centos7.3默认使用的防火墙应该是firewall,而不是iptables。而我们如果想要再服务器上使用iptables防火墙,在配置防火墙之前,我们需要先关闭firewall,安装iptables。
当前环境:
1
2
3
4
5
|
[root@localhost ~]
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@localhost ~]
# uname -r
3.10.0-514.el7.x86_64
[root@localhost ~]
#
|
查看firewall状态:
1
2
3
4
5
6
|
[root@localhost ~]
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (
/usr/lib/systemd/system/firewalld
.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs:
man
:firewalld(1)
[root@localhost ~]
#
|
如果要关闭firewall防火墙,则执行
1
|
[root@localhost ~]
#systemctl stop firewalld
|
如果要设置开机不启动,则执行
1
2
|
[root@localhost ~]
# systemctl disable firewalld
[root@localhost ~]
#
|
接下来安装iptables服务
1
|
[root@localhost ~]
# yum -y install iptables-services
|
查看iptables状态,执行
1
2
3
4
5
|
[root@localhost ~]
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (
/usr/lib/systemd/system/iptables
.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost ~]
#
|
设置开机启动
1
2
3
4
5
6
7
|
[root@localhost ~]
# systemctl enable iptables.service
Created
symlink
from
/etc/systemd/system/basic
.target.wants
/iptables
.service to
/usr/lib/systemd/system/iptables
.service.
[root@localhost ~]
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (
/usr/lib/systemd/system/iptables
.service; enabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost ~]
#
|
启动iptables服务
1
2
3
4
5
6
7
8
9
10
11
|
[root@localhost ~]
# systemctl start iptables.service
[root@localhost ~]
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (
/usr/lib/systemd/system/iptables
.service; enabled; vendor preset: disabled)
Active: active (exited) since Tue 2017-08-15 22:27:23 EDT; 1s ago
Process: 2243 ExecStart=
/usr/libexec/iptables/iptables
.init start (code=exited, status=0
/SUCCESS
)
Main PID: 2243 (code=exited, status=0
/SUCCESS
)
Aug 15 22:27:23 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Aug 15 22:27:23 localhost.localdomain iptables.init[2243]: iptables: Applying firewall rules: [ OK ]
Aug 15 22:27:23 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
[root@localhost ~]
#
|
查看iptables默认访问规则
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
[root@localhost ~]
# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
45 3348 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT all -- lo * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
state NEW tcp dpt:22
9 702 REJECT all -- * * 0.0.0.0
/0
0.0.0.0
/0
reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
0 0 REJECT all -- * * 0.0.0.0
/0
0.0.0.0
/0
reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 36 packets, 4064 bytes)
pkts bytes target prot opt
in
out
source
destination
[root@localhost ~]
#
|
查看iptables配置文件的默认规则设置:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
[root@localhost ~]
# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@localhost ~]
#
|
常用iptables配置范例:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
[root@localhost ~]
# iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
0 0
ping
icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
icmptype 8 state NEW
39 3016 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT all -- * * 192.168.112.0 0.0.0.0
/0
0 0 ACCEPT all -- * * 10.0.10.0 0.0.0.0
/0
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:444
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:843
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8001
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8002
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8003
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:10050
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:10051
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
Chain OUTPUT (policy ACCEPT 31 packets, 2884 bytes)
pkts bytes target prot opt
in
out
source
destination
Chain
ping
(1 references)
pkts bytes target prot opt
in
out
source
destination
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
icmptype 8 limit: avg 1
/sec
burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
[root@localhost ~]
#
|
此时如果想保存当前配置到某个文件(这里用access.txt),可以使用iptables-save命令:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
[root@localhost ~]
# iptables-save >access.txt
[root@localhost ~]
# cat access.txt
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*nat
:PREROUTING ACCEPT [9:702]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [5:380]
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*raw
:PREROUTING ACCEPT [96:7170]
:OUTPUT ACCEPT [66:8472]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*security
:INPUT ACCEPT [87:6468]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:8472]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*mangle
:PREROUTING ACCEPT [96:7170]
:INPUT ACCEPT [96:7170]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:8472]
:POSTROUTING ACCEPT [66:8472]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
# Generated by iptables-save v1.4.21 on Tue Aug 15 22:41:42 2017
*filter
:INPUT DROP [9:702]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:8472]
:
ping
- [0:0]
-A INPUT -p icmp -m icmp --icmp-
type
8 -m state --state NEW -j
ping
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.112.0
/32
-j ACCEPT
-A INPUT -s 10.0.10.0
/32
-j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 843 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10051 -j ACCEPT
-A
ping
-p icmp -m icmp --icmp-
type
8 -m limit --limit 1
/sec
-j ACCEPT
-A
ping
-p icmp -j ACCEPT
COMMIT
# Completed on Tue Aug 15 22:41:42 2017
[root@localhost ~]
#
|
如果不小心把配置全部清理了,这是可以用iptables-restore 命令重新将配置导入:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
[root@localhost ~]
# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 by
pkts bytes target prot opt
in
out
source
destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 by
pkts bytes target prot opt
in
out
source
destination
[root@localhost ~]
