当前位置：首页 > news >正文

陕西煤化建设集团铜川分公司网站中高端社交网站建设服务商

news 2025/9/14 23:04:19

陕西煤化建设集团铜川分公司网站,中高端社交网站建设服务商,购物网站建设成本,镇江网站网站建设文章目录 1. multiport模块2. iprange模块3. string模块4. time模块5. icmp模块6. connlimit模块7. limit模块8.tcp扩展模块9.state模块10 Iptables自定义链1.1 为什么要使用自定义链1.2 创建自定义链1.3 引用自定义链1.4 重命名自定义链1.5 删除自定义链 1. multiport模块常… 文章目录 1. multiport模块2. iprange模块3. string模块4. time模块5. icmp模块6. connlimit模块7. limit模块8.tcp扩展模块9.state模块10 Iptables自定义链1.1 为什么要使用自定义链1.2 创建自定义链1.3 引用自定义链1.4 重命名自定义链1.5 删除自定义链 1. multiport模块常用的扩展匹配条件如下 -p tcp -m multiport –sports 用于匹配报文的源端口可以指定离散的多个端口号,端口之间用”逗号”隔开。 -p udp -m multiport –dports 用于匹配报文的目标端口可以指定离散的多个端口号端口之间用”逗号”隔开。示例仅允许10.0.0.1访问本机80、443、20、21、22 [root]# iptables -t filter -I INPUT -s 10.0.0.1 -d 10.0.0.5 -p tcp -m multiport --dports 20,21,22,80,443 -j ACCEPT [root]# iptables -t filter -A INPUT -p tcp -j DROP[root]# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 10.0.0.1 10.0.0.5 multiport dports 20,21,22,80,443 2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 2. iprange模块包含的扩展匹配条件如下指定一段连续的ip地址范围 --src-range from[-to]: 源地址范围Match source IP in the specified range. --dst-range from[-to] 目标地址范围Match destination IP in the specified range.示例10.0.0.1-10.0.0.7 地址段都不允许ping 10.0.0.5 [root]# iptables -t filter -I INPUT -p icmp -m iprange --src-range 10.0.0.1-10.0.0.7 -j DROP[root]# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 1 packets, 104 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.7Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 1 packets, 104 bytes) num pkts bytes target prot opt in out source destination 3. string模块匹配指定字符串 --string pattern # 指定要匹配的字符串Matches the given pattern. --algo {bm|kmp} # 匹配的查询算法可用算法为bm、kmp此选项为必需选项。Select the pattern matching strategy. (bm Boyer-Moore, kmp Knuth-Pratt-Morris)示例应用返回的数据报文包含hello则丢弃其他的正常通过。配置规则filter、OUTPUT、[root]# iptables -t filter -F [root]# iptables -t filter -I OUTPUT -p tcp -m string --string hello --algo bm -j DROP[root]# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match hello ALGO name bm TO 655354. time模块根据时间段匹配报文 --timestart hh:mm[:ss] # 开始时间--timestop hh:mm[:ss] 结束时间Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroesare allowed (e.g. 06:03) and correctly interpreted as base-10.--monthdays day[,day...] # 指定一个月的某一天Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 willof course not match on months which do not have a 31st day; the same goes for 28- or 29-day February.--weekdays day[,day...] # 指定周还是周天 Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun, or valuesfrom 1 to 7, respectively. You may also use two-character variants (Mo, Tu, etc.).--kerneltz 使用内核时区而且不是utc时间示例拒绝每天8300030~18001000任何主机发送icmp请求协议 [root]# iptables -t filter -I INPUT -p icmp -m time --timestart 00:30 --timestop 10:30 -j DROP[root]# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 00:30:00 to 10:30:00 UTCChain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 5. icmp模块针对的协议ICMP用来检查 ICMP 数据包的类型 [!] --icmp-type {type[/code]|typename} ICMP 类型使用字符串或数字显示echo-request (8) ICMP 协议请求echo-reply (0) ICMP 协议回显destination-unreachable(3)ICMP 协议目标不可达比方说若要禁止从其他主机 ping 本机但是允许本机 ping 其他主机。 # iptables -A INPUT -p icmp --icmp-type 8 -j DROP # iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT # iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT # iptables -A INPUT -p icmp -j DROP或者 #iptables -t filter -I INPUT -p icmp --icmp-type echo-request -j DROProotkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 4 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 6. connlimit模块 connlimit 模块是对连接数量进行限制的并发连接数 --connlimit-upto n # 如果现有连接数小于或等于 n 则匹配Match if the number of existing connections is below or equal n.--connlimit-above n # 如果现有连接数大于n 则匹配Match if the number of existing connections is above n. 限制每个客户端主机允许两个telnet连接 [root]# iptables -t filter -I INPUT -p tcp --dport 23 -m connlimit --connlimit-above 2 -j REJECTrootkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 #conn src/32 2 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 7. limit模块 limit 模块是对”报文到达速率”进行限制的。就是想要限制单位时间内流入的包的数量就能用 limit 模块。可以以秒为单位进行限制也可以以分钟、小时、天作为单位进行限制。常用的扩展匹配条件如下 –limit rate[/second|/minute|/hour|/day] Maximum average matching rate: specified as a number, with an optional /second, /minute’, /hour, or /day’ suffix; the default is 3/hour. --limit-burst numberMaximum initial number of packets to match: this number gets recharged by one every time the limitspecified above is not reached, up to this number; the default is 5.1.限制每分钟接收10个icmp的数据报文 [rootlb01 ~]# iptables -t filter -I INPUT -p icmp -m limit --limit 10/minute -j ACCEPT [rootlb01 ~]# iptables -t filter -A INPUT -p icmp -j DROProotkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 1 104 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 2 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 2.允许10个数据报文快速通过超过的数据报文 1/m [rootlb01 ~]# iptables -t filter -I INPUT -p icmp -m limit --limit 1/m --limit-burst 10 -j ACCEPT [rootlb01 ~]# iptables -t filter -A INPUT -j DROProotkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 10 2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 3.限速限制传输的带宽不可以超过500k 500 * 1000 500000 /1500 333 包[rootlb01 ~]# iptables -t filter -I OUTPUT -p tcp -m limit --limit 300/s -j ACCEPT [rootlb01 ~]# iptables -t filter -A OUTPUT -p tcp -j DROProotkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 303/sec burst 5 2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 8.tcp扩展模块常用的扩展匹配条件如下 –sport 用于匹配 tcp 协议报文的源端口可以使用冒号指定一个连续的端口范围。 –dport 用于匹配 tcp 协议报文的目标端口可以使用冒号指定一个连续的端口范围。 –tcp-flags 用于匹配报文的tcp头的标志位。 –syn 用于匹配 tcp 新建连接的请求报文相当于使用 –tcp-flags SYN,RST,ACK,FIN SYN。注意-p tcp与 -m tcp 并不冲突-p 用于匹配报文的协议-m 用于指定扩展模块的名称这个扩展模块也叫 tcp。示例如下 iptables -t filter -I OUTPUT -d 192.168.1.146 -p tcp -m tcp --sport 22 -j REJECT iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m tcp --dport 22:25 -j REJECT iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m tcp --dport :22 -j REJECT iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m tcp --dport 80: -j REJECT iptables -t filter -I OUTPUT -d 192.168.1.146 -p tcp -m tcp ! --sport 22 -j ACCEPTiptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT iptables -t filter -I OUTPUT -p tcp -m tcp --sport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN,ACK -j REJECT iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags ALL SYN -j REJECT iptables -t filter -I OUTPUT -p tcp -m tcp --sport 22 --tcp-flags ALL SYN,ACK -j REJECT iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT只有客户端能主动连接服务器22端口示例三次握手过程客户端 --》服务端22 端口客户端 ---》 syn 1服务端 ---》 syn ack 1客户端 --》 ack 1服务端配置INPUTsyn 1ack 