firewalld

firewalld

 

 

iptables

 

1 )三张表五条链

 

1 filter:input:通过路由表之后目的地为本机

  output:由本机产生,向外转发

  forward:通过路由表之后,目的地不为本机

 

 

2 nat:prerouting:数据包进入路由表之前

postrouting:数据包进入路由表之后

input

output

 

 

 

3 mangle:prerouting,postrouting,input,output,forward

 

2 )配置

 

在配置iptables之前,如果firewalld是开启的,要先stop并disable,否则两者会同时改写同一套内核规则而互相干扰

 

iptables -L:列出指定表的策略

-n:不做解析

-A:添加策略

-t:指定表名称

-F:刷掉表中的所有策略,不用-t指定表名称时,默认为filter表

-p:网络协议

--dport:端口

-s:数据来源

-j:动作

-N:增加链

-E:改变链的名称

-X:删除链

-D:删除策略

-I:插入策略

-R:修改策略

-P:修改默认策略

ACCEPT:允许

REJECT:拒绝

DROP:丢弃

(命令后面的 ###...### 只是说明,复制执行时不要带上,否则会作为参数传给 iptables)

iptables -nL ###没有指定表,默认为filter表,查看filter表的策略###

iptables -t filter -nL ###指定表名称为filter表(-t 只选择表,要和 -L/-A 等命令一起使用)###

iptables -F ###刷掉filter表中的所有策略,当没有-t指定表名称时默认为filter表###

service iptables save ###保存当前策略###

iptables -A INPUT -i lo -j ACCEPT ###允许lo###

iptables -A INPUT -p tcp --dport 22 -j ACCEPT ###允许访问22端口###

iptables -A INPUT -s 172.25.254.250 -j ACCEPT ###允许250主机访问本机所有端口###

iptables -A INPUT -j REJECT ###拒绝其余所有主机的数据来源,因为策略逐条匹配,这条必须放在最后###

 

 wKiom1ktj7vCwWRvAACsresxSHQ118.png


测试:

策略读取的顺序是逐条读取的,读到满足条件了,就不再往下读

查看78主机能否访问22端口

wKioL1ktj-bwv2uDAABL0R-NaYw352.png

除了250主机以外的其他主机访问80端口

yum install links -y

links http://172.25.254.112

 

wKioL1ktj_TQeknrAAAYpBWyZ9o771.png

 

 

 

iptables -N redhat ###增加链redhat###

iptables -E redhat westos ###改变链名称###

iptables -X westos ###删除链westos###

iptables -D INPUT 2 ###删除第二条策略###

iptables -I INPUT -p tcp --dport 80 -j REJECT ###插入策略,不指定位置时默认插入为第一条策略###

iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT ###修改第一条策略###

iptables -P INPUT DROP ###修改默认策略为DROP; 远程操作前先确认已放行lo和22端口,否则会把自己锁在外面###

 

过程如下:

[root@desktop12 ~]# iptables -N redhat###增加链redhat##

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain redhat (0 references)

target     prot opt source               destination         

[root@desktop12 ~]# iptables -E redhat westos###改变链名称###

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain westos (0 references)

target     prot opt source               destination         

[root@desktop12 ~]# iptables -X westos ###删除链westos###

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

[root@desktop12 ~]# iptables -D INPUT 2###删除第二条策略###

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

[root@desktop12 ~]# iptables -I INPUT -p tcp --dport 80  -j REJECT###插入策略,不指定时默认为插入第一条策略 ####

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination          

[root@desktop12 ~]# iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT ###修改策略###

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination   

[root@desktop12 ~]# iptables -P INPUT DROP###修改默认策略###

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy DROP)

target     prot opt source               destination         

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

ACCEPT     all  --  172.25.254.12        0.0.0.0/0           

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

[root@desktop12 ~]#

[root@desktop12 ~]# iptables -P INPUT  ACCEPT

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

ACCEPT     all  --  172.25.254.12        0.0.0.0/0           

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

[root@desktop12 ~]#

 

 

 

 

 

