12. Linux firewall
12.1. SELinux: a mandatory access control (MAC) mechanism specific to Linux. In practice it is often switched off, but that removes a whole layer of process confinement; when you only need to rule SELinux out as the cause of a problem, prefer permissive mode, which keeps logging denials.
- Turn SELinux off temporarily: setenforce 0. This puts the running policy into permissive mode (denials are written to /var/log/audit/audit.log but no longer blocked); the policy stays loaded, and the command has no effect on a system that booted with SELINUX=disabled. Check the current mode with getenforce.
- Turn it off permanently: edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled (or to SELINUX=permissive to keep the audit trail). The change takes effect after a reboot. Going from disabled back to enforcing later requires a filesystem relabel (touch /.autorelabel, then reboot), because files created while disabled carry no security context.
[root@aminglinux ~]# setenforce 0
[root@aminglinux ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
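The config file above hides a small trap: the comment lines also contain the string "SELINUX=", so a naive grep for the setting returns a comment. The following script is an added example, not part of the course notes; it reads and changes the SELINUX= line safely, refuses invalid modes, and compares the configured mode with the running one reported by getenforce (the kind of drift left behind by a forgotten setenforce 0). The sample config it writes is a constructed copy of the file shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): parse and edit /etc/selinux/config safely.

make_sample_config() {
  # Write a constructed copy of /etc/selinux/config to $1 (same shape as the real file).
  cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

selinux_config_mode() {
  # Print the boot-time mode from config file $1. Anchoring at line start skips
  # the "# SELINUX= can take ..." comment; if the key appears twice, the last one wins.
  sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

set_selinux_config_mode() {
  # $1 = config file, $2 = enforcing | permissive | disabled.
  # Anything else is rejected so a typo cannot leave an invalid SELINUX= line.
  case "$2" in
    enforcing|permissive|disabled) ;;
    *) echo "set_selinux_config_mode: invalid mode '$2'" >&2; return 1 ;;
  esac
  # Rewrite only the real setting line (comments keep their text); written via a
  # temp file so this works with any sed, not just GNU sed -i.
  sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

selinux_mode_matches() {
  # $1 = configured mode (lowercase, from the file), $2 = getenforce output
  # (capitalised: Enforcing/Permissive/Disabled). 0 when they agree, 1 on drift.
  [ "$1" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Usage on the constructed sample:
tmp=$(mktemp)
make_sample_config "$tmp"
echo "configured mode: $(selinux_config_mode "$tmp")"
set_selinux_config_mode "$tmp" permissive
echo "after edit:      $(selinux_config_mode "$tmp")"
rm -f "$tmp"

# On a real host, compare the running mode with what the system will boot into:
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
  cfg=$(selinux_config_mode /etc/selinux/config)
  running=$(getenforce)
  if selinux_mode_matches "$cfg" "$running"; then
    echo "live system: running $running, matches config"
  else
    echo "live system: running $running, but config says $cfg (will change at reboot)"
  fi
fi
```

The drift check is the part worth keeping around: setenforce 0 is easy to run during debugging and easy to forget, and only the comparison against the config file tells you which mode the next reboot will bring back.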
12.2. netfilter
netfilter is the packet-filtering framework inside the Linux kernel on every release; what changed in CentOS 7 is the userspace front end. Before CentOS 7 the rules were managed directly with iptables and the iptables init service; from CentOS 7 on, firewalld is the default front end (underneath it still programs netfilter through iptables).
- How to stop firewalld and manage netfilter with the iptables service instead (do not leave both enabled: they write the same kernel tables and overwrite each other's rules):
- systemctl stop firewalld   stop the firewalld service
- systemctl disable firewalld   keep firewalld from starting at boot
- yum install -y iptables-services   install iptables-services, which provides the iptables unit and /etc/sysconfig/iptables, the same workflow as earlier releases
- systemctl enable iptables   start the iptables service at boot
- systemctl start iptables   start the iptables service now; it loads the rules stored in /etc/sysconfig/iptables
[root@aminglinux ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@aminglinux ~]# systemctl start iptables
[root@aminglinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2004 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 1708 bytes)
 pkts bytes target     prot opt in     out     source               destination
The 5 tables of netfilter
- filter: the table used to filter packets; it has 3 built-in chains:
  - INPUT chain: packets addressed to this host;
  - OUTPUT chain: packets generated by this host;
  - FORWARD chain: packets routed through this host (neither from nor to it);
- nat: network address translation; 3 built-in chains:
  - PREROUTING chain: rewrites the destination address as soon as a packet arrives (DNAT);
  - OUTPUT chain: rewrites the destination address of locally generated packets;
  - POSTROUTING chain: rewrites the source address just before a packet leaves (SNAT, MASQUERADE);
- mangle: marks packets (and alters header fields such as TTL or TOS) so that later rules or routing policy can act on the mark;
- raw: exempts selected packets, for example chosen by port, from connection tracking (NOTRACK); it is consulted before the other tables;
- security: Mandatory Access Control (MAC) network rules, such as SECMARK labels for SELinux; not present in CentOS 6.
From iptables(8):

filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.

mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
The 5 chains of netfilter
- PREROUTING: right after a packet arrives, before the routing decision;
- INPUT: after routing, for packets whose destination is this host;
- FORWARD: after routing, for packets whose destination is not this host;
- OUTPUT: packets generated by this host, before they are routed out;
- POSTROUTING: just before a packet is handed to the network interface.
12.3. Basic iptables syntax
Usage: iptables -t nat -nvL
- -t: followed by a table name; without -t the filter table is used;
- -nvL: list the rules of that table (n: numeric output, do not resolve IPs to hostnames or ports to service names; L: list; v: verbose, including packet/byte counters and interfaces);
- -F: flush, i.e. delete all rules in the table (filter if no -t is given). It does not reset the chain policies set with -P, so flushing a chain whose policy is DROP removes every ACCEPT rule and locks you out of a remote host; set the policy back to ACCEPT first, or do it from the console;
- -Z: zero the packet and byte counters;
- service iptables save   write the current rules to /etc/sysconfig/iptables so the iptables service reloads them at boot; anything not saved is lost when the service restarts or the host reboots.
Add / delete a rule:
[root@aminglinux ~]# iptables -A INPUT -s 192.168.222.1 -p tcp --sport 1234 -d 192.168.222.2 --dport 80 -j DROP
- -A / -D: append / delete a rule; -A puts it at the end of the chain;
- -I: insert a rule; same arguments as -A, but the rule goes to the top of the chain (or to a given position, e.g. iptables -I INPUT 3 ...). Rules are evaluated top to bottom and the first match decides, so a rule appended after a catch-all REJECT or DROP is never reached; the listing below shows exactly that, the appended DROP sits under the REJECT and its packet counter stays at 0. Use -I in that situation;
- -p: protocol (tcp, udp, icmp);
- --dport: destination port; only valid together with -p tcp or -p udp;
- --sport: source port; likewise needs -p tcp or -p udp;
- -s: source IP address or CIDR range;
- -d: destination IP address or CIDR range;
- -j: target, the action to take; ACCEPT lets the packet through, DROP discards it silently, REJECT discards it and sends an ICMP error back to the sender (or a TCP reset with --reject-with tcp-reset);
- -i: input network interface (INPUT, FORWARD and PREROUTING chains only); -o selects the output interface.
[root@aminglinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1168  106K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   24  1608 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 22940 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  255 22940 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  255 22940 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  253 22844 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.222.1        192.168.222.2        tcp spt:1234 dpt:80
[root@aminglinux ~]# iptables -D INPUT -s 192.168.222.1 -p tcp --sport 1234 -d 192.168.222.2 --dport 80 -j DROP
- Show rule numbers: iptables -nvL --line-numbers
- Delete a rule by number: iptables -D INPUT 8 (numbers shift after every deletion, so list again before deleting the next one)
[root@aminglinux ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1339  121K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       24  1608 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3      275 24817 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      275 24817 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5      275 24817 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7      273 24721 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
8        0     0 DROP       tcp  --  *      *       192.168.222.1        192.168.222.2
[root@aminglinux ~]# iptables -D INPUT 8
[root@aminglinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1371  124K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   24  1608 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  275 24817 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  275 24817 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  275 24817 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  273 24721 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
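Rule 8 in the listing above was dead from the moment it was appended: rule 7 rejects every packet that reaches it, so nothing ever gets to rule 8 (its counter stays at 0). Spotting this by eye works for eight rules, not for eighty. The script below is an added example, not part of the course notes: it parses the output of iptables -nvL --line-numbers and reports every rule that sits below an unconditional ACCEPT, DROP or REJECT in the same chain. The listing it runs on is a constructed copy of the one above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): find rules that can never match
# because an earlier rule in the same chain is an unconditional terminal rule.

sample_listing() {
  # Constructed sample: the `iptables -nvL --line-numbers` output shown above,
  # plus the FORWARD and OUTPUT chains from the default iptables-services ruleset.
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1339  121K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       24  1608 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3      275 24817 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      275 24817 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5      275 24817 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7      273 24721 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
8        0     0 DROP       tcp  --  *      *       192.168.222.1        192.168.222.2        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 1708 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}

find_unreachable_rules() {
  # Reads a --line-numbers listing on stdin and prints one line per dead rule:
  #   <chain> <rule number> shadowed-by <rule number>
  awk '
    /^Chain / { chain = $2; terminal = 0; next }   # new chain: forget the previous state
    /^num /   { next }                             # column header
    NF == 0   { next }                             # blank line between chains
    {
      if (terminal) { print chain, $1, "shadowed-by", terminal; next }
      # Columns: num pkts bytes target prot opt in out source destination [match ...]
      # prot "all", any interface, any source, any destination and no extra match
      # columns means the rule matches every packet that reaches it.
      catchall = ($5 == "all" && $7 == "*" && $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0")
      if (!catchall) next
      if (NF == 10 && ($4 == "ACCEPT" || $4 == "DROP")) {
        terminal = $1
      } else if ($4 == "REJECT" && (NF == 10 || $11 == "reject-with")) {
        # REJECT shows its reject-with option in column 11; that is a target option,
        # not a match, so the rule is still unconditional.
        terminal = $1
      }
      # Jumps to user-defined chains (INPUT_direct, INPUT_ZONES ...) return to the
      # caller when nothing matches, so they are deliberately not treated as terminal.
    }'
}

# Usage on the constructed listing. On a live host run instead:
#   iptables -nvL --line-numbers | find_unreachable_rules
sample_listing | find_unreachable_rules
```

The report names the shadowing rule, which is also the position to use with -I: inserting at that number (iptables -I INPUT 7 ...) places the new rule just above the REJECT where it can actually match. A DROP rule that shows 0 packets after days of traffic is the same symptom seen from the counters.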
Examples ($ipt is the variable holding the iptables path in the script below):
- $ipt -A INPUT -s 192.168.222.0/24 -p tcp --dport 22 -j ACCEPT   allow only the 192.168.222.0/24 range to reach port 22
- $ipt -A INPUT -p tcp --dport 80 -j ACCEPT   allow port 80
- $ipt -A INPUT -p tcp --dport 21 -j ACCEPT   allow port 21
Edit the rules in vim /usr/local/sbin/iptables.sh (run it from the console, or from an SSH session coming from the range that the script allows on port 22):
[root@aminglinux ~]# vim /usr/local/sbin/iptables.sh
#!/bin/bash
# Rebuild the filter table from scratch.
ipt="/usr/sbin/iptables"
$ipt -F                       # flush every rule in the filter table (chain policies are kept)
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# Accept rules first, DROP policy last, so an error partway through the script
# cannot leave the host with a DROP policy and no accept rules.
$ipt -A INPUT -i lo -j ACCEPT                                   # loopback; local services talking to 127.0.0.1 need this
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    # replies to connections that were already allowed
$ipt -A INPUT -s 192.168.222.0/24 -p tcp --dport 22 -j ACCEPT   # SSH only from the admin network
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                       # HTTP
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                       # FTP control channel (passive data ports additionally need nf_conntrack_ftp)
$ipt -P INPUT DROP            # everything not matched above is dropped
Run the script to apply the rules, then service iptables save to persist them; otherwise they are gone at the next restart of the iptables service or reboot:
[root@aminglinux ~]# sh /usr/local/sbin/iptables.sh
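The script above issues one iptables command per rule, so there is always a moment when the table is half built, and a typo in the middle leaves it that way. The file that service iptables save writes to /etc/sysconfig/iptables uses a different mechanism: iptables-restore loads a whole table in one kernel transaction. The script below is an added example, not from the course notes; it renders the same policy as iptables.sh in that format (with the loopback accept and the ctstate INVALID drop that firewalld's default listing above also carries) and applies it atomically after a parse-only check. The CIDR argument, the function names and the shape check on the argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the course notes): the iptables.sh policy as an
# iptables-restore ruleset, applied atomically.

gen_ruleset() {
  # $1 = CIDR range allowed to reach SSH. Prints a complete filter table.
  # Shape check only (four dotted numbers and a prefix length); without it a
  # mistyped range silently becomes a rule that lets nobody in over SSH.
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
    echo "gen_ruleset: invalid CIDR '$1'" >&2
    return 1
  }
  # :CHAIN POLICY [packets:bytes] sets the policy; -A lines take the usual
  # iptables arguments; COMMIT ends the table. Same format as /etc/sysconfig/iptables.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

apply_ruleset() {
  # iptables-restore swaps the whole table in one step, so there is no window
  # with policy DROP and no accept rules. --test parses and builds the ruleset
  # without committing it; a syntax error therefore leaves the running rules alone.
  gen_ruleset "$1" | iptables-restore --test || return 1
  gen_ruleset "$1" | iptables-restore
}

# Usage: print the ruleset. As root, `apply_ruleset 192.168.222.0/24` loads it,
# and `service iptables save` then writes the live table to /etc/sysconfig/iptables.
gen_ruleset 192.168.222.0/24
```

Because the policy line is part of the same transaction as the accept rules, the ordering problem that iptables.sh has to work around by hand does not arise here, and the generated text can be kept in version control and diffed against the output of iptables-save on the host.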
iptables -I INPUT -p icmp --icmp-type 8 -j DROP   stop other hosts from pinging this machine: drops inbound ICMP echo requests (type 8). This host can still ping out, because the echo replies it receives (type 0) are not matched by the rule and pass through the RELATED,ESTABLISHED rule. Passing the same arguments to -D removes the rule again:
[root@aminglinux ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@aminglinux ~]# iptables -D INPUT -p icmp --icmp-type 8 -j DROP