Building a host firewall with iptables
The strength of iptables: it is a packet-filtering mechanism that makes its decisions by analyzing the header data of each packet.
1.1.1 Load the required modules into the kernel
[root@centos7 ~]# lsmod | egrep "nat|filter"
iptable_filter 12810 0
ip_tables 27126 1 iptable_filter
[root@centos7 ~]# modprobe ip_tables
[root@centos7 ~]# modprobe iptable_filter
[root@centos7 ~]# modprobe iptable_nat
[root@centos7 ~]# modprobe ip_conntrack
[root@centos7 ~]# modprobe ip_conntrack_ftp
[root@centos7 ~]# modprobe ip_nat_ftp
[root@centos7 ~]# modprobe ipt_state
[root@centos7 ~]# lsmod | egrep "nat|filter"
nf_nat_ftp 12770 0
nf_conntrack_ftp 18638 1 nf_nat_ftp
iptable_nat 12875 0
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26787 2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack 133053 6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter 12810 0
ip_tables 27126 2 iptable_filter,iptable_nat
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
1.1.2 Flush the existing firewall rules
[root@centos7 ~]# iptables -F
[root@centos7 ~]# iptables -X
[root@centos7 ~]# iptables -Z
1.1.3 Allow SSH traffic and local loopback (lo) traffic
[root@centos7 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
[root@centos7 ~]# iptables -t filter -A INPUT -p tcp -s 192.168.10.1/24 -j ACCEPT
[root@centos7 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.168.10.0/24 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@centos7 ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
[root@centos7 ~]# iptables -t filter -A OUTPUT -o lo -j ACCEPT
[root@centos7 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.168.10.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
1.1.4 Change the default policies
[root@centos7 ~]# iptables -P INPUT DROP
[root@centos7 ~]# iptables -P FORWARD DROP
[root@centos7 ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.168.10.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
1.1.5 Allow trusted network ranges (such as the office network) and open the public service ports, e.g. 80/443
[root@centos7 ~]# iptables -t filter -A INPUT -s 124.56.56.77/24 -p all -j ACCEPT
[root@centos7 ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.168.10.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 124.56.56.0/24 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
# Open the ports of the services offered to the outside
[root@centos7 ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[root@centos7 ~]# iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
[root@centos7 ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[root@centos7 ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
1.1.6 Allow packets of established and related connections
# Allow related packets through, for example the data connections of FTP
[root@centos7 ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos7 ~]# iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
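Sections 1.1.2 to 1.1.6 append rules one at a time, which leaves the host with a partial rule set between commands and makes the final order depend on typing order. The script below is an added example, not part of the original page: it generates the same policy as one iptables-restore file and loads it in a single transaction, with the stateful rule placed first (most packets belong to an existing flow and stop there) and a throttled LOG rule in front of the DROP policy so rejected traffic is visible in syslog. It uses `-m conntrack --ctstate`, the current equivalent of the page's `-m state --state`; both are available on CentOS 7. The network values are constructed samples taken from the page (note that iptables normalizes the page's `-s 192.168.10.1/24` to the network address 192.168.10.0/24, as the page's own `iptables -nL` output shows); the `--apply` mode, the rate limits and the log prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original page's commands): the rule set of sections
# 1.1.2-1.1.6 built as one iptables-restore file and loaded atomically.
# The network values are constructed samples taken from the page; adjust them.
set -eu

SSH_PORT="${SSH_PORT:-22}"
MGMT_NET="${MGMT_NET:-192.168.10.0/24}"      # sample management subnet (page: 192.168.10.1/24)
OFFICE_NET="${OFFICE_NET:-124.56.56.0/24}"   # sample office network (page: 124.56.56.77/24)
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"     # public tcp services, space separated

# build_ruleset: print the filter table in iptables-save format on stdout.
# iptables-restore ignores lines starting with '#', so the comments can stay.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first; local daemons talk to each other over lo constantly.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful rule early: packets of existing flows stop here, so the ACCEPTs
# below only ever see new connection attempts.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management access as in section 1.1.3: ssh from anywhere, any tcp service
# from the management subnet.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp -m conntrack --ctstate NEW -j ACCEPT
# Office network, all protocols, as in section 1.1.5.
-A INPUT -s ${OFFICE_NET} -j ACCEPT
EOF
    for port in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# Echo requests only, rate limited so a ping flood does not burn CPU.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/s -j ACCEPT
# Log what the DROP policy is about to discard, throttled to keep syslog usable.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-drop: " --log-level 4
COMMIT
EOF
}

# apply_ruleset: keep a copy of the live rules for rollback, validate the new
# file without committing it, then load it in one transaction. Needs root.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply needs root" >&2
        return 1
    fi
    backup="$(mktemp /tmp/iptables-backup.XXXXXX)"
    new="$(mktemp /tmp/iptables-new.XXXXXX)"
    iptables-save > "$backup"
    build_ruleset > "$new"
    # --test parses and builds the set but does not commit it: a typo aborts
    # here instead of leaving a half-applied chain.
    if ! iptables-restore --test "$new"; then
        echo "ruleset rejected, nothing changed" >&2
        return 1
    fi
    iptables-restore "$new"
    echo "applied; roll back with: iptables-restore $backup"
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       build_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to review the generated file, and with `--apply` as root to load it; keep a second SSH session open while doing so, and use the printed backup file to roll back if the new set locks you out.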
1.1.7 Save the rules
service iptables save
1.1.8 Check the saved firewall rules
[root@centos7 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sat Sep 1 14:07:33 2018
*nat
:PREROUTING ACCEPT [16080:2838916]
:INPUT ACCEPT [13058:2471258]
:OUTPUT ACCEPT [45190:2717272]
:POSTROUTING ACCEPT [45190:2717272]
COMMIT
# Completed on Sat Sep 1 14:07:33 2018
# Generated by iptables-save v1.4.21 on Sat Sep 1 14:07:33 2018
*filter
:INPUT DROP [736:92755]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:228]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 124.56.56.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Sep 1 14:07:33 2018
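The saved file is what the iptables service loads at boot, so it, not the interactive session, is the rule set worth auditing; on CentOS 7 `service iptables save` and that boot-time load come from the iptables-services package rather than the default firewalld. The page's own listing shows why a comparison matters: the `--icmp-type any` rule typed in 1.1.5 is absent from the saved file, and the rule order differs from the order typed. The script below is an added example, not part of the original page: it reads a file in the `/etc/sysconfig/iptables` format, checks that the properties this tutorial builds are present (DROP policies on INPUT and FORWARD, loopback allowed, SSH allowed so the next reboot cannot lock you out, a stateful rule) and lists ACCEPT rules that expose every port to a source network. The embedded sample is a constructed copy of the page's filter table; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a saved iptables rule set
# in the /etc/sysconfig/iptables format shown in section 1.1.8.
set -eu

# Constructed sample: a copy of the filter table the page saved in 1.1.8.
SAMPLE_RULES='*filter
:INPUT DROP [736:92755]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:228]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 124.56.56.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# filter_table FILE: print only the *filter section (a saved file may also
# carry a *nat section, as the page's does).
filter_table() {
    sed -n '/^\*filter/,/^COMMIT/p' "$1"
}

# policy_of FILE CHAIN: print the default policy of CHAIN in the filter table.
policy_of() {
    filter_table "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# required_rules_ok FILE: exit 0 when every property the tutorial builds is
# present, otherwise print the first failing check and exit 1.
required_rules_ok() {
    f="$1"
    [ "$(policy_of "$f" INPUT)" = "DROP" ] \
        || { echo "FAIL: INPUT default policy is not DROP"; return 1; }
    [ "$(policy_of "$f" FORWARD)" = "DROP" ] \
        || { echo "FAIL: FORWARD default policy is not DROP"; return 1; }
    filter_table "$f" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "FAIL: loopback traffic is not accepted"; return 1; }
    filter_table "$f" | grep -q -- '^-A INPUT .*--dport 22 .*-j ACCEPT' \
        || { echo "FAIL: ssh is not accepted; reboot would lock you out"; return 1; }
    filter_table "$f" | grep -Eq -- \
        '^-A INPUT -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
        || { echo "FAIL: no stateful ESTABLISHED,RELATED rule on INPUT"; return 1; }
    return 0
}

# broad_accepts FILE: print INPUT ACCEPT rules that match a source network but
# no destination port, i.e. every listening service is reachable from there.
broad_accepts() {
    filter_table "$1" | grep -- '^-A INPUT -s ' | grep -- '-j ACCEPT' \
        | grep -v -- '--dport' || true
}

# count_broad_accepts FILE: number of such rules.
count_broad_accepts() {
    broad_accepts "$1" | wc -l | tr -d ' '
}

# Audit the embedded sample (or a file given on the command line).
target="${1:-}"
if [ -z "$target" ]; then
    target="$(mktemp)"
    printf '%s\n' "$SAMPLE_RULES" > "$target"
fi
required_rules_ok "$target" && echo "OK: required rules present"
echo "INPUT rules exposing every port to a network: $(count_broad_accepts "$target")"
broad_accepts "$target" | sed 's/^/  WARN: /'
```

Run as `sh audit.sh /etc/sysconfig/iptables` after `service iptables save`; on the page's rule set it reports the two network-wide ACCEPT rules (192.168.10.0/24 for all tcp, 124.56.56.0/24 for everything) as warnings, which is the intended policy here but is exactly the kind of rule that should be re-checked whenever the trusted networks change.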
Source: http://www.bubuko.com/infodetail-2753814.html