firewalld
一 iptables
1 )三張表五條鏈(常用的三張爲filter、nat、mangle;較新的內核另有raw與security表,本筆記不涉及)
1 filter:input:通過路由表之後目的地爲本機
output:由本機產生,向外轉發
forward:通過路由表之後,目的地不爲本機
2 nat:prerouting:數據包做路由決策之前(DNAT/目的地址轉換在此處做)
postrouting:數據包做完路由決策、即將離開本機之前(SNAT/MASQUERADE 在此處做)
input
output
3 mangle:prerouting,postrouting,input,output,forward
2 )配置
在配置iptables之前,如果firewalld是開啓的,要先stop和disable(systemctl stop firewalld; systemctl disable firewalld),不然兩個服務會同時修改內核中的netfilter規則而互相干擾;在RHEL 7上還需安裝iptables-services套件,之後的service iptables save纔可用
iptables -L:列出指定表的策略(加上-v才會顯示-i/-o的介面與計數器,否則像-i lo這樣的規則會顯示成0.0.0.0/0 → 0.0.0.0/0,看起來像是"允許所有")
-n:不做解析
-A:添加策略
-t:指定表名稱
-F:刷掉表中的所有策略,不用-t指定表名稱時,默認爲filter表
-p:網絡協議
--dport:端口
-s:數據來源
-j:動作
-N:增加鏈
-E:改變鏈的名稱
-X:刪除鏈
-D:刪除策略
-I:插入策略
-R:修改策略
-P:修改默認策略
ACCEPT:允許
REJECT:拒絕
DROP:丟棄
iptables -nL###沒有指定表,默認爲filter表,查看filter表的策略###
iptables -t filter###指定表名稱爲filter表###
iptables -F ###刷掉filter表中的所有策略,當沒有-t指定表名稱時默認爲filter表;注意:若默認策略已是DROP,刷掉規則後遠端連線會立刻中斷###
service iptables save ###保存當前策略到/etc/sysconfig/iptables,不保存的話重啓後規則會丟失###
iptables -A INPUT -i lo -j ACCEPT###允許lo###
iptables -A INPUT -p tcp --dport 22 -j ACCEPT###允許訪問22端口###
iptables -A INPUT -s 172.25.254.250 -j ACCEPT ###允許250主機訪問本機所有端口###
iptables -A INPUT -j REJECT ###拒絕其餘所有來源;這條必須放在最後,前面沒有明確ACCEPT的流量(包括遠端ssh)都會被拒絕,所以要先加上lo和22端口的允許規則再加這一條###
測試:
策略讀取的順序是逐條讀取的,讀到滿足條件了,就不再往下讀
查看78主機能否訪問22端口
除了250主機以外的其他主機訪問80端口應被拒絕(被最後一條REJECT規則匹配),250主機則能訪問所有端口
yum install links -y
links http://172.25.254.112
iptables -N redhat###增加鏈redhat##
iptables -E redhat westos###改變鏈名稱###
iptables -X westos ###刪除鏈westos###
iptables -D INPUT 2###刪除第二條策略###
iptables -I INPUT -p tcp --dport 80 -j REJECT###插入策略,不指定時默認爲插入第一條策略 ####
iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT ###修改策略###
iptables -P INPUT DROP ###修改默認策略;務必在lo、22端口及RELATED,ESTABLISHED的允許規則都就位之後再改成DROP,否則遠端會話會立刻斷開,而且之後執行iptables -F會把自己鎖在外面###
過程如下:
[root@desktop12 ~]# iptables -N redhat###增加鏈redhat##
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain redhat (0 references)
target prot opt source destination
[root@desktop12 ~]# iptables -E redhat westos###改變鏈名稱###
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain westos (0 references)
target prot opt source destination
[root@desktop12 ~]# iptables -X westos ###刪除鏈westos###
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]# iptables -D INPUT 2###刪除第二條策略###
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]# iptables -I INPUT -p tcp --dport 80 -j REJECT###插入策略,不指定時默認爲插入第一條策略 ####
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]# iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT ###修改策略###
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]# iptables -P INPUT DROP###修改默認策略###
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 172.25.254.12 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]#
[root@desktop12 ~]# iptables -P INPUT ACCEPT
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 172.25.254.12 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]#
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ###添加策略,狀態爲RELATED,ESTABLISHED的允許連接;這條要放在最前面,已建立的連線纔不會被後面的規則逐條比對###
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT ###允許lo且狀態爲new###
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ###允許連接22端口且狀態爲new###
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT ###允許連接80端口且狀態爲new###
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT ###允許連接443端口且狀態爲new###
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT ###允許連接53端口且狀態爲new;DNS主要走UDP,需另加-p udp --dport 53才完整。注意:此時INPUT鏈默認策略仍是ACCEPT(見下方輸出),這些允許規則要配合iptables -P INPUT DROP或末尾的REJECT規則才真正起到限制作用###
過程如下:
[root@desktop12 ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@desktop12 ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
[root@desktop12 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@desktop12 ~]# vim /etc/sys
sysconfig/ sysctl.d/ system-release
sysctl.conf systemd/ system-release-cpe
[root@desktop12 ~]# vim /etc/sysconfig/iptables
[root@desktop12 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@desktop12 ~]#
sysctl -a | grep forward###查看forward的內核參數###
vim /etc/sysctl.conf
內容:
net.ipv4.ip_forward = 1###開啓內核路由功能###
sysctl -p###立即生效###
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.100 ###添加策略,從eth1送出的數據包做源地址轉換,源IP改寫爲172.25.254.100(注意--to-source與IP之間要有空格)###
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.12.10 ###添加策略,從eth1進入的數據包做目的地址轉換,目的IP改寫爲172.25.12.10(DNAT改的是目的地址,不是"僞裝")。注意:沒有-p/--dport限定時,從eth1進來的所有流量(包括對本機22端口的ssh)都會被轉到172.25.12.10,實際使用應限定協議與端口,如-p tcp --dport 80;同一鏈上再追加第二條無條件DNAT(如下面轉到172.25.12.11)永遠不會被匹配到###
過程如下:
[root@localhost ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.100
[root@localhost ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.100
[root@localhost ~]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
[root@localhost ~]# vim /etc/sysctl.conf
[root@localhost ~]# sysctl -p
sysctl: /etc/sysctl.conf(5): invalid syntax, continuing...
