实验环境:
KVM 虚拟机 centos6.7
test1:192.168.124.87 test2:192.168.124.94
场景一:
要求:1.对所有地址开放本机的tcp(80、22、10-21)端口的访问。
2.对所有主机开放本机的基于ICMP协议的数据包访问
3.其他未被访问 的端口禁止访问
答:2表达的意思是禁止ping
步骤:
(1)查看iptables 版本
[root@test1 ~]# iptables -v
iptables v1.4.7: no command specified
(2)查看test1机器的端口开放情况
[root@test1 ~]# netstat -luntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1141/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1220/master
tcp 0 0 :::22 :::* LISTEN 1141/sshd
tcp 0 0 ::1:25 :::* LISTEN 1220/master
udp 0 0 0.0.0.0:68 0.0.0.0:* 1368/dhclient
(3)查看iptables之前设置的规则
[root@test1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/ 0.0.0.0/ state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/ 0.0.0.0/
ACCEPT all -- 0.0.0.0/ 0.0.0.0/
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ state NEW tcp dpt:
REJECT all -- 0.0.0.0/ 0.0.0.0/ reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/ 0.0.0.0/ reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT)
target prot opt source destination
加n表示源地址和目的地址用数字的形式表示
(4)清除之前设置过的规则
[root@test1 ~]# iptables -F
[root@test1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(5)设置好开放的端口
[root@test1 ~]# iptables -I INPUT -p tcp --dport -j ACCEPT
[root@test1 ~]# iptables -I INPUT -p tcp --dport -j ACCEPT
[root@test1 ~]# iptables -I INPUT -p tcp --dport : -j ACCEPT
[root@test1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpts::
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpt:
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpt: Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-I 插入规则 -p 指定协议 –dport 目的端口 -j 制定动作
(6)允许icmp访问
iptables -I INPUT -p icmp -j ACCEPT
[root@test1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/ 0.0.0.0/
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpts::
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpt:
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpt: Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(7)设置拒绝规则
iptables -A INPUT -j REJECT
root@test1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/ 0.0.0.0/
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpts::
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpt:
ACCEPT tcp -- 0.0.0.0/ 0.0.0.0/ tcp dpt:
REJECT all -- 0.0.0.0/ 0.0.0.0/ reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
bingo,至此结束。。。
如果想要删除某条规则:
[root@test1 ~]# iptables -I INPUT -p tcp --dport -j ACCEPT
-D 表示删除
拓展一下,设置一下,不允许其他机器ping本机
(1)设置规则
[root@test1 ~]# iptables -I INPUT -p icmp -j REJECT
[root@test1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT icmp -- 0.0.0.0/ 0.0.0.0/ reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(2)另外一台机子测试
[root@test2 ~]# ping 192.168.124.87
PING 192.168.124.87 (192.168.124.87) () bytes of data.
From 192.168.124.87 icmp_seq= Destination Port Unreachable
From 192.168.124.87 icmp_seq= Destination Port Unreachable
From 192.168.124.87 icmp_seq= Destination Port Unreachable
From 192.168.124.87 icmp_seq= Destination Port Unreachable
From 192.168.124.87 icmp_seq= Destination Port Unreachable