56 iptables (三)

IPtables 常用命令

1. 查看防火墙的状态

iptables -L -n -v --line-numbers

2. 启动/停止/重启防火墙

# service iptables stop
# service iptables start
# service iptables restart

3. 插入规则

iptables -I INPUT 2 -s 202.54.1.2 -j DROP

4. 查找一条规则

iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

一些例子

#清除所有规则(慎用)
iptables -F
iptables -X
iptables -Z

#查看iptable和行号
iptables -nL --line-number

#保存当前防火墙配置
service iptables save

#手动编辑防火墙策略
vi /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Fri Jul 24 09:42:09 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#开放本地和Ping
-A INPUT -i lo -j ACCEPT  
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT
#配置内网白名单
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
#配置外网白名单
-A INPUT -s 180.168.36.198 -j ACCEPT 
-A INPUT -s 180.168.34.218 -j ACCEPT 
-A INPUT -s 222.73.202.251 -j ACCEPT 
#控制端口
-A INPUT -p tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp --dport 22 -j ACCEPT
#拒绝其它
-A INPUT -j DROP 
-A FORWARD -j DROP 
#开放出口
-A OUTPUT -j ACCEPT 
COMMIT
# Completed on Fri Jul 24 09:40:16 2015 

#重启生效
service iptables restart

#复查结果

iptables -nL --line-number

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     all  --  10.0.0.0/8           0.0.0.0/0           
5    ACCEPT     all  --  172.16.0.0/12        0.0.0.0/0           
6    ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0           
7    ACCEPT     all  --  180.168.36.198       0.0.0.0/0           
8    ACCEPT     all  --  180.168.34.218       0.0.0.0/0           
9    ACCEPT     all  --  222.73.202.251       0.0.0.0/0           
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
12   DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

一个脚本

#!/bin/bash
#0 0 * * * /root/start_iptables.sh

#清除配置
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
#开放本地和Ping
/sbin/iptables -A INPUT -i lo -j ACCEPT  
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
/sbin/iptables -A INPUT -p icmp -j ACCEPT
#配置内网白名单
/sbin/iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
#配置外网白名单
/sbin/iptables -A INPUT -s 180.168.36.198 -j ACCEPT 
/sbin/iptables -A INPUT -s 180.168.34.218 -j ACCEPT 
/sbin/iptables -A INPUT -s 222.73.202.251 -j ACCEPT 
#控制端口
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#拒绝其它
/sbin/iptables -A INPUT -j DROP 
/sbin/iptables -A FORWARD -j DROP 
#开放出口
/sbin/iptables -A OUTPUT -j ACCEPT 


chmod 755 /root/start_iptables.sh
crontab -e
0 0 * * * /root/start_iptables.sh

iptables 实现端口转发

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.125.128 --dport 8124 -j DNAT --to 192.168.125.129:8123

iptables -A FORWARD -o eth0 -d 192.168.125.129 -p tcp --dport 8123 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.125.129 -p tcp --sport 8123 -j ACCEPT

iptables -t nat -A POSTROUTING -d 192.168.125.129 -p tcp --dport 8123 -j SNAT --to 192.168.125.128


vim /etc/sysctl.conf

root@ubuntu:~# sysctl -p
net.ipv4.ip_forward = 1