
iptables state match: a stateful firewall

View the help for an extension match:
iptables -t filter -m icmp -h
user1 pings user2; user2 drops user1's pings:
iptables -t filter -A INPUT -s 172.16.1.11 -p icmp -m icmp --icmp-type echo-request -j DROP
Drop several ports at once:
iptables -t filter -A INPUT -s 172.16.1.11 -p tcp -m multiport --dport 80,22,21 -j DROP
Drop an address range:
iptables -t filter -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.100 -j DROP
Drop traffic from a MAC address:
iptables -t filter -A INPUT -m mac --mac-source 00:0C:29:7F:54:B5 -j DROP
Allow ssh but drop scp (the rule matches TOS 8, Maximize-Throughput, which older OpenSSH sets on scp transfers):
iptables -t filter -A INPUT -s 172.16.1.11 -p tcp --dport 22 -m tos --tos 8 -j DROP
TOS match v1.3.5 options:
[!] --tos value                Match Type of Service field from one of the
                              following numeric or descriptive values:
          Minimize-Delay 16 (0x10)      minimum delay
          Maximize-Throughput 8 (0x08)  maximum throughput
          Maximize-Reliability 4 (0x04) maximum reliability
          Minimize-Cost 2 (0x02)        minimum cost
          Normal-Service 0 (0x00)       normal service
state: the stateful match
--state NEW          a new connection is being opened
--state ESTABLISHED  the connection is already established
--state RELATED      related to an existing connection
--state INVALID      the packet cannot be associated with any known connection

ICMP experiment
Ping succeeds: NEW, ESTABLISHED
Ping fails: NEW, ESTABLISHED, RELATED, INVALID
Outbound
iptables -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "OUT_ICMP_NEW"
iptables -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-request -m state --state ESTABLISHED -j LOG --log-prefix "OUT_ICMP_ESTABLISHED"
iptables -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-request -m state --state RELATED -j LOG --log-prefix "OUT_ICMP_RELATED"
iptables -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-request -m state --state INVALID -j LOG --log-prefix "OUT_ICMP_INVALID"

Inbound
iptables -t filter -A INPUT -p icmp -m icmp --icmp-type echo-reply -m state --state NEW -j LOG --log-prefix "IN_ICMP_NEW"
iptables -t filter -A INPUT -p icmp -m icmp --icmp-type echo-reply -m state --state ESTABLISHED -j LOG --log-prefix "IN_ICMP_ESTABLISHED"
iptables -t filter -A INPUT -p icmp -m icmp --icmp-type echo-reply -m state --state RELATED -j LOG --log-prefix "IN_ICMP_RELATED"
iptables -t filter -A INPUT -p icmp -m icmp --icmp-type echo-reply -m state --state INVALID -j LOG --log-prefix "IN_ICMP_INVALID"

TCP protocol: HTTP experiment
Outbound
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "OUT_80_NEW"
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state ESTABLISHED -j LOG --log-prefix "OUT_80_ES"
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state RELATED -j LOG --log-prefix "OUT_80_RE"
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state INVALID -j LOG --log-prefix "OUT_80_IN"
Inbound
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state NEW -j LOG --log-prefix "IN_80_NEW"
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j LOG --log-prefix "IN_80_ES"
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state RELATED -j LOG --log-prefix "IN_80_RE"
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state INVALID -j LOG --log-prefix "IN_80_IN"
10 packets in total: the first is NEW, the other 9 are ESTABLISHED.
FTP protocol (TCP) experiment: three states appear, NEW, ESTABLISHED and RELATED.

Control connection: produces 2 NEW packets

Outbound
iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state NEW -j LOG --log-prefix "OUT_21_NEW"
iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j LOG --log-prefix "OUT_21_ES"
iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state RELATED -j LOG --log-prefix "OUT_21_RE"
iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state INVALID -j LOG --log-prefix "OUT_21_IN"

Inbound
iptables -t filter -A INPUT -p tcp --sport 21 -m state --state NEW -j LOG --log-prefix "IN_21_NEW"
iptables -t filter -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j LOG --log-prefix "IN_21_ES"
iptables -t filter -A INPUT -p tcp --sport 21 -m state --state RELATED -j LOG --log-prefix "IN_21_RE"
iptables -t filter -A INPUT -p tcp --sport 21 -m state --state INVALID -j LOG --log-prefix "IN_21_IN"

Data connection

Inbound
iptables -t filter -A INPUT -p tcp --sport 20 -m state --state NEW -j LOG --log-prefix "IN_20_NEW"
iptables -t filter -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED -j LOG --log-prefix "IN_20_ES"
iptables -t filter -A INPUT -p tcp --sport 20 -m state --state RELATED -j LOG --log-prefix "IN_20_RE"
iptables -t filter -A INPUT -p tcp --sport 20 -m state --state INVALID -j LOG --log-prefix "IN_20_IN"

Outbound
iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state NEW -j LOG --log-prefix "OUT_20_NEW"
iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j LOG --log-prefix "OUT_20_ES"
iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state RELATED -j LOG --log-prefix "OUT_20_RE"
iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state INVALID -j LOG --log-prefix "OUT_20_IN"

RELATED connections appear here; they depend on the ip_conntrack_ftp helper.
ls /lib/modules/2.6.18*/kernel/net/ipv4/netfilter/
Load the kernel module for the data connection:
modprobe ip_conntrack_ftp

Invalid-connection experiment
Outbound
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "OUT_80_NEW"
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state INVALID -j LOG --log-prefix "OUT_80_IN"
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state ESTABLISHED -j LOG --log-prefix "OUT_80_ES"
iptables -t filter -A OUTPUT -p tcp --dport 80 -m state --state RELATED -j LOG --log-prefix "OUT_80_RE"
Inbound
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state NEW -j LOG --log-prefix "IN_80_NEW"
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state INVALID -j LOG --log-prefix "IN_80_IN"
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j LOG --log-prefix "IN_80_ES"
iptables -t filter -A INPUT -p tcp --sport 80 -m state --state RELATED -j LOG --log-prefix "IN_80_RE"
yum install nmap (port scanner)

nmap 172.16.1.11
3 packets come back:
one NEW, 2 ESTABLISHED
RST (reset)

nmap -sA 172.16.1.11 -p 80
nmap gets 2 packets back:
one NEW, 1 ESTABLISHED

nmap -sF 172.16.1.11 -p 80
nmap gets 2 packets back:
2 INVALID; two FIN segments are returned, which happens when the port is open
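The HTTP, FTP and nmap experiments above all come down to counting how many packets each LOG prefix produced. As an added example (not part of the original post), a POSIX shell helper that tallies those counts from kernel log lines: the sample lines are constructed here, but their layout follows the iptables LOG target, which writes the prefix immediately before IN= (glued to it unless the prefix ends in a space), so the parser strips that trailing IN= either way.

```shell
#!/bin/sh
# emit_lines PREFIX COUNT IFACE_FIELDS: write COUNT constructed log lines for
# one LOG prefix, in the layout the iptables LOG target uses (values made up).
emit_lines() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'Jan  1 10:00:%02d host kernel: %s%s SRC=172.16.1.12 DST=172.16.1.11 PROTO=TCP SPT=80 DPT=40000\n' \
            "$i" "$1" "$3"
        i=$((i + 1))
    done
}

# Constructed capture: one HTTP fetch seen by the port-80 rules (first outbound
# packet NEW, the rest ESTABLISHED) plus two INVALID replies, as in the FIN-scan
# run. "OUT_80_NEW" has no trailing space, so it is logged glued to IN=.
sample_log() {
    emit_lines "OUT_80_NEW" 1 "IN= OUT=eth0"
    emit_lines "OUT_80_ES " 4 "IN= OUT=eth0"
    emit_lines "IN_80_ES "  5 "IN=eth0 OUT="
    emit_lines "IN_80_IN"   2 "IN=eth0 OUT="
}

# count_log_prefixes: read log lines on stdin, print "PREFIX COUNT" per prefix.
# The prefix is the token between "kernel: " and the IN= field; the optional
# space handles prefixes written with or without a trailing space.
count_log_prefixes() {
    awk '
        match($0, /kernel: [A-Za-z0-9_]+ ?IN=/) {
            s = substr($0, RSTART + 8, RLENGTH - 8)   # drop "kernel: "
            sub(/ ?IN=$/, "", s)                      # drop trailing "IN="
            n[s]++
        }
        END { for (p in n) print p, n[p] }' | sort
}

# prefix_count PREFIX: packets logged under one prefix (0 when absent).
prefix_count() {
    count_log_prefixes | awk -v p="$1" 'BEGIN { c = 0 } $1 == p { c = $2 } END { print c }'
}

# invalid_total: packets conntrack classified INVALID (prefixes ending in _IN);
# these are exactly what the DROP policy in iptables.sh discards silently.
invalid_total() {
    count_log_prefixes | awk '$1 ~ /_IN$/ { t += $2 } END { print t + 0 }'
}

sample_log | count_log_prefixes
```

On a live box replace sample_log with grep 'kernel:' /var/log/messages (or dmesg) to tally a real run.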

UDP state

iptables.sh
#!/bin/bash
# Default policy: drop everything in both directions, then open only what is needed.
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
# Connection-tracking helper so FTP data connections are classified RELATED.
modprobe ip_conntrack_ftp

# New connections are admitted only as a SYN to the served ports.
iptables -t filter -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
# Everything else must belong to a tracked connection; INVALID falls through to the DROP policy.
iptables -t filter -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

