Ops Basic Commands: Firewalls and iptables

iptables usage guide

1. Basic practice

Five topics: viewing rules, saving rules, clearing rules, restoring rules, and changing rules.

1.1 Viewing rules

List the current rules (of the filter table)

[root@controller ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
nova-api-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
nova-filter-top  all  --  anywhere             anywhere
nova-api-FORWARD  all  --  anywhere             anywhere
....

List the current rules with numeric addresses and ports, -n (without it iptables resolves addresses to host names, which is slow when DNS is unavailable and hides the exact address)

[root@controller ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
neutron-linuxbri-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
....

What the output shows:

With no -t option, -L lists only the filter table, starting with its three built-in chains INPUT, FORWARD and OUTPUT. "policy ACCEPT" is the chain's default policy, the fate of a packet that matches none of the rules in the chain; here every chain is open by default. The rules themselves are not accept/drop decisions but jumps into the neutron-* and nova-* chains created by the OpenStack agents on this controller, so what actually happens to a packet is decided inside those chains. The nat, mangle and raw tables have to be listed separately with -t.

The columns under each chain are:

target (the action, or the chain to jump to), prot (protocol), opt (options), source address, destination address

Show verbose output, -v

[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 11839 packets, 2842K bytes)
 pkts bytes target     prot opt in     out     source               destination
11839 2842K neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12985 3090K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....

What the output shows:

-v adds four columns compared with -L -n, and the chain header now also carries the packet and byte counters of the policy, i.e. of the packets that matched no rule

pkts: number of packets the rule has matched

bytes: total size of the packets the rule has matched

in: input interface the rule applies to; * means any interface

out: output interface the rule applies to

Show rule numbers, --line-numbers (these numbers are what -D, -I and -R take to address a rule by position)

[root@controller ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 13663 packets, 3221K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    13663 3221K neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2    14809 3469K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....

Print the rules as commands, -S: each line is the iptables command that recreates the rule, which makes this a good way to learn the syntax. -P lines set the chain policies, -N lines create the user-defined chains, -A lines append the rules to their chains. The rule lines carry no counters and no line numbers.

[root@controller ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-linuxbri-FORWARD
-N neutron-linuxbri-INPUT
-N neutron-linuxbri-OUTPUT
-N neutron-linuxbri-local
-N neutron-linuxbri-scope
-N neutron-linuxbri-sg-chain
-N neutron-linuxbri-sg-fallback
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j neutron-linuxbri-INPUT
-A INPUT -j nova-api-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
....
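The listings above show the trap in reading this output: every chain has policy ACCEPT and the rules are only jumps into other chains, so the listing alone does not say whether the host is protected. The script below is an added example, not part of the original post: it reads an iptables-save dump (the same per-table content as iptables -S, with table headers) and reports, for each built-in chain of the filter table, its policy, its rule count, and whether the chain ends in an unconditional DROP or REJECT. The sample_dump function is constructed input modelled on the output above, not a real host's rules, and the check is a first pass only: a jump into a custom chain that rejects everything is still reported as open.

```shell
#!/bin/sh
# Added example (not from the original post): audit the filter table of an
# iptables-save dump. For each built-in chain print: NAME POLICY RULE_COUNT STATE,
# where STATE is "closed" if the policy is DROP or the last rule is an
# unconditional DROP/REJECT, and "open" otherwise.
# Usage:  sh audit.sh demo                              # built-in sample below
#         iptables-save > now.rules && sh audit.sh now.rules

audit_filter() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*filter" -> table name
        table != "filter" { next }                   # nat/mangle/raw: not our concern here
        /^:/ {                                       # ":INPUT ACCEPT [pkts:bytes]"
            name = substr($1, 2); policy[name] = $2; rules[name] = 0
            if ($2 != "-") order[++n] = name         # "-" marks a user-defined chain
            next
        }
        $1 == "-A" {
            c = $2; rules[c]++
            tgt = ""; matched = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") tgt = $(i + 1);
                else if ($i ~ /^-(s|d|p|i|o|m)$/ || $i == "!") matched = 1
            }
            # only an unconditional DROP/REJECT as the LAST rule closes the chain;
            # a jump into another chain may reject everything, but we cannot tell here
            closed[c] = (!matched && (tgt == "DROP" || tgt == "REJECT"))
            next
        }
        /^COMMIT/ {
            for (i = 1; i <= n; i++) {
                c = order[i]
                state = (policy[c] == "DROP" || closed[c]) ? "closed" : "open"
                printf "%s %s %d %s\n", c, policy[c], rules[c], state
            }
            table = ""
        }'
}

# Constructed sample modelled on the listings above: a nat table that must be
# skipped, an OpenStack-style FORWARD chain that only jumps elsewhere, and the
# stock INPUT rules that end in an unconditional REJECT.
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save v1.4.21 on Wed Oct 20 09:22:53 2021
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [16785:3861723]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16549:3883715]
:nova-api-INPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-api-INPUT
COMMIT
EOF
}

case "${1:-}" in
    demo) sample_dump | audit_filter ;;
    "")   ;;                        # run without arguments: only define the functions
    *)    audit_filter < "$1" ;;
esac
```

On the sample, INPUT is reported closed (the REJECT at the end makes the ACCEPT policy irrelevant), FORWARD is reported open because its only rule jumps into nova-api-INPUT, and OUTPUT is open with no rules at all. Run it against iptables-save output from a real host and compare the report with what you expect the host to allow.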

1.2 Saving rules

Rules live only in the kernel and are gone after a reboot. iptables-save prints the complete rule set of all tables in the format that iptables-restore reads back; it writes to stdout, so redirect it into a file. Add -c to include the packet and byte counters.

Write the current rules to a file. This file is not what the iptables service loads at boot: on CentOS/RHEL 7 with iptables-services (which the "systemctl restart iptables" used later on this page implies) that file is /etc/sysconfig/iptables, written by "service iptables save"

[root@controller ~]# iptables-save > iptables.rules
[root@controller ~]# cat iptables.rules
# Generated by iptables-save v1.4.21 on Wed Oct 20 09:22:53 2021
*filter
:INPUT ACCEPT [16785:3861723]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16549:3883715]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-scope - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
....

1.3 Clearing rules

Delete a single rule

# list first, with line numbers
[root@controller ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    neutron-linuxbri-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
2    neutron-linuxbri-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
3    nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
4    nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
....

# delete rule 2 of the FORWARD chain by its number
[root@controller ~]# iptables -D FORWARD 2

# list again: the rule is gone, and the rules after it have each moved up one position, so when deleting several rules by number work from the highest number down
[root@controller ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    neutron-linuxbri-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
2    nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
3    nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
....

# -D needs either a rule number or the complete rule specification (here -D FORWARD -j neutron-linuxbri-FORWARD would have deleted the same rule); with neither it fails
[root@controller ~]# iptables -D FORWARD
iptables: Bad rule (does a matching rule exist in that chain?).

Zero the counters

# before
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 3196 packets, 657K bytes)
 pkts bytes target     prot opt in     out     source               destination
23118 5147K neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
24264 5395K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....

# zero the counters, -Z (iptables -Z INPUT would zero only that chain)
[root@controller ~]# iptables -Z

# afterwards: every counter was reset to zero, and the values now shown are only the packets seen since the reset, so they are no longer comparable with the earlier listing
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 58 packets, 11344 bytes)
 pkts bytes target     prot opt in     out     source               destination
   58 11344 neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   58 11344 nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....

Clear all rules

# flush every rule from every chain of the filter table (-F); the chains themselves and their policies stay
[root@controller ~]# iptables -F

# delete the user-defined chains (-X); it only works on empty chains, so it must come after -F
[root@controller ~]# iptables -X

# check: only the three built-in chains remain, and they are empty. Both commands act on the filter table only unless -t names another table. On a remote host this is only safe while the policies are ACCEPT: with a DROP policy, -F leaves nothing but the policy and the SSH session is gone
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 424 packets, 84770 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 398 packets, 83826 bytes)
 pkts bytes target     prot opt in     out     source               destination

1.4 Restoring rules

Restore rules from the backup file

# iptables-restore reads the file from stdin and replaces every table listed in it, flushing the table first; add -n/--noflush to add the rules to the existing ones instead, and -c to load the saved counters as well
[root@controller ~]# iptables-restore < iptables.rules

# check: restored. Note that neutron-linuxbri-FORWARD is back in the FORWARD chain: the file was saved in 1.2, before that rule was deleted in 1.3, and a restore reproduces the file, not the state at the time of the delete
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 268 packets, 46570 bytes)
 pkts bytes target     prot opt in     out     source               destination
  268 46570 neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  268 46570 nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....
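The two commands above, iptables-save in 1.2 and iptables-restore here, are all that is needed for a safe way to change rules on a remote host, which the post itself does not show. The script below is an added example, not part of the original post: it snapshots the live rules, loads the new file, and starts a watchdog that puts the snapshot back unless the change is confirmed from a fresh SSH session within ROLLBACK_SECS. STATE_DIR, ROLLBACK_SECS, IPT_SAVE and IPT_RESTORE are this example's own variables, not iptables options; the last two exist so the same script can drive ip6tables-save and ip6tables-restore.

```shell
#!/bin/sh
# Added example (not from the original post): load a rule file with
# iptables-restore, but roll back to the previous rules automatically unless the
# change is confirmed in time. This is the standard guard against loading a
# rule set that drops your own SSH session.
# Usage (as root):  sh safe-apply.sh apply new.rules
#                   sh safe-apply.sh confirm    # from a NEW ssh session, within ROLLBACK_SECS
# STATE_DIR, ROLLBACK_SECS, IPT_SAVE and IPT_RESTORE are this example's own
# variables (assumptions), not iptables settings.

STATE_DIR=${STATE_DIR:-/run/iptables-safe}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

apply_rules() {   # $1 = rule file in iptables-save format
    mkdir -p "$STATE_DIR"
    rm -f "$STATE_DIR/confirmed"
    # Snapshot first. iptables-save only writes to stdout; add -c to keep counters.
    $IPT_SAVE > "$STATE_DIR/before.rules"
    # iptables-restore flushes every table named in the file before loading it
    # (--noflush would merge instead), so after this line the old rules are gone.
    $IPT_RESTORE < "$1" || { echo "restore of $1 failed; check the live rules" >&2; return 1; }
    # Watchdog in the background. SIGHUP is ignored so it survives the admin's
    # session being cut off, which is exactly the case it exists for.
    (
        trap '' HUP
        sleep "$ROLLBACK_SECS"
        [ -e "$STATE_DIR/confirmed" ] || $IPT_RESTORE < "$STATE_DIR/before.rules"
    ) &
    echo $! > "$STATE_DIR/watchdog.pid"
    echo "loaded $1; run 'confirm' within ${ROLLBACK_SECS}s or the previous rules come back"
}

confirm_rules() {
    # Marker first, kill second: even if the kill misses, the watchdog sees the marker.
    touch "$STATE_DIR/confirmed"
    kill "$(cat "$STATE_DIR/watchdog.pid")" 2>/dev/null || true
    echo "confirmed, rollback cancelled"
}

case "${1:-}" in
    apply)   [ -n "${2:-}" ] || { echo "usage: $0 apply RULEFILE" >&2; exit 2; }
             apply_rules "$2" ;;
    confirm) confirm_rules ;;
esac
```

The confirmation must come from a new SSH session, not the one that ran apply: if the new rules broke SSH, the new login fails, nobody confirms, and the watchdog restores the old rules. A rule file that fails to parse is reported and leaves the rollback timer running, which is harmless because restoring the snapshot cannot make things worse.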

1.5 Changing the chain policy

-P sets the default policy of a built-in chain, the action taken on a packet that matches none of the chain's rules. Only ACCEPT and DROP are valid policies (REJECT is not), and only built-in chains have one. Here FORWARD is changed from ACCEPT to DROP

# before
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 342 packets, 49890 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4455  836K neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4455  836K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....

# change with -P
[root@controller ~]# iptables -P FORWARD DROP

# check: the FORWARD policy is now DROP, so forwarded packets that match no rule are silently dropped. Do not do this to INPUT on a remote host before a rule accepting your own SSH traffic (or RELATED,ESTABLISHED) exists: every packet of the session would then be dropped
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 38 packets, 5017 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4849  905K neutron-linuxbri-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4849  905K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....

A policy set with -P is not undone by -F: -F removes rules, but the policy is a property of the chain and stays until it is set again with -P

[root@controller ~]# iptables -F
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 36 packets, 6554 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
....

Restarting the iptables service reloads the rule set saved for the service (on CentOS/RHEL 7 with iptables-services: /etc/sysconfig/iptables) and replaces whatever is loaded in the kernel

# flush all rules
[root@controller ~]# iptables -F

# check: the chains are empty
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 8 packets, 520 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
# restart the iptables service
[root@controller ~]# systemctl restart iptables

# check again: the rules from the service's saved file are loaded, and the OpenStack chains are gone, because the service loads that file, not what was in the kernel before. Read INPUT top to bottom: packets of established connections are accepted first, then ICMP, then anything on the loopback interface, then new connections to TCP port 22, and an unconditional REJECT at the end catches everything else, so the ACCEPT policy is never reached; FORWARD rejects everything
[root@controller ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
 pkts bytes target     prot opt in     out     source               destination
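The stock rule set above, together with the -F/-X behaviour from 1.3 and the -P caveat from 1.5, fixes the order in which a rule set has to be torn down and rebuilt. The script below is an added example, not part of the original post: reset_tables resets every table without locking out a remote session, and build_default_deny recreates the rule set shown above rule by rule, with a comment on why each rule sits where it does. IPT is this example's own variable (set IPT=ip6tables to do the same for IPv6).

```shell
#!/bin/sh
# Added example (not from the original post): reset every table and rebuild the
# CentOS 7 stock rule set listed above, in an order that never cuts off a
# remote admin. IPT is this example's own variable, not an iptables setting:
# IPT=ip6tables sh rebuild.sh apply does the same for IPv6.
# Run as root:  sh rebuild.sh apply   (without "apply" only the functions are defined)

IPT=${IPT:-iptables}

# Full reset. The order is the whole point:
#  1. policies to ACCEPT first: -F leaves policies alone, so flushing a chain
#     whose policy is DROP leaves a chain that drops everything, SSH included;
#  2. -F before -X: -X refuses to delete a chain that still contains rules;
#  3. -t for every table: -F, -X and -Z without -t touch the filter table only.
reset_tables() {
    for c in INPUT FORWARD OUTPUT; do
        $IPT -P "$c" ACCEPT
    done
    for t in filter nat mangle raw; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
        $IPT -t "$t" -Z
    done
}

# Rebuild the stock rule set. A chain is scanned top to bottom until a rule
# matches, so every allow must sit above the catch-all REJECT, and the
# stateful rule goes first because it matches most packets and ends the scan.
build_default_deny() {
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # New SSH connections: the admin's lifeline, added before the deny below.
    $IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    # Catch-all. REJECT answers the client at once; DROP would let it time out.
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    # The policies stay ACCEPT, as in the stock file: the final REJECT rule is
    # what closes the chain. With -P INPUT DROP the chain would be fail-closed
    # instead: a later "iptables -F" would leave the host unreachable rather
    # than wide open. Decide which failure you prefer; do not leave it to chance.
}

case "${1:-}" in
    apply)
        reset_tables
        build_default_deny
        $IPT -L -n -v --line-numbers
        ;;
esac
```

After "sh rebuild.sh apply" the final listing should match the one above, minus the counters. Because the allow rules are appended before the REJECT and the policies are set to ACCEPT before anything is flushed, an SSH session running the script stays up throughout; run it from a fresh session afterwards to confirm new logins work as well.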

Source: http://gsproj.github.io/2022/07/06/01_运维/01-基础命令/day22-防火墙与iptables/iptables使用/
Author: GongSheng
Published: July 6, 2022