# firewalld and iptables

The firewall itself lives in the kernel. There are two front ends for managing it, firewalld and iptables, and both write their rules into the kernel via iptables.

## I. firewalld

firewalld zones:
trusted, home, internal, work, public, external, dmz, block, drop
### 1. About iptables

```bash
yum install iptables
systemctl stop firewalld            # stop firewalld
systemctl mask firewalld.service    # mask (freeze) firewalld so it cannot be started
iptables -nL                        # show the service status: list the current policy
```

Output:
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
### 2. Using firewalld

```bash
systemctl stop iptables.service      # stop iptables
systemctl mask iptables.service      # mask (freeze) iptables
systemctl unmask firewalld.service   # unmask firewalld
systemctl start firewalld.service    # start firewalld
```

firewall-cmd commands:

```bash
firewall-cmd --state                    # show whether the firewall is running
firewall-cmd --get-active-zones         # show the zones currently in use
firewall-cmd --get-default-zone         # show the current default zone
firewall-cmd --get-zones                # show all available zones
firewall-cmd --zone=public --list-all   # show the public zone's allowed services, open ports, masquerade status and other policies
firewall-cmd --get-services             # show all services that can be configured
firewall-cmd --list-all-zones           # show the services and ports of every zone
firewall-cmd --set-default-zone=dmz     # set the default zone to dmz (the demilitarized zone)
```
Assigning a zone to a network segment or an interface:

```bash
firewall-cmd --permanent --zone=internal --add-source=172.25.254.110      # put host 110 in the internal zone, permanently
firewall-cmd --permanent --zone=internal --remove-source=172.25.254.110   # remove host 110 from the internal zone
firewall-cmd --permanent --zone=internal --add-interface=eth0             # assign interface eth0 to the internal zone
firewall-cmd --permanent --zone=public --change-interface=eth0            # move eth0 to the public zone
firewall-cmd --permanent --zone=public --remove-interface=eth0            # remove eth0 from its zone
```
Adding services and ports to a zone:

```bash
firewall-cmd --permanent --zone=public --add-service=http      # permanently add the http service to the public zone
firewall-cmd --permanent --zone=public --remove-service=http   # remove it again
firewall-cmd --zone=public --list-ports                        # list all ports open in the public zone
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --remove-port=8080/tcp
```

Note: a setting made with --permanent only takes effect after the firewall is reloaded:

```bash
firewall-cmd --reload
```
/etc/firewalld/zones
Edit the zone's .xml file in this directory to add or remove services; restart or reload the service when you are done editing.

/lib/firewalld/services
The zone and service definitions shipped with the system live under /lib/firewalld; the copies under /etc/firewalld are the ones firewalld actually loads, and they override the /lib versions.
Changing or adding a service in the files under /etc is permanent. A change made with a command is temporary unless you add --permanent, and a permanent change needs a reload (or service restart) before it takes effect.

```bash
firewall-cmd --reload            # reload the rules; running programs and their connections are not interrupted
firewall-cmd --complete-reload   # forced reload; running programs have their connections cut immediately
```
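The permanent/runtime split above is a common source of surprises: a rule added without --permanent disappears on the next reload, and a --permanent rule does nothing until one. As an added example (not from the original post), this script compares a zone's runtime and permanent `--list-all` output and reports the keys that differ; the two sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report where a zone's runtime
# configuration differs from its permanent configuration, i.e. changes made
# without --permanent that vanish on reload or reboot, or --permanent changes
# not yet applied by --reload. The two samples are constructed, shortened
# copies of `firewall-cmd --zone=public --list-all` output.
runtime_sample() {
cat <<'EOF'
public
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  rich rules:
EOF
}
permanent_sample() {
cat <<'EOF'
public
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  masquerade: no
  forward-ports:
  rich rules:
EOF
}

# zone_drift RUNTIME_TEXT PERMANENT_TEXT: print one line per key whose value
# differs, in the form "<key>: runtime [<value>] permanent [<value>]".
zone_drift() {
    printf '%s\n' "$1" | awk -v perm="$2" '
        function key(l) { sub(/^ +/, "", l); return substr(l, 1, index(l, ":") - 1) }
        function val(l,  v) { v = substr(l, index(l, ":") + 1); gsub(/^ +| +$/, "", v); return v }
        BEGIN { n = split(perm, pl, "\n")
                for (i = 1; i <= n; i++) if (index(pl[i], ":")) p[key(pl[i])] = val(pl[i]) }
        index($0, ":") { k = key($0); v = val($0)
                         if (k in p && v != p[k]) printf "%s: runtime [%s] permanent [%s]\n", k, v, p[k] }'
}

# Live use: zone_drift "$(firewall-cmd --zone=public --list-all)" \
#                      "$(firewall-cmd --permanent --zone=public --list-all)"
```

Any line it prints is either a change that will be lost at the next `--reload` or a permanent change that has not been applied yet.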
### 3. Direct rules

With the firewall-cmd tool you can use the --direct option to add or remove chains and rules at run time.

Three tables, five chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING):
- filter: packets destined for the local host, passed through the kernel's packet filter
- nat: packets not handled by the local host itself, network address translation
- mangle: all packets (everything the first two see); used when the first two tables are not enough

```bash
firewall-cmd --direct --get-all-rules   # list all direct rules
firewall-cmd --direct --add-rule ipv4 filter INPUT 2 -s 172.25.254.110 -p tcp --dport 22 -j ACCEPT
# add a rule under the filter table's INPUT chain (priority 2): allow source 110 to reach port 22
firewall-cmd --direct --add-rule ipv4 filter INPUT 2 ! -s 172.25.254.110 -p tcp --dport 22 -j ACCEPT
# same position, but allow every source except 110 to reach port 22
firewall-cmd --direct --remove-rule ipv4 filter INPUT 2 -s 172.25.254.110 -p tcp --dport 22 -j ACCEPT
firewall-cmd --direct --remove-rule ipv4 filter INPUT 2 ! -s 172.25.254.110 -p tcp --dport 22 -j ACCEPT
```
### 4. icmp-block

Use this command to block one or more ICMP types; the type must be one of the ICMP types firewalld supports. For example, `ping 172.25.254.110` uses ICMP.

```bash
firewall-cmd --get-icmptypes                              # list the ICMP types that can be blocked
firewall-cmd --add-icmp-block=destination-unreachable     # the host's IP can no longer be pinged
firewall-cmd --add-icmp-block=echo-request                # ping no longer works
firewall-cmd --add-icmp-block=echo-request --timeout=5    # ping fails at first; after 5 seconds the block expires and ping works again
```
### 5. Masquerading and source address translation

```bash
firewall-cmd --add-masquerade   # enable masquerading
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.10
# every connection to port 22 of host 110 is forwarded to host 10
firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.25.254.100 masquerade"
# IP hiding: if my IP is 10 and I connect to host 100 through host 110, `w -i` on host 100 shows the IP as 110 rather than 10
```
### 6. Router function (masquerade)

Two machines in different network segments, say a 192.x host wanting to ping the 172.x segment, need a router in between that performs address translation.

Before testing:
(1) Use desktop as the router
Enable masquerading, and give the router two virtual NICs with two IPs, one in 192.x and one in 172.x.
(2) Use server as the test host
Change the server's IP to a 192.x address and set its gateway to the router's 192.x address.

```bash
systemctl restart network
route -n    # check that the gateway was added
```

Test:
(1) From server, ping the 172.x address: it fails at first.
(2) On desktop:

```bash
firewall-cmd --permanent --add-masquerade   # enable masquerading
sysctl -a | grep forward                    # check whether forwarding is enabled
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1                     # add this line
sysctl -p
net.ipv4.ip_forward = 1                     # output: the setting is now active
firewall-cmd --reload
```
## II. iptables

### 1. Activating iptables

```bash
systemctl stop firewalld
systemctl mask firewalld    # mask (freeze) firewalld
systemctl start iptables    # if this reports that the unit is masked, unmask it first:
systemctl unmask iptables
systemctl start iptables
```
### 2. Using iptables

```bash
iptables -nL                # list the rules of every chain (filter table by default)
iptables -t nat -nL         # list the nat table
iptables -F                 # flush the policy (empties the chains' rules, nothing else)
iptables -N redhat          # add a custom chain
iptables -D redhat 1        # delete rule 1 from the custom chain
iptables -X redhat          # delete the (empty) custom chain
iptables -E redhat rehdat   # rename the chain
```

Common options:

```
-m state --state   match on connection state
-i lo              packets arriving on interface lo
-o eth0            packets leaving through interface eth0
-s                 source address
-A                 append a rule to the end of a chain
-I                 insert a rule at the head of a chain (first line)
-R                 replace a rule
-P                 change a chain's default policy
```
### 3. Rewriting the policy (rule optimisation)

(1) Clear the original policy, add a new one and save

```bash
vim /etc/sysconfig/iptables     # where the saved policy lives
iptables -F                     # flush the original policy
cat /etc/sysconfig/iptables     # check that the original policy has been emptied
```

(2) Add the new policy

```bash
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -nL                    # check the newly added policy
service iptables save           # save the added policy
iptables -nL                    # the new policy is in place
cat /etc/sysconfig/iptables     # view the saved policy
```
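One thing to check after a rewrite like the one above: the new INPUT chain contains only ACCEPT rules and the chain policy is still ACCEPT, so unlike the default listing in section 1 there is no REJECT catch-all, and traffic matched by none of the rules is accepted too. As an added example (not from the original post), this script parses `iptables -nL` output in the layout shown on this page, lists the accepted TCP ports and reports whether INPUT denies by default; both listings embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the INPUT chain of an
# `iptables -nL` listing. The two listings are constructed copies of the
# default ruleset from section 1 and the rewritten ruleset from section 3.
# Default listing: the chain ends with a REJECT catch-all.
default_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
EOF
}

# Listing after the rewrite in section 3: only ACCEPT rules, policy still ACCEPT.
rewritten_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
EOF
}

# Print the TCP destination ports that INPUT explicitly ACCEPTs, one per line.
accepted_tcp_ports() {
    awk '/^Chain /{ chain = $2 }
         chain == "INPUT" && $1 == "ACCEPT" && $2 == "tcp" {
             for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) print substr($i, 5) }'
}

# Succeed only if INPUT denies by default: chain policy DROP/REJECT, or a last
# rule that REJECTs/DROPs all protocols from any source; otherwise unmatched traffic is accepted.
input_default_deny() {
    awk '/^Chain /{ inchain = ($2 == "INPUT"); if (inchain) { sub(/[)]/, "", $4); policy = $4 }; next }
         inchain && $1 ~ /^(ACCEPT|REJECT|DROP)$/ { last = $1; proto = $2; src = $4 }
         END { deny = (policy == "DROP" || policy == "REJECT") ||
                      (last ~ /^(REJECT|DROP)$/ && proto == "all" && src == "0.0.0.0/0")
               exit !deny }'
}
# Live use: iptables -nL | input_default_deny || echo "INPUT chain is open by default"
```

Run against the rewritten ruleset the check fails, which is the cue to either set the INPUT policy to DROP or append a final REJECT rule before saving.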
Linux from beginner to master: firewalld and iptables