Red Hat released RHEL 8 this year and stated that nftables is now the primary firewall framework. CentOS followed shortly afterwards with an announcement that it will ship the same major features.
1. About CentOS 8
After RHEL 8 was released on 2019-05-07, it was confirmed that the package set had changed considerably. CentOS followed with its own release notes and began building version 8.0 [link]
The main changes are: kernel 3.10 to 4.18, desktop session from X.org to Wayland, Python 2.7 to 3.6, package manager from yum to dnf, gcc 4.8 to 8.2, git 1.8 to 2.18, OpenSSL 1.0.2k to 1.1.1, the firewalld backend from iptables to nftables (the legacy iptables tooling is deprecated), and the other service software updated to Node.js 10.14, PHP 7.2, Ruby 2.5, Perl 5.26, SWIG 3.0, MariaDB 10.3, MySQL 8.0, PostgreSQL 10 and 9.6, Redis 5, Apache 2.4, nginx 1.14 [link]
2. About CentOS 8 network configuration
CentOS 8 still manages the firewall with firewalld by default, so the front end (firewall-cmd, zones, services, rich rules) is unchanged; only the backend that renders those zones into kernel rules has changed from iptables to nftables. Network interfaces are still managed by NetworkManager, so nothing else changes there.
If you want to try nftables as the firewalld backend on Fedora, set the `FirewallBackend` key in `/etc/firewalld/firewalld.conf` (see also this article [link]). The key uses `Key=Value` syntax, and it should be rewritten in place rather than appended, otherwise the file ends up with two `FirewallBackend` lines:
sed -i 's/^FirewallBackend=.*/FirewallBackend=nftables/' /etc/firewalld/firewalld.conf
After the change, restart the firewalld service
systemctl restart firewalld
At this point firewalld is using nftables; `nft list ruleset` should show a table named `inet firewalld`. (Likewise, set the value back to `iptables` and restart to return to the previous behaviour.)
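The backend switch above, as an added example that is not from the original post: a small POSIX shell script that rewrites the `FirewallBackend=` key in place (appending a second copy with `>>` leaves an ambiguous file), refuses values firewalld does not know, and on a real host verifies the switch by checking that firewalld created its `inet firewalld` nftables table. The function names and the sample config lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): switch the firewalld backend
# by rewriting the FirewallBackend= key in place instead of appending a
# second copy of it, then verify the change took effect.
# Assumptions: firewalld.conf uses "Key=Value" lines; all helper names here
# are this example's own.

set -eu

# set_firewall_backend CONF BACKEND
# Rewrites (or adds, if absent) the FirewallBackend= line so that the file
# ends up with exactly one such key. Only the two backends firewalld knows
# are accepted; anything else is rejected before the file is touched.
set_firewall_backend() {
    conf=$1
    backend=$2
    case $backend in
        nftables|iptables) ;;
        *) echo "unsupported backend: $backend" >&2; return 2 ;;
    esac
    if grep -q '^FirewallBackend=' "$conf"; then
        # keep a .bak copy so a daemon that fails to start can be rolled back
        sed -i.bak "s/^FirewallBackend=.*/FirewallBackend=$backend/" "$conf"
    else
        printf 'FirewallBackend=%s\n' "$backend" >> "$conf"
    fi
}

# configured_backend CONF -> prints the value of the FirewallBackend key(s)
configured_backend() {
    sed -n 's/^FirewallBackend=//p' "$1"
}

# count_backend_keys CONF -> number of FirewallBackend= lines; must be 1.
# A file edited with `echo ... >> firewalld.conf` returns 2 here.
count_backend_keys() {
    grep -c '^FirewallBackend=' "$1" || true
}

# verify_running_backend: meaningful only on a host with firewalld installed.
# Confirms the daemon is up and that it created its own nftables table, which
# is what proves the nftables backend is the one actually in use.
verify_running_backend() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found; skipping live check" >&2
        return 0
    }
    firewall-cmd --state
    if nft list tables | grep -q 'inet firewalld'; then
        echo "nftables backend active"
    else
        echo "no 'inet firewalld' table found; still on the iptables backend?"
    fi
}

# Usage on a real host (needs root):
#   set_firewall_backend /etc/firewalld/firewalld.conf nftables
#   systemctl restart firewalld
#   verify_running_backend
```

Run the three usage lines as root; `verify_running_backend` is the check worth scripting into a post-install test, because a typo in the key silently leaves firewalld on iptables.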
3. Using nftables
On how to use nftables itself, Red Hat has already published an article that briefly explains the tooling [link]
4. Default firewall configuration
Here is firewalld's default configuration (the empty configuration of the other zones is omitted)
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Here is the same default policy as rendered by the iptables backend (`FirewallBackend=iptables`). Note that once the backend is switched to nftables, `iptables -nvL` no longer shows these chains: firewalld then writes only to its own nftables tables, and the iptables command (now the iptables-nft compatibility tool) shows empty base chains.
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  141 15507 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    48 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 99 packets, 12349 bytes)
 pkts bytes target     prot opt in     out     source               destination
   99 12349 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens32  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      ens32   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    48 IN_public  all  --  ens32  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    48 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
Here is the same default policy as rendered by the nftables backend (`FirewallBackend=nftables`). firewalld keeps the same zone dispatch structure (`*_ZONES_SOURCE`, `*_ZONES`, then per-zone `_log`/`_deny`/`_allow` chains), but puts the filter rules in a single `inet` table that covers IPv4 and IPv6 together, with separate `ip` and `ip6` tables only for NAT.
# nft list ruleset
table inet firewalld {
    chain raw_PREROUTING {
        type filter hook prerouting priority -290; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . iif oif missing drop
        jump raw_PREROUTING_ZONES_SOURCE
        jump raw_PREROUTING_ZONES
    }

    chain raw_PREROUTING_ZONES_SOURCE {
    }

    chain raw_PREROUTING_ZONES {
        iifname "ens32" goto raw_PRE_public
        goto raw_PRE_public
    }

    chain mangle_PREROUTING {
        type filter hook prerouting priority -140; policy accept;
        jump mangle_PREROUTING_ZONES_SOURCE
        jump mangle_PREROUTING_ZONES
    }

    chain mangle_PREROUTING_ZONES_SOURCE {
    }

    chain mangle_PREROUTING_ZONES {
        iifname "ens32" goto mangle_PRE_public
        goto mangle_PRE_public
    }

    chain filter_INPUT {
        type filter hook input priority 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        jump filter_INPUT_ZONES_SOURCE
        jump filter_INPUT_ZONES
        ct state invalid drop
        reject with icmpx type admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        jump filter_FORWARD_IN_ZONES_SOURCE
        jump filter_FORWARD_IN_ZONES
        jump filter_FORWARD_OUT_ZONES_SOURCE
        jump filter_FORWARD_OUT_ZONES
        ct state invalid drop
        reject with icmpx type admin-prohibited
    }

    chain filter_INPUT_ZONES_SOURCE {
    }

    chain filter_INPUT_ZONES {
        iifname "ens32" goto filter_IN_public
        goto filter_IN_public
    }

    chain filter_FORWARD_IN_ZONES_SOURCE {
    }

    chain filter_FORWARD_IN_ZONES {
        iifname "ens32" goto filter_FWDI_public
        goto filter_FWDI_public
    }

    chain filter_FORWARD_OUT_ZONES_SOURCE {
    }

    chain filter_FORWARD_OUT_ZONES {
        oifname "ens32" goto filter_FWDO_public
        goto filter_FWDO_public
    }

    chain raw_PRE_public {
        jump raw_PRE_public_log
        jump raw_PRE_public_deny
        jump raw_PRE_public_allow
    }

    chain raw_PRE_public_log {
    }

    chain raw_PRE_public_deny {
    }

    chain raw_PRE_public_allow {
    }

    chain filter_IN_public {
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport ssh ct state new,untracked accept
        ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
    }

    chain filter_FWDI_public {
        jump filter_FWDI_public_log
        jump filter_FWDI_public_deny
        jump filter_FWDI_public_allow
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_FWDI_public_log {
    }

    chain filter_FWDI_public_deny {
    }

    chain filter_FWDI_public_allow {
    }

    chain mangle_PRE_public {
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain filter_FWDO_public {
        jump filter_FWDO_public_log
        jump filter_FWDO_public_deny
        jump filter_FWDO_public_allow
    }

    chain filter_FWDO_public_log {
    }

    chain filter_FWDO_public_deny {
    }

    chain filter_FWDO_public_allow {
    }
}
table ip firewalld {
    chain nat_PREROUTING {
        type nat hook prerouting priority -90; policy accept;
        jump nat_PREROUTING_ZONES_SOURCE
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_ZONES_SOURCE {
    }

    chain nat_PREROUTING_ZONES {
        iifname "ens32" goto nat_PRE_public
        goto nat_PRE_public
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority 110; policy accept;
        jump nat_POSTROUTING_ZONES_SOURCE
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_ZONES_SOURCE {
    }

    chain nat_POSTROUTING_ZONES {
        oifname "ens32" goto nat_POST_public
        goto nat_POST_public
    }

    chain nat_PRE_public {
        jump nat_PRE_public_log
        jump nat_PRE_public_deny
        jump nat_PRE_public_allow
    }

    chain nat_PRE_public_log {
    }

    chain nat_PRE_public_deny {
    }

    chain nat_PRE_public_allow {
    }

    chain nat_POST_public {
        jump nat_POST_public_log
        jump nat_POST_public_deny
        jump nat_POST_public_allow
    }

    chain nat_POST_public_log {
    }

    chain nat_POST_public_deny {
    }

    chain nat_POST_public_allow {
    }
}
table ip6 firewalld {
    chain nat_PREROUTING {
        type nat hook prerouting priority -90; policy accept;
        jump nat_PREROUTING_ZONES_SOURCE
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_ZONES_SOURCE {
    }

    chain nat_PREROUTING_ZONES {
        iifname "ens32" goto nat_PRE_public
        goto nat_PRE_public
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority 110; policy accept;
        jump nat_POSTROUTING_ZONES_SOURCE
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_ZONES_SOURCE {
    }

    chain nat_POSTROUTING_ZONES {
        oifname "ens32" goto nat_POST_public
        goto nat_POST_public
    }

    chain nat_PRE_public {
        jump nat_PRE_public_log
        jump nat_PRE_public_deny
        jump nat_PRE_public_allow
    }

    chain nat_PRE_public_log {
    }

    chain nat_PRE_public_deny {
    }

    chain nat_PRE_public_allow {
    }

    chain nat_POST_public {
        jump nat_POST_public_log
        jump nat_POST_public_deny
        jump nat_POST_public_allow
    }

    chain nat_POST_public_log {
    }

    chain nat_POST_public_deny {
    }

    chain nat_POST_public_allow {
    }
}
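The firewalld dump above is what the "public" zone with the `ssh` and `dhcpv6-client` services compiles to. As an added example, not firewalld's output and not from the original post, here is the same policy written directly in nft syntax by hand, wrapped in a shell script that writes it to a file, runs `nft -c -f` to syntax-check it when nft is available and the script runs as root, and lists the TCP ports it exposes. The table name `host_firewall`, the helper names and the choice of `policy drop` on the base chains are this example's own; firewalld uses `policy accept` followed by an explicit reject, whereas a drop policy fails closed if the final reject rule is ever removed.

```shell
#!/bin/sh
# Added example (not from the original post, not firewalld's own output):
# a hand-written nftables ruleset equivalent to the default firewalld
# "public" zone shown above (ssh + dhcpv6-client, ICMP accepted, invalid
# dropped, everything else rejected with admin-prohibited).
# Assumptions: table/chain names and helper names are this example's own.

set -eu

# write_minimal_ruleset PATH -> writes the ruleset file
write_minimal_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet host_firewall {
    chain input {
        # numeric priority 0 == "filter"; policy drop fails closed
        type filter hook input priority 0; policy drop;

        # drop invalid before the established/related shortcut
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept

        # same ICMP handling as firewalld's public zone
        meta l4proto { icmp, ipv6-icmp } accept

        # firewalld services "ssh" and "dhcpv6-client"
        tcp dport 22 ct state new accept
        ip6 daddr fe80::/64 udp dport 546 ct state new accept

        # explicit reject so clients get an immediate error, as firewalld does
        reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        reject with icmpx type admin-prohibited
    }
}
EOF
}

# check_ruleset PATH -> syntax-checks the file without loading it.
# nft -c needs a netlink socket, so the check only runs as root.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft not available or not root; syntax check skipped" >&2
    fi
}

# exposed_tcp_ports PATH -> numeric TCP ports accepted for new connections,
# one per line; a quick audit of what the ruleset opens to the network.
exposed_tcp_ports() {
    sed -n 's/^[[:space:]]*tcp dport \([0-9][0-9]*\) .*accept.*/\1/p' "$1"
}

# Usage on a RHEL 8 / CentOS 8 host (needs root). Never load this while
# firewalld is running: both tables would hook input, and a drop verdict in
# either one wins. Disable firewalld first, then hand the file to
# nftables.service, which reads /etc/sysconfig/nftables.conf:
#   write_minimal_ruleset /etc/nftables/host_firewall.nft
#   check_ruleset /etc/nftables/host_firewall.nft
#   systemctl disable --now firewalld
#   nft -f /etc/nftables/host_firewall.nft
#   exposed_tcp_ports /etc/nftables/host_firewall.nft
```

Apply it from a console session, or keep an established SSH session open while you test: the `established,related` rule keeps that session alive even if you lock out new connections, and `nft -c -f` only proves the file parses, not that the policy is what you meant.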