Linux防火墙
SElinux防火墙
SElinux是Linux系统特有的安全机制,一般装完系统后都会手动将它关闭;
查询状态
getenforce
Enforcing:为开启状态,Permissive:为临时关闭状态,Disabled:为关闭状态;
[root@shu-test ~]# getenforce
Enforcing
[root@shu-test ~]#临时关闭
setenforce 0
[root@shu-test ~]# getenforce
Enforcing
[root@shu-test ~]# setenforce 0
[root@shu-test ~]# getenforce
Permissive
[root@shu-test ~]#永久关闭
配置文件/etc/selinux/config,修改SELINUX=enforcing为SELINUX=disabled
重启生效;
[root@shu-test ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@shu-test ~]# vim /etc/selinux/config
[root@shu-test ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@shu-test ~]#重启查询,成功关闭
[root@shu-test ~]# getenforce
Disabled
[root@shu-test ~]#netfilter防火墙
centos6 5版本使用netfilter防火墙,centos7版本使用为firewalld防火墙,都是用iptables工具;
关闭firewalld防火墙、安装iptables工具
systemctl disable firewalld //关闭firewalld服务
systemctl stop firewalld //禁止firewalld开机启动
yum install -y iptables-services //安装iptables-services
systemctl enable iptables //让iptables开机启动
systemctl start iptables //开启iptables查询iptables默认规则
iptables -nvL
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
49 3456 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
15 1170 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 35 packets, 3216 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#-nvL选项表示查看规则,-F表示临时清除当前规则,-n表示不针对ip反解析主机名,-L表示列出,-v表示列出信息更加详细;
必须使用service iptables save 保存才行,防火墙规则保存在/etc/sysconfig/iptables中;
netfilter的5个表
- filter:用于过滤包,是系统预设表,最常用的表;有INPUT、OUTPUT、FORWARD等三个链;
- nat:主要用于网络地址转换;有PREROUTING、OUTPUT、POSTROUTING等三个链;
- mangle:用来给数据包做标记;
- raw:实现不追踪某些数据包;
- security:访问控制MAC列表;
netfilter的5个链
- PREROUTING:数据包进入路由表之前;
- INPUT:通过路由表后目的地为本机;
- FORWARD:通过路由表,目的地部位本机;
- OUTPUT:有本机产生,向外转发;
- POSTROUTING:发送到网卡接口之前;
表与链其他详解
http://www.cnblogs.com/metoy/p/4320813.html
iptables基本语法
-A/-D:增加或删除一条规则;
-I:插入一条规则;
-F:清空规则;
-Z:清空计数,重新开始计数;
-t:清空指定表,后面必须带参数表名,-t nat;
-n:不针对ip反解析主机名;
-v:更加详细的信息;
-L:列出,与-v一起使用;
-p:表示指定协议,可以是tcp、udp、icmp;
--dport:跟-p一起使用,表示指定目标端口;
--sport:跟-p一起使用,表示指定源端口;
-s:表示指定源ip(可以是一个网段)
-d:表示指定目的ip(可以是一个网段)
-j:后面跟动作,其中ACCEPT表示允许包、DROP表示丢掉包、REJECT表示拒绝包;
-i:表示指定网卡(不常用);
清空规则
iptables -F
命令清除
service iptables save
保存到文件,重启生效;
[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 740 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#清空指定表
iptables -t nat
指定清空nat表,-t 参数就是指定表;
iptables -t nat -nvL 清空nat表,并显示规则;
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#清空包以及流量计数器归零
iptables -Z
[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 724 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 664 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#增加规则
-A:增加规则
增加指定源ip以及端口拒绝访问目标ip的某端口
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
将来源ip 192.168.188.1 的1234端口 访问192.168.188.2 的80端口 拒绝掉
[root@shu-test ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 926 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 808 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#插入规则
-I:插入规则
iptables -I INPUT -p tcp --dport 80 -j DROP
将拒绝所有的ip访问本机的80端口
[root@shu-test ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#删除规则
-D:删除
iptables -D INPUT -p tcp --dport 80 -j DROP
删除掉已知道命令的规则
[root@shu-test ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
pkts bytes target prot opt in out source destination
[root@shu-test ~]#删除未知命令的规则
iptables -nvL --line-number
显示规则的序列号num
[root@shu-test ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 85 packets, 6000 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.2 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 41 packets, 4400 bytes)
num pkts bytes target prot opt in out source destination
[root@shu-test ~]#iptables -D INPUT 1
删除序列号为1的规则
[root@shu-test ~]# iptables -D INPUT 1
[root@shu-test ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num pkts bytes target prot opt in out source destination
[root@shu-test ~]#保存与备份规则
保存:
service iptables save将规则保存到/etc/sysconfig/iptables
备份:
iptables-save > my.ipt将iptables的规则备份到my.ipt文件中
恢复备份规则
iptables-restore < my.ipt将文件中的规则恢复到iptables中