Iptables与Firewalld

1.iptables： 开启防火墙：可以正常使用ssh服务，dns服务, httpd服务，chrony服务， nfs服务

（1）安装iptables-services启动工具。

[root@yangzilin ~]# yum install -y iptables-services

 

（2)关闭firewalld,开启iptables。

[root@yangzilin ~]# systemctl stop firewalld
[root@yangzilin ~]# systemctl start iptables

（3）添加规则：ssh服务端口22，dns服务53，httpd服务80，chrony服务123，nfs服务111。并添加一条拒绝所有。

[root@yangzilin ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

[root@yangzilin ~]# iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p udp --dport 111 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p ip -j REJECT

（4）查看规则表

[root@yangzilin ~]# iptables -vnL --line-numbers

[root@yangzilin ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       33 16462 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
8        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
11       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
12       0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 39 packets, 2589 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

2.firewalld： 开启防火墙：可以正常使用ssh服务，dns服务, httpd服务，chrony服务， nfs服务
且实现：访问第一台机器web服务的9090端口，转发到第二台机器的80端口(永久生效)

（1)关闭iptables,开启firewalld：

[root@yangzilin ~]# systemctl stop iptables
[root@yangzilin ~]# systemctl start firewalld

（2） 允许协议访问：ssh，http，dns，chrony，nfs服务：

[root@yangzilin ~]# firewall-cmd --add-service=ssh
success
[root@yangzilin ~]# firewall-cmd --add-service=http
success
[root@yangzilin ~]# firewall-cmd --add-service=dns
success
[root@yangzilin ~]# firewall-cmd --add-port=123/udp
success
[root@yangzilin ~]# firewall-cmd --add-service=nfs
success

（3）查看firewalld服务：

[root@yangzilin ~]# firewall-cmd --list-all
 

[root@yangzilin ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client dns http nfs ssh
  ports: 123/udp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

（4）第一台虚拟机的web服务的9090端口转发到第二台机器的80端口。

[root@yangzilin ~]# firewall-cmd -add-forward-port=port=9090:proto=tcp:toport=80:toaddr=192.168.145.111 --permanent
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: -add-forward-port=port=9090:proto=tcp:toport=80:toaddr=192.168.145.111
[root@yangzilin ~]# firewall-cmd --reload
success