本文主要介绍 CentOS7 中的 firewall  和 iptables。

1 firewall

1.1 what

这里引用 Red Hat 官方文档中对 firewall 的介绍。

A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow through.

firewalld is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.

firewalld uses the concepts of zones and services, that simplify the traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

1.2 Firewall Stack

1.3 常见用法

1. 使用 systemctl 命令,可实现 firewall 的启动、停止,以及开机自启动的开关,命令样式如下:

systemctl start/stop/enable/disable firewalld

2 iptables

1.1 what

引用 CentOS7 的 man 手册中定义,如下:

iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT.

Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches.  This is called a `target', which may be a jump to a user-defined chain in the same table.

1.2 常见用法

说明:为了使用 iptables/ip6tables 来替代 firewalld,需要禁用 firewalld,命令如下:

systemctl disable firewalld
systemctl stop firewalld

1. 使用 systemctl 命令,可实现 iptables/ip6tables 的启动、停止,以及开机自启动的开关,命令样式如下:

systemctl start/stop/enable/disable iptables

3 firewall与iptables的关系

3.1 区别

这里仍然引用 Red Hat 官方文档中对 firewall 与 iptables 区别的介绍。

The essential differences between firewalld and the iptables (and ip6tables) services are:

  • The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
  • With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. Only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.

3.2 联系

Both use iptables tool to talk to the kernel packet filter.

3.3 总结

在 RHEL7 系统中,firewall 取代了 iptables。其实从本文中 firewall 的架构图中能够看到,在 service 层面,两者是平级的,不过 firewall 却还是调用了 iptables 的 command,去执行内核的 netfilter(如3.2节说明的那样),所以要和有人说 firewall 是CentOS7 下管理 iptables 的新命令。