Basic Iptables - Debian/RedHat (转)

rainren

如以前有人贴过就请删除吧！

http://www.howtoforge.com/linux_iptables_sarge

1. 
   
2. 
   
3. The System
   
4. Debian Sarge 3.1 Vanilla 2.6.12.4 kernel from mirrors.kernel.org iptables administration utility version 1.2.11-10
   
5. 
   
6. 
   
7. 
   
8. 
   
9. Preparation
   
10. This How-To is performed on a Debian Sarge 3.1 box, though the commands and syntax should work for any linux distro. Before you can configure iptables, you first must ensure that it has been compiled into the kernel, and that you have the proper userland utilities installed.
    
11. 
    
12. 
    
13. You should have a config file from when the kernel was compiled. Grep'ing it for "CONFIG_IP_NF" should produce '=y' or '=m' for most of the lines/options. Here you see that "CONFIG_IP_NF_IPTABLES" was compiled as a kernel module.
    
14. 
    
15. 
    
16. 
    
17. # cat /boot/config-2.4.30 | grep -i "CONFIG_IP_NF"
    
18. 
    
19. CONFIG_IP_NF_CONNTRACK=m
    
20. CONFIG_IP_NF_FTP=m
    
21. CONFIG_IP_NF_AMANDA=m
    
22. CONFIG_IP_NF_TFTP=m
    
23. CONFIG_IP_NF_IRC=m
    
24. CONFIG_IP_NF_QUEUE=m
    
25. CONFIG_IP_NF_IPTABLES=m
    
26. CONFIG_IP_NF_MATCH_LIMIT=m
    
27. CONFIG_IP_NF_MATCH_MAC=m
    
28. CONFIG_IP_NF_MATCH_PKTTYPE=m
    
29. CONFIG_IP_NF_MATCH_MARK=m
    
30. CONFIG_IP_NF_MATCH_MULTIPORT=m
    
31. CONFIG_IP_NF_MATCH_TOS=m
    
32. CONFIG_IP_NF_MATCH_RECENT=m
    
33. CONFIG_IP_NF_MATCH_ECN=m
    
34. CONFIG_IP_NF_MATCH_DSCP=m
    
35. CONFIG_IP_NF_MATCH_AH_ESP=m
    
36. CONFIG_IP_NF_MATCH_LENGTH=m
    
37. CONFIG_IP_NF_MATCH_TTL=m
    
38. CONFIG_IP_NF_MATCH_TCPMSS=m
    
39. CONFIG_IP_NF_MATCH_HELPER=m
    
40. CONFIG_IP_NF_MATCH_STATE=m
    
41. CONFIG_IP_NF_MATCH_CONNTRACK=m
    
42. CONFIG_IP_NF_MATCH_UNCLEAN=m
    
43. CONFIG_IP_NF_MATCH_OWNER=m
    
44. CONFIG_IP_NF_FILTER=m
    
45. CONFIG_IP_NF_TARGET_REJECT=m
    
46. CONFIG_IP_NF_TARGET_MIRROR=m
    
47. CONFIG_IP_NF_NAT=m
    
48. CONFIG_IP_NF_NAT_NEEDED=y
    
49. CONFIG_IP_NF_TARGET_MASQUERADE=m
    
50. CONFIG_IP_NF_TARGET_REDIRECT=m
    
51. CONFIG_IP_NF_NAT_AMANDA=m
    
52. CONFIG_IP_NF_NAT_SNMP_BASIC=m
    
53. CONFIG_IP_NF_NAT_IRC=m
    
54. CONFIG_IP_NF_NAT_FTP=m
    
55. CONFIG_IP_NF_NAT_TFTP=m
    
56. CONFIG_IP_NF_MANGLE=m
    
57. CONFIG_IP_NF_TARGET_TOS=m
    
58. CONFIG_IP_NF_TARGET_ECN=m
    
59. CONFIG_IP_NF_TARGET_DSCP=m
    
60. CONFIG_IP_NF_TARGET_MARK=m
    
61. CONFIG_IP_NF_TARGET_LOG=m
    
62. CONFIG_IP_NF_TARGET_ULOG=m
    
63. CONFIG_IP_NF_TARGET_TCPMSS=m
    
64. CONFIG_IP_NF_ARPTABLES=m
    
65. CONFIG_IP_NF_ARPFILTER=m
    
66. CONFIG_IP_NF_ARP_MANGLE=m
    
67. CONFIG_IP_NF_COMPAT_IPCHAINS=m
    
68. CONFIG_IP_NF_NAT_NEEDED=y
    
69. CONFIG_IP_NF_COMPAT_IPFWADM=m
    
70. CONFIG_IP_NF_NAT_NEEDED=y
    
71. 
    
