安装iptable

yum install iptables-services

  1. [root@riyimei ~]# systemctl status iptables.service 
  2. Unit iptables.service could not be found.
  3. [root@riyimei ~]# cd /etc/sysconfig
  4. [root@riyimei sysconfig]# 
  5. [root@riyimei sysconfig]# ls -l
  6. total 84
  7. -rw-r--r--. 1 root root  436 Jan 11 13:44 anaconda
  8. -rw-r--r--. 1 root root  483 Jan 11 13:44 authconfig
  9. drwxr-xr-x. 2 root root   43 Jan 11 13:41 cbq
  10. drwxr-xr-x. 2 root root    6 Aug  9  2019 console
  11. -rw-r--r--. 1 root root  150 Aug  8  2019 cpupower
  12. -rw-------. 1 root root  110 Aug  9  2019 crond
  13. -rw-------. 1 root root 1390 Apr 11  2018 ebtables-config
  14. -rw-r--r--. 1 root root   73 Aug  9  2019 firewalld
  15. lrwxrwxrwx. 1 root root   15 Jan 11 13:42 grub -> ../default/grub
  16. -rw-r--r--. 1 root root  798 Aug  9  2019 init
  17. -rw-------  1 root root 2134 Apr  2 23:57 ip6tables-config
  18. -rw-------  1 root root 2116 Apr  2 23:57 iptables-config
  19. -rw-r--r--. 1 root root  903 Aug  6  2019 irqbalance
  20. -rw-r--r--. 1 root root 1733 Aug  8  2019 kdump
  21. -rw-r--r--. 1 root root  180 Jan 11 13:44 kernel
  22. -rw-r--r--. 1 root root  200 Oct 30  2018 man-db
  23. drwxr-xr-x. 2 root root    6 Aug  9  2019 modules
  24. -rw-r--r--. 1 root root  634 Aug  9  2019 netconsole
  25. -rw-r--r--. 1 root root   22 Jan 11 13:44 network
  26. drwxr-xr-x. 2 root root 4096 Jun 25 09:52 network-scripts
  27. -rw-r--r--. 1 root root   15 Aug  4  2017 rdisc
  28. -rw-r--r--. 1 root root  905 Aug  9  2019 readonly-root
  29. -rw-r--r--. 1 root root  196 Aug  6  2019 rsyslog
  30. -rw-r--r--. 1 root root    0 Jun 10  2014 run-parts
  31. lrwxrwxrwx. 1 root root   17 Jan 11 13:42 selinux -> ../selinux/config
  32. -rw-r-----. 1 root root  506 Aug  9  2019 sshd
  33. -rw-r--r--. 1 root root  610 Oct 31  2018 wpa_supplicant
  34. [root@riyimei sysconfig]# 
  35. [root@riyimei sysconfig]# 
  36. [root@riyimei sysconfig]# 
  37. [root@riyimei sysconfig]# yum install iptables-services
  38. Loaded plugins: fastestmirror
  39. Loading mirror speeds from cached hostfile
  40.  * base: mirrors.aliyun.com
  41.  * extras: mirrors.aliyun.com
  42.  * updates: mirrors.aliyun.com
  43. Resolving Dependencies
  44. --> Running transaction check
  45. ---> Package iptables-services.x86_64 0:1.4.21-34.el7 will be installed
  46. --> Finished Dependency Resolution
  48. Dependencies Resolved
  50. =======================================================================================================================================
  51.  Package                                Arch                        Version                            Repository                 Size
  52. =======================================================================================================================================
  53. Installing:
  54.  iptables-services                      x86_64                      1.4.21-34.el7                      base                       52 k
  56. Transaction Summary
  57. =======================================================================================================================================
  58. Install  1 Package
  60. Total download size: 52 k
  61. Installed size: 23 k
  62. Is this ok [y/d/N]: y
