防火墙概述

1防火墙的分类

软件防火墙：数据包的过滤（ip，tcp,udp,icmp ），应用层防火墙(控制ip，行为)
1. centos6 默认是iptables
2. centos7 firewallD(底层是netfilter)

硬件防火墙：主要用来防止ddos攻击

iptables的表和链

4个表

filter nat mangle raw
可以通过执行：man iptables ```

      filter:
           This is the default table (if no -t option is passed). It contains the built-in chains INPUT  (for  packets  destined  to
           local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
       nat:
           This table is consulted when a packet that creates a new connection is encountered.  It consists of three built-ins: PRE‐
           ROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets  before  routing),
           and POSTROUTING (for altering packets as they are about to go out).  IPv6 NAT support is available since kernel 3.7.
       mangle:
           This  table  is  used for specialized packet alteration.  Until kernel 2.4.17 it had two built-in chains: PREROUTING (for
           altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).  Since ker‐
           nel  2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for
           altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
       raw:
           This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target.  It
           registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables.  It
           provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT  (for  packets
           generated by local processes)
       security:
           This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSEC‐
           MARK targets.  Mandatory Access Control is implemented by Linux Security Modules such as SELinux.  The security table  is
           called  after  the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect
           before MAC rules.  This table provides the following built-in chains: INPUT (for packets coming  into  the  box  itself),
           OUTPUT  (for  altering  locally-generated packets before routing), and FORWARD (for altering packets being routed through
           the box).

<a name="b9fFL"></a>
### 5个规则链
input output forward<br />prerounting(选择路由的目的地址) postrouting（原地址转换）
<a name="Ot2d5"></a>
## iptables -t filter -L

[root@VM-20-3-centos ~]# iptables -t filter -L # 规则链 Chain INPUT (policy ACCEPT) target prot opt source destination
ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all — anywhere anywhere
INPUT_direct all — anywhere anywhere
INPUT_ZONES_SOURCE all — anywhere anywhere
INPUT_ZONES all — anywhere anywhere
DROP all — anywhere anywhere ctstate INVALID REJECT all — anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT) target prot opt source destination
ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all — anywhere anywhere
FORWARD_direct all — anywhere anywhere
FORWARD_IN_ZONES_SOURCE all — anywhere anywhere
FORWARD_IN_ZONES all — anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all — anywhere anywhere
FORWARD_OUT_ZONES all — anywhere anywhere
DROP all — anywhere anywhere ctstate INVALID REJECT all — anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT) target prot opt source destination
ACCEPT all — anywhere anywhere
OUTPUT_direct all — anywhere anywhere

Chain FORWARD_IN_ZONES (1 references) target prot opt source destination
FWDI_public all — anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references) target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references) target prot opt source destination
FWDO_public all — anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references) target prot opt source destination

Chain FORWARD_direct (1 references) target prot opt source destination

Chain FWDI_public (1 references) target prot opt source destination
FWDI_public_log all — anywhere anywhere
FWDI_public_deny all — anywhere anywhere
FWDI_public_allow all — anywhere anywhere
ACCEPT icmp — anywhere anywhere

Chain FWDI_public_allow (1 references) target prot opt source destination

Chain FWDI_public_deny (1 references) target prot opt source destination

Chain FWDI_public_log (1 references) target prot opt source destination

Chain FWDO_public (1 references) target prot opt source destination
FWDO_public_log all — anywhere anywhere
FWDO_public_deny all — anywhere anywhere
FWDO_public_allow all — anywhere anywhere

Chain FWDO_public_allow (1 references) target prot opt source destination

Chain FWDO_public_deny (1 references) target prot opt source destination

Chain FWDO_public_log (1 references) target prot opt source destination

Chain INPUT_ZONES (1 references) target prot opt source destination
IN_public all — anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references) target prot opt source destination

Chain INPUT_direct (1 references) target prot opt source destination

Chain IN_public (1 references) target prot opt source destination
IN_public_log all — anywhere anywhere
IN_public_deny all — anywhere anywhere
IN_public_allow all — anywhere anywhere
ACCEPT icmp — anywhere anywhere

Chain IN_public_allow (1 references) target prot opt source destination
ACCEPT tcp — anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED ACCEPT tcp — anywhere anywhere tcp dpt:xfer ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references) target prot opt source destination

Chain IN_public_log (1 references) target prot opt source destination

Chain OUTPUT_direct (1 references) target prot opt source destination

<a name="jAAJb"></a>
## iptables -F 清除所有规则
<a name="aQvrK"></a>
### 如何修改默认规则：iptables -P INPUT ACCEPT
如何控制某一段ip:iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
<a name="gEFeq"></a>
### 为什么对iput 限制而不对output限制：
input是否允许数据进入我们服务器处理，这些请求是需要消耗cpu等资源的，所以我们提前这些数据请求就直接拒绝掉了，<br />output过滤，是在消耗完cpu资源后，返回给用户时候做过滤，这不符合使用习惯<br />复杂的配置：如下说明
<a name="e1drJ"></a>
## ![image.png](https://cdn.nlark.com/yuque/0/2021/png/8418087/1638914763432-05ebbea3-b762-4b4c-a2eb-e0bd64e1bc50.png#clientId=u07d7bfaf-58b4-4&from=paste&height=554&id=u69dc27c0&margin=%5Bobject%20Object%5D&name=image.png&originHeight=554&originWidth=1409&originalType=binary&ratio=1&size=225435&status=done&style=none&taskId=uf5d9814f-e3d1-460f-b2ff-f307f62cdc6&width=1409)

