iptables 那点小知识

了解服务器防火墙 应该是玩服务器必须上的一课 。

linux的防火墙安全 的好坏 主要是 iptables 配置得如何，我认为。

于是乎，进入主题iptables的配置。（环境是centos 5.5） 

 

iptables 需了解的几个基本概念：  TARGET , CHAINS（user-defined and  built-in chains）, TABLE  

 

 

1. TABLE 

描述如下：

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.  Several different tables may be defined.  Each table contains a number of built-in chains and may also contain user-defined chains. 

TABLE 里存放的就是各种内置的或者用户定义的链。 iptables存在着多种不同table ，比如：filter，nat,mangle,raw 。 

 

2. CHAINS 

描述如下：

Each chain is a list of rules which can match a set of packets.  Each rule specifies what to do with a packet that matches.

This  is  called a ‘target’, which may be a jump to a user-defined chain in the same table.

 

chain 中包含各种规则(rule), 规则用来匹配数据包(packet)， 同时了规则指定了如果匹配成功则对数据包(packet）做什么处理， 这就是所谓的target 。 也就是如果匹配成功，就交给taget 处理。 

 

3. TARGETS 

描述如下 ：

A firewall rule specifies criteria for a packet, and a target.  （可以忽略）

If the packet does not match, the next rule in the chain is the examined; 

if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain  or one of the special values ACCEPT, DROP, QUEUE, or RETURN. （这句话得认真看）

 

如果匹配成功，则数据包交给 由Target所决定的 下一条rule处理。 而Target 指定了什么？  Target 可以是 用户定义的链，也可以是 ACCEPT ，DROP ，QUEUE，RETURN 。 

 

接下来看看 这个四个单词是神马？ 

 

ACCEPT  means  to  let the packet through.  

DROP means to drop the packet on the floor.  

QUEUE means to pass the packet to userspace.  (How the packet can be received by a userspace process differs by the particular queue handler.  2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler.  Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler.  Packets with a  target of QUEUE will be sent to queue number ’0’ in this case. Please also see the NFQUEUE target as  described  later  in  this  man page.)  （这个在此忽略！！！）

RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.  If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy  determines the fate of the packet.

 

其他三个不用解释了。 

 

基本概念清理完毕，开始写脚本 

 

#!/bin/bash
#
# iptables example configuration script
#
#
# If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT 
# otherwise once we flush the current rules we will be locked out of our server.
#
iptables -P INPUT ACCEPT 
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Allow Httpd on tcp port 22 
#
iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Create a new CHAIN called LOGNDROP
#
iptables -N LOGNDROP
#
# the standard DROP at the bottom of the INPUT chain is replaceed with LOGNDROP
# 
iptables -A INPUT -j LOGNDROP 
#
#
# add protocol descriptions so it makes sense looking at the log 
#
iptables -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 4
iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 4
iptables -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 4


#
# drop the traffic at the end of the LOGNDROP chain. 
#
iptables -A LOGNDROP -j DROP

# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v

 

 

注释应该很详细了，提醒一点，上面定义了一个LOGNDROP 链， 并为该链添加了3条rules 。 

 

附加修改syslog.conf的配置文件

 

#
#config syslog 
#

iptableslog=`cat /etc/syslog.conf | awk '{print $2}' | grep iptables.log`

if [ "$iptableslog"="/var/log/iptables.log" ]; then 
	echo "setup for iptables log Have already exists" 
else 
	echo "# Save Denied messages  to  iptalbes.log" > /etc/syslog.conf
	echo "kern.warning                                            /var/log/iptables.log" > /etc/syslog.conf
fi

 

然后tail -f /var/log/iptables.log 查看被Denied的Packet， 可以看到来源的IP 。 

 

这些都是iptables鸡毛蒜皮的小事情， iptables还大有文章，继续学习。 

 

 

参考： 

http://wiki.ubuntu.org.cn/IptablesHowTo#More_detailed_Logging_.E5.85.B3.E4.BA.8E.E6.97.A5.E5.BF.97.E8.AE.B0.E5.BD.95.E7.9A.84.E6.9B.B4.E5.A4.9A.E7.BB.86.E8.8A.82

Basic Iptables How to for Ubuntu Server Edition Ubuntu 服务器版 Iptables 基本设置指南

http://wiki.centos.org/HowTos/Network/IPTables  

HowTos>

Network>

IPTables (centos)

http://hi.baidu.com/duxf/blog/item/1ec6b00e14ce3dcd7acbe14e.html Iptables配置+访问日志记录