iptables firewall
Default firewall settings after a fresh CentOS 5.4 (RHEL 5.4) installation
[root@localhost sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
You can also look at /etc/sysconfig/iptables directly:
[root@localhost sysconfig]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Analysis:
With iptables -L, look at the first rule in the INPUT chain:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere # the first rule jumps to a user-defined chain, so any rule added later sits behind it; that chain itself is listed at the end
=================================================================
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
The first few rules are easy to understand, but the last one is harder:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Judging by its effect, this rule rejects everything.
-j REJECT is described as follows in the iptables manual: This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to
DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which
are only called from those chains. The following option controls the nature of the error packet returned:
--reject-with type
The type given can be
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
Roughly translated: REJECT sends an error packet back in response to the matched packet and is otherwise equivalent to DROP, so it is a terminating target that ends rule traversal. It can only be used in the INPUT, FORWARD and
OUTPUT chains and in user-defined chains that are called only from those chains. The --reject-with option, with the types listed above, controls what kind of error packet is returned.
From this we can see that icmp-host-prohibited is configured, which returns a Destination host unreachable error; but because the earlier rule -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT comes first, ping still gets through.
So now we can read
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
as: reject everything from anywhere on every port, answering with icmp-host-prohibited.
Now an experiment:
Comment out this rule
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
With it gone, ping no longer gets through. Then take the last rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
and replace the --reject-with value with each of the others in turn:
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
Each value produces a different error packet for the blocked ping, so we can see which error goes with which setting.
Case 1:
In /etc/sysconfig/iptables, comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and keep the following rule enabled:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The error ping now returns is:
C:\Documents and Settings\Administrator>ping 172.16.3.101
Pinging 172.16.3.101 with 32 bytes of data:
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Case 2:
Comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable the following rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-net-unreachable
In this case the error packet returned is:
C:\Documents and Settings\Administrator>ping 172.16.3.101
Pinging 172.16.3.101 with 32 bytes of data:
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Case 3:
Comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable the following rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-proto-unreachable
In this case the error returned is:
C:\Documents and Settings\Administrator>ping 172.16.3.101
Pinging 172.16.3.101 with 32 bytes of data:
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
=======================================================
From these three experiments we can see that the rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
rejects all hosts, and the error returned to the ping is determined by the value given after --reject-with:
icmp-net-unreachable     ICMP network unreachable              (alias: net-unreach)
icmp-host-unreachable    ICMP host unreachable                 (alias: host-unreach)
icmp-proto-unreachable   ICMP protocol unreachable             (alias: proto-unreach)
icmp-port-unreachable    ICMP port unreachable (default)       (alias: port-unreach)
icmp-net-prohibited      ICMP network prohibited               (alias: net-prohib)
icmp-host-prohibited     ICMP host prohibited                  (alias: host-prohib)
tcp-reset                TCP RST packet                        (alias: tcp-rst)
icmp-admin-prohibited    ICMP administratively prohibited (*)  (alias: admin-prohib)
In other words, --reject-with only chooses which error packet is sent back; the rule rejects regardless.
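To make the first-match behaviour seen in the three experiments concrete, here is a small added example (not code from the original post): a toy evaluator for the RH-Firewall-1-INPUT chain in iptables-save syntax. The packet dicts, the `disabled` knob that mimics commenting a line out, and the REJECT_CODES mapping from each --reject-with value to its ICMP Destination Unreachable code are assumptions of this example; the chain text is copied from the page.

```python
# Added example, not code from the original post: a minimal first-match evaluator
# for the RH-Firewall-1-INPUT chain in iptables-save syntax. Only the options used
# in the page's rule set are understood; --icmp-type any is treated as a no-op.
# Constructed copy of the user-defined chain from /etc/sysconfig/iptables above.
CHAIN = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

REJECT_CODES = {  # ICMP type 3 (Destination Unreachable) code sent per --reject-with
    "icmp-net-unreachable": 0, "icmp-host-unreachable": 1, "icmp-proto-unreachable": 2,
    "icmp-port-unreachable": 3, "icmp-net-prohibited": 9, "icmp-host-prohibited": 10,
    "icmp-admin-prohibited": 13}

def parse_rule(line):
    """Map the options used on the page ('-p icmp', '-j REJECT', ...) to their values."""
    toks = line.split()
    return {t: toks[i + 1] for i, t in enumerate(toks)
            if t in ("-i", "-p", "-d", "--dport", "--state", "-j", "--reject-with")}

def matches(rule, pkt):
    """True when every criterion present in the rule holds for the packet dict."""
    fields = {"-i": pkt.get("iface"), "-p": pkt.get("proto"), "-d": pkt.get("dst"),
              "--dport": str(pkt.get("dport"))}
    if any(k in rule and rule[k] != v for k, v in fields.items()):
        return False
    return "--state" not in rule or pkt.get("state") in rule["--state"].split(",")

def verdict(chain_text, pkt, disabled=()):
    """Walk the chain in order; the first matching rule decides. Lines containing
    any string in 'disabled' are skipped, mimicking commenting them out."""
    for line in chain_text.strip().splitlines():
        if line.startswith("#") or any(d in line for d in disabled):
            continue
        rule = parse_rule(line)
        if matches(rule, pkt):
            rw = rule.get("--reject-with")
            return (rule["-j"], rw, REJECT_CODES.get(rw))
    return ("RETURN", None, None)  # no match: back to INPUT, whose policy is ACCEPT

# Constructed sample packets: an inbound echo request and a new SSH connection.
PING = {"iface": "eth0", "proto": "icmp", "state": "NEW"}
SSH_NEW = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
```

With the ICMP accept rule disabled, `verdict(CHAIN, PING, disabled=("--icmp-type any",))` reaches the final REJECT and reports code 10 (host prohibited), exactly the situation in case 1; swapping the --reject-with value in CHAIN reproduces cases 2 and 3.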
Thanks to my mentor.