1. Explicit extensions
An explicit extension must be loaded with the -m option, which names the extension module to use. List the installed extension modules with:
$ rpm -ql iptables | grep "\.so"
View the documentation for the explicit extensions:
- # CentOS 6
- $ man iptables
- # CentOS 7
- $ man iptables-extensions
2. Extension options
2.1 The multiport extension
Matches multiple ports given as a discrete list; at most 15 ports can be specified.
[!] --source-ports, --sports port[,port|,port:port]...: specify multiple source ports
[!] --destination-ports, --dports port[,port|,port:port]...: specify multiple discrete destination ports
--ports port[,port|,port:port]...: matches either the source port or the destination port
Example: allow other hosts to access ports 22 and 80 on host 192.168.123.101
- $ iptables -t filter -I INPUT -s 0.0.0.0/0 -d 192.168.123.101 -p tcp -m multiport --dports 22,80 -j ACCEPT
- $ iptables -t filter -I OUTPUT -d 0.0.0.0/0 -s 192.168.123.101 -p tcp -m multiport --sports 22,80 -j ACCEPT
- $ iptables -L -n -v
- Chain INPUT (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 378 42192 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 multiport dports 22,80
- ...
- Chain OUTPUT (policy DROP 2 packets, 152 bytes)
- pkts bytes target prot opt in out source destination
- 135 19800 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 multiport sports 22,80
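The 15-port limit above is easy to exceed once ranges are involved, because iptables counts a port range (low:high) as two ports. The helper below is an added example, not code from the original post: a hypothetical multiport_count function that validates a --dports/--sports/--ports spec the way the rules on this page write them and reports how many of the 15 slots it consumes, so a ruleset generator can fail before calling iptables.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original page).
# multiport_count SPEC: validate a multiport spec such as "22,80" or
# "22:23,80" and print how many of the 15 available port slots it uses.
# A port range low:high counts as two ports. Returns 1 on a malformed
# entry, a reversed range, or more than 15 ports.
multiport_count() {
    spec=$1
    count=0
    old_ifs=$IFS
    IFS=,
    for entry in $spec; do
        case $entry in
            *:*)
                low=${entry%%:*}
                high=${entry#*:}
                if ! port_ok "$low" || ! port_ok "$high" || [ "$low" -gt "$high" ]; then
                    IFS=$old_ifs
                    echo "bad range: $entry" >&2
                    return 1
                fi
                count=$((count + 2))
                ;;
            *)
                if ! port_ok "$entry"; then
                    IFS=$old_ifs
                    echo "bad port: $entry" >&2
                    return 1
                fi
                count=$((count + 1))
                ;;
        esac
    done
    IFS=$old_ifs
    if [ "$count" -gt 15 ]; then
        echo "too many ports: $count > 15" >&2
        return 1
    fi
    echo "$count"
}

# port_ok PORT: true when PORT is an integer in 1..65535
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The two specs used in the rules on this page: prints 2, then 3
multiport_count "22,80"
multiport_count "22:23,80"
```

Call it before building a rule: if it returns non-zero, the spec would either be rejected by iptables or silently need a second rule.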
2.2 The iprange extension
Used to match a contiguous range of IP addresses that usually cannot be expressed as a whole network (CIDR block).
Example: allow only 192.168.123.1 through 192.168.123.10 to access ports 22 and 80 on host 192.168.123.101
- $ iptables -t filter -I INPUT -d 192.168.123.101 -p tcp -m multiport --dports 22:23,80 -m iprange --src-range 192.168.123.1-192.168.123.10 -j ACCEPT
- $ iptables -t filter -I OUTPUT -s 192.168.123.101 -p tcp -m multiport --sports 22:23,80 -m iprange --dst-range 192.168.123.1-192.168.123.10 -j ACCEPT
- $ iptables -L -n -v
- Chain INPUT (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 271 29080 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 multiport dports 22:23,80 source IP range 192.168.123.1-192.168.123.10
- ...
- ...
- Chain OUTPUT (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 23 3288 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 multiport sports 22:23,80 destination IP range
- ...
2.3 The string extension
Checks for a string appearing in the packet payload.
--algo {bm|kmp}: string-matching algorithm, bm (Boyer-Moore) or kmp (Knuth-Morris-Pratt).
- [!] --string pattern
- [!] --hex-string pattern
Example: if a web response from host 192.168.123.101 contains the string "movie", reject the response
$ iptables -t filter -I OUTPUT -s 192.168.123.101 -d 0.0.0.0/0 -m string --algo bm --string "movie" -j REJECT
2.4 The time extension
Matches on whether the packet's arrival time falls within a specified time range.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
- --timestart hh:mm[:ss]
- --timestop hh:mm[:ss]
- [!] --monthdays day[,day...]
- [!] --weekdays day[,day...]
Example: deny access to port 80 on host 192.168.123.101 between 14:00 and 16:00
- $ iptables -t filter -I INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp --dport 80 -m time --timestart 14:00 --timestop 16:00 -j REJECT
- $ iptables -L -n -v
- Chain INPUT (policy ACCEPT 3 packets, 228 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT tcp -- * * 0.0.0.0/0 192.168.123.101 tcp dpt:80 TIME from 14:00:00 to 16:00:00 UTC reject-with icmp-port-unreachable
- ...
Note the "UTC" in the listing: the time extension compares against UTC by default, so on a host in another time zone the window above is not 14:00-16:00 local time; add --kerneltz to the rule to match against the kernel's local time zone instead.
2.5 The connlimit extension
Matches on the number of concurrent connections per client IP address (or per address block).
--connlimit-above n: more than n connections
--connlimit-upto n: n or fewer connections
Example: once other hosts have more than 3 connections to port 22 on host 192.168.123.101, reject further connections.
- $ iptables -t filter -I INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j REJECT
- $ iptables -L -n
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- REJECT tcp -- 0.0.0.0/0 192.168.123.101 tcp dpt:22 #conn src/32> 3 reject-with icmp-port-unreachable
- ...
2.6 The limit extension
Checks based on the rate at which packets are sent or received.
Token bucket filter:
- --limit rate[/second|/minute|/hour|/day]
- --limit-burst number
Example: ICMP requests from other hosts to host 192.168.123.100 are capped at a burst of 5 per second and at most 30 per minute
- # INPUT rule reconstructed from the listing below (the original post omitted it)
- $ iptables -t filter -A INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p icmp --icmp-type 8 -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
- $ iptables -t filter -A OUTPUT -d 0.0.0.0/0 -s 192.168.123.101 -p icmp --icmp-type 0 -j ACCEPT
- $ iptables -L -n -v
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- ...
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.123.101 icmptype 8 limit: avg 30/min burst 5
- ...
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- ...
- 0 0 ACCEPT icmp -- * * 192.168.123.101 0.0.0.0/0 icmptype 0
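To see what "limit: avg 30/min burst 5" actually admits, the following added example (not code from the original post) models the token bucket behind -m limit: the bucket holds at most --limit-burst tokens, starts full, refills at the --limit rate, and every matching packet spends one token. The limit_simulate function, its scaled-integer arithmetic and the packet arrival times are all assumptions of this example; the rate is passed per minute so that the page's 30/minute case maps directly.

```shell
#!/bin/sh
# Hypothetical model (added example, not from the original page) of the
# token bucket used by "-m limit --limit RATE/minute --limit-burst BURST".
# limit_simulate RATE_PER_MIN BURST T1 T2 ...: replay packets arriving at the
# given times (seconds, ascending) and print "accepted dropped".
# Tokens are scaled by 60 so that a rate of N per minute refills exactly N
# scaled units per elapsed second using integer arithmetic only.
limit_simulate() {
    rate_per_min=$1
    burst=$2
    shift 2
    capacity=$((burst * 60))   # the bucket never holds more than BURST packets
    tokens=$capacity           # like the kernel match, the bucket starts full
    last=0
    accepted=0
    dropped=0
    for t in "$@"; do
        # refill for the time elapsed since the previous packet, capped at BURST
        tokens=$((tokens + (t - last) * rate_per_min))
        if [ "$tokens" -gt "$capacity" ]; then
            tokens=$capacity
        fi
        last=$t
        if [ "$tokens" -ge 60 ]; then
            tokens=$((tokens - 60))        # one packet costs one token: rule matches
            accepted=$((accepted + 1))
        else
            dropped=$((dropped + 1))       # bucket empty: rule does not match
        fi
    done
    echo "$accepted $dropped"
}

# Seven echo requests in the same second with 30/minute burst 5: prints "5 2"
limit_simulate 30 5 0 0 0 0 0 0 0
```

Two things the listing alone does not show: after the burst is spent, a 30/minute rate admits one more packet only every 2 seconds, and a quiet 10 seconds is enough to refill the whole burst of 5. Note that in the page's rule the packets that fail the limit match simply fall through to the next rule or the chain policy; the limit match itself never drops anything.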
2.7 The state extension
Checks the state of a connection using the connection-tracking (conntrack) mechanism.
Maximum number of connections the connection-tracking table can hold: /proc/sys/net/nf_conntrack_max
- $ cat /proc/sys/net/nf_conntrack_max
- 31248
- $ echo "65535" > /proc/sys/net/nf_conntrack_max
- $ cat /proc/sys/net/nf_conntrack_max
- 65535
Connections that have already been tracked and recorded: /proc/net/nf_conntrack
- $ cat /proc/net/nf_conntrack
- ipv4 2 udp 17 19 src=192.168.123.101 dst=202.112.29.82 sport=55386 dport=123 src=202.112.29.82 dst=192.168.123.101 sport=123 dport=55386 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
- ipv4 2 udp 17 19 src=192.168.123.101 dst=5.103.139.163 sport=35028 dport=123 src=5.103.139.163 dst=192.168.123.101 sport=123 dport=35028 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
- ipv4 2 udp 17 18 src=192.168.123.101 dst=202.112.31.197 sport=41850 dport=123 src=202.112.31.197 dst=192.168.123.101 sport=123 dport=41850 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
- ipv4 2 tcp 6 299 ESTABLISHED src=192.168.123.101 dst=192.168.123.1 sport=22 dport=1214 src=192.168.123.1 dst=192.168.123.101 sport=1214 dport=22 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
- ipv4 2 udp 17 17 src=192.168.123.101 dst=5.79.108.34 sport=56947 dport=123 src=5.79.108.34 dst=192.168.123.101 sport=123 dport=56947 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
Tracking timeouts for the different protocols and connection types: /proc/sys/net/netfilter/
Trackable connection states:
NEW: a newly issued request; the connection-tracking table has no entry for this connection, so it is recognized as the first request.
ESTABLISHED: the state of communication after NEW, for as long as the entry created for the connection in the tracking table has not expired.
RELATED: a related connection, such as the relationship between the command connection and the data connection of the FTP protocol.
INVALID: a connection that cannot be identified.
[!] --state STATE1,STATE2,...
Example 1: allow other hosts to access ports 22 and 80 on host 192.168.123.101 when the connection state is NEW or ESTABLISHED.
- $ iptables -t filter -I INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
- $ iptables -t filter -I OUTPUT -s 192.168.123.101 -d 0.0.0.0/0 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
- $ iptables -L -n -v
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 398 42224 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 multiport dports 22,80 state NEW,ESTABLISHED
- ...
- ...
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 6 1104 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 multiport sports 22,80 state ESTABLISHED
- ...
Example 2: open up passive-mode FTP service on host 192.168.123.101
- $ lsmod | grep ftp
- $ modprobe nf_conntrack_ftp
- $ lsmod | grep ftp
- nf_conntrack_ftp 18638 0
- nf_conntrack 111302 4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
- $ iptables -t filter -A INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- $ iptables -t filter -A INPUT -d 192.168.123.101 -s 0.0.0.0/0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
- $ iptables -t filter -A OUTPUT -s 192.168.123.101 -d 0.0.0.0/0 -p tcp -m state --state ESTABLISHED -j ACCEPT
- $ iptables -L -n -v
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- ...
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 tcp dpt:21 state NEW,ESTABLISHED
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.123.101 state RELATED,ESTABLISHED
- ...
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- ...
- 0 0 ACCEPT tcp -- * * 192.168.123.101 0.0.0.0/0 state ESTABLISHED
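Both the connlimit match (section 2.5) and the state match (section 2.7) are driven by the entries in /proc/net/nf_conntrack shown above. The script below is an added example, not code from the original post: it reads that table (a constructed sample in the same format is embedded so it runs offline) and counts TCP flows to a given local port per originating source address, which is the quantity "--connlimit-above 3" compares against. The functions conn_per_source and above_limit, the sample file and its addresses are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page. Audit what connlimit counts by
# parsing /proc/net/nf_conntrack lines. The sample below is constructed in
# the page's format; addresses and ports are made up.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 299 ESTABLISHED src=192.168.123.1 dst=192.168.123.101 sport=1214 dport=22 src=192.168.123.101 dst=192.168.123.1 sport=22 dport=1214 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 280 ESTABLISHED src=192.168.123.1 dst=192.168.123.101 sport=1215 dport=22 src=192.168.123.101 dst=192.168.123.1 sport=22 dport=1215 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 120 ESTABLISHED src=192.168.123.7 dst=192.168.123.101 sport=40000 dport=22 src=192.168.123.101 dst=192.168.123.7 sport=22 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 30 SYN_SENT src=192.168.123.1 dst=192.168.123.101 sport=1216 dport=22 src=192.168.123.101 dst=192.168.123.1 sport=22 dport=1216 mark=0 zone=0 use=2
ipv4     2 tcp      6 100 ESTABLISHED src=192.168.123.1 dst=192.168.123.101 sport=1300 dport=80 src=192.168.123.101 dst=192.168.123.1 sport=80 dport=1300 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 19 src=192.168.123.101 dst=202.112.29.82 sport=55386 dport=123 src=202.112.29.82 dst=192.168.123.101 sport=123 dport=55386 mark=0 zone=0 use=2'

SAMPLE_FILE=${TMPDIR:-/tmp}/nf_conntrack.sample.$$
printf '%s\n' "$SAMPLE_CONNTRACK" > "$SAMPLE_FILE"

# conn_per_source DPORT [FILE]: count TCP flows whose original direction is
# towards local port DPORT, grouped by originating source address. Only the
# first src=/dport= pair on each line is the original direction; the second
# pair is the reply tuple and must be ignored. Output: "<count> <src>",
# highest count first. FILE defaults to the live conntrack table.
conn_per_source() {
    dport=$1
    file=${2:-/proc/net/nf_conntrack}
    awk -v want="$dport" '
        $3 == "tcp" {
            src = ""; dst_port = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dst_port == "" && $i ~ /^dport=/) dst_port = substr($i, 7)
            }
            if (dst_port == want) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' "$file" | sort -rn
}

# above_limit DPORT LIMIT [FILE]: list the sources that
# "-m connlimit --connlimit-above LIMIT" would already be rejecting,
# i.e. those with strictly more than LIMIT tracked flows to DPORT.
above_limit() {
    conn_per_source "$1" "${3:-/proc/net/nf_conntrack}" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# On the sample: 192.168.123.1 has 3 flows to port 22 (two ESTABLISHED plus
# one SYN_SENT, all of which conntrack counts), 192.168.123.7 has 1.
conn_per_source 22 "$SAMPLE_FILE"
above_limit 22 2 "$SAMPLE_FILE"
```

On a real host run conn_per_source 22 without the file argument (as root, since /proc/net/nf_conntrack is not world-readable on most systems). Two points worth noticing: half-open flows such as SYN_SENT count towards the connlimit total just like ESTABLISHED ones, and with the rule from section 2.5 the rejected packets are exactly those from sources that above_limit 22 3 would print.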
Source: http://www.bubuko.com/infodetail-2687267.html