一.火墙的基础知识
火墙是位于内部网和外部网之间的一个屏障,按照系统管理员预先设定好的规则,管理数据的进出。火墙属于系统的第一道防线,目的是为了防止非法用户进入
系统对火墙提供了两种管理方式firewalld及iptables
二.火墙的管理–firewalld
1.firewalld管理模式
firewalld 将配置储存在 /usr/lib/firewalld/ 和 /etc/firewalld/ 中的各种 XML 文件里
firewalld提供图形界面管理(firewall-config)以及命令管理(firewall-cmd)
2.firewalld的图形界面管理
3.firewalld的命令管理firewall-cmd
(1)火墙的开启
注意:使用firewall管理火墙时,为了避免与iptables发生冲突,则需要先关闭iptables服务,再开启firewalld服务
[root@server ~]# systemctl stop iptables ##关闭iptables
[root@server ~]# systemctl mask iptables ##锁定iptables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@server ~]# systemctl disable iptables ##设置iptables开机不自启
[root@server ~]# systemctl start firewalld ##开启firewalld服务
[root@server ~]# systemctl enable firewalld ##设置其开机自启
[root@server ~]# systemctl status firewalld ##显示其状态
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2019-05-19 05:49:28 EDT; 12min ago
Main PID: 490 (firewalld)
CGroup: /system.slice/firewalld.service
└─490 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
May 19 05:49:28 server.luck.com systemd[1]: Started firewalld - dynamic fire....
May 19 06:01:59 server.luck.com systemd[1]: Started firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.
(2)火墙中域的查看与设置
[root@server ~]# firewall-cmd --get-zones ##查看所有的域
ROL block dmz drop external home internal public trusted work
[root@server ~]# firewall-cmd --get-default-zone ##查看默认的域
public
[root@server ~]# firewall-cmd --set-default-zone=work ##设置默认的域
success
[root@server ~]# firewall-cmd --get-default-zone
work
[root@server ~]# firewall-cmd --set-default-zone=public
success
[root@server ~]# firewall-cmd --state ##查看火墙的状态
running ##开启为running ;关闭为not running
[root@server ~]# systemctl stop firewalld.service
[root@server ~]# firewall-cmd --state
not running
(3)查看域的火墙策略
[root@server ~]# firewall-cmd --list-all ##查看域的所有火墙策略,未指定域则查看系统默认域的火墙策略
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --list-all --zone=work ##查看指定域的所有火墙策略
work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --list-service --zone=public ##查看指定域的某一项策略(服务)
dhcpv6-client ssh
[root@server ~]# firewall-cmd --list-ports --zone=public ##查看指定域的端口开放策略
[root@server ~]# firewall-cmd --list-all-zones ##查看所有域的火墙策略
ROL
interfaces:
sources: 172.25.0.252/32
services: ssh vnc-server
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --get-services ##查看火墙可以添加的所有服务(对应/usr/lib/firewalld/services/下的xml文件)
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
(4)火墙策略的设置
1)添加服务
[root@server ~]# firewall-cmd --add-service=http ##临时添加服务http
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http ssh ##http添加成功
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --reload ##重新加载火墙
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh ##临时添加的服务消失
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --add-service=http --permanent ##永久添加服务
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http ssh ##重新加载后永久添加的服务依然有效
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
2)添加端口
[root@server ~]# firewall-cmd --add-port=8080/tcp ##临时添加端口8080
success
[root@server ~]# firewall-cmd --add-port=5423/tcp --permanent ##永久添加端口5423
success
[root@server ~]# firewall-cmd --reload ##重新加载服务
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp ##临时添加的端口无效,永久添加的依然存在
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
3)添加/移除网络接口以及改变网络接口的域
[root@server ~]# ifconfig eth0 ##查看网卡eth0的ip
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.4.105 netmask 255.255.255.0 broadcast 172.25.4.255
inet6 fe80::5054:ff:fe00:40a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:04:0a txqueuelen 1000 (Ethernet)
RX packets 76 bytes 10612 (10.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 8752 (8.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@server ~]# ifconfig eth1 ##查看网卡eth1网卡的ip
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.4.205 netmask 255.255.255.0 broadcast 172.25.4.255
inet6 fe80::5054:ff:fe46:879c prefixlen 64 scopeid 0x20<link>
ether 52:54:00:46:87:9c txqueuelen 1000 (Ethernet)
RX packets 40 bytes 4985 (4.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29 bytes 3991 (3.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@server ~]# firewall-cmd --list-all ##查看默认域的策略
public (default, active)
interfaces: eth0 eth1 ##两块网卡均包含在里面
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --remove-interface=eth1 --zone=public ##将网卡eth1从默认域移出
success
[root@server ~]# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --add-interface=eth1 --zone=block ##将eth1网卡添加到指定域block中
success
[root@server ~]# firewall-cmd --list-all --zone=block
block
interfaces: eth1
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --change-interface=eth1 --zone=public ##将网卡eth1所属的域改为public,无需先从block域移除
success
[root@server ~]# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: eth0 eth1 ##修改成功
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --list-all --zone=block
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
4)添加/移除指定ip通过指定的域访问系统
[root@server ~]# firewall-cmd --list-all ##此时默认域中无ssh服务,则通过外在主机无法连接此主机
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http
ports: 5423/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
ssh: connect to host 172.25.4.105 port 22: No route to host
[root@server ~]# firewall-cmd --add-source=172.25.4.250/24 --zone=trusted
success ##将该ip所在的172.25.4.0/24整个网段添加到trusted域中(trusted域放行所有流量;若只想信任单台主机,应使用/32掩码)
[root@server ~]# firewall-cmd --list-all --zone=trusted
trusted
interfaces:
sources: 172.25.4.250/24 ##添加成功
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
此时主机通过该域的策略可以通过ssh服务连接此主机
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 07:16:20 2019 from 172.25.4.250
5)重新加载火墙配置
[root@server ~]# firewall-cmd --reload ##重新加载永久配置,临时添加的策略丢失;已建立的连接即使其依据的策略已失效,仍会继续保持
success
[root@server ~]# firewall-cmd --complete-reload ##重新加载并重置连接状态,依据已失效策略建立的连接会立即中断
success
6)firewalld策略储存文件
[root@server ~]# cd /etc/firewalld/zones/ ##关于火墙域的策略储存在此目录下的xml文件中
[root@server zones]# ls
public.xml public.xml.old ROL.xml
[root@server zones]# vim public.xml
[root@server zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
<port protocol="tcp" port="5423"/>
</zone>
[root@server zones]# cd /usr/lib/firewalld/services/ ##关于火墙服务的所有策略储存在此目录的xml文件中
[root@server services]# ls
amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml
bacula-client.xml ipp.xml nfs.xml samba-client.xml
bacula.xml ipsec.xml ntp.xml samba.xml
dhcpv6-client.xml kerberos.xml openvpn.xml smtp.xml
dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml
dhcp.xml ldaps.xml pmproxy.xml telnet.xml
dns.xml ldap.xml pmwebapis.xml tftp-client.xml
ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml
high-availability.xml libvirt.xml pop3s.xml transmission-client.xml
https.xml mdns.xml postgresql.xml vnc-server.xml
http.xml mountd.xml proxy-dhcp.xml wbem-https.xml
imaps.xml ms-wbt.xml radius.xml
注意:直接修改xml文件同样可以管理火墙策略,但修改后需执行firewall-cmd --reload才会生效;应修改/etc/firewalld/下的配置,而不是/usr/lib/firewalld/下的默认文件
7)火墙中端口的转换
在访问某一端口时会将端口直接转到另外一个端口上
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --add-forward-port=port=5423:proto=tcp:toport=80
success ##将访问本机5423端口时主动转到80端口上
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: no
forward-ports: port=5423:proto=tcp:toport=80:toaddr=
icmp-blocks:
rich rules:
[root@server ~]# cd /var/www/html
[root@server html]# ls
[root@server html]# vim index.html
[root@server html]# cat index.html
<h1>平平仄仄</h1>
8)地址的伪装
实验环境:
客户主机ip:1.1.1.111/24 网关:1.1.1.105/24
路由器主机ip:172.25.4.105/24 1.1.1.105/24
目标主机ip:172.25.4.250
路由端的设置
[root@server ~]# firewall-cmd --permanent --add-masquerade ##添加路由端口masquerade
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: yes ##添加成功
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
在客户主机端登录目标主机成功,并在目标主机查看登录的主机ip为路由器主机的ip
9)端口的转发
在以上实验中,目标主机认为连接自己的主机为172.25.4.105,并不知道客户主机的存在,所以需要返回数据的时候,会直接将数据包发送给172.25.4.105主机。但是该数据包本来应该是给客户主机1.1.1.111的。
因此需要设置端口转发,使目标主机访问172.25.4.105主机某端口的数据包被自动转发到客户主机的相应端口。
路由主机端进行设置
[root@server ~]# firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=1.1.1.111
success ##设置将访问本机22端口的数据包转发给1.1.1.111主机
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=1.1.1.111 ##设置成功
icmp-blocks:
rich rules:
使用目标主机去连接路由主机时自动转至客户主机
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 08:16:13 2019
[root@client ~]# ifconfig ##ip为客户主机的ip
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.111 netmask 255.255.255.0 broadcast 1.1.1.255
inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)
RX packets 458 bytes 49409 (48.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 474 bytes 43036 (42.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 784 bytes 65432 (63.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 784 bytes 65432 (63.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(5)firewall的高级规则
filter 表:一般的过滤功能,对发送给本机的数据进行过滤处理。
该表中存在三条链:
INPUT :通过路由之后数据包目的地为为本机。
FORWARD :通过路由表之后数据包目的地不为本机。
OUTPUT :由本机产生的,向外进行转发。
nat 表 :用于nat功能(端口转换,地址伪装等)
该表中存在四条链:
INPUT :数据包进入本机,但是目的地不为本机。
PREROUTING :数据包进入路由表之前
POSTROUTING :数据包进入路由表之后,发送到网卡接口之前
OUTPUT :不由本机产生,向外进行转发。
mangle 表 : 备用表
设置filter表的策略
使用设置filter表对数据包进行筛选限制,一般在INPUT 链上进行设置,直接对进入本机的数据包权限进行设置
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT ##添加规则到filter表的INPUT链第一条,允许172.25.4.250主机访问22端口
success
[root@server ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT
172.25.4.250进行访问成功
[kiosk@foundation4 ~]$ ip addr show br0
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b8:2a:72:ba:72:06 brd ff:ff:ff:ff:ff:ff
inet 172.25.4.250/24 brd 172.25.4.255 scope global br0
valid_lft forever preferred_lft forever
inet 172.25.254.4/24 brd 172.25.254.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::cf0:6bff:fe75:a46e/64 scope link
valid_lft forever preferred_lft forever
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 07:47:53 2019 from 172.25.4.250
由于在火墙策略中允许ssh服务,并且在高级规则中允许特定的ip固定访问22端口,所以造成的结果是所有同一网段的ip均可以进行连接
将ssh服务从火墙策略中撤销,仅允许特定主机对其进行连接,再次实验
[root@server ~]# firewall-cmd --remove-service=ssh
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http
ports: 5423/tcp
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT
[root@client ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.4.205 netmask 255.255.255.0 broadcast 172.25.4.255
inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)
RX packets 1198 bytes 121348 (118.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1222 bytes 101618 (99.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@client ~]# ssh root@172.25.4.105 ##其他主机去连接则失败
ssh: connect to host 172.25.4.105 port 22: No route to host
将设置的规则删除,则此规则内的主机无法连接此主机
[root@server ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT
success
[root@server ~]# firewall-cmd --direct --get-all-rules
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
ssh: connect to host 172.25.4.105 port 22: No route to host ##无法连接设置成功
设置除过某主机以外的所有主机均可以对此主机进行连接
[root@server ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 ! -s 172.25.4.250 -j ACCEPT
success
[root@server ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 22 '!' -s 172.25.4.250 -j ACCEPT
[kiosk@foundation4 ~]$ ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.4.250 netmask 255.255.255.0 broadcast 172.25.4.255
inet6 fe80::cf0:6bff:fe75:a46e prefixlen 64 scopeid 0x20<link>
ether b8:2a:72:ba:72:06 txqueuelen 1000 (Ethernet)
RX packets 4953 bytes 552324 (539.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7399 bytes 699516 (683.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[kiosk@foundation4 ~]$ ssh root@172.25.4.105 ##172.25.4.250主机连接此主机失败
ssh: connect to host 172.25.4.105 port 22: No route to host
[root@client ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.4.205 netmask 255.255.255.0 broadcast 172.25.4.255
inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)
RX packets 1302 bytes 132683 (129.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1286 bytes 110499 (107.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@client ~]# ssh root@172.25.4.105 ##其他主机连接此主机成功
The authenticity of host '172.25.4.105 (172.25.4.105)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.4.105' (ECDSA) to the list of known hosts.
root@172.25.4.105's password:
Last login: Sun May 19 08:55:30 2019 from 172.25.4.250
三.火墙的管理–iptables
作用
可以对 filter 表 nat 表 中对应链上的规则进行查看 增加 修改 删除等操作
常用命令
iptables
-t ##指定表的名称
-n ##不做解析,默认在做解析
-L ##列出指定表格的策略
-A ##增加策略
-p ##网络协议
–dport ##端口
-s ##数据来源
-j ##动作
ACCEPT ##允许
REJECT ##拒绝
DROP ##丢弃
-N ##增加链
-E ##修改链名称
-X ##删除链
-D ##删除指定策略
-I ##插入
-R ##修改策略
-P ##修改默认策略
1.iptables的开启
[root@server ~]# systemctl unmask iptables.service ##解锁iptables服务
rm '/etc/systemd/system/iptables.service'
[root@server ~]# systemctl start iptables.service ##开启此服务
[root@server ~]# systemctl enable iptables.service ##开机自动启动
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@server ~]# systemctl status iptables.service ##此时状态为开启
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Sun 2019-05-19 11:50:36 EDT; 30s ago
Main PID: 8756 (code=exited, status=0/SUCCESS)
May 19 11:50:36 server.luck.com iptables.init[8756]: iptables: Applying firew...
May 19 11:50:36 server.luck.com systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@server ~]# systemctl status firewalld.service ##iptables服务开启后,firewalld服务自动关闭
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: inactive (dead) since Sun 2019-05-19 11:50:37 EDT; 38s ago
Main PID: 2971 (code=exited, status=0/SUCCESS)
May 19 07:34:17 server.luck.com systemd[1]: Starting firewalld - dynamic fir....
May 19 07:34:18 server.luck.com systemd[1]: Started firewalld - dynamic fire....
May 19 11:50:36 server.luck.com systemd[1]: Stopping firewalld - dynamic fir....
May 19 11:50:37 server.luck.com systemd[1]: Stopped firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.
2.查看规则以及保存规则
(1) iptables -t filter -L ##查看filter表的规则,-t 指定表-L查看规则
[root@server ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(2) iptables -t filter -nL ##以数字形式查看表的规则(不做地址和端口解析),-n:不做解析
[root@server ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(3) iptables -t filter -F ##清除filter表中所有链的规则,-F:清除。注意:清除后各链的默认策略仍为ACCEPT且不再有任何规则,此时所有访问均被放行,需重新添加规则
[root@server ~]# iptables -t filter -F
[root@server ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(4)iptables的保存
1) iptables-save ##以文本形式输出当前规则,默认只打印到标准输出,并不会自动持久化
[root@server ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sun May 19 12:05:46 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun May 19 12:05:46 2019
# Generated by iptables-save v1.4.21 on Sun May 19 12:05:46 2019
*filter
:INPUT ACCEPT [40:2780]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:2264]
COMMIT
# Completed on Sun May 19 12:05:46 2019
2) iptables-save > /iptables ##将输出的规则重定向保存到指定文件中;iptables服务启动时只读取/etc/sysconfig/iptables,自定义文件需用iptables-restore手动恢复
[root@server ~]# iptables-save > /iptables
[root@server ~]# cat /iptables
# Generated by iptables-save v1.4.21 on Sun May 19 12:06:04 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun May 19 12:06:04 2019
# Generated by iptables-save v1.4.21 on Sun May 19 12:06:04 2019
*filter
:INPUT ACCEPT [69:4808]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:4048]
COMMIT
# Completed on Sun May 19 12:06:04 2019
3)service iptables save ##默认保存文件在/etc/sysconfig/iptables
[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
3.规则的设定(增加、删除、修改)
1)增加规则
[root@server ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT ##允许22端口访问
[root@server ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP ##对22端口访问不予回应
[root@server ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT ##拒绝22端口访问
注意:添加的规则按照先后顺序排列,当对同一个目标添加多条规则之后,按照最靠前的规则进行执行,后面的将会无效,以上三条中ACCEPT 生效
2)插入规则
[root@server ~]# iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT ##默认插入到第一条规则
[root@server ~]# iptables -t filter -I INPUT 3 -p tcp --dport 80 -j REJECT ##指定插入第3条规则
3)设置表中的链
[root@server ~]# iptables -N luck ##增加新的链luck
[root@server ~]# iptables -E luck LUCK ##更改链名称
[root@server ~]# iptables -X LUCK ##删除此链
[root@server ~]# iptables -P INPUT DROP ##修改INPUT链的默认策略为DROP(远程操作时务必先添加允许ssh及已建立连接的规则,否则会失去连接)
[root@server ~]# iptables -P INPUT ACCEPT ##修改默认链的状态为ACCEPT
注意:默认链状态只可以修改为DROP或ACCEPT,不可以修改为REJECT
4)删除及修改某一链中的规则
[root@server ~]# iptables -R INPUT 1 -p tcp --dport 80 -j DROP ##修改链中第一条规则ACCEPT为DROP
[root@server ~]# iptables -D INPUT 1 ##删除链中第一条规则
5)设置只允许特定的访问及已经访问过的可以再次访问
[root@server ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ##允许状态为之前访问过的以及正在访问的可以连接此主机
[root@server ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT ##允许访问本机回环接口的新连接访问
[root@server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT ##允许访问本机22端口的新链接
[root@server ~]# iptables -A INPUT -m state --state NEW -j REJECT ##其余访问均被拒绝
用新的访问去访问本机的80端口则会被拒绝
4.地址的伪装
实验环境:
客户主机ip:1.1.1.111/24 网关:1.1.1.105/24
路由器主机ip:172.25.4.105/24 1.1.1.105/24
目标主机ip:172.25.4.250
路由端的设置(与firewalld的地址伪装一样,需要开启内核转发 net.ipv4.ip_forward = 1)
[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.4.105 ##将经过路由之后输出到eth0的数据包ip转换为172.25.4.105
[root@server ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.4.105
客户端去连接目标主机成功,并且看到的ip为路由服务端主机的ip172.25.4.105
5.目的地地址的转换
[root@server ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT -p tcp --dport 22 --to-dest 1.1.1.111 ##将eth0进入本机的数据包在路由之前转发到ip为1.1.1.111的主机
[root@server ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:1.1.1.111
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.4.105
目标主机去连接172.25.4.105,此时自动转到1.1.1.111的主机
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 09:10:03 2019 from 172.25.4.250
[root@client ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.111 netmask 255.255.255.0 broadcast 1.1.1.255
inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)
RX packets 437 bytes 44085 (43.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 380 bytes 30460 (29.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 784 bytes 65444 (63.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 784 bytes 65444 (63.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0