iptables 那点小知识

Anddy

浏览: 191470 次
性别:
来自: 深圳

最近访客更多访客>>

freshair0401

xxhh

zerolv

JHercules_qz

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

Linux

CentOS Ubuntu Linux SSH 防火墙

了解服务器防火墙应该是玩服务器必须上的一课。

linux的防火墙安全的好坏主要是 iptables 配置得如何，我认为。

于是乎，进入主题iptables的配置。（环境是centos 5.5）

iptables 需了解的几个基本概念： TARGET , CHAINS（user-defined and built-in chains）, TABLE

1. TABLE

描述如下：

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

TABLE 里存放的就是各种内置的或者用户定义的链。 iptables存在着多种不同table ，比如：filter，nat,mangle,raw 。

2. CHAINS

描述如下：

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches.

This is called a ‘target’, which may be a jump to a user-defined chain in the same table.

chain 中包含各种规则(rule), 规则用来匹配数据包(packet)，同时了规则指定了如果匹配成功则对数据包(packet）做什么处理，这就是所谓的target 。也就是如果匹配成功，就交给taget 处理。

3. TARGETS

描述如下：

A firewall rule specifies criteria for a packet, and a target. （可以忽略）

If the packet does not match, the next rule in the chain is the examined;

if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN. （这句话得认真看）

如果匹配成功，则数据包交给由Target所决定的下一条rule处理。而Target 指定了什么？ Target 可以是用户定义的链，也可以是 ACCEPT ，DROP ，QUEUE，RETURN 。

接下来看看这个四个单词是神马？

ACCEPT means to let the packet through.

DROP means to drop the packet on the floor.

QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number ’0’ in this case. Please also see the NFQUEUE target as described later in this man page.) （这个在此忽略！！！）

RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

其他三个不用解释了。

基本概念清理完毕，开始写脚本

#!/bin/bash
#
# iptables example configuration script
#
#
# If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT 
# otherwise once we flush the current rules we will be locked out of our server.
#
iptables -P INPUT ACCEPT 
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Allow Httpd on tcp port 22 
#
iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Create a new CHAIN called LOGNDROP
#
iptables -N LOGNDROP
#
# the standard DROP at the bottom of the INPUT chain is replaceed with LOGNDROP
# 
iptables -A INPUT -j LOGNDROP 
#
#
# add protocol descriptions so it makes sense looking at the log 
#
iptables -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 4
iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 4
iptables -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 4


#
# drop the traffic at the end of the LOGNDROP chain. 
#
iptables -A LOGNDROP -j DROP

# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v

注释应该很详细了，提醒一点，上面定义了一个LOGNDROP 链，并为该链添加了3条rules 。

附加修改syslog.conf的配置文件

#
#config syslog 
#

iptableslog=`cat /etc/syslog.conf | awk '{print $2}' | grep iptables.log`

if [ "$iptableslog"="/var/log/iptables.log" ]; then 
	echo "setup for iptables log Have already exists" 
else 
	echo "# Save Denied messages  to  iptalbes.log" > /etc/syslog.conf
	echo "kern.warning                                            /var/log/iptables.log" > /etc/syslog.conf
fi

然后tail -f /var/log/iptables.log 查看被Denied的Packet，可以看到来源的IP 。

这些都是iptables鸡毛蒜皮的小事情， iptables还大有文章，继续学习。

参考：

http://wiki.ubuntu.org.cn/IptablesHowTo#More_detailed_Logging_.E5.85.B3.E4.BA.8E.E6.97.A5.E5.BF.97.E8.AE.B0.E5.BD.95.E7.9A.84.E6.9B.B4.E5.A4.9A.E7.BB.86.E8.8A.82

Basic Iptables How to for Ubuntu Server Edition Ubuntu 服务器版 Iptables 基本设置指南

http://wiki.centos.org/HowTos/Network/IPTables

HowTos>

Network>

IPTables (centos)

http://hi.baidu.com/duxf/blog/item/1ec6b00e14ce3dcd7acbe14e.html Iptables配置+访问日志记录

1
顶

1
踩

分享到：

虚拟机centos静态配置IP | Mysql 主从备份 Duplicate entry for key P ...

2011-05-24 21:11
浏览 2080
评论(0)
分类:操作系统
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论