1OUTPUT:syn,ack 1ack 1服务器输入 [rootlb01 ~]# iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT [rootlb01 ~]# iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST ACK -j ACCEPT [rootlb01 ~]# iptables -t filter -A INPUT -j DROP服务端输出 [rootlb01 ~]# iptables -t filter -I OUTPUT -p tcp --sport 22 -m tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j ACCEPT [rootlb01 ~]# iptables -t filter -I OUTPUT -p tcp --sport 22 -m tcp --tcp-flags SYN,ACK,FIN,RST ACK -j ACCEPT [rootlb01 ~]# [rootlb01 ~]# iptables -t filter -A OUTPUT -j DROProotkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x10 2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 tcp flags:0x17/0x10 2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 tcp flags:0x17/0x12 3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 9.state模块 conntrack 连接追踪对于 state 模块的连接而言”连接”其中的报文可以分为5种状态分别为 NEW连接中的第一个包状态就是 NEW我们可以理解为新连接的第一个包的状态为 NEW。ESTABLISHED我们可以把 NEW 状态包后面的包的状态理解为 ESTABLISHED表示连接已建立。RELATED从字面上理解 RELATED 译为关系但是这样仍然不容易理解我们举个例子。比如 FTP 服务FTP 服务端会建立两个进程一个命令进程一个数据进程。命令进程负责服务端与客户端之间的命令传输我们可以把这个传输过程理解成 state 中所谓的一个”连接”暂称为”命令连接”。数据进程负责服务端与客户端之间的数据传输 (我们把这个过程暂称为”数据连接”)。但是具体传输哪些数据是由命令去控制的所以”数据连接”中的报文与”命令连接”有”关系”的。那么”数据连接”中的报文可能就是 RELATED 状态因为这些报文与”命令连接”中的报文有关系。(注如果想要对ftp进行连接追踪需要单独加载对应的内核模块 nf_conntrack_ftp如果想要自动加载可以配置 /etc/sysconfig/iptables-config 文件)INVALID如果一个包没有办法被识别或者这个包没有任何状态那么这个包的状态就是 INVALID可以主动屏蔽状态为 INVALID 的报文。UNTRACKED报文的状态为 untracked 时表示报文未被追踪当报文的状态为 Untracked 时通常表示无法找到相关的连接。示例允许接收远程主机的ssh和http请求NEWESTABLISHED回应仅允许本机回应ssh、http的响应是 ESABLISHED [root]# iptables -I INPUT -p tcp -m multiport --dport 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT [root]# iptables -I OUTPUT -p tcp -m multiport --sport 22,80 -m state --state ESTABLISHED -j ACCEPT[root]# iptables -A INPUT -j DROP [root]# iptables -A OUTPUT -j DROProotkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,80 state NEW,ESTABLISHED 2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 22,80 state ESTABLISHED 2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 10 Iptables自定义链 1.1 为什么要使用自定义链当默认链中的规则非常多时不方便我们管理。想象一下如果 INPUT 链中存放了 200 条规则这 200 条规则有针对 httpd 服务的有针对 sshd 服务的有针对私网 IP 的有针对公网 IP 的假如突然想要修改针对 httpd 服务的相关规则难道还要从头看一遍这 200 条规则找出哪些规则是针对 httpd 的吗这显然不合理。所以iptables 中可以自定义链通过自定义链即可解决上述问题。假设自定义一条链链名叫 IN_WEB可以将所有针对 80 端口的入站规则都写入到这条自定义链中当以后想要修改针对 web 服务的入站规则时就直接修改 IN_WEB 链中的规则就好了即使默认链中有再多的规则也不会害怕了因为所有针对 80 端口的入站规则都存放在IN_WEB链中。 1.2 创建自定义链 #在filter表中创建IN_WEB自定义链 iptables -t filter -N IN_WEBrootkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain IN_WEB (0 references) num pkts bytes target prot opt in out source destination 1.3 引用自定义链 #在INPUT链中引用刚才创建的自定义链 iptables -t filter -I INPUT -p tcp --dport 80 -j IN_WEB iptables -t filter -L -nrootkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 IN_WEB tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain IN_WEB (1 references)1.4 重命名自定义链 #将IN_WEB自定义链重命名为WEB iptables -E IN_WEB WEBrootkaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 WEB tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain WEB (1 references) num pkts bytes target prot opt in out source destination 1.5 删除自定义链删除自定义链需要满足两个条件自定义链没有被引用。自定义链中没有任何规则。 #第一步清除自定义链中的规则 iptables -t filter -F WEB iptables -t filter -F #第二步删除自定义链 iptables -t filter -X WEB

查看全文

http://www.tj-hxxt.cn/news/133498.html