About iptables: how to use firewalld, with the corresponding iptables commands

How to use firewalld, with the corresponding iptables commands

Use systemctl to manage firewalld

To start, stop, or restart firewalld:

systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld

To check the firewalld state:

systemctl status firewalld

You can also run:

firewall-cmd --state

To make firewalld start automatically on boot, or to stop it from doing so:

systemctl enable firewalld
systemctl disable firewalld

Disabling all traffic in an emergency

To disable all traffic immediately:

firewall-cmd --panic-on

The corresponding iptables commands are:

iptables -t filter -I INPUT 1 -j REJECT
iptables -t filter -I OUTPUT 1 -j REJECT

To cancel disabling all traffic:

firewall-cmd --panic-off

The corresponding iptables commands are:

iptables -t filter -D INPUT -j REJECT
iptables -t filter -D OUTPUT -j REJECT

To check whether panic mode is on or off:

firewall-cmd --query-panic

Use services

A service is a set of one or more ports; for example, 'http' is port 80 and 'https' is port 443.

Check service information

To list the services that are already allowed:

firewall-cmd --list-services

To get names of all predefined services:

firewall-cmd --get-services

To see the definition of a service, for example ‘ssh’:

firewall-cmd --info-service=ssh

To check whether a service is allowed or not, for example ‘ssh’:

firewall-cmd --query-service=ssh

Allow or disallow a service

To allow a service, for example 'ssh':

firewall-cmd --add-service=ssh

The corresponding iptables command is:

iptables -t filter -I INPUT 1 -p tcp --dport 22 -j ACCEPT

To disallow a service, for example 'ssh':

firewall-cmd --remove-service=ssh

The corresponding iptables command is:

iptables -t filter -D INPUT -p tcp --dport 22 -j ACCEPT

How to define a new service?

Suppose you want to define a new service that contains two ports, 100 and 200.
First, create the new service, with no details yet:

firewall-cmd --new-service=MyNewService --permanent

This creates the file /etc/firewalld/services/MyNewService.xml.

You can then edit MyNewService.xml; for the two-port service above it would look like this:

<?xml version="1.0" encoding="utf-8"?>
<service>
    <port port="100" protocol="tcp"/>
    <port port="200" protocol="tcp"/>
</service>

You need to restart or reload firewalld before you can use the new service:

systemctl restart firewalld

or

firewall-cmd --reload

Then check your new service:

firewall-cmd --info-service=MyNewService

Any time later, if you want to change the definition of your new service, just edit 'MyNewService.xml'.

If you want to rename your new service, you just need to rename ‘MyNewService.xml’.

To delete your new service:

firewall-cmd --delete-service=MyNewService --permanent

If you want to learn more about how to write the XML file, read the manual page:

man 5 firewalld.service
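As an added example (not part of the original post), here is a small POSIX shell script that reads a firewalld service XML file of the form shown above and prints the iptables INPUT rules that allowing that service corresponds to, using the same service-to-iptables mapping this post uses for --add-service. It lets you review what a custom service such as MyNewService would open before you reload. The function name service_xml_to_iptables and the sample file are my own; the parser assumes one <port .../> element per line with the port attribute before the protocol attribute, as in the example above.

```shell
#!/bin/sh
# Added example, not from the original post: translate the <port .../> elements of a
# firewalld service XML file into the iptables INPUT rules they correspond to.
# Assumes one <port port="N" protocol="P"/> element per line, as in MyNewService.xml above.

service_xml_to_iptables() {
    # $1: path to a firewalld service XML file
    # sed pulls "protocol port" out of each <port .../> element; the loop emits one
    # ACCEPT rule per element, in the same form this post uses for --add-service.
    sed -n 's/.*<port[^>]*port="\([0-9]*\)"[^>]*protocol="\([a-z]*\)".*/\2 \1/p' "$1" |
    while read -r proto port; do
        printf 'iptables -t filter -I INPUT 1 -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
    done
}

# Constructed sample (hypothetical): the two-port service described in the text,
# written to a temporary file so the script runs without touching /etc/firewalld.
sample_xml=$(mktemp)
cat > "$sample_xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
    <port port="100" protocol="tcp"/>
    <port port="200" protocol="tcp"/>
</service>
EOF

service_xml_to_iptables "$sample_xml"
rm -f "$sample_xml"
```

Run it against /etc/firewalld/services/MyNewService.xml to see the rules a custom service implies; the same approach works for the predefined services under /usr/lib/firewalld/services/ as long as their port elements follow the one-per-line form assumed here.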

Permanent change

By default, any change you make with 'firewall-cmd' is lost after you reboot the system. To make a change permanent, add the '--permanent' argument; in many cases this argument is required. For example:

firewall-cmd --add-service=ssh --permanent

To make the whole current firewalld runtime configuration permanent, run:

firewall-cmd --runtime-to-permanent

Use ports

To allow incoming traffic whose destination port is 80, and protocol is ‘tcp’:

firewall-cmd --add-port=80/tcp

The corresponding iptables command is:

iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT

To stop allowing incoming traffic whose destination port is 80 and protocol is 'tcp' (that is, to remove the rule added above):

firewall-cmd --remove-port=80/tcp

The corresponding iptables command is:

iptables -t filter -D INPUT -p tcp --dport 80 -j ACCEPT

To check whether a port is allowed or not, for example '80/tcp':

firewall-cmd --query-port=80/tcp

Use zone

A zone is a set of firewall settings.

See zone information

To get the name of all zones:

firewall-cmd --get-zones

To see all zones with detail:

firewall-cmd --list-all-zones

To see a specified zone, for example ‘public’, with detail:

firewall-cmd --list-all --zone=public

or

firewall-cmd --info-zone=public

Change rules for a specified zone

To change rules for a specified zone, for example ‘public’:

firewall-cmd --zone=public --add-port=80/tcp

When run with '--permanent', this command writes the zone's settings to a file under /etc/firewalld/zones/ named after the zone (for example /etc/firewalld/zones/MyNewZone.xml for a zone named MyNewZone); you can edit this file directly.

You can run 'man 5 firewalld.zone' to learn how to write the XML file for a zone.

Default zone, active zone

System administrators assign a zone to a network interface in its configuration files.
If an interface is not assigned to a specific zone, it is assigned to the default zone.
After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.

To see what the default zone is:

firewall-cmd --get-default-zone

To change the default zone, for example make the ‘work’ zone be the default zone:

firewall-cmd --set-default-zone=work

To see active zones and interfaces assigned to them:

firewall-cmd --get-active-zones

To assign an interface to a different zone, for example assign ‘eth0’ to the ‘work’ zone:

firewall-cmd --zone=work --change-interface=eth0

To make this change permanent:

firewall-cmd --zone=work --change-interface=eth0 --permanent

Zone target

Each zone has a 'target', which is the zone's default behavior. For example, the 'public' zone's target is 'default':

firewall-cmd --info-zone=public

public (active)
    target: default
    icmp-block-inversion: no
    interfaces: wlan0
    ...
    ...

Target can be ‘default’, ‘ACCEPT’, ‘REJECT’, ‘DROP’.

To change the target of a zone, for example, change ‘public’ zone’s target to ‘DROP’:

firewall-cmd --zone=public --set-target=DROP --permanent

Use sources

To accept all traffic that comes from 192.168.1.1:

firewall-cmd --add-source=192.168.1.1

You can also give a network segment:

firewall-cmd --add-source=192.168.1.0/24

The corresponding iptables commands are:

iptables -t filter -I INPUT 1 --source 192.168.1.1 -j ACCEPT
iptables -t filter -I INPUT 1 --source 192.168.1.0/24 -j ACCEPT

To accept all traffic whose source port is 80/tcp:

firewall-cmd --add-source-port=80/tcp

The corresponding iptables command is:

iptables -t filter -I INPUT 1 -p tcp --sport 80 -j ACCEPT

To list all sources:

firewall-cmd --list-sources
firewall-cmd --list-source-ports

To remove a source:

firewall-cmd --remove-source=192.168.1.1
firewall-cmd --remove-source-port=80/tcp

Use protocol

To accept all TCP traffic:

firewall-cmd --add-protocol=tcp

The corresponding iptables command is:

iptables -t filter -I INPUT 1 -p tcp -j ACCEPT

You can refer to /etc/protocols to see all the protocols you can use.

To remove a protocol:

firewall-cmd --remove-protocol=tcp

To check whether a protocol is added or not:

firewall-cmd --query-protocol=tcp

Port forwarding

Redirect a port to another port

The command syntax is:

firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>

The reverse command syntax is:

firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>

For example, to redirect port 80 to 443:

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443

The corresponding iptables command is:

iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination :443

To cancel the above command:

firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443

The corresponding iptables command is:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination :443

To redirect a port to another IP address, the command syntax is:

firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>:toaddr=<IP>

The reverse command syntax is:

firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>:toaddr=<IP>

For example, to redirect port 80 to 192.168.1.1:443:

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1

The corresponding iptables command is:

iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443

To cancel the above command:

firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1

The corresponding iptables command is:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443
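As an added example (not part of the original post), the following POSIX shell function turns a firewalld forward-port specification, the value given to --add-forward-port or --remove-forward-port, into the iptables DNAT command it corresponds to, following the mapping used in this section for both the port-only and the port-plus-address forms. The helper name forward_spec_to_iptables is my own; it assumes the key=value:key=value spec format shown above.

```shell
#!/bin/sh
# Added example, not from the original post: turn a firewalld forward-port spec
# (the value given to --add-forward-port / --remove-forward-port) into the iptables
# DNAT command it corresponds to, following the mapping this post uses.
# forward_spec_to_iptables is my own helper name.

forward_spec_to_iptables() {
    # $1: add | remove
    # $2: spec such as port=80:proto=tcp:toport=443[:toaddr=192.168.1.1]
    fwd_port= fwd_proto= fwd_toport= fwd_toaddr=
    old_ifs=$IFS
    IFS=:
    for kv in $2; do
        case $kv in
            port=*)   fwd_port=${kv#port=} ;;
            proto=*)  fwd_proto=${kv#proto=} ;;
            toport=*) fwd_toport=${kv#toport=} ;;
            toaddr=*) fwd_toaddr=${kv#toaddr=} ;;
            *) IFS=$old_ifs; echo "unknown key in spec: $kv" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$fwd_port" ] || [ -z "$fwd_proto" ]; then
        echo "port= and proto= are required" >&2; return 1
    fi
    if [ -z "$fwd_toport" ] && [ -z "$fwd_toaddr" ]; then
        echo "at least one of toport= or toaddr= is required" >&2; return 1
    fi
    case $1 in
        add)    chain_op='-I PREROUTING 1' ;;
        remove) chain_op='-D PREROUTING' ;;
        *) echo "first argument must be add or remove" >&2; return 1 ;;
    esac
    # An empty toaddr keeps the original destination address and rewrites only the
    # port, which is what the ":443" form in the post does; an empty toport keeps the port.
    printf 'iptables -t nat %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$chain_op" "$fwd_proto" "$fwd_port" "$fwd_toaddr" "${fwd_toport:-$fwd_port}"
}

# Usage, with the two examples from the post:
forward_spec_to_iptables add    port=80:proto=tcp:toport=443
forward_spec_to_iptables add    port=80:proto=tcp:toport=443:toaddr=192.168.1.1
forward_spec_to_iptables remove port=80:proto=tcp:toport=443:toaddr=192.168.1.1
```

The function rejects specs with unknown keys or without the mandatory port and proto parts, so a typo produces an error instead of a rule that silently does something else. Forwarding to a different host additionally needs masquerading enabled in the zone (next section) so that replies return through this host.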

Enable masquerade

firewall-cmd --add-masquerade
firewall-cmd --remove-masquerade

The corresponding iptables commands are:

iptables -t nat -I POSTROUTING 1 -j MASQUERADE
iptables -t nat -D POSTROUTING -j MASQUERADE

ICMP

Why do we need to block ICMP?

The Internet Control Message Protocol (ICMP) is a protocol used by various network devices to send error messages and operational information indicating a connection problem, for example that a requested service is not available.
ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems.
Unfortunately, ICMP messages, especially echo-request and echo-reply, can be used to reveal information about your network, and that information can be misused for various kinds of fraudulent activity. Therefore, firewalld lets you block ICMP requests to protect your network information.

To list all ICMP types:

firewall-cmd --get-icmptypes

An ICMP type can be used by IPv4, IPv6, or both. To see which protocol an ICMP type is used with:

firewall-cmd --info-icmptype=<icmptype>

To check whether a type of ICMP request is blocked or not:

firewall-cmd --query-icmptype=<icmptype>

To block a type of ICMP request:

firewall-cmd --add-icmp-block=<icmptype>

The corresponding iptables command is:

iptables -t filter -I INPUT 1 -p icmp -m icmp --icmp-type <icmptype> -j REJECT

To unblock a type of ICMP request:

firewall-cmd --remove-icmp-block=<icmptype>

The corresponding iptables command is:

iptables -t filter -D INPUT -p icmp -m icmp --icmp-type=<icmptype> -j REJECT

The direct interface

The direct interface is a mechanism that lets you write firewalld rules in iptables style.

These two commands have the same goal:

iptables -t filter -A INPUT_direct -p tcp --dport 80 -j ACCEPT

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT

Notice that we use 'INPUT_direct' in the iptables command but 'INPUT' in firewall-cmd, because firewall-cmd automatically maps 'INPUT' to 'INPUT_direct'.

The 0 in the firewall-cmd command is the rule's priority.

I don't know how to make firewall-cmd achieve the same effect that iptables can: make a rule the first rule.

These two commands have the same goal:

iptables -t filter -D INPUT_direct -p tcp --dport 80 -j ACCEPT

firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT

To list rules using the (direct) interface:

firewall-cmd --direct --get-rules ipv4 filter INPUT
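As an added example (not part of the original post), here is a POSIX shell function that rewrites an iptables or ip6tables rule into the equivalent firewall-cmd --direct command, applying the INPUT_direct to INPUT mapping and the priority argument described above; direct rules in a chain are ordered by that priority value, lowest first. The helper name iptables_to_direct is my own, it assumes rules in the -t table -A/-I/-D chain form used in this post, and it always emits priority 0 as the post does.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite an iptables/ip6tables rule into the
# equivalent firewall-cmd --direct command, applying the INPUT_direct -> INPUT mapping
# described above. iptables_to_direct is my own helper name.

iptables_to_direct() {
    # $1: iptables or ip6tables (selects ipv4/ipv6), followed by the rule arguments.
    # Direct rules are ordered by priority; 0 is what the post uses.
    direct_family=ipv4
    [ "$1" = ip6tables ] && direct_family=ipv6
    shift
    direct_table=filter direct_action= direct_chain= direct_rest= direct_priority=0
    while [ $# -gt 0 ]; do
        case $1 in
            -t) direct_table=$2; shift 2 ;;
            -A|-I) direct_action=--add-rule; direct_chain=$2; shift 2
                   # -I may carry a rule number; direct rules use the priority instead, so drop it.
                   case ${1:-x} in *[!0-9]*) ;; *) shift ;; esac ;;
            -D) direct_action=--remove-rule; direct_chain=$2; shift 2 ;;
            *)  direct_rest="$direct_rest $1"; shift ;;
        esac
    done
    if [ -z "$direct_action" ] || [ -z "$direct_chain" ]; then
        echo "need -A, -I or -D with a chain name" >&2; return 1
    fi
    # firewall-cmd names the chain without the _direct suffix and adds it back itself.
    direct_chain=${direct_chain%_direct}
    printf 'firewall-cmd --direct %s %s %s %s %s%s\n' \
        "$direct_action" "$direct_family" "$direct_table" "$direct_chain" "$direct_priority" "$direct_rest"
}

# Usage, with the rules from the post:
iptables_to_direct iptables -t filter -A INPUT_direct -p tcp --dport 80 -j ACCEPT
iptables_to_direct iptables -t filter -D INPUT_direct -p tcp --dport 80 -j ACCEPT
```

Because the match and target arguments are passed through unchanged, the same function handles any rule whose body firewall-cmd --direct accepts; only the table, chain and add/remove action are interpreted.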

Rich rule

Lockdown

Log denied packets

To see or set which denied packets are logged (the value can be all, unicast, broadcast, multicast or off):

firewall-cmd --get-log-denied
firewall-cmd --set-log-denied=all

But I don't know where to look for this log; the Red Hat documentation doesn't say. I looked at /var/log/firewalld, and that's not it.
