Firewall Management for Linux

Source: Internet
Author: User
Tags: iptables

After changing to an Oracle Linux 7 system, I found that the iptables management method has changed slightly; this is a record of the problems I encountered.

Iptables
    • The Linux system installs both firewall management tools, iptables and firewalld, by default, but the command may not be found when you run service iptables save. The iptables configuration file is /etc/sysconfig/iptables, but a newly installed server may not have this file; in general you need to install iptables-services first;

    • I am accustomed to using the iptables firewall tool;

yum -y install iptables-services   # install iptables-services first; afterwards /etc/sysconfig/ contains the iptables file and iptables can be managed with service
systemctl stop firewalld           # stop firewalld first
systemctl start iptables           # start the iptables firewall
systemctl enable iptables          # start iptables automatically at boot
service iptables save              # save the currently configured rules to /etc/sysconfig/iptables (there is no "systemctl iptables save" subcommand)

Attention:

    1. Firewalld and iptables are mutually independent firewall management tools;

    2. When ' service iptables save ' executes, iptables reads the /etc/sysconfig/iptables-config file first and then the /etc/sysconfig/iptables file;

Extended

service iptables status  # show the firewall status
service iptables start   # start the firewall
service iptables stop    # stop the firewall
service iptables restart # restart the firewall
    • Configuring the iptables parameters

A firewall has to open ports for external access, set up filtering, and so on. This requires a configuration file: all configuration is saved in /etc/sysconfig/iptables, which can be configured in two ways:

    • Method One: Directly modify the iptables file
*filter
# default chain policies: allow incoming traffic
:INPUT ACCEPT [0:0]
# allow forwarding
:FORWARD ACCEPT [0:0]
# allow outgoing traffic
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping
-A INPUT -p icmp -j ACCEPT
# allow traffic arriving on the loopback interface by default
-A INPUT -i lo -j ACCEPT
# add a rule that allows port 22
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# commit the settings
COMMIT
# add further rules as needed (iptables-restore only accepts comments on their own lines, not after a rule)
    • Detailed parameters
-A        append a rule for a kind of packet: INPUT for incoming packets, OUTPUT for outgoing packets, FORWARD for forwarded packets
-p        specify the protocol, such as TCP or UDP
--dport   destination port; for data entering the server from outside this is the target port
--sport   source port; for data leaving the server this is the source port
-j        specify the policy: ACCEPT (allow), DROP (refuse without a response), REJECT (refuse with a response)
-s        match a specific source IP address; prefixing "!" means every address except this one
-L        list the rule chain
-F        flush (empty) the rule chain
-I num    insert a new rule at the head of the chain (position num)
-D num    delete rule number num
-d        match the destination address
-i iface  match data entering through network interface iface
-o iface  match data leaving through network interface iface
    • Method Two: Use the command line to modify the rules dynamically, then save
iptables -P INPUT DROP   # set the default policy of the INPUT chain to DROP (-P takes the policy directly, without -j)
service iptables save

Attention

    1. Firewall rules are matched from top to bottom, so be sure to put the allow rules before the reject rule; otherwise all traffic is rejected and no host can reach the server.
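The following script is an added example and not code from the original article. It generates an /etc/sysconfig/iptables style ruleset in the layout of Method One for a list of TCP ports, and audits a ruleset for the ordering mistake just described: an ACCEPT that sits below the catch-all REJECT can never match, and a catch-all that comes before the SSH rule cuts off remote access. The helper names (render_rules, audit_rules) and the sample files are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): build and audit an
# iptables-save style ruleset so that allow rules precede the catch-all.

# render_rules PORT...: print a *filter table that accepts the given TCP
# ports on INPUT and rejects everything else, allow rules first.
render_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# audit_rules FILE: print one finding per line and return 1 if the INPUT
# chain contains an unreachable rule or would lock out SSH; return 0 if clean.
audit_rules() {
    awk '
        /^:INPUT DROP/ { policy_drop = 1 }
        /^-A INPUT / {
            # Anything appended after the catch-all REJECT/DROP can never match.
            if (terminal) {
                printf "line %d: unreachable, placed after catch-all on line %d: %s\n", NR, terminal, $0
                bad = 1
            }
            if ($0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) ssh_ok = NR
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)/ && !terminal) {
                terminal = NR
                if (!ssh_ok) {
                    printf "line %d: catch-all reached before any rule accepts port 22; remote access would be cut\n", NR
                    bad = 1
                }
            }
        }
        END {
            if (policy_drop && !ssh_ok) {
                print "INPUT policy is DROP but no rule accepts port 22"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Demonstration on constructed files in a temporary directory.
tmp=$(mktemp -d)
render_rules 22 80 443 > "$tmp/good"
render_rules 80 > "$tmp/no_ssh"
# Constructed mistake: the SSH rule is appended below the REJECT line.
render_rules 80 | awk '/^COMMIT$/ { print "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT" } { print }' > "$tmp/ssh_too_late"
for f in good no_ssh ssh_too_late; do
    echo "== $f"
    audit_rules "$tmp/$f" && echo "ok: allow rules precede the catch-all"
done
rm -rf "$tmp"
```

Run the audit against a copy of /etc/sysconfig/iptables before restoring it on a remote machine; the check is deliberately conservative and only looks at the INPUT chain, which is the one that decides whether your own SSH session survives.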
Firewalld
    • Another firewall management tool for Linux;
service firewalld status  # show the firewall status
service firewalld start   # start the firewall
service firewalld stop    # stop the firewall
service firewalld restart # restart the firewall
    • Managing ports
# open a port
firewall-cmd --zone=public --add-port=80/tcp --permanent
# reload so the permanent change takes effect
firewall-cmd --reload
# query whether a port is open
firewall-cmd --zone=public --query-port=80/tcp
# close a port
firewall-cmd --zone=public --remove-port=80/tcp --permanent
    • Parameters
--permanent   : make the command's effect permanent
--add-port    : open a port
--remove-port : close a port
Using Systemctl
    • systemctl combines the chkconfig and service system management tools and is more powerful and convenient;
systemctl start firewalld     # start the firewall
systemctl stop firewalld      # stop the firewall (it will still start at boot)
systemctl restart firewalld   # restart the firewall
systemctl status firewalld    # show the firewall status
systemctl disable firewalld   # permanently disable the firewall; it no longer starts at boot
systemctl enable firewalld    # start the firewall automatically at boot
systemctl is-enabled firewalld  # check whether the firewall starts at boot
systemctl start iptables      # start the firewall
systemctl stop iptables       # stop the firewall (it will still start at boot)
systemctl restart iptables    # restart the firewall
systemctl status iptables     # show the firewall status
systemctl disable iptables    # permanently disable the firewall; it no longer starts at boot
systemctl enable iptables     # start the firewall automatically at boot
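Because firewalld and iptables are independent services, as noted in the Attention list above, a host should have exactly one of them enabled at boot. The script below is an added example, not code from the original article: it uses only systemctl is-enabled, which the article lists, to report the boot state of both units and to flag the two states a defender does not want, both enabled (they compete for the same netfilter rules) or neither enabled (no firewall). The function names unit_state and check_single_firewall are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): verify that exactly one of
# the two independent firewall services is enabled at boot.

# unit_state UNIT: print enabled/disabled/masked/... as reported by
# "systemctl is-enabled", or "unknown" if systemctl or the unit is missing.
unit_state() {
    state=$(systemctl is-enabled "$1" 2>/dev/null)
    printf '%s\n' "${state:-unknown}"
}

# check_single_firewall: return 0 when exactly one of firewalld and iptables
# is enabled, 1 otherwise; print a one-line verdict either way.
check_single_firewall() {
    fw=$(unit_state firewalld)
    ipt=$(unit_state iptables)
    enabled=0
    if [ "$fw" = enabled ]; then enabled=$((enabled + 1)); fi
    if [ "$ipt" = enabled ]; then enabled=$((enabled + 1)); fi
    case $enabled in
        1)
            echo "ok: firewalld=$fw iptables=$ipt (one service manages the rules)"
            return 0
            ;;
        2)
            echo "conflict: both firewalld and iptables are enabled; disable one with systemctl disable <unit>"
            return 1
            ;;
        *)
            echo "warning: neither firewalld nor iptables is enabled (firewalld=$fw iptables=$ipt)"
            return 1
            ;;
    esac
}

check_single_firewall
```

On a machine without systemd both units report "unknown" and the check fails closed with the "neither enabled" warning, which is the safe direction for a configuration-drift check.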
