tcp-reset

    The default is icmp-port-unreachable. tcp-reset is only valid for TCP, and REJECT itself is only allowed in the INPUT, FORWARD and OUTPUT chains. (*) Per iptables(8), on kernels that do not support icmp-admin-prohibited the rule degrades to a plain DROP.

    2.1 The default: icmp-port-unreachable

    Set the rule:

    iptables -A OUTPUT -p tcp --dport 3306 -d 192.168.1.107 -j REJECT
    

    View the rules:

    sudo iptables -nxvL
    Chain INPUT (policy ACCEPT 5 packets, 515 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 4 packets, 372 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
           4      260 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.107      tcp dpt:3306 reject-with icmp-port-unreachable 
    
    

    Result (in this run the client and the MySQL server are both 192.168.1.107, so the OUTPUT rule matches traffic to the local server):

    2020/03/29 16:35:09 start
    2020/03/29 16:35:09 value: 1
    2020/03/29 16:35:12 start
    2020/03/29 16:35:12 value: 1
    2020/03/29 16:35:15 start
    [mysql] 2020/03/29 16:35:21 packets.go:36: read tcp 192.168.1.107:49654->192.168.1.107:3306: i/o timeout
    2020/03/29 16:35:21 query failed: invalid connection
    2020/03/29 16:35:24 start
    [mysql] 2020/03/29 16:35:25 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:35:26 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:35:26 query failed: driver: bad connection
    2020/03/29 16:35:29 start
    2020/03/29 16:35:30 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
    2020/03/29 16:35:33 start
    2020/03/29 16:35:34 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
    2020/03/29 16:35:37 start
    2020/03/29 16:35:38 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
    2020/03/29 16:35:41 start
    [mysql] 2020/03/29 16:35:42 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:35:43 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
    2020/03/29 16:35:46 start
    [mysql] 2020/03/29 16:35:47 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:35:48 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:35:49 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:35:49 query failed: driver: bad connection
    2020/03/29 16:35:52 start
    [mysql] 2020/03/29 16:35:53 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:35:54 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:35:55 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:35:55 query failed: driver: bad connection
    2020/03/29 16:35:58 start
    [mysql] 2020/03/29 16:35:59 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:36:00 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:36:01 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:36:01 query failed: driver: bad connection
    2020/03/29 16:36:04 start
    [mysql] 2020/03/29 16:36:05 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:36:06 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:36:07 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
    2020/03/29 16:36:10 start
    [mysql] 2020/03/29 16:36:11 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:36:12 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:36:13 query failed: dial tcp 192.168.1.107:3306: connect: connection refused
    2020/03/29 16:36:16 start
    [mysql] 2020/03/29 16:36:17 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:36:18 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    [mysql] 2020/03/29 16:36:19 driver.go:81: net.Error from Dial()': dial tcp 192.168.1.107:3306: i/o timeout
    2020/03/29 16:36:19 query failed: driver: bad connection

    Two things stand out. The read on the already-established connection (16:35:15 to 16:35:21) still runs to the full 6 s readTimeout: an ICMP port-unreachable arriving for an established TCP connection is treated as a soft error by the Linux stack and does not tear the connection down, unlike the RST in 2.2 below. New dials are a mix of immediate "connection refused" (the ICMP error surfacing as ECONNREFUSED) and dial timeouts, which here fire after about one second, so this run evidently used a 1 s timeout rather than the 5 s of the DROP test. When the dial is refused, the query fails within a second instead of burning the whole timeout budget.

    2.2 tcp-reset

    Set the rule:

    # iptables -A INPUT -p tcp --dport 3306 -d 192.168.1.111 -j REJECT --reject-with tcp-reset
    

    This rule answers the client with a TCP RST directly. Note that, unlike the previous examples, it sits in the INPUT chain and matches packets arriving for the local MySQL port; since the client in this test also runs on 192.168.1.111 (see the 192.168.1.111:47784->192.168.1.111:3306 line in the log below), it still catches the client's traffic.

    View the rules:

    [root@localhost lanyang]# iptables -nxvL
    Chain INPUT (policy ACCEPT 34 packets, 3139 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
          22     1325 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.111       tcp dpt:3306 reject-with tcp-reset 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 48 packets, 2509 bytes)
        pkts      bytes target     prot opt in     out     source               destination   
    

    Test code: the same post as above ("golang中mysql建立连接超时时间timeout 测试"), this time with

    timeout=1s
    readTimeout=6s
    

    Result:

    2020/03/29 22:27:24 start
    2020/03/29 22:27:24 value: 1
    2020/03/29 22:27:27 start
    2020/03/29 22:27:27 value: 1
    2020/03/29 22:27:30 start
    2020/03/29 22:27:30 value: 1
    2020/03/29 22:27:33 start
    2020/03/29 22:27:33 value: 1
    2020/03/29 22:27:36 start
    [mysql] 2020/03/29 22:27:36 packets.go:36: read tcp 192.168.1.111:47784->192.168.1.111:3306: read: connection reset by peer
    2020/03/29 22:27:36 query failed: invalid connection
    2020/03/29 22:27:39 start
    2020/03/29 22:27:39 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:27:42 start
    2020/03/29 22:27:42 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:27:45 start
    2020/03/29 22:27:45 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:27:48 start
    2020/03/29 22:27:48 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:27:51 start
    2020/03/29 22:27:51 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:27:54 start
    2020/03/29 22:27:54 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:27:57 start
    2020/03/29 22:27:57 query failed: dial tcp 192.168.1.111:3306: connect: connection refused
    2020/03/29 22:28:00 start

    This is the clean fail-fast case. The RST on the established connection surfaces immediately as "connection reset by peer" (22:27:36, with no wait for the 6 s readTimeout), and every new SYN is answered with an RST, so each subsequent query fails with "connection refused" in the same second it started. For clients that retry, tcp-reset is the kindest option; DROP is the one that makes them pile up waiting on timeouts.

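    The three client-side outcomes shown in sections 1, 2.1 and 2.2 (DROP: dial or read timeout; REJECT icmp-port-unreachable: connection refused or timeout; REJECT tcp-reset: connection reset by peer, then refused) can be told apart in code. The program below is an added example written for this page, not the author's test client (that one uses go-sql-driver/mysql and is linked above). It talks raw TCP instead, so it needs no driver; it relies on the fact that a MySQL server sends its handshake greeting before the client says anything, so a connect that succeeds but then reads nothing means packets on the established connection are being dropped. The target address 192.168.0.101:3306 and the names Probe, Classify and Outcome are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// Outcome is the client-visible result of one connection attempt. The three
// failure values correspond to the behaviours seen in the logs above.
type Outcome string

const (
	OutcomeOK      Outcome = "ok"
	OutcomeTimeout Outcome = "timeout" // DROP: no reply, the full dial/read timeout is burned
	OutcomeRefused Outcome = "refused" // REJECT: ICMP port-unreachable or RST answering the SYN
	OutcomeReset   Outcome = "reset"   // REJECT --reject-with tcp-reset on an established connection
	OutcomeOther   Outcome = "other"   // e.g. EOF from an orderly close, DNS failure
)

// Classify maps an error from net.Dial*/Conn.Read to an Outcome. The timeout
// test comes first because *net.OpError satisfies net.Error for every failure;
// only Timeout() singles out the silent-drop case.
func Classify(err error) Outcome {
	if err == nil {
		return OutcomeOK
	}
	var netErr net.Error
	if errors.As(err, &netErr) && netErr.Timeout() {
		return OutcomeTimeout
	}
	if errors.Is(err, syscall.ECONNREFUSED) {
		return OutcomeRefused
	}
	if errors.Is(err, syscall.ECONNRESET) {
		return OutcomeReset
	}
	return OutcomeOther
}

// Probe connects to addr within dialTimeout and then waits up to readTimeout
// for the first byte from the server (assumption: the server speaks first,
// as MySQL does with its handshake greeting). It returns the outcome, how
// long the attempt took, and the underlying error.
func Probe(addr string, dialTimeout, readTimeout time.Duration) (Outcome, time.Duration, error) {
	start := time.Now()
	conn, err := net.DialTimeout("tcp", addr, dialTimeout)
	if err != nil {
		return Classify(err), time.Since(start), err
	}
	defer conn.Close()
	if err := conn.SetReadDeadline(time.Now().Add(readTimeout)); err != nil {
		return OutcomeOther, time.Since(start), err
	}
	buf := make([]byte, 1)
	if _, err := conn.Read(buf); err != nil {
		return Classify(err), time.Since(start), err
	}
	return OutcomeOK, time.Since(start), nil
}

func main() {
	// Assumed target: the MySQL host from the DROP test above. Override it on
	// the command line, e.g. `go run . 192.168.1.111:3306`.
	addr := "192.168.0.101:3306"
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	// Same budget as the page's DSN: timeout=5s (dial), readTimeout=6s (read),
	// one attempt every three seconds like the test client's loop.
	for i := 0; i < 3; i++ {
		out, took, err := Probe(addr, 5*time.Second, 6*time.Second)
		fmt.Printf("%-8s after %-9v %v\n", out, took.Round(time.Millisecond), err)
		time.Sleep(3 * time.Second)
	}
}
```

    Run it once before adding a rule and once after. With the DROP rule in OUTPUT every attempt reports "timeout" only after the full 5 s or 6 s has elapsed; with either REJECT variant the answer comes back in milliseconds as "refused" for a new connection or, for tcp-reset on an existing one, "reset". In a real client the same classification is what should decide whether an immediate retry makes sense (refused or reset) or would only burn another timeout (timeout).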
    3. References

    iptables(8) - Linux man page

    iptables 之 REJECT 与 DROP 对比 (iptables: REJECT vs DROP compared)

  Original post: https://www.cnblogs.com/lanyangsh/p/12601618.html