Iptables command/zh cn

From DD-WRT Wiki

Jump to: navigation, search

You are here: DD-WRT wiki mainpage / Scripting / SSH/Telnet & The CLI / iptables

Iptables IPv4 NAT和包过滤的强力管理工具。 可用来设置,维护和检测Linux内核中的IP包过滤规则组成的表.

Iptables 命令可以通过 command line interface输入,和/或dd-wrt管理面板保存的防火墙脚本输入. 建议在命令行先测试确认规则. 这样,如果碰巧出了大错误(比如关闭了route的入口), 简单的重启路由器即可修复,而不用硬件重置. 想使得规则在路由器重启后仍然生效,需要把它们保存在刚才提到的防火墙脚本中.

我认为我们应该在页面上放些关于 Firewall Builder的内容 , 他们有点联系...


[edit] 基本用法

iptables -[AD] 链名 规则 [选项]
iptables -[RI] 链名 规则序号 规则 [选项]
iptables -D 链名 规则序号 [选项]
iptables -[LFZ] [链名] [选项]
iptables -[NX] 链名
iptables -E 旧链名 新链名
iptables -P 链名 target [选项]
iptables -h (打印这个帮助信息)

[edit] 命令

--append -A chain     附加到链上
--delete  -D chain     从链上删除匹配的规则
--delete  -D chain rulenum
                                从链上删除规则??rule rulenum (1 = first)
--insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
                              Replace rule rulenum (1 = first) in chain
--list      -L [chain]    List the rules in a chain or all chains
--flush   -F [chain]    Delete all rules in  chain or all chains
--zero    -Z [chain]   Zero counters in chain or all chains
--new    -N chain      Create a new user-defined chain
             -X [chain]   Delete a user-defined chain
--policy  -P chain target
                              Change policy on chain to target
             -E old-chain new-chain
                              Change chain name, (moving any references)

[edit] 选项

--proto    -p [!] proto
                              protocol: by number or name, eg. `tcp'
--source  -s [!] address[/mask]
                              source specification. The mask can be either a network mask or a plain number,
                              specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is
                              equivalent to A "!" argument before the address specification inverts the
                              sense of the address.
--destination  -d [!] address[/mask]
                              destination specification
--sport [!] port[:endport]
                              source port (use `:' when specifying range)
--dport [!] port[:endport]
                              destination port
--in-interface  -i [!] input name[+]
                              network interface name ([+] for wildcard)
--jump    -j target
                              target for rule (may load target extension)
--match  -m match
                              extended match (may load extension)
--state state
                              connection states to match: 
                                   INVALID NEW ESTABLISHED RELATED
--tcp-flags [!] mask 
                              match when the TCP flags are as specified:
                                   SYN ACK FIN RST URG PSH ALL NONE
--numeric    -n         numeric output of addresses and ports
--out-interface -o [!] output name[+]
                              network interface name ([+] for wildcard)
--table        -t table  table to manipulate (default: `filter')
--verbose   -v          verbose mode
--line-numbers         print line numbers when listing
--exact       -x          expand numbers (display exact values)
--fragment  -f          match second or further fragments only
--modprobe=<command>     try to insert modules using this command
--set-counters PKTS BYTES    set the counter during insert/append
--version    -V          print package version

MAC v1.3.7 options:
 --mac-source [!] XX:XX:XX:XX:XX:XX
                              Match source MAC address

[edit] 接口

When using the -i or -o to define the physical interfaces, remember that by default:
vlan0 is the 4 LAN ports
vlan1 is the WAN port (ppp0 is the WAN interface when PPPoE is used)
eth1 is the WIFI
br0 is a bridge connecting the 4 LAN and the WIFI together

Note: ppp0 is the WAN interface when PPPoE is used. This information is from IPv6 page and quoted here: "The detailled configuration steps are targeted toward users with a basic DHCP connection for the WAN part. So, if using PPPoE will require replacing vlan1 with ppp0 in each instance. Other connection types will vary."

