Linux firewalls (SELinux, netfilter) and the firewall tool iptables
SELinux
SELinux is a security mechanism specific to Linux; it is usually switched off by hand right after the system is installed.
Check the status
getenforce
Enforcing: enabled; Permissive: temporarily disabled (violations are logged but not enforced); Disabled: disabled.
[root@shu-test ~]# getenforce
Enforcing
[root@shu-test ~]#
Temporarily disable
setenforce 0
[root@shu-test ~]# getenforce
Enforcing
[root@shu-test ~]# setenforce 0
[root@shu-test ~]# getenforce
Permissive
[root@shu-test ~]#
Permanently disable
In the configuration file /etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled.
The change takes effect after a reboot.
[root@shu-test ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@shu-test ~]# vim /etc/selinux/config
[root@shu-test ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@shu-test ~]#
Check again after the reboot: successfully disabled
[root@shu-test ~]# getenforce
Disabled
[root@shu-test ~]#
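A repeatable way to make the permanent change described above, as an added example that is not part of the original post: the function rewrites only the line that starts with SELINUX=, so the comment lines that also contain the word enforcing are left alone, and it rehearses the edit on a constructed copy of the file instead of /etc/selinux/config. The function names and the sample file are assumptions.

```shell
# configured_selinux_mode FILE: prints the value of the active SELINUX= line,
# ignoring comments and the separate SELINUXTYPE= key.
configured_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# set_selinux_mode FILE MODE: rewrites only the line that starts with SELINUX=,
# so comment lines such as "# enforcing - ..." are never touched, then prints
# the mode the file now declares. A reboot is still needed for it to take effect.
set_selinux_mode() {
    cfg="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
    esac
    tmp="$cfg.tmp"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    configured_selinux_mode "$cfg"
}

# make_sample_config: constructed copy of the stock /etc/selinux/config so the
# edit can be rehearsed without touching the real file; prints the temp path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
EOF
    echo "$f"
}

# Rehearsal run: change enforcing -> disabled on the sample copy.
sample=$(make_sample_config)
set_selinux_mode "$sample" disabled     # prints: disabled
rm -f "$sample"
```

To apply it to the real system, pass /etc/selinux/config as the file argument and reboot afterwards; getenforce will not report the new mode before that.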
netfilter firewall
CentOS 6 (and 5) use the netfilter firewall, while CentOS 7 uses firewalld; both are managed with the iptables tool.
Disable the firewalld firewall and install the iptables tool
systemctl disable firewalld         // stop firewalld from starting at boot
systemctl stop firewalld            // stop the firewalld service
yum install -y iptables-services    // install iptables-services
systemctl enable iptables           // start iptables at boot
systemctl start iptables            // start iptables now
Check the default iptables rules
iptables -nvL
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
49 3456 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
15 1170 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 35 packets, 3216 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
The -nvL options show the rules: -n does not reverse-resolve IP addresses to hostnames, -L lists the rules, and -v makes the listing more verbose; -F temporarily clears the current rules.
Changes only persist if you run service iptables save; the firewall rules are stored in /etc/sysconfig/iptables.
The 5 netfilter tables
- filter: filters packets; the default and most commonly used table; has the INPUT, OUTPUT and FORWARD chains.
- nat: mainly for network address translation; has the PREROUTING, OUTPUT and POSTROUTING chains.
- mangle: used to mark packets.
- raw: exempts certain packets from connection tracking.
- security: mandatory access control (MAC) rules.
The 5 netfilter chains
- PREROUTING: before the packet reaches the routing table.
- INPUT: after routing, when the destination is the local host.
- FORWARD: after routing, when the destination is not the local host.
- OUTPUT: generated by the local host and sent outward.
- POSTROUTING: before the packet is sent out of the network interface.
More details on tables and chains
http://www.cnblogs.com/metoy/p/4320813.html
iptables basic syntax
-A/-D: append or delete a rule;
-I: insert a rule (it goes in front of the existing rules in the chain);
-F: flush the rules;
-Z: zero the counters so counting starts again;
-t: select the table to operate on; must be followed by the table name, e.g. -t nat (combined with -F it flushes that table);
-n: do not reverse-resolve IP addresses to hostnames;
-v: more verbose output;
-L: list the rules, used together with -v;
-p: specify the protocol: tcp, udp or icmp;
--dport: used together with -p, specifies the destination port;
--sport: used together with -p, specifies the source port;
-s: specify the source IP (may be a network range);
-d: specify the destination IP (may be a network range);
-j: followed by the action: ACCEPT lets the packet through, DROP silently discards it, REJECT refuses it and sends back an error;
-i: specify the network interface (rarely used);
Flush the rules
iptables -F
Clears the rules in memory with a single command.
service iptables save
Saves the rules to the file so the change survives a restart.
[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 740 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
Flush a specific table
iptables -t nat
-t selects the table; with -F it flushes the nat table.
iptables -t nat -nvL lists the rules of the nat table, so you can verify it after flushing.
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
Zero the packet and byte counters
iptables -Z
[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 724 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 664 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
Add a rule
-A: append a rule
Block a given source IP and port from reaching a given port on the destination IP
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
Drops traffic from port 1234 of source IP 192.168.188.1 to port 80 of 192.168.188.2.
[root@shu-test ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 926 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 808 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
Insert a rule
-I: insert a rule
iptables -I INPUT -p tcp --dport 80 -j DROP
Blocks every IP from reaching port 80 on this host.
[root@shu-test ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
Delete a rule
-D: delete
iptables -D INPUT -p tcp --dport 80 -j DROP
Deletes a rule whose original command is known: repeat the same match with -D in place of -A or -I.
[root@shu-test ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#
Delete a rule whose original command is unknown
iptables -nvL --line-number
Shows each rule's sequence number (num)
[root@shu-test ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 85 packets, 6000 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 41 packets, 4400 bytes)
num pkts bytes target prot opt in out source destination
[root@shu-test ~]#
iptables -D INPUT 1
Deletes the rule with sequence number 1
[root@shu-test ~]# iptables -D INPUT 1
[root@shu-test ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num pkts bytes target prot opt in out source destination
[root@shu-test ~]#
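The delete-by-number procedure above turned into a repeatable script, as an added example that is not part of the original post: it parses a constructed iptables -nvL --line-number listing, finds the rule numbers in one chain that match a pattern, and prints the iptables -D commands highest number first, because deleting rule 1 renumbers every rule after it. The function names and the sample listing are assumptions; on a real host feed it the live listing, e.g. iptables -nvL --line-number | delete_matching INPUT 'dpt:80'.

```shell
# Constructed sample of `iptables -nvL --line-number` output: three rules in
# INPUT and one in FORWARD match dpt:80, one INPUT rule does not.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 85 packets, 6000 bytes)
num   pkts bytes target  prot opt in  out  source         destination
1        0     0 DROP    tcp  --  *   *    0.0.0.0/0      0.0.0.0/0      tcp dpt:80
2       49  3456 ACCEPT  all  --  *   *    0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
3        0     0 DROP    tcp  --  *   *    192.168.188.1  192.168.188.2  tcp spt:1234 dpt:80
4        0     0 DROP    tcp  --  *   *    10.0.0.0/8     0.0.0.0/0      tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out  source         destination
1        0     0 DROP    tcp  --  *   *    0.0.0.0/0      0.0.0.0/0      tcp dpt:80
'

# rule_numbers CHAIN PATTERN: reads a listing on stdin and prints, highest
# first, the numbers of the rules in CHAIN whose line matches PATTERN (an awk
# regex; anchor it, e.g. 'dpt:80( |$)', if dpt:8080 must not match too).
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain /                                  { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $0 ~ pat    { print $1 }
    ' | sort -rn
}

# delete_commands CHAIN PATTERN: prints the iptables -D commands to run.
# Highest number first, so each deletion leaves the remaining numbers valid.
delete_commands() {
    rule_numbers "$1" "$2" | while read -r n; do
        echo "iptables -D $1 $n"
    done
}

# delete_matching CHAIN PATTERN: dry run by default; runs the commands only
# when APPLY=1 is set, then `service iptables save` is still needed to persist.
delete_matching() {
    delete_commands "$1" "$2" | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then $cmd; else echo "DRY RUN: $cmd"; fi
    done
}

# Rehearsal on the constructed listing (no iptables call is made).
printf '%s' "$SAMPLE_LISTING" | delete_matching INPUT 'dpt:80'
```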