iptables -t filter -A INPUT -i eth0 -s 10.0.0.2 -p tcp —dport 80 -j ACCEPT

<a name="piqkH"></a>
## ![image.png](https://cdn.nlark.com/yuque/0/2021/png/8418087/1638914972679-716b6caf-0254-4eaa-a173-f62b0a1ae6d1.png#clientId=u07d7bfaf-58b4-4&from=paste&height=519&id=ube664fae&margin=%5Bobject%20Object%5D&name=image.png&originHeight=519&originWidth=1266&originalType=binary&ratio=1&size=179411&status=done&style=none&taskId=ufde012f9-b0bb-4a56-817c-9981ddeecba&width=1266)
<a name="WOdwT"></a>
## 我们一般单独对某个ip或者端口配置，需要我们经常去看iptables的文档
<a name="zj1fe"></a>
### centos7没有安装：iptables-services的安装
运行以下命令：

yum install iptables-services

[root@VM-20-3-centos ~]# yum install iptables-services #iptables-services的安装 Loaded plugins: fastestmirror, langpacks, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Repository epel is listed more than once in the configuration Loading mirror speeds from cached hostfile Resolving Dependencies —> Running transaction check —-> Package iptables-services.x86_64 0:1.4.21-35.el7 will be installed —> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================

Package Arch Version Repository Size

Installing: iptables-services x86_64 1.4.21-35.el7 os 52 k

Transaction Summary

Install 1 Package

Total download size: 52 k Installed size: 23 k Is this ok [y/d/N]: y Downloading packages: iptables-services-1.4.21-35.el7.x86_64.rpm | 52 kB 00:00:00
Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : iptables-services-1.4.21-35.el7.x86_64 1/1 Verifying : iptables-services-1.4.21-35.el7.x86_64 1/1

Installed: iptables-services.x86_64 0:1.4.21-35.el7

Complete! [root@VM-20-3-centos ~]#

<a name="VCx4l"></a>
## firewalld篇
<a name="S1iw0"></a>
## 查看状态：systemctl status firewalld.service
```shell
[root@VM-20-3-centos ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

启动firewalld

[root@VM-20-3-centos ~]# systemctl start firewalld.service //启动
[root@VM-20-3-centos ~]# systemctl status firewalld.service //查看
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-12-07 05:47:43 CST; 6s ago
     Docs: man:firewalld(1)
 Main PID: 12917 (firewalld)
    Tasks: 2
   Memory: 24.3M
   CGroup: /system.slice/firewalld.service
           └─12917 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Dec 07 05:47:43 VM-20-3-centos systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 07 05:47:43 VM-20-3-centos systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 07 05:47:43 VM-20-3-centos firewalld[12917]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration ...it now.
Hint: Some lines were ellipsized, use -l to show in full.
[root@VM-20-3-centos ~]#

firewall-cmd —list-all

[root@VM-20-3-centos ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

firewall-cmd —get-default-zone

[root@VM-20-3-centos ~]# firewall -cmd --list-interfaces
-bash: firewall: command not found
[root@VM-20-3-centos ~]# firewall-cmd --list-interfaces
[root@VM-20-3-centos ~]# firewall-cmd --list-ports
[root@VM-20-3-centos ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@VM-20-3-centos ~]# firewall-cmd --get-default-zone
public
[root@VM-20-3-centos ~]#

firewall-cmd —add-service=https

[root@VM-20-3-centos ~]# firewall-cmd --add-service=https #添加默认的服务，默认的443的端口开启
success
[root@VM-20-3-centos ~]# firewall-cmd --add-port=81/tcp #添加端口
success
[root@VM-20-3-centos ~]# firewall-cmd --list-service #只是查看服务
dhcpv6-client https ssh
[root@VM-20-3-centos ~]# firewall-cmd --list-all #查看服务和端口
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https ssh
  ports: 81/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@VM-20-3-centos ~]#

添加永久的端口：firewall-cmd —add-port=82/tcp —permanent

firewall-cmd --add-port=82/tcp --permanent #添加永久端口
firewall-cmd --reload #注意reload才会生效

删除firewall-cmd —remove-ports（ or services or interfaces)

[root@VM-20-3-centos ~]# firewall-cmd --get-default-zone
public
[root@VM-20-3-centos ~]# firewall-cmd --get-active-zone
[root@VM-20-3-centos ~]# man firewall-cmd
[root@VM-20-3-centos ~]# firewall-cmd --add-port=8089/tcp
success
[root@VM-20-3-centos ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 82/tcp 8089/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@VM-20-3-centos ~]# firewall-cmd --remove-port=8089/tcp #删除8089端口
success

命令帮助：man firewall-cmd

man firewall-cmd

iptables

telnet是明文传输，不安全，可以通过抓包来获取密码，密码会泄露

ssh

linux用来做远程连接，替代telnet
scp拷贝命令

ftp服务

ftp协议
主动模式和被动模式
vsftp虚拟用户

dns服务介绍

DNS(Domain Name System)域名系统
FQDN
域的分类
查询方式
解析方式
DNS服务的类型

博客专栏

linux操作系统学习总结