  63. Downloading packages:
  64. iptables-services-1.4.21-34.el7.x86_64.rpm                                                                      |  52 kB  00:00:00     
  65. Running transaction check
  66. Running transaction test
  67. Transaction test succeeded
  68. Running transaction
  69.   Installing : iptables-services-1.4.21-34.el7.x86_64                                                                              1/1 
  70.   Verifying  : iptables-services-1.4.21-34.el7.x86_64                                                                              1/1 
  72. Installed:
  73.   iptables-services.x86_64 0:1.4.21-34.el7                                                                                             
  75. Complete!
  76. [root@riyimei sysconfig]# ls -l
  77. total 92
  78. -rw-r--r--. 1 root root  436 Jan 11 13:44 anaconda
  79. -rw-r--r--. 1 root root  483 Jan 11 13:44 authconfig
  80. drwxr-xr-x. 2 root root   43 Jan 11 13:41 cbq
  81. drwxr-xr-x. 2 root root    6 Aug  9  2019 console
  82. -rw-r--r--. 1 root root  150 Aug  8  2019 cpupower
  83. -rw-------. 1 root root  110 Aug  9  2019 crond
  84. -rw-------. 1 root root 1390 Apr 11  2018 ebtables-config
  85. -rw-r--r--. 1 root root   73 Aug  9  2019 firewalld
  86. lrwxrwxrwx. 1 root root   15 Jan 11 13:42 grub -> ../default/grub
  87. -rw-r--r--. 1 root root  798 Aug  9  2019 init
  88. -rw-------  1 root root  635 Apr  2 23:57 ip6tables
  89. -rw-------  1 root root 2134 Apr  2 23:57 ip6tables-config
  90. -rw-------  1 root root  550 Apr  2 23:57 iptables
  91. -rw-------  1 root root 2116 Apr  2 23:57 iptables-config
  92. -rw-r--r--. 1 root root  903 Aug  6  2019 irqbalance
  93. -rw-r--r--. 1 root root 1733 Aug  8  2019 kdump
  94. -rw-r--r--. 1 root root  180 Jan 11 13:44 kernel
  95. -rw-r--r--. 1 root root  200 Oct 30  2018 man-db
  96. drwxr-xr-x. 2 root root    6 Aug  9  2019 modules
  97. -rw-r--r--. 1 root root  634 Aug  9  2019 netconsole
  98. -rw-r--r--. 1 root root   22 Jan 11 13:44 network
  99. drwxr-xr-x. 2 root root 4096 Jun 25 09:52 network-scripts
  100. -rw-r--r--. 1 root root   15 Aug  4  2017 rdisc
  101. -rw-r--r--. 1 root root  905 Aug  9  2019 readonly-root
  102. -rw-r--r--. 1 root root  196 Aug  6  2019 rsyslog
  103. -rw-r--r--. 1 root root    0 Jun 10  2014 run-parts
  104. lrwxrwxrwx. 1 root root   17 Jan 11 13:42 selinux -> ../selinux/config
  105. -rw-r-----. 1 root root  506 Aug  9  2019 sshd
  106. -rw-r--r--. 1 root root  610 Oct 31  2018 wpa_supplicant
  107. [root@riyimei sysconfig]#
  1. root@riyimei sysconfig]# systemctl restart iptables.service 
  2. [root@riyimei sysconfig]# systemctl status iptables.service 
  3.  iptables.service - IPv4 firewall with iptables
  4.    Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
  5.    Active: active (exited) since Sat 2020-07-04 23:09:05 CST; 5s ago
  6.   Process: 5435 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
  7.  Main PID: 5435 (code=exited, status=0/SUCCESS)
  9. Jul 04 23:09:05 riyimei systemd[1]: Starting IPv4 firewall with iptables...
  10. Jul 04 23:09:05 riyimei iptables.init[5435]: iptables: Applying firewall rules: [  OK  ]
  11. Jul 04 23:09:05 riyimei systemd[1]: Started IPv4 firewall with iptables.
  12. [root@riyimei sysconfig]#

