iptables basic configuration
ChangeLog
# 2018.6.8
Added the IPv6 section
1. Basic commands
View the existing configuration
The default filter table (-n skips reverse DNS lookups, -v shows counters and interfaces):
iptables -nvL --line-numbers
The nat table:
iptables -t nat -nvL --line-numbers
The difference between -A and -I
Append a rule at the end of the chain:
iptables -A INPUT -s 192.168.1.5 -j DROP
Insert a rule at position 3; the position is written right after the chain name:
iptables -I INPUT 3 -s 192.168.1.3 -j DROP
Delete with -D, giving the rule number shown by --line-numbers (numbers shift after every deletion, so list again before deleting the next one):
iptables -D INPUT 14
Reset the existing rules: open the default policies first, then flush every table and delete user-defined chains (the same sequence follows for ip6tables)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
2. Common configuration (INPUT direction)
Allow loopback traffic without restriction
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
Controlling connection state
The conntrack module classifies packets by connection state; there are four states:
- NEW: a packet that opens a new connection
- ESTABLISHED: a packet belonging to a connection that has already seen traffic in both directions
- RELATED: a packet that opens a new connection associated with an existing one (FTP data channels, ICMP error messages)
- INVALID: a packet that cannot be associated with any known connection
First, allow packets of established connections through.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
From this point on, rules only need to be written for connections in the NEW state.
Allow ping (for IPv6 this rule matters beyond ping: Neighbor Discovery and Path MTU Discovery run over ICMPv6, so do not drop it wholesale)
iptables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
To limit brute-force attempts and port scans, fail2ban is usually installed.
apt install fail2ban
fail2ban supports IPv6 only from version 0.10 onward; check the installed version with --version
fail2ban-client --version
Cloudflare traffic
Create a CLOUDFLARE chain
iptables -N CLOUDFLARE
ip6tables -N CLOUDFLARE
Send TCP traffic destined for ports 80/443 (http, https) to the CLOUDFLARE chain.
iptables -A INPUT -p tcp -m multiport --dports http,https -j CLOUDFLARE
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j CLOUDFLARE
Allow traffic from the ranges published at https://www.cloudflare.com/ips/ (the list below is a snapshot as of this page's date and changes over time, so re-check it before deploying).
iptables -A CLOUDFLARE -s 103.21.244.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 103.22.200.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 103.31.4.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 104.16.0.0/12 -j ACCEPT
iptables -A CLOUDFLARE -s 108.162.192.0/18 -j ACCEPT
iptables -A CLOUDFLARE -s 131.0.72.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 141.101.64.0/18 -j ACCEPT
iptables -A CLOUDFLARE -s 162.158.0.0/15 -j ACCEPT
iptables -A CLOUDFLARE -s 172.64.0.0/13 -j ACCEPT
iptables -A CLOUDFLARE -s 173.245.48.0/20 -j ACCEPT
iptables -A CLOUDFLARE -s 188.114.96.0/20 -j ACCEPT
iptables -A CLOUDFLARE -s 190.93.240.0/20 -j ACCEPT
iptables -A CLOUDFLARE -s 197.234.240.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 198.41.128.0/17 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2400:cb00::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2405:8100::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2405:b500::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2606:4700::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2803:f800::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2c0f:f248::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2a06:98c0::/29 -j ACCEPT
# use ipset (an alternative to one rule per CIDR; flush/destroy print an error if the set does not exist yet, which is harmless, but destroy fails while a rule still references the set)
ipset flush CLOUDFLAREv4
ipset destroy CLOUDFLAREv4
ipset create CLOUDFLAREv4 hash:net
ipset add CLOUDFLAREv4 103.21.244.0/22
ipset add CLOUDFLAREv4 103.22.200.0/22
ipset add CLOUDFLAREv4 103.31.4.0/22
ipset add CLOUDFLAREv4 104.16.0.0/12
ipset add CLOUDFLAREv4 108.162.192.0/18
ipset add CLOUDFLAREv4 131.0.72.0/22
ipset add CLOUDFLAREv4 141.101.64.0/18
ipset add CLOUDFLAREv4 162.158.0.0/15
ipset add CLOUDFLAREv4 172.64.0.0/13
ipset add CLOUDFLAREv4 173.245.48.0/20
ipset add CLOUDFLAREv4 188.114.96.0/20
ipset add CLOUDFLAREv4 190.93.240.0/20
ipset add CLOUDFLAREv4 197.234.240.0/22
ipset add CLOUDFLAREv4 198.41.128.0/17
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set CLOUDFLAREv4 src -j ACCEPT
Drop http and https traffic from any other source.
iptables -A CLOUDFLARE -j DROP
ip6tables -A CLOUDFLARE -j DROP
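Both the per-CIDR rules and the ipset variant above hard-code the list into a sequence of typed commands, and the ipset variant has no IPv6 counterpart. The script below is an added example written for this page (not the page's own code): it renders the same ranges into `ipset restore` syntax for a v4 set and a v6 set, validates each entry, and rebuilds each set through a temporary set plus swap so the INPUT rule that references the set never sees it empty. The CIDR lists are a constructed snapshot copied from the page; the set names CLOUDFLAREv4 and CLOUDFLAREv6 are an assumption.

```bash
#!/bin/sh
# Added example, not from the original page: generate `ipset restore` input
# for Cloudflare's IPv4 and IPv6 ranges and reload both sets atomically.
# The lists are a constructed snapshot copied from the page; the live lists
# at https://www.cloudflare.com/ips/ change, so regenerate from there.

CF_V4='103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17'

CF_V6='2400:cb00::/32
2405:8100::/32
2405:b500::/32
2606:4700::/32
2803:f800::/32
2c0f:f248::/32
2a06:98c0::/29'

# render_ipset NAME FAMILY LIST
#   NAME   set name (assumed: CLOUDFLAREv4 / CLOUDFLAREv6)
#   FAMILY inet or inet6
#   LIST   newline-separated CIDRs
# Fills NAME_tmp and then swaps it with NAME, so a rule doing
# `-m set --match-set NAME src` matches the old contents until the swap and
# the new contents after it; there is no window with an empty set.
# Rejects any entry that does not end in /<prefix-length> and returns 1.
render_ipset() {
    name=$1 family=$2 list=$3
    printf 'create %s hash:net family %s\n' "$name" "$family"
    printf 'create %s_tmp hash:net family %s\n' "$name" "$family"
    printf 'flush %s_tmp\n' "$name"
    old_ifs=$IFS
    IFS='
'
    for cidr in $list; do
        case "$cidr" in
            */[0-9]|*/[0-9][0-9]|*/[0-9][0-9][0-9]) ;;
            *) IFS=$old_ifs; echo "render_ipset: not a CIDR: $cidr" >&2; return 1 ;;
        esac
        printf 'add %s_tmp %s\n' "$name" "$cidr"
    done
    IFS=$old_ifs
    printf 'swap %s_tmp %s\n' "$name" "$name"
    printf 'destroy %s_tmp\n' "$name"
}

# Both families in one restore file. Load with `ipset -exist restore` so the
# `create` lines do not fail on a second run:
#   render_all | ipset -exist restore
render_all() {
    render_ipset CLOUDFLAREv4 inet  "$CF_V4" &&
    render_ipset CLOUDFLAREv6 inet6 "$CF_V6"
}
```

The matching ip6tables rule is the same shape as the IPv4 one on the page, with the v6 set name: `ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set CLOUDFLAREv6 src -j ACCEPT`. The rule must be added after the set exists, and the sets must be reloaded on boot before the rules are restored, otherwise iptables-restore fails on the `--match-set` line.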
Default policy
Deny everything by default (important); this is the equivalent of the final deny any any at the end of a Cisco ACL. Set it only after the loopback, ESTABLISHED and ssh rules above are in place, otherwise the session you are working from is cut off.
iptables -P INPUT DROP
ip6tables -P INPUT DROP
Allow everything (the default, insecure)
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
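Typing the section-2 rules one at a time means the host briefly runs a half-built ruleset, and a mistake in the order (the DROP policy before the ESTABLISHED or ssh rule) cuts off the session doing the work. The script below is an added example for this page, not the page's or any project's code: it renders the whole section-2 policy for one address family in iptables-restore format, in the order the page prescribes, parses it with --test, loads it atomically, and rolls back automatically unless the operator confirms within a timeout. It assumes ssh on port 22, ipsets named CLOUDFLAREv4 and CLOUDFLAREv6 already loaded, and the Debian paths under /etc/iptables.

```bash
#!/bin/sh
# Added example, not from the original page: the complete section-2 policy
# for IPv4 or IPv6 as an iptables-restore file, loaded atomically with a
# timed rollback so a wrong ruleset cannot lock the operator out.
# Assumptions (not from the page): ssh on $SSH_PORT, ipsets CLOUDFLAREv4 /
# CLOUDFLAREv6 already exist, persistent files live under /etc/iptables.

SSH_PORT=${SSH_PORT:-22}
TIMEOUT=${TIMEOUT:-60}

# render_ruleset 4|6 : print the filter table for one family. The header
# lines set the chain policies; because iptables-restore commits the whole
# table at COMMIT, the DROP policy on INPUT takes effect together with the
# rules, never before them.
render_ruleset() {
    if [ "$1" = 6 ]; then icmp=icmpv6 cfset=CLOUDFLAREv6
    else icmp=icmp cfset=CLOUDFLAREv4; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CLOUDFLARE - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $icmp -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE
-A CLOUDFLARE -m set --match-set $cfset src -j ACCEPT
-A CLOUDFLARE -j DROP
COMMIT
EOF
}

# apply_ruleset: save the live rules, test-parse and load the rendered ones
# for both families, then start a background timer that restores the saved
# rules unless confirm_ruleset ran first. Same idea as iptables-apply(8).
apply_ruleset() {
    rm -f /run/iptables.confirmed
    iptables-save  > /run/iptables.bak  || return 1
    ip6tables-save > /run/ip6tables.bak || return 1
    render_ruleset 4 | iptables-restore  --test || return 1
    render_ruleset 6 | ip6tables-restore --test || return 1
    render_ruleset 4 | iptables-restore  || return 1
    render_ruleset 6 | ip6tables-restore || return 1
    (
        sleep "$TIMEOUT"
        [ -e /run/iptables.confirmed ] && exit 0
        iptables-restore  < /run/iptables.bak
        ip6tables-restore < /run/ip6tables.bak
    ) &
    echo "loaded; run confirm_ruleset within ${TIMEOUT}s or the old rules return"
}

# confirm_ruleset: cancel the rollback and persist for iptables-persistent.
confirm_ruleset() {
    : > /run/iptables.confirmed
    iptables-save  > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
}
```

Only the filter table is written, so nat and mangle are left untouched. Because the file references the ipsets by name, they must exist when the file is loaded, both now and on boot.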
Persisting iptables rules
debian/ubuntu
Install iptables-persistent (at boot it loads rules.v4 and rules.v6 from /etc/iptables)
apt install iptables-persistent
Save IPv4:
iptables-save > /etc/iptables/rules.v4
Save IPv6:
ip6tables-save > /etc/iptables/rules.v6
Restore IPv4 (from the file saved above; /etc/sysconfig/iptables is the CentOS path, not Debian's):
iptables-restore < /etc/iptables/rules.v4
centos/rhel
Save (requires the iptables-services package; on CentOS/RHEL 7 and later, where firewalld is the default, stop and disable firewalld first):
service iptables save