iptables常用命令及配置样例

iptables -L -n
iptablse -t nat -L -n

 

 

IPFW 或 Netfilter 的封包流向，local process 不会经过 FORWARD Chain，
因此 lo 只在 INPUT 及 OUTPUT 二个 chain 作用。

 

样例1：

 

#!/bin/sh
#
# 静态安全防火墙脚本
#
# created by yejr,2007-03-20
#
#

#定义信任IP列表
#内部ip子网
MY_IP_LIST_1=192.168.8.0/24
#外部ip子网
MY_IP_LIST_2=1.2.3.0/24
#所有
ALL_IP=0/0

#北京ADSL动态IP列表
BJADSL_IP_LIST=221.218.0.0/16

#定义端口列表

#涉及ftp端口
FTP_PORT_1=20
FTP_PORT_RANGE="1023:65535"
FTP_PORT_2=21

#dns端口
DNS_PORT=53

#httpd端口
HTTP_PORT=80

#ssh 端口
SSH_PORT=4321

IPT="/sbin/iptables"

# 内网
LC_IFACE="eth1"
LC_ADDR="192.168.8.2"

# 公网
INET_IFACE="eth0"
INET_ADDR="1.2.3.4"

# 本机
LO_IFACE="lo"
LO_ADDR=127.0.0.1

# 定义接受请求速率限制
MAX_NUM_PACKS=1024

# 核心模块
/sbin/modprobe ip_tables

# ftp模块
/sbin/modprobe ip_nat_ftp

# 限速模块
/sbin/modprobe ip_conntrack

# 重新设置防火墙到默认状态
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
#$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -X

# 先拒绝所有请求
$IPT -P INPUT DROP
#$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

##########################################
# 设定一些内核参数
##########################################

#启动 SYN 泛洪保护
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#启用反向路径源认证,防止欺骗 
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#关闭 icom echo 广播包请求
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#拒绝源路由包
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#仅仅接收发给默认网关列表中网关的ICMP重定向消息
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

#记录来自非法ip的请求
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

##########################################
# 建立规则
##########################################
# 无效请求包规则
$IPT -N bad_packets

# 另一个恶意 TCP 包规则
$IPT -N bad_tcp_packets

# ICMP规则(进/出)
$IPT -N icmp_packets

# 来自公网的UDP请求规则
$IPT -N inet_udp_inbound

# 从本机发往公网的UDP请求规则,默认全部允许
$IPT -N udp_outbound

# 来自公网的 TCP 请求规则
$IPT -N inet_tcp_inbound
# 从本机发往公网的 TCP 请求规则,默认全部允许
$IPT -N tcp_outbound

##########################################
# 恶意请求规则
##########################################

# 立刻断掉非法的包并且记录
$IPT -A bad_packets -p ALL -m state --state INVALID \
-j LOG --log-prefix "IPTABLES_INVALID_PACKET:"
$IPT -A bad_packets -p ALL -m state --state INVALID \
-j DROP

# 再次检查 TCP 包是否还有问题
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# 都正确了,返回
$IPT -A bad_packets -p ALL -j RETURN

##########################################
# 恶意 TCP 请求
##########################################
#
# 所有的 TCP 请求都必须经过以下规则过滤. 任何新请求都
# 必须以一个 sync 包开始.
# 如果不是这样的话,很可能表示这是一个扫描动作,这些有 
# NEW 状态的包会被丢弃
#
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state \
NEW -j LOG --log-prefix "IPTABLES_NEW_NOT_SYN:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state \
NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j \
LOG --log-prefix "IPTABLES_STEALTH_SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j \
LOG --log-prefix "IPTABLES_STEALTH_SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH\
 -j LOG --log-prefix "IPTABLES_STEALTH_SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH\
 -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-j LOG --log-prefix "IPTABLES_STEALTH SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL \
SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags \
SYN,RST SYN,RST -j LOG --log-prefix \
"IPTABLES_STEALTH SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags \
SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags \
SYN,FIN SYN,FIN -j LOG --log-prefix \
"IPTABLES_STEALTH SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# 都没问题了,返回
$IPT -A bad_tcp_packets -p tcp -j RETURN

##########################################
# ICMP 包规则
##########################################
#
# ICMP 包必须封装在一个2层的帧中,因此它们不会有碎片. 
# 带有碎片的 ICMP 包通常被
# 标记为恶意攻击
#
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "IPTABLES_ICMP Fragment:"
$IPT -A icmp_packets --fragment -p ICMP -j DROP

#
# 默认地,所有丢弃的 ICMP 包都不记录日志. "冲击波" 
# 以及 "蠕虫" 会导致系统发起大量
# ping 请求. 如果想要记录 icmp log 就不要把本行注释掉
#

# 允许自有服务器ip及北京地区adsl ip进行 PING
$IPT -A icmp_packets -p ICMP -s $MY_IP_LIST_2 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s $BJADSL_IP_LIST -j ACCEPT

