linux——防火墙

fierwalld

firewall-config ##图形管理

permanent ##永久更改
ports 8080 tcp ##添加8080端口

Options —> reload firewall ##刷新&保存

http://172.25.254.1 ##访问失败
http://172.25.254.108:8080 ##访问成功

firewall-cmd –list-all ##查看
ports: 8080/tcp

firewall-cmd –state ##状态
firewall-cmd –get-zones ##列出系统中可以直接使用的域
firewall-cmd –get-default-zone ##查看默认域是哪一个
firewall-cmd –get-active-zones ##当前正在生效的设定
firewall-cmd –set-default-zone=dmz ##dmz设为默认域
firewall-cmd –zone=public –list-all ##列出指定域的策略
firewall-cmd –get-services ##查看所有可以开启的服务
firewall-cmd –list-all-zones ##列出所有域的策略

firewall-cmd –permanent –add-source=172.25.254.8 –zone=trusted ##允许8访问

firewall-cmd –reload
firewall-cmd –permanent –remove-source=172.25.254.8 –zone=trusted ##移除

firewall-cmd –reload

systemctl start httpd
http://172.25.254.1/

firewall-cmd –list-all ##查看
nm-connection-editor ##配置eth1
firewall-cmd –list-all –zone=trusted
firewall-cmd –add-interface=eth0 –zone=trusted
hEast)
firewall-cmd –list-all –zone=trusted
firewall-cmd –add-service=http –zone=trusted
firewall-cmd –list-all –zone=trusted
systemctl start firewalld
firewall-cmd -list-all
firewall-cmd –add-interface=eth1 –zone=trusted
firewall-cmd –list-all –zone=trusted

systemctl start httpd ##开启http服务
firewall-cmd –list-all ##查看开启的服务
firewall-cmd –get-services ##查看所有可以开启的服务
firewall-cmd –add-service=http ##临时打开http
172.25.254.108
systemctl restart firewalld.service ##重启后消失
firewall-cmd –list-all
firewall-cmd –permanent –add-service=http ##永久打开
firewall-cmd –reload
172.25.254.108

vim /etc/httpd/conf/httpd.conf ##更改端口
Listen 8080
systemctl restart httpd
firewall-cmd –permanent –add-port=8080/tcp ##打开端口
firewall-cmd –reload
172.25.254.108:8080

firewall-cmd –add-service=ftp
firewall-cmd –direct –add-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp –dport 21 -j REJECT ##只允许8使用22端口否则拒绝,第一条非172.25.254.8不能连接21端口
firewall-cmd –direct –remove-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp –dport 21 -j REJECT ##移除

firewall-cmd –direct –add-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp –dport 22 -j DROP ##只允许8连接否则等待
firewall-cmd –direct –remove-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp –dport 22 -j DROP ##移除

目的地地址转发，路由之前 ##别人连我，转换出去
firewall-cmd –add-masquerade –zone=public
firewall-cmd –list-all
masquerade: yes

firewall-cmd –add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.8
firewall-cmd –list-all
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.8

firewall-cmd –remove-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.8


原地址转换

辅机：
systemctl stop NetworkManager ##停止网络记录
systemctl restart network
nm-c ##配置ip192.168.0.1网关192.168.0.208
systemctl restart network
systemctl start NetworkManager
firewall-cmd –add-masquerade –zone=public
ping 172.25.254.250 #网络通畅

iptables

yum search iptables
yum install iptables-services.x86_64 -y
systemctl stop firewalld.service ##停止火墙
systemctl mask firewalld.service ##冻结火墙

iptables -nL ##查看所有策略

iptables -F ##清空所以策略
iptables -nL ##再次查看
systemctl restart iptables.service ##重启
systemctl status iptables.service ##查看当前状态
iptables -nL ##查看策略发现是临时改动
iptables -F ##再次清空
service iptables save ##保存
systemctl restart iptables.service ##再次重启
iptables -nL ##再次查看

iptables -t filter -nL ##查看filter
iptables -t nat -nL ##查看nat
iptables -t mangle -nL ##查看mangle

iptables 是从上向下读的
iptables -A INPUT -s 172.25.254.XX -p tcp –dport 22 -j ACCEPT ##给指定IP添加策略
iptables -A INPUT -p tcp –dport 22 -j ACCEPT ##添加22端口
iptables -A INPUT -i lo -j ACCEPT ##添加lo回环接口 默认在最后一行
iptables -nL ##查看
iptables -A INPUT -j REJECT ##拒绝其他请求
iptables -nL

iptables -I INPUT 3 -p tcp –dport 80 -j ACCEPT ##在第三行插入
iptables -nL

iptables -R INPUT 3 -p tcp –dport 8080 -j ACCEPT ##修改第3条
iptables -nL
172.25.254.108


iptables -D INPUT 4 ##删除
iptables -nL


yum install vsftpd -y
systemctl start vsftpd
lftp 172.25.254.108

iptables -P INPUT DROP ##INPUT策略修改为丢掉
iptables -nL
Chain INPUT (policy DROP)

lftp 172.25.254.108 ##请求不会回应
lftp 172.25.254.108:~> ls
`ls’ at 0 [Connecting…]

iptables -P INPUT ACCEPT ##默认修改为允许
Chain INPUT (policy ACCEPT)
lftp 172.25.254.108 ##请求会回应
lftp 172.25.254.108:~> ls
drwxr-xr-x 2 0 0 6 Aug 03 2015 pub

iptables -A INPUT -j REJECT ##添加拒绝，请求会回应
iptables -D INPUT 4
iptables -nL

iptables -N wy ##添加链 wy

iptables -nL
iptables -E wy yw ##修改链wy 为yw

iptables -nL

iptables -X yw ##删除链
iptables -nL

火墙策略优化
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -nL
iptables -A INPUT -m state –state NEW -i lo -j ACCEPT
iptables -A INPUT -m state –state NEW -p tcp –dport 8080 -j ACCEPT
iptables -A INPUT -m state –state NEW -p tcp –dport 22 -j ACCEPT
iptables -A INPUT -m state –state NEW -j REJECT
iptables -nL

iptables -t nat -A POSTROUTING -o eth0 -j SNAT –to-source 172.25.254.1 ########源地址转换

sysctl -a |grep ip_forward ####开启本机两个网卡之间通信
vim /etc/sysctl.cof
net.ipv4.ip_forward = 1
sysctl -p


iptables -t nat -A PREROUTING -i eth0 -d 172.25.254.1 -j DNAT –to-dest 172.25.85.2 ########目的地址转换 伪装