# iptables-restore access.
[root@localhost ~]
# iptables -L
Chain INPUT (policy DROP 0 packets, 0 by
pkts bytes target prot opt
in
out
source
destination
0 0
ping
icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
icmptype 8 state NEW
5 356 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT all -- * * 192.168.112.0 0.0.0.0
/0
0 0 ACCEPT all -- * * 10.0.10.0 0.0.0.0
/0
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:444
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:843
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8001
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8002
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8003
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:10050
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:10051
Chain FORWARD (policy ACCEPT 0 packets, 0 by
pkts bytes target prot opt
in
out
source
destination
Chain OUTPUT (policy ACCEPT 4 packets, 416 by
pkts bytes target prot opt
in
out
source
destination
Chain
ping
(1 referen
pkts bytes target prot opt
in
out
source
destination
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
icmptype 8 limit: avg 1
/sec
burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
[root@localhost
|
部分规则解释说明:
摘自:http://www.cnblogs.com/alwu007/p/6693822.html
[root@localhost ~]# systemctl enable iptables.service
编辑并修改配置文件/etc/sysconfig/iptables,使用下面的配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TEST - [0:0]
-A INPUT -j TEST
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --rcheck --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --
set
-A INPUT -i eth1 -p tcp -m tcp -d 192.168.1.100 --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 --connlimit-saddr -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m length --length 0:128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
... ...
-A INPUT -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j TEST
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j TEST
-A TEST -j RETURN
COMMIT
|
1.检查替换eth1;2.检查替换-d ip;3.若是centos6.8,检查iptables版本是v1.4.7还是v1.4.21,前者不支持–connlimit-saddr选项,去掉即可。下面,我简单解释一下这个配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
# filter表
*filter
# INPUT链默认策略为ACCEPT
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 自定义TEST链
:TEST - [0:0]
# 进入TEST链(从后面配置看,TEST链只是RETURN了回来,没有其他规则)
-A INPUT -j TEST
# 接受连接状态是RELATED和ESTABLISHED的包
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 接受ICMP协议的包
-A INPUT -p icmp -j ACCEPT
# 接受回环接口的包
-A INPUT -i lo -j ACCEPT
# 同一源IP1秒内最多可发起14次目的地址是192.168.1.100的TCP连接请求,15次及以上的包将被接口eth1丢弃
# 为什么同时指定-i和-d?猜测:路由器里的路由表可能人为或未及时更新导致路由表映射错误,导致发到接口eth1的包的目的IP错误。为了防止此类包,则需同时指定-i和-d
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --rcheck --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -i eth1 -d 192.168.1.100 --syn -m recent --name suduip --set
# 同一源IP只允许50个目的地址是192.168.1.100的TCP连接请求,超出的包将被接口eth1丢弃
-A INPUT -i eth1 -p tcp -m tcp -d 192.168.1.100 --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 --connlimit-saddr -j DROP
# 此条规则有问题(猜测,可能是--length 129 -j DROP)
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m length --length 0:128 -j ACCEPT
# 下面这些规则对TCP连接请求包开放部分端口
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
... ...
# 丢弃所有包
-A INPUT -j DROP
# 上一条规则已经丢弃了所有包,此条规则貌似到不了
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j TEST
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j TEST
-A TEST -j RETURN
COMMIT
|
重启iptables
1
|
[root@localhost ~]
# systemctl restart iptables.service
|
查看防火墙规则是否已应用
1
|
[root@localhost ~]
# iptables -L -nv
|
本文转自027ryan 51CTO博客,原文链接:http://blog.51cto.com/ucode/1956698
,如需转载请自行联系原作者