[Overall comparison]

Similarities: firewalld and iptables are both firewall management programs on Linux. Their job is to maintain the rule set; the component that actually enforces the firewall is netfilter in the kernel. Where they differ is in structure and in how they are used.

Differences:

  1. iptables can be configured only from the CLI, whereas firewalld also provides a graphical interface whose mode of operation resembles the Windows firewall.
  2. Every change to iptables flushes all old rules and reloads the full rule set, which interrupts services; with firewalld a change applies only to the rule that differs, and other rules are not affected.
  3. The iptables configuration file is stored in /etc/sysconfig/iptables; firewalld's configuration lives in /usr/lib/firewalld/ and /etc/firewalld/.
  5. iptables has no daemon, whereas firewalld runs as a daemon.

[Iptables]

iptables working data-flow diagram (figure not reproduced; the three paths it shows are listed below)

  1. When a network packet arrives it first passes through the PREROUTING chain; if its destination is the local machine it then goes to the INPUT chain, i.e. PREROUTING -> INPUT.
  2. If the packet is not destined for the local machine, it goes through the FORWARD chain and then POSTROUTING, i.e. PREROUTING -> FORWARD -> POSTROUTING.
  3. A packet sent by a local user process/program/service (whether sent actively or as a response) goes OUTPUT -> POSTROUTING.

Rules of the chain

INPUT chain: filters packets whose destination is the local machine (path 1 above).

OUTPUT chain: filters packets leaving the local machine (that is, the source address is the local machine).

FORWARD chain: filters packets that pass through the machine without being addressed to it (path 2 above).

PREROUTING chain: its rules are applied before a packet is routed (every incoming packet is processed by this chain first).

POSTROUTING chain: its rules are applied after a packet is routed (every outgoing packet is processed by this chain as it leaves).

Rule table

There are four tables: raw, mangle, nat and filter. Their priority, i.e. the order in which a packet is checked against them, is raw > mangle > nat > filter.

Which chains can hold the rules of each table:

raw: PREROUTING, OUTPUT

mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

nat: PREROUTING, OUTPUT, POSTROUTING (INPUT as well on CentOS 7, not on CentOS 6)

filter: INPUT, FORWARD, OUTPUT
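To make the table/chain map and the priority order concrete, here is a small Python model (an added example, not code from the original article) that encodes which chains each table may use and walks the three paths from the data-flow diagram, listing the (table, chain) pairs in the order a packet meets them. The ordering comes from the kernel's netfilter hook priorities: they give exactly raw > mangle > nat > filter on PREROUTING and OUTPUT, but on INPUT and POSTROUTING the nat table holds source NAT and is consulted after filter, which the model reflects. The `include_nat_input` switch models the CentOS 6 kernels that have no nat INPUT chain.

```python
"""Model of the order in which a packet meets the iptables tables and chains.

Added example (not code from the original article): it encodes the chain map
of the four tables and walks the three paths from the data-flow diagram.
Table order is taken from the netfilter hook priorities: raw -300,
mangle -150, nat destination NAT (PREROUTING/OUTPUT) -100, filter 0,
nat source NAT (INPUT/POSTROUTING) 100. Lower runs first.
"""
from typing import Dict, List, Tuple

# Chains in which each table may carry rules. The nat INPUT hook exists on
# CentOS 7 kernels but not on CentOS 6 (see include_nat_input below).
TABLE_CHAINS: Dict[str, List[str]] = {
    "raw": ["PREROUTING", "OUTPUT"],
    "mangle": ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"],
    "nat": ["PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"],
    "filter": ["INPUT", "FORWARD", "OUTPUT"],
}


def hook_priority(table: str, chain: str) -> int:
    """netfilter hook priority of a table's chain; lower is consulted first."""
    if table == "raw":
        return -300
    if table == "mangle":
        return -150
    if table == "nat":
        # Destination NAT before routing / on output; source NAT after filter.
        return -100 if chain in ("PREROUTING", "OUTPUT") else 100
    return 0  # filter


def can_hold_rule(table: str, chain: str) -> bool:
    """True if `iptables -t <table> -A <chain>` is a valid placement."""
    return chain in TABLE_CHAINS.get(table, [])


def chain_path(local_origin: bool, local_destination: bool) -> List[str]:
    """The three paths from the data-flow diagram."""
    if local_origin:
        return ["OUTPUT", "POSTROUTING"]
    if local_destination:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def hook_sequence(local_origin: bool, local_destination: bool,
                  include_nat_input: bool = True) -> List[Tuple[str, str]]:
    """(table, chain) pairs in the order the packet's rules are consulted."""
    seq: List[Tuple[str, str]] = []
    for chain in chain_path(local_origin, local_destination):
        here = [(t, chain) for t in TABLE_CHAINS if can_hold_rule(t, chain)]
        if not include_nat_input:
            here = [h for h in here if h != ("nat", "INPUT")]
        here.sort(key=lambda h: hook_priority(*h))
        seq.extend(here)
    return seq


if __name__ == "__main__":
    cases = [("incoming, for this host", (False, True)),
             ("forwarded through this host", (False, False)),
             ("generated by this host", (True, False))]
    for name, args in cases:
        print(name + ":", " -> ".join(f"{t}/{c}" for t, c in hook_sequence(*args)))
```

Running the block prints the three traversals; `can_hold_rule` is the check to apply before writing a rule, since for example `-t nat -A FORWARD` is not a valid placement.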

Syntax format of iptables

iptables [-t table] command-option [chain] [match conditions] [-j target action or jump]

## Table name

raw, mangle, nat, filter (filter is used if no table is specified)

## Command options

-A Appends a rule to the end of the specified chain (the form used in the examples below)

-D Deletes a rule from the specified chain; the rule can be identified by its number or by its content

-I Inserts a new rule into the specified chain

-L Lists all rules in the specified chain, by rule number and content

-E Renames a user-defined chain; the rules in the chain are unchanged

-F Flushes (empties) a chain

-N Creates a user-defined chain

-X Deletes a user-defined chain from the specified table

-P Sets the default policy of the specified chain

-Z Zeroes the byte and packet counters of all chains in all tables

-n Displays addresses and ports numerically

-v Shows detailed information about the rules

-V Shows the version

-h Shows help

## Chains

PREROUTING

INPUT

FORWARD

OUTPUT

POSTROUTING

The firewall handles packets in four ways

ACCEPT: allows the packet through. DROP: discards the packet; no response is sent. REJECT: discards the packet and, if necessary, sends a response to the sender. LOG: records the packet in /var/log/messages and passes it on to the next rule.

Iptables Usage and command example

  1. CentOS 7 uses firewalld by default. To use iptables, first stop and disable firewalld, then install and enable the iptables service:

# stop firewalld
systemctl stop firewalld
# keep firewalld from starting at boot
systemctl disable firewalld
# mask firewalld so that nothing can start it
systemctl mask firewalld
# install the iptables service
yum install -y iptables-services
# enable iptables at boot
systemctl enable iptables.service
# start iptables
systemctl start iptables.service
# restart iptables and check its status
systemctl restart iptables
systemctl status iptables.service
  2. Display the firewall rule list
iptables -L
iptables -L -n
iptables -L -n --line-numbers
  3. Add port access rules (80 and 443 as examples, accessible from all IPs)
# open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  4. Open a range of ports
iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
  5. Open multiple non-contiguous ports
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 7001,8001,9001 -j ACCEPT
  6. Open port 22 for 192.168.56.1 and 192.168.56.102 only
iptables -A INPUT -p tcp -s 192.168.56.1,192.168.56.102 --dport 22 -j ACCEPT
  7. Delete rules
# list the rules with their numbers; suppose the rule to remove is number 9
iptables -L -n --line-numbers
# delete rule 9 of the INPUT chain
iptables -D INPUT 9
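Deleting by number is convenient, but the number is a position: once `iptables -D INPUT 5` runs, the old rule 6 becomes rule 5, so a list of numbers gathered from one listing must be deleted highest-first. The following Python helper (an added example, not code from the original article) parses the output of `iptables -L INPUT -n --line-numbers`, finds the rule numbers for a destination port, emits the delete commands in a safe order, and as a side check flags any unconditional ACCEPT, which silently makes every rule after it dead. The listing it parses is constructed for the example.

```python
"""Parse `iptables -L <chain> -n --line-numbers` output and plan deletions.

Added example, not from the original article. Rule numbers are positions, so
deletions are emitted highest-number-first to keep the remaining numbers
valid. The sample listing is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output of `iptables -L INPUT -n --line-numbers`.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

# num target prot opt source destination [extra match text]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# Built-in chains show a policy; user-defined chains show a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # match text after the fixed columns, e.g. "tcp dpt:80"


@dataclass
class Chain:
    name: str
    policy: Optional[str]
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse one or more chains from -L -n --line-numbers output."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            num, target, prot, _opt, src, dst, extra = m.groups()
            current.rules.append(Rule(int(num), target, prot, src, dst, extra.strip()))
    return chains


def rules_for_dport(chain: Chain, port: int, prot: str = "tcp") -> List[int]:
    """Rule numbers whose match text contains dpt:<port> for the protocol."""
    want = f"dpt:{port}"
    return [r.num for r in chain.rules if r.prot == prot and want in r.extra.split()]


def deletion_commands(chain: Chain, nums: List[int]) -> List[str]:
    """Delete highest number first so the lower positions are not shifted."""
    return [f"iptables -D {chain.name} {n}" for n in sorted(set(nums), reverse=True)]


def unconditional_accepts(chain: Chain) -> List[int]:
    """ACCEPT for all protocols, any source and destination, no other match."""
    return [r.num for r in chain.rules
            if r.target == "ACCEPT" and r.prot == "all"
            and r.source == "0.0.0.0/0" and r.destination == "0.0.0.0/0"
            and r.extra == ""]


if __name__ == "__main__":
    inp = parse_listing(SAMPLE_LISTING)["INPUT"]
    for cmd in deletion_commands(inp, rules_for_dport(inp, 80)):
        print(cmd)
    print("unconditional ACCEPT rules:", unconditional_accepts(inp))
```

On a live host the listing would come from running the command; the block only shows the ordering logic, so it never executes iptables itself.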
  8. Enable kernel forwarding for Linux port mapping
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8022 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.60.206:22
iptables -t nat -A POSTROUTING -s 192.168.60.0/16 -d 192.168.60.206 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.60.62
  9. Local port forwarding
iptables -t nat -A PREROUTING -p tcp --dport 8022 -j REDIRECT --to-ports 22
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 8022 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -d localhost -p tcp --dport 8022 -j REDIRECT --to-ports 22
  10. Save rules to a file and restore them from it
# save the current rules to xxx.txt
iptables-save > xxx.txt
# restore the rules from xxx.txt
iptables-restore < xxx.txt
  11. Port mapping 1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 18080 -j DNAT --to-destination 192.167.1.201:8080
iptables -t nat -A POSTROUTING -d 192.167.1.201 -p tcp --dport 8080 -j SNAT --to-source 192.167.1.204
  12. Port mapping 2
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 18080 -j DNAT --to-destination 192.168.60.133:8899
iptables -t nat -A POSTROUTING -d 192.168.60.133 -p tcp --dport 8899 -j SNAT --to-source 192.168.56.2

[Firewalld]

Basic use of Firewalld

Start: systemctl start firewalld

Stop: systemctl stop firewalld

View the status: systemctl status firewalld

Disable at boot: systemctl disable firewalld

Enable at boot: systemctl enable firewalld

Configuration with firewall-cmd

Version: firewall-cmd --version

Help: firewall-cmd --help

Display the state: firewall-cmd --state

View all open ports: firewall-cmd --zone=public --list-ports

Reload the firewall rules: firewall-cmd --reload

Check the active zones: firewall-cmd --get-active-zones

Check the zone of an interface: firewall-cmd --get-zone-of-interface=eth0

Reject all packets (panic mode): firewall-cmd --panic-on

Cancel the reject state: firewall-cmd --panic-off

Check whether panic mode is on: firewall-cmd --query-panic

List the whole firewall configuration: firewall-cmd --list-all

Firewalld command example

  1. Opening a port
# add (--permanent makes the change persistent)
firewall-cmd --zone=public --add-port=80/tcp --permanent
# reload
firewall-cmd --reload
# check
firewall-cmd --zone=public --query-port=80/tcp
# delete
firewall-cmd --zone=public --remove-port=80/tcp --permanent
  2. Open a port for one fixed source IP only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.56.1" port protocol="tcp" port="1080" accept'
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.56.1" port protocol="tcp" port="1080" accept'
  3. Open a range of ports
firewall-cmd --add-port 30000-40000/tcp --permanent
firewall-cmd --add-port 30000-40000/udp --permanent
  4. Configuration file location

The zone's rules are stored in the following file (view it with more): more /etc/firewalld/zones/public.xml

  5. On CentOS 7, configure firewalld to share the network with intranet machines through NAT
#### Enable NAT forwarding
firewall-cmd --permanent --zone=public --add-masquerade
#### Open DNS port 53; otherwise the intranet machines may fail to resolve domain names even though their DNS is configured correctly
firewall-cmd --zone=public --add-port=53/tcp --permanent
#### Restart the firewall
systemctl restart firewalld.service
#### Check whether NAT forwarding is allowed
firewall-cmd --query-masquerade
#### Disable NAT forwarding
firewall-cmd --remove-masquerade

After NAT forwarding is enabled, other machines on the LAN can reach the Internet by setting their default gateway to the IP address of the server on which NAT forwarding is enabled.

  6. Port forwarding (TCP + UDP) on CentOS

Enable NAT (this only needs to be done once):
firewall-cmd --add-masquerade --permanent

Add the forwarding:

1. Enable TCP port forwarding (local port 31002 forwarded to 10.0.1.2:3389):
firewall-cmd --add-forward-port=port=31002:proto=tcp:toport=3389:toaddr=10.0.1.2 --permanent

2. Enable UDP port forwarding (local port 31002 forwarded to 10.0.1.2:3389):
firewall-cmd --add-forward-port=port=31002:proto=udp:toport=3389:toaddr=10.0.1.2 --permanent

3. Open port 31002 for TCP and UDP:
firewall-cmd --add-port 31002/tcp --permanent
firewall-cmd --add-port 31002/udp --permanent

4. Reload the configuration (this step must be performed after the configuration is complete):
firewall-cmd --reload

Other operations:

1. Enable kernel forwarding: add net.ipv4.ip_forward = 1 to the sysctl conf file, save the file and run sysctl -p

3. View all mappings:
firewall-cmd --list-all

Deletion:

1. For example, to delete a port forwarding (port 40000 forwarded to 10.0.2.24:3389, TCP):
firewall-cmd --remove-forward-port=port=40000:proto=tcp:toport=3389:toaddr=10.0.2.24 --permanent
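The "Configuration file location" section above points at /etc/firewalld/zones/public.xml, and the NAT and port-forwarding sections create exactly the elements that file holds. The following Python script (an added example, not code from the original article or the firewalld project) reads a zone file in that format and reports the settings a reviewer would want to see at a glance: whether masquerade is on, which forward-ports exist and where they send traffic, port ranges wider than a threshold, and rich rules that accept from any source. The XML it reads is constructed for the example; the element and attribute names follow the firewalld zone file format, and the 1000-port threshold is an arbitrary choice.

```python
"""Read a firewalld zone file and flag settings worth a second look.

Added example, not from the original article. firewalld keeps a zone's
permanent configuration in XML (e.g. /etc/firewalld/zones/public.xml).
This parser pulls out <service>, <port>, <masquerade/>, <forward-port> and
rich <rule> elements and audits them. The sample XML is constructed here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Constructed sample zone.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="30000-40000"/>
  <masquerade/>
  <forward-port port="31002" protocol="tcp" to-port="3389" to-addr="10.0.1.2"/>
  <rule family="ipv4">
    <source address="192.168.56.1"/>
    <port protocol="tcp" port="1080"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
"""


def port_span(spec: str) -> int:
    """Number of ports covered by a spec such as "80" or "30000-40000"."""
    lo, _, hi = spec.partition("-")
    return (int(hi) if hi else int(lo)) - int(lo) + 1


def parse_zone(xml_text: str) -> Dict:
    """Extract the parts of a zone file that the firewall-cmd examples create."""
    root = ET.fromstring(xml_text)  # local, root-owned file: stdlib parser is adequate
    rich_rules = []
    for r in root.findall("rule"):
        src = r.find("source")
        rich_rules.append({
            "family": r.get("family"),
            "source": src.get("address") if src is not None else None,
            "ports": [(p.get("protocol"), p.get("port")) for p in r.findall("port")],
            "action": next((c.tag for c in r if c.tag in ("accept", "reject", "drop")), None),
        })
    return {
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("protocol"), p.get("port")) for p in root.findall("port")],
        "masquerade": root.find("masquerade") is not None,
        "forward_ports": [dict(fp.attrib) for fp in root.findall("forward-port")],
        "rich_rules": rich_rules,
    }


def audit_zone(zone: Dict, max_range: int = 1000) -> List[str]:
    """Human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    if zone["masquerade"]:
        findings.append("masquerade enabled: this host NATs traffic for other machines")
    for fp in zone["forward_ports"]:
        findings.append(f"forward-port {fp.get('port')}/{fp.get('protocol')} "
                        f"-> {fp.get('to-addr')}:{fp.get('to-port')}")
    for proto, spec in zone["ports"]:
        if port_span(spec) > max_range:
            findings.append(f"port range {spec}/{proto} spans {port_span(spec)} ports")
    for rule in zone["rich_rules"]:
        if rule["action"] == "accept" and rule["source"] is None:
            findings.append(f"rich rule accepts {rule['ports']} from any source")
    return findings


if __name__ == "__main__":
    for line in audit_zone(parse_zone(SAMPLE_ZONE_XML)):
        print(line)
```

To run it against a real host, replace `SAMPLE_ZONE_XML` with the contents of the zone file; the runtime configuration can differ from the file until `firewall-cmd --reload` has been run, which is why the examples above end with a reload.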