Comparison between firewalld and iptables

Source: Internet
Author: User

1. Firewalld introduction. Before introducing zones, a few related terms need to be explained, because without them the zone concept cannot be followed.

Target: the default action, with four possible values: default, ACCEPT, %%REJECT%%, and DROP. If this parameter is not set, the value is default.

Service: already covered earlier; it denotes a network service.

Port: a port. A port can be opened directly without going through a service.

Interface: a network interface, which can be understood as a NIC.

Source: the source address, which can be a single IP address or an IP address range.

Icmp-block: blocks ICMP packets; can be set per ICMP type.

Masquerade: IP masquerading, that is, source NAT based on the address of the outgoing NIC.

Forward-port: port forwarding.

Rule: custom rules.

View the status: firewall-cmd --state
Restart: service firewalld restart
View the iptables status: service iptables status

2. System configuration directory: holds the definitions of the network services, port parameters and system parameters. It must not be modified (do not change it).

Firewalld determines which zone applies to an incoming request in three ways, checked in this order:

1. The source address of the request.
2. The interface (network adapter) on which the request was received.
3. The default zone configured in /etc/firewalld/firewalld.conf.

3. User configuration directory /etc/firewalld/, which contains:
firewalld.conf  lockdown-whitelist.xml  helpers/  services/  icmptypes/  zones/  ipsets/

4. Use the command line

# Add a port to allow access, permanently valid
firewall-cmd --permanent --add-port=9527/tcp

firewall-cmd [--permanent] [--zone=zone] --list-sources
firewall-cmd [--permanent] [--zone=zone] --query-source=source[/mask]
firewall-cmd [--permanent] [--zone=zone] --add-source=source[/mask]
firewall-cmd [--zone=zone] --change-source=source[/mask]
firewall-cmd [--permanent] [--zone=zone] --remove-source=source[/mask]

# firewall-cmd parameter description
# --list-sources: list all source addresses bound to the specified zone
# --query-source: query whether the specified source address is bound to the specified zone
# --add-source: bind a source address to the specified zone (a source can be bound to only one zone; binding it to a second, different zone returns an error)
# --change-source: change the zone a source address is bound to; if it is not yet bound, it is bound, which is the same as --add-source
# --remove-source: delete the binding between a source address and a zone

To view all currently active zones: firewall-cmd --get-active-zones

To forward TCP requests received on port 80 to port 8080, run: firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

To list the open ports of a zone: firewall-cmd [--permanent] [--zone=zone] --list-ports

5. Modify the configuration file to add a port

Contents of the public zone file under /etc/firewalld/zones/ (only the descriptive text of the file survived extraction):

Public
For use in public areas.
Allow specified ip address, specify port and Protocol
Access Port 9527 of the server through any ip Address

1. Add the required rules:
   - allow source address 122.10.70.234, port 514, protocol tcp;
   - allow source address 123.60.20.14, ports 10050-10051, protocol tcp;
   - allow any source address, port 9527, protocol tcp.
2. Reload the firewall without interrupting existing connections: firewall-cmd --reload
3. Allow one address range to access a service:
   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
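As an added example (not part of the original page), the following POSIX shell script turns the three rules from the steps above into firewalld rich rules and applies them to the public zone with firewall-cmd. The function names, the port and protocol validation, the DRY_RUN variable and the idempotency check with --query-rich-rule (a real firewall-cmd option) are all this example's own choices. It defaults to a dry run that prints the exact firewall-cmd invocations, so it can be run and reviewed without firewalld or root; set DRY_RUN=0 to apply for real.

```shell
#!/bin/sh
# Added example: build and apply the firewalld rich rules listed in section 5.
# DRY_RUN=1 (the default here) prints the firewall-cmd command lines instead
# of executing them, so the script runs on any machine without firewalld.
: "${DRY_RUN:=1}"
ZONE="${ZONE:-public}"

# run_cmd: execute the given command, or print it shell-quoted in dry-run mode.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        out=''
        for a in "$@"; do
            case "$a" in
                *' '*|*'"'*) a="'$a'" ;;   # quote arguments that contain spaces or quotes
            esac
            out="$out${out:+ }$a"
        done
        printf '%s\n' "$out"
    else
        "$@"
    fi
}

# valid_port PORT: accept a single port (1-65535) or a low-high range.
valid_port() {
    case "$1" in
        *[!0-9-]*|''|-*|*-|*-*-*) return 1 ;;
    esac
    low=${1%%-*}; high=${1##*-}
    if [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]; then
        return 0
    fi
    return 1
}

# rich_rule SOURCE PORT PROTO: print the rich rule string.
# SOURCE is an IPv4 address or CIDR, or the word "any" for an unrestricted rule.
rich_rule() {
    src=$1; port=$2; proto=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    if [ "$src" = any ]; then
        printf 'rule family="ipv4" port port="%s" protocol="%s" accept' "$port" "$proto"
    else
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$src" "$port" "$proto"
    fi
}

# apply_rule SOURCE PORT PROTO: add the rule to the permanent configuration,
# skipping it when it is already present so re-runs do not produce errors.
apply_rule() {
    rule=$(rich_rule "$@") || return 1
    if [ "$DRY_RUN" != 1 ] && firewall-cmd --permanent --zone="$ZONE" --query-rich-rule="$rule" >/dev/null 2>&1; then
        return 0
    fi
    run_cmd firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
}

# apply_all: the three rules from section 5, followed by the reload that
# makes permanent rules active without interrupting existing connections.
apply_all() {
    apply_rule 122.10.70.234 514 tcp &&
    apply_rule 123.60.20.14 10050-10051 tcp &&
    apply_rule any 9527 tcp &&
    run_cmd firewall-cmd --reload
}

apply_all
```

Running the script as-is prints four command lines (three --add-rich-rule calls and the --reload); an invalid port such as 70000 or a protocol other than tcp/udp is rejected before any command is built, which is the check you want in front of anything that edits the permanent zone configuration.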

iptables

The iptables command is a common Linux firewall tool and is part of the netfilter project. It can be configured directly or through one of many front-ends and graphical interfaces.

iptables -t <table> <-A/I/D/R> <chain> [rule number] <-i/-o interface> -p <protocol> <-s source IP/subnet> --sport <source port> <-d destination IP/subnet> --dport <destination port> -j <action>

------------------------------
Table names include:
raw: advanced features, such as URL filtering.
mangle: packet modification (QoS), used to implement quality of service.
nat: address translation, used for gateways and routers.
filter: packet filtering, used for firewall rules.
-------------------------------
Chain names include:
INPUT chain: processes incoming packets.
OUTPUT chain: processes outgoing packets.
FORWARD chain: processes forwarded packets.
PREROUTING chain: used for destination address translation (DNAT).
POSTROUTING chain: used for source address translation (SNAT).
-------------------------------
Actions include:
ACCEPT: accept the packet.
DROP: drop the packet.
REDIRECT: redirection, port mapping and transparent proxy.
SNAT: source address translation.
DNAT: destination address translation.
MASQUERADE: IP masquerading (NAT), used for ADSL links.
LOG: log the packet.
-------------------------------
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # allow access to port 22
iptables -A OUTPUT -j ACCEPT                    # allow outgoing traffic to all hosts
iptables -A INPUT -j REJECT                     # reject everything not permitted by an earlier rule
iptables -L -n -v                               # view the rules
-------------------------------
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: one of the three tables filter, nat, mangle
COMMAND: defines how the rule is managed (added, inserted, deleted, replaced)
chain: the chain the rule operates on; can be omitted when defining a policy
CRITERIA: the match criteria
-j ACTION: how matching packets are handled
-P: set the default policy (whether the door is closed or open by default). There are generally only two default policies: iptables -P INPUT (DROP | ACCEPT), that is, closed by default or open by default.
For example, iptables -P INPUT DROP sets the default to reject. If no rules have been defined, all external connections, including Xshell connections, are rejected.
-------------------------------
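As an added example (not the page's own commands), the script below shows the ordering the warning above implies: the allow rules for existing connections, loopback and the administrative port are added first, denials are logged so they are visible in the system log, and only then is the INPUT policy switched to DROP. The function names, the DRY_RUN variable and the choice of a conntrack match and a rate-limited LOG rule are this example's own assumptions; conntrack and limit are standard iptables match extensions. By default it prints the commands instead of executing them, so it runs without root or iptables; set DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Added example: emit a minimal default-deny INPUT ruleset in a lockout-safe order.
# DRY_RUN=1 (default) prints each iptables command line instead of running it.
: "${DRY_RUN:=1}"

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gen_input_rules SSH_PORT [EXTRA_TCP_PORT...]
# Order matters: everything that must stay reachable is allowed before the
# default policy is closed, so the session running the script is not cut off.
gen_input_rules() {
    ssh_port=$1
    if [ -z "$ssh_port" ]; then
        echo "usage: gen_input_rules SSH_PORT [EXTRA_TCP_PORT...]" >&2
        return 1
    fi
    shift
    # 1. keep replies to connections that already exist, including the current SSH session
    run_cmd iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. loopback traffic is always local
    run_cmd iptables -A INPUT -i lo -j ACCEPT
    # 3. administrative access first, then any other published services
    run_cmd iptables -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT
    for p in "$@"; do
        run_cmd iptables -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    # 4. log what is about to be dropped (rate limited) so denials show up in the syslog
    run_cmd iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix iptables-drop:
    # 5. only now close the door: the DROP policy is the last command emitted
    run_cmd iptables -P INPUT DROP
}

# policy_is_last SSH_PORT [EXTRA_TCP_PORT...]: sanity check that the policy
# change is the final command, i.e. no allow rule comes after the lockdown.
policy_is_last() {
    gen_input_rules "$@" | tail -n 1 | grep -q -- '-P INPUT DROP'
}

gen_input_rules 22 80 443
```

The printed sequence is also a reasonable review artefact: anyone reading it can confirm that the ESTABLISHED,RELATED rule and the SSH rule precede `-P INPUT DROP`, which is exactly the condition the page's Xshell warning is about.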