72. 
    
73. This isn't all that necessary, since you'll find out real quick whether iptables works or not once we try to add some rules.
    
74. 
    
75. 
    
76. You can check whether you have the iptables administration utility installed by executing:
    
77. 
    
78. # dpkg -l iptables
    
79. iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to
    
80. 
    
81. ...or for rpm based distro:
    
82. 
    
83. # rpm -qa | grep iptablesiptables-xxxxx
    
84. 
    
85. ...or you can just see if the binary is there!
    
86. 
    
87. # which iptables
    
88. /sbin/iptables
    
89. 
    
90. 
    
91. If the utility is missing you can install it like so:
    
92. 
    
93. APT
    
94. 
    
95. # apt-get update && apt-get install iptables
    
96. 
    
97. RPM
    
98. 
    
99. # rpm -Uvh iptables-xxxx.rpm
    
100. Preparing ################################# [100%]
     
101. 
     
102. 
     
103. 
     
104. 
     
105. The Main Files
     
106. 
     
107. 
     
108. 
     
109. Debian
     
110. /etc/init.d/iptables – INIT script to start|stop|restart the service (and save rulesets). This file is no longer default as of Sarge but you can still get it (I'll show you).
     
111. /var/lib/iptables – Debian's home for the 'active' and 'inactive' iptables-save counter files (i.e. The saved rulesets). On RedHat you would find the saved rules in '/etc/sysconfig/iptables'.
     
112. /var/lib/iptables/active – Active Counters (more on that later)
     
113. /var/lib/iptables/inactive – Inactive Counters
     
114. /sbin/iptables – The administration utility/binary.
     
115. 
     
116. 
     
117. 
     
118. RedHat
     
119. /etc/init.d/iptables – INIT script to start|stop|restart the service (and save rulesets).
     
120. /etc/sysconfig/iptables – RedHat's file for the iptables-save counter files (i.e. The saved rulesets).
     
121. /sbin/iptables – The administration utility/binary.
     
122. 
     
123. 
     
124. 
     
125. A Little About IPTables
     
126. 
     
127. To see what rulesets we currently have in place, execute:
     
128. 
     
129. # iptables --list
     
130. Chain INPUT (policy ACCEPT)
     
131. target prot opt source destination
     
132. 
     
133. Chain FORWARD (policy ACCEPT)
     
134. target prot opt source destination
     
135. 
     
136. Chain OUTPUT (policy ACCEPT)
     
137. target prot opt source destination
     
138. 
     
139. 
     
140. This is what you will see when there are no rule sets in place. Looking at this we see 3 'Chains'.
     
141. 
     
142. 
     
143. 
     
144. 
     
145. INPUT - Holds rules for traffic directed at this server.
     
146. FORWARD – Holds rules for traffic that will be forwarding on to an IP behind this server (i.e. If this box serves as a firewall for other servers).
     
147. OUTPUT – Holds rules for traffic that is coming from this server out to the internet.
     
148. 
     
149. 
     
150. Mainly we will be dealing with traffic directed at this server, and will be issuing rules for the INPUT Chain. When traffic passes through the kernel, it determines a “TARGET” based on whether the packet matches a rule or not. General targets are:
     
151. 
     
152. 
     
153. 
     
154. 
     
155. ACCEPT – Traffic is accepted for delivery.
     
156. REJECT – Traffic is rejected, sending a packet back to the sending host.
     
157. DROP - The traffic is dropped. Nothing is sent back to the sending host.
     
158. 
     
159. 
     
160. 
     
161. 
     
162. Configuring Rule Sets
     
163. 
     
164. So, lets get down to it. Its important to note that the order in which rules are appended is very important. For example, if your first rule is to deny everything... then no matter what you specifically allow, it will be denied.
     
165. 
     
166. 
     
167. Also to note is that nothing you do is saved on disk until you execute 'iptables-save' (or use the init script to save). All counters/rulesets are in memory. Once the server reboots, or you execute 'iptables --flush' everything you've worked on is gone. Personally I work out of a bash script file called 'iptables-rules.sh', which allows me to keep everything organized and commented. If I make a mistake, I have no worries if I just want to flush all the rules out, I just go right back to my bash script and start editing again, save it out and execute the script (this however will not run at startup... that will be covered in the next section).
     
