ChangeLog

# 2018.6.8
Added the IPv6 section



1. Basic commands

View the current configuration

Default filter table:

iptables -nvL --line-numbers

NAT table:

iptables -t nat -nvL --line-numbers

The difference between -A and -I

Append a rule at the end of a chain:

iptables -A INPUT -s 192.168.1.5 -j DROP

Insert a rule at position 3; the position number is written directly after the chain name:

iptables -I INPUT 3 -s 192.168.1.3 -j DROP

Delete a rule with -D, giving the chain and the rule's position number:

iptables -D INPUT 14

Flush all existing iptables rules (reset the default policies to ACCEPT first, then flush every table and delete the user-defined chains):

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X


ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

2. Common configuration (INPUT direction)

No restrictions on loopback traffic:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

Filtering by connection state

The conntrack module classifies packets by the state of the connection they belong to. There are four states:
- NEW: a packet that opens a new connection
- ESTABLISHED: a packet belonging to an already established connection
- RELATED: a packet related to an existing connection (for example an ICMP error or an FTP data connection)
- INVALID: a packet that cannot be associated with any known connection

First, allow traffic belonging to established connections to pass:

iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


ip6tables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Drop packets in the INVALID state:


iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

ip6tables -A INPUT   -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP

From here on, rules only need to be written for connections in the NEW state.

Allow ping:

iptables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT

Allow SSH:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

To defend against brute-force attacks and port scans, fail2ban is usually installed:

apt install fail2ban

fail2ban supports IPv6 only from version 0.10 onward; check the installed version with --version:

fail2ban-client --version

Cloudflare traffic

Create a new CLOUDFLARE chain:

iptables -N CLOUDFLARE
ip6tables -N CLOUDFLARE

Send inbound traffic to ports 80/443 (http/https) through the CLOUDFLARE chain:

iptables -A INPUT -p tcp -m multiport --dports http,https -j CLOUDFLARE
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j CLOUDFLARE

Allow traffic from Cloudflare according to the list at https://www.cloudflare.com/ips/:

iptables -A CLOUDFLARE -s 103.21.244.0/22  -j ACCEPT
iptables -A CLOUDFLARE -s 103.22.200.0/22  -j ACCEPT
iptables -A CLOUDFLARE -s 103.31.4.0/22    -j ACCEPT
iptables -A CLOUDFLARE -s 104.16.0.0/12    -j ACCEPT
iptables -A CLOUDFLARE -s 108.162.192.0/18 -j ACCEPT
iptables -A CLOUDFLARE -s 131.0.72.0/22    -j ACCEPT
iptables -A CLOUDFLARE -s 141.101.64.0/18  -j ACCEPT
iptables -A CLOUDFLARE -s 162.158.0.0/15   -j ACCEPT
iptables -A CLOUDFLARE -s 172.64.0.0/13    -j ACCEPT
iptables -A CLOUDFLARE -s 173.245.48.0/20  -j ACCEPT
iptables -A CLOUDFLARE -s 188.114.96.0/20  -j ACCEPT
iptables -A CLOUDFLARE -s 190.93.240.0/20  -j ACCEPT
iptables -A CLOUDFLARE -s 197.234.240.0/22 -j ACCEPT
iptables -A CLOUDFLARE -s 198.41.128.0/17  -j ACCEPT


ip6tables -A CLOUDFLARE -s 2400:cb00::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2405:8100::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2405:b500::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2606:4700::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2803:f800::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2c0f:f248::/32 -j ACCEPT
ip6tables -A CLOUDFLARE -s 2a06:98c0::/29 -j ACCEPT
Alternatively, use an ipset instead of one rule per range (the set is recreated from scratch, so the flush/destroy lines fail harmlessly the first time):

ipset flush CLOUDFLAREv4
ipset destroy CLOUDFLAREv4
ipset create CLOUDFLAREv4 hash:net

ipset add CLOUDFLAREv4 103.21.244.0/22
ipset add CLOUDFLAREv4 103.22.200.0/22
ipset add CLOUDFLAREv4 103.31.4.0/22
ipset add CLOUDFLAREv4 104.16.0.0/12
ipset add CLOUDFLAREv4 108.162.192.0/18
ipset add CLOUDFLAREv4 131.0.72.0/22
ipset add CLOUDFLAREv4 141.101.64.0/18
ipset add CLOUDFLAREv4 162.158.0.0/15
ipset add CLOUDFLAREv4 172.64.0.0/13
ipset add CLOUDFLAREv4 173.245.48.0/20
ipset add CLOUDFLAREv4 188.114.96.0/20
ipset add CLOUDFLAREv4 190.93.240.0/20
ipset add CLOUDFLAREv4 197.234.240.0/22
ipset add CLOUDFLAREv4 198.41.128.0/17

Then match the set in one INPUT rule. Note that this rule must be placed before the jump into the CLOUDFLARE chain, otherwise the chain's final DROP is reached first:

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set CLOUDFLAREv4 src -j ACCEPT

Drop HTTP and HTTPS traffic from any other source:

iptables -A CLOUDFLARE -j DROP
ip6tables -A CLOUDFLARE -j DROP

Default policy

Drop everything by default (important); this is the equivalent of the trailing deny tcp any any on a Cisco router:

iptables -P INPUT DROP
ip6tables -P INPUT DROP

Accept everything by default (the initial setting; insecure):

iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT

Saving iptables rules permanently

Debian/Ubuntu

Install iptables-persistent:

apt install iptables-persistent

Save IPv4:

iptables-save > /etc/iptables/rules.v4

Save IPv6:

ip6tables-save > /etc/iptables/rules.v6

Restore IPv4 (from the file written by iptables-save above):

iptables-restore < /etc/iptables/rules.v4
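As an added example that is not part of the original note, the whole INPUT policy above written in the iptables-restore text format (the format of rules.v4 and rules.v6), so the ruleset is loaded atomically rather than rule by rule. It matches Cloudflare with ipsets named CLOUDFLAREv4/CLOUDFLAREv6 (the names from the ipset section); gen_ruleset and gen_ipset are names chosen here, and the ranges passed to gen_ipset are taken from the list above.

```shell
#!/bin/sh
# Emit the INPUT policy from the note above as an iptables-restore ruleset.
# Nothing is applied here: pipe the output into iptables-restore (family 4)
# or ip6tables-restore (family 6). Assumes the CLOUDFLAREv4/v6 ipsets exist.

# gen_ruleset FAMILY   (FAMILY is 4 or 6)
gen_ruleset() {
    if [ "$1" = 6 ]; then
        icmp=icmpv6; cfset=CLOUDFLAREv6
    else
        icmp=icmp; cfset=CLOUDFLAREv4
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CLOUDFLARE - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE
-A CLOUDFLARE -m set --match-set $cfset src -j ACCEPT
-A CLOUDFLARE -j DROP
COMMIT
EOF
}

# gen_ipset FAMILY CIDR...   -> input for "ipset -exist restore"
gen_ipset() {
    if [ "$1" = 6 ]; then
        name=CLOUDFLAREv6; family=inet6
    else
        name=CLOUDFLAREv4; family=inet
    fi
    shift
    echo "create $name hash:net family $family"
    for net in "$@"; do echo "add $name $net"; done
}

# Usage (constructed, with two ranges from the list above):
# gen_ipset 4 104.16.0.0/12 172.64.0.0/13 | ipset -exist restore && gen_ruleset 4 | iptables-restore
```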

CentOS/RHEL

Save:

service iptables save