Master Iptables

January 7, 2025

数据包

接收
发送
转发 路由器

iptables 三要素

table

tables allow you to do very specific things with packets. 对数据包做特定的处理

filter table `default`

mangle table

nat table

raw table

chain

each of these tables are composed of a few default chains. These chains allow you to filter packets at various points.

PREROUTING

INPUT

OUTPUT

FORWARD

POSTROUTING

target

terminating target

一旦匹配立刻决定一个网络包的最终命运。如 ACCEPT,DROP,REJECT
chain 上的 target 依次匹配, 一旦匹配就执行关联的操作。匹配不到执行默认的 target
可以配置 default policy, 也是一个 target
所有 chain 的 default policy 是 ACCEPT

non-terminating target

如 LOG 记录 kernel 日志

iptables examples

-t 不指定，默认是 filter table. 为啥? filter 常用呗

New-chain Xdelete-chain List Insert Append Delete Replace Flush Policy jump match module source destination numeric 不进行 reverse dns lookup protocol input interface onput interface

list rules

iptables -L –line-numbers
iptables -A INPUT -p tcp –dport 22 -j LOG
iptables -D INPUT -p tcp –dport 22 -j LOG

append rules

iptables -A INPUT -s 221.194.47.0/24 -j REJECT

delete rules

iptables -D INPUT -s 221.194.47.0/24 -j REJECT
iptables -D INPUT 12
iptables -D INPUT 9
iptables -F
iptables -F INPUT

insert/replace rules

iptables -I INPUT 1 -s 114.114.114.114 -j ACCEPT
iptables -R INPUT 1 -s 59.45.175.10 -J ACCEPT

protocals/modules

iptables -A INPUT -p tcp -m tcp -dport 22 -s 59.45.175.0/24 -j DROP
iptables -A INPUT -p tcp -m multiport -dports 22,49101 -s 59.45.175.0/24 -j DROP
iptables -A input -p icmp -m icmp -icmp-type 17 -j DROP

connection tracking module

change default policy

iptables -P INPUT DROP
iptables -t nat -P INPUT DROP

custom chain

iptables -N ssh-rules
iptables -A ssh-rules -s 18.130.0.0./16 -j ACCEPT
iptables -A ssh-rules -s 18.11.0.0/16 -j ACCEPT
iptables -A ssh-rules -j DROP
iptables -A INPUT -p tcp -m tcp –dport 22 -j ssh-rules

默认的 iptables 配置

所有 chain 的默认 policy 都是 ACCEPT

[root@node96 ~]# iptables -t filter -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination 

[root@node96 ~]# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

[root@node96 ~]# iptables -t mangle -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination 

[root@node96 ~]# iptables -t raw -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

References

Last updated on April 27, 2025

My Source List lsof examples