Introduction to firewall and iptables in Linux

This article introduces firewall and iptables in Linux: what they are, how they are used, and how they relate to each other. Using CentOS 7 as the reference system, it explains the dynamic, customizable nature of the firewalld service and how network traffic is filtered with iptables.


This article covers firewall and iptables in Linux.

Note: the usage examples in this article target CentOS 7.

1 firewall

1.1 What

Quoting the Red Hat documentation's introduction to the firewall:

A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow through.

firewalld is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.

firewalld uses the concepts of zones and services, that simplify the traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

1.2 Firewall Stack

1.3 Common usage

1. Use systemctl to start and stop firewalld and to enable or disable it at boot. The command takes the form:

systemctl start/stop/enable/disable firewalld

2 iptables

2.1 What

Quoting the definition from the CentOS 7 manual page:

iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT.

Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.
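As an added example (not code from the original article or from the iptables project), the following Python script models the vocabulary of the manual page above: a table holds chains, a chain is an ordered list of rules, and a rule's target is either a verdict (ACCEPT, DROP, REJECT), a jump to a user-defined chain in the same table, or RETURN. It parses a constructed ruleset written in the iptables-save layout that /etc/sysconfig/iptables uses and walks packets through INPUT, so that first-match-wins ordering, the jump into a user chain, and the fall-through after a RETURN can be observed. The ruleset, the MGMT chain and the Packet fields are assumptions made for this illustration, and only a handful of match options (-i, -s, -p, --dport, --state) are understood.

```python
"""Model of how the iptables filter table evaluates a packet: first matching
rule wins, its target is a verdict or a jump, a user chain may RETURN, and a
built-in chain that runs out of rules applies its policy."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ruleset in iptables-save format (the layout of
# /etc/sysconfig/iptables). Made up for this example, not dumped from a host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j MGMT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A MGMT -s 10.0.0.0/8 -j ACCEPT
-A MGMT -j RETURN
COMMIT
"""

VERDICTS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    matches: dict
    target: str


@dataclass
class Chain:
    policy: Optional[str]               # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Packet:
    iface: str
    src: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"                  # conntrack state as "-m state" sees it


def parse_rule(tokens: List[str]):
    """Turn one '-A CHAIN ...' line into (chain name, Rule)."""
    chain, target, matches = None, None, {}
    i = 0
    while i + 1 < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "-A":
            chain = arg
        elif opt == "-i":
            matches["iface"] = arg
        elif opt == "-s":
            matches["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            matches["proto"] = arg
        elif opt == "--dport":
            matches["dport"] = int(arg)
        elif opt == "--state":
            matches["state"] = set(arg.split(","))
        elif opt == "-j":
            target = arg
        # "-m state", "-m tcp" and "--reject-with X" also take one argument
        # but do not affect this model, so they are simply skipped.
        i += 2
    return chain, Rule(matches, target)


def parse_iptables_save(text: str) -> Dict[str, Chain]:
    """Parse the *filter table of iptables-save output into chains."""
    chains: Dict[str, Chain] = {}
    for line in text.splitlines():
        if line.startswith(":"):        # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=None if policy == "-" else policy)
        elif line.startswith("-A "):
            name, rule = parse_rule(shlex.split(line))
            chains[name].rules.append(rule)
    return chains


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    m = rule.matches
    if "iface" in m and m["iface"] != pkt.iface:
        return False
    if "src" in m and ipaddress.ip_address(pkt.src) not in m["src"]:
        return False
    if "proto" in m and m["proto"] != pkt.proto:
        return False
    if "dport" in m and m["dport"] != pkt.dport:
        return False
    if "state" in m and pkt.state not in m["state"]:
        return False
    return True


def walk_chain(chains, name: str, pkt: Packet) -> Optional[str]:
    """Verdict reached inside this chain, or None if it RETURNs / runs out."""
    for rule in chains[name].rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.target in VERDICTS:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target in chains:       # jump to a user-defined chain
            sub = walk_chain(chains, rule.target, pkt)
            if sub is not None:
                return sub
        # sub-chain RETURNed, or a non-terminating target such as LOG:
        # evaluation continues with the next rule of this chain
    return None


def verdict(chains, chain: str, pkt: Packet) -> str:
    """Fate of pkt entering a built-in chain: a rule's verdict or the policy."""
    result = walk_chain(chains, chain, pkt)
    return result if result is not None else chains[chain].policy


if __name__ == "__main__":
    table = parse_iptables_save(SAMPLE_RULES)
    for p in (Packet("eth0", "10.1.2.3", "tcp", 22),
              Packet("eth0", "192.168.1.5", "tcp", 22),
              Packet("eth0", "192.168.1.5", "tcp", 80),
              Packet("eth0", "192.168.1.5", "udp", 53)):
        print(p, "->", verdict(table, "INPUT", p))
```

Note how SSH from 192.168.1.5 ends up REJECTed even though a rule jumps it into MGMT: MGMT only accepts 10.0.0.0/8, its final RETURN hands the packet back to INPUT, and the catch-all REJECT then fires. The INPUT policy of DROP is never reached while that catch-all exists; the empty FORWARD chain shows where a policy does apply.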

2.2 Common usage

Note: to manage the firewall with the iptables/ip6tables services instead of firewalld, firewalld must first be stopped and disabled; two services programming the same kernel tables would otherwise overwrite each other's rules. On CentOS 7 the iptables and ip6tables service units come from the iptables-services package, which is not installed by default, and Red Hat additionally recommends masking firewalld (systemctl mask firewalld) so that it cannot be started again by accident. The commands to disable it are:

systemctl disable firewalld
systemctl stop firewalld

1. Use systemctl to start and stop the iptables/ip6tables service and to enable or disable it at boot. The command takes the form:

systemctl start/stop/enable/disable iptables

3 Relationship between firewall and iptables

3.1 Differences

Again quoting the Red Hat documentation, this time on the differences between firewalld and iptables:

The essential differences between firewalld and the iptables (and ip6tables) services are:

  • The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
  • With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. Only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
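The zone and service concepts from section 1.1 and the XML storage described in the quotation above can be made concrete with a small resolver. The following Python script is an added example, not code from the article or from firewalld itself: it reads constructed zone and service files written in the shape firewalld uses, lets a copy under /etc/firewalld/zones/ override the packaged one under /usr/lib/firewalld/zones/, and reports which ports a zone opens and what happens to traffic that matches nothing (the trusted zone allows everything through target="ACCEPT"). The zone and service contents are made up for this illustration.

```python
"""Resolve a firewalld zone's effective open ports from its XML definitions.
Zones live in /usr/lib/firewalld/zones/ (packaged) and /etc/firewalld/zones/
(local, overriding a packaged file of the same name); each <service name=.../>
refers to an XML file under .../services/ that names the service's ports; the
zone's optional target attribute decides the fate of unmatched traffic."""
import xml.etree.ElementTree as ET
from typing import Dict

# Constructed service files in the shape of /usr/lib/firewalld/services/<name>.xml.
# Made up for this example, not copied from an installed system.
SERVICES_XML: Dict[str, str] = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "dhcpv6-client": ('<service><short>DHCPv6 Client</short>'
                      '<port protocol="udp" port="546"/>'
                      '<destination ipv6="fe80::/64"/></service>'),
}

# Constructed zone files: packaged defaults and one local override that adds
# tcp/8443 to "public" (the kind of change firewall-cmd --permanent writes).
ZONES_USR_LIB: Dict[str, str] = {
    "public": ('<zone><short>Public</short>'
               '<service name="ssh"/><service name="dhcpv6-client"/></zone>'),
    "dmz": ('<zone><short>DMZ</short><service name="ssh"/>'
            '<port protocol="tcp" port="8000-8010"/></zone>'),
    "trusted": '<zone target="ACCEPT"><short>Trusted</short></zone>',
    "drop": '<zone target="DROP"><short>Drop</short></zone>',
}
ZONES_ETC: Dict[str, str] = {
    "public": ('<zone><short>Public</short><service name="ssh"/>'
               '<service name="dhcpv6-client"/>'
               '<port protocol="tcp" port="8443"/></zone>'),
}


def load_zone_xml(name: str, etc=ZONES_ETC, usr_lib=ZONES_USR_LIB) -> str:
    """/etc/firewalld wins over /usr/lib/firewalld for a zone of the same name."""
    return etc.get(name) or usr_lib[name]


def service_ports(name: str, services=SERVICES_XML):
    """Set of (protocol, port-spec) pairs a service definition opens."""
    root = ET.fromstring(services[name])
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


def zone_policy(name: str, etc=ZONES_ETC, usr_lib=ZONES_USR_LIB,
                services=SERVICES_XML) -> dict:
    """Flatten a zone into its target, the fate of unmatched traffic, and its ports."""
    root = ET.fromstring(load_zone_xml(name, etc, usr_lib))
    target = root.get("target", "default")
    ports = set()
    for svc in root.findall("service"):            # <service name="ssh"/>
        ports |= service_ports(svc.get("name"), services)
    for p in root.findall("port"):                 # <port protocol="tcp" port="8443"/>
        ports.add((p.get("protocol"), p.get("port")))
    # "default" and "%%REJECT%%" reject unmatched traffic; ACCEPT and DROP are literal.
    unmatched = target if target in ("ACCEPT", "DROP") else "REJECT"
    return {"target": target, "unmatched": unmatched, "ports": ports}


def is_open(zone: str, protocol: str, port: int, **kw) -> bool:
    """Would the zone admit a new connection to protocol/port?"""
    pol = zone_policy(zone, **kw)
    if pol["unmatched"] == "ACCEPT":               # trusted: everything is allowed
        return True
    for proto, spec in pol["ports"]:
        lo, _, hi = spec.partition("-")            # "22" or a range "8000-8010"
        if proto == protocol and int(lo) <= port <= int(hi or lo):
            return True
    return False


if __name__ == "__main__":
    for z in ("public", "dmz", "trusted", "drop"):
        pol = zone_policy(z)
        print(z, pol["target"], "unmatched ->", pol["unmatched"], sorted(pol["ports"]))
    print("public tcp/8443 with local override:", is_open("public", "tcp", 8443))
    print("public tcp/8443 packaged file only  :", is_open("public", "tcp", 8443, etc={}))
```

Passing etc={} shows the point of the two directories: with only the packaged file, tcp/8443 is closed in public, and the local copy is what firewalld reads once it exists. This is also why the quotation says firewalld "stores it in various XML files" rather than in one flat rules file.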

3.2 What they share

Both use iptables tool to talk to the kernel packet filter.

3.3 Summary

In RHEL 7, firewalld replaced the iptables service as the default firewall management service; the iptables command itself remains installed and in use.

The firewall stack diagram referred to in section 1.2 shows that, at the service level, the two sit side by side as alternatives. Yet firewalld still issues iptables commands to program the kernel's netfilter (as section 3.2 describes), which is why firewalld is sometimes described as the new CentOS 7 front end for managing iptables.
