Category: LINUX

2010-06-23 21:28:52

iptables firewall
The default firewall settings after installing CentOS 5.4 (RHEL 5.4):
[root@localhost sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
You can also look at /etc/sysconfig/iptables:
[root@localhost sysconfig]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Analysis:
Using iptables -L, look at the first rule in the INPUT chain:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere   # A rule is defined first, so every rule appended later comes after it; this rule is explained at the end.
=================================================================
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
The first few rules are easy to understand, but the last one is harder:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Judging by the result, this rule rejects everything.
-j REJECT: the iptables man page says: "This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:"
--reject-with type
              The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
A rough translation: REJECT sends back an error packet in response to the matched packet; otherwise it is equivalent to DROP, so it is a terminating target that ends rule traversal. This target can only be used in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them. The following option defines the error that is returned:
The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
From this we can see that the rule specifies icmp-host-prohibited, which returns a Destination host unreachable error. Because the earlier rule -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT exists, however, ping still gets through.
So now we can understand what
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
means: reject everything from anywhere on every port, answering with icmp-host-prohibited.
Now let's do an experiment:
Comment out this rule
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
so that ping no longer gets through, and then, in the last rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
replace the --reject-with value with each of the others:
    icmp-net-unreachable
    icmp-host-unreachable
    icmp-port-unreachable
    icmp-proto-unreachable
    icmp-net-prohibited
    icmp-host-prohibited or
    icmp-admin-prohibited (*)
That way we can see which error packet comes back for each unreachable condition.
Case 1:
In /etc/sysconfig/iptables, comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The error our ping packets get back is:
C:\Documents and Settings\Administrator>ping 172.16.3.101

Pinging 172.16.3.101 with 32 bytes of data:

Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Case 2:
Comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-net-unreachable
The error packet returned in this case is:
C:\Documents and Settings\Administrator>ping 172.16.3.101

Pinging 172.16.3.101 with 32 bytes of data:

Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Case 3:
Comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-proto-unreachable
The error result returned in this case is:
C:\Documents and Settings\Administrator>ping 172.16.3.101

Pinging 172.16.3.101 with 32 bytes of data:

Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
=======================================================
From the three experiments above we can see that
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
means: reject all hosts, and the error a ping packet gets back is controlled by the value after --reject-with:
    icmp-net-unreachable        ICMP network unreachable
    net-unreach                 alias
    icmp-host-unreachable       ICMP host unreachable
    host-unreach                alias
    icmp-proto-unreachable      ICMP protocol unreachable
    proto-unreach               alias
    icmp-port-unreachable       ICMP port unreachable (default)
    port-unreach                alias
    icmp-net-prohibited         ICMP network prohibited
    net-prohib                  alias
    icmp-host-prohibited        ICMP host prohibited
    host-prohib                 alias
    tcp-reset                   TCP RST packet
    tcp-rst                     alias
    icmp-admin-prohibited       ICMP administratively prohibited (*)
    admin-prohib                alias
These options control it; in other words, --reject-with defines which error packet is returned.
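To turn the two points above into a check you can run against a saved config, here is an added Python example (not from the original post) that parses iptables-save style text such as /etc/sysconfig/iptables, reports the ICMP type/code each REJECT rule's --reject-with value produces, and flags rules that can never match because an earlier catch-all rule, such as the jump into RH-Firewall-1-INPUT, already ends traversal for every packet. The sample config is a constructed, trimmed copy of the one above with an extra port-80 rule appended to INPUT; the ICMP codes go beyond the three the post tested and cover every --reject-with value listed above.

```python
import re
# --reject-with value -> (ICMP type, code) of the error packet sent back.
REJECT_ICMP = {"icmp-net-unreachable": (3, 0), "icmp-host-unreachable": (3, 1),
               "icmp-proto-unreachable": (3, 2), "icmp-port-unreachable": (3, 3),
               "icmp-net-prohibited": (3, 9), "icmp-host-prohibited": (3, 10),
               "icmp-admin-prohibited": (3, 13)}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: a trimmed copy of the post's config plus one rule an admin
# later appended to INPUT to open port 80.
SAMPLE = """-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 80 -j ACCEPT"""

def parse(text):  # {chain: [(match_tokens, target, target_options), ...]} in file order
    chains = {}
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*?)-j (\S+)\s*(.*)$", line.strip())
        if m:
            chain, match, target, opts = m.groups()
            chains.setdefault(chain, []).append((match.split(), target, opts))
    return chains

def reject_types(chains):  # (chain, --reject-with value, (icmp type, code)) per REJECT rule
    out = []
    for chain, rules in chains.items():
        for _, target, opts in rules:
            if target == "REJECT":
                m = re.search(r"--reject-with\s+(\S+)", opts)
                kind = m.group(1) if m else "icmp-port-unreachable"  # man page default
                out.append((chain, kind, REJECT_ICMP.get(kind)))
    return out

def stops_all(chains, rule):  # catch-all whose target ends traversal for every packet?
    match, target, _ = rule   # recursion is safe: iptables refuses jump loops
    return not match and (target in TERMINATING or
                          any(stops_all(chains, r) for r in chains.get(target, [])))

def shadowed_rules(chains):  # (chain, index) of rules that no packet can ever reach
    found = []
    for chain, rules in chains.items():
        for i, rule in enumerate(rules):
            if stops_all(chains, rule):
                found += [(chain, j) for j in range(i + 1, len(rules))]
                break
    return found
```

On the sample, shadowed_rules reports the appended port-80 rule in INPUT: it sits behind the jump into RH-Firewall-1-INPUT, whose final REJECT ends traversal, so new rules must go into that chain before the REJECT (or be inserted with -I) to take effect.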
Thanks to my mentor.