An introduction to firewalld and iptables
This article gives an overview of firewalld and iptables on CentOS 7.
1 firewalld
1.1 What it is
The following is the description of firewalld from the Red Hat documentation (the article refers to the daemon simply as "firewall"; firewalld is meant throughout).
A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through.
firewalld is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.
firewalld uses the concepts of zones and services, that simplify the traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.
Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.
1.2 Firewall stack
(The Red Hat figure of the firewall stack is not reproduced here. It shows firewall-cmd, firewall-config and other D-Bus clients at the top; the firewalld daemon and the iptables service side by side in the middle, both driving the iptables, ip6tables and ebtables command-line tools; and netfilter in the kernel at the bottom.)
1.3 Common usage
1. The systemctl command starts and stops firewalld and switches its start-at-boot on or off; the command takes the form:
systemctl start/stop/enable/disable firewalld
Whether the daemon is actually running can be confirmed with firewall-cmd --state.
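The zone and service concepts described in 1.1 are persisted by firewalld as small XML files: zones in /etc/firewalld/zones/*.xml (administrator overrides) and /usr/lib/firewalld/zones/*.xml (defaults), service definitions in the matching services/ directories. The script below is an added example, not code from the article or from the firewalld project: it builds constructed sample files in that format in a temporary directory, then reads them back to list what a zone opens, flag a zone whose target accepts everything, and answer "would zone Z accept port P/proto?" without root and without the daemon running. The sample zone contents, the service definitions and the 8443/tcp port are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the original article: read firewalld's zone and
# service XML files offline and answer "would zone Z accept port P/proto?".
# firewalld stores zones as /etc/firewalld/zones/*.xml (admin overrides) and
# /usr/lib/firewalld/zones/*.xml (defaults); service definitions live in the
# matching services/ directories. Everything below is a constructed sample in
# that format, written to a temp dir, so it needs neither root nor the daemon.
set -eu

FW_ROOT=$(mktemp -d)
mkdir -p "$FW_ROOT/zones" "$FW_ROOT/services"
trap 'rm -rf "$FW_ROOT"' EXIT

# Constructed: the shape of /etc/firewalld/zones/public.xml after
#   firewall-cmd --permanent --zone=public --add-service=https --add-port=8443/tcp
cat > "$FW_ROOT/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="https"/>
  <port protocol="tcp" port="8443"/>
</zone>
EOF

# Constructed: the trusted zone; a target of ACCEPT admits every packet,
# whatever the service list says.
cat > "$FW_ROOT/zones/trusted.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
</zone>
EOF

# Constructed service definitions in the format of /usr/lib/firewalld/services/*.xml
# (collapsed to one line each here).
cat > "$FW_ROOT/services/ssh.xml" <<'EOF'
<service><short>SSH</short><port protocol="tcp" port="22"/></service>
EOF
cat > "$FW_ROOT/services/https.xml" <<'EOF'
<service><short>HTTPS</short><port protocol="tcp" port="443"/></service>
EOF
cat > "$FW_ROOT/services/dhcpv6-client.xml" <<'EOF'
<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>
EOF

# firewalld's files are flat, so sed is enough to pull the attributes out.
xml_ports()     { sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' "$1"; }
zone_services() { sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"; }
zone_target()   { sed -n 's/.*<zone[^>]*target="\([^"]*\)".*/\1/p' "$1"; }

# Every port/proto a zone opens: its own <port> entries plus the ports of each
# listed service, printed one "port/proto" per line.
zone_open_ports() {
  zone_file="$FW_ROOT/zones/$1.xml"
  xml_ports "$zone_file"
  for s in $(zone_services "$zone_file"); do
    xml_ports "$FW_ROOT/services/$s.xml" 2>/dev/null ||
      echo "WARN: zone $1 lists service $s but no definition was found" >&2
  done
}

# zone_allows ZONE PORT/PROTO -> prints yes or no.
# Assumption: single ports only; port ranges and rich rules are not evaluated.
zone_allows() {
  if [ "$(zone_target "$FW_ROOT/zones/$1.xml")" = "ACCEPT" ]; then
    echo yes
  elif zone_open_ports "$1" | grep -qx "$2"; then
    echo yes
  else
    echo no
  fi
}

# audit_zone ZONE: one finding per line, WARN for a zone that accepts everything.
audit_zone() {
  t=$(zone_target "$FW_ROOT/zones/$1.xml")
  if [ "$t" = "ACCEPT" ]; then
    echo "WARN zone $1: target=ACCEPT, all traffic is accepted"
  else
    echo "OK   zone $1: target=${t:-default}, only the listed ports are accepted"
  fi
  zone_open_ports "$1" | sed "s|^|OK   zone $1: open |"
}

audit_zone public
audit_zone trusted
```

On a live host the same functions can be pointed at the real directories by setting FW_ROOT to /etc/firewalld (or /usr/lib/firewalld for the defaults) instead of the temp dir; firewall-cmd --list-all --zone=public gives the runtime view for comparison, and the two differ whenever a change was made with --permanent but not yet followed by firewall-cmd --reload.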
2 iptables
2.1 What it is
Quoting the definition from the CentOS 7 man page:
iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT.
Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.
2.2 Common usage
Note: to use the iptables/ip6tables services in place of firewalld, firewalld must be stopped and disabled first; the two must never run at the same time, because both program the same kernel tables and one will overwrite the other's rules:
systemctl stop firewalld
systemctl disable firewalld
Masking the unit as well (systemctl mask) keeps firewalld from being started again by hand or as a dependency of another unit. The iptables and ip6tables units are not present on a default CentOS 7 install; they come from the iptables-services package.
1. The systemctl command starts and stops iptables/ip6tables and switches their start-at-boot on or off; the command takes the form:
systemctl start/stop/enable/disable iptables
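The man-page text above introduces tables, built-in chains, rules and targets, and section 3 below notes that the iptables service keeps its rules in /etc/sysconfig/iptables, which is plain iptables-save output that the service feeds to iptables-restore on start. The script below is an added example, not code from the article or from the iptables project: it writes a hardened host ruleset in that format next to a deliberately weak one, and runs an awk audit over the saved text (chain policies, the stateful rule, the ports accepted in INPUT) without root and without touching the kernel. The allow-list of 22/tcp and 443/tcp is an assumption for the example.

```shell
#!/bin/bash
# Added example, not from the original article: a hardened host ruleset in the
# iptables-save format that /etc/sysconfig/iptables uses, a weak one beside it,
# and an awk audit that runs over the saved text, so it needs neither root nor
# a kernel with netfilter. Assumed: the host's only listening services are
# SSH (22/tcp) and HTTPS (443/tcp); adjust the allow-list to your own ports.
set -eu

# Hardened: default-deny INPUT and FORWARD; loopback and stateful replies are
# accepted first, then an explicit allow-list, then a final REJECT so unmatched
# traffic gets an ICMP error instead of a silent timeout (the DROP policy stays
# as the backstop if that rule is ever removed).
hardened_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Weak (constructed): the state after `iptables -F` on a host whose chain
# policies were never changed. Nothing is filtered.
weak_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# audit_ruleset: iptables-save text on stdin, one "OK ..." or "WARN ..." line
# per finding on stdout. Only the filter table's INPUT and FORWARD chains are
# examined; rules reached through user-defined chains are not followed.
audit_ruleset() {
  awk '
    /^\*/                     { table = substr($1, 2); next }
    /^:/ && table == "filter" { policy[substr($1, 2)] = $2; next }
    table == "filter" && $1 == "-A" && $2 == "INPUT" {
      proto = ""; port = ""; target = ""; state = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")        proto  = $(i + 1)
        if ($i == "--dport")   port   = $(i + 1)
        if ($i == "-j")        target = $(i + 1)
        if ($i == "--ctstate") state  = $(i + 1)
      }
      if (target == "ACCEPT" && state ~ /ESTABLISHED/) stateful = 1
      if (target == "ACCEPT" && port != "") open[++n] = port "/" proto
    }
    END {
      split("INPUT FORWARD", chains, " ")
      for (c = 1; c <= 2; c++) {
        ch = chains[c]
        if (policy[ch] == "DROP")
          print "OK   policy " ch " " policy[ch]
        else
          print "WARN policy " ch " " (policy[ch] == "" ? "missing" : policy[ch]) " (default-allow)"
      }
      if (stateful) print "OK   stateful ESTABLISHED,RELATED accept rule in INPUT"
      else          print "WARN no stateful ESTABLISHED,RELATED accept rule in INPUT"
      for (i = 1; i <= n; i++) print "OK   open INPUT " open[i]
    }'
}

# warning_count: number of WARN lines for the ruleset on stdin
# (grep -c exits 1 when the count is 0, hence the || true).
warning_count() { audit_ruleset | grep -c '^WARN' || true; }

echo "== hardened sample =="; hardened_ruleset | audit_ruleset
echo "== weak sample ==";     weak_ruleset | audit_ruleset
```

On a real host, audit the running rules with iptables-save | audit_ruleset, or the persisted ones with audit_ruleset < /etc/sysconfig/iptables. To install the hardened set, write it to /etc/sysconfig/iptables and restart the iptables service; do this over an SSH session only after checking that your own port is in the allow-list, and note that the ESTABLISHED,RELATED rule is what keeps the current session alive while the new policy loads.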
3 The relationship between firewalld and iptables
3.1 Differences
Again quoting the Red Hat documentation, this time on how firewalld differs from the iptables service.
The essential differences between firewalld and the iptables (and ip6tables) services are:
- The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
- With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. Only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
3.2 What they share
Both use the iptables tool to talk to the kernel packet filter.
3.3 Summary
In RHEL 7, firewalld replaces the iptables service. As the stack figure in this article shows, at the service level the two sit side by side, but firewalld still invokes the iptables commands to program netfilter in the kernel (as section 3.2 states), which is why some people describe firewalld as the new way of managing iptables on CentOS 7. Because both end up writing the same kernel tables, only one of the two services should be running on a host at any time.