Tip: To list the network interfaces on the router use 'ifconfig' on the command line.

[edit] 表Tables, 链Chains, 和操作Targets

[edit] 表Tables

The main tables we are concerned with are the "filter" table and the "nat" table. To list the contents of either table, do

iptables -t filter -L
iptables -t nat -L

The filter table is default and this includes chains like INPUT, OUTPUT, and FORWARD. The nat table is for Network Address Translation and it includes the PREROUTING and POSTROUTING chains.

[edit] 链Chains

INPUT is for packets destined to or entering the router's local sockets.

OUTPUT is for packets sourced from or leaving the router's local sockets.

FORWARD is for packets being forwarded through the router (e.g. packets not necessarily destined for local sockets).

PREROUTING is for manipulating packets before they are routed.

POSTROUTING is for manipulating packets after they are routed.

[edit] 操作Targets

ACCEPT - packets are accepted/allowed

DROP - packets are dropped/denied

REJECT - packets are rejected/denied

logaccept - packets are accepted and logged to /tmp/var/log/messages

logdrop - packets are dropped and logged to /tmp/var/log/messages

logreject - packets are rejected and logged to /tmp/var/log/messages

DNAT is for altering packet's destination address.

SNAT is for altering packet's source address.

TRIGGER - dynamically redirect input ports based on output traffic (aka port triggering)

[edit] TRIGGER Target Options

The trigger target has additional options which must appear immediately after it on the command line

--trigger-type [dnat|in|out] 
--trigger-proto [tcp|udp|all]    (if this option is not specificed the default is all)
--trigger-match [port[-port]]   (a port or a range of ports which the outbound connection uses)
--trigger-relate [port[-port]]    (a port or range of ports to open on the inbound side)

[edit] 例子

I think examples are the best way to demonstrate the use of iptables. (Take note, chains are to be typed in caps as shown!)

[edit] Listing the rules in a chain


iptables -L INPUT

You will find that it is really slow to list all many rules after you enter the above iptables command since it is doing reverse DNS lookups to convert IP addresses to host names. You can add -n option to only see numerical addresses. (Note '' = 'anywhere' (any address, any port); and '0' prot is 'any' protocol.)

iptables -nL INPUT

To get a little more detailed list, with actual IP numbers and packet counts for each rule, I can do

iptables -vnL INPUT

Suppose I might want to add a rule so that I can ssh into my router from a specific host/address outside. Then I might type the following:

iptables -A INPUT -p tcp -s 150.100.whatever.something --dport 22 -j logaccept

So I am saying: Append to the INPUT chain a rule allowing protocol tcp, with a source address of <my external IP that i want access from> traffic destined for port 22 on my router, jump to logaccept. I could have used -j ACCEPT which simply jumps to ACCEPT, but in this case I want to log it just to keep track so I use logaccept, which is a chain we have set up for this purpose.

Note: Simply adding a rule to the INPUT chain may be enough to allow remote SSH access from the WAN. However, if your router is still in NAT/Gateway mode and you wish to remap the SSH port to something less traditional on the WAN side (say port 2222), you may Insert a PREROUTING rule instead. This is actually how the GUI does it when you enable remote WAN SSH management.

iptables -A INPUT -p tcp -m tcp -d `nvram get lan_ipaddr` --dport 22 -j logaccept 
iptables -t nat -A PREROUTING -p tcp -m tcp -d `nvram get wan_ipaddr` --dport 2222 -j DNAT --to-destination `nvram get lan_ipaddr`:22

Now if I type

iptables -L INPUT 

I see my shiny new rule appended to the INPUT chain. However, this is no good because in my case I have a rule blocking this traffic which occurs BEFORE the rule allowing it.

How do I change it? Simple.

First let's delete the rule we just made

iptables -L INPUT --line-numbers

will list the rules with their rule numbers. Let's say our rule is number 11

iptables -D INPUT 11   

Clearly this Deletes rule number 11 from the input chain.

