Difference between revisions of "Iptables (简体中文)"

From ArchWiki
(Add zh_CN page)
 
Line 1: Line 1:
 +
[[Category:简体中文]]
 
[[Category:Security (简体中文)]]
 
[[Category:Security (简体中文)]]
 
[[Category:Networking (简体中文)]]
 
[[Category:Networking (简体中文)]]
Line 30: Line 31:
 
=== 表 ===
 
=== 表 ===
  
iptables contains four tables: raw, filter, nat and mangle.
+
iptables 包含四个表: raw, filter, nat 和 mangle。
  
 
=== 链 ===
 
=== 链 ===
{{expansion}}
+
链用来指定规则,一个数据包从链的顶端开始,向下移动直到匹配某个规则。 有三个内建规则 {{ic|INPUT}}{{ic|OUTPUT}} {{ic|FORWARD}}。所有本地外发包会通过 {{ic|OUTPUT}} 链,所有从外部进入的数据会通过 {{ic|INPUT}} 链,所有不进入本地的路由数据会通过 {{ic|FORWARD}} 链。三个内建链都有没有规则匹配时的默认目标,用户可以定义更加有效的链。
Chains are used to specify rulesets. A packet begins at the top of a chain and progresses downwards until it hits a rule. There are three built-in chains: {{ic|INPUT}}, {{ic|OUTPUT}} and {{ic|FORWARD}}. All outbound, locally-generated traffic passes through the {{ic|OUTPUT}} chain, all inbound traffic addressed to the machine itself passes through the {{ic|INPUT}} chain, and all routed traffic which should not be delivered locally passes through the {{ic|FORWARD}} chain. The three built-in chains have default targets which are used if no rules are hit. User-defined chains can be added to make rulesets more efficient.
+
  
=== 目的 ===
+
=== 目标 ===
  
A "target" is the result that occurs when a packet hits a rule. Targets are specified using "jump" (-j). The most common targets are ACCEPT, DROP, REJECT and LOG.
+
"目标" 是数据包匹配某个规则后的结果。目标通过 "jump" (-j) 定义。最常用的目标是 ACCEPT, DROP, REJECT 和 LOG。
  
 
=== 模块 ===
 
=== 模块 ===
  
There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.
+
有许多模块可以用来扩展 iptables,例如 connlimit, conntrack, limit 和 recent。这些模块增添了功能,可以进行更复杂的过滤。
  
 
== 配置 ==
 
== 配置 ==
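Review bot: the added line under === 链 === (beginning 链用来指定规则) says 有三个内建规则 where the English line right below it says there are three built-in chains, not rules, and the three names run together with no separators; suggest 有三个内建链: {{ic|INPUT}}、{{ic|OUTPUT}} 和 {{ic|FORWARD}}。 so the rendered sentence matches the source text.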
Line 48: Line 48:
 
=== 从命令行 ===
 
=== 从命令行 ===
  
You can check the current ruleset and the number of hits per rule by using the command:
+
检查当前规则和匹配数:
  
 
{{hc|# iptables -nvL|Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 
{{hc|# iptables -nvL|Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Line 59: Line 59:
 
  pkts bytes target    prot opt in    out    source              destination}}
 
  pkts bytes target    prot opt in    out    source              destination}}
  
If the output looks like the above, then there are no rules.
+
上面的结果表明还没有配置规则。
  
You can flush and reset iptables to default using these commands:
+
可以通过下面命令将 iptables 规则重置:
  
 
  # iptables -P INPUT ACCEPT
 
  # iptables -P INPUT ACCEPT
Line 71: Line 71:
 
=== 配置文件 ===
 
=== 配置文件 ===
  
The configuration file at {{ic|/etc/conf.d/iptables}} points to the location of the configuration file. The ruleset is loaded when the daemon is started.
+
{{ic|/etc/conf.d/iptables}} 指向了具体规则集配置文件。守护进程启动时会装入规则集。
  
 
{{hc|/etc/conf.d/iptables|2=# Configuration for iptables rules
 
{{hc|/etc/conf.d/iptables|2=# Configuration for iptables rules
Line 86: Line 86:
 
#IPTABLES_FORWARD=0}}
 
#IPTABLES_FORWARD=0}}
  
To save the current ruleset, use this command:
+
保存当前规则的命令:
  
 
  # rc.d save iptables
 
  # rc.d save iptables
  
To load the ruleset, use this command:
+
装入规则的命令:
  
 
  # rc.d restart iptables
 
  # rc.d restart iptables
Line 96: Line 96:
 
=== 保存计数 ===
 
=== 保存计数 ===
  
You can also, optionally, save byte and packet counters. To accomplish this, edit {{ic|/etc/rc.d/iptables}}
+
同时还可以保存过滤的数据大小和数据包个数。编辑 {{ic|/etc/rc.d/iptables}}
  
In the '''save)''' section, change the line:
+
'''save)''' 部分,将:
 
  /usr/sbin/iptables-save > $IPTABLES_CONF
 
  /usr/sbin/iptables-save > $IPTABLES_CONF
to
+
改成
 
  /usr/sbin/iptables-save -c > $IPTABLES_CONF
 
  /usr/sbin/iptables-save -c > $IPTABLES_CONF
In the '''stop)''' section, add the following to save before stopping:
+
'''stop)''' 部分,加入如下内容:
 
  stop)
 
  stop)
 
       $0 save
 
       $0 save
 
       sleep 2
 
       sleep 2
In the '''start)''' section, change the line:
+
'''start)''' 部分,将:
 
  /usr/sbin/iptables-restore < $IPTABLES_CONF
 
  /usr/sbin/iptables-restore < $IPTABLES_CONF
to
+
改成
 
  /usr/sbin/iptables-restore -c < $IPTABLES_CONF
 
  /usr/sbin/iptables-restore -c < $IPTABLES_CONF
and save the file
+
然后保存文件
  
 
=== 指南 ===
 
=== 指南 ===
Line 119: Line 119:
 
== 日志 ==
 
== 日志 ==
  
The LOG target can be used to log packets that hit a rule. Unlike other targets like ACCEPT or DROP, the packet will continue moving through the chain after hitting a LOG target. This means that in order to enable logging for all dropped packets, you would have to add a duplicate LOG rule before each DROP rule. Since this reduces efficiency and makes things less simple, a LOGDROP chain can be created instead.
+
LOG 目标可以用来记录匹配某个规则的数据包。和 ACCEPT DROP 规则不同,进入 LOG 目标之后数据包会继续沿着链向下走。所以要记录所有丢弃的数据包,只需要在 DROP 规则前加上相应的 LOG 规则。但是这样会比较复杂,影响效率,所以应该创建一个 LOGDROP 链。
  
 
  ## /etc/iptables/iptables.rules
 
  ## /etc/iptables/iptables.rules
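Review bot: the translated LOG paragraph reads 只需要在 DROP 规则前加上相应的 LOG 规则, which turns the source's drawback (you would have to duplicate a LOG rule before every DROP rule, which is what motivates the LOGDROP chain) into a recommendation, so the following 但是这样会比较复杂 no longer follows; suggest 就必须在每条 DROP 规则前都加上一条对应的 LOG 规则. In the same paragraph 和 ACCEPT DROP 规则不同 is missing its conjunction and should read 和 ACCEPT 或 DROP 目标不同.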
Line 128: Line 128:
 
  :OUTPUT ACCEPT [0:0]
 
  :OUTPUT ACCEPT [0:0]
 
   
 
   
  ... other user defined chains ..
+
  ... 其它链 ..
 
   
 
   
 
  ## LOGDROP chain
 
  ## LOGDROP chain
Line 136: Line 136:
 
  -A LOGDROP -j DROP
 
  -A LOGDROP -j DROP
 
   
 
   
  ... rules ...
+
  ... 规则 ...
 
   
 
   
 
  ## log AND drop packets that hit this rule:
 
  ## log AND drop packets that hit this rule:
 
  -A INPUT -m state --state INVALID -j LOGDROP
 
  -A INPUT -m state --state INVALID -j LOGDROP
 
   
 
   
  ... more rules ...
+
  ... 更多规则 ...
  
=== 现在日志级别 ===
+
=== 限制日志级别 ===
  
The limit module should be used to prevent your iptables log from growing too large or causing needless hard drive writes. Without limiting, an attacker could fill your drive (or at least your {{ic|/var}} partition) by causing writes to the iptables log.
+
limit 模块可以用来防止 iptable 的日志过大,产生无用的硬盘写操作。如果不进行限制,攻击者可以通过不停写 iptables 日志填满磁盘(或至少是 {{ic|/var}} 分区)
  
'''-m limit''' is used to call on the limit module. You can then use --limit to set an average rate and --limit-burst to set an initial burst rate. Example:
+
'''-m limit''' 可以调用 limit 模块,然后使用 --limit 设置平均速率,--limit-burst 设置初始迸发速率。例如:
  
 
  -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
 
  -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
  
This appends a rule to the LOGDROP chain which will log all packets that pass through it. The first 10 packets will the be logged, and from then on only 5 packets per minute will be logged. The "limit burst" is restored by one every time the "limit rate" is not broken.
+
这将在 LOGDROP 链上加上规则,记录最开始的十个包,然后每分钟仅记录 5 个包。只要没有突破"limit rate""limit burst" 将会重置为 1。
  
 
=== syslog-ng ===
 
=== syslog-ng ===
  
Assuming you are using [[syslog-ng]] which is the default in Archlinux, you can control where iptables' log output goes this way:
+
使用 Arch 默认的 [[syslog-ng]] 可以控制 iptables 日志的输出文件:
 
  filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
 
  filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
to
+
修改为
 
  filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };
 
  filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };
  
This will stop logging iptables output to {{ic|/var/log/everything.log}}.
+
iptables 的日志就不会输出到 {{ic|/var/log/everything.log}}
  
If you also want iptables to log to a different file than {{ic|/var/log/iptables.log}}, you can simply change the file value of destination d_iptables here (still in {{ic|syslog-ng.conf}})
+
iptables 也可以不输出到 {{ic|/var/log/iptables.log}},只需设置{{ic|syslog-ng.conf}} 中的 d_iptables 为需要的日志文件。
 
  destination d_iptables { file("/var/log/iptables.log"); };
 
  destination d_iptables { file("/var/log/iptables.log"); };
  
 
=== ulogd ===
 
=== ulogd ===
  
[http://www.netfilter.org/projects/ulogd/index.html ulogd] is a specialized userspace packet logging daemon for netfilter that can replace the default LOG target.  The package {{Pkg|ulogd}} is available in the {{ic|[community]}} reopository.
+
[http://www.netfilter.org/projects/ulogd/index.html ulogd] 是专门用于 netfilter 的日志工具,可以代替默认的 LOG 目标。软件包 {{Pkg|ulogd}} 位于 {{ic|[community]}} 源。
  
 
== 参见 ==
 
== 参见 ==
 
{{Wikipedia|iptables}}
 
{{Wikipedia|iptables}}
* [http://www.netfilter.org/projects/iptables/index.html Official Iptables Website]
+
* [http://www.netfilter.org/projects/iptables/index.html 官方网站]
* [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html Iptables Tutorial 1.2.2] by Oskar Andreasson
+
* [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html Iptables 教程 1.2.2]
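Review bot: in the limit paragraph, "limit burst" 将会重置为 1 misreads the source line above it ("is restored by one"): the burst allowance is refilled by one each time the rate is not exceeded, it is not reset to 1; suggest 每当没有超过 "limit rate" 时,"limit burst" 就会恢复 1 个。 Two smaller points in the same hunk: iptable 的日志 should read iptables 的日志, and the renamed heading 限制日志级别 speaks of a level while the section is about rate, so 限制日志速率 would match the content.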

Revision as of 05:24, 20 December 2011


iptables is a powerful firewall built into the Linux kernel and part of the netfilter project. It can be configured directly or through one of the many front-ends and graphical interfaces. iptables is used for IPv4 and ip6tables for IPv6.

Installation

Note: The kernel has to be built with iptables support; all official Arch Linux kernels include it.

First, install the iptables userspace utilities from the official repositories.

Then add iptables to the DAEMONS array in /etc/rc.conf so that it is started automatically:

/etc/rc.conf
...

DAEMONS=(... iptables network ...)

Basic concepts

Tables

iptables contains four tables: raw, filter, nat and mangle.

Chains

Chains are used to specify rulesets. A packet starts at the top of a chain and moves down until it matches a rule. There are three built-in chains: INPUT, OUTPUT and FORWARD. All locally generated outbound traffic passes through the OUTPUT chain, all inbound traffic addressed to the machine itself passes through the INPUT chain, and all routed traffic that is not delivered locally passes through the FORWARD chain. Each built-in chain has a default target (policy) that applies when no rule matches. User-defined chains can be added to make rulesets more efficient.

Targets

A "target" is what happens to a packet when it matches a rule. Targets are specified with "jump" (-j). The most common targets are ACCEPT, DROP, REJECT and LOG.

Modules

Many modules extend iptables, for example connlimit, conntrack, limit and recent. They add functionality that makes more complex filtering rules possible.

Configuration

From the command line

Check the current ruleset and the number of hits per rule with:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   
     
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination    
    
Chain OUTPUT (policy ACCEPT 0K packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Output like the above means that no rules are configured.

The following commands flush iptables and reset it to the defaults:

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X

Configuration file

/etc/conf.d/iptables points to the actual ruleset file. The ruleset is loaded when the daemon starts.

/etc/conf.d/iptables
# Configuration for iptables rules
IPTABLES_CONF=/etc/iptables/iptables.rules
IP6TABLES_CONF=/etc/iptables/ip6tables.rules

# Enable IP forwarding (both IPv4 and IPv6)
# NOTE: this is not the recommended way to do this, and is supported only for
# backward compatibility. Instead, use /etc/sysctl.conf and set the following
# options:
# * net.ipv4.ip_forward=1
# * net.ipv6.conf.default.forwarding=1
# * net.ipv6.conf.all.forwarding=1
#IPTABLES_FORWARD=0

To save the current ruleset:

# rc.d save iptables

To load the ruleset:

# rc.d restart iptables

Saving counters

Byte and packet counters can be saved as well. To do this, edit /etc/rc.d/iptables.

In the save) section, change the line:

/usr/sbin/iptables-save > $IPTABLES_CONF

to

/usr/sbin/iptables-save -c > $IPTABLES_CONF

In the stop) section, add the following so that the rules are saved before stopping:

stop)
     $0 save
     sleep 2

In the start) section, change the line:

/usr/sbin/iptables-restore < $IPTABLES_CONF

to

/usr/sbin/iptables-restore -c < $IPTABLES_CONF

and save the file.
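As an added example (written for this edit, not code from the ArchWiki page or the iptables project), the Python below parses the ruleset that iptables-save -c writes once counters are kept, and lists which rules have actually matched packets; the dump it works on is a constructed sample, not output from a real host.

```python
import re

# Constructed sample of `iptables-save -c` output (not taken from a real host);
# the [pkts:bytes] counters are what the -c flag adds.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [12:3456]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [800:64000]
:LOGDROP - [7:420]
[7:420] -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
[7:420] -A LOGDROP -j DROP
[0:0] -A INPUT -i lo -j ACCEPT
[7:420] -A INPUT -m state --state INVALID -j LOGDROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")   # :CHAIN POLICY [p:b]
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")   # [p:b] -A CHAIN spec

def parse_saved_rules(dump):
    """Return (chains, rules). chains maps name -> (policy, pkts, bytes);
    rules is a list of (chain, spec, pkts, bytes) in file order."""
    chains, rules = {}, []
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, nbytes = m.groups()
            chains[name] = (policy, int(pkts), int(nbytes))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, nbytes, chain, spec = m.groups()
            rules.append((chain, spec, int(pkts), int(nbytes)))
    return chains, rules

def rules_with_hits(dump):
    """Rules whose packet counter is non-zero, i.e. rules that matched traffic."""
    _, rules = parse_saved_rules(dump)
    return [(chain, spec, pkts) for chain, spec, pkts, _ in rules if pkts > 0]

def dropped_by_policy(dump):
    """Packets that matched no rule and fell through to a chain's DROP policy."""
    chains, _ = parse_saved_rules(dump)
    return {name: pkts for name, (policy, pkts, _) in chains.items() if policy == "DROP"}

if __name__ == "__main__":
    for chain, spec, pkts in rules_with_hits(SAMPLE_DUMP):
        print(f"{pkts:>6} pkts  {chain:<8} {spec}")
```

Run against a real saved ruleset, the zero-counter rules are the ones worth re-examining and the policy counters show what reached the chain without matching anything.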

Guides

Logging

The LOG target can be used to log packets that match a rule. Unlike targets such as ACCEPT or DROP, a packet continues down the chain after hitting a LOG target. Logging every dropped packet would therefore require a matching LOG rule in front of each DROP rule. Since that is both less efficient and less simple, a LOGDROP chain can be created instead.

## /etc/iptables/iptables.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

... other user-defined chains ...

## LOGDROP chain
:LOGDROP - [0:0]

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
-A LOGDROP -j DROP

... rules ...

## log AND drop packets that hit this rule:
-A INPUT -m state --state INVALID -j LOGDROP

... more rules ...

Limiting the log rate

The limit module should be used to keep the iptables log from growing too large and causing needless disk writes. Without a limit, an attacker could fill the disk (or at least the /var partition) by provoking writes to the iptables log.

-m limit loads the limit module; --limit then sets the average rate and --limit-burst the initial burst. For example:

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG

This appends a rule to the LOGDROP chain that logs the packets passing through it: the first 10 packets are logged, and from then on only 5 packets per minute. The burst allowance is replenished by one each time the rate limit is not exceeded.
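The first-10-then-5-per-minute behaviour described above is a token bucket, and the following Python model (added here; not code from the page or from netfilter) reproduces it for --limit 5/m --limit-burst 10: the bucket starts full at the burst size, each logged packet spends one token, and tokens refill at the average rate. The packet arrival times are constructed for the illustration, and the model simplifies the kernel's integer credit arithmetic while keeping the same bucket logic.

```python
def limit_decisions(arrival_times, rate_per_minute=5, burst=10):
    """Token-bucket model of the iptables limit match (simplified from the
    kernel's credit arithmetic, same bucket logic).

    arrival_times: non-decreasing packet timestamps in seconds.
    Returns one bool per packet: True if the packet passes the match and
    would therefore reach the LOG target in `-m limit ... -j LOG`.
    """
    tokens = float(burst)          # bucket starts full: the initial burst
    last = arrival_times[0] if arrival_times else 0.0
    decisions = []
    for t in arrival_times:
        # Refill at the average rate; never above the burst size.
        tokens = min(float(burst), tokens + rate_per_minute * (t - last) / 60.0)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions

def logged_count(arrival_times, rate_per_minute=5, burst=10):
    """How many of the packets would be written to the log."""
    return sum(limit_decisions(arrival_times, rate_per_minute, burst))

# Constructed scenario: a flood of 100 packets inside the first second, then a
# trickle of one packet every 12 s starting a minute later (the 5/min rate).
FLOOD = [i / 100.0 for i in range(100)]
TRICKLE = [60.0 + 12.0 * k for k in range(5)]

if __name__ == "__main__":
    # Only the burst survives the flood; the bucket refills during the quiet
    # minute, so every trickle packet is logged.
    print("flood logged:", logged_count(FLOOD))
    print("flood + trickle logged:", logged_count(FLOOD + TRICKLE))
```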

syslog-ng

Assuming you use syslog-ng, the default in Arch Linux, you can control where the iptables log output goes. Change:

filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };

to

filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };

iptables output is then no longer logged to /var/log/everything.log.

If iptables should log to a file other than /var/log/iptables.log, change the file value of the d_iptables destination (also in syslog-ng.conf):

destination d_iptables { file("/var/log/iptables.log"); };

ulogd

ulogd is a specialized userspace packet logging daemon for netfilter that can replace the default LOG target. The ulogd package is available in the [community] repository.

See also
