Linux防火墙(SElinux、netfilter)防火墙工具iptables

Published: 2023-09-06 01:39 | Editor: 赖小花 | Keywords: Linux
Linux firewalls

SELinux firewall

SELinux is a security mechanism specific to Linux systems; it is usually turned off by hand right after the system is installed.

Query the status

getenforce

Enforcing means SELinux is on; Permissive means it is temporarily off (it prints warnings instead of enforcing); Disabled means it is off.

[root@shu-test ~]# getenforce
Enforcing
[root@shu-test ~]#

Temporarily disable

setenforce 0

[root@shu-test ~]# getenforce
Enforcing
[root@shu-test ~]# setenforce 0
[root@shu-test ~]# getenforce
Permissive
[root@shu-test ~]#

Permanently disable

Edit the configuration file /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled;
the change takes effect after a reboot.

[root@shu-test ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@shu-test ~]# vim /etc/selinux/config
[root@shu-test ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@shu-test ~]#

Query again after the reboot: successfully disabled

[root@shu-test ~]# getenforce
Disabled
[root@shu-test ~]#
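The permanent change above is a hand edit of /etc/selinux/config, and getenforce only reports the running state, so it is worth checking the file itself before rebooting. The POSIX shell script below is an added example, not code from the original post: it reads and rewrites the SELINUX= line of a file in that layout, accepts only the three values the file documents, and verifies the rewrite. The config path is a parameter and the demo works on a constructed temporary copy, so the real /etc/selinux/config is never touched; all function names are this example's own.

```shell
# Added example (not from the original post). Read and change SELINUX= in a
# file laid out like /etc/selinux/config, then verify the result.

# Print the effective SELINUX= value; comment lines ("# SELINUX= can take...")
# do not match because the pattern requires the key at the start of the line,
# and SELINUXTYPE= does not match because "=" must follow "SELINUX" directly.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX=/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# Rewrite SELINUX= to the requested mode. Only enforcing/permissive/disabled
# are accepted; returns 1 on a bad mode, a file without a SELINUX= line, or a
# rewrite whose result does not read back as expected.
selinux_set_mode() {
    cfg=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$cfg" || { echo "no SELINUX= line in $cfg" >&2; return 1; }
    # Write to a temp file and rename, so a failed sed never leaves a truncated config.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    [ "$(selinux_config_mode "$cfg")" = "$mode" ]
}

# Constructed sample config in the layout of the page's /etc/selinux/config.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Demo: switch a temporary copy to permissive and show both states.
demo_selinux() {
    tmp=$(mktemp)
    make_sample_config "$tmp"
    echo "before: $(selinux_config_mode "$tmp")"
    selinux_set_mode "$tmp" permissive && echo "after:  $(selinux_config_mode "$tmp")"
    rm -f "$tmp"
}

demo_selinux
```

To apply it to the real file, run `selinux_set_mode /etc/selinux/config disabled` as root; the value printed by `selinux_config_mode /etc/selinux/config` is what the system will use after the reboot, while `getenforce` keeps showing the current state until then.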

netfilter firewall

CentOS 5 and 6 use the netfilter firewall; CentOS 7 uses firewalld; both are managed with the iptables tool.

Disable firewalld and install the iptables tool

systemctl disable firewalld          # prevent firewalld from starting at boot
systemctl stop firewalld             # stop the firewalld service
yum install -y iptables-services     # install iptables-services
systemctl enable iptables            # start iptables at boot
systemctl start iptables             # start the iptables service now

Query the default iptables rules

iptables -nvL

[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  3456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   15  1170 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 35 packets, 3216 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

The -nvL options display the rules (-n: do not reverse-resolve IPs to hostnames; -L: list; -v: more detailed output); -F temporarily clears the current rules.
Rules only persist if saved with service iptables save; the firewall rules are stored in /etc/sysconfig/iptables.
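The default INPUT chain above ends with a catch-all REJECT, and a rule appended to the end of that chain lands below the REJECT, where it is never evaluated. The POSIX shell script below is an added example, not code from the original post: it scans a saved rules file in the /etc/sysconfig/iptables (iptables-save) layout and reports rules that sit below an unconditional DROP/REJECT in their chain. The ruleset it scans is constructed from the default rules listed above plus one appended rule; the function names are this example's own.

```shell
# Added example (not from the original post). Find rules in a saved ruleset
# that can never match because an earlier rule in the same chain is an
# unconditional DROP/REJECT.

# Constructed saved ruleset in iptables-save layout: the page's default rules,
# plus a port-80 ACCEPT appended below the catch-all REJECT (the mistake this
# check is meant to catch).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# find_shadowed_rules: read a saved ruleset on stdin and print every rule that
# follows an unconditional DROP/REJECT in its chain, as "LINE: rule".
# A rule is unconditional when "-j" directly follows the chain name, i.e. it
# carries no -p/-s/-d/-i/-m match before the target.
find_shadowed_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in closed) { print NR ": " $0; next }
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) closed[chain] = 1
            next
        }
        # COMMIT ends a table (*filter, *nat, ...); chains of the next table start open.
        /^COMMIT/ { for (c in closed) delete closed[c] }
    '
}

# count_shadowed_rules: number of unreachable rules, usable as a pass/fail gate.
count_shadowed_rules() {
    find_shadowed_rules | wc -l | tr -d ' '
}

# Demo: report the dead rule in the constructed ruleset.
printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules
```

On a live host, `iptables-save | find_shadowed_rules` runs the same check against the running rules, and `cat /etc/sysconfig/iptables | find_shadowed_rules` checks what will be loaded at boot. A rule that must be reachable belongs above the catch-all, which is what the -I option (insert) is for.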

The 5 netfilter tables

  • filter: packet filtering; the system's default table and the most commonly used; it has three chains: INPUT, OUTPUT and FORWARD;
  • nat: mainly for network address translation; it has three chains: PREROUTING, OUTPUT and POSTROUTING;
  • mangle: for marking packets;
  • raw: to exempt certain packets from connection tracking;
  • security: for Mandatory Access Control (MAC) rules;

The 5 netfilter chains

  • PREROUTING: before the packet enters the routing table;
  • INPUT: after routing, destined for this host;
  • FORWARD: after routing, destined for another host;
  • OUTPUT: generated by this host and sent outward;
  • POSTROUTING: before the packet is handed to the network interface;

Further details on tables and chains:
http://www.cnblogs.com/metoy/p/4320813.html

Basic iptables syntax

-A/-D: append or delete a rule;
-I: insert a rule;
-F: flush (clear) the rules;
-Z: zero the counters so counting starts over;
-t: select the table to operate on, e.g. -t nat (with -F this clears that table); it must be followed by a table name;
-n: do not reverse-resolve IPs to hostnames;
-v: more detailed output;
-L: list the rules, used together with -v;
-p: specify the protocol: tcp, udp or icmp;
--dport: used with -p, specifies the destination port;
--sport: used with -p, specifies the source port;
-s: specify the source IP (may be a subnet);
-d: specify the destination IP (may be a subnet);
-j: followed by the action: ACCEPT allows the packet, DROP discards it, REJECT rejects it;
-i: specify the network interface (rarely used);

Clear the rules

iptables -F
clears the rules from the running configuration;
service iptables save
saves them to the file so the change survives a restart.

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 740 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

Clear a specific table

iptables -t nat -F
clears the nat table; the -t parameter selects the table;
iptables -t nat -nvL
lists the rules of the nat table.

[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

Zero the packet and byte counters

iptables -Z

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 724 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6 packets, 664 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

Add a rule

-A: append a rule
Block a given source IP and source port from reaching a port on the destination IP:
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
drops traffic from port 1234 of 192.168.188.1 to port 80 of 192.168.188.2.

[root@shu-test ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.2 --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 926 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6 packets, 808 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

Insert a rule

-I: insert a rule (at the top of the chain, so it is evaluated first)
iptables -I INPUT -p tcp --dport 80 -j DROP
blocks every IP from reaching port 80 on this host.

[root@shu-test ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

Delete a rule

-D: delete
iptables -D INPUT -p tcp --dport 80 -j DROP
deletes a rule whose exact command is known (the same arguments are repeated with -D).

[root@shu-test ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@shu-test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

Delete a rule whose command is not known

iptables -nvL --line-number
shows each rule's sequence number (num).

[root@shu-test ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 85 packets, 6000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41 packets, 4400 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#

iptables -D INPUT 1
deletes the rule with sequence number 1.

[root@shu-test ~]# iptables -D INPUT 1
[root@shu-test ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@shu-test ~]#
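Deleting by sequence number, as above, needs the number read off the listing, and the numbers shift as soon as one rule is removed. The POSIX shell script below is an added example, not code from the original post: it parses the output format of iptables -nvL --line-number, finds the rules in a chain by target and destination port, and prints the matching iptables -D commands highest number first so that each deletion leaves the remaining numbers valid. The listing it parses is constructed to mirror the page's INPUT chain after the -I and -A steps (rule 1 is the inserted rule, rule 2 the appended one); it works on captured text, so it needs neither root nor iptables, and the function names are this example's own.

```shell
# Added example (not from the original post). Locate rules in the output of
# "iptables -nvL --line-number" and emit the delete commands for them.

# Constructed listing: the page's INPUT chain after "-I ... --dport 80" and
# "-A ... --sport 1234 --dport 80", plus the default SSH ACCEPT rule.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.2        tcp spt:1234 dpt:80
3        4   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# find_rule_nums CHAIN TARGET DPORT: read a listing on stdin and print, one per
# line, the rule numbers in CHAIN whose target is TARGET and whose match text
# contains "dpt:DPORT". Columns 1-10 are num/pkts/bytes/target/prot/opt/in/out/
# source/destination; everything from column 11 on is the match text.
find_rule_nums() {
    awk -v chain="$1" -v target="$2" -v dport="$3" '
        /^Chain / { cur = $2; next }           # "Chain INPUT (policy ...)" starts a chain
        /^num / || NF == 0 { next }            # column header and blank separator lines
        cur == chain && $4 == target {
            for (i = 11; i <= NF; i++)
                if ($i == "dpt:" dport) { print $1; break }
        }'
}

# delete_commands CHAIN TARGET DPORT: print "iptables -D CHAIN N" for every hit,
# highest number first, because deleting rule 1 renumbers every rule below it.
delete_commands() {
    find_rule_nums "$1" "$2" "$3" | sort -rn | while read -r n; do
        echo "iptables -D $1 $n"
    done
}

# Demo: both DROP rules for port 80 in the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT DROP 80
```

On a live host, `iptables -nvL --line-number | delete_commands INPUT DROP 80` prints the commands for review; they are not executed by the script, and as the page notes the change only persists after service iptables save.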


Original article: http://blog.51cto.com/shuzonglu/2064720
