I. iptables
1) Environment setup for the iptables experiments:
To keep the two firewall services (firewalld and iptables) from interfering with each other, do a little preparation before the iptables experiments:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl unmask iptables.service
systemctl start iptables.service
systemctl enable iptables.service
2) Order in which iptables firewall rules are read:
From top to bottom (the first rule that matches a packet decides).
3) Viewing the iptables firewall rules:
vim /etc/sysconfig/iptables ##the file in which the firewall rules are saved
A short explanation: take, for example, -A INPUT -p icmp -j ACCEPT
It means that traffic using the ICMP protocol is allowed in by default.
The most common example is ping.
4) Common iptables parameters:
iptables
-L: --list ##list the rules with name resolution (ports and addresses shown as names); slow
-nL: --numeric --list ##list the rules without name resolution; fast
-F: --flush ##flush the firewall, clearing all rules
-t: --table ##view (or operate on) a specific table
-A: --append ##append a rule, i.e. add it at the end of the chain
-I: --insert ##insert a rule, i.e. add it at the front of the chain
-R: --replace ##replace, i.e. modify the rule at the given position
##-R: Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-p: --protocol ##protocol
##The protocol of the rule or of the packet to check.
-P: --policy ##chain target
##Set the default policy of a built-in chain, i.e. what happens to a packet no rule matched.
-N: --new-chain ##create a new chain of your own
-E: --rename-chain ##rename a chain; only chains you created yourself can be renamed, the three built-in chains cannot
-X: --delete-chain ##delete a user-defined chain
##Delete the optional user-defined chain specified.
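The top-to-bottom evaluation described in 2) and the difference between -A and -I listed above are easiest to see by running rules through a small model. The script below is an added example, not part of the original notes: it holds a constructed rule set in the same format as /etc/sysconfig/iptables (modelled on the INPUT chain shown further down), evaluates a packet against a chain with first-match-wins semantics and the chain policy as fallback, and shows that a rule appended with -A after the closing REJECT is never reached, while the same rule inserted with -I is. The verdict, append_rule and insert_rule functions, the packet fields and the sample rules are this example's own assumptions; only the -p, -i, --dport and --state matches are modelled, and the real firewall is never touched.

```sh
#!/bin/sh
# Added example (not from the original notes): a minimal first-match model of
# iptables chain evaluation over rules in /etc/sysconfig/iptables format.
# RULES is a constructed sample modelled on the INPUT chain shown in these notes.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# verdict CHAIN PROTO DPORT STATE IFACE
# Walks CHAIN from top to bottom.  The first rule whose every match condition
# holds decides the verdict; if no rule matches, the chain policy from the
# ":CHAIN POLICY" line applies.  Only -p, -i, --dport and --state are modelled.
verdict() {
  printf '%s\n' "$RULES" | awk -v chain="$1" -v proto="$2" -v dport="$3" \
      -v state="$4" -v iface="$5" '
    $1 == (":" chain) { policy = $2; next }
    $1 == "-A" && $2 == chain && !decided {
      ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if      ($i == "-p"      && $(i+1) != proto) ok = 0
        else if ($i == "-i"      && $(i+1) != iface) ok = 0
        else if ($i == "--dport" && $(i+1) != dport) ok = 0
        else if ($i == "--state" && index("," $(i+1) ",", "," state ",") == 0) ok = 0
        else if ($i == "-j")     target = $(i+1)
      }
      if (ok) { result = target; decided = 1 }
    }
    END { print (decided ? result : policy) }'
}

# append_rule CHAIN 'MATCHES -j TARGET'  models "iptables -A": the rule goes
# after the chain's current last rule (before COMMIT if the chain is empty).
append_rule() {
  RULES=$(printf '%s\n' "$RULES" | awk -v chain="$1" -v rule="$2" '
    $1 == "-A" && $2 == chain { last = NR }
    $1 == "COMMIT" && !commit  { commit = NR }
    { line[NR] = $0 }
    END {
      for (n = 1; n <= NR; n++) {
        if (!last && n == commit) print "-A " chain " " rule
        print line[n]
        if (n == last) print "-A " chain " " rule
      }
    }')
}

# insert_rule CHAIN 'MATCHES -j TARGET'  models "iptables -I": the rule goes
# in front of the chain's first rule, so it is consulted before all of them.
insert_rule() {
  RULES=$(printf '%s\n' "$RULES" | awk -v chain="$1" -v rule="$2" '
    $1 == "-A" && $2 == chain && !done { print "-A " chain " " rule; done = 1 }
    $1 == "COMMIT" && !done           { print "-A " chain " " rule; done = 1 }
    { print }')
}

# Stand-alone demonstration; RULES is restored after each modification.
show() { printf '%-46s %s\n' "$1" "$2"; }
show "tcp/22 NEW from eth0 (ssh):"             "$(verdict INPUT tcp 22 NEW eth0)"
show "tcp/80 NEW from eth0 (http):"            "$(verdict INPUT tcp 80 NEW eth0)"
show "tcp/80 ESTABLISHED (reply traffic):"     "$(verdict INPUT tcp 80 ESTABLISHED eth0)"
show "icmp from eth0 (ping):"                  "$(verdict INPUT icmp - NEW eth0)"
show "OUTPUT chain, no rules, policy decides:" "$(verdict OUTPUT tcp 80 NEW eth0)"
saved=$RULES
append_rule INPUT '-p tcp --dport 80 -j ACCEPT'
show "after -A INPUT ... --dport 80 (dead rule):" "$(verdict INPUT tcp 80 NEW eth0)"
RULES=$saved
insert_rule INPUT '-p tcp --dport 80 -j ACCEPT'
show "after -I INPUT ... --dport 80:"           "$(verdict INPUT tcp 80 NEW eth0)"
RULES=$saved
```

The script never calls iptables, so it runs anywhere; the lesson carries over directly: on a chain that ends in a catch-all REJECT, a new allow rule must be inserted with -I (optionally with a position, -I INPUT N) rather than appended with -A, otherwise it sits behind the REJECT as a dead rule that -nL will still list as if it were in effect.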
Demonstration of a few of the parameters:
-L
[root@localhost Desktop]# iptables -L ##list with name resolution; slow
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-nL
[root@localhost Desktop]# iptables -nL ##list without name resolution; fast
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
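For scripting and auditing, -nL is the form to parse: the names in -L output depend on /etc/services and DNS ("ssh" versus "22", "anywhere" versus 0.0.0.0/0), while the numeric listing is stable. The shell functions below are an added example, not from the original notes; they read the -nL listing above (embedded as a constructed string) and answer the questions a reviewer of this host would ask: what is each chain's default policy, which ports are accepted, and does the chain end in a REJECT or DROP so that unmatched traffic is refused rather than falling through to an ACCEPT policy? The function names and the "open"/"closed" labels are this example's own.

```sh
#!/bin/sh
# Added example (not from the original notes): auditing "iptables -nL" output.
# LISTING is a constructed copy of the numeric listing shown in these notes.
LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_policy CHAIN -> the default policy from the "Chain X (policy Y)" header
chain_policy() {
  printf '%s\n' "$LISTING" | awk -v chain="$1" '
    $1 == "Chain" && $2 == chain { sub(/\)$/, "", $4); print $4 }'
}

# open_ports CHAIN -> one "proto/port" per line for every ACCEPT rule that
# carries a dpt: match (field 6 onwards holds the match extensions)
open_ports() {
  printf '%s\n' "$LISTING" | awk -v chain="$1" '
    $1 == "Chain" { cur = $2; next }
    cur == chain && $1 == "ACCEPT" {
      for (i = 6; i <= NF; i++) if (sub(/^dpt:/, "", $i)) print $2 "/" $i
    }'
}

# last_rule_target CHAIN -> target of the chain's final rule, "" if it has none
last_rule_target() {
  printf '%s\n' "$LISTING" | awk -v chain="$1" '
    $1 == "Chain" { cur = $2; next }
    $1 == "target" || NF == 0 { next }
    cur == chain { last = $1 }
    END { print last }'
}

# audit_chain CHAIN -> "closed" when traffic matched by no earlier rule is
# refused (terminal REJECT/DROP rule, or a non-ACCEPT policy), "open" when
# it falls through to an ACCEPT policy.
audit_chain() {
  case "$(last_rule_target "$1")" in
    REJECT|DROP) echo closed ;;
    *) [ "$(chain_policy "$1")" = ACCEPT ] && echo open || echo closed ;;
  esac
}

# Stand-alone demonstration over the constructed listing.
for c in INPUT FORWARD OUTPUT; do
  echo "$c: policy $(chain_policy "$c"), last rule '$(last_rule_target "$c")' -> $(audit_chain "$c")"
done
echo "ports accepted on INPUT: $(open_ports INPUT | tr '\n' ' ')"
```

On the listing shown, INPUT and FORWARD are closed by their final REJECT rules, while OUTPUT has no rules at all and relies on its ACCEPT policy, which is the usual choice for a host firewall but is exactly the kind of fall-through this check is meant to make visible.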