Information on setting up and configuring iptables.
Sysctl#TCP/IP stack hardening

iptables is a powerful firewall built into the Linux kernel and is part of the netfilter project. It can be configured directly or through one of many front-ends and graphical interfaces. iptables is used for IPv4 and ip6tables for IPv6.


Note: The kernel needs to be compiled with iptables support; all official Arch Linux kernels have it.

First, install the iptables user-space tools from the official repositories.

Then add iptables to the DAEMONS array in /etc/rc.conf so that it starts automatically:


DAEMONS=(... iptables network ...)


iptables contains four tables: raw, filter, nat and mangle. Each serves a different purpose; filter is the default table and the one ordinary firewall rules go in, which is why the commands below that do not name a table act on it.

Chains hold ordered lists of rules. A packet starts at the top of a chain and works downwards until it matches a rule; the rule's target then decides what happens to it (LOG is the exception and lets the packet continue down the chain). The filter table has three built-in chains: INPUT, OUTPUT and FORWARD. All outbound, locally-generated traffic passes through the OUTPUT chain, all inbound traffic addressed to the machine itself passes through the INPUT chain, and routed traffic that is not delivered locally passes through the FORWARD chain. Each built-in chain has a default policy (ACCEPT or DROP) that applies when no rule matches. User-defined chains can be added to keep rulesets shorter and easier to maintain.


A "target" is what happens to a packet when it matches a rule. Targets are specified with the "jump" option (-j). The most common targets are ACCEPT, DROP, REJECT and LOG. ACCEPT, DROP and REJECT end the packet's traversal of the chain; a jump to a user-defined chain returns to the next rule of the calling chain if nothing terminating matches there.


There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.



You can check the current ruleset of the filter table (add -t nat, -t mangle or -t raw for the other tables) and the number of packets and bytes that matched each rule with the command:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

If the output looks like the above, there are no rules and every chain's policy is ACCEPT, i.e. nothing is being filtered.

You can flush and reset iptables to its defaults (no rules, policy ACCEPT everywhere) with these commands. Set the policies to ACCEPT first: flushing the rules while the INPUT policy is DROP leaves the host unreachable, which matters on a remote machine. These commands act on the filter table only; repeat -F and -X with -t nat, -t mangle and -t raw to clear the other tables.

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X


The file /etc/conf.d/iptables sets the path of the rules file (IPTABLES_CONF) and a few options. The ruleset stored in that rules file is loaded when the daemon is started.

# Configuration for iptables rules

# Enable IP forwarding (both IPv4 and IPv6)
# NOTE: this is not the recommended way to do this, and is supported only for
# backward compatibility. Instead, use /etc/sysctl.conf and set the following
# options:
# * net.ipv4.ip_forward=1
# * net.ipv6.conf.default.forwarding=1
# * net.ipv6.conf.all.forwarding=1

To save the current ruleset, use this command:

# rc.d save iptables

To load the ruleset, use this command:

# rc.d restart iptables


You can also, optionally, save and restore byte and packet counters. To do this, edit /etc/rc.d/iptables.

In the save) section, change the line:

/usr/sbin/iptables-save > $IPTABLES_CONF

to:

/usr/sbin/iptables-save -c > $IPTABLES_CONF

In the stop) section, add the following so the counters are saved before the rules are flushed:

     $0 save
     sleep 2

In the start) section, change the line:

/usr/sbin/iptables-restore < $IPTABLES_CONF

to:

/usr/sbin/iptables-restore -c < $IPTABLES_CONF

and save the file.



The LOG target logs packets that match a rule. Unlike ACCEPT or DROP it is non-terminating: after a LOG rule fires, the packet continues down the chain. So to log every dropped packet you would have to put a duplicate LOG rule in front of each DROP rule, which is inefficient and hard to keep in sync. Create a LOGDROP chain instead: it logs (rate-limited) and then drops, and rules jump to it wherever they would otherwise jump to DROP.

## /etc/iptables/iptables.rules


... other user defined chains ..

## LOGDROP chain: log (rate-limited), then drop. LOG does not stop the
## packet, so the DROP rule has to follow it or nothing is dropped.
:LOGDROP - [0:0]

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
-A LOGDROP -j DROP

... rules ...

## log AND drop packets that hit this rule:
-A INPUT -m state --state INVALID -j LOGDROP

... more rules ...
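The chains, targets and modules described above and the LOGDROP fragment just shown fit together as follows. This is an added example, not a ruleset from the wiki or from the iptables project: render_ruleset prints a complete stateful ruleset for the filter table in iptables-restore format (conntrack in place of the older state module, the limit and recent modules for rate limiting), and apply_ruleset loads it with an automatic rollback so a typo cannot lock you out of a remote host. The SSH port, the rules path and the confirmation flag file are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: render a stateful filter-table ruleset in
# iptables-restore format and apply it with a rollback timer.
# Assumed for illustration: SSH on port 22 (overridable), flag path /run/iptables.confirmed.

render_ruleset() {
    # Prints a ruleset for the filter table. Default policy DROP on INPUT and
    # FORWARD, ACCEPT on OUTPUT; everything not explicitly allowed goes to LOGDROP.
    ssh_port=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]

# LOGDROP: log at most 5/min (burst 10), then drop. LOG is non-terminating,
# so the DROP on the next line is reached for every packet sent here.
-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "iptables drop: " --log-level 4
-A LOGDROP -j DROP

# Loopback and already-established flows first: most traffic matches here,
# so these rules belong at the top of the chain.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify (malformed, out of window): log and drop.
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
# Ping, rate-limited.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# New SSH connections: more than 3 per source within 60 s are logged and dropped.
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j LOGDROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Everything else: log (rate-limited) and drop.
-A INPUT -j LOGDROP
COMMIT
EOF
}

# apply_ruleset FILE [FLAG]: load FILE atomically with iptables-restore, then
# revert to the previous ruleset after 60 s unless FLAG has been created.
# Must run as root; not exercised by the offline test.
apply_ruleset() {
    file=$1
    flag=${2:-/run/iptables.confirmed}
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    # iptables-restore validates the whole file before committing, so a
    # syntax error leaves the old rules in place.
    if ! iptables-restore < "$file"; then
        echo "ruleset rejected, old rules untouched" >&2
        rm -f "$backup"
        return 1
    fi
    rm -f "$flag"
    ( sleep 60; [ -e "$flag" ] || iptables-restore < "$backup"; rm -f "$backup" ) &
    echo "applied; run 'touch $flag' within 60 s to keep it"
}
```

Typical use on the host: `render_ruleset 22 > /etc/iptables/iptables.rules && apply_ruleset /etc/iptables/iptables.rules`, then `touch /run/iptables.confirmed` from a fresh SSH session once you have verified you can still log in. The rollback relies on iptables-save/iptables-restore treating the ruleset as one unit, which is also why a rules file is easier to reason about than a sequence of individual iptables commands.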


Use the limit module so the iptables log cannot grow without bound or cause needless disk writes. Without a limit, an attacker can fill your disk (or at least the /var partition) simply by sending packets that hit a logging rule.

-m limit loads the limit module. --limit sets the average rate and --limit-burst the size of the initial burst (the burst defaults to 5 if omitted). Example:

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG

This appends a rule to the LOGDROP chain that logs the packets passing through it, subject to the limit. The first 10 packets are logged; after that only 5 per minute. The module is a token bucket: each logged packet spends one token, and the bucket refills at the average rate (one token every 12 seconds for 5/minute) up to the burst size, so a quiet period restores the full burst. A packet that arrives when no token is available simply does not match the rule and continues to the next one.
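To see exactly which packets a limit rule matches, the following added example (not code from the wiki or from netfilter) simulates the module's token bucket. It follows the way xt_limit accounts for credit, in units of time: a match costs one interval (60/R seconds for a rate of R per minute), credit accrues in real time and is capped at burst intervals. Whole-second arrival times are a simplification assumed here; the kernel works in finer units, but the count of matched packets is the same for these inputs.

```shell
#!/bin/sh
# Added example, not from the wiki: simulate "-m limit --limit R --limit-burst B".
# Assumption: arrival times are whole seconds, non-decreasing (kernel uses finer units).

# limit_sim INTERVAL BURST T1 T2 ... : prints how many of the packets arriving
# at times T1, T2, ... match. For --limit 5/m --limit-burst 10 use INTERVAL=12 BURST=10.
limit_sim() {
    interval=$1; burst=$2; shift 2
    cap=$((interval * burst))
    credit=$cap      # bucket starts full, so the first BURST packets match
    last=0
    matched=0
    for t in "$@"; do
        # credit refills one second per second, capped at the burst
        credit=$((credit + t - last))
        [ "$credit" -gt "$cap" ] && credit=$cap
        last=$t
        if [ "$credit" -ge "$interval" ]; then
            # enough credit for one match: spend it
            credit=$((credit - interval))
            matched=$((matched + 1))
        fi
        # otherwise the packet does not match and moves on to the next rule
    done
    echo "$matched"
}

# burst_only N INTERVAL BURST: N packets arriving in the same second.
burst_only() {
    n=$1; interval=$2; burst=$3
    set --
    i=0
    while [ "$i" -lt "$n" ]; do set -- "$@" 0; i=$((i + 1)); done
    limit_sim "$interval" "$burst" "$@"
}
```

With the wiki's rule, `burst_only 100 12 10` prints 10: a flood of 100 packets in one second logs only the burst, and a further packet is logged only once 12 seconds of credit have accrued, so `limit_sim 12 10 0 12 24 36` prints 4 while `limit_sim 12 10 0 0 0 0 0 0 0 0 0 0 0 0 12 13 24` prints 12 (ten from the burst, one at t=12, none at t=13, one at t=24).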


Assuming you use syslog-ng, the default in Arch Linux, you can control where iptables' log output goes in /etc/syslog-ng/syslog-ng.conf. Change the line:

filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };

to:

filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };

This stops iptables output from being logged to /var/log/everything.log. It relies on the f_iptables filter, which the default Arch syslog-ng.conf already defines together with the d_iptables destination.

If you also want iptables to log to a different file than /var/log/iptables.log, you can simply change the file value of destination d_iptables here (still in syslog-ng.conf)

destination d_iptables { file("/var/log/iptables.log"); };


ulogd is a specialized userspace packet logging daemon for netfilter that can replace the default LOG target (rules then use the ULOG or NFLOG target instead of LOG). The package ulogd is available in the [community] repository.