  • iptables modification

    https://fedoraproject.org/wiki/How_to_edit_iptables_rules?rd=User_talk:Rforlot

    Listing Rules

    Currently running iptables Rules can be viewed with the command:

    iptables -L

    Note: numeric port values
    The list of Rules with the -L command option shows ports by their service name rather than port number. To see the port number instead, include the -n argument:

    iptables -L -n

    Note: viewing counters
    Rules listed with the -L command option do not include matching counters. To include matching counters, include the -v argument:

    iptables -L -v

    Example of iptables Rules allowing any connections already established or related, icmp requests, all local traffic, and ssh communication:

    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Note that Rules are applied in order of appearance, and the inspection ends immediately when there is a match. Therefore, for example, if a Rule rejecting ssh connections is created, and afterward another Rule is specified allowing ssh, the Rule to reject is applied and the later Rule to accept the ssh connection is not.

    Appending Rules

    The following adds a Rule at the end of the specified chain of iptables:

    [root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Notice the last line in chain INPUT. There are now five Rules in that chain.

    Deleting Rules

    To delete a Rule, you must know its position in the chain. The following example deletes an existing Rule created earlier that is currently in the fifth position:

    [root@server ~]# iptables -D INPUT 5
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Inserting Rules

    Create a Rule at the top (first) position:

    [root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    The number given after the chain name is the position the new Rule takes, in front of the Rule currently at that position. So, for example, if you want to insert a Rule before the third rule, you specify the number 3; afterward, the Rule that was third will be in the fourth position in the chain.

    Replacing Rules

    Rules may be specified to replace existing Rules in the chain.

    In the example shown previously, the first Rule given allows connections to the http port (port 80) from anywhere. The following replaces this Rule, restricting connections to the standard http port (port 80) only from the network address range 192.168.0.0/24:

    [root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 

    Flushing Rules

    To flush or clear iptables Rules, use the --flush (-F) option:

    iptables -F <chain>

    Specifying a <chain> is optional; without a chain specification, all chains are flushed.

    Example to flush Rules in the OUTPUT chain :

    [root@server ~]# iptables -F OUTPUT
    Caution: default chain policy
    Be aware of the default chain policy. For example, if the INPUT policy is DROP or REJECT and the Rules are flushed, all incoming traffic will be dropped or rejected and network communication broken.

    Making changes persistent

    Changes made to the iptables Rules with CLI commands are lost upon system reboot. However, iptables comes with two useful utilities: iptables-save and iptables-restore.

    • iptables-save prints a dump of current iptables rules to stdout. These may be redirected to a file:
    [root@server ~]# iptables-save > iptables.dump 
    [root@server ~]# cat iptables.dump 
    # Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011
    *filter
    :INPUT DROP [45:2307]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1571:4260654]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    COMMIT
    # Completed on Wed Dec  7 20:10:49 2011
    • iptables-restore restores a dump of rules made by iptables-save:
    [root@server ~]# iptables-restore < iptables.dump 
    [root@server ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Upon stopping the iptables service, the current iptables Rules are saved in a file, and upon starting the service, this file is restored. The affected files are:

    • /etc/sysconfig/iptables
      for IPv4
    • /etc/sysconfig/ip6tables
      for IPv6

    If preferred, these files may be edited directly and the iptables service restarted to commit the changes. The format is similar to that of the iptables CLI commands:

    # Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011
    *filter <--------------------------------------------------------- Specifies the table that the following rules belong to
    :INPUT DROP [157:36334] <----------------------------------------- The three built-in chains of the filter table, each followed by its policy;
    :FORWARD ACCEPT [0:0] <------------------------------------------- the numbers in brackets, [<packet-counter>:<byte-counter>], are for
    :OUTPUT ACCEPT [48876:76493439] <--------------------------------- debugging/informational purposes only. Leave them at their current value.
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule:
    -A INPUT -p icmp -j ACCEPT <-------------------------------------- just the arguments
    -A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    COMMIT <---------------------------------------------------------- Required at the end of each table definition; commits the rules of that table.
    # Completed on Wed Dec  7 20:22:39 2011
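    The following is an added example; it is not part of the Fedora wiki page and is not code from the iptables project. It is a small Python model of a filter chain that reproduces the behaviour described on this page: the first-match evaluation explained in the Listing Rules section, the 1-based positions used by -I, -D and -R, and the caution that flushing a chain whose policy is DROP leaves only the policy, so ssh is dropped. Its parser understands only the subset of the iptables-save format shown above (-A, -p, -s, -i, -m with --state, --dport, -j); the dump, addresses and interface names inside it are constructed sample data, not taken from a real system.

```python
"""Model of an iptables filter chain. Added example, not the wiki's or the iptables project's code:
first-match evaluation, 1-based positions for -I/-D/-R, -F keeping the policy, and a parser for the
iptables-save subset shown above. The dump, addresses and interfaces are constructed samples."""
import ipaddress
import shlex

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""

class Rule:
    """Every field that is set must match the packet; unset fields match anything."""
    def __init__(self, target, proto=None, src=None, iface=None, dport=None, states=None):
        self.target, self.proto, self.iface, self.dport = target, proto, iface, dport
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.states = set(states) if states else None

    def matches(self, pkt):
        return ((self.proto is None or pkt.get("proto") == self.proto)
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.iface is None or pkt.get("iface") == self.iface)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.states is None or pkt.get("state") in self.states))

class Chain:
    """Ordered rules plus the policy that applies when no rule matches."""
    def __init__(self, policy):
        self.policy, self.rules = policy, []
    def append(self, rule):        # -A: new rule goes to the end of the chain
        self.rules.append(rule)
    def insert(self, pos, rule):   # -I <pos>: new rule lands before the old rule <pos>
        self.rules.insert(pos - 1, rule)
    def delete(self, pos):         # -D <pos>: positions are 1-based
        del self.rules[pos - 1]
    def replace(self, pos, rule):  # -R <pos>: old rule <pos> is overwritten
        self.rules[pos - 1] = rule
    def flush(self):               # -F: the rules go, the policy stays
        self.rules = []
    def verdict(self, pkt):        # first match wins; later rules are never consulted
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

# option -> (Rule field, converter) for the subset of options used on the page
OPTIONS = {"-p": ("proto", str), "-s": ("src", str), "-i": ("iface", str), "-j": ("target", str),
           "--dport": ("dport", int), "--state": ("states", lambda v: v.split(","))}

def parse_rule(line):
    """Turn one '-A <chain> ...' line into (chain_name, Rule)."""
    toks = shlex.split(line)
    fields, chain = {}, None
    for opt, val in zip(toks[::2], toks[1::2]):   # every supported option takes one value
        if opt == "-A":
            chain = val
        elif opt in OPTIONS:
            field, conv = OPTIONS[opt]
            fields[field] = conv(val)
        elif opt != "-m":                          # "-m state"/"-m tcp" only name a match module
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    if chain is None or "target" not in fields:
        raise ValueError(f"rule needs -A and -j: {line}")
    return chain, Rule(**fields)

def parse_dump(text):
    """Parse the *filter table of an iptables-save dump into {chain_name: Chain}."""
    chains, in_table = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):       # blank or "# Generated by ..." lines
            continue
        if line.startswith("*"):                   # "*filter": table header
            in_table = True
        elif line.startswith(":"):                 # ":INPUT DROP [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            chains[name] = Chain(policy)
        elif line.startswith("-A"):
            name, rule = parse_rule(line)
            chains[name].append(rule)
        elif line == "COMMIT":                     # required at the end of each table
            in_table = False
        else:
            raise ValueError(f"unexpected line: {line}")
    if in_table:
        raise ValueError("table definition not terminated by COMMIT")
    return chains

def lockout_demo():
    """The page's caution: flushing INPUT while its policy is DROP takes ssh from ACCEPT to DROP."""
    chains = parse_dump(SAMPLE_DUMP)
    ssh = {"proto": "tcp", "src": "10.0.0.5", "iface": "eth0", "dport": 22, "state": "NEW"}
    before = chains["INPUT"].verdict(ssh)
    chains["INPUT"].flush()
    return before, chains["INPUT"].verdict(ssh)
```

    Running lockout_demo() returns ("ACCEPT", "DROP"): before the flush the fourth rule accepts a new ssh connection, after it only the DROP policy is left. The same Chain object can be used to replay the -A, -D, -I and -R sequence shown above and to confirm that a REJECT rule placed before an ACCEPT rule for the same traffic is the one that applies.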

    If needed, to reset packet and byte counters, use -Z (--zero):

    iptables -Z <chain> <rule_number>

    It is also possible to reset the counter of a single rule only. This can be useful if you want to know how many packets a specific rule has matched.

  • Original URL: https://www.cnblogs.com/wucg/p/3333588.html