[root@localhost ~]# vim /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.112
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 DNAT --to-dest 172.25.12.10
Bad argument `DNAT'
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.12.10
[root@localhost ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.12.10
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.112
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.12.11
[root@localhost ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.12.10
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.12.11
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.112
[root@localhost ~]#
(二)firewalld
一 定義:
動態防火牆後臺程序 firewalld 提供了一個 動態管理的防火牆,用以支持網絡 “ zones” ,以分配對一個網絡及其相關鏈接和界面一定程度的信任,它還具備一個通向服務或者應用程序以直接增加防火牆規則的接口,而iptables則是對協議的端口進行限制。
二 與iptables的區別:
1 firewalld和iptables service 之間最本質的不同是:
iptables service 在 /etc/sysconfig/iptables 中儲存配置,而 firewalld將配置儲存在/usr/lib/firewalld/ 和 /etc/firewalld/ 中的各種XML文件裏.
2 使用 iptables service每一個單獨更改意味着清除所有舊有的規則和從/etc/sysconfig/iptables裏讀取所有新的規則,然而使用 firewalld卻不會再創建任何新的規
則;僅僅運行規則中的不同之處。因此,firewalld可以在運行時間內,改變設置而不丟失現
行連接。
三 區域
基於用戶對網絡中設備和交通所給與的信任程度,防火牆可以用來將網絡分割成不同的區域。
NetworkManager通知firewalld一個接口歸屬某個區域,新加入的接口被分配到默認區域。
網絡區名稱 默認配置
1 trusted( 信任 ) 可接受所有的網絡連接
2 home( 家庭 ) 用於家庭網絡,僅接受ssh、mdns、ipp-client、samba-client或dhcpv6-client服務連接
4 internal( 內部 ) 用於內部網絡,僅接受ssh、mdns、ipp-client、samba-client、dhcpv6-client服務連接
6 work( 工作 ) 用於工作區,僅接受ssh、ipp-client或dhcpv6-client服務連接
7 public( 公共 ) 在公共區域內使用,僅接受ssh或dhcpv6-client服務連接,爲firewalld的默認區域
8 external( 外部 ) 出去的ipv4網絡連接通過此區域僞裝和轉發,僅接受ssh服務連接
9 dmz( 非軍事區 ) 僅接受ssh服務接連
10 block( 限制 ) 拒絕所有網絡連接
11 drop( 丟棄 ) 任何接收的網絡數據包都被丟棄,沒有任何回覆
四 配置防火牆
1)使用圖形配置方式:
firewall-config(圖形工具的命令名是firewall-config,需安裝firewall-config套件)
圖
配置完後,Configuration下拉框要選Permanent(否則只是運行時設定,重啓後丟失),再到Options菜單選Reload Firewalld使永久設定生效
2 )使用命令行接口配置
1 firewall-cmd --state###查看firewalld狀態###
2 firewall-cmd --get-active-zones ###查看當前活動的區域,並附帶一個目前分配給它們的接口列表:###
3 firewall-cmd --get-default-zone ###查看默認區域:###
4 firewall-cmd --get-zones###查看所有可用區域:###
5 firewall-cmd --zone=public --list-all###列出指定域的所有設置:###
6 firewall-cmd --get-services###列出所有預設服務:###
過程如下:
[root@localhost ~]# firewall-cmd --state ###查看firewalld狀態###
running
[root@localhost ~]# firewall-cmd --get-active-zones ###查看當前活動的區域,並附帶一個目前分配給它們的接口列表:###
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
[root@localhost ~]# firewall-cmd --get-default-zone ###查看默認區域:###
public
[root@localhost ~]# firewall-cmd --get-zones###查看所有可用區域:###
ROL block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --zone=public --list-all ###列出指定域的所有設置:###
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --get-services###列出所有預設服務:###
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
7 firewall-cmd --set-default-zone=trusted###修改默認區域爲trusted###
過程如下:
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# firewall-cmd --set-default-zone=trusted###修改默認區域爲trusted###
success
[root@localhost ~]# firewall-cmd --get-default-zone
trusted
測試:
修改前區域爲public:訪問172.25.254.112
8 firewall-cmd --permanent --add-source=172.25.254.78 ###把來源78綁定到默認區域(未指定--zone時即public),即78主機的流量一律按public區域的規則處理;這並不是"放行78主機",78能連什麼仍由public區域允許的服務決定###
9 firewall-cmd --reload###添加了永久設定之後,要重新加載###
10 firewall-cmd --permanent --remove-source=172.25.254.78###刪除該策略###
11 firewall-cmd --permanent --zone=trusted --add-source=172.25.254.78 ###把來源78綁定到trusted區域,trusted區域接受所有連接,所以78主機可以訪問本機所有端口;這等於對該來源完全不過濾,生產環境應優先選較嚴格的區域再按需--add-service###
