目录
- 练习题
- 1. 显示当前的iptables规则
- 2. 允许所有来自192.168.1.0/24的TCP流量到本机的22端口(SSH)
- 3. 禁止所有来自10.0.0.0/8的ICMP流量
- 4. 允许所有出站流量
- 5. 拒绝所有来自外部的HTTP流量(80端口,tcp协议)
- 6. 删除INPUT链中的最后一条规则
- 7. 将默认策略设置为拒绝所有输入流量
- 9. 允许UDP流量从192.168.2.0/24到本机的53端口(DNS)
- 10. 保存当前的iptables规则到文件/etc/iptables/rules.v4(需要iptables-save命令)
- 11. 假设你有一个允许所有HTTP流量(80端口)的规则,但现在你只想允许来自192.168.0.0/16的HTTP流量,你应该如何修改这个规则?
- 12. 你想要允许某个特定的IP地址(例如192.168.1.100)访问你服务器上所有的服务,应如何设置规则?
练习题
1. 显示当前的iptables规则
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:radan-http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
2. 允许所有来自192.168.1.0/24的TCP流量到本机的22端口(SSH)
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
3. 禁止所有来自10.0.0.0/8的ICMP流量
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
DROP icmp -- 10.0.0.0/8 anywhere
4. 允许所有出站流量
[root@localhost ~]
[root@localhost ~]
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
5. 拒绝所有来自外部的HTTP流量(80端口,tcp协议)
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
DROP icmp -- 10.0.0.0/8 anywhere
REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
6. 删除INPUT链中的最后一条规则
iptables -D INPUT -1
注意:-1 表示删除最后一条规则。
[root@localhost ~]
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
2 DROP icmp -- 10.0.0.0/8 anywhere
3 REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
DROP icmp -- 10.0.0.0/8 anywhere
7. 将默认策略设置为拒绝所有输入流量
iptables -P INPUT DROP
[root@localhost ~]
9. 允许UDP流量从192.168.2.0/24到本机的53端口(DNS)
iptables -A INPUT -s 192.168.2.0/24 -p udp --dport 53 -j ACCEPT
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
DROP icmp -- 10.0.0.0/8 anywhere
ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:domain
10. 保存当前的iptables规则到文件/etc/iptables/rules.v4(需要iptables-save命令)
iptables-save > /etc/iptables/rules.v4
[root@localhost ~]
[root@localhost ~]
[root@localhost ~]
*nat
:PREROUTING ACCEPT [22:2930]
:INPUT ACCEPT [22:2930]
:OUTPUT ACCEPT [167:14376]
:POSTROUTING ACCEPT [180:15052]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8088 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8088 -j DNAT --to-destination 172.17.0.3:8088
COMMIT
*mangle
:PREROUTING ACCEPT [37873:257277525]
:INPUT ACCEPT [30364:255656388]
:FORWARD ACCEPT [7509:1621137]
:OUTPUT ACCEPT [25976:1343905]
:POSTROUTING ACCEPT [33485:2965042]
COMMIT
*raw
:PREROUTING ACCEPT [37873:257277525]
:OUTPUT ACCEPT [25976:1343905]
COMMIT
*security
:INPUT ACCEPT [30332:255653088]
:FORWARD ACCEPT [7509:1621137]
:OUTPUT ACCEPT [25976:1343905]
COMMIT
*filter
:INPUT ACCEPT [344:30199]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p icmp -j DROP
-A INPUT -s 192.168.2.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8088 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
11. 假设你有一个允许所有HTTP流量(80端口)的规则,但现在你只想允许来自192.168.0.0/16的HTTP流量,你应该如何修改这个规则?
- 先找到并删除旧的规则(假设它是INPUT链中的第3条规则):
iptables -D INPUT 3
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 80 -j ACCEPT
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
DROP icmp -- 10.0.0.0/8 anywhere
ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:domain
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:http
12. 你想要允许某个特定的IP地址(例如192.168.1.100)访问你服务器上所有的服务,应如何设置规则?
[root@localhost ~]
[root@localhost ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
DROP icmp -- 10.0.0.0/8 anywhere
ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:domain
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:http
ACCEPT all -- 192.168.1.100 anywhere