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ###添加策略,状态为RELATED,ESTABLISHED的允许连接###

iptables -A INPUT -i lo -m state --state NEW -j ACCEPT ###允许lo且状态为new###

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ###允许连接22端口且状态为new###

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT ###允许连接80端口且状态为new###

iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT ###允许连接443端口且状态为new###

iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT ###允许连接53端口且状态为new(DNS查询多走udp,如需可另加 -p udp --dport 53)###

以上全是放行规则,要真正限制其他访问,还需把默认策略改为 DROP(iptables -P INPUT DROP)或在最后追加一条 -j REJECT,否则默认策略 ACCEPT 会放行一切

 

 

过程如下:

[root@desktop12 ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@desktop12 ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT

[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

[root@desktop12 ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

[root@desktop12 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

[root@desktop12 ~]# vim /etc/sys

sysconfig/          sysctl.d/           system-release

sysctl.conf         systemd/            system-release-cpe

[root@desktop12 ~]# vim /etc/sysconfig/iptables

[root@desktop12 ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@desktop12 ~]#

 

 

 

sysctl -a | grep forward ###查看forward的内核参数###

vim /etc/sysctl.conf

 

内容:

net.ipv4.ip_forward = 1 ###开启内核路由功能; 写进文件的只有 "net.ipv4.ip_forward = 1" 这一行,###注释不要写入文件,否则 sysctl -p 会报错###

 

sysctl -p ###立即生效###

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.100 ###添加策略,从eth1出去的数据包做源地址转换,源地址改写为172.25.254.100###

iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.12.10 ###添加策略,从eth1进来的数据包做目的地址转换,目的地址改写为172.25.12.10; 没有加 -p/--dport/-d 等匹配条件时,eth1进来的全部流量都会被转到该地址###

 

 

过程如下:

[root@localhost ~]# iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

 

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

 

[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.100

[root@localhost ~]# iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

 

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.100

[root@localhost ~]# sysctl -a | grep forward

net.ipv4.conf.all.forwarding = 0

net.ipv4.conf.all.mc_forwarding = 0

net.ipv4.conf.default.forwarding = 0

net.ipv4.conf.default.mc_forwarding = 0

net.ipv4.conf.eth0.forwarding = 0

net.ipv4.conf.eth0.mc_forwarding = 0

net.ipv4.conf.eth1.forwarding = 0

net.ipv4.conf.eth1.mc_forwarding = 0

net.ipv4.conf.lo.forwarding = 0

net.ipv4.conf.lo.mc_forwarding = 0

net.ipv4.ip_forward = 0

net.ipv6.conf.all.forwarding = 0

net.ipv6.conf.all.mc_forwarding = 0

net.ipv6.conf.default.forwarding = 0

net.ipv6.conf.default.mc_forwarding = 0

net.ipv6.conf.eth0.forwarding = 0

net.ipv6.conf.eth0.mc_forwarding = 0

net.ipv6.conf.eth1.forwarding = 0

net.ipv6.conf.eth1.mc_forwarding = 0

net.ipv6.conf.lo.forwarding = 0

net.ipv6.conf.lo.mc_forwarding = 0

[root@localhost ~]# vim /etc/sysctl.conf

[root@localhost ~]# sysctl -p

sysctl: /etc/sysctl.conf(5): invalid syntax, continuing...

[root@localhost ~]# vim /etc/sysctl.conf

[root@localhost ~]# sysctl -p

net.ipv4.ip_forward = 1

[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.112

[root@localhost ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 DNAT --to-dest 172.25.12.10

Bad argument `DNAT'

Try `iptables -h' or 'iptables --help' for more information.

[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.12.10

[root@localhost ~]# iptables -t nat  -nL

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

DNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.12.10

 

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.112

[root@localhost ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.12.11

[root@localhost ~]# iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

DNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.12.10

DNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.12.11

 

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

 

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.112

[root@localhost ~]# 


(二)firewalld

 

定义:

动态防火墙后台程序 firewalld 提供了一个 动态管理的防火墙,用以支持网络 “ zones” ,以分配对一个网络及其相关链接和界面一定程度的信任,它还具备一个通向服务或者应用程序以直接增加防火墙规则的接口,而iptables则是对协议的端口进行限制。

 

与iptables的区别:

 

1 firewalld和iptables service 之间最本质的不同是:

 iptables service 在 /etc/sysconfig/iptables 中储存配置,而 firewalld将配置储存在/usr/lib/firewalld/ 和 /etc/firewalld/ 中的各种XML文件里.

