Firewalls: iptables and firewalld
Before talking about firewalls we need to mention SELinux. SELinux's main job is to minimise the resources that service processes on the system can access. CentOS 7 enables SELinux by default, and it needs to be turned off. To turn it off temporarily, run setenforce 0; to turn it off permanently, edit the SELinux configuration file /etc/selinux/config, as shown in the figure below:
On CentOS 6 and earlier the firewall is iptables; on CentOS 7 it is firewalld. What people usually call iptables is not actually the firewall itself, it is only a tool for managing the kernel's netfilter rules, and the iptables tool can be used on both systems.
Before using the iptables tool, carry out the following steps:
systemctl disable firewalld
systemctl stop firewalld.service
yum install -y iptables-services
systemctl enable iptables.service
systemctl start iptables.service
## Disable firewalld at boot ##
[root@linux-01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
## Stop the running firewalld ##
[root@linux-01 ~]# systemctl stop firewalld.service
## Install the iptables-services package ##
[root@linux-01 ~]# yum install -y iptables-services
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 4.9 kB 00:00:00
* base: mirrors.cn99.com
* epel: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.163.com
* updates: mirrors.163.com
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/2): epel/x86_64/updateinfo | 986 kB 00:00:01
(2/2): epel/x86_64/primary_db | 6.7 MB 00:00:01
正在解决依赖关系
--> 正在检查事务
---> 软件包 iptables-services.x86_64.0.1.4.21-28.el7 将被 安装
--> 解决依赖关系完成
依赖关系解决
===========================================================================================================================
Package 架构 版本 源 大小
===========================================================================================================================
正在安装:
iptables-services x86_64 1.4.21-28.el7 base 52 k
事务概要
===========================================================================================================================
安装 1 软件包
总下载量:52 k
安装大小:26 k
Downloading packages:
iptables-services-1.4.21-28.el7.x86_64.rpm | 52 kB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : iptables-services-1.4.21-28.el7.x86_64 1/1
验证中 : iptables-services-1.4.21-28.el7.x86_64 1/1
已安装:
iptables-services.x86_64 0:1.4.21-28.el7
完毕!
## Enable iptables at boot ##
[root@linux-01 ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
## Start the iptables service ##
[root@linux-01 ~]# systemctl start iptables.service
The 5 netfilter tables and 5 chains
The 5 netfilter tables
netfilter table | Purpose |
---|---|
filter | Used mainly for packet filtering; it is the table the system uses by default. It has three built-in chains: INPUT, OUTPUT and FORWARD. INPUT handles packets entering this host, OUTPUT handles packets this host sends out, and FORWARD handles packets that are not addressed to this host (traffic routed through it). |
nat | Used mainly for network address translation; it also has three chains. PREROUTING changes a packet's destination address as soon as it reaches the firewall, OUTPUT changes the destination address of locally generated packets, and POSTROUTING changes a packet's source address just before it leaves the firewall. |
mangle | Used mainly to mark packets, so that packets can then be handled according to their marks. |
raw | Used to exempt packets from connection tracking. By default every packet is tracked, but tracking costs resources, so the raw table can specify that packets to certain ports are not tracked. |
security | Did not exist in CentOS 6; it is used for Mandatory Access Control (MAC) network rules. |
The 5 netfilter chains
netfilter chain | Purpose |
---|---|
PREROUTING | Before the packet reaches the routing decision |
INPUT | After the routing decision, when the destination is this host |
FORWARD | After the routing decision, when the destination is not this host |
OUTPUT | Packets generated by this host, on their way out |
POSTROUTING | Just before the packet is handed to the network interface |
The iptables command and its usage
Options and their meanings
Option | Meaning |
---|---|
-F | Flush (clear) the iptables rules |
-I | Insert a rule at the front of a chain |
-A | Append a rule at the end of a chain |
-D | Delete a rule |
-Z | Zero the packet and byte counters |
-t | Specify the table; if omitted, the default is the filter table |
-s | source: specify the source IP (can be an address range) |
-p | Specify the protocol: tcp, udp or icmp |
-d | Specify the destination IP (can be an address range) |
-j | Followed by the action (target): ACCEPT allows the packet, DROP silently discards it, REJECT refuses it and sends an error back to the sender |
-i | Specify the incoming network interface |
--dport | Used together with -p; specifies the destination port |
--sport | Used together with -p; specifies the source port |
--line-numbers | Show rule numbers when listing rules |
iptables usage
1. View the default iptables rule configuration file: cat /etc/sysconfig/iptables
[root@linux-01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@linux-01 ~]#
2. View the default iptables rules: iptables -nvL
[root@local6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 123M packets, 36G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 123M packets, 75G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 122M packets, 155G bytes)
pkts bytes target prot opt in out source destination
[root@local6 ~]#
3. Save the iptables rules (writes the current rules to the configuration file)
[root@local6 ~]# service iptables save
4. Flush the iptables rules:
[root@local6 ~]# iptables -F
5. Restart the iptables service (reloads the rules from the configuration file)
[root@local6 ~]# service iptables restart
6. View the rules of a specific table
[root@linux-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@linux-01 ~]#
7. Zero a table's counters
[root@linux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
61 4520 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 557 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 44 packets, 4612 bytes)
pkts bytes target prot opt in out source destination
[root@linux-01 ~]# iptables -Z   // zero the counters
[root@linux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 428 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
pkts bytes target prot opt in out source destination
[root@linux-01 ~]#
8. Add (append) a rule
[root@linux-01 ~]# iptables -A INPUT -s 192.168.141.150 -p tcp --sport 1234 -d 192.168.141.128 --dport 8008 -j DROP
[root@linux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
544 44492 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
4 1312 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.141.150 192.168.141.128 tcp spt:1234 dpt:8008
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 24 packets, 2232 bytes)
pkts bytes target prot opt in out source destination
[root@linux-01 ~]#
9. Delete a rule
[root@linux-01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 628 50624 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 5 1640 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 DROP tcp -- * * 192.168.141.150 192.168.141.128 tcp spt:1234 dpt:8008
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 80 packets, 8672 bytes)
num pkts bytes target prot opt in out source destination
[root@linux-01 ~]# iptables -D INPUT 5   // delete rule number 5 of the INPUT chain
[root@linux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
716 57192 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 DROP tcp -- * * 192.168.141.150 192.168.141.128 tcp spt:1234 dpt:8008
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 20 packets, 2056 bytes)
pkts bytes target prot opt in out source destination
[root@linux-01 ~]#
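The packet and byte counters listed in steps 7 and 9 tell you which rules are actually matching traffic, which is the quickest way to see whether a deny rule is doing anything before you delete, reorder or zero it. The script below is an added example and not part of the original post: it reads the text output of iptables -nvL --line-numbers (here a constructed sample that mirrors the listing in step 9) and reports every DROP or REJECT rule with a non-zero packet count, plus how many deny rules have never matched.

```shell
#!/bin/bash
# Added example (not from the original post): summarise which deny rules are
# actually matching traffic, from the text output of `iptables -nvL --line-numbers`.
# On a real host:  iptables -nvxL --line-numbers | report_firing_denies
# The input below is a constructed sample copied from the listing shown above.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      628 50624 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        5  1640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.141.150      192.168.141.128      tcp spt:1234 dpt:8008

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 80 packets, 8672 bytes)
num   pkts bytes target     prot opt in     out     source               destination
'

# Columns of `iptables -nvL --line-numbers`:
#   $1 num  $2 pkts  $3 bytes  $4 target  $5 prot  $6 opt  $7 in  $8 out  $9 source  $10 destination
# Print one line per DROP/REJECT rule whose packet counter is non-zero:
#   <chain> <rule-number> <target> <pkts> <bytes> <source> -> <destination>
report_firing_denies() {
    awk '
        /^Chain / { chain = $2; next }     # remember which chain we are in
        $1 == "num" { next }               # column header line
        NF == 0     { next }               # blank line between chains
        ($4 == "DROP" || $4 == "REJECT") && $2 > 0 {
            printf "%s %s %s %s %s %s -> %s\n", chain, $1, $4, $2, $3, $9, $10
        }
    '
}

# Count deny rules with a zero packet counter: either never matched, or the
# counters were just reset with -Z. Worth reviewing before you trust them.
count_idle_denies() {
    awk '($4 == "DROP" || $4 == "REJECT") && $2 == 0 { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LISTING" | report_firing_denies
printf 'idle deny rules: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_idle_denies)"
```

On a real host pipe the live listing in with iptables -nvxL --line-numbers | report_firing_denies. The -x (--exact) flag matters: without it, large counters are abbreviated as 12K or 3M and the numeric comparison in awk no longer works.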
10. Set the default policy. To set the default policy of a given chain, the format is as follows:
# Set the default policy of the filter table's INPUT chain to DROP
[root@linux-01 ~]# iptables -t filter -P INPUT DROP
11. iptables rules: a small filter-table example
## Allow only the 192.168.141.0/24 network to reach port 22 on this machine, while ports 80 and 21 are open to all addresses ##
[root@linux-001 ~]# vim iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                                                         # flush the existing rules
$ipt -P INPUT DROP                                              # default policy: drop all inbound packets
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    # keep established sessions alive
$ipt -A INPUT -s 192.168.141.0/24 -p tcp --dport 22 -j ACCEPT   # SSH only from the LAN
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                       # HTTP open to everyone
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                       # FTP open to everyone
[root@linux-001 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 2060 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.141.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 20 packets, 1980 bytes)
pkts bytes target prot opt in out source destination
[root@linux-001 ~]#
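Steps 10 and 11 switch the INPUT policy to DROP through a sequence of separate iptables calls. Two things to watch there: between -P INPUT DROP and the RELATED,ESTABLISHED rule there is a window in which every inbound packet is dropped, and the script has no rule for the loopback interface, so with policy DROP local clients talking to 127.0.0.1 are cut off as well. The script below is an added example and not the post's own. It writes the same policy as the post's example (SSH only from 192.168.141.0/24, ports 80 and 21 open to all) in the iptables-restore format of /etc/sysconfig/iptables shown in step 1, lints it for the mistakes that lock an administrator out, and only then applies it atomically. The output file path, the environment variables and the lint checks are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not the post's own script): build the "SSH only from the LAN,
# 80 and 21 open to everyone" policy as an iptables-restore file, sanity-check it,
# and apply it in one step. Loading a file with iptables-restore means there is no
# moment where INPUT is already DROP but the RELATED,ESTABLISHED rule is missing.
# Network, ports and file path below are assumptions taken from the post's example.

MGMT_NET="${MGMT_NET:-192.168.141.0/24}"                 # hosts allowed to reach SSH
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 21}"            # services open to everyone
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/iptables.rules}"   # /etc/sysconfig/iptables on a real host

# Write the filter table in the same format as /etc/sysconfig/iptables.
write_ruleset() {
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        echo '-A INPUT -i lo -j ACCEPT'      # missing in the post's script: local services need this under policy DROP
        echo "-A INPUT -s $MGMT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
        for port in $PUBLIC_TCP_PORTS; do
            echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
        echo 'COMMIT'
    } > "$1"
}

# Return 0 if a ruleset with INPUT policy DROP still keeps the host reachable and usable.
# The checks are grep-based and intentionally simple: they catch lock-out mistakes, not every bad rule.
lint_ruleset() {
    f="$1"
    if grep -q '^:INPUT DROP' "$f"; then
        grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' "$f" \
            || { echo "lint: no RELATED,ESTABLISHED accept; existing sessions would stall" >&2; return 1; }
        grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" \
            || { echo "lint: loopback not allowed; local services would break" >&2; return 1; }
        grep -q -- '--dport 22 .*-j ACCEPT' "$f" \
            || { echo "lint: no SSH accept rule; you would lock yourself out" >&2; return 1; }
    fi
    grep -q '^COMMIT$' "$f" || { echo "lint: missing COMMIT" >&2; return 1; }
    return 0
}

write_ruleset "$RULES_FILE"
lint_ruleset "$RULES_FILE" && echo "ruleset ok: $RULES_FILE"
# On a real host, as root, once the lint passes:
#   iptables-restore --test < "$RULES_FILE" && iptables-restore < "$RULES_FILE" && service iptables save
```

The --test option of iptables-restore only parses the file and reports errors without touching the kernel tables; the second iptables-restore replaces the whole filter table in one transaction, and service iptables save keeps the result across reboots, as in step 3.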
## ICMP example: stop other machines from pinging this host ##
[root@linux-001 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@linux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 684 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 760 bytes)
pkts bytes target prot opt in out source destination
[root@linux-001 ~]#