CentOS 7 firewall: firewalld and iptables settings
iptables configuration
yum install iptables -y
iptables (options) (parameters)
-P: set the default policy of a chain;
-t <table>: specify the table to operate on;
-A: append an entry to a chain;
-D: delete an entry from a chain;
-I: insert an entry into a chain;
-R: replace an entry in a chain;
-L: list the existing entries of a chain;
-F: flush all entries from a chain;
-Z: zero the packet and byte counters of a chain;
-N: create a new user-defined chain;
-h: show help;
-p: specify the packet protocol to match;
-s: specify the packet source IP address to match;
-j <target>: specify the target to jump to;
-i <interface>: specify the interface the packet arrives on;
-o <interface>: specify the interface the packet leaves through
iptables -t <table> <-A/I/D/R> <chain> [rule number] <-i/-o interface> -p <protocol> <-s source IP/subnet> --sport <source port> <-d destination IP/subnet> --dport <destination port> -j <action>
Allow only hosts in 192.168.121.0/24 to reach port 22 (ssh):
iptables -A INPUT -i ens33 -p tcp -s 192.168.121.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -i ens33 -p tcp --dport 22 -j REJECT
Allow only hosts in 192.168.121.0/24 to ping:
iptables -A INPUT -i ens33 -p icmp -s 192.168.121.0/24 -j ACCEPT
iptables -A INPUT -i ens33 -p icmp -j REJECT
Open ports from the command line:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Save the opened ports:
/etc/rc.d/init.d/iptables save
vim /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A can be read as appending a rule
-p specifies the protocol; tcp is the one we use most, but there is also udp, e.g. DNS on port 53
--dport is the destination port, i.e. the port that traffic entering the server is addressed to
--sport is the source port, used for traffic leaving the server
-j specifies the action: ACCEPT (accept) or DROP (discard)
-m tcp loads the tcp extension module
-m state --state <state> matches on the connection-tracking state of the packet:
INVALID: the packet cannot be associated with any known connection;
ESTABLISHED: the packet belongs to a connection that has already seen traffic in both directions;
NEW: the packet starts a new connection (for tcp, the initial SYN);
RELATED: the packet starts a new connection that is related to an existing one, e.g. an FTP data connection;
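As an added example (not part of the original article), the following POSIX shell script renders the allow-list built by hand above into iptables-restore format, the layout used by /etc/sysconfig/iptables, so the whole ruleset can be reviewed before it is applied. It assumes the trusted subnet, the interface name and the list of public ports are passed as arguments; everything not listed is rejected.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a complete
# filter-table ruleset in iptables-restore format from three assumptions:
# a trusted subnet (ssh and ping only from there), an interface, and the
# list of service ports to open to everyone.

# gen_iptables_rules TRUSTED_SUBNET IFACE PORT...   (prints the ruleset)
gen_iptables_rules() {
    subnet="$1"; iface="$2"; shift 2
    echo '*filter'
    # Default-deny inbound; forwarding unused; outbound left open.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback, replies to connections this host opened, and garbage.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # ssh and ping only from the trusted subnet. ACCEPT must come before
    # REJECT because iptables stops at the first matching rule.
    echo "-A INPUT -i $iface -p tcp -s $subnet -m state --state NEW --dport 22 -j ACCEPT"
    echo "-A INPUT -i $iface -p tcp --dport 22 -j REJECT"
    echo "-A INPUT -i $iface -p icmp -s $subnet -j ACCEPT"
    echo "-A INPUT -i $iface -p icmp -j REJECT"
    # Public service ports, new connections only.
    for port in "$@"; do
        echo "-A INPUT -i $iface -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# rule_line_no RULESET PATTERN: 1-based line number of the first line
# matching PATTERN (empty if none). Used to check that an ACCEPT rule
# really sits above the REJECT rule it is meant to override.
rule_line_no() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Usage (as root): gen_iptables_rules 192.168.121.0/24 ens33 80 3306 8080 \
#     > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```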
Enable/disable iptables at boot
chkconfig iptables on
chkconfig iptables off
service iptables start/stop/status/restart
firewalld configuration
Operate it with the firewall-cmd command
[root@Nextcloud ~]# firewall-cmd --get-zones # list the available zones
trusted home internal work public external dmz block drop
[root@Nextcloud ~]# firewall-cmd --get-default-zone # show the default zone
public
[root@Nextcloud ~]# firewall-cmd --get-active-zones # show the zones in use and their interfaces
public
interfaces: ens33
[root@Nextcloud ~]# firewall-cmd --set-default-zone=trusted # set the default zone
Warning: ZONE_ALREADY_SET: trusted
success
[root@Nextcloud ~]# firewall-cmd --reload
success
[root@Nextcloud ~]# firewall-cmd --panic-on # enable panic mode (drop all traffic)
success
[root@Nextcloud ~]# firewall-cmd --panic-off # disable panic mode
success
[root@Nextcloud ~]# firewall-cmd --zone=public --query-service=ssh # is the ssh service allowed?
yes
[root@Nextcloud ~]# firewall-cmd --zone=public --query-service=http
no
[root@Nextcloud ~]# firewall-cmd --zone=public --query-service=https
no
[root@Nextcloud ~]# firewall-cmd --zone=public --add-service=http # allow the http service (runtime only)
success
[root@Nextcloud ~]# firewall-cmd --zone=public --add-service=https
success
[root@Nextcloud ~]# firewall-cmd --zone=public --add-service=https --permanent # permanently allow the https service
success
[root@Nextcloud ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@Nextcloud ~]# firewall-cmd --zone=public --remove-service=https --permanent # permanently deny the https service
success
[root@Nextcloud ~]# firewall-cmd --zone=public --remove-service=http --permanent
[root@Nextcloud ~]# firewall-cmd --reload
success
[root@Nextcloud ~]# firewall-cmd --zone=public --add-port=3306/tcp --permanent # permanently allow access to port 3306
success
[root@Nextcloud ~]# firewall-cmd --zone=public --remove-port=3306/tcp --permanent # permanently deny access to port 3306
success
[root@Nextcloud ~]# firewall-cmd --zone=public --list-ports
3306/tcp
Port forwarding command:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<ip address>
firewall-cmd --permanent --zone=public --add-forward-port=port=1020:proto=tcp:toport=22:toaddr=192.168.121.121
Rich rules:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address=192.168.121.0/24 service name="ssh" reject'
[root@Nextcloud ~]# firewall-cmd --get-services # list the predefined services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
Besides the iptables and firewalld firewall policies, services can also be controlled with the host access-control lists:
/etc/hosts.allow
/etc/hosts.deny