Analysis of the ebtables/iptables implementation and commands.
ebtables and iptables are both userspace configuration tools for netfilter on Linux. They install packet-filtering and packet-mangling rules at several key points of the link-layer (bridge) and network-layer processing paths.
ebtables works on link-layer information: VLAN tags, MAC addresses and the frames flowing through a bridge.
iptables works on IP-layer information and on layer-4 port information.
ebtables
Command examples:
1. Listing a table
ebtables -t filter -L    shows the filter table; this is also the table listed when -t is omitted
ebtables -t broute -L    shows the broute table
ebtables -t nat -L       shows the nat table
Output:
    Bridge table: filter
    Bridge chain: INPUT, entries: 0, policy: ACCEPT
    Bridge chain: FORWARD, entries: 0, policy: ACCEPT
    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
2. Adding a chain
ebtables -t filter -N jason -P ACCEPT    creates a user-defined chain named jason with policy ACCEPT
Output:
    # ebtables -t filter -L
    Bridge table: filter
    Bridge chain: INPUT, entries: 0, policy: ACCEPT
    Bridge chain: FORWARD, entries: 0, policy: ACCEPT
    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
    Bridge chain: jason, entries: 0, policy: ACCEPT
No traffic reaches this chain yet. A user-defined chain is not attached to any of the kernel's hook points; it only runs when a rule in a built-in chain (or in another chain that is itself reached) jumps to it.
3. Jumping into the chain from a built-in chain
ebtables -t filter -A INPUT -j jason
Output:
    # ebtables -t filter -L
    Bridge table: filter
    Bridge chain: INPUT, entries: 1, policy: ACCEPT
    -j jason
    Bridge chain: FORWARD, entries: 0, policy: ACCEPT
    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
    Bridge chain: jason, entries: 0, policy: ACCEPT
Frames that reach the bridge INPUT hook (frames addressed to the bridge device itself) now traverse jason. jason still has no rules and its policy is still ACCEPT, so at this point they are still accepted; the next step changes that.
4. Changing a chain's policy
ebtables -t filter -P jason DROP
Output:
    # ebtables -t filter -L
    Bridge table: filter
    Bridge chain: INPUT, entries: 1, policy: ACCEPT
    -j jason
    Bridge chain: FORWARD, entries: 0, policy: ACCEPT
    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
    Bridge chain: jason, entries: 0, policy: DROP
Now every frame that arrives at the INPUT hook is sent to jason, matches none of its (zero) rules, and is dropped by the chain's DROP policy. Note that this cuts off all traffic addressed to the bridge host itself, including the ARP and IP traffic needed to manage it over the bridge, unless an earlier INPUT rule accepts it.
5. Flushing a chain's rules
ebtables -t filter -F INPUT
Output after the flush:
    # ebtables -t filter -L
    Bridge table: filter
    Bridge chain: INPUT, entries: 0, policy: ACCEPT
    Bridge chain: FORWARD, entries: 0, policy: ACCEPT
    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
    Bridge chain: jason, entries: 0, policy: DROP
-F removes only the rules of the named chain: the jump to jason is gone, so INPUT is back to its ACCEPT policy, but the jason chain itself still exists with its DROP policy. Delete it with ebtables -t filter -X jason once nothing references it.
Rule syntax:
    ebtables [-t table] -[ACDI] chain rule-specification [match extensions] [watcher extensions] target
6. Rule-specification options:
    --proto -p [!] proto              : protocol, as a hexadecimal ethertype, by name, or LENGTH
    --src -s [!] address[/mask]       : source MAC address
    --dst -d [!] address[/mask]       : destination MAC address
    --in-if -i [!] name[+]            : input network interface name
    --out-if -o [!] name[+]           : output network interface name
    --logical-in [!] name[+]          : logical bridge input interface name
    --logical-out [!] name[+]         : logical bridge output interface name
    --set-counters -c chain pcnt bcnt : set the counters of the rule to be added
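The five-step procedure above and the option list, as one added script (this is example code written for this page, not from the original post). It builds a per-port MAC allow-list chain with the -i, -s and -p matches, hooks it in the order that keeps the chain inert until it is populated, and then audits an `ebtables -t filter -L` listing for user-defined chains that nothing jumps to, which is the situation described after step 2. EBT defaults to `echo`, so it runs without root or a bridge; set EBT=ebtables to apply the rules. The chain name `guard`, the port `eth1`, the MAC address and the two listings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. EBT defaults to "echo"
# (dry run); set EBT=ebtables to apply the rules for real.
EBT="${EBT:-echo}"

# port_allowlist CHAIN PORT MAC
# Frames entering the bridge on PORT are accepted only if their source MAC is
# MAC; VLAN-tagged frames (ethertype 0x8100) and every other source are dropped.
port_allowlist() {
    chain="$1"; port="$2"; mac="$3"
    $EBT -t filter -N "$chain" -P ACCEPT                  # step 2: inert until referenced
    $EBT -t filter -A "$chain" -p 0x8100 -j DROP          # -p: no tagged frames on an access port
    $EBT -t filter -A "$chain" -s "$mac" -j ACCEPT        # -s: the one permitted station
    # Hook the chain only after it is populated, so it never sees traffic while
    # half-built. -i on the jump limits it to frames from PORT; both INPUT (to the
    # bridge host) and FORWARD (bridged frames) have to be covered.
    $EBT -t filter -A INPUT -i "$port" -j "$chain"
    $EBT -t filter -A FORWARD -i "$port" -j "$chain"
    $EBT -t filter -P "$chain" DROP                       # step 4: everything else is dropped
}

# orphan_chains < listing
# Prints the user-defined chains in an `ebtables -t filter -L` listing that no
# rule jumps to. Rules in such a chain never run: only the built-in chains are
# attached to the kernel hooks.
orphan_chains() {
    awk '
        /^Bridge chain:/ {
            name = $3; sub(/,$/, "", name)
            if (name != "INPUT" && name != "FORWARD" && name != "OUTPUT" &&
                name != "PREROUTING" && name != "POSTROUTING" && name != "BROUTING")
                user[name] = 1
        }
        { for (i = 1; i < NF; i++) if ($i == "-j") referenced[$(i + 1)] = 1 }
        END { for (c in user) if (!(c in referenced)) print c }
    ' | sort
}

# Constructed listings in the format shown above (not real captures).
LISTING_UNHOOKED='Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP'

LISTING_HOOKED='Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j jason
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP'

port_allowlist guard eth1 00:11:22:33:44:55
printf '%s\n' "$LISTING_UNHOOKED" | orphan_chains   # prints: jason
printf '%s\n' "$LISTING_HOOKED" | orphan_chains     # prints nothing
```

The policy is set to DROP last on purpose: while the chain is being filled, and in the dry run, nothing can be cut off by a half-built allow list. The audit only reads `-j` targets, so a chain reached through `--atomic-commit` files or a second table is still reported by name and should be checked against that table's listing too.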
The iptables/ebtables flow diagrams that circulate online are wrong; the figure that corrected the positions of the tables is not reproduced on this page. For reference, the chain placement that ebtables itself documents is: the broute table's BROUTING chain runs first, as soon as a frame is received, and decides whether the frame is bridged or handed to the IP stack; the nat table's PREROUTING chain follows; a bridged frame then passes the filter table's FORWARD chain, while a frame delivered to the local host passes the filter table's INPUT chain; locally generated frames pass the nat and filter OUTPUT chains; and the nat table's POSTROUTING chain is the last hook before transmission.
Related references and links:
- Ebtables explained: http://www.cnblogs.com/peteryj/archive/2011/07/24/2115602.html
- Iptables explained: http://blog.csdn.net/reyleon/article/details/12976341
- iptables summary: http://blog.csdn.net/xingliyuan22/article/details/9152037
- ebtables commands: http://blog.csdn.net/rudyn/article/details/28630495
Use cases:
1. NAT loopback (hairpin NAT)
https://unix.stackexchange.com/questions/282086/how-does-nat-reflection-nat-loopback-work
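The rule set that NAT loopback needs, as an added example written for this page (not code from the original post or from the linked answer). A client on the LAN connects to the router's public address and port; the router must DNAT that connection to the internal server exactly as it does for Internet clients, and must also SNAT the client so the server's reply comes back through the router instead of going straight to the client, which would discard it because it expects a reply from the public address. IPT defaults to `echo` (dry run); set IPT=iptables to apply. The interface `eth0`, the addresses and port 80 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. IPT defaults to "echo"
# (dry run); set IPT=iptables to apply the rules for real.
IPT="${IPT:-echo}"

# nat_loopback WAN_IF WAN_IP LAN_NET SERVER_IP PORT
nat_loopback() {
    wan_if="$1"; wan_ip="$2"; lan_net="$3"; server="$4"; port="$5"

    # Ordinary port forward for connections arriving from the Internet.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$wan_ip" --dport "$port" \
        -j DNAT --to-destination "$server:$port"

    # Hairpin: the same DNAT for connections that start on the LAN and target
    # the public address. Without it the router delivers them to its own INPUT
    # chain, because WAN_IP is a local address, instead of to the server.
    $IPT -t nat -A PREROUTING ! -i "$wan_if" -s "$lan_net" -p tcp -d "$wan_ip" --dport "$port" \
        -j DNAT --to-destination "$server:$port"

    # POSTROUTING runs after DNAT, so -d already matches the server. Masquerade
    # the client behind the router's LAN address; otherwise the server replies
    # directly to the client, which expects the reply from WAN_IP and drops it.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -d "$server" -p tcp --dport "$port" -j MASQUERADE

    # From the router's point of view the hairpinned flow is LAN-to-LAN
    # forwarding; allow it explicitly in case FORWARD would otherwise drop it.
    $IPT -A FORWARD -s "$lan_net" -d "$server" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

nat_loopback eth0 203.0.113.10 192.168.1.0/24 192.168.1.20 80
```

The cost of the MASQUERADE rule is that the server sees every hairpinned client as the router's LAN address, so server-side logs and per-client access controls lose the real source; the alternative is split-horizon DNS that resolves the public name to the server's LAN address for internal clients, which needs no hairpin at all.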
The ebtables/iptables rule set on my device (the ebtables version there):
    # ebtables
    ebtables v2.0.8-2 (May 2007)
    Usage:
    ebtables -[ADI] chain rule-specification [options]
    ebtables -P chain target
    ebtables -[LFZ] [chain]
    ebtables -[NX] [chain]
    ebtables -E old-chain-name new-chain-name

    Commands:
    --append -A chain                : append to chain
    --delete -D chain                : delete matching rule from chain
    --delete -D chain rulenum        : delete rule at position rulenum from chain
    --change-counters -C chain [rulenum] pcnt bcnt : change counters of existing rule
    --insert -I chain rulenum        : insert rule at position rulenum in chain
    --list -L [chain]                : list the rules in a chain or in all chains
    --flush -F [chain]               : delete all rules in chain or in all chains
    --init-table                     : replace the kernel table with the initial table
    --zero -Z [chain]                : put counters on zero in chain or in all chains
    --policy -P chain target         : change policy on chain to target
    --new-chain -N chain             : create a user defined chain
    --rename-chain -E old new        : rename a chain
    --delete-chain -X [chain]        : delete a user defined chain
    --atomic-commit                  : update the kernel w/t table contained in <FILE>
    --atomic-init                    : put the initial kernel table into <FILE>
    --atomic-save                    : put the current kernel table into <FILE>
    --atomic-file file               : set <FILE> to file

    Options:
    --proto -p [!] proto             : protocol hexadecimal, by name or LENGTH
    --src -s [!] address[/mask]      : source mac address
    --dst -d [!] address[/mask]      : destination mac address
    --in-if -i [!] name[+]           : network input interface name
    --out-if -o [!] name[+]          : network output interface name
    --logical-in [!] name[+]         : logical bridge input interface name
    --logical-out [!] name[+]        : logical bridge output interface name
    --set-counters -c chain pcnt bcnt : set the counters of the to be added rule
    --modprobe -M program            : try to insert modules using this program
    --version -V                     : print package version

    Environment variable:
    EBTABLES_ATOMIC_FILE             : if set <FILE> (see above) will equal its value

    Standard targets: DROP, ACCEPT, RETURN or CONTINUE;
    The target can also be a user defined chain.

    Supported chains for the filter table:
    INPUT FORWARD OUTPUT
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5555
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5555
    DROP       udp  --  anywhere             anywhere             udp dpt:5555
    DROP       udp  --  anywhere             anywhere             udp dpt:5555
    SPI_FW     all  --  anywhere             anywhere
    ACL        all  --  anywhere             anywhere
    FIREWALL   all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ipfilter_chain    all  --  anywhere             anywhere
    url_filter_chain  tcp  --  anywhere             anywhere             multiport dports http
    app_filter_chain  tcp  --  anywhere             anywhere
    app_filter_chain  udp  --  anywhere             anywhere
    TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    FORWARD_WAN  all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain ACL (1 references)
    target     prot opt source               destination

    Chain FIREWALL (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7547
    ACCEPT     udp  --  anywhere             anywhere             multiport dports 35060,5060,41000:42000
    ACCEPT     tcp  --  anywhere             anywhere             multiport dports domain,http,domain,telnet
    ACCEPT     udp  --  anywhere             anywhere             multiport dports domain,bootps,dhcpv6-server,domain,55676
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    ACCEPT     tcp  --  anywhere             anywhere             multiport sports domain
    ACCEPT     udp  --  anywhere             anywhere             multiport sports domain
    ACCEPT     udp  --  anywhere             anywhere             multiport dports domain
    ACCEPT     icmp --  anywhere             anywhere             limit: avg 100/sec burst 150
    ACCEPT     igmp --  anywhere             anywhere             limit: avg 100/sec burst 5
    DROP       all  --  anywhere             anywhere             state INVALID,NEW

    Chain FORWARD_WAN (1 references)
    target     prot opt source               destination

    Chain SPI_FW (1 references)
    target     prot opt source               destination

    Chain app_filter_chain (2 references)
    target     prot opt source               destination

    Chain ipfilter_chain (1 references)
    target     prot opt source               destination

    Chain url_filter_chain (1 references)
    target     prot opt source               destination
Two things to keep in mind when reading this listing. First, the INPUT chain ends in FIREWALL, whose last rule drops every NEW or INVALID packet not accepted above it, so the effective INPUT policy is deny-by-default even though the chain policy reads ACCEPT. Second, iptables -L without -v hides the interface matches, so the listing cannot show whether the ACCEPT rules for telnet, microsoft-ds and TCP 7547 (the TR-069/CWMP management port) are restricted to the LAN side; run iptables -L -n -v before drawing conclusions about what is exposed on the WAN.