Now instead of Appending I am going to Insert my rule into the number 1 (by default) position.

iptables -I INPUT -p tcp -s 150.100.whatever.something --dport 22 -j logaccept

So now rule number 1 is my new rule and the other rules have all shifted down a position.

If I wanted to change the IP address or any other aspect of my ssh rule I could use the -R (Replace) option for a specific rule number, and simply type in the new rule, i.e.

iptables -R INPUT 1 -p tcp -s --dport 22 -j ACCEPT

This would replace rule number 1 on the INPUT chain with the new rule which has a new source IP address and jumps to ACCEPT instead of logaccept.

One more example: I want to run a mini web server on my router. Let's assume that it is already running on port 8000 and I can access it from the LAN side, but not from the WAN side. With

iptables -I INPUT -p tcp -d --dport 8000 -j logaccept

the port 8000 will be opened. But I also have to setup NAT PREROUTING, so that the kernel forwards all packets on port 8000 from the outside to itself,

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 8000 -j DNAT --to

[edit] 端口转发至特定局域网IPPort Forwarding to a specific LAN IP

Port Forwarding can be accomplished from within the web interface here. However, the very same thing can be done a bit differently (tested and working), via command line. --u3gyxap: Example with port 443 and IP

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 443 -j DNAT --to
iptables -I FORWARD -p tcp -d --dport 443 -j ACCEPT

If you want to restrict the source IP (a question that is asked a lot on the forums), add -s to one of your rules (replacing the IP address with the real one of course).

iptables -t nat -I PREROUTING -p tcp -s -d $(nvram get wan_ipaddr) --dport 443 -j DNAT --to
iptables -I FORWARD -p tcp -d --dport 443 -j ACCEPT

This should make it so only one IP address is able to access your forwarded port from the Internet.

In order for me to get this to work (v.24) I needed to put the "-s" in the "iptables -I FORWARD" command also - When it was in the PREROUTING command only I was still able to access the internal resource from any IP address!

[edit] 拒绝登录特定IPDeny access to a specific IP address

iptables -I FORWARD -d -j DROP

Which would DROP all packets destined to the given IP. Useful to block access to whatnot. If you want to log the entry when the IP is blocked you would set the jump location to logdrop, instead of DROP.

[edit] 拒绝登录特定子网Deny access to a specific Subnet

iptables -I FORWARD -s -j DROP

[edit] Deny access to a specific IP address range with Logging

iptables -I FORWARD -m iprange --src-range -j logdrop

Many builds do not have the iprange match but you can use clever subnet masks to accomplish something similar as well, if the range aligns well on subnet boundaries. You may also be able to download a version of iptables that includes the iprange match via Optware.

[edit] Deny access to a specific Outbound IP address with logging

iptables -I OUTPUT -d -j logdrop

This becomes useful if there is a program that wants to gain an outbound connection to a specific address, but you don't want to allow the connection. In this specific example Windows uses this IP incorrectly as a broadcast address (search Google for more info). While viewing your router logs you will see Windows broadcast to this IP several times per minute. By default the router passes the broadcast and announces to everyone outside of your router that your PC exists. This rule will block traffic to this specific outbound IP and add an entry into the router log.

[edit] Block SMTP traffic except to specified hosts

Simple Mail Transfer Protocol operates on tcp port 25.

/usr/sbin/iptables -I FORWARD 1 -p tcp -d safe.server1.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 2 -p tcp -d safe.server2.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 3 -p tcp --dport 25 -j logdrop

Which would accept and log all smtp traffic to safe.server1.com and safe.server2.com, while blocking and dropping all other outgoing smtp traffic.

[edit] Block outgoing SMTP traffic except from specified hosts

Simple Mail Transfer Protocol operates on tcp port 25.

iptables -I FORWARD 1 -p tcp -s --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s --dport 25 -j REJECT

Which would accept outgoing SMTP traffic from your internal SMTP server ( but reject outgoing SMTP traffic from all other hosts on your LAN ( Useful to enforce all your LAN clients to use your internal SMTP server, as well as to block any viruses and spam-generating trojans from sending mail to remote servers on their own.

