Table of contents
I. Firewalls
1. Firewall introduction
1. netfilter
2. iptables
3. iptables | firewalld
2. Switching between firewall management tools
In RHEL 8 the default firewall management tool is firewalld.

firewalld -----> iptables
```sh
dnf install iptables-services -y
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld          ## masked, so it cannot be started by accident or by a dependency
systemctl enable --now iptables
```

iptables -----> firewalld
```sh
dnf install firewalld -y
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
## if firewalld was masked in the step above, it must be unmasked (systemctl unmask firewalld) before it can start
systemctl enable --now firewalld
```
3. Using iptables

# Saving firewall policy permanently #
/etc/sysconfig/iptables   ## file in which the iptables policy is recorded and restored from on service start
Save the policy permanently:
```sh
iptables-save > /etc/sysconfig/iptables
service iptables save
```
4. Default firewall policy

The 5 chains of the default policy | Meaning |
---|---|
INPUT | incoming packets |
OUTPUT | outgoing packets |
FORWARD | forwarded packets |
POSTROUTING | after routing |
PREROUTING | before routing |

The 3 default tables | Meaning |
---|---|
filter | data that passes through the local kernel (INPUT, OUTPUT, FORWARD) |
nat | data that does not pass through the local kernel (POSTROUTING, PREROUTING, INPUT, OUTPUT) |
mangle | used when filter and nat are not enough (INPUT, OUTPUT, POSTROUTING, PREROUTING) |

iptables option | Meaning |
---|---|
-t | specify the table name |
-n | do not resolve names (numeric output) |
-L | list rules |
-A | append a rule |
-p | protocol |
--dport | destination port |
-s | source address |
-j | action: ACCEPT (allow); DROP (discard silently); REJECT (refuse with an error reply) |
SNAT | source address translation |
DNAT | destination address translation |
-N | create a new chain |
-E | rename a chain |
-X | delete a chain |
-D | delete a rule |
-I | insert a rule |
-R | replace a rule |
-P | change the default policy of a chain |

Packet state | Meaning |
---|---|
RELATED | related to a connection that has already been established |
ESTABLISHED | an existing, active connection |
NEW | a new connection |
```sh
dnf install iptables-services.x86_64 -y
systemctl enable --now iptables.service
iptables -nL                      ## list the filter table without name resolution
iptables -t nat -nL
iptables -t filter -L
iptables -t nat -L
iptables -t mangle -L
iptables -F                       ## flush all rules
iptables -nL
systemctl restart iptables.service
iptables -nL                      ## the saved rules are back: a flush that is not saved does not survive a restart
iptables -F                       ## flush, then save
service iptables save
systemctl restart iptables.service
iptables -nL
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -nL
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    ## appended after the REJECT, so it is never reached
iptables -nL
ifconfig enp1s0
iptables -D INPUT 3               ## delete rule number 3 of INPUT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT    ## insert at a given position (the top, when no number is given)
iptables -nL
iptables -D INPUT 1
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT  ## insert at position 2
iptables -nL
iptables -R INPUT 2 -s 172.25.254.103 -p tcp --dport 22 -j ACCEPT    ## replace rule 2: only 172.25.254.103 may access
iptables -nL
iptables -N westos                ## create a chain
iptables -nL
iptables -E westos REDHAT         ## rename the chain
iptables -nL
iptables -X REDHAT                ## delete the chain
iptables -nL
iptables -R INPUT 2 ! -s 172.25.254.103 -p tcp --dport 22 -j ACCEPT  ## replace rule 2: everyone except 172.25.254.103 may access
iptables -nL
iptables -F
iptables -nL
iptables -P INPUT DROP            ## change the default policy to DROP (discard)
iptables -nL
iptables -P INPUT ACCEPT
iptables -nL
iptables -F                       ## flush: all rules are gone
service iptables save             ## save after the flush, otherwise a restart brings the old rules back
iptables -nL
systemctl restart iptables.service
iptables -nL
```
Note: rules are read from top to bottom. Once the reject-all rule is matched, the ACCEPT rules below it no longer take effect: ping fails, but ssh can still connect.

% Procedure
Allow http, dns and ssh access:
```
[root@node2 ~]# netstat -antlupe | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 27721 967/sshd
tcp6 0 0 :::22 :::* LISTEN 0 27729 967/sshd
[root@node2 ~]# netstat -antlupe | grep httpd
tcp6 0 0 :::80 :::* LISTEN 0 29899 1183/httpd
[root@node2 ~]# netstat -antlupe | grep dns
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 0 33831 1874/dnsmasq
udp 0 0 192.168.122.1:53 0.0.0.0:* 0 33830 1874/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 33827 1874/dnsmasq
[root@node2 ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@node2 ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
[root@node2 ~]# iptables -A INPUT -t tcp --dport 53 -m state --state NEW -j ACCEPT
iptables v1.8.4 (nf_tables): table 'tcp' does not exist
Perhaps iptables or your kernel needs to be upgraded.
[root@node2 ~]# iptables -A INPUT -t tcp --dport 22 -m state --state NEW -j ACCEPT
iptables v1.8.4 (nf_tables): table 'tcp' does not exist
Perhaps iptables or your kernel needs to be upgraded.
[root@node2 ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[root@node2 ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
[root@node2 ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -j REJECT
[root@node2 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@node2 ~]# service iptables save
```
% Procedure complete
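The stateful policy just built, together with the top-to-bottom matching rule noted above, as an added example that is not part of the original post: a POSIX shell script that generates the same policy in the iptables-restore format that `service iptables save` writes to /etc/sysconfig/iptables, plus a heuristic check that flags ACCEPT rules shadowed by an earlier catch-all REJECT/DROP (the mistake the post hit when it appended the port 22 rule after `-A INPUT -j REJECT`). The function names and the port list are my own choices; nothing here touches the running firewall.

```sh
#!/bin/sh
# Added example (not from the original post). Generates an iptables-restore
# ruleset for the policy above (accept RELATED/ESTABLISHED, accept loopback,
# accept NEW on the listed TCP ports, reject everything else) and checks a
# ruleset file for ACCEPT rules that sit below a catch-all REJECT/DROP.

# Print a complete filter-table ruleset for the given TCP ports.
# Returns 1 (with a message on stderr) if an argument is not a port number.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -m state --state NEW -j ACCEPT'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
            || { echo "gen_ruleset: bad port '$port'" >&2; return 1; }
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # the catch-all goes last, after every ACCEPT, as in the post
    echo '-A INPUT -m state --state NEW -j REJECT'
    echo 'COMMIT'
}

# Heuristic order check on a ruleset file: a REJECT/DROP rule in INPUT with
# no protocol, port, address or interface match is treated as a catch-all,
# and any ACCEPT after it (other than one for ESTABLISHED traffic) is
# reported as unreachable. Returns 0 when nothing is shadowed, 1 otherwise.
check_rule_order() {
    awk '
        /^-A INPUT / && /-j (REJECT|DROP)/ && !/(-p |--dport|-s |-d |-i )/ { blocked = 1; next }
        /^-A INPUT / && /-j ACCEPT/ && !/ESTABLISHED/ && blocked {
            print "unreachable rule: " $0; bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}
```

To apply it the way the post does, write the output to /etc/sysconfig/iptables and restart the iptables service; run `check_rule_order` on that file first, since a shadowed ACCEPT only shows up as a service that silently stops answering.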
II. firewalld

1. Enabling firewalld
```sh
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl unmask firewalld
systemctl enable --now firewalld
```
2. firewalld zones

trusted ## accepts all network connections
home ## home network; allows ssh, mdns, ipp-client, samba-client, dhcp-client
work ## work network; ssh, ipp-client, dhcp-client
public ## public network; ssh, dhcp-client
dmz ## demilitarized-zone network; ssh
block ## rejects everything
drop ## drops everything: all data is discarded without any reply
internal ## internal network; ssh, mdns, ipp-client, samba-client, dhcp-client
external ## IPv4 network address masquerading and forwarding; sshd

3. How firewalld is configured and where its data is stored

/etc/firewalld ## firewall configuration directory
/lib/firewalld ## firewall module directory
4. firewalld management commands
```sh
systemctl disable --now iptables.service
systemctl mask iptables
systemctl unmask firewalld
systemctl enable --now firewalld
firewall-cmd --state                         ## show the firewall state
firewall-cmd --get-active-zones              ## show the zones currently in effect
firewall-cmd --get-default-zone              ## show the default zone
firewall-cmd --list-all                      ## show the policy of the default zone
firewall-cmd --list-all --zone=work          ## show the policy of a specified zone
firewall-cmd --list-all --zone=block
firewall-cmd --list-all --zone=trusted
cd /etc/firewalld/zones/
ls
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=block        ## set the default zone
firewall-cmd --get-default-zone
cd ..
ls
vim firewalld.conf                           ## the default zone is recorded here (DefaultZone=)
systemctl restart firewalld.service
firewall-cmd --get-default-zone
firewall-cmd --get-services                  ## list all services that can be configured
cd /lib/firewalld/services/
ls
touch westos.xml
cat http.xml > westos.xml                    ## start the custom service from the http definition
vim westos.xml
systemctl restart firewalld.service
firewall-cmd --get-services
firewall-cmd --get-services | grep westos
firewall-cmd --list-all
vim /etc/firewalld/zones/public.xml
dnf install httpd -y
firewall-cmd --permanent --add-service=http  ## the firewalld service is named http, not httpd
vim /etc/firewalld/zones/public.xml
firewall-cmd --permanent --add-source=172.25.254.3 --zone=trusted    ## traffic from this source is handled by the trusted zone
firewall-cmd --reload                                                 ## --permanent changes take effect after a reload
firewall-cmd --permanent --remove-source=172.25.254.3 --zone=trusted ## remove the source from the specified zone
firewall-cmd --permanent --remove-interface=enp1s0 --zone=public     ## remove the network interface from the specified zone
firewall-cmd --permanent --add-interface=enp1s0 --zone=trusted       ## add the network interface to the specified zone
firewall-cmd --permanent --change-interface=enp1s0 --zone=trusted    ## change = remove + add
firewall-cmd --permanent --change-interface=enp1s0 --zone=public     ## move the network interface to the specified zone
firewall-cmd --list-all
```
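The custom-service step above (copying http.xml to westos.xml and editing it) as an added example that is not part of the original post: a POSIX shell script that writes a firewalld service definition from a short name, a description and a list of PORT/PROTO entries. It places the file under /etc/firewalld/services, the administrator's override directory, rather than /lib/firewalld/services, whose files belong to the firewalld package and are replaced on update. The FIREWALLD_ETC variable is an assumption of mine so the functions can be exercised in a scratch directory; the function names and the westos values are also my own.

```sh
#!/bin/sh
# Added example (not from the original post): build and install a custom
# firewalld service definition. FIREWALLD_ETC (assumed, defaults to
# /etc/firewalld) lets the functions run against a temporary directory.

# Escape the characters that are special in XML text.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Usage: make_service_xml SHORT DESCRIPTION PORT/PROTO...
# Prints the service XML; returns 1 on a malformed PORT/PROTO entry
# (the port must be 1-65535 and the protocol tcp or udp).
make_service_xml() {
    short=$1; desc=$2; shift 2
    [ $# -ge 1 ] || { echo "make_service_xml: at least one PORT/PROTO required" >&2; return 1; }
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec##*/}
        case "$proto" in tcp|udp) ;; *) echo "make_service_xml: bad protocol in '$spec'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "make_service_xml: bad port in '$spec'" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
            || { echo "make_service_xml: bad port in '$spec'" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# Usage: install_service NAME SHORT DESCRIPTION PORT/PROTO...
# Writes NAME.xml into the override directory and prints its path.
# The name is restricted to the characters firewalld accepts in a file name.
install_service() {
    name=$1; shift
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "install_service: bad name '$name'" >&2; return 1 ;; esac
    dir=${FIREWALLD_ETC:-/etc/firewalld}/services
    mkdir -p "$dir"
    make_service_xml "$@" > "$dir/$name.xml" || { rm -f "$dir/$name.xml"; return 1; }
    chmod 0644 "$dir/$name.xml"
    echo "$dir/$name.xml"
}
```

After `install_service westos "westos web" "custom web application" 8080/tcp`, a `firewall-cmd --reload` (rather than a service restart) is enough for `firewall-cmd --get-services | grep westos` to list it, and the service can then be added to a zone with `--permanent --add-service=westos`. firewall-cmd can also import such a file directly with `--permanent --new-service-from-file=FILE --name=NAME`.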
5. firewalld direct (advanced) rules and NAT in firewalld

% On node2
```
[root@node2 ~]# firewall-cmd --permanent --direct --get-all-rules
[root@node2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.3 -p tcp --dport 22 -j REJECT
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter INPUT 1 -s 172.25.254.3 -p tcp --dport 22 -j REJECT
```
% Now an ssh from host 172.25.254.3 to 172.25.254.203 is rejected.
% DNAT: whoever sshes to 172.25.254.203 is redirected to 1.1.1.103.
```
[root@node2 ~]# firewall-cmd --permanent --direct --get-all-rules
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --permanent --direct --get-all-rules
[root@node2 ~]# firewall-cmd --permanent --add-forward-port=22:proto=tcp:toaddr=1.1.1.103:toport=22
Error: INVALID_FORWARD: invalid forward port arg '22:proto'
[root@node2 ~]# firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toaddr=1.1.1.103:toport=22
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0 enp8s0
sources:
services: cockpit dhcpv6-client dns http mountd nfs rpc-bind samba ssh
ports:
protocols:
masquerade: no
forward-ports: port=22:proto=tcp:toport=22:toaddr=1.1.1.103
source-ports:
icmp-blocks:
rich rules:
```
% Test from the physical host
```
[root@westos_student3 ~]# ssh [email protected]
[email protected]'s password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Sun Dec 6 15:25:45 2020 from 172.25.254.3
[root@node1 ~]# ifconfig   # the IP is 1.1.1.103
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.103 netmask 255.255.255.0 broadcast 1.1.1.255
inet6 fe80::5054:ff:fe07:3882 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:07:38:82 txqueuelen 1000 (Ethernet)
RX packets 6996 bytes 623662 (609.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 312 bytes 41318 (40.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
% SNAT on node2: afterwards, 1.1.1.103 (reached through the host) is able to ping 172.25.254.3
```
[root@node2 ~]# firewall-cmd --permanent --add-masquerade
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0 enp8s0
sources:
services: cockpit dhcpv6-client dns http mountd nfs rpc-bind samba ssh
ports:
protocols:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=1.1.1.103
source-ports:
icmp-blocks:
rich rules:
```
% Test from 1.1.1.103, reached through the physical host
```
[root@node1 ~]# ping 172.25.254.3   # ping succeeds
```
Test:
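The DNAT and SNAT steps above as an added example that is not part of the original post: a POSIX shell script that builds the forward-port argument in the `port=...:proto=...:toport=...:toaddr=...` form firewalld expects (the first attempt above failed with INVALID_FORWARD because the `port=` key was missing), and applies the forward-port and masquerade settings idempotently by querying before adding, so re-running it neither errors nor duplicates anything. The `fw` wrapper, the DRY_RUN variable and the function names are my own; the `--query-forward-port`, `--query-masquerade`, `--add-forward-port`, `--add-masquerade` and `--reload` options are real firewall-cmd options.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent DNAT + masquerade
# setup with firewall-cmd. DRY_RUN=1 prints the calls instead of running them.

# Wrapper around firewall-cmd. In dry-run mode it echoes the call and reports
# every --query-* as "not present" so that the add steps are shown.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
        case "$*" in *--query-*) return 1 ;; esac
        return 0
    fi
    firewall-cmd "$@"
}

# Usage: forward_port_arg PORT PROTO TOADDR [TOPORT]
# Prints the forward-port argument; returns 1 on bad input. TOPORT defaults
# to PORT. The address check is a simple IPv4 digits-and-dots test.
forward_port_arg() {
    port=$1 proto=$2 toaddr=$3 toport=${4:-$1}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "forward_port_arg: bad protocol '$proto'" >&2; return 1 ;; esac
    for p in "$port" "$toport"; do
        case "$p" in ''|*[!0-9]*) echo "forward_port_arg: bad port '$p'" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] \
            || { echo "forward_port_arg: bad port '$p'" >&2; return 1; }
    done
    case "$toaddr" in ''|*[!0-9.]*) echo "forward_port_arg: bad IPv4 address '$toaddr'" >&2; return 1 ;; esac
    echo "port=$port:proto=$proto:toport=$toport:toaddr=$toaddr"
}

# Usage: apply_dnat_masq ZONE PORT PROTO TOADDR [TOPORT]
# Adds the forward-port (DNAT) and masquerade (SNAT) to ZONE permanently,
# skipping whatever is already present, then reloads so the change is live.
apply_dnat_masq() {
    zone=$1
    arg=$(forward_port_arg "$2" "$3" "$4" "$5") || return 1
    fw --permanent --zone="$zone" --query-forward-port="$arg" >/dev/null 2>&1 \
        || fw --permanent --zone="$zone" --add-forward-port="$arg" || return 1
    fw --permanent --zone="$zone" --query-masquerade >/dev/null 2>&1 \
        || fw --permanent --zone="$zone" --add-masquerade || return 1
    fw --reload
}
```

Running `DRY_RUN=1 apply_dnat_masq public 22 tcp 1.1.1.103` prints the three firewall-cmd calls that reproduce the state shown in `firewall-cmd --list-all` above. Forwarding the firewall's own port 22 means every administrator who sshes to node2 now lands on node1, as the session above shows; forwarding a dedicated port (for example `apply_dnat_masq public 2222 tcp 1.1.1.103 22`) keeps the firewall host itself reachable.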