且构网 - sharing what programmers run into in development

Understanding the iptables -m option and the rules it is used in

Updated: 2022-09-22 09:44:53

For a detailed description of iptables connection states, see http://os.51cto.com/art/201108/285209.htm

I often see rules like this one on server firewalls:
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
so I decided it was time to work out what they actually do. Here is a walk-through of iptables.
1. First, the four connection states
The state match (`-m state`, backed by the kernel's connection-tracking module) classifies every packet as one of NEW, ESTABLISHED, RELATED or INVALID. On current kernels `-m state` is an alias for `-m conntrack --ctstate`, which accepts the same four names (plus a few more, such as UNTRACKED); everything below applies to both spellings.
NEW: a host is connecting to the target host; this is the first packet the target sees that tries to open a connection. Only the first packet of a flow is NEW (the TCP SYN, or the first ICMP echo request).
ESTABLISHED: the two hosts are already talking. The criterion is simply that the target host has answered the first packet; from then on every packet in both directions of that flow is ESTABLISHED, including the echo reply to a ping this host sent.
RELATED: a new connection that belongs to an existing one, for example the data connection the FTP server opens alongside the control connection (ICMP error messages that refer to an existing connection are RELATED as well).
INVALID: a packet that cannot be tied to any known connection, for example a corrupted packet.

2. What the rules above do
You will find this rule:
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
and very often, right after it, this one:
3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited   # packets from other hosts that are neither RELATED nor ESTABLISHED get host-prohibited back

They are added with:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
The second rule (rule 2 in the listing) loads the state match module with -m state and accepts every packet whose state is RELATED or ESTABLISHED; in other words, it lets in all traffic belonging to connections this host already has. Combined with a blocking rule after it, the visible effect is that this host can ping other hosts while other hosts cannot ping it: only the responses to what this host itself sent out are let in. It is the one universal rule, "let the replies to my own packets back in", and the specific rules follow it.
The third rule (rule 3) depends on the second: anything that matched neither rule 2 nor an earlier rule is rejected, and the sender gets an ICMP host-prohibited message back. Note that because rule 3 matches every packet, no rule placed below it can ever take effect; only rules above it are evaluated. Since -A appends, any rule added later with -A lands behind rule 3 and is dead on arrival; insert it above the REJECT with -I INPUT <position> instead.

3. Words are cheap, so let us test it
(1) Adding only iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT has no visible effect at all, because the chain policy is ACCEPT: a packet that matches no rule is accepted anyway, so the rule only changes which counter increments.
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination 
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212 
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

(2) With both rules added, the firewall looks like this, and the result is that this host can ping other hosts while other hosts cannot ping it:
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination 
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212 
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited   # packets from other hosts that are neither RELATED nor ESTABLISHED get host-prohibited back

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 37 packets, 10438 bytes)
num pkts bytes target prot opt in out source destination
Result (first pinging out from the server, then pinging the server from another host, xz-server1):
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# ping 123.56.16.77
PING 123.56.16.77 (123.56.16.77) 56(84) bytes of data.
64 bytes from 123.56.16.77: icmp_seq=1 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=2 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=3 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=4 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=5 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=6 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=7 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=8 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=9 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=10 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=11 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=12 ttl=55 time=24.7 ms
^C
--- 123.56.16.77 ping statistics ---
13 packets transmitted, 12 received, 7% packet loss, time 12039ms
rtt min/avg/max/mdev = 24.660/24.720/24.788/0.149 ms
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# exit
logout
Connection to 101.132.109.227 closed.

Welcome to aliyun Elastic Compute Service!

[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
From 101.132.109.227 icmp_seq=14 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
14 packets transmitted, 0 received, +14 errors, 100% packet loss, time 13480ms
Conclusion: when the filter table's INPUT chain policy is ACCEPT, the two rules below only work as a pair. Rule 2 on its own allows nothing the policy would not allow anyway, and rule 3 on its own would also reject the echo replies to this host's own pings and the packets of the existing SSH session on port 1212 (only its first packet was NEW). Together, ping packets from other hosts are rejected outright with a host-prohibited reply, while this host's own pings still get their replies back.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

One more point: when the INPUT chain's default policy is DROP, a packet that hits iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited still gets host-prohibited back, while a packet that matches no rule at all is dropped without any reply. With the catch-all REJECT in place every packet matches rule 3, so the policy is never consulted and the test below behaves exactly as before; the DROP policy only matters as a safety net for the moment the REJECT rule is absent, for example while the rules are being reloaded. Switching the policy to DROP over SSH is safe here only because rule 2 is already in place to accept the session's packets.
Change the INPUT default policy:
iptables -P INPUT DROP
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination 
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212 
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination 
1 MASQUERADE all -- 192.168.0.0/16 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
13 packets transmitted, 0 received, +13 errors, 100% packet loss, time 12441ms
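The ordering rules from sections 2 and 3 and the policy point above are easy to state and easy to get wrong when a chain is edited over time. Here is an added example, written for this page and not code from the original article: a POSIX sh auditor that reads the text printed by `iptables -S INPUT`, reports a catch-all placed ahead of the ESTABLISHED,RELATED accept, rules shadowed behind the catch-all, and what becomes of an unmatched packet under the chain policy, plus the article's final ordering written out with `-m conntrack`. The sample chain dumps are constructed to mirror the rulesets in this article; the port-80 rule, the loopback accept and the INVALID drop are additions for illustration, not from the article. iptables itself is only parsed, never invoked, so the script is safe to try on a saved dump.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an INPUT chain
# dump (the output of `iptables -S INPUT`) for the ordering mistakes above.

# A rule with no match at all, "-A INPUT -j REJECT ..." or "-j DROP", is a
# catch-all: every packet that reaches it is terminated there.
is_catch_all() {
    case "$1" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The "let replies to my own traffic back in" rule, in either spelling:
# legacy "-m state --state" or its replacement "-m conntrack --ctstate".
is_state_accept() {
    case "$1" in
        *"--state "*ESTABLISHED*" -j ACCEPT"*)   return 0 ;;
        *"--ctstate "*ESTABLISHED*" -j ACCEPT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads the dump on stdin, prints one finding per line, returns 0 only when
# the chain is clean: state accept before the catch-all, nothing shadowed
# behind it, and unmatched packets not falling through to an ACCEPT policy.
audit_input_chain() {
    policy=unknown; seen_state=0; catch_all=""; problems=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy=${line#"-P INPUT "}; continue ;;
            "-A INPUT "*) ;;
            *) continue ;;              # other chains, comments, blank lines
        esac
        if [ -n "$catch_all" ]; then
            # Appended with -A after the catch-all: can never match.
            echo "SHADOWED: $line"; problems=$((problems + 1)); continue
        fi
        if is_state_accept "$line"; then seen_state=1; fi
        if is_catch_all "$line"; then
            catch_all=$line
            if [ "$seen_state" -eq 0 ]; then
                # Replies to the host's own connections (and the packets of
                # an existing SSH session) would be rejected as well.
                echo "BROKEN: catch-all precedes the ESTABLISHED,RELATED accept: $line"
                problems=$((problems + 1))
            fi
        fi
    done
    # Fate of a packet that matches no explicit rule.
    if [ -n "$catch_all" ]; then
        echo "UNMATCHED: terminated by catch-all (policy $policy is never consulted)"
    elif [ "$policy" = DROP ]; then
        echo "UNMATCHED: dropped silently by policy DROP"
    else
        echo "UNMATCHED: accepted by policy $policy; the state rule alone filters nothing"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# The article's final ordering with -m conntrack (current name of the state
# match, same state names) plus two additions not in the article: loopback
# accept and an INVALID drop. The policy is set last so an SSH session used
# to apply the rules is never cut off half-way. Printed, not executed, so it
# can be reviewed first; as root: baseline_rules | sh
baseline_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 1212 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -P INPUT DROP
EOF
}

# Constructed sample dumps (not captured from a real host). First: the
# article's final ruleset as -S prints it, plus a port-80 rule appended with
# -A afterwards, which is a common mistake.
PAGE_RULES='-P INPUT DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1212 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
# The catch-all inserted ahead of the state rule.
MISORDERED_RULES='-P INPUT ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
# Section 3, step (1): the state rule alone with policy ACCEPT.
OPEN_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

demo() {
    for sample in "$PAGE_RULES" "$MISORDERED_RULES" "$OPEN_RULES"; do
        echo "== sample"; printf '%s\n' "$sample" | audit_input_chain || echo "   -> not clean"
    done
    echo "== baseline_rules (iptables prefix stripped to match -S format)"
    baseline_rules | sed 's/^iptables //' | audit_input_chain && echo "   -> clean"
}
demo
```

On a real host, source the file and run `iptables -S INPUT | audit_input_chain`; a non-zero exit status means the chain has one of the problems described in this article. The auditor deliberately treats only a rule with no match at all as the catch-all, so a `-j DROP` with a `--ctstate INVALID` match is not flagged; rules that terminate a large subset of traffic through a match still need reading by eye.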

This article is reposted from the 51CTO blog of 飞奔的小GUI; original link: http://blog.51cto.com/9237101/2052865. For reprints, contact the original author.


ziwenzhou