2 使用 iptables service,每一个单独更改都意味着清除所有旧有的规则,并从/etc/sysconfig/iptables里重新读取所有规则;然而使用 firewalld却不会再创建任何新的规则,仅仅运行规则中的不同之处。因此,firewalld可以在运行时改变设置而不丢失现行连接。

 

 

区域

基于用户对网络中设备和交通所给与的信任程度,防火墙可以用来将网络分割成不同的区域。

NetworkManager通知firewalld一个接口归属某个区域,新加入的接口被分配到默认区域。

 

网络区名称 默认配置

 

1 trusted( 信任 ) 可接受所有的网络连接

2 home( 家庭 ) 用于家庭网络,仅接受ssh、mdns、ipp-client、samba-client或dhcpv6-client服务连接

3 internal( 内部 ) 用于内部网络,仅接受ssh、mdns、ipp-client、samba-client、dhcpv6-client服务连接

4 work( 工作 ) 用于工作区,仅接受ssh、ipp-client或dhcpv6-client服务连接

5 public( 公共 ) 在公共区域内使用,仅接受ssh或dhcpv6-client服务连接,为firewalld的默认区域

6 external( 外部 ) 出去的ipv4网络连接通过此区域伪装和转发,仅接受ssh服务连接

7 dmz( 非军事区 ) 仅接受ssh服务连接

8 block( 限制 ) 拒绝所有网络连接

9 drop( 丢弃 ) 任何接收的网络数据包都被丢弃,没有任何回复

 

 

 

配置防火墙

 

1)使用图形配置方式:

firewall-config

 

配置完后,Configuration 要选 permanent,再在 Options 菜单中选 Reload Firewalld 使永久配置生效

 

2 )使用命令行接口配置


1 firewall-cmd --state ###查看firewalld状态###

2 firewall-cmd --get-active-zones ###查看当前活动的区域,并附带一个目前分配给它们的接口列表###

3 firewall-cmd --get-default-zone ###查看默认区域###

4 firewall-cmd --get-zones ###查看所有可用区域###

5 firewall-cmd --zone=public --list-all ###列出指定区域的所有设置###

6 firewall-cmd --get-services ###列出所有预设服务###

 

 

 

过程如下:

[root@localhost ~]# firewall-cmd --state ###查看firewalld状态###

running

[root@localhost ~]# firewall-cmd --get-active-zones ###查看当前活动的区域,并附带一个目前分配给它们的接口列表:###

ROL

  sources: 172.25.0.252/32

public

  interfaces: eth0 eth1

[root@localhost ~]# firewall-cmd --get-default-zone ###查看默认区域:###

public

[root@localhost ~]# firewall-cmd --get-zones###查看所有可用区域:###

ROL block dmz drop external home internal public trusted work

[root@localhost ~]# firewall-cmd --zone=public  --list-all ###列出指定域的所有设置:###

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:


[root@localhost ~]# firewall-cmd --get-services###列出所有预设服务:###

amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

 

 

 

7 firewall-cmd --set-default-zone=trusted ###修改默认区域为trusted(trusted区域接受所有连接,这里只用于测试)###

 

 

过程如下:

 

[root@localhost ~]# systemctl restart httpd

[root@localhost ~]# firewall-cmd --set-default-zone=trusted###修改默认区域为trusted###

success

[root@localhost ~]# firewall-cmd --get-default-zone

trusted

 

 

测试:

 

修改前区域为public:访问172.25.254.112

 

wKiom1k6dx3SPO1CAABsVEvHsYk530.png

 

 

8 firewall-cmd --permanent --add-source=172.25.254.78 ###78主机在访问时一直走public区域,而并不是指78主机都能连接###

9 firewall-cmd --reload###添加了永久设定之后,要重新加载###

10 firewall-cmd --permanent --remove-source=172.25.254.78###删除该策略###

11 firewall-cmd --permanent --zone=trusted --add-source=172.25.254.78 ###78主机允许访问,且均能连接###