168. 
     
169. 
     
170. Its very important that if you are working on this server remotely through ssh, that you make every effort to not lock yourself out. Therefore, our first rule will be to ensure that no matter what, I can still access ssh from my IP address.
     
171. 
     
172. 
     
173. 
     
174. # iptables -A INPUT -s 192.168.1.10 -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT
     
175. 
     
176. 
     
177. 
     
178. Lets break that down:
     
179. 
     
180. -A => Tells iptables to 'append' this rule to the INPUT Chain
     
181. -s => Source Address. This rule only pertains to traffic coming FROM this IP. Substitute with the IP address you are SSHing from.
     
182. -d => Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.
     
183. -p => Protocol. Specifying traffic which is TCP.
     
184. --dport => Destination Port. Specifying traffic which is for TCP Port 22 (SSH)
     
185. -j => Jump. If everything in this rule matches then 'jump' to ACCEPT
     
186. 
     
187. 
     
188. 
     
189. Next, we will want to use some standard rules for general network traffic. This goes a bit beyond the basic stuff, however iptables can determine the 'state' that a packet is in. This has to do with standard TCP communication. For example, the 3 way handshake between two hosts when transmitting data.
     
190. 
     
191. 
     
192. 
     
193. 
     
194. NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.
     
195. RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment) packet.
     
196. ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment) packet.
     
197. 
     
198. 
     
199. After this 3 way handshake is complete, the traffic is now ESTABLISHED. In order for this type of TCP communication, something similar to these three rules are necessary:
     
200. 
     
201. 
     
202. 
     
203. # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     
204. # iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
     
205. # iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
     
206. The last rule obviously allows any traffic the leave the server.
     
207. 
     
208. 
     
209. 
     
210. Now that we have our basics set in place, lets see what iptables lists for our rulesets:
     
211. 
     
212. # iptables --list
     
213. Chain INPUT (policy ACCEPT)
     
214. target prot opt source destination
     
215. 
     
216. ACCEPT tcp -- 192.168.1.10 10.1.15.1 tcp dpt:ssh
     
217. ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
     
218. 
     
219. Chain FORWARD (policy ACCEPT)
     
220. target prot opt source destination
     
221. ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
     
222. 
     
223. Chain OUTPUT (policy ACCEPT)
     
224. target prot opt source destination
     
225. ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
     
226. 
     
227. 
     
228. From here you can add whatever rules you like. If your running a basic webserver, you'll probably need something similar to:
     
229. 
     
230. 
     
231. INIVIDUAL REJECTS FIRST:
     
232. 
     
233. -----------------------------------------------------------------------
     
234. 
     
235. BAD GUYS (Block Source IP Address):
     
236. # iptables -A INPUT -s 172.34.5.8 -j DROP
     
237. 
     
238. NO SPAMMERS (notice the use of FQDN):
     
239. # iptables -A INPUT -s mail.spammer.org -d 10.1.15.1 -p tcp --dport 25 -j REJECT
     
240. 
     
241. -----------------------------------------------------------------------
     
242. 
     
243. 
     
244. THEN OPEN IT UP:-----------------------------------------------------------------------
     
245. 
     
246. MYSQL (Allow Remote Access To Particular IP):
     
247. # iptables -A INPUT -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT
     
248. 
     
249. SSH:
     
250. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT
     
251. 
     
252. Sendmail/Postfix:
     
253. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 25 -j ACCEPT
     
254. 
     
255. FTP: (Notice how you can specify a range of ports 20-21)
     
256. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 20:21 -j ACCEPT
     
257. 
     
258. Passive FTP Ports Maybe: (Again, specifying ports 50000 through 50050 in one rule)
     
259. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 50000:50050 -j ACCEPT
     
260. 
     
261. HTTP/Apache
     
262. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 80 -j ACCEPT
     
263. 
     
264. SSL/Apache
     
265. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 443 -j ACCEPT
     
266. 
     
267. IMAP
     
268. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 143 -j ACCEPT
     
269. 
     
270. IMAPS
     
271. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 993 -j ACCEPT
     
272. 
     
273. POP3
     
274. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 110 -j ACCEPT
     
275. 
     
276. POP3S
     
277. # iptables -A INPUT -d 10.1.15.1 -p tcp --dport 995 -j ACCEPT
     
278. 
     
279. Any Traffic From Localhost:
     
280. # iptables -A INPUT -d 10.1.15.1 -s 127.0.0.1 -j ACCEPT
     
281. 
     
