This article uses the author's own OpenWrt router as an example to describe the system's default iptables rules, focusing on the firewall part, and on that basis gives the author's understanding and recommendations.
The author's OpenWrt router has two WAN ports (eth1 and usb0) and two LAN segments (br-lan and eth0.3).
Default rules
mangle
root@OpenWrt:~# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 44977 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
 121K   52M fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 2556 packets, 297K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 36714 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
97385   49M mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1982 packets, 232K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 38696 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fwmark (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain mssfix (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6195  317K TCPMSS     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      usb0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
root@OpenWrt:~#
As you can see, the mangle table really contains just one effective set of rules: clamping the TCP MSS of SYN packets leaving the WAN interfaces to the path MTU. For details see the article (TCPMSS and PMTU in iptables miscellany).
raw
root@OpenWrt:~# iptables -t raw -nvL
Chain PREROUTING (policy ACCEPT 121K packets, 52M bytes)
 pkts bytes target     prot opt in     out     source               destination
 121K   52M delegate_notrack  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5682 packets, 790K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain delegate_notrack (1 references)
 pkts bytes target     prot opt in     out     source               destination
root@OpenWrt:~#
The raw table is practically empty.
nat
A long listing, but it really does only two things:
root@OpenWrt:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 19867 packets, 1639K bytes)
 pkts bytes target     prot opt in     out     source               destination
19949 1645K delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1256 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1179 packets, 81701 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 2176 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4635  267K delegate_postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4635  267K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
   11  2525 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_postrouting  all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
 4623  264K zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    1   328 zone_wan_postrouting  all  --  *      usb0    0.0.0.0/0            0.0.0.0/0

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
19949 1645K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
 5032  338K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_prerouting  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0
14917 1307K zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_prerouting  all  --  usb0   *       0.0.0.0/0            0.0.0.0/0

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
   11  2525 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */

Chain zone_lan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
 5032  338K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
 4624  264K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
 4624  264K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
14917 1307K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
root@OpenWrt:~#
- It defines the chain framework: any rules added later can be placed in these user-defined chains.
- Packets going out through a WAN interface get source-address masquerading (MASQUERADE).
filter
root@OpenWrt:/etc/config# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  328 26094 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6714 5451K delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  330 47229 delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6714 5451K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
 6637 5447K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   77  3889 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_forward  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  usb0   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  328 26094 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
  308 22692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   11   704 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_input  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0
    9  2698 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_input  all  --  usb0   *       0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  330 47229 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  299 45081 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_output  all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
   31  2148 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_output  all  --  *      usb0    0.0.0.0/0            0.0.0.0/0

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination
   77  3889 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
   77  3889 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
   11   704 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   11   704 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   704 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
  108  6037 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2698 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    9  2698 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination
   31  2148 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   31  2148 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2698 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  usb0   *       0.0.0.0/0            0.0.0.0/0
root@OpenWrt:/etc/config#
As you can see, the filter table is fairly complex, but there are not many rules that actually do anything:
Loopback traffic: INPUT->delegate_input->ACCEPT
User-defined rule chain: INPUT->delegate_input->input_rule (currently empty)
ctstate RELATED,ESTABLISHED: INPUT->delegate_input->ACCEPT
ctstate INVALID: INPUT->delegate_input->DROP
SYN-flood protection: INPUT->delegate_input->syn_flood, implemented with the limit match extension
LAN rules: INPUT->delegate_input->zone_lan_input
- custom rules: INPUT->delegate_input->zone_lan_input->input_lan_rule
- ctstate DNAT: INPUT->delegate_input->zone_lan_input->ACCEPT
- LAN default action: INPUT->delegate_input->zone_lan_input->zone_lan_src_ACCEPT->ACCEPT
Traffic arriving on the WAN: INPUT->delegate_input->zone_wan_input
- custom rules: INPUT->delegate_input->zone_wan_input->input_wan_rule
- allow ping: INPUT->delegate_input->zone_wan_input->ACCEPT
- ctstate DNAT: INPUT->delegate_input->zone_wan_input->ACCEPT
- WAN default action: INPUT->delegate_input->zone_wan_input->zone_wan_src_DROP->DROP
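The walk through the INPUT path that the list above does by hand can be automated, which is useful when checking what a router's firewall actually does after custom rules have been added to the user chains. The script below is an added example, not code from the original post or from OpenWrt. SAMPLE is a constructed subset of the filter table listing above (only the chains reachable from INPUT, with the LAN side reduced to br-lan and the WAN side to eth1); trace_chain and trace_sample are assumed helper names. The awk program records every chain in the dump, then follows each jump into a user-defined chain recursively and prints the full path to every terminal target together with the match that selects it, marking empty user hooks and finishing with the built-in chain's fall-through policy.

```shell
#!/bin/sh
# Added example: walk the INPUT path of an `iptables -nvL` dump and print
# every rule as a jump chain (INPUT->delegate_input->...->TARGET).
# SAMPLE is a constructed subset of the filter table shown in the post.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  328 26094 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  328 26094 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
  308 22692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   11   704 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    9  2698 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
   11   704 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   11   704 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   704 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2698 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    9  2698 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_src_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2698 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
'

# trace_chain START reads an `iptables -nvL` dump on stdin and prints every
# reachable rule as START->...->TARGET with the match that selects it.
# Jumps into user-defined chains are followed; empty user chains are flagged.
trace_chain() {
    awk -v start="$1" '
    /^Chain / {
        chain = $2; n[chain] = 0
        if ($3 == "(policy") policy[chain] = $4   # built-in chains carry a default policy
        next
    }
    /^ *pkts +bytes/ || NF == 0 { next }          # column header and blank separators
    {
        n[chain]++                                # fields: pkts bytes target prot opt in out src dst [matches]
        target[chain, n[chain]] = $3
        m = "prot=" $4 " in=" $6 " out=" $7
        for (i = 10; i <= NF; i++) m = m " " $i    # match extensions and comments, if any
        mtch[chain, n[chain]] = m
    }
    function walk(c, path,   i, t) {
        for (i = 1; i <= n[c]; i++) {
            t = target[c, i]
            if (!(t in n)) { print path "->" t "  [" mtch[c, i] "]"; continue }          # verdict or RETURN
            if (n[t] == 0) { print path "->" t "  [" mtch[c, i] "] (empty)"; continue }  # unused user hook
            print path "->" t "  [" mtch[c, i] "] (jump)"
            walk(t, path "->" t)
        }
    }
    END {
        if (!(start in n)) { print "no such chain: " start; exit 1 }
        walk(start, start)
        if (start in policy) print start " fall-through policy: " policy[start]
    }'
}

# Convenience wrapper that runs the tracer over the constructed sample.
trace_sample() { printf '%s\n' "$SAMPLE" | trace_chain "$1"; }

trace_sample INPUT
```

On a live router the same tracer can be fed directly, e.g. `iptables -nvL -t filter | trace_chain INPUT`, and `trace_chain FORWARD` works the same way once the dump includes the FORWARD chains. Counters are ignored; only the chain structure matters, so the output reflects what a packet can hit regardless of whether anything has hit it yet.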