# 拒掉其他 PING
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# 接受超时 icmp 包
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

##########################################
# TCP & UDP 包规则
##########################################

##########################################
# 来自公网的 UDP 请求
##########################################
#$IPT -A inet_udp_inbound -p UDP \
-s $MY_IP_LIST_2 --dport $DNS_PORT -j ACCEPT

# 都没问题了,返回
$IPT -A inet_udp_inbound -p UDP -j RETURN

##########################################
# 发往公网的 UDP 请求
##########################################

# 都没问题了,返回
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

##########################################
# 来自公网的 TCP 请求
##########################################

# sshd 只对 北京ADSL IP段开放
$IPT -A inet_tcp_inbound -p TCP \
-s $BJADSL_IP_LIST --dport $SSH_PORT -j ACCEPT

# 允许自有服务器 IP 的 FTP 端口请求
# FTP Data fix
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
--sport $FTP_PORT_1 --dport $FTP_PORT_RANGE ! --syn \
-m state --state RELATED -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
-m state --state ESTABLISHED -j ACCEPT
$IPT -A inet_tcp_inbound -p UDP -s $MY_IP_LIST_2 \
--dport $FTP_PORT_RANGE -j ACCEPT

$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
--dport $FTP_PORT_1 ! --syn -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
--dport $FTP_PORT_2 -j ACCEPT

#允许所有ip访问 http 服务
$IPT -A inet_tcp_inbound -p TCP -s $ALL_IP \
--dport $HTTP_PORT -j ACCEPT

# 都没问题了,返回
$IPT -A inet_tcp_inbound -p TCP -j RETURN

##########################################
# 发往公网的 TCP 请求
##########################################

# 都没问题了,返回
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

##########################################
# 其他收到的请求
##########################################

# 允许本机及本子网间的任何通信
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -d $LC_ADDR -j ACCEPT

# 来自信任ip的任何请求都接受
$IPT -A INPUT -p ALL -s $MY_IP_LIST_1 -j ACCEPT
$IPT -A INPUT -p ALL -s $MY_IP_LIST_2 -j ACCEPT

# 丢弃任何错误包
$IPT -A INPUT -p ALL -j bad_packets

# 拒掉 DOCSIS 请求
$IPT -A INPUT -p ALL -d 224.0.0.1 -j REJECT

# 接受 Established 连接
$IPT -A INPUT -p ALL -i $INET_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

# 定义上面的几条路由规则
$IPT -A INPUT -p TCP -d $INET_ADDR -j inet_tcp_inbound
$IPT -A INPUT -p UDP -d $INET_ADDR -j inet_udp_inbound
$IPT -A INPUT -p ICMP -d $INET_ADDR -j icmp_packets

# 丢弃且不记录广播包
$IPT -A INPUT -m pkttype --pkt-type broadcast -j REJECT

# 记录其他未匹配到的包
$IPT -A INPUT -m limit --limit $MAX_NUM_PACKS/minute \
--limit-burst $MAX_NUM_PACKS -j LOG --log-prefix \
"IPTABLES_MISS_MATCH_INPUT:"

##########################################
# 其他发出的请求
##########################################

# 无论如何都丢弃错误的 ICMP 包,防止溢出
$IPT -A OUTPUT -m state -p icmp --state INVALID \
-j REJECT

# 允许对外的任何请求
$IPT -A OUTPUT -p ALL -s $ALL_IP -j ACCEPT

# 记录其他未匹配到的包
$IPT -A OUTPUT -m limit --limit $MAX_NUM_PACKS/minute \
--limit-burst $MAX_NUM_PACKS -j LOG --log-prefix \
"IPTABLES_MISS_MATCH_OUTPUT: "

 

 

我的样例：

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="1.2.3.4"
INET_IP_1="1.2.3.5"
INET_IFACE="eth0"
INET_BROADCAST="1.2.3.127"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE

# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.33"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#启用反向路径源认证,防止欺骗 
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#关闭 icom echo 广播包请求
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#拒绝源路由包
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#仅仅接收发给默认网关列表中网关的ICMP重定向消息
#echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

#记录来自非法ip的请求
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#
$IPTABLES -F 
$IPTABLES -X 
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X 


$IPTABLES -F -t nat
$IPTABLES -t nat -X 

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset 
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "IPTABLES_INVALID_PACKET:"
#$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30000 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10050 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10051 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 110 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2009 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines 
# will prevent them from showing up in the logs.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will 

# be swamped as well. This rule will block them from getting logged.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets


#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

#$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP_1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP_1 -j ACCEPT
#
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs
#

$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

#$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.

#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP_1 -j ACCEPT

#
# Log weird packets that don't match the above.
#

#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

#$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain

#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#