282. ICMP/Ping:
     
283. # iptables -A INPUT -d 10.1.15.1 -p icmp -j ACCEPT-----------------------------------------------------------------------
     
284. 
     
285. 
     
286. 
     
287. GLOBAL REJECTS LAST:
     
288. 
     
289. -----------------------------------------------------------------------
     
290. 
     
291. Reject everything else to that IP:
     
292. 
     
293. # iptables -A INPUT -d 10.1.15.1 -j REJECT
     
294. 
     
295. Or, reject everything else coming through to any IP:
     
296. # iptables -A INPUT -j REJECT
     
297. # iptables -A FORWARD -j REJECT-----------------------------------------------------------------------
     
298. 
     
299. 
     
300. Notice the we do the global REJECT lines last! These must be last.
     
301. 
     
302. 
     
303. 
     
304. 
     
305. Saving Rule Sets
     
306. 
     
307. With the init scripts, saving rule sets is quite easy. Once you are happy with your config, just do one of the following:
     
308. 
     
309. 
     
310. 
     
311. 
     
312. The Debian Way
     
313. The old style init script is no longer in Sarge by default, but it is still around for legacy use. I believe the new way is to use ' /etc/network/if-up.d' and '/etc/network/if-down.d' for iptables scripts (but I don't like that).
     
314. 
     
315. 
     
316. You can grab the legacy INIT script this way:
     
317. 
     
318. # gunzip /usr/share/doc/iptables/examples/oldinitdscript.gz -c > /etc/init.d/iptables
     
319. # chmod +x /etc/init.d/iptables
     
320. # mkdir /var/lib/iptables
     
321. # chmod 700 /var/lib/iptables
     
322. Now that you have the script in place you can do the needful.
     
323. 
     
324. 
     
325. 
     
326. 
     
327. Active Rules
     
328. The Active rules are those loaded when starting iptables:
     
329. 
     
330. # /etc/init.d/iptables save active
     
331. Saving iptables ruleset: save "active" with counters.
     
332. This saves your rules in /var/lib/iptables/active
     
333. 
     
334. 
     
335. 
     
336. 
     
337. Inactive Rules
     
338. You can also configure a second set of rules for when you stop iptables called 'inactive'. Iptables doesn't actually “stop”, it just flushes out the rule sets that are in place and then loads the 'inactive' rules.
     
339. 
     
340. 
     
341. 
     
342. # /etc/init.d/iptables stop
     
343. Loading iptables ruleset: load "inactive"
     
344. 
     
345. Therefore, you can set your 'inactive' rules, and then save them with:
     
346. 
     
347. # /etc/init.d/iptables save inactive
     
348. Saving iptables ruleset: save "inactive" with counters.
     
349. 
     
350. 
     
351. 
     
352. The RedHat Way
     
353. The RedHat INIT script is very similar. You can use it to start and stop iptables, as well as save rule sets.
     
354. 
     
355. 
     
356. To save your active rules execute the following:
     
357. 
     
358. # /etc/init.d/iptables save
     
359. This will save your rules to '/etc/sysconfig/iptables'.
     
360. 
     
361. 
     
362. When you start iptables, the rules are read from '/etc/sysconfig/iptables':
     
363. 
     
364. # /etc/init.d/iptables start
     
365. Starting iptables [OK]
     
366. 
     
367. And when you stop iptables, all rules are flushed:
     
368. 
     
369. # /etc/init.d/iptables stop
     
370. Stopping iptables [OK]
     
371. 
     
372. 
     
373. 
     
374. 
     
375. Manual Save and Restore
     
376. You can also manually use the iptables-save and iptables-restore utilities like so:
     
377. 
     
378. 
     
379. 
     
380. 
     
381. Save the rules to a files
     
382. # iptables-save > /root/iptables-save.out
     
383. 
     
384. 
     
385. 
     
386. Restore the rules
     
387. # iptables-restore -c /root/iptables-save.out
     
388. The -c tells iptables-restore that this is file was created using iptables-save, which outputs the rules as “counters”.
     
389. 
     
390. 
     
391. 
     
392. 
     
393. 
     
394. Conclusion
     
395. And there you go, iptables at its very basic. The uses of iptables are too numerous to even start truly doing a howto on them. However, for basic security and understanding of IPTables, I hope this might have helped you. If there is anything I could add, please feel free to email me.
     
396. 
     
397. 
     

复制代码