firewalld, iptables

Source: Internet   Editor: 程序博客网   Time: 2024/05/22 17:22

redhat7.0

############ Firewall

Firewalld overview
The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network "zones", which assign a level of trust to a network and its associated connections and interfaces. It supports both IPv4 and IPv6 firewall settings. It supports Ethernet bridges and keeps runtime and permanent configuration separate. It also provides an interface through which services or applications can add firewall rules directly.
The system provides the graphical configuration tools firewall-config and system-config-firewall, and the command-line client firewall-cmd, for making permanent or runtime (non-permanent) changes to firewalld. firewalld in turn uses the iptables tool to communicate with Netfilter, the packet-filtering code in the kernel.
The most fundamental differences between firewalld and the iptables service are:
• The iptables service stores its configuration in /etc/sysconfig/iptables, whereas firewalld stores its configuration in XML files under /usr/lib/firewalld/ and /etc/firewalld/.
• With the iptables service, every single change means flushing all of the old rules and reading all of the new rules from /etc/sysconfig/iptables; with firewalld no new rule set is created, only the differences between the running rules are applied. firewalld can therefore change settings at runtime without losing existing connections.
• iptables controls services by controlling ports, whereas firewalld controls ports by controlling protocols.

[root@iscsi-server ~]# yum install -y iptables-services
[root@iscsi-server ~]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: inactive (dead) since Wed 2017-08-16 21:52:24 EDT; 4h 25min ago
Main PID: 464 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/firewalld.service
~~~~~~~
[root@iscsi-server ~]# systemctl mask firewalld.service
ln -s '/dev/null' '/etc/systemd/system/firewalld.service'

[root@iscsi-server ~]# systemctl start iptables.service
[root@iscsi-server ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@iscsi-server ~]# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Thu 2017-08-17 02:18:35 EDT; 13s ago
Main PID: 903 (code=exited, status=0/SUCCESS)

Aug 17 02:18:35 iscsi-server.example.com iptables.init[903]: iptables: Applying firewall…]
Aug 17 02:18:35 iscsi-server.example.com systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.

[root@iscsi-server ~]# iptables -L ## list the rules
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@iscsi-server ~]# iptables -nL ## no name resolution (numeric output)

[root@iscsi-server ~]# iptables -t filter -nL ## select the filter table explicitly

[root@iscsi-server ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

[root@iscsi-server ~]# iptables -F ## flush the rule chains
[root@iscsi-server ~]# service iptables save ## save the current rules; some policies only take effect after restarting the service
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@iscsi-server ~]# cat /etc/sysconfig/iptables

# Generated by iptables-save v1.4.21 on Thu Aug 17 02:49:37 2017

*filter
:INPUT ACCEPT [117:8668]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:7316]
:L - [0:0]
COMMIT

# Completed on Thu Aug 17 02:49:37 2017

[root@iscsi-server ~]# iptables -P INPUT DROP ## set the default policy to DROP
[root@iscsi-server ~]# iptables -P INPUT ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -i lo -j ACCEPT
[root@iscsi-server ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all – 0.0.0.0/0 0.0.0.0/0
~~~~~
[root@iscsi-server ~]# iptables -A INPUT -j REJECT
[root@iscsi-server ~]# iptables -I INPUT 2 -s 172.25.254.35 -p tcp --dport 22 -j ACCEPT
[root@iscsi-server ~]# iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT
[root@iscsi-server ~]# iptables -D INPUT 3
[root@iscsi-server ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all – 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp – 172.25.254.35 0.0.0.0/0 tcp dpt:22
ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
REJECT all – 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ACCEPT all – 172.25.254.235 0.0.0.0/0
[root@iscsi-server ~]# iptables -D INPUT -p tcp --dport 80 -j ACCEPT
[root@iscsi-server ~]# iptables -R INPUT 1 -s 172.25.254.35 -p tcp --dport 80 -j ACCEPT ## replace rule 1
[root@iscsi-server ~]# iptables -N WESTOS ## create a user-defined chain
[root@iscsi-server ~]# iptables -E WESTOS redhat ## rename the chain
[root@iscsi-server ~]# iptables -X redhat ## delete the (empty) chain

[root@iscsi-server ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT

[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 139 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 445 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p udp --dport 445 -j ACCEPT
[root@iscsi-server ~]# iptables -A INPUT -m state --state NEW -p udp --dport 139 -j ACCEPT

[root@iscsi-server ~]# iptables -nL ## -n alone hides the interface column, so the "-i lo" rule shows as a bare "state NEW" accept; use -nvL to see it
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:445
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:445
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:139

[root@iscsi-server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
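Added example (not from the original post): a small POSIX sh audit of a rule file in the /etc/sysconfig/iptables (iptables-save) format, answering the two questions the rule set above raises: is there a default deny, and which ports accept new connections. As the `iptables -nL` listing above shows, the INPUT chain there has policy ACCEPT and no catch-all REJECT, so its per-port ACCEPT rules restrict nothing yet. The sample rule files are constructed inline; on a real host, point the functions at /etc/sysconfig/iptables or at `iptables-save` output.

```shell
# Added example, not part of the original post: audit a saved rule file in the
# /etc/sysconfig/iptables (iptables-save) format. Sample files are constructed inline.
# Default policy of the INPUT chain (ACCEPT or DROP).
input_policy() {
    awk '/^:INPUT /{print $2}' "$1"
}

# "yes" if INPUT has a DROP policy or ends in a catch-all "-j REJECT" / "-j DROP"
# with no match criteria; otherwise "no", meaning every unlisted port is reachable.
input_default_deny() {
    if [ "$(input_policy "$1")" = "DROP" ]; then echo yes; return; fi
    if grep -Eq '^-A INPUT +-j +(REJECT|DROP)' "$1"; then echo yes; else echo no; fi
}
# Ports that INPUT rules accept, as "port/proto" in rule order.
input_open_ports() {
    awk '/^-A INPUT / && /-j ACCEPT/ && /--dport/ {
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--dport") d = $(i + 1)
        }
        printf "%s%s/%s", sep, d, p; sep = " "
    } END { print "" }' "$1"
}
# Constructed sample 1: the stock iptables-services file shape; policy ACCEPT
# but a final catch-all REJECT, so only the listed ports are reachable.
STOCK_RULES=$(mktemp)
cat > "$STOCK_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# Constructed sample 2: per-port ACCEPT rules with policy ACCEPT and no
# catch-all, so the ACCEPT rules restrict nothing.
OPEN_RULES=$(mktemp)
cat > "$OPEN_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 445 -j ACCEPT
COMMIT
EOF
echo "stock: deny=$(input_default_deny "$STOCK_RULES") open=$(input_open_ports "$STOCK_RULES")"
echo "saved: deny=$(input_default_deny "$OPEN_RULES") open=$(input_open_ports "$OPEN_RULES")"
```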

iptables and FTP active/passive mode:

[root@iscsi-server ~]# iptables -I INPUT 3 -m state --state NEW -p tcp --dport 7000 -j ACCEPT ## open the passive-mode data port pinned in vsftpd.conf below
[root@iscsi-server ~]# vim /etc/vsftpd/vsftpd.conf
write_enable=YES
pasv_max_port=7000
pasv_min_port=7000

[root@iscsi-server ~]# systemctl restart vsftpd.service
[root@iscsi-server ~]# service iptables save

Firewall policy: DNAT and SNAT translation

Add a second network card and check whether kernel IP forwarding (routing) is enabled
[root@iscsi-server ~]# sysctl -a | grep forward
[root@iscsi-server ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@iscsi-server ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@iscsi-server network-scripts]# vim ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
IPADDR=172.25.35.135
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
PERSISTENT_DHCLIENT=1
[root@iscsi-server network-scripts]# systemctl restart network

[root@iscsi-client ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=172.25.35.235
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=172.25.35.135

[root@iscsi-server network-scripts]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.135
[root@iscsi-server network-scripts]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 172.25.35.235
[root@iscsi-server network-scripts]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all – 0.0.0.0/0 0.0.0.0/0 to:172.25.35.235
~~~~~~~~
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all – 0.0.0.0/0 0.0.0.0/0 to:172.25.254.135

######### firewalld

[root@iscsi-server ~]# systemctl start firewalld.service
[root@iscsi-server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@iscsi-server ~]# firewall-cmd --get-default-zone
public
[root@iscsi-server ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
[root@iscsi-server ~]# firewall-cmd --set-default-zone=trusted
success
[root@iscsi-server ~]# firewall-cmd --get-default-zone
trusted

[root@iscsi-server ~]# firewall-cmd --add-service=ftp ## runtime only: lost when the service or the system restarts
success
[root@iscsi-server ~]# firewall-cmd --reload ## re-read the configuration
success
[root@iscsi-server ~]# firewall-cmd --permanent --add-service=ftp ## permanent change: restart the service or reload the configuration for it to take effect
success
firewalld data directory: /usr/lib/firewalld/
firewalld configuration directory: /etc/firewalld/
[root@iscsi-server zones]# vim /etc/firewalld/zones/public.xml
8
[root@iscsi-server zones]# firewall-cmd --reload

[root@iscsi-server zones]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@iscsi-server zones]# firewall-cmd --reload
[root@iscsi-server zones]# firewall-cmd --permanent --remove-port=8080/tcp
[root@iscsi-server zones]# firewall-cmd --permanent --add-source=172.25.254.35 --zone=trusted
success
[root@iscsi-server zones]# firewall-cmd --reload
success
[root@iscsi-server zones]# firewall-cmd --permanent --add-source=172.25.254.0/24 --zone=trusted
[root@iscsi-server zones]# firewall-cmd --permanent --remove-source=172.25.254.0/24 --zone=trusted

[root@iscsi-server zones]# firewall-cmd --permanent --remove-interface=eth1 --zone=public
success
[root@iscsi-server zones]# firewall-cmd --permanent --add-interface=eth1 --zone=trusted
success
[root@iscsi-server zones]# systemctl restart firewalld.service

[root@iscsi-server zones]# firewall-cmd --permanent --remove-service=ssh
success
[root@iscsi-server zones]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.35 -p tcp --dport 22 -j ACCEPT
success
[root@iscsi-server zones]# firewall-cmd --reload
success
[root@iscsi-server zones]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 '!' -s 172.25.254.35 -p tcp --dport 22 -j ACCEPT
[root@iscsi-server zones]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.35 -p tcp --dport 80 -j REJECT
success
[root@iscsi-server zones]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 '!' -s 172.25.254.35 -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT 0 '!' -s 172.25.254.35 -p tcp --dport 80 -j REJECT

[root@iscsi-server zones]# firewall-cmd --permanent --add-masquerade
success
[root@iscsi-server zones]# firewall-cmd --reload
success

[root@iscsi-server zones]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.135 masquerade'
[root@iscsi-server zones]# firewall-cmd --permanent --remove-interface=eth1 --zone=trusted
success
[root@iscsi-server zones]# firewall-cmd --permanent --add-interface=eth1 --zone=public
success
[root@iscsi-server zones]# systemctl restart firewalld.service
[root@iscsi-server zones]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.35.235"
[root@iscsi-server zones]# firewall-cmd --reload
success
[root@iscsi-server zones]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ftp http
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.254.135" masquerade
rule family="ipv4" forward-port port="22" protocol="tcp" to-port="22" to-addr="172.25.35.235"

[root@iscsi-server zones]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@iscsi-server zones]# semanage port -a -t http_port_t -p tcp 6666 ## label port 6666 as http_port_t (protocol comes before the port number)
