Linux Learning Day 11: iptables firewall management tool

  A firewall, as the barrier between the public network and the internal network, plays a vital role in keeping data secure. RHEL 6 and earlier used the iptables service to configure firewall policy; RHEL 7 replaced it with the firewalld service. Strictly speaking, neither iptables nor firewalld is the firewall itself: both are management tools for defining firewall policy. The difference lies in the kernel backend they drive. The iptables service hands the configured policy to the kernel's netfilter packet-filtering framework through the ip_tables interface; firewalld hands it to the nftables framework (this is true from RHEL 8 onward; on RHEL 7 firewalld still used iptables underneath).

I. iptables


  Given that many enterprises still use iptables as the firewall management tool in production, iptables is worth mastering first; the concepts (chains, rule order, default policy, targets) carry over directly when learning other firewall tools.

  1. Policies and rules

  First, a policy entry is a rule used to process and filter traffic, and a chain is an ordered list of such rules. The firewall reads the rules of a chain from top to bottom, stops at the first rule that matches, and carries out the action that rule defines (allow or block). If every rule has been read and none matched, the chain's default policy is applied.

  In general there are two default policies: allow (let the traffic pass) and block (stop it). When the default policy is block, you must add rules that allow traffic, otherwise nothing can get in; when the default policy is allow, you must add rules that block traffic, otherwise anything can get in. Rules are grouped by function into several chains:

  •   PREROUTING: processes packets before the routing decision;
  •   INPUT: processes packets addressed to this host (inbound);
  •   OUTPUT: processes packets originating from this host (outbound);
  •   FORWARD: processes packets routed through this host;
  •   POSTROUTING: processes packets after the routing decision.

  In practice, enterprises mostly filter incoming packets: traffic sent from the internal network to the outside is under their own control and is generally benign, so the INPUT chain is the one used most. Matching alone is not enough; a rule also needs a target that says what to do with the traffic it matches, for example ACCEPT (let the traffic through), REJECT (refuse it), LOG (record it) and DROP (discard it). LOG is special in that it records the packet and then continues to the next rule instead of ending evaluation. The difference between REJECT and DROP is this: REJECT refuses the traffic but sends a response back to the sender ("your packet was received, but refused"), whereas DROP discards the packet silently with no response at all. The two ping runs below show the difference: with REJECT the kernel answers every probe with an ICMP error (the default is icmp-port-unreachable, hence "Destination Port Unreachable"), while with DROP nothing comes back, and from the sender's side a DROP looks exactly like a host that is offline.

[root@linuxprobe ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
From 192.168.10.10 icmp_seq=1 Destination Port Unreachable     // traffic refused (REJECT)
From 192.168.10.10 icmp_seq=2 Destination Port Unreachable
From 192.168.10.10 icmp_seq=3 Destination Port Unreachable
From 192.168.10.10 icmp_seq=4 Destination Port Unreachable
--- 192.168.10.10 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms
-------------------------------------separator-----------------------------------------------
[root@linuxprobe ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
                                                               // traffic discarded (DROP), or the host is not online
--- 192.168.10.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
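To make the evaluation order, the default policy and the REJECT/DROP targets concrete, here is an added example that is not part of the original post. It is a small shell model of how one chain is evaluated (first match wins, otherwise the default policy) and a second function that prints, without running them, the real iptables commands the same rule list corresponds to. The "proto:dport:target" rule notation and the "any" wildcard are conventions of this demo only, not iptables syntax.

```shell
#!/bin/sh
# Added example (not from the original post): a model of how one netfilter
# chain evaluates a packet, and the real iptables commands for the same rules.
# Rules are "proto:dport:target", a packet is "proto:dport", "any" is a
# wildcard. This notation is the demo's own convention, not iptables syntax.

# evaluate_chain POLICY PACKET RULE...
# Prints the verdict for PACKET: the target of the first rule that matches,
# or POLICY when no rule matches. Rules are read top to bottom, so order
# matters: a broad rule placed first shadows everything below it.
evaluate_chain() {
    policy=$1; packet=$2; shift 2
    pkt_proto=${packet%%:*}; pkt_port=${packet##*:}
    for rule in "$@"; do
        proto=${rule%%:*}; rest=${rule#*:}
        port=${rest%%:*}; target=${rest#*:}
        if { [ "$proto" = any ] || [ "$proto" = "$pkt_proto" ]; } &&
           { [ "$port" = any ] || [ "$port" = "$pkt_port" ]; }; then
            echo "$target"      # first match ends evaluation
            return 0
        fi
    done
    echo "$policy"              # nothing matched: the default policy applies
}

# render_iptables CHAIN POLICY RULE...
# Prints (does not run) the iptables commands for the same chain: the default
# policy first, then one -A per rule in the order it will be evaluated.
# ICMP rules use "any" for the port field because ICMP has no ports.
render_iptables() {
    chain=$1; policy=$2; shift 2
    echo "iptables -P $chain $policy"
    for rule in "$@"; do
        proto=${rule%%:*}; rest=${rule#*:}
        port=${rest%%:*}; target=${rest#*:}
        cmd="iptables -A $chain"
        if [ "$proto" != any ]; then cmd="$cmd -p $proto"; fi
        if [ "$port" != any ]; then cmd="$cmd --dport $port"; fi
        # REJECT defaults to --reject-with icmp-port-unreachable, which is why
        # a rejected ping reports "Destination Port Unreachable".
        echo "$cmd -j $target"
    done
}

# Demo: an INPUT chain that blocks by default, opens only SSH and HTTP, and
# refuses ping loudly (REJECT) rather than silently (DROP).
RULES="tcp:22:ACCEPT tcp:80:ACCEPT icmp:any:REJECT"
for pkt in tcp:22 tcp:443 icmp:any; do
    echo "$pkt -> $(evaluate_chain DROP "$pkt" $RULES)"
done
# Shadowing: with a broad DROP first, port 22 never reaches its ACCEPT rule.
echo "tcp:22 (shadowed) -> $(evaluate_chain DROP tcp:22 tcp:any:DROP tcp:22:ACCEPT)"
render_iptables INPUT DROP $RULES
```

When applying such a rule set on a real host, add the ACCEPT rule for your own SSH port before switching the INPUT policy to DROP; doing it in the other order over an SSH session locks you out, since the session's packets fall through to the default policy as soon as it changes.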



Source: www.cnblogs.com/xuliang-daydayup/p/12497550.html