iptables基础配置
ChangeLog
# 2018.6.8
增加IPv6部分
1. 基础命令
查看现有配置
默认filter表
iptables -nvL --line-numbers 看nat表
iptables -t nat -nvL --line-numbers -A和-I的区别
添加一条规则到尾部:
iptables -A INPUT -s 192.168.1.5 -j DROP插入一条规则到第三行,将行数直接写到规则链的后面:
iptables -I INPUT 3 -s 192.168.1.3 -j DROP删除用-D参数
iptables -D INPUT 14清空已有的iptables
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X2. 常用配置 (INPUT方向)
对loopback访问不限制
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT对连接状态的控制
conntrack模组基于连接状态判断数据包,连接状态分为4种,分别是:
- NEW:新连接数据包
- ESTABLISHED:已连接数据包
- RELATED:和出有送的数据包
- INVALID:无效数据包
首要,要允许已建立连接的数据同行。
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
禁止无效的连接
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP接下来,就只针对NEW状态的连接创建规则了。
允许 ping
iptables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT允许ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT避免暴力破解和端口扫描,一般需要安装fail2ban。
apt install fail2banfail2ban的版本需要大于0.10才支持ipv6,使用--version查看
fail2ban-client --versionCloudflare的流量
新建CLOUDFLARE链表
iptables -N CLOUDFLARE
ip6tables -N CLOUDFLARE将来自80/443端口的流量,应用到CLOUDFLARE链表。
iptables -A INPUT -p tcp -m multiport --dports http,https -j CLOUDFLARE
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j CLOUDFLARE根据https://www.cloudflare.com/ips/的列表,允许来自Cloudflare的流量。
iptables -A CLOUDFLARE -s 103.21.244.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 103.22.200.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 103.31.4.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 104.16.0.0/12 -j ACCEPT
iptables -A CLOUDFLARE -s 108.162.192.0/18 -j ACCEPT
iptables -A CLOUDFLARE -s 131.0.72.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 141.101.64.0/18 -j ACCEPT
iptables -A CLOUDFLARE -s 162.158.0.0/15 -j ACCEPT
iptables -A CLOUDFLARE -s 172.64.0.0/13 -j ACCEPT
iptables -A CLOUDFLARE -s 173.245.48.0/20 -j ACCEPT
iptables -A CLOUDFLARE -s 188.114.96.0/20 -j ACCEPT
iptables -A CLOUDFLARE -s 190.93.240.0/20 -j ACCEPT
iptables -A CLOUDFLARE -s 197.234.240.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 198.41.128.0/17 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2400:cb00::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2405:8100::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2405:b500::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2606:4700::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2803:f800::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2c0f:f248::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2a06:98c0::/29 -j ACCEPT# use ipset
ipset flush CLOUDFLAREv4
ipset destroy CLOUDFLAREv4
ipset create CLOUDFLAREv4 hash:net
ipset add CLOUDFLAREv4
ipset add CLOUDFLAREv4 103.21.244.0/22
ipset add CLOUDFLAREv4 103.22.200.0/22
ipset add CLOUDFLAREv4 103.31.4.0/22
ipset add CLOUDFLAREv4 104.16.0.0/12
ipset add CLOUDFLAREv4 108.162.192.0/18
ipset add CLOUDFLAREv4 131.0.72.0/22
ipset add CLOUDFLAREv4 141.101.64.0/18
ipset add CLOUDFLAREv4 162.158.0.0/15
ipset add CLOUDFLAREv4 172.64.0.0/13
ipset add CLOUDFLAREv4 173.245.48.0/20
ipset add CLOUDFLAREv4 188.114.96.0/20
ipset add CLOUDFLAREv4 190.93.240.0/20
ipset add CLOUDFLAREv4 197.234.240.0/22
ipset add CLOUDFLAREv4 198.41.128.0/17
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set CLOUDFLAREv4 src -j ACCEPT
禁止其他来源的http和https流量。
iptables -A CLOUDFLARE -j DROP
ip6tables -A CLOUDFLARE -j DROP默认策略
全局禁止(重要),相当于cisco路由器最后配置的deny tcp any any
iptables -P INPUT DROP
ip6tables -P INPUT DROP全局允许(默认,不安全)
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT永久保存iptables
debian/ubuntu
安装iptables-persistent
apt install iptables-persistent保存ipv4:
iptables-save > /etc/iptables/rules.v4保存ipv6:
ip6tables-save > /etc/iptables/rules.v6恢复ipv4:
iptables-restore < /etc/sysconfig/iptablescentos/rhel
保存
service iptables save