Linux防火墙(SElinuxnetfilter)防火墙工具iptables

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux防火墙(SElinuxnetfilter)防火墙工具iptables相关的知识,希望对你有一定的参考价值。

Linux防火墙

SElinux防火墙

SElinux是Linux系统特有的安全机制,一般装完系统后都会手动将它关闭;

查询状态

getenforce

Enforcing:为开启状态,Permissive:为临时关闭状态,Disabled:为关闭状态;

[[email protected] ~]# getenforce
Enforcing
[[email protected] ~]#

临时关闭

setenforce 0

[[email protected] ~]# getenforce
Enforcing
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
Permissive
[[email protected] ~]#

永久关闭

配置文件/etc/selinux/config,修改SELINUX=enforcing为SELINUX=disabled
重启生效;

[[email protected] ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[[email protected] ~]# vim /etc/selinux/config
[[email protected] ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[[email protected] ~]#

重启查询,成功关闭

[[email protected] ~]# getenforce
Disabled
[[email protected] ~]#

netfilter防火墙

centos6 5版本使用netfilter防火墙,centos7版本使用为firewalld防火墙,都是用iptables工具;

关闭firewalld防火墙、安装iptables工具

systemctl disable firewalld    //关闭firewalld服务
systemctl stop firewalld        //禁止firewalld开机启动
yum install -y iptables-services    //安装iptables-services
systemctl enable iptables        //让iptables开机启动
systemctl start iptables            //开启iptables

查询iptables默认规则

iptables -nvL

[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   49  3456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   15  1170 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 35 packets, 3216 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

-nvL选项表示查看规则,-F表示临时清除当前规则,-n表示不针对ip反解析主机名,-L表示列出,-v表示列出信息更加详细;
必须使用service iptables save 保存才行,防火墙规则保存在/etc/sysconfig/iptables中;

netfilter的5个表

  • filter:用于过滤包,是系统预设表,最常用的表;有INPUT、OUTPUT、FORWARD等三个链;
  • nat:主要用于网络地址转换;有PREROUTING、OUTPUT、POSTROUTING等三个链;
  • mangle:用来给数据包做标记;
  • raw:实现不追踪某些数据包;
  • security:访问控制MAC列表;

netfilter的5个链

  • PREROUTING:数据包进入路由表之前;
  • INPUT:通过路由表后目的地为本机;
  • FORWARD:通过路由表,目的地部位本机;
  • OUTPUT:有本机产生,向外转发;
  • POSTROUTING:发送到网卡接口之前;

表与链其他详解
http://www.cnblogs.com/metoy/p/4320813.html

iptables基本语法

-A/-D:增加或删除一条规则;
-I:插入一条规则;
-F:清空规则;
-Z:清空计数,重新开始计数;
-t:清空指定表,后面必须带参数表名,-t nat;
-n:不针对ip反解析主机名;
-v:更加详细的信息;
-L:列出,与-v一起使用;
-p:表示指定协议,可以是tcp、udp、icmp;
--dport:跟-p一起使用,表示指定目标端口;
--sport:跟-p一起使用,表示指定源端口;
-s:表示指定源ip(可以是一个网段)
-d:表示指定目的ip(可以是一个网段)
-j:后面跟动作,其中ACCEPT表示允许包、DROP表示丢掉包、REJECT表示拒绝包;
-i:表示指定网卡(不常用);

清空规则

iptables -F
命令清除
service iptables save
保存到文件,重启生效;

[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 740 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

清空指定表

iptables -t nat
指定清空nat表,-t 参数就是指定表;
iptables -t nat -nvL 清空nat表,并显示规则;

[[email protected] ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

清空包以及流量计数器归零

iptables -Z

[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 724 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 6 packets, 664 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

增加规则

-A:增加规则
增加指定源ip以及端口拒绝访问目标ip的某端口
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
将来源ip 192.168.188.1 的1234端口 访问192.168.188.2 的80端口 拒绝掉

[[email protected] ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 926 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 6 packets, 808 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

插入规则

-I:插入规则
iptables -I INPUT -p tcp --dport 80 -j DROP
将拒绝所有的ip访问本机的80端口

[[email protected] ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

删除规则

-D:删除
iptables -D INPUT -p tcp --dport 80 -j DROP
删除掉已知道命令的规则

[[email protected] ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

删除未知命令的规则

iptables -nvL --line-number
显示规则的序列号num

[[email protected] ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 85 packets, 6000 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 41 packets, 4400 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

iptables -D INPUT 1
删除序列号为1的规则

[[email protected] ~]# iptables -D INPUT 1
[[email protected] ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]#

以上是关于Linux防火墙(SElinuxnetfilter)防火墙工具iptables的主要内容,如果未能解决你的问题,请参考以下文章

Linux防火墙的linux 如何查看防火墙是不是开启

linux查看防火墙配置的命令

如何配置linux下的防火墙?

linux 如何查看防火墙是不是开启

在linux里面如何设置防火墙?

如何配置linux下的防火墙?