過程如下:
[root@localhost ~]# firewall-cmd --permanent --add-source=172.25.254.12 ###12主機在訪問時一直走public區域###
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.12
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --permanent --remove-source=172.25.254.12
success###刪除策略###
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=172.25.254.12###12主機允許訪問###
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --remove-source=172.25.254.12
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
12 firewall-cmd --remove-interface=eth0 --zone=public ###將eth0從public下摘除###
13 firewall-cmd --add-interface=eth0 --zone=trusted ###將eth0添加到trusted區域下(未加--permanent時爲運行時設定,重啓或reload後失效;由NetworkManager管理的介面,其區域以連線配置中的zone設定爲準)###
14 firewall-cmd --add-service=http --zone=public###在public區域下添加http服務###
15 firewall-cmd --list-ports ###列出開啓的端口###
16 firewall-cmd --add-port=53/tcp###添加53端口,tcp協議###
過程如下:
[root@localhost ~]# firewall-cmd --remove-interface=eth0 --zone=public ###將eth0從public下摘除###
success
[root@localhost ~]# firewall-cmd --add-interface=eth0 --zone=trusted ###將eth0添加到trusted區域下###
success
[root@localhost ~]# firewall-cmd --add-service=http --zone=public###在public區域下添加http服務###
success
[root@localhost ~]# firewall-cmd --list-ports ###列出端口###
[root@localhost ~]# firewall-cmd --add-port=53/tcp###添加53端口,tcp協議###
success
[root@localhost ~]# firewall-cmd --list-ports ###列出端口###
53/tcp
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports: 53/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
17 firewall-cmd --remove-service=ssh ###刪除public區域的ssh服務;運行時設定會立即生效,若當前是通過ssh遠端操作且沒有其他放行ssh的規則,執行後會失去連線,操作前先確認有其他管理通道###
18 firewall-cmd --direct --get-all-rules ###查詢寫過的策略###
19 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.12 -p tcp --dport 22 -j ACCEPT ###在filter表INPUT鏈最前面(優先級0)加一條直接規則:除12主機以外的來源允許連接22端口。注意:這條只是"允許其他人",並沒有拒絕12主機;只要public區域仍列有ssh服務(見下方--list-all輸出),12主機照樣能ssh連上。要真正禁止12主機需另加-s 172.25.254.12 -p tcp --dport 22 -j REJECT的direct規則或把ssh從區域中移除。未加--permanent時爲運行時設定###
過程如下:
[root@localhost ~]# firewall-cmd --direct --get-all-rules ###查詢寫過的策略###
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.12 -p tcp --dport 22 -j ACCEPT###添加策略,除了12主機都可以ssh連接上###
success
[root@localhost ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 '!' -s 172.25.254.12 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]#
五 轉發與僞裝
1)轉發
1 firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.212 ###當訪問該主機的22端口時,轉發到172.25.254.212的22端口;轉發到其他主機需要內核開啓轉發並在該區域打開masquerade(下一條),而且轉發生效後對本機22端口的ssh連線會被送到212,本機自身的sshd將無法再經此端口訪問###
2 firewall-cmd --add-masquerade ###在默認區域打開僞裝(SNAT)功能,經本機轉發出去的數據包源地址改爲出口介面的地址;未加--permanent時爲運行時設定###
過程如下:
[root@localhost ~]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.1###當訪問該主機的22端口時,轉發到172.25.254.1的22端口###
success
[root@localhost ~]# firewall-cmd --add-masquerade###打開僞裝功能###
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.1
icmp-blocks:
rich rules:
[root@localhost ~]#
2 )僞裝:
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.100 masquerade' ###只對源地址爲172.25.254.100的數據包做僞裝:來自100主機、經本機轉發出去的數據包,其源地址改寫爲本機出口介面的地址。這裏的source address是被僞裝的來源,而不是"僞裝成100"
過程如下:
[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.100 masquerade' ###只對源地址爲172.25.254.100且經本機轉發的數據包做僞裝(源地址改爲本機出口介面地址)
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.212
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.254.100" masquerade
[root@localhost ~]#