SELinux
Temporarily disable
[root@linux-01 network-scripts]# setenforce 0
setenforce: SELinux is disabled
Permanently disable
[root@linux-01 network-scripts]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# change SELINUX=enforcing to SELINUX=disabled
# check the SELinux status
[root@linux-01 network-scripts]# getenforce
Disabled
netfilter and firewalld
CentOS 5 and 6 use netfilter; CentOS 7 switched to firewalld. Both support the iptables command for opening or closing a specified port.
Disable firewalld and switch to netfilter (iptables) on CentOS 7
1. Disable firewalld
[root@linux-01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
2. Stop the service
[root@linux-01 ~]# systemctl stop firewalld
3. Install iptables-services
[root@linux-01 ~]# yum install -y iptables-services
4. Enable and start the iptables service
[root@linux-01 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@linux-01 ~]# systemctl start iptables
[root@linux-01 ~]#
# rules that the iptables service ships with by default
[root@linux-01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The 5 netfilter tables
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
Detailed explanation of iptables (iptables详解) - 永志 - 博客园 https://www.cnblogs.com/metoy/p/4320813.html
iptables syntax
1. Restart iptables
# restart iptables ("restat" in the command below is a typo for "restart", which is why service only prints its usage hint; the correct command is service iptables restart, or systemctl restart iptables on CentOS 7)
[root@localhost yum.repos.d]# service iptables restat
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
[root@localhost yum.repos.d]#
2. Where the rules are saved
# default rules file
[root@localhost yum.repos.d]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
3. Flush the rules
[root@localhost etc]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# flush the rules
[root@localhost etc]# iptables -F
# no rules are listed any more, but the rules are still saved in /etc/sysconfig/iptables
[root@localhost etc]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Save the current rules to /etc/sysconfig/iptables
[root@localhost etc]# service iptables save
View the rules in the filter and nat tables
# filter table
[root@localhost etc]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
114 8643 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 77 packets, 9122 bytes)
pkts bytes target prot opt in out source destination
# nat table rules
[root@localhost etc]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Zero the counters
# zero the counters
# pkts (first column) is the number of packets that matched the rule and bytes (second column) the amount of data in bytes, e.g. 114 8643 in the listing above
[root@localhost etc]# iptables -Z; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Show rule numbers
[root@localhost etc]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 87 6444 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 62 packets, 8048 bytes)
num pkts bytes target prot opt in out source destination
Append a rule
# "-A" appends the rule at the end of the chain, so it is checked last; when its conditions overlap with an earlier rule, the earlier rule matches first
[root@localhost etc]# iptables -A INPUT -s 192.168.153.1 -p tcp --sport 1234 -d 192.168.153.128 --dport 80 -j DROP
[root@localhost etc]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
424 30700 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.153.1 192.168.153.128 tcp spt:1234 dpt:80
↑↑↑↑↑↑↑↑↑↑ # the rule added here ↑↑↑↑↑↑↑↑↑↑
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 25 packets, 4828 bytes)
pkts bytes target prot opt in out source destination
Method 2: insert a rule for a specified port
# "-I" inserts the rule at the top of the chain, so it is checked first
[root@localhost etc]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost etc]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
# ↑↑↑↑↑↑↑↑↑↑ # the rule added here ↑↑↑↑↑↑↑↑↑↑
554 39864 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Delete a rule
Delete a rule by its rule number
Default policy "-P"
When no rule in the INPUT or OUTPUT chain matches, the chain's default policy is used (shown as "(policy ACCEPT 21 )" in the chain header)
Script example
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.96.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
[root@linux-01 ~]# vim /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"  # use the absolute path when defining the variable
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT  # set the default policies
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # RELATED,ESTABLISHED keeps existing connections alive, so established sessions flow smoothly
$ipt -A INPUT -s 192.168.96.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
Block ping
Let this host ping the outside, but do not let the outside ping this host
# note: the arguments below are reversed; the correct form is service iptables restart (or systemctl restart iptables), which is why service only prints its usage hint
[root@linux-01 ~]# service restart iptables.service
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
[root@linux-01 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
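The ordering rules above ("-A" lands below the stock REJECT-all rule, "-I" lands above it, and a packet no rule matches falls to the "-P" policy) and the anti-ping rule fail silently when they are wrong, so here is an added example, not from the original notes or any project: a small shell simulator that evaluates INPUT rules written in the saved /etc/sysconfig/iptables syntax against a described packet. It assumes only the matches used on this page, exact port matches, and a constructed ruleset that is the iptables.sh script plus the ICMP type 8 rule on top.

```shell
#!/bin/bash
# Added example, not part of the original notes: a minimal first-match simulator
# for INPUT-chain rules in iptables-save syntax (the /etc/sysconfig/iptables format).
# Only the matches used in these notes are understood (-s -d -i -p --sport --dport
# --icmp-type -m state --state); it is a teaching aid, not real netfilter semantics.
# The page's iptables.sh as "service iptables save" persists it, plus the anti-ping "-I" rule on top (constructed).
SCRIPT_RULES='-A INPUT -p icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.96.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT'
# ip2int <dotted-quad>: the address as a 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
# in_net <ip> <ip-or-cidr>: true when ip is inside the network (a bare ip means /32)
in_net() {
  local net="${2%/*}" bits="${2#*/}" mask
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
# decide <rules> <policy> <proto> <src> <dst> <sport> <dport> <state> <iface> <icmp-type>
# Walks the rules top to bottom and prints the target of the first rule whose every
# match succeeds; if no rule matches, the chain's default policy ("-P") decides.
decide() {
  local rules="$1" policy="$2" proto="$3" src="$4" dst="$5" sport="$6" dport="$7"
  local state="$8" iface="$9" itype="${10}" line ok verdict
  while IFS= read -r line; do
    set -- $line; ok=1; verdict=""
    while [ $# -gt 0 ]; do
      case $1 in
        -A|-m|--reject-with) shift ;;   # chain name, module name, reject reason: no match
        -p)          [ "$2" = "$proto" ] || ok=0; shift ;;
        -s)          in_net "$src" "$2"  || ok=0; shift ;;
        -d)          in_net "$dst" "$2"  || ok=0; shift ;;
        -i)          [ "$2" = "$iface" ] || ok=0; shift ;;
        --sport)     [ "$2" = "$sport" ] || ok=0; shift ;;
        --dport)     [ "$2" = "$dport" ] || ok=0; shift ;;
        --icmp-type) [ "$2" = "$itype" ] || ok=0; shift ;;
        --state)     case ",$2," in *",$state,"*) ;; *) ok=0 ;; esac; shift ;;
        -j)          verdict="$2"; shift ;;
      esac
      shift
    done
    if [ "$ok" -eq 1 ] && [ -n "$verdict" ]; then echo "$verdict"; return 0; fi
  done <<EOF
$rules
EOF
  echo "$policy"
}
decide "$SCRIPT_RULES" DROP icmp 192.168.96.5 192.168.96.10 0 0 NEW eth0 8   # prints DROP
```

An inbound echo-reply to this host's own ping arrives as ESTABLISHED and is accepted by the state rule, while an inbound echo-request (type 8) hits the inserted DROP first; an appended port-80 DROP placed below the stock REJECT-all rule is never reached.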