This article presents the 25 most commonly used iptables rules. I hope these examples help with the security of your servers.
1. Flush existing rules
When you start building a new rule set, you will usually want to clear the existing rules first. To do so:
    iptables -F
or, equivalently:
    iptables --flush
Note that -F on its own only flushes the filter table; the nat table used in items 11 and 24 is flushed separately with iptables -t nat -F, and -F does not reset the chain policies set in item 2.
2. Set the default policies
The default policy of each chain is ACCEPT. Change the policy of all chains to DROP:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
If you are working over SSH, add the SSH rules from item 4 before switching INPUT and OUTPUT to DROP, otherwise the current session is cut off.
3. Block a specific IP address
    BLOCK_THIS_IP="x.x.x.x"
    iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
    iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
    iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
The first rule blocks the address on every interface and protocol; the second and third are narrower variants that only match traffic arriving on eth0, or TCP traffic arriving on eth0.
4. Allow SSH
Allow all incoming SSH connections to this host on the eth0 interface:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
5. Allow SSH from a specific subnet only
    iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
6. Allow HTTP and HTTPS
Allow all incoming web traffic: HTTP on port 80
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow all incoming web traffic: HTTPS on port 443
    iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. Combine several rules into one
Allow SSH, HTTP and HTTPS with a single pair of rules using the multiport match:
    iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
8. Allow outgoing SSH connections to other hosts
    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow outgoing SSH connections to a specific subnet only
    iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow outgoing HTTPS
    iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
11. Load-balance web requests (every third new connection goes to the next of the listed servers; this needs the nth match, an iptables extension that is not part of the standard build)
DNAT is only valid in the nat table, so the rules must be added with -t nat:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
12. Allow incoming ping
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Allow pinging remote hosts
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
14. Allow the loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
15. Allow the internal network to reach the external network
In this example eth1 is connected to the external network and eth0 to the internal network:
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
With the FORWARD policy set to DROP (item 2), the replies coming back from eth1 to eth0 also have to be allowed, typically by a reverse rule restricted to ESTABLISHED,RELATED traffic.
16. Allow outgoing DNS
    iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
17. Allow NIS connections
NIS ports are dynamic: ypbind is assigned its ports when it starts.
First run rpcinfo -p to see which ports are in use; this example uses ports 850 and 853.
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT
    iptables -A INPUT -p tcp --dport 853 -j ACCEPT
    iptables -A INPUT -p udp --dport 853 -j ACCEPT
    iptables -A INPUT -p tcp --dport 850 -j ACCEPT
    iptables -A INPUT -p udp --dport 850 -j ACCEPT
The rules above stop working as soon as ypbind is restarted and receives different ports. There are two solutions:
(1) give the NIS services static ports; (2) use a clever script that regenerates the rules from the current port assignment.
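A script of the kind solution (2) refers to, added here as an example rather than taken from the article: it parses the output of rpcinfo -p, picks out the ports of the requested RPC services (plus the portmapper), and prints the matching iptables rules. The rpcinfo output embedded below is constructed sample data, and the -s subnet is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: derive the ypbind ports from
# "rpcinfo -p" output and print the iptables ACCEPT rules for them, so the
# rules can be regenerated after every ypbind restart.
# Constructed sample of "rpcinfo -p" output (not a real capture).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100007    2   udp    850  ypbind
    100007    2   tcp    853  ypbind
    100007    1   udp    850  ypbind
    100004    2   udp    847  ypserv
    100004    2   tcp    849  ypserv'

# nis_ports <service-regex>: reads rpcinfo -p output on stdin and prints one
# "proto port" pair per line for every matching RPC service plus the
# portmapper, skipping the header and duplicates (ypbind registers several
# protocol versions on the same port).
nis_ports() {
    awk -v svc="$1" 'NR > 1 && ($5 ~ svc || $5 == "portmapper") {
        key = $3 " " $4
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# nis_rules <service-regex> [source-cidr]: turns the port list into iptables
# commands. Restricting the source (-s) to the NIS client network is
# optional but advisable, since NIS itself has no authentication.
nis_rules() {
    src=""
    [ -n "$2" ] && src="-s $2 "
    nis_ports "$1" | while read -r proto port; do
        printf 'iptables -A INPUT %s-p %s --dport %s -j ACCEPT\n' "$src" "$proto" "$port"
    done
}

# Stand-alone usage: feed the live output instead of the sample, review the
# printed commands, then pipe them to sh:
#   rpcinfo -p | nis_rules 'yp(bind|serv)' 192.168.100.0/24 | sh
printf '%s\n' "$SAMPLE_RPCINFO" | nis_rules 'ypbind' 192.168.100.0/24
```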
18. Allow rsync from a specific subnet
    iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
19. Allow MySQL connections from a specific subnet
    iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
20. Allow sendmail or Postfix
    iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
21. Allow IMAP and IMAPS
IMAP:
    iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
IMAPS:
    iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
22. Allow POP3 and POP3S
POP3:
    iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
POP3S:
    iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
23. Mitigate DoS attacks
    iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-m: load an iptables extension module (here, limit)
--limit 25/minute: the number of connection requests accepted per minute once the burst allowance is used up
--limit-burst: the trigger threshold, i.e. how many packets may arrive in one burst before the per-minute limit applies
The rule only accepts traffic up to that rate; whatever exceeds it is not dropped by this rule but falls through to the later rules and the chain's default policy. Because there is no state match, it counts every packet to port 80, not only new connections, so 25 per minute is far too low for a busy web server and should be tuned.
24. Port forwarding
Everything arriving on port 422 is forwarded to port 22:
    iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
You must also explicitly allow port 422:
    iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
Keep in mind that DNAT in PREROUTING happens before filtering, so by the time the packet reaches the INPUT chain its destination port is already 22; the SSH rules from item 4 therefore also need to be in place for the forwarded connection to be accepted.
25. Log dropped packets
You may want to log every packet that gets dropped.
First create a new chain called LOGGING:
    iptables -N LOGGING
Make sure all traffic that was not accepted by an earlier rule jumps to LOGGING (append this after all the ACCEPT rules, since -A adds to the end of the chain):
    iptables -A INPUT -j LOGGING
Log these packets with a custom prefix via "log-prefix" (the limit match keeps the log from being flooded):
    iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped:" --log-level 7
Finally, drop the packets:
    iptables -A LOGGING -j DROP
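Once the LOGGING chain is in place the kernel log fills with lines carrying the "IPTables Packet Dropped:" prefix. The following script is an added example, not part of the article: it summarises such lines by source address and destination port and flags sources that probed several ports. The log lines are constructed sample data in the format the LOG target writes.

```shell
#!/bin/sh
# Added example, not from the original article: summarise kernel log lines
# written by the item-25 LOGGING chain. The lines below are constructed
# sample data, not a real capture.
SAMPLE_LOG='Mar  3 10:00:01 gw kernel: IPTables Packet Dropped:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:00:02 gw kernel: IPTables Packet Dropped:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51235 DPT=3306 SYN
Mar  3 10:00:03 gw kernel: IPTables Packet Dropped:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51236 DPT=873 SYN
Mar  3 10:00:04 gw kernel: IPTables Packet Dropped:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51237 DPT=22 SYN
Mar  3 10:00:05 gw kernel: IPTables Packet Dropped:IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=40 PROTO=UDP SPT=4444 DPT=53
Mar  3 10:00:06 gw kernel: some unrelated kernel message'

# drop_summary: reads syslog lines on stdin, keeps only those produced by the
# LOGGING chain, and prints "SRC DPT count", busiest pair first.
drop_summary() {
    grep 'IPTables Packet Dropped:' |
    awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' |
    sort -k3,3nr -k1,1 -k2,2n
}

# scanning_sources <min-ports>: sources whose dropped packets hit at least
# <min-ports> distinct destination ports, a simple port-scan indicator
# worth a closer look (or a temporary item-3 style block).
scanning_sources() {
    drop_summary | awk -v min="$1" '{ ports[$1]++ }
        END { for (s in ports) if (ports[s] >= min) print s }' | sort
}

# Stand-alone usage on a live system: journalctl -k | drop_summary
printf '%s\n' "$SAMPLE_LOG" | drop_summary
printf '%s\n' "$SAMPLE_LOG" | scanning_sources 3
```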