 

过程如下:

[root@localhost ~]# firewall-cmd --permanent --add-source=172.25.254.12 ###12主机在访问时一直走public区域###

success

[root@localhost ~]# firewall-cmd --reload

success

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources: 172.25.254.12

  services: dhcpv6-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:


[root@localhost ~]# firewall-cmd --permanent --remove-source=172.25.254.12

success###删除策略###

[root@localhost ~]# firewall-cmd --permanent --zone=trusted  --add-source=172.25.254.12###12主机允许访问###

success

[root@localhost ~]# firewall-cmd --reload

success

[root@localhost ~]# firewall-cmd --permanent --zone=trusted  --remove-source=172.25.254.12

success

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

 

12 firewall-cmd --remove-interface=eth0 --zone=public ###将eth0从public区域下摘除(以下命令都没加 --permanent,只是运行时设定,reload 后失效)###

13 firewall-cmd --add-interface=eth0 --zone=trusted ###将eth0添加到trusted区域下###

14 firewall-cmd --add-service=http --zone=public ###在public区域下添加http服务###

15 firewall-cmd --list-ports ###列出开启的端口###

16 firewall-cmd --add-port=53/tcp ###添加53端口,tcp协议###

 

 

过程如下:

[root@localhost ~]# firewall-cmd --remove-interface=eth0 --zone=public ###将eth0从public下摘除###

success

[root@localhost ~]# firewall-cmd --add-interface=eth0 --zone=trusted ###将eth0添加到trusted区域下###

success

[root@localhost ~]# firewall-cmd --add-service=http --zone=public###在public区域下添加http服务###

success

[root@localhost ~]# firewall-cmd --list-ports ###列出端口###

[root@localhost ~]# firewall-cmd --add-port=53/tcp###添加53端口,tcp协议###

success

[root@localhost ~]# firewall-cmd --list-ports ###列出端口###

53/tcp

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client ssh

  ports: 53/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:  

 

 

17 firewall-cmd --remove-service=ssh ###删除public区域的ssh服务(通过ssh远程操作时,新的ssh连接会被拒绝)###

18 firewall-cmd --direct --get-all-rules ###查询写过的direct策略###

19 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.12 -p tcp --dport 22 -j ACCEPT ###添加策略,放行除12主机以外的主机连接22端口; 这只是一条放行规则,12主机是否被拒绝还取决于区域里是否仍开放ssh服务或有无拒绝规则###

 

过程如下:

[root@localhost ~]# firewall-cmd --direct --get-all-rules ###查询写过的策略###

[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.12 -p tcp --dport 22 -j ACCEPT ###添加策略,放行除12主机以外的主机连接22端口; 只是放行规则,要拒绝12主机还需去掉区域中的ssh服务或另加拒绝规则###

success

[root@localhost ~]# firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 '!' -s 172.25.254.12 -p tcp --dport 22 -j ACCEPT

[root@localhost ~]#

  

 

 

转发与伪装

 

1)转发

 

1 firewall-cmd --zone=public  --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.212###当访问该主机的22端口时,转发到172.25.254.212的22端口###

 

2 firewall-cmd --add-masquerade###打开伪装功能###  

 

过程如下:

 [root@localhost ~]# firewall-cmd --zone=public  --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.1###当访问该主机的22端口时,转发到172.25.254.1的22端口###

success

[root@localhost ~]# firewall-cmd --add-masquerade###打开伪装功能###

success

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: yes

  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.1

  icmp-blocks:

  rich rules:


[root@localhost ~]#

 

 

 

2 )伪装:

 

firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.100 masquerade' ###注意 source address 是匹配条件而不是伪装后的地址: 该规则对源地址为172.25.254.100的数据包做伪装(源地址改写为出口接口的地址)###

 

 

过程如下:

[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.100 masquerade' ###对源地址为172.25.254.100的数据包做伪装,source address 是匹配条件###

success

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: yes

  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.212

  icmp-blocks:

  rich rules:

rule family="ipv4" source address="172.25.254.100" masquerade

[root@localhost ~]# 

