<!doctype html>
<html lang="en" data-color-mode="dark">
<head>
<meta charset="utf-8">
<title>iptables 备忘清单
&#x26; iptables cheatsheet &#x26; Quick Reference</title>
<meta content="width=device-width, initial-scale=1" name="viewport">
<meta name="description" content="iptables 是一个配置 Linux 内核防火墙的命令行工具,是 netfilter 项目的一部分。这个快速参考备忘单显示了它的常用命令使用清单
入门,为开发人员分享快速参考备忘单。">
<meta name="keywords" content="iptables,reference,Quick,Reference,cheatsheet,cheat,sheet">
<meta name="author" content="jaywcjlove">
<meta name="license" content="MIT">
<meta name="funding" content="https://jaywcjlove.github.io/#/sponsor">
<link rel="apple-touch-icon" href="../icons/touch-icon-iphone.png">
<link rel="apple-touch-icon" sizes="152x152" href="../icons/touch-icon-ipad.png">
<link rel="apple-touch-icon" sizes="180x180" href="../icons/touch-icon-iphone.png">
<link rel="apple-touch-icon" sizes="167x167" href="../icons/touch-icon-ipad-retina.png">
<link rel="apple-touch-icon" sizes="120x120" href="../icons/touch-icon-iphone-retina.png">
<link rel="icon" href="../icons/favicon.svg" type="image/svg+xml">
<link href="../style/style.css" rel="stylesheet">
<link href="../style/katex.css" rel="stylesheet">
</head>
<body><nav class="header-nav"><div class="max-container"><a href="../index.html" class="logo"><svg viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg" height="1em" width="1em">
<path d="m21.66 10.44-.98 4.18c-.84 3.61-2.5 5.07-5.62 4.77-.5-.04-1.04-.13-1.62-.27l-1.68-.4c-4.17-.99-5.46-3.05-4.48-7.23l.98-4.19c.2-.85.44-1.59.74-2.2 1.17-2.42 3.16-3.07 6.5-2.28l1.67.39c4.19.98 5.47 3.05 4.49 7.23Z" fill="#c9d1d9"></path>
<path d="M15.06 19.39c-.62.42-1.4.77-2.35 1.08l-1.58.52c-3.97 1.28-6.06.21-7.35-3.76L2.5 13.28c-1.28-3.97-.22-6.07 3.75-7.35l1.58-.52c.41-.13.8-.24 1.17-.31-.3.61-.54 1.35-.74 2.2l-.98 4.19c-.98 4.18.31 6.24 4.48 7.23l1.68.4c.58.14 1.12.23 1.62.27Zm2.43-8.88c-.06 0-.12-.01-.19-.02l-4.85-1.23a.75.75 0 0 1 .37-1.45l4.85 1.23a.748.748 0 0 1-.18 1.47Z" fill="#228e6c"></path>
<path d="M14.56 13.89c-.06 0-.12-.01-.19-.02l-2.91-.74a.75.75 0 0 1 .37-1.45l2.91.74c.4.1.64.51.54.91-.08.34-.38.56-.72.56Z" fill="#228e6c"></path>
</svg>
<span class="title">Quick Reference</span></a><div class="menu"><a href="javascript:void(0);" class="searchbtn" id="searchbtn"><svg xmlns="http://www.w3.org/2000/svg" height="1em" width="1em" viewBox="0 0 18 18">
<path fill="currentColor" d="M17.71,16.29 L14.31,12.9 C15.4069846,11.5024547 16.0022094,9.77665502 16,8 C16,3.581722 12.418278,0 8,0 C3.581722,0 0,3.581722 0,8 C0,12.418278 3.581722,16 8,16 C9.77665502,16.0022094 11.5024547,15.4069846 12.9,14.31 L16.29,17.71 C16.4777666,17.8993127 16.7333625,18.0057983 17,18.0057983 C17.2666375,18.0057983 17.5222334,17.8993127 17.71,17.71 C17.8993127,17.5222334 18.0057983,17.2666375 18.0057983,17 C18.0057983,16.7333625 17.8993127,16.4777666 17.71,16.29 Z M2,8 C2,4.6862915 4.6862915,2 8,2 C11.3137085,2 14,4.6862915 14,8 C14,11.3137085 11.3137085,14 8,14 C4.6862915,14 2,11.3137085 2,8 Z"></path>
</svg><span>搜索</span><span>⌘K</span></a><a href="https://github.com/jaywcjlove/reference/blob/main/docs/iptables.md" class="edit" target="__blank"><svg viewBox="0 0 36 36" fill="currentColor" height="1em" width="1em"><path d="m33 6.4-3.7-3.7a1.71 1.71 0 0 0-2.36 0L23.65 6H6a2 2 0 0 0-2 2v22a2 2 0 0 0 2 2h22a2 2 0 0 0 2-2V11.76l3-3a1.67 1.67 0 0 0 0-2.36ZM18.83 20.13l-4.19.93 1-4.15 9.55-9.57 3.23 3.23ZM29.5 9.43 26.27 6.2l1.85-1.85 3.23 3.23Z"></path><path fill="none" d="M0 0h36v36H0z"></path></svg><span>编辑</span></a><button id="darkMode" type="button"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentColor" class="light" height="1em" width="1em">
<path d="M6.995 12c0 2.761 2.246 5.007 5.007 5.007s5.007-2.246 5.007-5.007-2.246-5.007-5.007-5.007S6.995 9.239 6.995 12zM11 19h2v3h-2zm0-17h2v3h-2zm-9 9h3v2H2zm17 0h3v2h-3zM5.637 19.778l-1.414-1.414 2.121-2.121 1.414 1.414zM16.242 6.344l2.122-2.122 1.414 1.414-2.122 2.122zM6.344 7.759 4.223 5.637l1.415-1.414 2.12 2.122zm13.434 10.605-1.414 1.414-2.122-2.122 1.414-1.414z"></path>
</svg>
<svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 24 24" class="dark" height="1em" width="1em">
<path d="M12 11.807A9.002 9.002 0 0 1 10.049 2a9.942 9.942 0 0 0-5.12 2.735c-3.905 3.905-3.905 10.237 0 14.142 3.906 3.906 10.237 3.905 14.143 0a9.946 9.946 0 0 0 2.735-5.119A9.003 9.003 0 0 1 12 11.807z"></path>
</svg>
</button><script src="../js/dark.js?v=1.8.3"></script><a href="https://github.com/jaywcjlove/reference" class="" target="__blank"><svg viewBox="0 0 16 16" fill="currentColor" height="1em" width="1em"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.012 8.012 0 0 0 16 8c0-4.42-3.58-8-8-8z"></path></svg></a></div></div></nav><div class="wrap h1body-exist max-container"><header class="wrap-header h1wrap"><h1 id="iptables-备忘清单"><svg viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg" fill="currentColor" height="1em" width="1em">
<path d="M107.946667 838.4l57.173333 23.893333v-385.28l-103.68 250.026667c-17.493333 43.52 3.413333 93.44 46.506667 111.36z m832-157.866667L728.32 169.813333a85.888 85.888 0 0 0-77.226667-52.48c-11.093333 0-22.613333 1.706667-33.706666 6.4L302.933333 253.866667a85.290667 85.290667 0 0 0-46.08 110.933333l211.626667 510.72a85.248 85.248 0 0 0 110.933333 46.08l314.026667-130.133333a85.077333 85.077333 0 0 0 46.506667-110.933334zM336.213333 373.333333c-23.466667 0-42.666667-19.2-42.666666-42.666666s19.2-42.666667 42.666666-42.666667 42.666667 19.2 42.666667 42.666667-19.2 42.666667-42.666667 42.666666z m-85.333333 469.333334c0 46.933333 38.4 85.333333 85.333333 85.333333h61.866667l-147.2-355.84v270.506667z"></path>
</svg><a aria-hidden="true" tabindex="-1" href="#iptables-备忘清单"><span class="icon icon-link"></span></a>iptables 备忘清单</h1><div class="wrap-body">
<p>iptables 是一个配置 Linux 内核防火墙的命令行工具,是 <a href="https://en.wikipedia.org/wiki/Netfilter">netfilter</a> 项目的一部分。这个快速参考备忘单显示了它的常用命令使用清单</p>
</div></header><div class="menu-tocs"><div class="menu-btn"><svg aria-hidden="true" fill="currentColor" height="1em" width="1em" viewBox="0 0 16 16" version="1.1" data-view-component="true">
<path fill-rule="evenodd" d="M2 4a1 1 0 100-2 1 1 0 000 2zm3.75-1.5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zM3 8a1 1 0 11-2 0 1 1 0 012 0zm-1 6a1 1 0 100-2 1 1 0 000 2z"></path>
</svg></div><div class="menu-modal"><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#入门">入门</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#介绍">介绍</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#安装-iptables">安装 iptables</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#服务管理">服务管理</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#命令参数">命令参数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#开始配置规则">开始配置规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#删除插入规则">删除/插入规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#显示规则">显示规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#列出特定链的规则">列出特定链的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#保存规则">保存规则</a><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#iptables-示例">iptables 示例</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#清空当前的所有规则和计数">清空当前的所有规则和计数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#配置允许-ssh-端口连接">配置允许 ssh 端口连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许本地回环地址可以正常使用">允许本地回环地址可以正常使用</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#设置默认的规则">设置默认的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#配置白名单">配置白名单</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#开启相应的服务端口">开启相应的服务端口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#保存规则到配置文件中">保存规则到配置文件中</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#列出已设置的规则">列出已设置的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#清除已有规则">清除已有规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#删除已添加的规则">删除已添加的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#开放指定的端口">开放指定的端口</a><a aria-hidden="true" class="leve3 tocs-link" 
data-num="3" href="#屏蔽-ip">屏蔽 IP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#指定数据包出去的网络接口">指定数据包出去的网络接口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#查看已添加的规则">查看已添加的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#启动网络转发规则">启动网络转发规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#端口映射">端口映射</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#字符串匹配">字符串匹配</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止-windows-蠕虫的攻击">阻止 Windows 蠕虫的攻击</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#防止-syn-洪水攻击">防止 SYN 洪水攻击</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许环回连接">允许环回连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许已建立和相关的传入连接">允许已建立和相关的传入连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许已建立的传出连接">允许已建立的传出连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#内部到外部">内部到外部</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#丢弃无效数据包">丢弃无效数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止-ip-地址">阻止 IP 地址</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止和-ip-地址并拒绝">阻止和 IP 地址并拒绝</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止与网络接口的连接">阻止与网络接口的连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-ssh">允许所有传入的 SSH</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的传入-ssh">允许来自特定 IP 地址或子网的传入 SSH</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传出-ssh">允许传出 SSH</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的传入-rsync">允许来自特定 IP 地址或子网的传入 Rsync</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传入-http">允许传入 HTTP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传入-https">允许传入 HTTPS</a><a 
aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传入-http-和-https">允许传入 HTTP 和 HTTPS</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的-mysql">允许来自特定 IP 地址或子网的 MySQL</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许-mysql-到特定的网络接口">允许 MySQL 到特定的网络接口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的-postgresql">允许来自特定 IP 地址或子网的 PostgreSQL</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许-postgresql-到特定的网络接口">允许 PostgreSQL 到特定的网络接口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止传出-smtp-邮件">阻止传出 SMTP 邮件</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-smtp">允许所有传入的 SMTP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-imap">允许所有传入的 IMAP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-imaps">允许所有传入的 IMAPS</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-pop3">允许所有传入的 POP3</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-pop3s">允许所有传入的 POP3S</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#在公共接口上删除专用网络地址">在公共接口上删除专用网络地址</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#将所有传出到-facebook-网络">将所有传出到 Facebook 网络</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#记录和丢弃数据包">记录和丢弃数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#记录和丢弃日志条目数量有限的数据包">记录和丢弃日志条目数量有限的数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#丢弃或接受来自-mac-地址的流量">丢弃或接受来自 Mac 地址的流量</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止或允许-icmp-ping-请求">阻止或允许 ICMP Ping 请求</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-multiport-指定多个端口">使用 multiport 指定多个端口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-random-或-nth-进行负载平衡">使用 random* 或 nth* 进行负载平衡</a><a 
aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-limit-和-iplimit-限制连接数">使用 limit 和 iplimit* 限制连接数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#维护要匹配的最近连接列表">维护要匹配的最近连接列表</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#匹配数据包数据负载中的-string">匹配数据包数据负载中的 “string*”</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#带有时间的基于时间的规则">带有“时间*”的基于时间的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#基于-ttl-值的数据包匹配">基于 TTL 值的数据包匹配</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#防止端口扫描">防止端口扫描</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#ssh-暴力破解保护">SSH 暴力破解保护</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#同步泛洪保护">同步泛洪保护</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-synproxy-缓解-syn-泛洪">使用 SYNPROXY 缓解 SYN 泛洪</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止非-syn-的新数据包">阻止非 SYN 的新数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#强制碎片数据包检查">强制碎片数据包检查</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#xmas-包">XMAS 包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#丢弃所有-null-数据包">丢弃所有 NULL 数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止不常见的-mss-值">阻止不常见的 MSS 值</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止带有虚假-tcp-标志的数据包">阻止带有虚假 TCP 标志的数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止来自私有子网的数据包欺骗">阻止来自私有子网的数据包(欺骗)</a><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#另见">另见</a></div></div><div class="h1wrap-body"><div class="wrap h2body-exist"><div class="wrap-header h2wrap"><h2 id="入门"><a aria-hidden="true" tabindex="-1" href="#入门"><span class="icon icon-link"></span></a>入门</h2><div class="wrap-body">
</div></div><div class="h2wrap-body"><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="介绍"><a aria-hidden="true" tabindex="-1" href="#介绍"><span class="icon icon-link"></span></a>介绍</h3><div class="wrap-body">
<p>iptables 使用三个不同的链来允许或阻止流量:输入(input)、输出(output)和转发(forward)</p>
<ul>
<li>输入(input) —— 此链用于控制传入连接的行为</li>
<li>输出(output) —— 此链用于传出连接</li>
<li>转发(forward) —— 此链用于那些并非以本机为目的地、而是需要经本机转发出去的连接,例如路由和 NAT 场景</li>
</ul>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="安装-iptables"><a aria-hidden="true" tabindex="-1" href="#安装-iptables"><span class="icon icon-link"></span></a>安装 iptables</h3><div class="wrap-body">
<p>CentOS 7 默认安装 firewalld 作为防火墙;若改用 iptables,建议先停止并禁用 firewalld,避免两套规则互相干扰。</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ systemctl stop firewalld
</span><span class="code-line">$ systemctl disable firewalld
</span></code></pre>
<p>安装 iptables</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ yum <span class="token function">install</span> <span class="token parameter variable">-y</span> iptables-services
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="服务管理"><a aria-hidden="true" tabindex="-1" href="#服务管理"><span class="icon icon-link"></span></a>服务管理</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ systemctl status iptables <span class="token comment"># 查看服务状态</span>
</span><span class="code-line">$ systemctl <span class="token builtin class-name">enable</span> iptables <span class="token comment"># 启用服务</span>
</span><span class="code-line">$ systemctl disable iptables <span class="token comment"># 禁用服务</span>
</span><span class="code-line">$ systemctl start iptables <span class="token comment"># 启动服务</span>
</span><span class="code-line">$ systemctl restart iptables <span class="token comment"># 重启服务</span>
</span><span class="code-line">$ systemctl stop iptables <span class="token comment"># 关闭服务</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-3"><div class="wrap-header h3wrap"><h3 id="命令参数"><a aria-hidden="true" tabindex="-1" href="#命令参数"><span class="icon icon-link"></span></a>命令参数</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-3-->
<p>基本语法:</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables<span class="token punctuation">(</span>选项<span class="token punctuation">)</span><span class="token punctuation">(</span>参数<span class="token punctuation">)</span>
</span></code></pre>
<hr>
<table><thead><tr><th align="left" scope="col">参数</th><th scope="col">作用</th></tr></thead><tbody><tr><td align="left"><code>-P</code></td><td>设置链的默认策略: <br><code>iptables -P INPUT (DROP|ACCEPT)</code></td></tr><tr><td align="left"><code>-F</code></td><td>清空规则链</td></tr><tr><td align="left"><code>-L</code></td><td>查看规则链</td></tr><tr><td align="left"><code>-A</code></td><td>在规则链的末尾追加新规则</td></tr><tr><td align="left"><code>-I</code></td><td><code>num</code> 在规则链的头部(或第 <code>num</code> 条位置)插入新规则</td></tr><tr><td align="left"><code>-D</code></td><td><code>num</code> 删除某一条规则</td></tr><tr><td align="left"><code>-s</code></td><td>匹配来源地址 <code>IP/MASK</code> <br>加叹号 "!" 表示排除这个 <code>IP</code></td></tr><tr><td align="left"><code>-d</code></td><td>匹配目标地址</td></tr><tr><td align="left"><code>-i</code></td><td><code>网卡名称</code> 匹配从这块网卡流入的数据</td></tr><tr><td align="left"><code>-o</code></td><td><code>网卡名称</code> 匹配从这块网卡流出的数据</td></tr><tr><td align="left"><code>-p</code></td><td>匹配协议,如 tcp、udp、icmp</td></tr><tr><td align="left"><code>--dport num</code></td><td>匹配目标端口号</td></tr><tr><td align="left"><code>--sport num</code></td><td>匹配来源端口号</td></tr></tbody></table>
<hr>
<pre class="wrap-text"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> 表名 <span class="token operator">&#x3C;</span>-A/I/D/R<span class="token operator">></span> 规则链名 <span class="token punctuation">[</span>规则号<span class="token punctuation">]</span> <span class="token operator">&#x3C;</span>-i/o 网卡名<span class="token operator">></span> <span class="token parameter variable">-p</span> 协议名 <span class="token operator">&#x3C;</span>-s 源IP/源子网<span class="token operator">></span> <span class="token parameter variable">--sport</span> 源端口 <span class="token operator">&#x3C;</span>-d 目标IP/目标子网<span class="token operator">></span> <span class="token parameter variable">--dport</span> 目标端口 <span class="token parameter variable">-j</span> 动作
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="开始配置规则"><a aria-hidden="true" tabindex="-1" href="#开始配置规则"><span class="icon icon-link"></span></a>开始配置规则</h3><div class="wrap-body">
<p>默认情况下,所有链的默认策略都是 ACCEPT,因此在加固时建议先把默认策略改为拒绝全部,再只放行需要的端口。注意:通过 SSH 远程操作时,应先放行 SSH 和已建立的连接,否则设置 INPUT/OUTPUT 为 DROP 后会立即失去连接:</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">--policy</span> INPUT DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">--policy</span> OUTPUT DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">--policy</span> FORWARD DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="删除插入规则"><a aria-hidden="true" tabindex="-1" href="#删除插入规则"><span class="icon icon-link"></span></a>删除/插入规则</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<p>按链条和编号删除规则</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-D</span> INPUT <span class="token number">10</span>
</span></code></pre>
<p>按规范删除规则</p>
<pre class="wrap-text"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-D</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<!--rehype:className=wrap-text-->
<p>清空所有规则,删除所有自定义链,并将默认策略恢复为全部接受</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-P</span> INPUT ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> FORWARD ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> OUTPUT ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-F</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-F</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-X</span>
</span></code></pre>
<hr>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># 清空所有链中的规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span>
</span><span class="code-line"><span class="token comment"># 清空单个链中的规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span> INPUT
</span><span class="code-line"><span class="token comment"># 插入规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token number">2</span> <span class="token parameter variable">-s</span> <span class="token number">202.54</span>.1.2 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="显示规则"><a aria-hidden="true" tabindex="-1" href="#显示规则"><span class="icon icon-link"></span></a>显示规则</h3><div class="wrap-body">
<p>详细打印出所有活动的 <code>iptables</code> 规则</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-n</span> <span class="token parameter variable">-L</span> <span class="token parameter variable">-v</span>
</span></code></pre>
<p>……带行号的相同输出:</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-n</span> <span class="token parameter variable">-L</span> <span class="token parameter variable">-v</span> --line-numbers
</span></code></pre>
<p>最后,分别只列出 <code>INPUT</code>/<code>OUTPUT</code> 链的相同信息:</p>
<pre class="wrap-text"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> OUTPUT <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span> --line-numbers
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="列出特定链的规则"><a aria-hidden="true" tabindex="-1" href="#列出特定链的规则"><span class="icon icon-link"></span></a>列出特定链的规则</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT
</span><span class="code-line"><span class="token comment"># 以规则规范(rule-spec)的形式输出相同内容:</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-S</span> INPUT
</span><span class="code-line"><span class="token comment"># 包含数据包计数的规则列表</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT <span class="token parameter variable">-v</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="保存规则"><a aria-hidden="true" tabindex="-1" href="#保存规则"><span class="icon icon-link"></span></a>保存规则</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># 在基于 Debian 的系统上</span>
</span><span class="code-line">$ netfilter-persistent save
</span><span class="code-line"><span class="token comment"># 在基于 RedHat 的系统上</span>
</span><span class="code-line">$ <span class="token function">service</span> iptables save
</span></code></pre>
</div></div></div></div></div><div class="wrap h2body-exist"><div class="wrap-header h2wrap"><h2 id="iptables-示例"><a aria-hidden="true" tabindex="-1" href="#iptables-示例"><span class="icon icon-link"></span></a>iptables 示例</h2><div class="wrap-body">
<!--rehype:body-class=cols-2-->
</div></div><div class="h2wrap-body cols-2"><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="清空当前的所有规则和计数"><a aria-hidden="true" tabindex="-1" href="#清空当前的所有规则和计数"><span class="icon icon-link"></span></a>清空当前的所有规则和计数</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-F</span> <span class="token comment"># 清空所有的防火墙规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-X</span> <span class="token comment"># 删除用户自定义的空链</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-Z</span> <span class="token comment"># 清空计数</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="配置允许-ssh-端口连接"><a aria-hidden="true" tabindex="-1" href="#配置允许-ssh-端口连接"><span class="icon icon-link"></span></a>配置允许 ssh 端口连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
<p><code>22</code> 为你的 <code>ssh</code> 端口, <code>-s 192.168.1.0/24</code> 表示允许这个网段的机器来连接;当 <code>INPUT</code> 链的默认策略为 DROP 时,其它网段的 <code>ip</code> 地址将无法登录你的机器。<code>-j ACCEPT</code> 表示接受这样的请求</p>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许本地回环地址可以正常使用"><a aria-hidden="true" tabindex="-1" href="#允许本地回环地址可以正常使用"><span class="icon icon-link"></span></a>允许本地回环地址可以正常使用</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 本地回环地址即 127.0.0.1</span>
</span><span class="code-line"><span class="token comment"># 仅供本机内部使用,进与出都设置为允许</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="设置默认的规则"><a aria-hidden="true" tabindex="-1" href="#设置默认的规则"><span class="icon icon-link"></span></a>设置默认的规则</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 配置默认的不让进</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> INPUT DROP
</span><span class="code-line"><span class="token comment"># 默认的不允许转发</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> FORWARD DROP
</span><span class="code-line"><span class="token comment"># 默认的可以出去</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> OUTPUT ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="配置白名单"><a aria-hidden="true" tabindex="-1" href="#配置白名单"><span class="icon icon-link"></span></a>配置白名单</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 允许机房内网机器可以访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> all <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许机房内网机器可以访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> all <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.140.0/24 <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许 183.121.3.7 访问本机的3380端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">183.121</span>.3.7 <span class="token parameter variable">--dport</span> <span class="token number">3380</span> <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="开启相应的服务端口"><a aria-hidden="true" tabindex="-1" href="#开启相应的服务端口"><span class="icon icon-link"></span></a>开启相应的服务端口</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 开放 80 端口,Web 服务对外通常使用该端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许被 ping</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp --icmp-type <span class="token number">8</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 已经建立的连接得让它进来</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="保存规则到配置文件中"><a aria-hidden="true" tabindex="-1" href="#保存规则到配置文件中"><span class="icon icon-link"></span></a>保存规则到配置文件中</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 任何改动之前先备份,请保持这一优秀的习惯</span>
</span><span class="code-line">$ <span class="token function">cp</span> /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
</span><span class="code-line">$ iptables-save <span class="token operator">></span> /etc/sysconfig/iptables
</span><span class="code-line">$ <span class="token function">cat</span> /etc/sysconfig/iptables
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="列出已设置的规则"><a aria-hidden="true" tabindex="-1" href="#列出已设置的规则"><span class="icon icon-link"></span></a>列出已设置的规则</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token punctuation">[</span>-t 表名<span class="token punctuation">]</span><span class="token punctuation">[</span>链名<span class="token punctuation">]</span>
</span></code></pre>
<hr>
<ul>
<li>四个表名 <code>raw</code>、<code>nat</code>、<code>filter</code>、<code>mangle</code></li>
<li>五个规则链名 <code>INPUT</code>、<code>OUTPUT</code>、<code>FORWARD</code>、<code>PREROUTING</code>、<code>POSTROUTING</code></li>
<li>filter 表包含 <code>INPUT</code>、<code>OUTPUT</code>、<code>FORWARD</code> 三个规则链</li>
</ul>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 列出 nat 上面的所有规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-t</span> nat
</span><span class="code-line"><span class="token comment"># ^ -t 参数指定,必须是 raw、nat、filter、mangle 中的一个</span>
</span><span class="code-line"><span class="token comment"># 规则带编号</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-t</span> nat --line-numbers
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT
</span><span class="code-line"><span class="token comment"># 查看,这个列表看起来更详细</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-nv</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="清除已有规则"><a aria-hidden="true" tabindex="-1" href="#清除已有规则"><span class="icon icon-link"></span></a>清除已有规则</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 清空指定链 INPUT 上面的所有规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span> INPUT
</span><span class="code-line"><span class="token comment"># 删除指定的用户自定义链,这个链必须没有被其它任何规则引用,</span>
</span><span class="code-line"><span class="token comment"># 而且这条链上必须没有任何规则(INPUT 等内置链无法被删除)</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-X</span> INPUT
</span><span class="code-line"><span class="token comment"># 如果没有指定链名,则会删除该表中所有非内置的链</span>
</span><span class="code-line"><span class="token comment"># 把指定链,或者表中的所有链上的所有计数器清零</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-Z</span> INPUT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="删除已添加的规则"><a aria-hidden="true" tabindex="-1" href="#删除已添加的规则"><span class="icon icon-link"></span></a>删除已添加的规则</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 添加一条规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.5 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<p>将所有 iptables 规则以序号标记显示,执行:</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-n</span> --line-numbers
</span></code></pre>
<p>比如要删除 INPUT 里序号为 8 的规则,执行:</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-D</span> INPUT <span class="token number">8</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="开放指定的端口"><a aria-hidden="true" tabindex="-1" href="#开放指定的端口"><span class="icon icon-link"></span></a>开放指定的端口</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 允许本地回环接口(即允许本机访问本机)</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">127.0</span>.0.1 <span class="token parameter variable">-d</span> <span class="token number">127.0</span>.0.1 <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许已建立的或相关联的连接通行</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许所有本机向外的访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许访问22端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许访问80端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许ftp服务的21端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">21</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许FTP服务的20端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">20</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 禁止其他未允许的规则访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-j</span> REJECT
</span><span class="code-line"><span class="token comment"># 禁止其他未允许的转发</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="屏蔽-ip"><a aria-hidden="true" tabindex="-1" href="#屏蔽-ip"><span class="icon icon-link"></span></a>屏蔽 IP</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 屏蔽恶意主机比如192.168.0.8</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.0.8 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 屏蔽单个IP的命令</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.6.7 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 封整个段即从123.0.0.1到123.255.255.254的命令</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 封IP段即从123.45.0.1到123.45.255.254的命令</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.0.0/16 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 封IP段即从123.45.6.1到123.45.6.254的命令是</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.6.0/24 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="指定数据包出去的网络接口"><a aria-hidden="true" tabindex="-1" href="#指定数据包出去的网络接口"><span class="icon icon-link"></span></a>指定数据包出去的网络接口</h3><div class="wrap-body">
<p>只对 OUTPUT、FORWARD、POSTROUTING 三个链起作用。</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-o</span> eth0
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="查看已添加的规则"><a aria-hidden="true" tabindex="-1" href="#查看已添加的规则"><span class="icon icon-link"></span></a>查看已添加的规则</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span>
</span><span class="code-line">Chain INPUT <span class="token punctuation">(</span>policy DROP <span class="token number">48106</span> packets, 2690K bytes<span class="token punctuation">)</span>
</span><span class="code-line"> pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
</span><span class="code-line"> <span class="token number">5075</span> 589K ACCEPT all -- lo * <span class="token number">0.0</span>.0.0/0 <span class="token number">0.0</span>.0.0/0
</span><span class="code-line"> 191K 90M ACCEPT tcp -- * * <span class="token number">0.0</span>.0.0/0 <span class="token number">0.0</span>.0.0/0 tcp dpt:22
</span><span class="code-line">1499K 133M ACCEPT tcp -- * * <span class="token number">0.0</span>.0.0/0 <span class="token number">0.0</span>.0.0/0 tcp dpt:80
</span><span class="code-line">4364K 6351M ACCEPT all -- * * <span class="token number">0.0</span>.0.0/0 <span class="token number">0.0</span>.0.0/0 state RELATED,ESTABLISHED
</span><span class="code-line"> <span class="token number">6256</span> 327K ACCEPT icmp -- * * <span class="token number">0.0</span>.0.0/0 <span class="token number">0.0</span>.0.0/0
</span><span class="code-line">Chain FORWARD <span class="token punctuation">(</span>policy ACCEPT <span class="token number">0</span> packets, <span class="token number">0</span> bytes<span class="token punctuation">)</span>
</span><span class="code-line"> pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
</span><span class="code-line">Chain OUTPUT <span class="token punctuation">(</span>policy ACCEPT 3382K packets, 1819M bytes<span class="token punctuation">)</span>
</span><span class="code-line"> pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
</span><span class="code-line"> <span class="token number">5075</span> 589K ACCEPT all -- * lo <span class="token number">0.0</span>.0.0/0 <span class="token number">0.0</span>.0.0/0
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="启动网络转发规则"><a aria-hidden="true" tabindex="-1" href="#启动网络转发规则"><span class="icon icon-link"></span></a>启动网络转发规则</h3><div class="wrap-body">
<p>公网 <code>210.14.67.127</code> 让内网 <code>192.168.188.0/24</code> 上网</p>
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> POSTROUTING <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.188.0/24 <span class="token parameter variable">-j</span> SNAT --to-source <span class="token number">210.14</span>.67.127
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="端口映射"><a aria-hidden="true" tabindex="-1" href="#端口映射"><span class="icon icon-link"></span></a>端口映射</h3><div class="wrap-body">
<p>本机的 2222 端口映射到内网 虚拟机的 22 端口</p>
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-d</span> <span class="token number">210.14</span>.67.127 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">2222</span> <span class="token parameter variable">-j</span> DNAT --to-dest <span class="token number">192.168</span>.188.115:22
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="字符串匹配"><a aria-hidden="true" tabindex="-1" href="#字符串匹配"><span class="icon icon-link"></span></a>字符串匹配</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<p>比如,我们要过滤所有 TCP 连接中的字符串<code>test</code>,一旦出现它我们就终止这个连接,我们可以这么做:</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> kmp <span class="token parameter variable">--string</span> <span class="token string">"test"</span> <span class="token parameter variable">-j</span> REJECT --reject-with tcp-reset
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span>
</span><span class="code-line"><span class="token comment"># Chain INPUT (policy ACCEPT)</span>
</span><span class="code-line"><span class="token comment"># target prot opt source destination</span>
</span><span class="code-line"><span class="token comment"># REJECT tcp -- anywhere anywhere STRING match "test" ALGO name kmp TO 65535 reject-with tcp-reset</span>
</span><span class="code-line"><span class="token comment">#</span>
</span><span class="code-line"><span class="token comment"># Chain FORWARD (policy ACCEPT)</span>
</span><span class="code-line"><span class="token comment"># target prot opt source destination</span>
</span><span class="code-line"><span class="token comment">#</span>
</span><span class="code-line"><span class="token comment"># Chain OUTPUT (policy ACCEPT)</span>
</span><span class="code-line"><span class="token comment"># target prot opt source destination</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止-windows-蠕虫的攻击"><a aria-hidden="true" tabindex="-1" href="#阻止-windows-蠕虫的攻击"><span class="icon icon-link"></span></a>阻止 Windows 蠕虫的攻击</h3><div class="wrap-body">
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-j</span> DROP <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">0.0</span>.0.0/0 <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> kmp <span class="token parameter variable">--string</span> <span class="token string">"cmd.exe"</span>
</span></code></pre>
<p>字符串匹配只能看到单个报文中的明文载荷,分片、加密或做了变形的内容都匹配不到,因此只能作为辅助手段,不能代替主机上的补丁和正常的端口策略。</p>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="防止-syn-洪水攻击"><a aria-hidden="true" tabindex="-1" href="#防止-syn-洪水攻击"><span class="icon icon-link"></span></a>防止 SYN 洪水攻击</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">5</span>/second <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
<p>这条规则只放行每秒不超过 5 个的新建连接(SYN)报文,本身并不丢弃任何东西;超出速率的 SYN 需要由后面的 DROP 规则或链的默认 DROP 策略来处理,否则限速不会生效。</p>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许环回连接"><a aria-hidden="true" tabindex="-1" href="#允许环回连接"><span class="icon icon-link"></span></a>允许环回连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许已建立和相关的传入连接"><a aria-hidden="true" tabindex="-1" href="#允许已建立和相关的传入连接"><span class="icon icon-link"></span></a>允许已建立和相关的传入连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许已建立的传出连接"><a aria-hidden="true" tabindex="-1" href="#允许已建立的传出连接"><span class="icon icon-link"></span></a>允许已建立的传出连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="内部到外部"><a aria-hidden="true" tabindex="-1" href="#内部到外部"><span class="icon icon-link"></span></a>内部到外部</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-o</span> eth0 <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="丢弃无效数据包"><a aria-hidden="true" tabindex="-1" href="#丢弃无效数据包"><span class="icon icon-link"></span></a>丢弃无效数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止-ip-地址"><a aria-hidden="true" tabindex="-1" href="#阻止-ip-地址"><span class="icon icon-link"></span></a>阻止 IP 地址</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.10 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止和-ip-地址并拒绝"><a aria-hidden="true" tabindex="-1" href="#阻止和-ip-地址并拒绝"><span class="icon icon-link"></span></a>阻止 IP 地址并拒绝</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.10 <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止与网络接口的连接"><a aria-hidden="true" tabindex="-1" href="#阻止与网络接口的连接"><span class="icon icon-link"></span></a>阻止与网络接口的连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.10 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-ssh"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-ssh"><span class="icon icon-link"></span></a>允许所有传入的 SSH</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的传入-ssh"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的传入-ssh"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的传入 SSH</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传出-ssh"><a aria-hidden="true" tabindex="-1" href="#允许传出-ssh"><span class="icon icon-link"></span></a>允许传出 SSH</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的传入-rsync"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的传入-rsync"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的传入 Rsync</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">873</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">873</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传入-http"><a aria-hidden="true" tabindex="-1" href="#允许传入-http"><span class="icon icon-link"></span></a>允许传入 HTTP</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传入-https"><a aria-hidden="true" tabindex="-1" href="#允许传入-https"><span class="icon icon-link"></span></a>允许传入 HTTPS</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传入-http-和-https"><a aria-hidden="true" tabindex="-1" href="#允许传入-http-和-https"><span class="icon icon-link"></span></a>允许传入 HTTP 和 HTTPS</h3><div class="wrap-body">
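<pre class="language-bash"><!-- Same pattern as the single-port rules around it: INPUT takes new and established connections to 80/443, OUTPUT releases only the established replies leaving from 80/443. The OUTPUT line therefore matches on source ports (sports); a destination-port match there would pass this host's own outbound web requests instead of its server replies, and with a DROP policy on OUTPUT the server could not answer at all. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> <span class="token number">80,443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--sports</span> <span class="token number">80,443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>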
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的-mysql"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的-mysql"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的 MySQL</h3><div class="wrap-body">
<pre class="language-bash"><!-- Only sources in 192.168.1.0/24 may open connections to 3306; the OUTPUT rule admits just the replies of already established sessions. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许-mysql-到特定的网络接口"><a aria-hidden="true" tabindex="-1" href="#允许-mysql-到特定的网络接口"><span class="icon icon-link"></span></a>允许 MySQL 到特定的网络接口</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts 3306 only when it arrives on eth1 and lets the replies out of eth1 only; traffic on any other interface is not touched by these two rules. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的-postgresql"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的-postgresql"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的 PostgreSQL</h3><div class="wrap-body">
<pre class="language-bash"><!-- Only sources in 192.168.1.0/24 may open connections to 5432; the OUTPUT rule admits just the replies of already established sessions. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许-postgresql-到特定的网络接口"><a aria-hidden="true" tabindex="-1" href="#允许-postgresql-到特定的网络接口"><span class="icon icon-link"></span></a>允许 PostgreSQL 到特定的网络接口</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts 5432 only when it arrives on eth1 and lets the replies out of eth1 only; traffic on any other interface is not touched by these two rules. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止传出-smtp-邮件"><a aria-hidden="true" tabindex="-1" href="#阻止传出-smtp-邮件"><span class="icon icon-link"></span></a>阻止传出 SMTP 邮件</h3><div class="wrap-body">
<pre class="language-bash"><!-- Rejects every outbound TCP/25 connection from this host; REJECT answers the local sender with an error instead of silently dropping, so a misbehaving process fails fast rather than hanging on a timeout. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">25</span> <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-smtp"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-smtp"><span class="icon icon-link"></span></a>允许所有传入的 SMTP</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts new and established SMTP (TCP/25) from any source and releases the established replies from port 25; there is no source restriction here, so this is for a public mail exchanger. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">25</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">25</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-imap"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-imap"><span class="icon icon-link"></span></a>允许所有传入的 IMAP</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts new and established IMAP (TCP/143) from any source and releases the established replies from port 143. Port 143 is the cleartext IMAP port; the IMAPS (993) rules below are the TLS-protected counterpart. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">143</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">143</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-imaps"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-imaps"><span class="icon icon-link"></span></a>允许所有传入的 IMAPS</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts new and established IMAPS (TCP/993) from any source and releases the established replies from port 993. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">993</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">993</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-pop3"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-pop3"><span class="icon icon-link"></span></a>允许所有传入的 POP3</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts new and established POP3 (TCP/110) from any source and releases the established replies from port 110. Port 110 is the cleartext POP3 port; the POP3S (995) rules below are the TLS-protected counterpart. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">110</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">110</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-pop3s"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-pop3s"><span class="icon icon-link"></span></a>允许所有传入的 POP3S</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts new and established POP3S (TCP/995) from any source and releases the established replies from port 995. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">995</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">995</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="在公共接口上删除专用网络地址"><a aria-hidden="true" tabindex="-1" href="#在公共接口上删除专用网络地址"><span class="icon icon-link"></span></a>在公共接口上丢弃来自私有网络地址的流量</h3><div class="wrap-body">
<pre class="language-bash"><!-- Anti-spoofing on the public interface: packets arriving on eth1 with a source in 192.168.1.0/24 or 10.0.0.0/8 cannot be legitimate there and are dropped. Only these two private ranges are covered; 172.16.0.0/12 and the loopback range 127.0.0.0/8 are usually added in the same place. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="将所有传出到-facebook-网络"><a aria-hidden="true" tabindex="-1" href="#将所有传出到-facebook-网络"><span class="icon icon-link"></span></a>丢弃所有传出到 Facebook 网络的流量</h3><div class="wrap-body">
<p>获取 Facebook 的 AS(自治系统)号:</p>
<pre class="language-bash"><!-- Resolves facebook.com with host, then asks Team Cymru's whois service for the origin AS of those addresses; awk keeps only the AS number from the last output line. The answer depends on what the local resolver returns at that moment, so re-run it whenever the prefix list below is rebuilt. --><code class="language-bash code-highlight"><span class="code-line">$ whois <span class="token parameter variable">-h</span> v4.whois.cymru.com <span class="token string">" -v <span class="token variable"><span class="token variable">$(</span><span class="token function">host</span> facebook.com <span class="token operator">|</span> <span class="token function">grep</span> <span class="token string">"has address"</span> <span class="token operator">|</span> <span class="token function">cut</span> <span class="token parameter variable">-d</span> <span class="token string">" "</span> <span class="token parameter variable">-f4</span><span class="token variable">)</span></span>"</span> <span class="token operator">|</span> <span class="token function">tail</span> <span class="token parameter variable">-n1</span> <span class="token operator">|</span> <span class="token function">awk</span> <span class="token string">'{print $1}'</span>
</span></code></pre>
<p>拒绝发往这些网段的流量:</p>
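<pre class="language-bash"><!-- Rejects outbound traffic to every prefix RADB lists for the AS number found above. The OUTPUT rule matches on the destination (-d): packets leaving this host carry the host's own source address, so a source match on this chain would never fire. The redundant second cut and the sed that appended ';' to each prefix are gone, because iptables refuses an address with a trailing ';'. --><code class="language-bash code-highlight"><span class="code-line">$ <span class="token keyword">for</span> <span class="token for-or-select variable">i</span> <span class="token keyword">in</span> <span class="token variable"><span class="token variable">$(</span>whois <span class="token parameter variable">-h</span> whois.radb.net -- <span class="token string">'-i origin AS1273'</span> <span class="token operator">|</span> <span class="token function">grep</span> <span class="token string">"^route:"</span> <span class="token operator">|</span> <span class="token function">cut</span> <span class="token parameter variable">-d</span> <span class="token string">":"</span> <span class="token parameter variable">-f2</span> <span class="token operator">|</span> <span class="token function">sed</span> <span class="token parameter variable">-e</span> <span class="token string">'s/^[ \t]*//'</span> <span class="token operator">|</span> <span class="token function">sort</span> <span class="token parameter variable">-n</span> <span class="token parameter variable">-t</span> <span class="token builtin class-name">.</span> <span class="token parameter variable">-k</span> <span class="token number">1,1</span> <span class="token parameter variable">-k</span> <span class="token number">2,2</span> <span class="token parameter variable">-k</span> <span class="token number">3,3</span> <span class="token parameter variable">-k</span> <span class="token number">4,4</span><span class="token variable">)</span></span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">    iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-d</span> <span class="token string">"<span class="token variable">$i</span>"</span> <span class="token parameter variable">-j</span> REJECT
</span><span class="code-line"><span class="token keyword">done</span>
</span></code></pre>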
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="记录和丢弃数据包"><a aria-hidden="true" tabindex="-1" href="#记录和丢弃数据包"><span class="icon icon-link"></span></a>记录和丢弃数据包</h3><div class="wrap-body">
<pre class="language-bash"><!-- Two rules are needed because LOG is not a terminating target: the first writes a kernel log entry tagged "IP_SPOOF A: ", the second actually drops the packet. Without a rate limit every matching packet produces a log line; the limited variant further down is the safer form on a busy interface. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> LOG --log-prefix <span class="token string">"IP_SPOOF A: "</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<p>默认情况下,所有内容都记录到 <code>/var/log/messages</code> 文件中:</p>
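<pre class="language-bash"><!-- Two separate commands: follow the log, or search it. The grep pattern must match the prefix set in the LOG rule above ("IP_SPOOF", with an underscore); a pattern containing a space never matches that prefix. Where syslog does not write /var/log/messages, the same kernel log lines are available through dmesg or journalctl -k. --><code class="language-bash code-highlight"><span class="code-line">$ <span class="token function">tail</span> <span class="token parameter variable">-f</span> /var/log/messages
</span><span class="code-line">$ <span class="token function">grep</span> <span class="token parameter variable">--color</span> <span class="token string">'IP_SPOOF'</span> /var/log/messages
</span></code></pre>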
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="记录和丢弃日志条目数量有限的数据包"><a aria-hidden="true" tabindex="-1" href="#记录和丢弃日志条目数量有限的数据包"><span class="icon icon-link"></span></a>记录和丢弃日志条目数量有限的数据包</h3><div class="wrap-body">
<pre class="language-bash"><!-- The limit match throttles only the LOG rule (5 entries per minute, burst of 7); the DROP rule has no limit, so spoofed packets are still blocked while logging is being rate-limited. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">5</span>/m --limit-burst <span class="token number">7</span> <span class="token parameter variable">-j</span> LOG --log-prefix <span class="token string">"IP_SPOOF A: "</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="丢弃或接受来自-mac-地址的流量"><a aria-hidden="true" tabindex="-1" href="#丢弃或接受来自-mac-地址的流量"><span class="icon icon-link"></span></a>丢弃或接受来自指定 MAC 地址的流量</h3><div class="wrap-body">
<pre class="language-bash"><!-- The mac match only sees the source MAC of frames received on a local link (INPUT, FORWARD and PREROUTING), and a MAC address is trivially changed by the sender, so the second rule is a convenience filter for SSH, not an authentication control. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> mac --mac-source 00:0F:EA:91:04:08 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --destination-port <span class="token number">22</span> <span class="token parameter variable">-m</span> mac --mac-source 00:0F:EA:91:04:07 <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止或允许-icmp-ping-请求"><a aria-hidden="true" tabindex="-1" href="#阻止或允许-icmp-ping-请求"><span class="icon icon-link"></span></a>阻止或允许 ICMP Ping 请求</h3><div class="wrap-body">
<pre class="language-bash"><!-- Two alternatives, not a pair: the first drops ICMP echo requests on every interface, the second only those arriving on eth1. Once the first is in place the second can never match anything. Dropping only echo-request keeps other ICMP types (path MTU discovery, errors) working. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp --icmp-type echo-request <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-p</span> icmp --icmp-type echo-request <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-multiport-指定多个端口"><a aria-hidden="true" tabindex="-1" href="#使用-multiport-指定多个端口"><span class="icon icon-link"></span></a>使用 multiport 指定多个端口</h3><div class="wrap-body">
<pre class="language-bash"><!-- Accepts new TCP connections on eth0 to the four named services in one rule; service names are resolved through /etc/services. This rule uses the older state match where the rest of the page uses conntrack with ctstate; both are accepted, conntrack is the current form. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> ssh,smtp,http,https <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-random-或-nth-进行负载平衡"><a aria-hidden="true" tabindex="-1" href="#使用-random-或-nth-进行负载平衡"><span class="icon icon-link"></span></a>使用 <code>random*</code> 或 <code>nth*</code> 进行负载均衡</h3><div class="wrap-body">
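<pre class="language-bash"><!-- DNAT is only valid in the nat table, so the PREROUTING rule carries -t nat. Each backend gets its own slot (0 to 3) of the every-4 cycle on shared counter 0; with the same slot on every rule only the first rule could ever match and three quarters of the new connections would never be redirected. nth is a patch-o-matic extension; mainline iptables offers the same behaviour through the statistic match in nth mode. --><code class="language-bash code-highlight"><span class="code-line"><span class="token assign-left variable">_ips</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token string">"172.31.250.10"</span> <span class="token string">"172.31.250.11"</span> <span class="token string">"172.31.250.12"</span> <span class="token string">"172.31.250.13"</span><span class="token punctuation">)</span>
</span><span class="code-line"><span class="token assign-left variable">n</span><span class="token operator">=</span><span class="token number">0</span>
</span><span class="code-line"><span class="token keyword">for</span> <span class="token for-or-select variable">ip</span> <span class="token keyword">in</span> <span class="token string">"<span class="token variable">${_ips<span class="token punctuation">[</span>@<span class="token punctuation">]</span>}</span>"</span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">    iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-m</span> nth <span class="token parameter variable">--counter</span> <span class="token number">0</span> <span class="token parameter variable">--every</span> <span class="token number">4</span> <span class="token parameter variable">--packet</span> <span class="token string">"<span class="token variable">$n</span>"</span> <span class="token punctuation">\</span>
</span><span class="code-line">        <span class="token parameter variable">-j</span> DNAT --to-destination <span class="token string">"<span class="token variable">${ip}</span>:80"</span>
</span><span class="code-line">    <span class="token assign-left variable">n</span><span class="token operator">=</span><span class="token variable">$((n + 1))</span>
</span><span class="code-line"><span class="token keyword">done</span>
</span></code></pre>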
<p>或</p>
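<pre class="language-bash"><!-- As with the nth variant, DNAT needs -t nat. Every rule independently matches about 25% of the new connections that reach it, so the share shrinks along the chain (25%, then 25% of the remaining 75%, and so on) and roughly a third of the connections fall through all four rules without being redirected; give later rules a higher average, or make the last one unconditional, if an even split is wanted. random is a patch-o-matic extension; mainline iptables provides the statistic match in random mode. --><code class="language-bash code-highlight"><span class="code-line"><span class="token assign-left variable">_ips</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token string">"172.31.250.10"</span> <span class="token string">"172.31.250.11"</span> <span class="token string">"172.31.250.12"</span> <span class="token string">"172.31.250.13"</span><span class="token punctuation">)</span>
</span><span class="code-line"><span class="token keyword">for</span> <span class="token for-or-select variable">ip</span> <span class="token keyword">in</span> <span class="token string">"<span class="token variable">${_ips<span class="token punctuation">[</span>@<span class="token punctuation">]</span>}</span>"</span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">    iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-m</span> random <span class="token parameter variable">--average</span> <span class="token number">25</span> <span class="token punctuation">\</span>
</span><span class="code-line">        <span class="token parameter variable">-j</span> DNAT --to-destination <span class="token string">"<span class="token variable">${ip}</span>:80"</span>
</span><span class="code-line"><span class="token keyword">done</span>
</span></code></pre>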
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-limit-和-iplimit-限制连接数"><a aria-hidden="true" tabindex="-1" href="#使用-limit-和-iplimit-限制连接数"><span class="icon icon-link"></span></a>使用 limit 和 <code>iplimit*</code> 限制连接数</h3><div class="wrap-body">
<pre class="language-bash"><!-- Forwards at most 20 new HTTP/HTTPS connections per hour (burst 5) from eth1 out of eth0. The limit match counts packets matching the rule as a whole, not per source, so one client can use up the budget for everyone behind eth1; anything beyond the limit simply falls through to the following rules or the chain policy. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dport</span> http,https <span class="token parameter variable">-o</span> eth0 <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">20</span>/hour --limit-burst <span class="token number">5</span> <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
<p>或</p>
<pre class="language-bash"><!-- Drops a new HTTP connection once its source already holds more than 5. iplimit is an old patch-o-matic match that current iptables no longer ships; the mainline equivalent is the connlimit match with its connlimit-above option, which also lets the count be taken per prefix instead of per address. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">--dport</span> http <span class="token parameter variable">-m</span> iplimit --iplimit-above <span class="token number">5</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="维护要匹配的最近连接列表"><a aria-hidden="true" tabindex="-1" href="#维护要匹配的最近连接列表"><span class="icon icon-link"></span></a>维护要匹配的最近连接列表</h3><div class="wrap-body">
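<pre class="language-bash"><!-- Two commands; order matters. The first drops every forwarded packet whose source was recorded in the "portscan" list within the last 100 s; the second records (and drops) any source that tries to reach TCP/443 through eth0. Port 443 acts as the trip wire here, so this only makes sense where no legitimate client is ever forwarded to 443; otherwise pick a port nothing should be using. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--name</span> portscan <span class="token parameter variable">--rcheck</span> <span class="token parameter variable">--seconds</span> <span class="token number">100</span> <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">--dport</span> <span class="token number">443</span> <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--name</span> portscan <span class="token parameter variable">--set</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>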
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="匹配数据包数据负载中的-string"><a aria-hidden="true" tabindex="-1" href="#匹配数据包数据负载中的-string"><span class="icon icon-link"></span></a>使用 <code>string*</code> 匹配数据包负载中的字符串</h3><div class="wrap-body">
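<pre class="language-bash"><!-- The string match requires a search algorithm (bm or kmp) in current iptables; without it the rule is refused. It looks for the byte sequence anywhere in the payload of every forwarded packet, regardless of protocol, so a pattern as short as ".com" also hits unrelated DNS, HTTP or mail traffic that merely contains it. Treat these rules as an illustration of the match, not as a usable filter. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> bm <span class="token parameter variable">--string</span> <span class="token string">'.com'</span> <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> bm <span class="token parameter variable">--string</span> <span class="token string">'.exe'</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>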
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="带有时间的基于时间的规则"><a aria-hidden="true" tabindex="-1" href="#带有时间的基于时间的规则"><span class="icon icon-link"></span></a>使用 <code>time*</code> 的基于时间的规则</h3><div class="wrap-body">
<pre class="language-bash"><!-- Forwards HTTP/HTTPS from eth1 to eth0 only between 21:30 and 22:30 on weekdays. The days option belongs to the old time match; the current xt_time match spells it weekdays and evaluates the window in UTC unless kerneltz is given, so check which one the target system has before relying on the window. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dport</span> http,https <span class="token parameter variable">-o</span> eth0 <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-m</span> <span class="token function">time</span> <span class="token parameter variable">--timestart</span> <span class="token number">21</span>:30 <span class="token parameter variable">--timestop</span> <span class="token number">22</span>:30 <span class="token parameter variable">--days</span> Mon,Tue,Wed,Thu,Fri <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="基于-ttl-值的数据包匹配"><a aria-hidden="true" tabindex="-1" href="#基于-ttl-值的数据包匹配"><span class="icon icon-link"></span></a>基于 TTL 值的数据包匹配</h3><div class="wrap-body">
<pre class="language-bash"><!-- Rejects packets from 1.2.3.4 whose IP TTL is below 40. TTL depends on the sender's initial value and the path length, both outside this host's control, so this is a heuristic (e.g. to spot traffic relayed through extra hops) rather than a reliable identity check. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">1.2</span>.3.4 <span class="token parameter variable">-m</span> ttl --ttl-lt <span class="token number">40</span> <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="防止端口扫描"><a aria-hidden="true" tabindex="-1" href="#防止端口扫描"><span class="icon icon-link"></span></a>防止端口扫描</h3><div class="wrap-body">
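<pre class="language-bash"><!-- Four commands. The chain lets through at most 1 TCP packet per second (burst 2) that carries only RST among SYN/ACK/FIN/RST and drops the rest. A user chain is only evaluated when a rule jumps to it, so the last line is what activates it; the jump is restricted to the same RST-only packets because the chain's final DROP would otherwise discard every non-RST TCP packet sent to it. --><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-N</span> port-scanning
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> port-scanning <span class="token parameter variable">-p</span> tcp --tcp-flags SYN,ACK,FIN,RST RST <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">2</span> <span class="token parameter variable">-j</span> RETURN
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> port-scanning <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --tcp-flags SYN,ACK,FIN,RST RST <span class="token parameter variable">-j</span> port-scanning
</span></code></pre>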
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="ssh-暴力破解保护"><a aria-hidden="true" tabindex="-1" href="#ssh-暴力破解保护"><span class="icon icon-link"></span></a>SSH 暴力破解保护</h3><div class="wrap-body">
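<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># Per-source throttle for NEW SSH connections: the first rule records the source in the recent list, the second drops it from the 10th NEW connection seen within 60 s (--update also refreshes the timer, so a persistent attacker stays blocked).</span>
</span><span class="code-line"><span class="token comment"># Both rules share the recent list named DEFAULT; add --name ssh to both if any other -m recent rule exists. Put an ACCEPT for your management addresses before these rules, and note the limit is per source IP, not per attacker.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token function">ssh</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--set</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token function">ssh</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--update</span> <span class="token parameter variable">--seconds</span> <span class="token number">60</span> <span class="token parameter variable">--hitcount</span> <span class="token number">10</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>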
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="同步泛洪保护"><a aria-hidden="true" tabindex="-1" href="#同步泛洪保护"><span class="icon icon-link"></span></a>同步泛洪保护</h3><div class="wrap-body">
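<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># SYN rate limit. xt_limit keeps ONE token bucket per rule, not per source, so a single flooder starves new connections for every client.</span>
</span><span class="code-line"><span class="token comment"># Prefer SYNPROXY (next section), net.ipv4.tcp_syncookies=1, or -m hashlimit --hashlimit-mode srcip for a per-source limit.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-N</span> syn_flood
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-j</span> syn_flood
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> syn_flood <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">3</span> <span class="token parameter variable">-j</span> RETURN
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> syn_flood <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># ICMP: 1/s is accepted, up to 1/s of the excess is logged with prefix PING-DROP:, the rest is dropped.</span>
</span><span class="code-line"><span class="token comment"># A blanket ICMP drop also discards Fragmentation-Needed (type 3 code 4) and breaks path-MTU discovery; consider accepting icmp-type 3 and 11 before the DROP.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">1</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">1</span> <span class="token parameter variable">-j</span> LOG --log-prefix PING-DROP:
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>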
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-synproxy-缓解-syn-泛洪"><a aria-hidden="true" tabindex="-1" href="#使用-synproxy-缓解-syn-泛洪"><span class="icon icon-link"></span></a>使用 SYNPROXY 缓解 SYN 泛洪</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># SYNPROXY: incoming SYNs are left untracked in the raw table, the SYNPROXY rule answers them with SYN cookies, and a conntrack entry is only created once the client completes the handshake. Rule order matters: SYNPROXY must precede the INVALID drop.</span>
</span><span class="code-line"><span class="token comment"># Requires sysctl net.netfilter.nf_conntrack_tcp_loose=0; the cookies carry options in the TCP timestamp, so keep net.ipv4.tcp_timestamps=1. --mss/--wscale/--sack-perm/--timestamp must match what the backend announces.</span>
</span><span class="code-line"><span class="token comment"># As written this proxies every TCP port on the host; restrict both rules to the ports you serve (e.g. --dport 80) to limit the blast radius of a misconfiguration.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> raw <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-j</span> CT <span class="token parameter variable">--notrack</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID,UNTRACKED <span class="token parameter variable">-j</span> SYNPROXY --sack-perm <span class="token parameter variable">--timestamp</span> <span class="token parameter variable">--wscale</span> <span class="token number">7</span> <span class="token parameter variable">--mss</span> <span class="token number">1460</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止非-syn-的新数据包"><a aria-hidden="true" tabindex="-1" href="#阻止非-syn-的新数据包"><span class="icon icon-link"></span></a>阻止非 SYN 的新数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># Drops TCP packets that would open a connection (conntrack state NEW) without the SYN flag, e.g. stray ACK/FIN probes. -m state is the legacy spelling of -m conntrack --ctstate; the filter/INPUT placement only protects this host.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token operator">!</span> <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<p></p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># Same check in mangle/PREROUTING: evaluated before routing, so it also covers forwarded traffic and discards the packet before the filter table sees it.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp <span class="token operator">!</span> <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="强制碎片数据包检查"><a aria-hidden="true" tabindex="-1" href="#强制碎片数据包检查"><span class="icon icon-link"></span></a>强制碎片数据包检查</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># -f matches only the second and later IPv4 fragments. When conntrack is loaded the kernel reassembles datagrams in PREROUTING before this rule runs, so it rarely matches; where it does match it also drops legitimate fragmented traffic (large UDP, some VPN/IPsec). Prefer conntrack reassembly plus the INVALID drop.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-f</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="xmas-包"><a aria-hidden="true" tabindex="-1" href="#xmas-包"><span class="icon icon-link"></span></a>XMAS 包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># XMAS probe: every TCP flag set (FIN,SYN,RST,PSH,ACK,URG). Never valid, safe to drop unconditionally.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --tcp-flags ALL ALL <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="丢弃所有-null-数据包"><a aria-hidden="true" tabindex="-1" href="#丢弃所有-null-数据包"><span class="icon icon-link"></span></a>丢弃所有 NULL 数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># NULL probe: no TCP flag set at all. Never valid, safe to drop unconditionally.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --tcp-flags ALL NONE <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止不常见的-mss-值"><a aria-hidden="true" tabindex="-1" href="#阻止不常见的-mss-值"><span class="icon icon-link"></span></a>阻止不常见的 MSS 值</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># -m tcpmss inspects the TCP MSS option, which only appears on SYN/SYN-ACK; combined with --ctstate NEW this drops new connections announcing an MSS below 536 (the IPv4 minimum). Clients behind unusually small-MTU links could be cut off.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-m</span> tcpmss <span class="token operator">!</span> <span class="token parameter variable">--mss</span> <span class="token number">536</span>:65535 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止带有虚假-tcp-标志的数据包"><a aria-hidden="true" tabindex="-1" href="#阻止带有虚假-tcp-标志的数据包"><span class="icon icon-link"></span></a>阻止带有虚假 TCP 标志的数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># TCP flag combinations that do not occur in legitimate traffic (scan probes, crafted packets). Each --tcp-flags MASK COMP rule examines the flags in MASK and matches when exactly COMP is set.</span>
</span><span class="code-line"><span class="token comment"># These run in mangle/PREROUTING for every TCP packet. The ALL ALL and ALL NONE rules repeat the XMAS/NULL rules above; keep a single copy to avoid double matching.</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,SYN FIN,SYN <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags SYN,RST SYN,RST <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,RST FIN,RST <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,ACK FIN <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ACK,URG URG <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ACK,FIN FIN <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ACK,PSH PSH <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL ALL <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL NONE <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL FIN,PSH,URG <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL SYN,FIN,PSH,URG <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止来自私有子网的数据包欺骗"><a aria-hidden="true" tabindex="-1" href="#阻止来自私有子网的数据包欺骗"><span class="icon icon-link"></span></a>阻止来自私有子网的数据包(欺骗)</h3><div class="wrap-body">
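<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># Drop packets whose source address cannot legitimately arrive from the Internet: multicast/reserved (224/3, which already contains 240/5), link-local, RFC1918, TEST-NET-1, the "this network" block, and loopback on any interface other than lo.</span>
</span><span class="code-line"><span class="token comment"># As written this also drops your own LAN if the host sits on 10/8, 172.16/12 or 192.168/16, and the 0.0.0.0/8 entry breaks DHCP if this host is a DHCP server. Restrict it to the public interface (add -i WAN_IFACE) or rely on net.ipv4.conf.all.rp_filter=1 instead.</span>
</span><span class="code-line"><span class="token assign-left variable">_subnets</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token string">"224.0.0.0/3"</span> <span class="token string">"169.254.0.0/16"</span> <span class="token string">"172.16.0.0/12"</span> <span class="token string">"192.0.2.0/24"</span> <span class="token string">"192.168.0.0/16"</span> <span class="token string">"10.0.0.0/8"</span> <span class="token string">"0.0.0.0/8"</span> <span class="token string">"240.0.0.0/5"</span><span class="token punctuation">)</span>
</span><span class="code-line"><span class="token keyword">for</span> <span class="token for-or-select variable">_sub</span> <span class="token keyword">in</span> <span class="token string">"<span class="token variable">${_subnets<span class="token punctuation">[</span>@<span class="token punctuation">]</span>}</span>"</span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">  iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-s</span> <span class="token string">"<span class="token variable">$_sub</span>"</span> <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token keyword">done</span>
</span><span class="code-line">iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-s</span> <span class="token number">127.0</span>.0.0/8 <span class="token operator">!</span> <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> DROP
</span></code></pre>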
</div></div></div></div></div><div class="wrap h2body-not-exist"><div class="wrap-header h2wrap"><h2 id="另见"><a aria-hidden="true" tabindex="-1" href="#另见"><span class="icon icon-link"></span></a>另见</h2><div class="wrap-body">
<ul>
<li><a href="https://dunwu.github.io/linux-tutorial/linux/ops/iptables.html">Iptables 应用</a></li>
<li><a href="https://netfilter.org/">netfilter 官网</a></li>
</ul>
</div></div><div class="h2wrap-body"></div></div></div><script src="https://giscus.app/client.js" data-repo="jaywcjlove/reference" data-repo-id="R_kgDOID2-Mw" data-category="Q&#x26;A" data-category-id="DIC_kwDOID2-M84CS5wo" data-mapping="pathname" data-strict="0" data-reactions-enabled="1" data-emit-metadata="0" data-input-position="bottom" data-theme="dark" data-lang="zh-CN" crossorigin="anonymous" async></script><div class="giscus"></div></div><footer class="footer-wrap"><footer class="max-container">© 2022 <a href="https://wangchujiang.com/#/app" target="_blank">Kenny Wang</a>.</footer></footer><script src="../data.js?v=1.8.3" defer></script><script src="../js/fuse.min.js?v=1.8.3" defer></script><script src="../js/main.js?v=1.8.3" defer></script><div id="mysearch"><div class="mysearch-box"><div class="mysearch-input"><div><svg xmlns="http://www.w3.org/2000/svg" height="1em" width="1em" viewBox="0 0 18 18">
</svg><input id="mysearch-input" type="search" placeholder="搜索" autocomplete="off"><div class="mysearch-clear"></div></div><button id="mysearch-close" type="button">搜索</button></div><div class="mysearch-result"><div id="mysearch-menu"></div><div id="mysearch-content"></div></div></div></div></body>
</html>