扩展

  1. [root@riyimei ~]# ls /usr/lib64/xtables/
  2. libip6t_ah.so          libip6t_SNPT.so       libxt_addrtype.so     libxt_dscp.so       libxt_NFQUEUE.so   libxt_statistic.so
  3. libip6t_DNAT.so        libipt_ah.so          libxt_AUDIT.so        libxt_DSCP.so       libxt_NOTRACK.so   libxt_string.so
  4. libip6t_DNPT.so        libipt_CLUSTERIP.so   libxt_bpf.so          libxt_ecn.so        libxt_osf.so       libxt_SYNPROXY.so
  5. libip6t_dst.so         libipt_DNAT.so        libxt_cgroup.so       libxt_esp.so        libxt_owner.so     libxt_tcpmss.so
  6. libip6t_eui64.so       libipt_ECN.so         libxt_CHECKSUM.so     libxt_hashlimit.so  libxt_physdev.so   libxt_TCPMSS.so
  7. libip6t_frag.so        libipt_icmp.so        libxt_CLASSIFY.so     libxt_helper.so     libxt_pkttype.so   libxt_TCPOPTSTRIP.so
  8. libip6t_hbh.so         libipt_LOG.so         libxt_cluster.so      libxt_HMARK.so      libxt_policy.so    libxt_tcp.so
  9. libip6t_hl.so          libipt_MASQUERADE.so  libxt_comment.so      libxt_IDLETIMER.so  libxt_quota.so     libxt_TEE.so
  10. libip6t_HL.so          libipt_MIRROR.so      libxt_connbytes.so    libxt_iprange.so    libxt_rateest.so   libxt_time.so
  11. libip6t_icmp6.so       libipt_NETMAP.so      libxt_connlabel.so    libxt_ipvs.so       libxt_RATEEST.so   libxt_tos.so
  12. libip6t_ipv6header.so  libipt_realm.so       libxt_connlimit.so    libxt_LED.so        libxt_recent.so    libxt_TOS.so
  13. libip6t_LOG.so         libipt_REDIRECT.so    libxt_connmark.so     libxt_length.so     libxt_rpfilter.so  libxt_TPROXY.so
  14. libip6t_MASQUERADE.so  libipt_REJECT.so      libxt_CONNMARK.so     libxt_limit.so      libxt_sctp.so      libxt_TRACE.so
  15. libip6t_mh.so          libipt_SAME.so        libxt_CONNSECMARK.so  libxt_mac.so        libxt_SECMARK.so   libxt_u32.so
  16. libip6t_NETMAP.so      libipt_SNAT.so        libxt_conntrack.so    libxt_mark.so       libxt_set.so       libxt_udp.so
  17. libip6t_REDIRECT.so    libipt_ttl.so         libxt_cpu.so          libxt_MARK.so       libxt_SET.so
  18. libip6t_REJECT.so      libipt_TTL.so         libxt_CT.so           libxt_multiport.so  libxt_socket.so
  19. libip6t_rt.so          libipt_ULOG.so        libxt_dccp.so         libxt_nfacct.so     libxt_standard.so
  20. libip6t_SNAT.so        libipt_unclean.so     libxt_devgroup.so     libxt_NFLOG.so      libxt_state.so
  21. [root@riyimei ~]#

加载模块

  1. modprobe ip_tables
  2. modprobe iptable_filter
  3. modprobe iptable_nat
  4. modprobe ip_conntrack
  5. modprobe ip_conntrack_ftp
  6. modprobe ip_nat_ftp
  7. modprobe ipt_state
  1. [root@riyimei ~]# cat /etc/redhat-release 
  2. CentOS Linux release 7.7.1908 (Core)
  3. [root@riyimei ~]# lsmod |grep iptable
  4. iptable_nat            12875  0 
  5. nf_nat_ipv4            14115  1 iptable_nat
  6. iptable_filter         12810  1 
  7. ip_tables              27126  2 iptable_filter,iptable_nat
  8. [root@riyimei ~]# lsmod |grep nat
  9. nf_nat_ftp             12809  0 
  10. nf_conntrack_ftp       18478  1 nf_nat_ftp
  11. iptable_nat            12875  0 
  12. nf_nat_ipv4            14115  1 iptable_nat
  13. nf_nat                 26583  2 nf_nat_ftp,nf_nat_ipv4
  14. nf_conntrack          139224  7 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
  15. ip_tables              27126  2 iptable_filter,iptable_nat
  16. libcrc32c              12644  3 xfs,nf_nat,nf_conntrack
  17. [root@riyimei ~]#

