
2013年2月17日 星期日

iptables 設定筆記


基本的操作可以參考鳥哥的文章

http://linux.vbird.org/linux_server/0250simple_firewall.php

列出某一個 Table 的 Rule（不加 -v 時不會顯示進出介面，例如下面 iptables-save 輸出中的 -o eth2 在此看不到）
root@ubuntu:~$ iptables -t nat -L -n                                                            
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  tcp  --  192.168.228.0/22    !192.168.228.0/22     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.228.0/22    !192.168.228.0/22     masq ports: 1024-65535
MASQUERADE  all  --  192.168.228.0/22    !192.168.228.0/22
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            source IP range 192.168.229.1-192.168.231.254 destination IP range 172.18.203.1-172.18.203.250 to:172.18.203.254
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth2
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth3
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap0
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap1
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap2
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap4
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap5
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap6
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap7
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap8
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap9
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet0
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet1

列出某一個 Table 的 Rule 並且加上編號，這個編號在刪除 rule 時會用到
root@ubuntu:~$ iptables -t nat -nL --line-numbers          
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  tcp  --  192.168.228.0/22    !192.168.228.0/22     masq ports: 1024-65535
2    MASQUERADE  udp  --  192.168.228.0/22    !192.168.228.0/22     masq ports: 1024-65535
3    MASQUERADE  all  --  192.168.228.0/22    !192.168.228.0/22
4    SNAT       all  --  0.0.0.0/0            0.0.0.0/0            source IP range 192.168.229.1-192.168.231.254 destination IP range 172.18.203.1-172.18.203.250 to:172.18.203.254
5    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1
6    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth2
7    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth3
8    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap0
9    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap1
10   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap2
11   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3
12   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap4
13   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap5
14   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap6
15   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap7
16   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap8
17   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap9
18   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet0
19   MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet1


以指令形式（iptables-save 格式）列出某一個 table 的 rule，這種格式會完整顯示進出介面與 match 條件
root@ubuntu:~$ iptables-save -t nat
# Generated by iptables-save v1.4.12 on Mon Feb 18 14:43:37 2013
*nat
:PREROUTING ACCEPT [17013:1897631]
:INPUT ACCEPT [12931:1479517]
:OUTPUT ACCEPT [7294:518260]
:POSTROUTING ACCEPT [7677:530072]
-A POSTROUTING -s 192.168.228.0/22 ! -d 192.168.228.0/22 -o eth2 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.228.0/22 ! -d 192.168.228.0/22 -o eth2 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.228.0/22 ! -d 192.168.228.0/22 -o eth2 -j MASQUERADE
-A POSTROUTING -m iprange --src-range 192.168.229.1-192.168.231.254 --dst-range 172.18.203.1-172.18.203.250 -j SNAT --to-source 172.18.203.254
-A POSTROUTING -o eth0 -m physdev --physdev-in eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in eth2 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in eth3 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap0 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap1 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap2 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap3 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap4 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap5 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap6 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap7 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap8 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in tap9 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in vnet0 -j MASQUERADE
-A POSTROUTING -o eth0 -m physdev --physdev-in vnet1 -j MASQUERADE
COMMIT
# Completed on Mon Feb 18 14:43:37 2013

刪除某個 chain 的第 n 條 rule（刪除後其餘 rule 的編號會往前移，再刪除下一條之前請先重新列出編號）
root@ubuntu:~$ iptables -t nat -D POSTROUTING 4
