@[TOC](第二十九章 Linux防火墙 小节1)
实验环境准备: CentOS7
#关闭防火墙
[root@centos7 ~]# systemctl stop firewalld
#设置开机不启动
[root@centos7 ~]# systemctl disable firewalld
#卸载虚拟网卡服务
[root@centos7 ~]# yum remove libvirt-daemon -y
#重启、即可
[root@centos7 ~]# reboot
CentOS6
[root@centos6 ~]$ service iptables stop
[root@centos6 ~]$ chkconfig --list iptables
INPUT(入)
DROP(拒绝、不回应你)
示例:
CentOS7
只要从37.6访问我的都拒绝
[root@centos7 ~]# iptables -t filter -A INPUT -s 192.168.37.6 -j DROP
CentOS6
不通
[root@centos6 ~]$ ping 192.168.37.7
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
CentOS7
已经有29个包匹配了这个规则、被DROP(抛弃)掉
问题:不通怎么造成的?
两种:
1.一种数据包到达对方、对方不回应
2.根本没到对方
清除规则
#默认'-t filter'、所以可以不写
[root@centos7 ~]# iptables -t filter -F
CentOS6 清除规则后、ping通了
[root@centos6 ~]$ ping 192.168.37.7
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
64 bytes from 192.168.37.7: icmp_seq=1400 ttl=64 time=0.767 ms
64 bytes from 192.168.37.7: icmp_seq=1401 ttl=64 time=0.761 ms
^C
--- 192.168.37.7 ping statistics ---
1401 packets transmitted, 9 received, 99% packet loss, time 1407712ms
rtt min/avg/max/mdev = 0.281/0.639/0.931/0.237 ms
CentOS7 在抓包的时候也可看到、有去有回
[root@centos7 ~]# tcpdump -i eth0 -nn host 192.168.37.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:12:34.983075 IP 192.168.37.6 > 192.168.37.7: ICMP echo request, id 22538, seq 37, length 64
01:12:34.983120 IP 192.168.37.7 > 192.168.37.6: ICMP echo reply, id 22538, seq 37, length 64
01:12:34.986045 IP 192.168.37.6.22 > 192.168.37.1.60457: Flags [P.], seq 2985031191:2985031291, ack 2510012309, win 152, length 100
01:12:35.036420 IP 192.168.37.1.60457 > 192.168.37.6.22: Flags [.], ack 100, win 4104, length 0
01:12:35.984862 IP 192.168.37.6 > 192.168.37.7: ICMP echo request, id 22538, seq 38, length 64
01:12:35.984935 IP 192.168.37.7 > 192.168.37.6: ICMP echo reply, id 22538, seq 38, length 64
01:12:35.986119 IP 192.168.37.6.22 > 192.168.37.1.60457: Flags [P.], seq 100:200, ack 1, win 152, length 100
01:12:36.030480 IP 192.168.37.1.60457 > 192.168.37.6.22: Flags [.], ack 200, win 4103, length 0
01:12:36.985877 IP 192.168.37.6 > 192.168.37.7: ICMP echo request, id 22538, seq 39, length 64
01:12:36.985934 IP 192.168.37.7 > 192.168.37.6: ICMP echo reply, id 22538, seq 39, length 64
01:12:36.989079 IP 192.168.37.6.22 > 192.168.37.1.60457: Flags [P.], seq 200:300, ack 1, win 152, length 100
REJECT(拒绝、回应你)
示例 CentOS7
[root@centos7 ~]# iptables -t filter -A INPUT -s 192.168.37.6 -j REJECT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 396 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 192.168.37.6 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
pkts bytes target prot opt in out source destination
CentOS6 告诉你不可到达
[root@centos6 ~]$ ping 192.168.37.7
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
From 192.168.37.7 icmp_seq=1 Destination Port Unreachable
From 192.168.37.7 icmp_seq=2 Destination Port Unreachable
^C
--- 192.168.37.7 ping statistics ---
2 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2092ms
iptables命令
规则格式:
- iptables [-t table] SUBCOMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
-t table:
- raw, mangle, nat, [filter]默认
SUBCOMMAND:
1、链管理: -N:new, 自定义一条新的规则链 -X:delete,删除自定义的空的规则链 -P:Policy,设置默认策略;对filter表中的链而言,其默认策略有:
- ACCEPT:接受
- DROP:丢弃
-E:rename,重命名自定义链;引用计数不为0的自定义链不能够被重命名,也不能被删除
2、查看:
-L:list, 列出指定链上的所有规则,本选项须置后 -n:numeric,以数字格式显示地址和端口号 -v:verbose,详细信息 -vv 更详细 -x:exactly,显示计数器结果的精确值,而非单位转换后的易读值 --line-numbers:显示规则的序号 常用组合:
- -vnL
- -vvnxL --line-numbers
-S selected,以iptables-save 命令格式显示链上规则
3、规则管理:
-A:append,追加 -I:insert, 插入,要指明插入至的规则编号,默认为第一条 -D:delete,删除
指明规则序号
指明规则本身
-R:replace,替换指定链上的指定规则编号 -F:flush,清空指定的规则链 -Z:zero,置零
iptables的每条规则都有两个计数器
- 匹配到的报文的个数
- 匹配到的所有报文的大小之和
chain:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
--line-numbers:显示规则的序号
示例: CentOS7 再添加一条规则把37.18拒绝了
[root@centos7 ~]# iptables -t filter -A INPUT -s 192.168.37.18 -j REJECT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target prot opt in out source destination
3 252 REJECT all -- * * 192.168.37.6 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.168.37.18 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 712 bytes)
pkts bytes target prot opt in out source destination
可以看到num(序号)、第二条是我们刚刚添加的
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 33 packets, 2356 bytes)
num pkts bytes target prot opt in out source destination
1 3 252 REJECT all -- * * 192.168.37.6 0.0.0.0/0 reject-with icmp-port-unreachable
2 0 0 REJECT all -- * * 192.168.37.18 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23 packets, 3048 bytes)
num pkts bytes target prot opt in out source destination
防火墙规则的次序很重要
-D 删除策略
示例:
注意:这条命令危险!!!会把自己也拒绝、因为我们XSHELL走的NAT网卡、会把我们踢掉。机房不在身边慎用!!!
[root@centos7 ~]# iptables -t filter -A INPUT -s 192.168.37.0/24 -j REJECT
只剩下最后一位、且变成了第一位
-I:insert, 插入,要指明插入至的规则编号,默认为第一条
解决方法:可以先将策略做一个备份、再定义一个计划任务、10分钟之后自动还原你的策略备份
#计划1分钟后执行、清空防火墙策略命令
[root@centos7 ~]# at now + 1 minutes
at> iptables -F
at> <EOT> <--Ctrl+D
-R(替换)
CentOS7
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 959 67845 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
2 0 0 REJECT all -- * * 192.168.37.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
3 0 0 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 928 bytes)
num pkts bytes target prot opt in out source destination
#插入一条规则、在第二条
[root@centos7 ~]# iptables -I INPUT 2 -s 172.16.0.7/16 -j REJECT
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1019 72097 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
2 0 0 REJECT all -- * * 172.16.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable <--
3 0 0 REJECT all -- * * 192.168.37.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
4 0 0 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
num pkts bytes target prot opt in out source destination
但是第二条规则、写错了想替换
-Z 清除计数器(重新开始计数)
想6,18可以访问、插入规则到第三条
如果想不在规则中的全拒绝
加上策略后、自己可ping通
OUTPUT (出)
output限制了自己、所以不建议在output中添加策略
把output中策略清空
[root@centos7 ~]# iptables -F OUTPUT