Change "REJECT" to "logdrop" or "ACCEPT" to "logaccept" to add logging.

Caution! This will also block internal users from using your external IP as their SMTP server.

[edit] Allow HTTP traffic only to specific domain(s)

Similarly, we can use the above method to filter other ports and protocols as well, such as standard web traffic operating on tcp port 80.

iptables -I FORWARD 1 -p tcp -d dd-wrt.com --dport 80 -j ACCEPT
iptables -I FORWARD 2 -p tcp --dport 80 -j DROP

Which would accept all http traffic to dd-wrt.com, while blocking outgoing http traffic to anywhere else. If you wish to allow multiple sites, insert additional rules before the DROP (making sure to order and number them correctly).

[edit] Block all traffic except HTTP HTTPS and FTP

This example blocks everything except our normal web traffic, encrypted (ssl), and the file transfer protocol.

iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP

Caution! Users are still able to get through the firewall if they are sly enough to use these permitted port numbers for their P2P or other application. In that case, you should consider using Access Restrictions to mitigate the possibility of that happening.

[edit] Reject clients from accessing the router's configuration

This should prevent clients on the LAN (interface br0) from accessing the configuration interface of the router through any of the following ports (telnet/23, ssh/22, http/80, https/443)

iptables -I INPUT -i br0 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br0 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br0 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br0 -p tcp --dport https -j REJECT --reject-with tcp-reset

Tip: If you disable management from the LAN, be sure to enable remote management on the WAN (or vice versa) or you will probably lock yourself out of the router.

[edit] Restrict access by MAC address

In this example, we will demonstrate how to restrict access to the router's web interface by MAC address. In other words, only the computer having the specified MAC address should be able to access the web interface from the LAN.

First, if there are no Access Restrictions policies enabled and filtering by MAC addresses, you may need to insert the iptables mac module manually:

insmod ipt_mac
iptables -I INPUT -p tcp --dport 80 -m mac ! --mac-source 00:12:34:56:78:9A -j REJECT --reject-with tcp-reset

Notice the ! (bang) which is another new concept introduced here. It means "NOT". So, by inspecting the rule closely, we see that it will REJECT packets destined to port 80 of the router so long as they do NOT originate from our computer with the desired MAC address.

Caution! As usual when dealing with MAC addresses, be aware that it is possible for malicious user(s) to spoof their MAC address with that of a trusted machine. You can help combat this by use of static ARP entries, VLANs, etc.

[edit] Modifying the TTL

The Time To Live is the maximum number of routers a packet will travel through before it is discarded. In certain situations, it may prove useful to increase it (typically) in order to make your network more reliable.

  • Example 1: Set the incoming TTL to 10, before the router routes it into the LAN
iptables -t mangle -I PREROUTING -i `nvram get wan_iface` -j TTL --ttl-set 10
  • Example 2: Set the outgoing TTL to 128, just as if a Windows machine was connected directly to the modem.
iptables -t mangle -I POSTROUTING -o `nvram get wan_iface` -j TTL --ttl-set 128
  • Example 3: Try to hide the fact that an outgoing packet was routed, by incrementing the TTL by one.
iptables -t mangle -I POSTROUTING -o `nvram get wan_iface` -j TTL --ttl-inc 1

[edit] Firewall Forwarded Ports

如果开启了DD-WRT的SPI 防火墙功能, 路由器会被很好的保护. 而iptables一个使用的用途是保护转发到内网IP的特定端口。这样做最简单的方法是:

  • 通过DD-WRT的web页面"端口转发"建立转现内网IP的端口转发。
  • Supplement those rules with custom iptables on the Firewall script found under Administration - Commands interface to restrict which hosts can access the ports involved

[edit] 端口转发例子

The current port forwarded setup via the web GUI will be used as the basis to illustrate some examples:

  • Application: ssh Port: 4022 Protocol: TCP forward to IP address: Port: 22
  • Application: ftp Port: 21 Protocol: TCP forward to IP address: Port: 21

The example here port forwards external IP on port 4022 to internal server for ssh and external port 21 to internal server for ftp.