iptable 帮助

  1. [root@riyimei ~]# iptables  -h
  2. iptables v1.4.21
  4. Usage: iptables -[ACD] chain rule-specification [options]
  5.        iptables -I chain [rulenum] rule-specification [options]
  6.        iptables -R chain rulenum rule-specification [options]
  7.        iptables -D chain rulenum [options]
  8.        iptables -[LS] [chain [rulenum]] [options]
  9.        iptables -[FZ] [chain] [options]
  10.        iptables -[NX] chain
  11.        iptables -E old-chain-name new-chain-name
  12.        iptables -P chain target [options]
  13.        iptables -h (print this help information)
  15. Commands:
  16. Either long or short options are allowed.
  17.   --append  -A chain        Append to chain
  18.   --check   -C chain        Check for the existence of a rule
  19.   --delete  -D chain        Delete matching rule from chain
  20.   --delete  -D chain rulenum
  21.                 Delete rule rulenum (1 = first) from chain
  22.   --insert  -I chain [rulenum]
  23.                 Insert in chain as rulenum (default 1=first)
  24.   --replace -R chain rulenum
  25.                 Replace rule rulenum (1 = first) in chain
  26.   --list    -L [chain [rulenum]]
  27.                 List the rules in a chain or all chains
  28.   --list-rules -S [chain [rulenum]]
  29.                 Print the rules in a chain or all chains
  30.   --flush   -F [chain]        Delete all rules in  chain or all chains
  31.   --zero    -Z [chain [rulenum]]
  32.                 Zero counters in chain or all chains
  33.   --new     -N chain        Create a new user-defined chain
  34.   --delete-chain
  35.             -X [chain]        Delete a user-defined chain
  36.   --policy  -P chain target
  37.                 Change policy on chain to target
  38.   --rename-chain
  39.             -E old-chain new-chain
  40.                 Change chain name, (moving any references)
  41. Options:
  42.     --ipv4    -4        Nothing (line is ignored by ip6tables-restore)
  43.     --ipv6    -6        Error (line is ignored by iptables-restore)
  44. [!] --protocol    -p proto    protocol: by number or name, eg. `tcp'
  45. [!] --source    -s address[/mask][...]
  46.                 source specification
  47. [!] --destination -d address[/mask][...]
  48.                 destination specification
  49. [!] --in-interface -i input name[+]
  50.                 network interface name ([+] for wildcard)
  51.  --jump    -j target
  52.                 target for rule (may load target extension)
  53.   --goto      -g chain
  54.                               jump to chain with no return
  55.   --match    -m match
  56.                 extended match (may load extension)
  57.   --numeric    -n        numeric output of addresses and ports
  58. [!] --out-interface -o output name[+]
  59.                 network interface name ([+] for wildcard)
  60.   --table    -t table    table to manipulate (default: `filter')
  61.   --verbose    -v        verbose mode
  62.   --wait    -w [seconds]    maximum wait to acquire xtables lock before give up
  63.   --wait-interval -W [usecs]    wait time to try to acquire xtables lock
  64.                 default is 1 second
  65.   --line-numbers        print line numbers when listing
  66.   --exact    -x        expand numbers (display exact values)
  67. [!] --fragment    -f        match second or further fragments only
  68.   --modprobe=<command>        try to insert modules using this command
  69.   --set-counters PKTS BYTES    set the counter during insert/append
  70. [!] --version    -V        print package version.
  71. [root@riyimei ~]#

raw —>mangle—>nat—>filter

  1. [root@riyimei ~]# iptables -t raw -L 
  2. Chain PREROUTING (policy ACCEPT)
  3. target     prot opt source               destination         
  5. Chain OUTPUT (policy ACCEPT)
  6. target     prot opt source               destination         
  7. [root@riyimei ~]# iptables -t mangle -L 
  8. Chain PREROUTING (policy ACCEPT)
  9. target     prot opt source               destination         
  11. Chain INPUT (policy ACCEPT)
  12. target     prot opt source               destination         
  14. Chain FORWARD (policy ACCEPT)
  15. target     prot opt source               destination         
  17. Chain OUTPUT (policy ACCEPT)
  18. target     prot opt source               destination         
  20. Chain POSTROUTING (policy ACCEPT)
  21. target     prot opt source               destination         
  22. [root@riyimei ~]# iptables -t nat -L 
  23. Chain PREROUTING (policy ACCEPT)
  24. target     prot opt source               destination         
  26. Chain INPUT (policy ACCEPT)
  27. target     prot opt source               destination         
  29. Chain OUTPUT (policy ACCEPT)
  30. target     prot opt source               destination         
  32. Chain POSTROUTING (policy ACCEPT)
  33. target     prot opt source               destination         
  34. [root@riyimei ~]#

image.png

raw :主要做连接追踪
mangle:对数据包进行修改
nat:修改数据包的地址和端口
filter:实现对数据包的过滤

image.png
image.png

image.png

数据包流向

image.png

iptable语法

iptables.png

示例: