Linux--火墙管理
2024-06-21 02:54:48
一.火墙的基础知识
火墙是位于内部网和外部网之间的一个屏障,按照系统管理员预先设定好的规则,管理数据的输出。火墙属于系统的第一道防线,目的是为了防止非法用户进入
系统对火墙提供了两种管理方式firewalld及iptables
二.火墙的管理–firewalld
1.firewalld管理模式
firewalld 将配置储存在 /usr/lib/firewalld/ 和 /etc/firewalld/ 中的各种 XML 文件里
firewalld提供图形界面管理(firewall-config)以及命令管理(firewall-cmd)
2.firewalld的图形界面管理
3.firewalld的命令管理firewall-cmd
(1)火墙的开启
注意:使用firewall管理火墙时,为了避免与iptables发生冲突,则需要先关闭iptables服务,再开启firewalld服务
[root@server ~]# systemctl stop iptables ##关闭iptables
[root@server ~]# systemctl mask iptables ##锁定iptables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@server ~]# systemctl disable iptables ##设置iptables开机不自启
[root@server ~]# systemctl start firewalld ##开启firewalld服务
[root@server ~]# systemctl enable firewalld ##设置其开机自启
[root@server ~]# systemctl status firewalld ##显示其状态
firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)Active: active (running) since Sun 2019-05-19 05:49:28 EDT; 12min agoMain PID: 490 (firewalld)CGroup: /system.slice/firewalld.service└─490 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopidMay 19 05:49:28 server.luck.com systemd[1]: Started firewalld - dynamic fire....
May 19 06:01:59 server.luck.com systemd[1]: Started firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.
(2)火墙中域的查看与设置
[root@server ~]# firewall-cmd --get-zones ##查看所有的域
ROL block dmz drop external home internal public trusted work
[root@server ~]# firewall-cmd --get-default-zone ##查看默认的域
public
[root@server ~]# firewall-cmd --set-default-zone=work ##设置默认的域
success
[root@server ~]# firewall-cmd --get-default-zone
work
[root@server ~]# firewall-cmd --set-default-zone=public
success
[root@server ~]# firewall-cmd --state ##查看火墙的状态
running ##开启为running ;关闭为not running
[root@server ~]# systemctl stop firewalld.service
[root@server ~]# firewall-cmd --state
not running
(3)查看域的火墙策略
[root@server ~]# firewall-cmd --list-all ##查看域的所有火墙策略,未指定则未查看系统默认域的火墙策略
public (default, active)interfaces: eth0sources: services: dhcpv6-client sshports: masquerade: noforward-ports: icmp-blocks: rich rules:
[root@server ~]# firewall-cmd --list-all --zone=public
public (default, active)interfaces: eth0sources: services: dhcpv6-client sshports: masquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --list-all --zone=work ##查看指定域的所有火墙策略
workinterfaces: sources: services: dhcpv6-client ipp-client sshports: masquerade: noforward-ports: icmp-blocks: rich rules:
[root@server ~]# firewall-cmd --list-service --zone=public ##查看指定域的某一项策略(服务)
dhcpv6-client ssh
[root@server ~]# firewall-cmd --list-ports --zone=public ##查看指定域的端口开放策略
[root@server ~]# firewall-cmd --list-all-zones ##查看所有域的火墙策略
ROLinterfaces: sources: 172.25.0.252/32services: ssh vnc-serverports: masquerade: noforward-ports: icmp-blocks: rich rules: blockinterfaces: sources: services: ports: masquerade: noforward-ports: icmp-blocks: rich rules: dmzinterfaces: sources: services: sshports: masquerade: noforward-ports: icmp-blocks: rich rules:
[root@server ~]# firewall-cmd --get-services ##此看看火墙可以添加的所有服务
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
(4)火墙策略的设置
1)添加服务
[root@server ~]# firewall-cmd --add-service=http ##临时添加服务http
success
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0sources: services: dhcpv6-client http ssh ##http添加成功ports: masquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --reload ##重新加载火墙
success
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0sources: services: dhcpv6-client ssh ##临时添加的服务消失ports: masquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --add-service=http --permanent ##永久添加服务
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0sources: services: dhcpv6-client http ssh ##重新加载后永久添加的服务依然有效ports: masquerade: noforward-ports: icmp-blocks: rich rules:
2)添加端口
[root@server ~]# firewall-cmd --add-port=8080/tcp ##临时添加端口8080
success
[root@server ~]# firewall-cmd --add-port=5423/tcp --permanent ##永久添加端口5423
success
[root@server ~]# firewall-cmd --reload ##重新加载服务
success
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0sources: services: dhcpv6-client http sshports: 5423/tcp ##临时添加的端口无效,永久添加的依然存在masquerade: noforward-ports: icmp-blocks: rich rules:
3)添加/移除网络接口以及改变网络接口的域
[root@server ~]# ifconfig eth0 ##查看网卡eth0的ip
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 172.25.4.105 netmask 255.255.255.0 broadcast 172.25.4.255inet6 fe80::5054:ff:fe00:40a prefixlen 64 scopeid 0x20<link>ether 52:54:00:00:04:0a txqueuelen 1000 (Ethernet)RX packets 76 bytes 10612 (10.3 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 57 bytes 8752 (8.5 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[root@server ~]# ifconfig eth1 ##查看网卡eth1网卡的ip
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 172.25.4.205 netmask 255.255.255.0 broadcast 172.25.4.255inet6 fe80::5054:ff:fe46:879c prefixlen 64 scopeid 0x20<link>ether 52:54:00:46:87:9c txqueuelen 1000 (Ethernet)RX packets 40 bytes 4985 (4.8 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 29 bytes 3991 (3.8 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[root@server ~]# firewall-cmd --list-all ##查看默认域的策略
public (default, active)interfaces: eth0 eth1 ##两块网卡均包含在里面sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --remove-interface=eth1 --zone=public ##将网卡eth1从默认域移出
success
[root@server ~]# firewall-cmd --list-all --zone=public
public (default, active)interfaces: eth0sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --add-interface=eth1 --zone=block ##将eth1网卡添加到指定域block中
success
[root@server ~]# firewall-cmd --list-all --zone=block
block interfaces: eth1sources: services: dhcpv6-client ipp-client sshports: masquerade: noforward-ports: icmp-blocks: rich rules:
[root@server ~]# firewall-cmd --change-interface=eth1 --zone=public ##修改网络端口为eth1
success
[root@server ~]# firewall-cmd --list-all --zone=public
public (default, active)interfaces: eth0 eth1 ##修改成功sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --list-all --zone=block
blockinterfaces: sources: services: ports: masquerade: noforward-ports: icmp-blocks: rich rules:
4)添加/移除指定ip通过指定的域访问系统
[root@server ~]# firewall-cmd --list-all ##此时默认域中无ssh服务,则通过外在主机无法连接此主机
public (default, active)interfaces: eth0 eth1sources: services: dhcpv6-client httpports: 5423/tcpmasquerade: noforward-ports: icmp-blocks: rich rules:
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
ssh: connect to host 172.25.4.105 port 22: No route to host
[root@server ~]# firewall-cmd --add-source=172.25.4.250/24 --zone=trusted
success ##将固定ip添加到trusted域中
[root@server ~]# firewall-cmd --list-all --zone=trusted
trustedinterfaces: sources: 172.25.4.250/24 ##添加成功services: ports: masquerade: noforward-ports: icmp-blocks: rich rules:
此时主机通过该域的策略可以通过ssh服务连接此主机
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 07:16:20 2019 from 172.25.4.250
5)重新加载火墙配置
[root@server ~]# firewall-cmd --reload ##重新加载后对正在使用但已经失效的策略会依旧使用
success
[root@server ~]# firewall-cmd --complete-reload ##重新加载后对正在使用但失效的策略会立即停止无法使用
success
6)firewalld策略储存文件
[root@server ~]# cd /etc/firewalld/zones/ ##关于火墙域的策略储存在此目录下的xml文件中
[root@server zones]# ls
public.xml public.xml.old ROL.xml
[root@server zones]# vim public.xml
[root@server zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="dhcpv6-client"/><service name="http"/><service name="ssh"/><port protocol="tcp" port="5423"/>
</zone>
[root@server zones]# cd /usr/lib/firewalld/services/ ##关于火墙服务的所有策略储存在此目录的xml文件中
[root@server services]# ls
amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml
bacula-client.xml ipp.xml nfs.xml samba-client.xml
bacula.xml ipsec.xml ntp.xml samba.xml
dhcpv6-client.xml kerberos.xml openvpn.xml smtp.xml
dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml
dhcp.xml ldaps.xml pmproxy.xml telnet.xml
dns.xml ldap.xml pmwebapis.xml tftp-client.xml
ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml
high-availability.xml libvirt.xml pop3s.xml transmission-client.xml
https.xml mdns.xml postgresql.xml vnc-server.xml
http.xml mountd.xml proxy-dhcp.xml wbem-https.xml
imaps.xml ms-wbt.xml radius.xml
注意:对xml文件进行修改同样也可以起到管理火墙策略的作用
7)火墙中端口的转换
在访问某一端口时会将端口直接转到另外一个端口上
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0 eth1sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: noforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --add-forward-port=port=5423:proto=tcp:toport=80
success ##将访问本机5423端口时主动转到80端口上
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0 eth1sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: noforward-ports: port=5423:proto=tcp:toport=80:toaddr=icmp-blocks: rich rules:
[root@server ~]# cd /var/www/html
[root@server html]# ls
[root@server html]# vim index.html
[root@server html]# cat index.html
<h1>平平仄仄</h1>
8)地址的伪装
实验环境:
客户主机ip:1.1.1.111/24 网关:1.1.1.105/24
路由器主机ip:172.25.4.105/24 1.1.1.105/24
目标主机ip:172.25.4.250
路由端的设置
[root@server ~]# firewall-cmd --permanent --add-masquerade ##添加路由端口masquerade
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports: 5423/tcp
masquerade: yes ##添加成功
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
在客户主机端登录目标主机成功,并在目标主机查看登录的主机ip为路由器主机的ip
9)端口的转发
在以上实验中,目标主机认为连接自己的主机为172.25.4.105,并不知道客户主机的存在,所以需要返回数据的时候,会直接数据包发送给172.25.4.105 主机。但是该数据包本来应该是给客户主机1.1.1.111的。
需要设置端口转发,将目标主机访问 172.25.4.105 主机的 端口时候 自动转发到访问客户主机的相应端口。
路由主机端进行设置
[root@server ~]# firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=1.1.1.111
success ##设置将访问本机22端口的数据包大宝转发给1.1.1.111主机
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0 eth1sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: yesforward-ports: port=22:proto=tcp:toport=22:toaddr=1.1.1.111 ##设置成功icmp-blocks: rich rules:
使用目标主机去连接路由主机时自动转至客户主机
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 08:16:13 2019
[root@client ~]# ifconfig ##ip为客户主机的ip
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 1.1.1.111 netmask 255.255.255.0 broadcast 1.1.1.255inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)RX packets 458 bytes 49409 (48.2 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 474 bytes 43036 (42.0 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 0 (Local Loopback)RX packets 784 bytes 65432 (63.8 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 784 bytes 65432 (63.8 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(5)firewall的高级规则
filter 表:一般的过滤功能,对发送给本机的数据进行过滤处理。
该表中存在三条链:
INPUT :通过路由之后数据包目的地为为本机。
FORWARD :通过路由表之后数据包目的地不为本机。
OUTPUT :由本机产生的,向外进行转发。
nat 表 :用于nat功能(端口转换,地址伪装等)
该表中存在四条链:
INPUT :数据包进入本机,但是目的地不为本机。
PREROUTING :数据包进入路由表之前
POSTOUTING :数据包进入路由表之后,发送到网卡接口之前
OUTPUT :不由本机产生,向外进行转发。
mangle 表 : 备用表
设置filter表的策略
使用设置filter表对数据包进行筛选限制,一般在INPUT 链上进行设置,直接对进入本机的数据包权限进行设置
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0 eth1sources: services: dhcpv6-client http sshports: 5423/tcpmasquerade: yesforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT ##添加规则到filter表的INPUT链第一条,允许172.25.4.250主机访问22端口
success
[root@server ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT
172.25.4.250进行访问成功
[kiosk@foundation4 ~]$ ip addr show br0
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000link/ether b8:2a:72:ba:72:06 brd ff:ff:ff:ff:ff:ffinet 172.25.4.250/24 brd 172.25.4.255 scope global br0valid_lft forever preferred_lft foreverinet 172.25.254.4/24 brd 172.25.254.255 scope global br0valid_lft forever preferred_lft foreverinet6 fe80::cf0:6bff:fe75:a46e/64 scope link valid_lft forever preferred_lft forever
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 07:47:53 2019 from 172.25.4.250
由于在火墙策略中允许ssh服务,并且在高级规则中允许特定的ip固定访问22端口,所以造成的结果是所有同一网段的ip均可以进行连接
将ssh服务从火墙策略中撤销,仅允许特定主机对其进行连接,再次实验
[root@server ~]# firewall-cmd --remove-service=ssh
success
[root@server ~]# firewall-cmd --list-all
public (default, active)interfaces: eth0 eth1sources: services: dhcpv6-client httpports: 5423/tcpmasquerade: yesforward-ports: icmp-blocks: rich rules: [root@server ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT
[root@client ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 172.25.4.205 netmask 255.255.255.0 broadcast 172.25.4.255inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)RX packets 1198 bytes 121348 (118.5 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 1222 bytes 101618 (99.2 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[root@client ~]# ssh root@172.25.4.105 ##其他主机去连接则失败
ssh: connect to host 172.25.4.105 port 22: No route to host
将设置的规则删除,则此规则内的主机无法连接此主机
[root@server ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.4.250 -j ACCEPT
success
[root@server ~]# firewall-cmd --direct --get-all-rules
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
ssh: connect to host 172.25.4.105 port 22: No route to host ##无法连接设置成功
设置除过某主机以外的所有主机均可以对此主机进行连接
[root@server ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 ! -s 172.25.4.250 -j ACCEPT
success
[root@server ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 22 '!' -s 172.25.4.250 -j ACCEPT
[kiosk@foundation4 ~]$ ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 172.25.4.250 netmask 255.255.255.0 broadcast 172.25.4.255inet6 fe80::cf0:6bff:fe75:a46e prefixlen 64 scopeid 0x20<link>ether b8:2a:72:ba:72:06 txqueuelen 1000 (Ethernet)RX packets 4953 bytes 552324 (539.3 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 7399 bytes 699516 (683.1 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[kiosk@foundation4 ~]$ ssh root@172.25.4.105 ##172.25.4.250主机连接此主机失败
ssh: connect to host 172.25.4.105 port 22: No route to host
[root@client ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 172.25.4.205 netmask 255.255.255.0 broadcast 172.25.4.255inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)RX packets 1302 bytes 132683 (129.5 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 1286 bytes 110499 (107.9 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[root@client ~]# ssh root@172.25.4.105 ##其他主机连接此主机成功
The authenticity of host '172.25.4.105 (172.25.4.105)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.4.105' (ECDSA) to the list of known hosts.
root@172.25.4.105's password:
Last login: Sun May 19 08:55:30 2019 from 172.25.4.250
三.火墙的管理–iptables
作用
可以对 filter 表 nat 表 中对应链上的规则进行查看 增加 修改 删除等操作
常用命令
iptables
-t ##指定表的名称
-n ##不做解析,默认在做解析
-L ##列出指定表格的策略
-A ##增加策略
-p ##网络协议
–dport ##端口
-s ##数据来源
-j ##动作
ACCEPT ##允许
REJECT ##拒绝
DROP ##丢弃
-N ##增加链
-E ##修改链名称
-X ##删除链
-D ##删除指定策略
-I ##插入
-R ##修改策略
-P ##修改默认策略
1.iptables的开启
[root@server ~]# systemctl unmask iptables.service ##解锁iptables服务
rm '/etc/systemd/system/iptables.service'
[root@server ~]# systemctl start iptables.service ##开启此服务
[root@server ~]# systemctl enable iptables.service ##开机自动启动
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@server ~]# systemctl status iptables.service ##此时状态为开启
iptables.service - IPv4 firewall with iptablesLoaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)Active: active (exited) since Sun 2019-05-19 11:50:36 EDT; 30s agoMain PID: 8756 (code=exited, status=0/SUCCESS)May 19 11:50:36 server.luck.com iptables.init[8756]: iptables: Applying firew...
May 19 11:50:36 server.luck.com systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@server ~]# systemctl status firewalld.service ##iptables服务开启后,firewalld服务自动关闭
firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)Active: inactive (dead) since Sun 2019-05-19 11:50:37 EDT; 38s agoMain PID: 2971 (code=exited, status=0/SUCCESS)May 19 07:34:17 server.luck.com systemd[1]: Starting firewalld - dynamic fir....
May 19 07:34:18 server.luck.com systemd[1]: Started firewalld - dynamic fire....
May 19 11:50:36 server.luck.com systemd[1]: Stopping firewalld - dynamic fir....
May 19 11:50:37 server.luck.com systemd[1]: Stopped firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.
2.查看规则以及保存规则
(1) iptables -t filter -L ##查看filter表的规则,-t 指定表-L查看规则
[root@server ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)
target prot opt source destination
(2) iptables -t filter -nL ##带地址解析查看表的规则 ,-n:带地址解析
[root@server ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)
target prot opt source destination
(3) iptables -t filter -F ##清除iptables表中的规则,-F:清除
[root@server ~]# iptables -t filter -F
[root@server ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(4)iptables的保存
1) iptables-save ##保存规则
[root@server ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sun May 19 12:05:46 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun May 19 12:05:46 2019
# Generated by iptables-save v1.4.21 on Sun May 19 12:05:46 2019
*filter
:INPUT ACCEPT [40:2780]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:2264]
COMMIT
# Completed on Sun May 19 12:05:46 2019
2) iptables-save > /iptables ##将保存的规则指定保存在某一文件中
[root@server ~]# iptables-save > /iptables
[root@server ~]# cat /iptables
# Generated by iptables-save v1.4.21 on Sun May 19 12:06:04 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun May 19 12:06:04 2019
# Generated by iptables-save v1.4.21 on Sun May 19 12:06:04 2019
*filter
:INPUT ACCEPT [69:4808]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:4048]
COMMIT
# Completed on Sun May 19 12:06:04 2019
3)service iptables save ##默认保存文件在/etc/sysconfig/iptables
[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
3.规则的设定(增加、删除、修改)
1)增加规则
[root@server ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT ##允许22端口访问
[root@server ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP ##对22端口访问不予回应
[root@server ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT ##拒绝22端口访问
注意:添加的规则按照先后顺序排列,当对同一个目标添加多条规则之后,按照最靠前的规则进行执行,后面的将会无效,以上三条中ACCEPT 生效
2)插入规则
[root@server ~]# iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT ##默认插入到第一条规则
[root@server ~]# iptables -t filter -I INPUT 3 -p tcp --dport 80 -j REJECT ##指定插入第3条规则
3)设置表中的链
[root@server ~]# iptables -N luck ##增加新的链luck
[root@server ~]# iptables -E luck LUCK ##更改链名称
[root@server ~]# iptables -X LUCK ##删除此链
[root@server ~]# iptables -P INPUT DROP ##修改默认链的状态为DROP
[root@server ~]# iptables -P INPUT ACCEPT ##修改默认链的状态为ACCEPT
注意:默认链状态只可以修改为DROP或ACCEPT,不可以修改为REJECT
4)删除及修改某一链中的规则
[root@server ~]# iptables -R INPUT 1 -p tcp --dport 80 -j DROP ##修改链中第一条规则ACCEPT为DROP
[root@server ~]# iptables -D INPUT 1 ##删除链中第一条规则
5)设置只允许特定的访问及已经访问过的可以再次访问
[root@server ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ##允许状态为之前访问过的以及正在访问的可以连接此主机
[root@server ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT ##允许访问本机回环接口的新连接访问
[root@server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT ##允许访问本机22端口的新链接
[root@server ~]# iptables -A INPUT -m state --state NEW -j REJECT ##其余访问均被拒绝
用新的访问去访问本机的80端口则会被拒绝
4.地址的伪装
实验环境:
客户主机ip:1.1.1.111/24 网关:1.1.1.105/24
路由器主机ip:172.25.4.105/24 1.1.1.105/24
目标主机ip:172.25.4.250
路由端的设置
[root@server ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.4.105 ##将经过路由之后输出到eth0的数据包ip转换为172.25.4.105
[root@server ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination Chain INPUT (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.4.105
客户端去连接目标主机成功,并且看到的ip为路由服务端主机的ip172.25.4.105
5.目的地地址的转换
[root@server ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT -p tcp --dport 22 --to-dest 1.1.1.111 ##将eth0进入本机的数据包在路由之前转发到ip为1.1.1.111的主机
[root@server ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:1.1.1.111Chain INPUT (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.4.105
目标主机去连接172.25.4.105,此时自动转到1.1.1.111的主机
[kiosk@foundation4 ~]$ ssh root@172.25.4.105
root@172.25.4.105's password:
Last login: Sun May 19 09:10:03 2019 from 172.25.4.250
[root@client ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 1.1.1.111 netmask 255.255.255.0 broadcast 1.1.1.255inet6 fe80::5054:ff:fe00:40b prefixlen 64 scopeid 0x20<link>ether 52:54:00:00:04:0b txqueuelen 1000 (Ethernet)RX packets 437 bytes 44085 (43.0 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 380 bytes 30460 (29.7 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 0 (Local Loopback)RX packets 784 bytes 65444 (63.9 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 784 bytes 65444 (63.9 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Linux--火墙管理相关推荐
- linux的火墙管理
文章目录 linux的火墙管理 1. firewalld 1.1 图形化管理 1.2命令管理 1.2.1 启用 firewalld 1.2.2 关闭 1.3 配置文件 1.4 使用命令行接口配置防火墙 ...
- Linux火墙策略的管理以及火墙的介绍
文章目录 前言 一.火墙介绍以及实验环境设定 1.火墙介绍 2.实验环境设定 3.火墙管理工具的切换 二.firewalld对火墙的管理方式以及设定 1.firewalld基础管理命令 2.火墙中的三 ...
- Linux中的火墙管理
火墙作用 将对系统有威胁的进程阻塞,Linux火墙主要分为firewall和iptables,默认火墙为firewall 火墙的默认策略 默认的五条链 input:输入 output:输出 forwa ...
- Windows内存管理和linux内存管理
windows内存管理 windows 内存管理方式主要分为:页式管理,段式管理,段页式管理. 页式管理的基本原理是将各进程的虚拟空间划分为若干个长度相等的页:页式管理把内存空间按照页的大小划分成片或 ...
- Linux包管理器apt/apt-get发现远程代码执行漏洞
研究人员Max Justicz日前发现了知名Linux包管理器apt/apt-get中的远程代码执行漏洞,该漏洞允许外部进行中间人攻击并获取root权限以执行任何代码.该漏洞已在最新版本apt修复,如 ...
- linux内核时钟管理,Linux时钟管理透彻分析
Linux时钟管理透彻分析.硬件资源越来越庞大和复杂,内核的另一个挑战就是要便捷的管理这些资源.同时,面对如此之多的平台不同的CPU,管理机制需要统一适用,这就需要对资源的管理抽象到更加通用的层次.C ...
- Linux进程管理 (7)实时调度
关键词:RT.preempt_count.RT patch. 除了CFS调度器之外,还包括重要的实时调度器,有两种RR和FIFO调度策略.本章只是一个简单的介绍. 更详细的介绍参考<Linux进 ...
- 万字长文,别再说你不懂Linux内存管理了(合辑),30 张图给你安排的明明白白...
之前写了两篇详细分析 Linux 内存管理的文章,读者好评如潮.但由于是分开两篇来写,而这两篇内容其实是有很强关联的,有读者反馈没有看到另一篇读起来不够不连贯,为方便阅读这次特意把两篇整合在一起,看这 ...
- 别再说你不懂Linux内存管理了,10张图给你安排的明明白白!
来自:后端技术学堂 过去的一周有点魔幻,有印象的有三个新闻:天猫总裁绯闻事件,蘑菇街裁员,不可能打工的周某也放出来了.三件事,两件和互联网行业相关,好像外面的世界很是精彩啊!吃瓜归吃瓜,学习还是不能落 ...
- linux磁盘管理命令 lv,Linux磁盘管理--LVM原理及基本操作
LVM(Logical Volume Manager)逻辑卷管理是Linux磁盘管理中的常用操作, 本文主要描述LVM的基本原理以及对LVM的扩展和缩减的基本操作. LVM实质是过软件方式将多个物理分 ...
最新文章
- java设计模式-适配器模式
- 基础搭建Hadoop大数据处理-编程
- 利用系统提供的崩溃日志解Native层Bug
- Python functool module
- 网络***检查分析---破解安全隐患问题回答
- Oracle 中data与timstamp互转
- jstring转换到C语言所用的char
- 用 Graphviz+pvtrace 可视化函数调用
- POJ 1472 Instant Complexity
- 常见的图结构表示(python)
- wpsa3版面怎么变成a4、排版不变_wpsa4变a3排版打印
- cm-14.1 Android系统启动过程分析(二)-Zygote进程启动过程
- 【托福词汇句子语法】100个句子记完7000托福单词
- 使用EndNote对Word论文的参考文献进行管理
- 明略科技吴明辉:每一次新数据都会带来商业模式的迭代
- Ubuntu下与openvpx相关的目录和文件
- IP协议/地址(IPv4IPv6)概要
- 【如何学习CAN总线测试】——Python+Robot Framework框架实现UDS诊断自动化
- 林业调查规划设计资质怎么办理?
- C++关于float和double的有效位数