Linux Firewalls
Tags (space-separated): linux learning-notes
1. Firewall software
Linux has two commonly used firewall front-ends: CentOS 7 and later use firewalld by default, CentOS 6 and earlier use the iptables service. Both program the same kernel packet filter (netfilter), and on CentOS 7 firewalld itself generates iptables rules, so the two must not manage the rule tables at the same time. This article covers the use of both.
2. The firewalld firewall
- Start the firewall:
systemctl start firewalld
- Stop the firewall:
systemctl stop firewalld
- Check firewall status:
systemctl status firewalld
firewall-cmd --state
- Enable at boot:
systemctl enable firewalld
- Disable at boot:
systemctl disable firewalld
- Reload the firewall (re-reads the saved configuration without restarting the service or dropping established connections):
firewall-cmd --reload
- Open a port (with --permanent the change goes into the saved configuration only; it takes effect after firewall-cmd --reload, or immediately if the same command is also run without --permanent):
firewall-cmd --zone=public --add-port=8080/tcp --permanent
- List open ports:
firewall-cmd --list-ports
- Close a port:
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
### Open the port
[aaa@qq.com ~]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success
### Listing ports shows nothing: a --permanent change lands in the saved configuration, not the running one, until the firewall is reloaded
[aaa@qq.com ~]# firewall-cmd --list-ports
### Restart the firewall (firewall-cmd --reload does the same without restarting the service)
[aaa@qq.com ~]# systemctl restart firewalld
### Check the firewall's open ports
[aaa@qq.com ~]# firewall-cmd --list-ports
8080/tcp
### Close the port
[aaa@qq.com ~]# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
### Restart the firewall
[aaa@qq.com ~]# systemctl restart firewalld
[aaa@qq.com ~]# firewall-cmd --list-ports
### A port change made with --permanent takes effect only after a reload or restart
firewall-cmd: the command-line client of firewalld (it talks to the firewalld daemon; it is not a generic Linux firewall tool);
--permanent: write the change to the saved configuration under /etc/firewalld so it survives reloads and reboots (without it the change is runtime-only and is lost on the next reload);
--add-port: the port/protocol to open;
--zone=public: the zone to modify. The rule only has an effect if the interface actually belongs to that zone; check with firewall-cmd --get-active-zones.
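The runtime/permanent split above is where most firewalld mistakes come from: a port added only with --permanent is not open yet, and a port added only at runtime silently closes on the next reload. The following script, added here as an example and not part of the article, opens and closes a port in both configurations and reports when the two have drifted apart. FW (the firewall-cmd binary, overridable so the logic can be exercised against a stub) and ZONE are assumptions.

```shell
#!/bin/sh
# Added example: apply a port change to firewalld's runtime AND permanent
# configuration, then detect runtime/permanent drift.
#
# --permanent alone writes to /etc/firewalld and is not applied until
# `firewall-cmd --reload`; no --permanent applies at once but is lost on
# reload. Doing both avoids the "--list-ports shows nothing" surprise and
# its opposite, a port that quietly closes after the next reload.
#
# Assumptions: FW names the firewall-cmd binary (overridable for testing),
# ZONE is the zone the interface is in (see `firewall-cmd --get-active-zones`).
FW="${FW:-firewall-cmd}"
ZONE="${ZONE:-public}"

# open_port 8080/tcp  -> runtime + permanent; non-zero exit if either fails
open_port() {
    "$FW" --zone="$ZONE" --add-port="$1" >/dev/null || return 1
    "$FW" --zone="$ZONE" --add-port="$1" --permanent >/dev/null || return 1
}

# close_port 8080/tcp -> removes the port from both configurations
close_port() {
    "$FW" --zone="$ZONE" --remove-port="$1" >/dev/null || return 1
    "$FW" --zone="$ZONE" --remove-port="$1" --permanent >/dev/null || return 1
}

# Zone's port list as a sorted, newline-separated string.
# $1 is "" for the runtime set or "--permanent" for the saved set.
port_set() {
    # $1 is intentionally unquoted: it is either empty or exactly one flag
    "$FW" --zone="$ZONE" --list-ports $1 | tr ' ' '\n' | sed '/^$/d' | sort
}

# Prints 0 when runtime and permanent port lists agree, 1 when they differ
# (both lists go to stderr). A 1 means the firewall will behave differently
# after the next reload than it does now: either a --permanent-only edit
# never went live, or something opened a port at runtime without saving it.
port_drift() {
    runtime=$(port_set "")
    saved=$(port_set --permanent)
    if [ "$runtime" = "$saved" ]; then
        echo 0
    else
        printf 'runtime:   %s\npermanent: %s\n' \
            "$(echo "$runtime" | tr '\n' ' ')" \
            "$(echo "$saved" | tr '\n' ' ')" >&2
        echo 1
    fi
}
```

Run port_drift from cron or a monitoring item on every firewalld host; a persistent 1 is either an unfinished change or a hole someone punched with a runtime-only --add-port.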
3. The iptables firewall
- Installation
CentOS 7 and later ship the iptables binary (firewalld itself uses it), but not the iptables-services package that provides the iptables.service unit and /etc/sysconfig/iptables, so that part has to be installed by hand.
-
Stop and disable firewalld before installing, so the two do not manage the same rule tables at once (systemctl mask firewalld additionally prevents it from being started again by accident):
systemctl stop firewalld
systemctl disable firewalld
-
Install iptables:
yum install iptables
-
Install iptables-services:
yum install iptables-services
-
Start the firewall:
[aaa@qq.com ~]# systemctl start iptables.service
[aaa@qq.com ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Wed 2019-08-07 03:54:45 EDT; 17s ago
Process: 20945 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 20945 (code=exited, status=0/SUCCESS)
Aug 07 03:54:45 iptables1 systemd[1]: Starting IPv4 firewall with iptables...
Aug 07 03:54:45 iptables1 iptables.init[20945]: iptables: Applying firewall rules: [ OK ]
Aug 07 03:54:45 iptables1 systemd[1]: Started IPv4 firewall with iptables.
- Stop the firewall:
systemctl stop iptables.service
- Check firewall status:
systemctl status iptables.service
- Enable at boot:
systemctl enable iptables.service
- Disable at boot:
systemctl disable iptables.service
- List the rules of the filter table's chains (the INPUT chain shows which ports are open):
iptables -L -n
[aaa@qq.com ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
### Without -t, iptables shows the filter table. Here all three chains have policy ACCEPT and no rules, so everything is let through.
- List the NAT table's chain rules:
iptables -t nat -L -n
[aaa@qq.com ~]# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 10 packets, 1066 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ens34 * 0.0.0.0/0 192.168.65.5 tcp dpt:80 to:192.168.43.3:80
Chain INPUT (policy ACCEPT 2 packets, 458 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 20 packets, 1520 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * ens34 192.168.43.0/24 0.0.0.0/0 to:192.168.65.5
- Flush all firewall rules (the chain policies stay as they are):
iptables -F
iptables -X
iptables -Z
### -F flushes the rules, -X deletes empty user-defined chains, -Z zeroes the counters. All three act on the filter table only unless -t nat (etc.) is given, which is why the NAT rules are still present in the iptables-save output further down. Do not run this over SSH on a host whose INPUT policy is DROP: once the rules are gone the policy locks you out.
- Add a rule to the INPUT chain (open port 8080):
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
### -I inserts at the top of the chain, so the rule is evaluated before the final REJECT; -A would append it after the REJECT, where it never matches.
- Find the line number of a rule:
iptables -L INPUT --line-numbers -n
[aaa@qq.com ~]# iptables -t nat -L PREROUTING --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 192.168.65.5 tcp dpt:80 to:192.168.43.3:80
- Delete a rule by line number (close port 8080):
iptables -D INPUT 1
### Line numbers shift after every deletion, so list the chain again before deleting another rule; deleting by rule specification (iptables -D INPUT -p tcp --dport 8080 -j ACCEPT) avoids the problem.
### 1. Address translation
SNAT (source address translation): rewrite the source of packets leaving ens34 from the internal 192.168.43.0/24 network to the external address 192.168.65.5
iptables -t nat -A POSTROUTING -s 192.168.43.0/24 -o ens34 -j SNAT --to-source 192.168.65.5
DNAT (destination address translation): forward TCP port 80 arriving on ens34 for 192.168.65.5 to the internal host 192.168.43.3
iptables -t nat -A PREROUTING -i ens34 -d 192.168.65.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.43.3:80
### NAT rules by themselves move no packets: the kernel must be allowed to route them (net.ipv4.ip_forward = 1 via sysctl) and the filter table's FORWARD chain must accept them. The default /etc/sysconfig/iptables shipped with iptables-services ends FORWARD with a REJECT, so these two rules do nothing until FORWARD is opened for the translated traffic.
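Below, as an added example that is not part of the article, is a complete /etc/sysconfig/iptables in iptables-save format that puts the two NAT rules above together with the filter rules they need. The addresses and the interface name are the article's; the FORWARD rules, and keeping the default SSH-only INPUT chain, are additions. It assumes net.ipv4.ip_forward = 1 has been set (in /etc/sysctl.conf, applied with sysctl -p).

```text
# /etc/sysconfig/iptables (constructed example): DNAT/SNAT plus the filter
# rules that let the translated traffic through. Lines starting with '#'
# are ignored by iptables-restore.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the internal web server 192.168.43.3 on the external address
-A PREROUTING -d 192.168.65.5/32 -i ens34 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.43.3:80
# Hide the internal subnet behind the external address when it goes out
-A POSTROUTING -s 192.168.43.0/24 -o ens34 -j SNAT --to-source 192.168.65.5
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Host itself: replies, ping, loopback and SSH only (the package default)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Routed traffic. FORWARD sees packets AFTER PREROUTING DNAT, so the
# published service is matched on its internal address, not 192.168.65.5.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens34 -d 192.168.43.3/32 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o ens34 -m state --state NEW -j ACCEPT
# Everything else that is not part of those flows is refused
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Load it with iptables-restore < /etc/sysconfig/iptables or systemctl restart iptables.service, then confirm with iptables -t nat -L -vn and iptables -L FORWARD -vn that the counters on the two FORWARD accept rules move when a client connects; if only the DNAT counter increments, forwarding is still disabled in sysctl.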
### 2. Backing up the firewall policy
Default configuration of a freshly installed firewall:
[aaa@qq.com ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
### When the service is stopped and started again, the rules in /etc/sysconfig/iptables are loaded; rules added only with the iptables command are not in that file and are lost.
Once the firewall is configured, save it with the following command (service iptables save does the same thing):
[aaa@qq.com ~]# iptables-save > /etc/sysconfig/iptables
[aaa@qq.com ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Aug 12 10:09:26 2019
*nat
:PREROUTING ACCEPT [4:304]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [10:744]
-A PREROUTING -d 192.168.65.5/32 -i ens34 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.43.3:80
-A POSTROUTING -s 192.168.43.0/24 -o ens34 -j SNAT --to-source 192.168.65.5
COMMIT
# Completed on Mon Aug 12 10:09:26 2019
# Generated by iptables-save v1.4.21 on Mon Aug 12 10:09:26 2019
*filter
:INPUT ACCEPT [312:21002]
:FORWARD ACCEPT [28:2172]
:OUTPUT ACCEPT [206:20756]
COMMIT
# Completed on Mon Aug 12 10:09:26 2019
### Note that the filter section saved above contains no rules at all and has ACCEPT policies on every chain: this is the state after the iptables -F earlier, so restarting the service from this file leaves the host wide open. Check iptables -L -n before saving.
A cron job can also copy the rule set to a file in a fixed directory at intervals, so that the current rules can be compared with what was configured earlier and unauthorised changes noticed. Keep that copy in a directory only root can write to; /tmp, used below, is world-writable and is cleaned periodically by systemd-tmpfiles. Backup and check:
[aaa@qq.com ~]# crontab -e
crontab: installing new crontab
[aaa@qq.com ~]# crontab -l
0 0 * * * /usr/sbin/iptables-save > /tmp/iptables.bak
[aaa@qq.com ~]# md5sum /tmp/iptables.bak
d41d8cd98f00b204e9800998ecf8427e /tmp/iptables.bak
### d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file: at that point the backup contained no rules (the cron job had not run yet, for instance). Always check that the file is non-empty before trusting a digest of it.
In practice a monitoring script is written to watch for changes in the firewall rules and hooked into zabbix as a custom item, printing 1 if the rules changed and 0 if not. A naive digest of raw iptables-save output is useless for that: the "# Generated by ... on <date>" header carries a timestamp, and the chain lines carry packet and byte counters ([312:21002] above) that change with every dump, so the script has to strip those before hashing.
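The following script, added here as an example and not the article's own, is a working version of that monitor: it normalises iptables-save output by removing the timestamp comments and counters, hashes what is left, and prints 1 or 0 for zabbix. The two sample dumps are constructed to mirror the saved file above; the function names are this example's.

```shell
#!/bin/sh
# Added example: detect changes to the iptables rule set, printing 1 if the
# effective rules differ from a baseline and 0 if not (zabbix convention).
#
# Raw `iptables-save | md5sum` differs on every run even when nothing changed:
# the "# Generated by ... on <date>" header carries a timestamp and the chain
# lines carry counters (":INPUT ACCEPT [312:21002]"). normalize_rules strips
# both so only the rules themselves are hashed.

# stdin: iptables-save output; stdout: the same with volatile fields removed
normalize_rules() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*]$/\1 [0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*] //'
    # the last expression also handles `iptables-save -c`, which prefixes
    # every rule with its own [pkts:bytes] counter
}

# stdin: iptables-save output; stdout: SHA-256 of the normalised rules
rules_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        normalize_rules | sha256sum | cut -d' ' -f1
    else
        normalize_rules | shasum -a 256 | cut -d' ' -f1
    fi
}

# rules_changed "<baseline dump>" "<current dump>" -> prints 1 or 0
rules_changed() {
    a=$(printf '%s\n' "$1" | rules_digest)
    b=$(printf '%s\n' "$2" | rules_digest)
    [ "$a" = "$b" ] && echo 0 || echo 1
}

# --- constructed sample dumps (not real captures) -------------------------
BASELINE='# Generated by iptables-save v1.4.21 on Mon Aug 12 10:09:26 2019
*filter
:INPUT ACCEPT [312:21002]
:FORWARD ACCEPT [28:2172]
:OUTPUT ACCEPT [206:20756]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Aug 12 10:09:26 2019'

# Same rules a day later: only the timestamp and the counters moved.
LATER_SAME='# Generated by iptables-save v1.4.21 on Tue Aug 13 00:00:01 2019
*filter
:INPUT ACCEPT [98765:5432100]
:FORWARD ACCEPT [300:24000]
:OUTPUT ACCEPT [7000:900000]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 13 00:00:01 2019'

# Someone opened 8080 with `iptables -I INPUT ...` and told nobody.
LATER_DRIFT='# Generated by iptables-save v1.4.21 on Tue Aug 13 00:00:01 2019
*filter
:INPUT ACCEPT [98765:5432100]
:FORWARD ACCEPT [300:24000]
:OUTPUT ACCEPT [7000:900000]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 13 00:00:01 2019'

rules_changed "$BASELINE" "$LATER_SAME"    # 0: nothing but counters moved
rules_changed "$BASELINE" "$LATER_DRIFT"   # 1: an extra ACCEPT appeared
```

On a real host the zabbix UserParameter would call rules_changed "$(cat /etc/sysconfig/iptables)" "$(iptables-save)", comparing the running rules with the saved, reviewed policy rather than with yesterday's copy of whatever happened to be loaded.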
[aaa@qq.com ~]# iptables-restore < /etc/sysconfig/iptables
### Restore the firewall from the saved file; restarting the iptables service does the same thing.