iptables - usage


iptables commands / docs

Run `apropos iptables` to find the manual pages related to iptables.

root:notfound/ # apropos iptables
ip6tables-save (8)   - dump iptables rules to stdout
iptables (8)         - administration tool for IPv4/IPv6 packet filtering and NAT
iptables-extensions (8) - list of extensions in the standard iptables distribution
iptables-restore (8) - Restore IP Tables
iptables-save (8)    - dump iptables rules to stdout
iptables-xml (1)     - Convert iptables-save format to XML

If you are interested in iptables, you can type man iptables for more details.

IPTABLES(8)                        iptables 1.4.21                        IPTABLES(8)
NAME
   iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT
............

iptables modules / libraries

root:not/ # ls -l /lib/modules/`uname -r`/kernel/net/netfilter/
root:not/ # ls -l /lib/iptables/

iptables packet-filtering-HOWTO

  1. packet-filtering-HOWTO
  2. iptables-documentation

Personal machine iptables demo

root:not/ # cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Thu Apr 30 13:58:26 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:524]
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 1194 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 23456 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 6667 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23456 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
COMMIT
# Completed on Thu Apr 30 13:58:26 2015

Client iptables shell script

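#!/bin/bash
#
# configuration iptables   (shown on the page as ~/sectools/linux/iptables_client.sh)
# ///////////////////////////////////////////////////////////
# Author:   nixawk
# Webpage:  http://blog.csdn.net/nixawk
# Date:     Dec  9 05:59:16 EST 2014
# ///////////////////////////////////////////////////////////
#
# Client host firewall: every filter chain defaults to DROP, then a fixed set
# of outbound TCP/UDP services is allowed together with their return traffic,
# plus outbound ping.  Must be run as root.
#
# Changes against the original listing:
#   * the non-root check only printed a message and carried on; it now exits.
#   * rules were assembled as strings and executed with `$rule` or
#     "echo $rule | bash -x"; they are now argument arrays, so nothing is
#     re-parsed by a shell and the port list cannot become shell syntax.
#   * filter_tcp_in accepted --state NEW from any host whose *source* port was
#     a listed service port; inbound rules are now ESTABLISHED,RELATED only,
#     matching filter_udp_in and the saved ruleset earlier on this page.
#   * flush_rules reset the policy of "FORWARDD" (typo), which iptables rejects.
#   * SRCIP takes only the first IPv4 address of the interface and the script
#     aborts when there is none, instead of producing a malformed --source.

set -euo pipefail

readonly INTERFACE="eth0"
# Remote side of every rule: any IPv4 host.
readonly DSTIP="0.0.0.0/0"
IPTSBIN=""
SRCIP=""

# Print a message on stderr and exit 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Echo one iptables command (shell-quoted) and run it.
# Globals:   IPTSBIN (read)
# Arguments: the iptables arguments, passed through verbatim
# Returns:   iptables' exit status (non-zero aborts the script via set -e)
#######################################
ipt() {
  printf '%q ' "$IPTSBIN" "$@"
  printf '\n'
  "$IPTSBIN" "$@"
}

#######################################
# Initialize all settings (iptables, srcip, dstip, and so on).
# Globals:   INTERFACE (read); IPTSBIN, SRCIP (written)
# Outputs:   the resolved iptables path on stdout
#######################################
init_settings() {
  # Check current user permission.
  [[ "$UID" -eq 0 ]] || die "[-] Must be root to execute it."

  # Get iptables path
  IPTSBIN="$(command -v iptables || true)"
  [[ -n "$IPTSBIN" && -x "$IPTSBIN" ]] || die "[-] could not find iptables"
  echo "$IPTSBIN"

  # Get source ip (TCP data out, from localhost): first "inet " line only, so an
  # interface with several addresses cannot yield a multi-line value.
  local cidr
  cidr="$(ip addr show "$INTERFACE" | awk '/inet /{print $2; exit}')"
  [[ -n "$cidr" ]] || die "[-] no IPv4 address found on $INTERFACE"
  SRCIP="${cidr%%/*}"
}

#######################################
# set default filter policy to [DROP]
#######################################
filter_default_policy() {
  echo "[+] iptable filter: from [ACCEPT] to [DROP]"
  ipt -t filter -P INPUT DROP
  ipt -t filter -P OUTPUT DROP
  ipt -t filter -P FORWARD DROP
}

#######################################
# TCP Filter (data outside or inside)
# Arguments: destination ports to allow outbound
#######################################
filter_tcp_out() {
  local proto="TCP" port
  echo "[+] ----> filter $proto outside"
  for port in "$@"; do
    ipt -t filter -A OUTPUT --proto "$proto" --source "$SRCIP" --destination "$DSTIP" \
      --destination-port "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
}

#######################################
# Arguments: remote source ports whose return traffic is allowed inbound
#######################################
filter_tcp_in() {
  local proto="tcp" port
  echo "[+] ----> filter $proto inside"
  for port in "$@"; do
    # Return traffic only. NEW is deliberately absent: with it, any remote host
    # could open a connection to any local port simply by sending from $port.
    ipt -t filter -A INPUT --proto "$proto" --source "$DSTIP" --destination "$SRCIP" \
      --source-port "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}

#######################################
# UDP Filter (UDP data outside or inside)
# Arguments: destination ports to allow outbound
#######################################
filter_udp_out() {
  local proto="udp" port
  echo "[+] ----> filter $proto outside "
  for port in "$@"; do
    ipt -t filter -A OUTPUT --proto "$proto" --source "$SRCIP" --destination "$DSTIP" \
      --destination-port "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
}

#######################################
# Arguments: remote source ports whose replies are allowed inbound
#######################################
filter_udp_in() {
  local proto="udp" port
  echo "[+] ----> filter $proto inside "
  for port in "$@"; do
    ipt -t filter -A INPUT --proto "$proto" --source "$DSTIP" --destination "$SRCIP" \
      --source-port "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}

#######################################
# ICMP Filter
#######################################
filter_icmp_out() {
  local proto="icmp"
  echo "[+] ----> filter $proto outside"
  # Outbound ping (echo-request) only.
  ipt -t filter -A OUTPUT --proto "$proto" --source "$SRCIP" --destination "$DSTIP" \
    --icmp-type echo-request -j ACCEPT
}

filter_icmp_in() {
  local proto="icmp"
  echo "[+] ----> filter $proto inside"
  # Replies to our own pings; inbound echo-request stays under the INPUT DROP policy.
  ipt -t filter -A INPUT --proto "$proto" --source "$DSTIP" --destination "$SRCIP" \
    --icmp-type echo-reply -j ACCEPT
}

#######################################
# Flush IPTABLES Rules: reset the filter policies to ACCEPT, then empty the chains.
#######################################
flush_rules() {
  ipt -t filter -P INPUT ACCEPT
  ipt -t filter -P OUTPUT ACCEPT
  ipt -t filter -P FORWARD ACCEPT    # original listing had "FORWARDD"
  ipt -t filter -F
}

#######################################
# List IPTABLES Rules
#######################################
list_rules() {
  ipt -L -n -v
}

#######################################
# Main
#######################################
main() {
  init_settings
  flush_rules                        # flush iptables rules, default rules action is ACCEPT.
  filter_default_policy              # Translate [ACCEPT] to [DROP]
  filter_tcp_out 25 80 110 443 8080  # filter TCP DATA OUTSIDE, PORT 80/...
  filter_tcp_in 25 80 110 443 8080   # filter TCP DATA INSIDE (return traffic)
  filter_udp_out 53                  # filter UDP outside
  filter_udp_in 53                   # filter UDP inside (return traffic)
  filter_icmp_out                    # filter icmp outside
  filter_icmp_in                     # filter icmp inside
  list_rules                         # list current rules
}

main "$@"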

References

  1. http://www.iptables.org/documentation/