For a full treatment, see: 朱双印个人日志 - iptables详解 (Zhu Shuangyin's personal blog, iptables explained in detail)
1. Basic concepts: four tables, five chains
Four tables (in order of rule priority): raw -> mangle -> nat -> filter
Five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Image from: https://www.zsythink.net/archives/1199
2. Rule management
1) Listing rules
iptables -L [chain] [-t table]
-vL shows verbose information (when combined, v must come before L; written separately as -L -v the order does not matter)
Omitting -t lists the filter table by default
-n shows source and destination as numeric IP addresses instead of resolved names

# Show a summary of the nat table rules
yunweixiaocai:~ # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

# Show verbose information for the INPUT chain of the filter table (-t filter can be omitted)
yunweixiaocai:~ # iptables -L INPUT -t filter -v
Chain INPUT (policy ACCEPT 214M packets, 322G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:49537
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:49537
   13   429 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:60129
2) Adding rules
iptables -t table -I/-A chain [number] -s IP -j target
-I inserts at the front of the chain, -A appends at the end; with -I a number can specify the insertion position, and --line-numbers (abbreviable to --line) shows each rule's number
Targets (the argument to -j) include:
ACCEPT: let the packet through.
DROP: discard the packet silently, sending no response to the sender.
REJECT: refuse the packet and, where appropriate, send the sender a response.
SNAT: source address translation.
MASQUERADE: a special form of SNAT, for interfaces whose IP address is dynamic and may change.
DNAT: destination address translation.
REDIRECT: port mapping on the local machine.
LOG: write a log entry to /var/log/messages, then hand the packet to the next rule; that is, apart from logging it does nothing to the packet, which continues to be matched against the following rules.
3) Deleting rules
Flush the rules of a given chain in a given table: iptables -F [chain] [-t table]
Flush all chains of a table: iptables -F [-t table]
Delete one rule by number: iptables -t table -D chain number
Delete one rule by specification: iptables -t table -D chain -s IP -j target
yunweixiaocai:~ # iptables -D INPUT 2 -t filter
yunweixiaocai:~ # iptables -D INPUT -s 10.247.83.92 -j DROP
4) Modifying rules
Replace a rule: iptables -t table -R chain number -s IP -j target
Change the default policy: iptables -t table -P chain policy
yunweixiaocai:~ # iptables -R INPUT 1 -s 10.247.83.92 -j ACCEPT
yunweixiaocai:~ # iptables -t filter -P INPUT ACCEPT
5) Other match conditions

# 1. -s source IP; several addresses separated by commas (generates one rule per address)
yunweixiaocai:~ # iptables -t filter -I INPUT -s 10.247.83.93,10.247.83.94 -j ACCEPT
yunweixiaocai:~ # iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.247.83.94         anywhere
ACCEPT     all  --  10.247.83.93         anywhere
# A network prefix can be given
yunweixiaocai:~ # iptables -t filter -I INPUT -s 10.247.83.0/24 -j ACCEPT
yunweixiaocai:~ # iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.247.83.0/24       anywhere
# ! negates the match
yunweixiaocai:~ # iptables -t filter -I INPUT ! -s 10.247.83.0/24 -j ACCEPT
yunweixiaocai:~ # iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  -- !10.247.83.0/24       anywhere
# 2. -d destination IP, same usage as -s
yunweixiaocai:~ # iptables -I INPUT ! -d 10.247.83.0/24 -j ACCEPT
yunweixiaocai:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere            !10.247.83.0/24
# 3. -p protocol (tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh)
yunweixiaocai:~ # iptables -I INPUT -p tcp -j ACCEPT
yunweixiaocai:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
# 4. -i input network interface
yunweixiaocai:~ # iptables -I INPUT -i eth0 -j ACCEPT
yunweixiaocai:~ # iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   53  4403 ACCEPT     all  --  eth0   any     anywhere             anywhere

# 1. -m <module> --dport/--sport: destination/source port; -m can be omitted when the module name is the same as the -p protocol
yunweixiaocai:~ # iptables -I INPUT -p tcp -m tcp --dport 33 -j ACCEPT
yunweixiaocai:~ # iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:33
# Several ports: -m multiport
yunweixiaocai:~ # iptables -I INPUT -p tcp -m multiport --dport 33,44 -j ACCEPT
yunweixiaocai:~ # iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 33,44
# A port range can be given
yunweixiaocai:~ # iptables -I INPUT -p tcp --dport 33:44 -j ACCEPT
yunweixiaocai:~ # iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:33:44
# 2. -m iprange --src-range/--dst-range: a contiguous range of IP addresses
yunweixiaocai:~ # iptables -I INPUT -m iprange --src-range 10.247.83.9-10.247.83.93 -j ACCEPT
yunweixiaocai:~ # iptables -vnL INPUT
Chain INPUT (policy ACCEPT 112 packets, 8290 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 10.247.83.9-10.247.83.93
# 3. -m string --algo bm/kmp --string "xxxx": match a string in the packet payload
yunweixiaocai:~ # iptables -I INPUT -m string --algo bm --string "aaa" -j ACCEPT
yunweixiaocai:~ # iptables -vnL
Chain INPUT (policy ACCEPT 69 packets, 3912 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "aaa" ALGO name bm TO 65535
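The `iptables -vnL` listing format shown throughout section 2 is what a defender reads when auditing a host, and rule numbers from it feed `-D`/`-R`. The following is an added example (not code from the original post): a parser for that format plus two review checks. The listing it parses is a constructed sample in the same layout as the post's output, and the audit criteria (an ACCEPT rule with no restriction at all, rules whose counter is still zero) are this example's own choices, not something iptables provides.

```python
"""Parse `iptables -vnL` output and flag rules worth a second look.

Added example; not code from the original post. SAMPLE_LISTING is a
constructed listing in the -vnL layout; the audit criteria are assumptions
made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: filter table with a user-defined chain referenced from INPUT.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 112 packets, 8290 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   384 my_chain01  all  --  *      *       0.0.0.0/0            192.168.44.75
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:33
   53  4403 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 90 packets, 7000 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my_chain01 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       192.168.44.1         0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Built-in chains report a policy; user-defined chains report a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)")


@dataclass
class Rule:
    pkts: int
    byte_count: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # match text after the destination column, e.g. "tcp dpt:33"


@dataclass
class Chain:
    name: str
    policy: Optional[str]
    references: Optional[int]
    rules: List[Rule] = field(default_factory=list)


def parse_count(text: str) -> int:
    """-vL abbreviates large counters with K/M/G (decimal); -x prints them exact."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Turn -vnL output into chains in listing order (rule index + 1 = rule number)."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes"):
            continue  # blank separator or column header
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, None if refs is None else int(refs))
            chains[name] = current
            continue
        parts = line.split(None, 9)  # the 10th field keeps its internal spaces
        if current is None or len(parts) < 9:
            raise ValueError(f"expected -vnL format, got: {raw!r}")
        extra = parts[9].strip() if len(parts) == 10 else ""
        current.rules.append(Rule(parse_count(parts[0]), parse_count(parts[1]), *parts[2:9], extra))
    return chains


Location = Tuple[str, int]  # (chain name, 1-based rule number as used by -D / -R)


def wide_open_accepts(chains: Dict[str, Chain]) -> List[Location]:
    """ACCEPT rules matching every packet: any protocol, interface and address,
    with no extra match. Every rule after one of these in its chain is dead."""
    found = []
    for chain in chains.values():
        for num, r in enumerate(chain.rules, start=1):
            if (r.target == "ACCEPT" and r.prot == "all" and r.in_if == "*" and r.out_if == "*"
                    and r.source == "0.0.0.0/0" and r.dest == "0.0.0.0/0" and not r.extra):
                found.append((chain.name, num))
    return found


def zero_hit_rules(chains: Dict[str, Chain]) -> List[Location]:
    """Rules whose packet counter is zero: candidates for review, not proof of
    being unused (counters reset on reload and on `iptables -Z`)."""
    return [(c.name, n) for c in chains.values()
            for n, r in enumerate(c.rules, start=1) if r.pkts == 0]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("accept-everything rules:", wide_open_accepts(parsed))
    print("zero-hit rules:", zero_hit_rules(parsed))
```

The parser expects the `-vnL` layout only (with `-n`, so no name resolution; with `-v`, so the counter columns are present) and raises on anything else rather than guessing. Feed it `subprocess.run(["iptables", "-vnL"], capture_output=True, text=True).stdout` on a real host; the chain name and rule number it reports are exactly what `iptables -D` or `-R` take.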
3. User-defined chains
iptables -t tableName -N newChainName

# Create a user-defined chain
[root@centos75 ~]# iptables -N my_chain01
# Add a rule to the user-defined chain
[root@centos75 ~]# iptables -I my_chain01 -s 192.168.44.1 -j REJECT
# List it
[root@centos75 ~]# iptables -nvL my_chain01
Chain my_chain01 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       192.168.44.1         0.0.0.0/0            reject-with icmp-port-unreachable
# Reference it from a built-in chain
[root@centos75 ~]# iptables -I INPUT -d 192.168.44.75 -j my_chain01
# List the built-in chain
[root@centos75 ~]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 6 packets, 384 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   384 my_chain01  all  --  *      *       0.0.0.0/0            192.168.44.75
# Rename the user-defined chain (listing shown after the rename)
[root@centos75 ~]# iptables -nvL MY_CHAIN01
Chain MY_CHAIN01 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       192.168.44.2         0.0.0.0/0            reject-with icmp-port-unreachable
[root@centos75 ~]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 55 packets, 3496 bytes)
 pkts bytes target     prot opt in     out     source               destination
  136  8704 MY_CHAIN01  all  --  *      *       0.0.0.0/0            192.168.44.75
  210 13680 MY_CHAIN01  all  --  *      *       0.0.0.0/0            0.0.0.0/0
# Delete the user-defined chain
[root@centos75 ~]# iptables -X MY_CHAIN01
iptables: Too many links.
# A chain that is still referenced cannot be deleted
[root@centos75 ~]# iptables -F INPUT 1
# Remove the references to the user-defined chain
[root@centos75 ~]# iptables -F MY_CHAIN01
# Flush the user-defined chain's own rules
[root@centos75 ~]# iptables -X MY_CHAIN01
# Delete the user-defined chain
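The "Too many links" failure above is the usual stumbling block with user-defined chains: every rule that jumps to the chain has to go, then the chain must be flushed, and only then does `-X` succeed. The following is an added example (not code from the original post) that plans that sequence from the output of `iptables -S` (`--list-rules`, which prints each rule in the same syntax used to add it and is easier to parse than the `-L` table). The sample input is constructed to mirror the session above, with my_chain01 referenced twice from INPUT; the `iptables -S` format and the `-D`/`-F`/`-X` ordering are real iptables behaviour, everything else is this example's own design.

```python
"""Plan the safe removal of a user-defined chain from `iptables -S` output.

Added example, not code from the original post. SAMPLE_RULES is a constructed
listing in -S format (one rule per line); the plan it produces is: delete each
rule that jumps to the chain, flush the chain, then delete it with -X.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: what `iptables -S` prints for the session in section 3.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N my_chain01
-A INPUT -d 192.168.44.75/32 -j my_chain01
-A INPUT -j my_chain01
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A my_chain01 -s 192.168.44.1/32 -j REJECT --reject-with icmp-port-unreachable
"""

BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

RuleList = List[Tuple[str, List[str]]]  # (chain the rule lives in, rule spec tokens)


def parse_rules(text: str) -> Tuple[List[str], RuleList]:
    """Return (user-defined chain names, rules) in listing order; the position of
    a rule within its chain is its 1-based rule number."""
    user_chains: List[str] = []
    rules: RuleList = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] == "-P":
            continue  # policy lines carry no rule
        if tokens[0] == "-N":
            user_chains.append(tokens[1])
        elif tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
        else:
            raise ValueError(f"unexpected line in -S output: {line!r}")
    return user_chains, rules


def references(rules: RuleList, chain: str) -> List[Tuple[str, int, List[str]]]:
    """Rules whose -j (jump) or -g (goto) target is `chain`, as
    (chain they live in, rule number, spec). Their count is the figure
    `-L` shows as 'N references'."""
    found = []
    counters: Dict[str, int] = {}
    for where, spec in rules:
        counters[where] = counters.get(where, 0) + 1
        for flag in ("-j", "-g"):
            if flag in spec and spec[spec.index(flag) + 1] == chain:
                found.append((where, counters[where], spec))
    return found


def removal_plan(text: str, chain: str, table: str = "filter") -> List[str]:
    """Commands, in order, that remove `chain` from `table` without hitting
    'Too many links'. Built-in chains and undeclared chains are refused."""
    user_chains, rules = parse_rules(text)
    if chain in BUILTIN:
        raise ValueError(f"{chain} is a built-in chain and cannot be deleted")
    if chain not in user_chains:
        raise ValueError(f"{chain} is not defined in this table")
    prefix = "iptables" if table == "filter" else f"iptables -t {table}"
    plan = []
    # Delete referencing rules by their full spec rather than by number:
    # rule numbers shift after every deletion, specs do not.
    for where, _num, spec in references(rules, chain):
        plan.append(f"{prefix} -D {where} {shlex.join(spec)}")
    plan.append(f"{prefix} -F {chain}")  # the chain must be empty ...
    plan.append(f"{prefix} -X {chain}")  # ... and unreferenced before -X succeeds
    return plan


if __name__ == "__main__":
    for cmd in removal_plan(SAMPLE_RULES, "my_chain01"):
        print(cmd)
```

Deleting by specification rather than by number matters when a chain is referenced more than once, as MY_CHAIN01 is above: after the first `-D INPUT 1`, what was rule 2 becomes rule 1, and a second numeric deletion removes the wrong rule unless the numbers are recomputed. Run the planner against `iptables -S -t <table>` on the host and review the printed commands before executing them.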