effect, run <CODE>iptables -L</CODE> or <CODE>iptables --list</CODE>
if you like being verbose. Add <CODE>-n</CODE> to skip the reverse DNS
lookups that otherwise make the listing slow, and <CODE>-v</CODE> to
see packet and byte counters along with the interface each rule applies
to. </P>
<P>With no chains loaded, the output should look something like the
image to the right: </P>
<TABLE cellSpacing=0 cellPadding=0 width=200 align=right border=0>
<TBODY>
<TR>
<TD><A href="javascript:openFig1()"><IMG height=224
src="Open Source - Using iptables.files/0104l_f1th.jpg"
width=250></A></TD></TR>
<TR>
<TD>
<P align=right><A href="javascript:openFig1()"><I>(Click for
larger image.)</I></A></P></TD></TR></TBODY></TABLE>
<P>By default, you have an INPUT, OUTPUT, and FORWARD chain--all
with a policy of accepting packets. In other words, until you
configure some of these chains, everything is wide open. </P>
<P>If you're going to be using this computer as a firewall for other
machines, you'll want to enable IP forwarding. Issue the command:
<CODE>echo "1" > /proc/sys/net/ipv4/ip_forward</CODE> (or, equivalently,
<CODE>sysctl -w net.ipv4.ip_forward=1</CODE>). This takes effect
immediately but does not survive a reboot; to make it permanent, set
<CODE>net.ipv4.ip_forward = 1</CODE> in <CODE>/etc/sysctl.conf</CODE>.
Leave forwarding off on a machine that only protects itself, so it
never routes packets on behalf of anyone. </P>
<P>
<H3>Adding Rules</H3>
<P></P>
<P>Without any rules, <CODE>iptables</CODE> isn't going to do much,
so let's add some rules to the existing chains. If you don't want
your machine to respond to pings, for instance, add the following
rule to the INPUT chain: </P>
<P><CODE>iptables -A INPUT -p icmp -j DROP</CODE> </P>
<P>The <CODE>-A INPUT</CODE> argument tells <CODE>iptables</CODE> to
append to the INPUT chain. The <CODE>-p icmp</CODE> argument
indicates that this rule applies to the ICMP protocol, and the
<CODE>-j DROP</CODE> argument indicates that packets matching this
rule should be dropped. If you send a <CODE>ping</CODE> to that
host, it will simply drop the packets and not reply. Note that you
could use either ICMP or icmp to specify the protocol; it's not
case-sensitive. </P>
<P>Be aware that this rule drops <I>all</I> incoming ICMP, not just
echo requests. The host will also stop seeing destination-unreachable
and fragmentation-needed messages, which breaks path MTU discovery,
and it will ignore the replies to its own outgoing pings. To block only
pings, restrict the rule to the echo-request type with the
<CODE>--icmp-type</CODE> option. </P>
<P>To reverse this rule and allow the host to respond to pings
again, issue this command: </P>
<P><CODE>iptables -D INPUT 1</CODE> </P>
<P>This tells <CODE>iptables</CODE> to delete (<CODE>-D</CODE>) the
first rule from the INPUT chain; rules are numbered from 1 in the
order the listing shows them (<CODE>--line-numbers</CODE> prints the
numbers). If you have multiple rules, you may delete any one of them
without affecting the others, but the rules below it move up by one,
so re-check the numbering before deleting by position again.
<CODE>-D</CODE> also accepts the full rule specification in place of a
number, in which case it removes the first rule that matches it
exactly. At some point, you may want to start over from scratch. To
clear out all rules from a chain, use this syntax: </P>
<P><CODE>iptables -F INPUT</CODE> </P>
<P>This tells <CODE>iptables</CODE> to flush (<CODE>-F</CODE>) all
rules from the chain; with no chain name it flushes every chain in the
table. Flushing removes rules only; the chain's policy is left as it
was. </P>
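<P>Deleting by position works at the keyboard, but it is fragile in a
script. As an added example (not from the article), the following POSIX
shell helpers add and delete rules by their specification instead, so a
rule script can be re-run without stacking duplicates. It assumes an
<CODE>iptables</CODE> that supports the <CODE>-C</CODE> (check) option,
and the <CODE>IPTABLES</CODE> variable is a hook for substituting a
wrapper (used here for testing). The file name <CODE>rules.sh</CODE> in
the usage comment is hypothetical: </P>

```sh
#!/bin/sh
# Added example: idempotent rule management for the filter table.
# Assumes iptables with -C (present since 1.4.11). IPTABLES may be pointed
# at a wrapper; the default is the real command.
IPTABLES="${IPTABLES:-iptables}"

# Append a rule only if an identical one is not already in the chain.
# -C ("check") exits 0 when a matching rule exists and 1 when it does not,
# so a script built on this never stacks duplicate rules the way a bare
# -A does when it is run twice.
ensure_rule() {
    chain=$1
    shift
    if $IPTABLES -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    $IPTABLES -A "$chain" "$@"
}

# Delete every copy of a rule by its specification instead of by number.
# Deleting by number (-D INPUT 1) is fragile: the rules below it shift up,
# so a number looked up a moment ago may now point at a different rule.
# -D with a spec removes only the first exact match, hence the loop.
delete_rule() {
    chain=$1
    shift
    while $IPTABLES -D "$chain" "$@" 2>/dev/null; do
        :
    done
}

# Show a chain numerically, with the rule numbers that "-D <chain> <num>"
# refers to and the packet counters that tell you whether a rule matches.
show_chain() {
    $IPTABLES -L "$1" -n -v --line-numbers
}

# Usage (as root), with rules.sh being whatever you name this file:
#   . ./rules.sh
#   ensure_rule INPUT -p icmp --icmp-type echo-request -j DROP   # pings only
#   show_chain INPUT
#   delete_rule INPUT -p icmp --icmp-type echo-request -j DROP
```

<P>The <CODE>2>/dev/null</CODE> on the check hides the "rule does not
exist" message that <CODE>-C</CODE> prints on a miss; a genuinely bad
rule still fails loudly on the <CODE>-A</CODE> that follows. </P>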
<P>
<H3>Blocking <CODE>telnet</CODE> Connections</H3>
<P></P>
<P>Now for a slightly more complicated configuration. Let's say you
want a firewall that blocks <CODE>ssh</CODE> connections from
outside your internal network, but allows <CODE>ssh</CODE> within
the network. Because <CODE>telnet</CODE> sends usernames and passwords
in clear text, this firewall will also stop anyone inside the network
from using telnet to hosts outside it. </P>
<P>First, set a rule that allows <CODE>ssh</CODE> within the network
on the INPUT chain. The examples assume the internal network is the
private range 192.168.0.0/16; give the mask explicitly, because an
address without one is treated as a single host (/32) and would match
almost nothing here.</P>
<P><CODE>iptables -A INPUT -s 192.168.0.0/16 -p tcp --destination-port
ssh -j ACCEPT</CODE> </P>
<P>The source (<CODE>-s</CODE>) argument tells <CODE>iptables</CODE>
which network or hosts you're willing to accept connections from,
while <CODE>--destination-port</CODE> specifies the TCP port (here by
its <CODE>/etc/services</CODE> name) you're willing to accept
connections to. Next, block any connections from outside your internal
network: </P>
<P><CODE>iptables -A INPUT ! -s 192.168.0.0/16 -p tcp
--destination-port ssh -j DROP</CODE> </P>
<P>This is almost the same command, except that it blocks all
<CODE>ssh</CODE> connections from outside networks. You may not want
to do this if you plan to connect to internal machines while you're
on the road. Two things to keep in mind. First, the INPUT chain only
sees packets addressed to the <CODE>iptables</CODE> machine itself; a
connection that this machine routes on to an internal host passes
through the FORWARD chain instead. So to protect the internal machines
the same pair of rules has to go into FORWARD as well, and the
<CODE>iptables</CODE> machine has to be the gateway for your network.
It doesn't work if the computer with <CODE>iptables</CODE> never
sees the packets! Second, note the space around the "<CODE>!</CODE>".
Current versions of <CODE>iptables</CODE> expect it in front of the
option (<CODE>! -s 192.168.0.0/16</CODE>); the older placement between
the option and its value (<CODE>-s ! 192.168.0.0/16</CODE>) is
deprecated and prints a warning. Either way the "<CODE>!</CODE>" must
be a word of its own. I got some very odd errors before I realized
there needed to be a space between the network and the "<CODE>!</CODE>"
character. </P>
<P>Finally, to block outgoing <CODE>telnet</CODE> connections, apply
this rule to the OUTPUT chain: </P>
<P><CODE>iptables -A OUTPUT -p tcp --destination-port telnet -j
DROP</CODE> </P>
<P>Instead of appending (<CODE>-A</CODE>) a rule to the INPUT chain,
we've added the rule to the OUTPUT chain. OUTPUT applies to
connections the <CODE>iptables</CODE> machine itself opens; as with
INPUT, telnet sessions that LAN users send out through the gateway are
filtered in FORWARD and need the same rule there. If users try to
telnet out, they'll be unable to get a connection. However, a dropped
SYN gets no answer at all, so the client keeps retransmitting until its
connect timeout expires, which can frustrate users who wait a minute or
more for the telnet connection to fail. So, let's reject the packets
instead of just dropping them. </P>
<P><CODE>iptables -F OUTPUT</CODE> <BR><CODE>iptables -A OUTPUT -p
tcp --destination-port telnet -j REJECT</CODE> </P>
<P>After flushing the OUTPUT chain, we use almost the same command
as the one used to block outgoing telnet connections, and jump
(<CODE>-j</CODE>) to rejecting the packets. By default REJECT answers
with an ICMP port-unreachable message, which the client reports at
once as a "connection refused" error; <CODE>--reject-with
tcp-reset</CODE> answers with a TCP RST instead, which looks to the
client exactly like a closed port. On an Internet-facing INPUT chain,
DROP remains the better choice, since any reply tells a scanner that a
host is there. </P>
<P>If you want to allow telnet connections within the internal
network, flush the previous rules and use these commands to set rules
that allow telnet inside the network, but not outside: </P>
<P><CODE>iptables -A OUTPUT -p tcp --destination-port telnet -d
192.168.0.0/16 -j ACCEPT</CODE> <BR><CODE>iptables -A OUTPUT -p tcp
--destination-port telnet ! -d 192.168.0.0/16 -j REJECT</CODE> </P>
<P>Rules are tried from the top of the chain and the first match
decides, so keep the ACCEPT for the internal range above any broader
REJECT or DROP you add later. </P>
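<P>Typed one at a time, these rules are easy to get out of order or to
leave half-applied. As an added example (not the article's code), here
is the whole policy from this section as one re-runnable script that
also covers the FORWARD chain, which the commands above leave out. It
assumes the internal network is 192.168.0.0/16 and that it runs on the
gateway; <CODE>IPTABLES</CODE> can be overridden for a dry run, and the
file name <CODE>firewall.sh</CODE> is hypothetical: </P>

```sh
#!/bin/sh
# Added example (not from the article): ssh reachable only from the LAN,
# telnet allowed only to LAN hosts, on both the gateway itself and the
# traffic it forwards. Assumptions: LAN is 192.168.0.0/16 (override with
# LAN=...), and IPTABLES="echo iptables" turns this into a dry run.
set -e
LAN="${LAN:-192.168.0.0/16}"
IPTABLES="${IPTABLES:-iptables}"

apply_policy() {
    # Known starting point: flush the filter table's built-in chains.
    # -F removes rules only; the chain policies stay ACCEPT.
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -F "$chain"
    done

    # ssh to the gateway itself (INPUT): LAN only. --dport is the short form
    # of --destination-port. The "!" goes in front of the option in current
    # iptables; "-s ! net" is the old, deprecated placement.
    $IPTABLES -A INPUT -s "$LAN" -p tcp --dport ssh -j ACCEPT
    $IPTABLES -A INPUT ! -s "$LAN" -p tcp --dport ssh -j DROP

    # ssh to hosts behind the gateway is routed traffic and never reaches
    # INPUT; it is filtered in FORWARD (and only flows once ip_forward is on).
    $IPTABLES -A FORWARD -s "$LAN" -p tcp --dport ssh -j ACCEPT
    $IPTABLES -A FORWARD ! -s "$LAN" -p tcp --dport ssh -j DROP

    # Outbound telnet: fine inside the LAN, refused elsewhere. REJECT sends
    # an ICMP port-unreachable, so the client fails right away with
    # "Connection refused" instead of waiting for the TCP connect to time out.
    # OUTPUT covers connections the gateway itself opens ...
    $IPTABLES -A OUTPUT -p tcp --dport telnet -d "$LAN" -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport telnet ! -d "$LAN" -j REJECT
    # ... and FORWARD covers the LAN users' connections passing through it.
    $IPTABLES -A FORWARD -p tcp --dport telnet -d "$LAN" -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport telnet ! -d "$LAN" -j REJECT
}

# Only touch the live rule set when explicitly asked ("sh firewall.sh apply"),
# so sourcing the file or running it by accident changes nothing.
if [ "${1-}" = apply ]; then
    apply_policy
    $IPTABLES -L -n -v --line-numbers
fi
```

<P>Run <CODE>IPTABLES="echo iptables" sh firewall.sh apply</CODE> first to
see the exact commands it would issue, then <CODE>sh firewall.sh
apply</CODE> as root. Because the ACCEPT in each pair is appended before
its DROP or REJECT, re-running the script always produces the same
order. </P>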
<TABLE cellSpacing=0 cellPadding=0 width=200 align=right border=0>
<TBODY>
<TR>
<TD><A href="javascript:openFig2()"><IMG height=224
src="Open Source - Using iptables.files/0104l_f2th.jpg"
width=250></A></TD></TR>
<TR>
<TD>
<P align=right><A href="javascript:openFig2()"><I>(Click for
larger image.)</I></A></P></TD></TR></TBODY></TABLE>
<P>You may want to run <CODE>iptables -L</CODE> again to see what
rules you've got going and make sure they've all been entered
correctly. Your output should look something like the image to the
right: </P>
<P>
<H3>Summary</H3>
<P></P>
<P>I've covered the basics of using <CODE>iptables</CODE>. As you
can see, <CODE>iptables</CODE> isn't terribly complicated, but it is
very powerful. If you've never messed with packet filtering before,
using <CODE>iptables</CODE> may seem a bit intimidating. However,
once you try it, you'll get the hang of it in no time. </P>
<P>Note that <CODE>iptables</CODE> is still maturing. If you think
you've done everything right, but aren't getting the results you
expect, you may want to consult the Netfilter mailing list archives
(<A href="http://lists.samba.org/pipermail/netfilter/"
target=_new>http://lists.samba.org/pipermail/netfilter/</A>) and
possibly sign up for the mailing list. The mailing list is
relatively low-volume and will give you access to the most
up-to-date information. </P>
<P>That's all on Netfilter and <CODE>iptables</CODE> for now. Feel
free to send me an email at <A
href="mailto:jbrockmeier@earthlink.net">jbrockmeier@earthlink.net</A>
if you have questions or comments. <!-- Resources --></P>
<P>
<H3>Resources</H3><BR>The Netfilter Project Homepage (<A
href="http://netfilter.samba.org/"
target=_new>http://netfilter.samba.org/</A>)<BR>Netfilter Mailing
List (<A href="http://lists.samba.org/pipermail/netfilter/"
target=_new>http://lists.samba.org/pipermail/netfilter/</A>)
<P></P></TD><!-- body end --></TR></TBODY></TABLE></TD>
<TD vAlign=top align=left>
<TABLE cellSpacing=5 cellPadding=5 border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width=160 border=0>
<TBODY>
<TR>
<TD align=middle>
<TABLE cellSpacing=1 cellPadding=0 width=160 bgColor=#000000
border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=2 width=160
bgColor=#ffffff border=0>
<TBODY>
<TR>