
How to use firewalld, compared with iptables

Internet | diligentman | 6 days ago

How to use firewalld, compared with iptables

Use systemctl to manage firewalld

To start, stop or restart firewalld:

systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld

To check the firewalld state:

systemctl status firewalld

or, through firewalld itself (this also confirms that firewall-cmd can talk to the daemon):

firewall-cmd --state

To make firewalld start, or not start, automatically on boot:

systemctl enable firewalld
systemctl disable firewalld

Disabling all traffic in an emergency

To drop all traffic immediately (panic mode):

firewall-cmd --panic-on

Its rough iptables equivalent (panic mode drops, rather than rejects, all incoming, outgoing and forwarded packets, so active connections die as well):

iptables -t filter -I INPUT 1 -j DROP
iptables -t filter -I OUTPUT 1 -j DROP
iptables -t filter -I FORWARD 1 -j DROP

To leave panic mode:

firewall-cmd --panic-off

Its iptables equivalent:

iptables -t filter -D INPUT -j DROP
iptables -t filter -D OUTPUT -j DROP
iptables -t filter -D FORWARD -j DROP

To check whether panic mode is on or off:

firewall-cmd --query-panic

Use services

A service is a named set of ports (optionally with protocols, helper modules and destination addresses), for example 'http' is 80/tcp and 'https' is 443/tcp.

Check service information

To list the services that are already allowed (in the default zone unless --zone is given):

firewall-cmd --list-services

To get names of all predefined services:

firewall-cmd --get-services

To see the definition of a service, for example ‘ssh’:

firewall-cmd --info-service=ssh

To check whether a service is allowed or not, for example ‘ssh’:

firewall-cmd --query-service=ssh

Allow or disallow a service

To allow a service, for example 'ssh' (runtime only, in the default zone):

firewall-cmd --add-service=ssh

Its rough iptables equivalent:

iptables -t filter -I INPUT 1 -p tcp --dport 22 -j ACCEPT

To stop allowing a service, for example 'ssh':

firewall-cmd --remove-service=ssh

Its rough iptables equivalent:

iptables -t filter -D INPUT -p tcp --dport 22 -j ACCEPT

How to define a new service

Suppose you want to define a new service that contains two ports, 100/tcp and 200/tcp.
First create the service, still without any detail (--permanent is required here, because a service definition is a configuration file, not a runtime object):

firewall-cmd --new-service=MyNewService --permanent

This creates the file /etc/firewalld/services/MyNewService.xml.

You can edit MyNewService.xml, for example:

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>MyNewService</short>
    <description>Custom service for ports 100/tcp and 200/tcp</description>
    <port port="100" protocol="tcp"/>
    <port port="200" protocol="tcp"/>
</service>

You need to reload firewalld before the new service can be used (a reload re-reads the configuration without dropping established connections; a restart works too):

systemctl restart firewalld

or

firewall-cmd --reload

then check your new service:

firewall-cmd --info-service=MyNewService

Whenever you later want to change the definition, edit 'MyNewService.xml' again and reload.

To rename the service, rename 'MyNewService.xml' (the service name is the file name) and reload.

To delete your new service:

firewall-cmd --delete-service=MyNewService --permanent

To learn more about the XML format, see the man page:

man 5 firewalld.service
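As an added example (not part of the original post), here is the whole procedure above as one script that defines the service with firewall-cmd instead of hand-editing the XML, then reloads, allows and verifies it. The render_service_xml function prints the same definition firewalld writes under /etc/firewalld/services/, so it can be reviewed before touching a live host; the service name, the ports and the APPLY switch are this example's own choices.

```shell
#!/bin/sh
# Added example: define a custom firewalld service (MyNewService, 100/tcp and
# 200/tcp are example values) and allow it in the default zone.
set -eu

SERVICE=${SERVICE:-MyNewService}
PORTS=${PORTS:-"100/tcp 200/tcp"}

# Print the service definition in the firewalld.service(5) XML format.
# This is what ends up in /etc/firewalld/services/<name>.xml and can be
# dropped there by hand instead of running the firewall-cmd steps below.
render_service_xml() {
  name=$1; shift
  printf '<?xml version="1.0" encoding="utf-8"?>\n'
  printf '<service>\n'
  printf '  <short>%s</short>\n' "$name"
  printf '  <description>Custom service %s (added example)</description>\n' "$name"
  for spec in "$@"; do
    port=${spec%/*}; proto=${spec#*/}
    printf '  <port port="%s" protocol="%s"/>\n' "$port" "$proto"
  done
  printf '</service>\n'
}

# Count the <port/> entries in a definition read from stdin, to confirm
# that every requested port made it into the file.
count_ports() {
  grep -c '<port '
}

# The live procedure; needs root and a running firewalld.
define_service() {
  firewall-cmd --permanent --new-service="$SERVICE"
  firewall-cmd --permanent --service="$SERVICE" --set-short="$SERVICE"
  for spec in $PORTS; do
    firewall-cmd --permanent --service="$SERVICE" --add-port="$spec"
  done
  firewall-cmd --reload                               # permanent -> runtime
  firewall-cmd --info-service="$SERVICE"              # check the definition
  firewall-cmd --permanent --add-service="$SERVICE"   # allow it in the default zone
  firewall-cmd --reload
  firewall-cmd --query-service="$SERVICE"             # prints "yes" when allowed
}

if [ "${APPLY:-no}" = yes ]; then
  define_service
else
  # Dry run: show the definition that would be installed.
  render_service_xml "$SERVICE" $PORTS
fi
```

Run it as is to see the XML; run it as root with APPLY=yes to create, load and allow the service in one go.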

Permanent change

By default a change made with 'firewall-cmd' affects only the running configuration and is lost on reload or reboot. To make it persistent, add the '--permanent' argument. Beware of the converse pitfall: a --permanent change is only written to /etc/firewalld and does not take effect until the next 'firewall-cmd --reload' (or a restart), so for a change that is both immediate and persistent, either run the command twice, once with and once without --permanent, or make the runtime changes and copy them to the permanent configuration afterwards. Some operations, such as --new-service, only make sense on the permanent configuration and require the flag. For example:

firewall-cmd --add-service=ssh --permanent

To copy the whole current runtime configuration to the permanent configuration:

firewall-cmd --runtime-to-permanent
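An added example (not from the original post) of the check this pitfall calls for: compare the runtime and the permanent view of a zone and report anything that exists on only one side. The two dumps embedded below are constructed samples in the format that 'firewall-cmd --list-all' prints; set LIVE=yes to run the comparison against the real firewalld instead.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent config.
set -eu

# Constructed sample of `firewall-cmd --list-all` (runtime) ...
RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# ... and of `firewall-cmd --permanent --list-all`: http and 8080/tcp were
# added without --permanent, 443/tcp was added with --permanent but never reloaded.
PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Value of one "key:" line of a --list-all dump read from stdin.
zone_field() {
  awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Words of $1 that do not occur in $2 (both space-separated lists).
only_in() {
  out=""
  for w in $1; do
    found=no
    for v in $2; do
      if [ "$w" = "$v" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then out="$out $w"; fi
  done
  printf '%s' "${out# }"
}

# $1 = runtime dump, $2 = permanent dump. Reports, per key, what is
# runtime-only (lost on reload/reboot) or permanent-only (not enforced
# until --reload). Prints nothing when the two agree.
zone_drift() {
  for key in services ports protocols sources source-ports forward-ports; do
    rt=$(printf '%s\n' "$1" | zone_field "$key")
    pm=$(printf '%s\n' "$2" | zone_field "$key")
    r=$(only_in "$rt" "$pm")
    p=$(only_in "$pm" "$rt")
    if [ -n "$r" ]; then
      printf '%s: runtime only (lost on reload/reboot): %s\n' "$key" "$r"
    fi
    if [ -n "$p" ]; then
      printf '%s: permanent only (not active until --reload): %s\n' "$key" "$p"
    fi
  done
}

if [ "${LIVE:-no}" = yes ]; then
  zone_drift "$(firewall-cmd --list-all)" "$(firewall-cmd --permanent --list-all)"
else
  zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
fi
```

Add --zone=<name> to both firewall-cmd calls to audit a zone other than the default one; an empty report means runtime and permanent configuration agree.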

Use ports

To allow incoming traffic whose destination port is 80 and protocol is 'tcp':

firewall-cmd --add-port=80/tcp

Its rough iptables equivalent:

iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT

To stop allowing incoming traffic to destination port 80/tcp (what then happens to it depends on the zone's target, by default a reject):

firewall-cmd --remove-port=80/tcp

Its rough iptables equivalent:

iptables -t filter -D INPUT -p tcp --dport 80 -j ACCEPT

To check whether a port is allowed or not, for example '80/tcp':

firewall-cmd --query-port=80/tcp

Use zones

A zone is a set of firewall settings (target, services, ports, sources and so on) that is applied to the interfaces and source addresses bound to it.

See zone information

To get the names of all zones:

firewall-cmd --get-zones

To see all zones with detail:

firewall-cmd --list-all-zones

To see a specified zone, for example ‘public’, with detail:

firewall-cmd --list-all --zone=public

or

firewall-cmd --info-zone=public

Change rules for a specific zone

To change rules for a specific zone, for example 'public':

firewall-cmd --zone=public --add-port=80/tcp

With --permanent, this is written to /etc/firewalld/zones/public.xml (created from the packaged default in /usr/lib/firewalld/zones/ the first time the zone is changed); you can also edit that file directly and reload.

You can execute ‘man 5 firewalld.zone’ to learn how to write XML file for a zone.

Default zone, active zones

System administrators assign a zone to a network interface in its configuration files (for NetworkManager, in the connection profile).
If an interface is not assigned to a specific zone, it is assigned to the default zone.
After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.

To see what the default zone is:

firewall-cmd --get-default-zone

To change the default zone, for example make the ‘work’ zone be the default zone:

firewall-cmd --set-default-zone=work

To see active zones and interfaces assigned to them:

firewall-cmd --get-active-zones

To assign an interface to a different zone, for example assign ‘eth0’ to the ‘work’ zone:

firewall-cmd --zone=work --change-interface=eth0

If you want to make this change be permanent:

firewall-cmd --zone=work --change-interface=eth0 --permanent

Zone target

Each zone has a 'target', its default behaviour for traffic that matches none of the zone's rules. For example the 'public' zone's target is 'default':

firewall-cmd --info-zone=public

public (active)
    target: default
    icmp-block-inversion: no
    interfaces: wlan0
    ...
    ...

The target can be 'default', 'ACCEPT', 'REJECT' or 'DROP'. 'default' rejects whatever no rule accepts, so for ordinary traffic it behaves like REJECT; ACCEPT lets everything through that is not explicitly blocked (this is what the 'trusted' zone uses). REJECT answers with an ICMP error, which is kinder to legitimate clients, while DROP discards silently and tells a scanner nothing.

To change the target of a zone (targets can only be set in the permanent configuration, so reload afterwards), for example change the 'public' zone's target to 'DROP':

firewall-cmd --zone=public --set-target=DROP --permanent

Use source

Adding a source to a zone binds all traffic from that address to the zone; the zone's services, ports and target then decide what happens to it. So to accept all traffic coming from 192.168.1.1, the zone the source is added to (the default zone, when --zone is omitted) must have target ACCEPT, like 'trusted':

firewall-cmd --add-source=192.168.1.1

You can also give a network range:

firewall-cmd --add-source=192.168.1.0/24

Its rough iptables equivalent, for a zone whose target is ACCEPT:

iptables -t filter -I INPUT 1 --source 192.168.1.1 -j ACCEPT
iptables -t filter -I INPUT 1 --source 192.168.1.0/24 -j ACCEPT

To accept all traffic whose source port is 80/tcp (note that the remote side chooses its own source port, so this is not an access control worth relying on):

firewall-cmd --add-source-port=80/tcp

Its rough iptables equivalent:

iptables -t filter -I INPUT 1 -p tcp --sport 80 -j ACCEPT

To list all sources:

firewall-cmd --list-sources
firewall-cmd --list-source-ports

To remove a source:

firewall-cmd --remove-source=192.168.1.1
firewall-cmd --remove-source-port=80/tcp

Use protocol

To accept all TCP traffic:

firewall-cmd --add-protocol=tcp

Its rough iptables equivalent:

iptables -t filter -I INPUT 1 -p tcp -j ACCEPT

You can refer to /etc/protocols to see all the protocols you can use.

To remove a protocol:

firewall-cmd --remove-protocol=tcp

To check whether a protocol is added or not:

firewall-cmd --query-protocol=tcp

Port forwarding

Redirect a port to another port

The command pattern is:

firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>

Its reverse is:

firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>

For example, to redirect port 80 to port 443 on the same host:

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443

Its iptables equivalent:

iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination :443

To cancel the above command:

firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443

Its iptables equivalent:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination :443

To redirect a port to another IP address, the command pattern is (toaddr takes the address only; the destination port is toport):

firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>:toaddr=<IP>

Its reverse is:

firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>:toaddr=<IP>

For example, to redirect port 80 to 192.168.1.1:443 (forwarding to another host also requires masquerading to be enabled in the zone, see below, otherwise the replies do not come back through this host):

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1

Its iptables equivalent:

iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443

To cancel the above command:

firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1

Its iptables equivalent:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443
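The translations above follow a fixed pattern, so here it is as a small shell function (an added example, not from the original post) that turns any --add-forward-port value into the matching iptables rule, covering both the same-host and the other-host form and rejecting incomplete specs. It handles IPv4 addresses only, because the spec itself is split on ':'; the masquerade line it emits for the other-host case is the iptables side of the masquerading firewalld requires there.

```shell
#!/bin/sh
# Added example: firewalld forward-port spec -> equivalent iptables rule(s).
set -eu

# $1 is the value given to --add-forward-port, e.g.
#   port=80:proto=tcp:toport=443
#   port=80:proto=tcp:toport=443:toaddr=192.168.1.1
# Prints the iptables command(s); returns 1 on a malformed spec.
forward_to_iptables() {
  spec=$1
  port="" proto="" toport="" toaddr=""
  while [ -n "$spec" ]; do
    kv=${spec%%:*}                    # first key=value field
    case "$spec" in
      *:*) spec=${spec#*:} ;;         # drop it from the remainder
      *)   spec="" ;;
    esac
    case "$kv" in
      port=*)   port=${kv#port=} ;;
      proto=*)  proto=${kv#proto=} ;;
      toport=*) toport=${kv#toport=} ;;
      toaddr=*) toaddr=${kv#toaddr=} ;;
      *) echo "unknown field: $kv" >&2; return 1 ;;
    esac
  done
  if [ -z "$port" ] || [ -z "$proto" ]; then
    echo "port= and proto= are required" >&2; return 1
  fi
  if [ -z "$toport" ] && [ -z "$toaddr" ]; then
    echo "need toport= and/or toaddr=" >&2; return 1
  fi
  case "$proto" in
    tcp|udp|sctp|dccp) ;;
    *) echo "unsupported proto: $proto" >&2; return 1 ;;
  esac
  # DNAT target: "addr:port", ":port" (same host) or "addr" (same port).
  dest=$toaddr
  if [ -n "$toport" ]; then dest="$dest:$toport"; fi
  printf 'iptables -t nat -I PREROUTING 1 -p %s --dport %s -j DNAT --to-destination %s\n' \
    "$proto" "$port" "$dest"
  if [ -n "$toaddr" ]; then
    # Forwarding to another host needs masquerading in the zone
    # (firewall-cmd --add-masquerade); this is its iptables counterpart.
    printf 'iptables -t nat -I POSTROUTING 1 -j MASQUERADE\n'
  fi
}

# Demonstration on the two examples used in the text above.
forward_to_iptables "port=80:proto=tcp:toport=443"
forward_to_iptables "port=80:proto=tcp:toport=443:toaddr=192.168.1.1"
```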

Enable or disable masquerading (source NAT for traffic leaving through the zone)

firewall-cmd --add-masquerade
firewall-cmd --remove-masquerade

Its rough iptables equivalent (normally restricted to the outgoing interface with -o):

iptables -t nat -I POSTROUTING 1 -j MASQUERADE
iptables -t nat -D POSTROUTING -j MASQUERADE

ICMP

Why would we block ICMP?

The Internet Control Message Protocol (ICMP) is used by network devices to send error messages and operational information indicating a connection problem, for example that a requested service is not available.
ICMP differs from transport protocols such as TCP and UDP in that it is not used to exchange data between systems.
Unfortunately, ICMP messages, especially echo-request and echo-reply, can be used to map your network and that information can be misused for various malicious activities. Therefore firewalld lets you block ICMP requests to protect information about your network.

To list all ICMP types:

firewall-cmd --get-icmptypes

An ICMP type can belong to IPv4, IPv6 or both. To see which protocols a type applies to:

firewall-cmd --info-icmptype=<icmptype>

To check whether a type of ICMP request is blocked or not:

firewall-cmd --query-icmptype=<icmptype>

To block a type of ICMP request:

firewall-cmd --add-icmp-block=<icmptype>

Its rough iptables equivalent:

iptables -t filter -I INPUT 1 -p icmp -m icmp --icmp-type <icmptype> -j REJECT

To unblock a type of ICMP request:

firewall-cmd --remove-icmp-block=<icmptype>

Its rough iptables equivalent:

iptables -t filter -D INPUT -p icmp -m icmp --icmp-type <icmptype> -j REJECT

The direct interface

The direct interface lets you write firewalld rules in iptables syntax; they are passed to iptables almost verbatim, so zone semantics do not apply to them.

These two commands have the same goal:

iptables -t filter -A INPUT_direct -p tcp --dport 80 -j ACCEPT

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT

Notice that the iptables command uses 'INPUT_direct' while firewall-cmd uses 'INPUT': firewalld creates an INPUT_direct chain, jumps to it from INPUT, and maps the name for you.

The 0 in the firewall-cmd command is the priority. Lower numbers are evaluated first, and rules that share a priority have no guaranteed order among themselves.

The direct interface has no positional insert like 'iptables -I INPUT 1'. The closest equivalent is to give the rule the lowest priority in use: since INPUT jumps to INPUT_direct before the zone chains, such a rule is evaluated ahead of everything the zones add.

These two commands have the same goal:

iptables -t filter -D INPUT_direct -p tcp --dport 80 -j ACCEPT

firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT

To list the rules added through the direct interface:

firewall-cmd --direct --get-all-rules

or, for one chain only:

firewall-cmd --direct --get-rules ipv4 filter INPUT

Rich rule

Lockdown

Log denied packets

firewall-cmd --get-log-denied
firewall-cmd --set-log-denied=all

The value can be all, unicast, broadcast, multicast or off. The entries are written by the kernel's LOG target, so they appear in the kernel log (journalctl -k, dmesg, or /var/log/messages depending on the distribution), not under /var/log/firewalld, which only holds firewalld's own daemon log.
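As an added example (not from the original post), the function below summarises the denied-packet lines from the kernel log by source address and destination port, which is usually what you need to decide whether a block is noise or a scan. The three kernel-log lines are constructed for the example; the pattern assumes firewalld's log prefixes end in _REJECT: or _DROP: (as FINAL_REJECT: and STATE_INVALID_DROP: do), which you should confirm against your own host's log.

```shell
#!/bin/sh
# Added example: summarise packets firewalld logged as denied.
set -eu

# Constructed kernel-log lines (not real captures): two telnet probes from
# one host, one SNMP probe from another, and an unrelated sshd line.
SAMPLE_LOG='Mar  3 10:01:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=777 PROTO=UDP SPT=40000 DPT=161 LEN=28
Mar  3 10:01:10 host sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2'

# Read log lines on stdin; print "count SRC PROTO/DPT", most frequent first.
# Only kernel lines whose log prefix ends in _REJECT: or _DROP: are counted
# (assumption: matches firewalld's prefixes such as FINAL_REJECT: and
# STATE_INVALID_DROP:; adjust the pattern if your host logs differently).
summarize_denied() {
  awk '
    /kernel: [A-Za-z0-9_]+_(REJECT|DROP): / {
      src = ""; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

if [ "${LIVE:-no}" = yes ]; then
  # Live: recent kernel messages (use dmesg where journald is absent).
  journalctl -k --no-pager | summarize_denied
else
  printf '%s\n' "$SAMPLE_LOG" | summarize_denied
fi
```

On the sample this prints '2 203.0.113.5 TCP/23' followed by '1 198.51.100.7 UDP/161'; a source that tops the list across many different ports is a port scan, a single port hit repeatedly by many sources is more likely a service you forgot to allow.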