[edit] 防火墙规则例子

你可能想限制ssh端口来防范脚本小子, and prevent brute force attack. 这样你可以限制一分钟可尝试建立3次新ssh链接. 任何进一步破解ssh端口的尝试会被丢弃:

iptables -I FORWARD -p tcp -d --dport 22 -j DROP
iptables -I FORWARD -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min -j ACCEPT
iptables -I FORWARD -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT

FTP access can also be limited to a certain network or network range in the following manner:

iptables -I FORWARD -p tcp -d --dport 21 -j DROP
iptables -I FORWARD -p tcp -s --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -s --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT

You can of course combine both, rate limit and IP addresses limiting. This following example limits ssh connection from with the same rate limit applied, along with the FTP rules all on the same script:

# limit SSH connection from script kiddies in Amazon's network
iptables -I FORWARD -p tcp -d --dport 22 -j DROP
iptables -I FORWARD -p tcp -s --dport 22 -m state --state NEW -m limit --limit 3/min -j ACCEPT
iptables -I FORWARD -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
# limit FTP connection to two subnets
iptables -I FORWARD -p tcp -d --dport 21 -j DROP
iptables -I FORWARD -p tcp -s --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -s --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT

For multiport INPUT (or FORWARD if you choose) rate limiting, the following syntax rules can be esstablshed:

wanf=`nvram get wan_iface`
iptables -I INPUT 2 -i $wanf -p tcp -m multiport --dports 21,22,80,82 -j logdrop
iptables -I INPUT 2 -i $wanf -p tcp -m state --state NEW -m multiport --dports 21,22,80,82 -m limit --limit 3/minute --limit-burst 2 -j logaccept

To verify that the rules are working, open a terminal session and type iptables -vnL | more

If you're adding a lot of rules, it helps to separate them with comments using the # prefix. You can of course use the basics of iptables explained in this article to make your rules more complex to suit your needs. However, instead of ordering the rules, the examples here merely insert these new ones on top of the FORWARD chain. This ensures that the firewall rules that limit traffic appear on top of the chain and gets applied first.

You may examine these rules on the router at anytime by accessing the router's command prompt and running the command "iptables -vnL"

[edit] Logging

You can consider turning on logging temporarily for any of your rules. This is useful if you're testing new setup to confirm that the rules are doing what you intend to block or allow. First enable logging via the web UI at Security - Firewall tab. Then substitute the jump target or "-j" to a logging target for each of your iptables rule:

  • DROP with logdrop
  • REJECT with logreject
  • ACCEPT with logaccept

Example if you wanted to check and confirm if traffic forwarded to port 21 is correctly dropped you would substitute:

iptables -I FORWARD -p tcp -d --dport 21 -j DROP


iptables -I FORWARD -p tcp -d --dport 21 -j logdrop

Logged data can be viewed on the web UI on the same page or on the command prompt in the file "/var/log/messages"

[edit] Firewall blocks DHCP renewal responses

iptables -I INPUT -p udp --dport 68 -j ACCEPT

The default configuration of the firewall blocks DHCP renewal responses which causes the router's DHCP client to request a new IP and for current connections to be dropped whether the address changes or not. ~phuzi0n Use this command to fix it. Replace ACCEPT with logaccept to verify it is functioning.

[edit] 警告

在开机程序中增加 iptables 命令会增加把自己困在盒子外面不能操作的风险,那样除了重新开始别无他法. 如果你在试验新的命令,在iptables命令之前增加一段等待的时间,可以避免陷入这种困境. 这样在命令起作用之前给自己,比如说5分钟(sleep 300)的时间。如果命令事与愿违,你又不能登陆,简单的通过关机重启,你就有5分钟时间能登陆进去.

[edit] 参见

[edit] 扩展资源