关于 iptables 和 nftables 在 CentOS 新版本的使用

2019-07-18 1939点热度 0人点赞

Rhel 于今年发布了 rhel8,里面指出了将使用 nftables 作为主要防火墙。而 CentOS 紧随其后也发布了声明,将提供一样的主要特性。


1 、关于 CentOS 8

Rhel8 于 2019-05-07 发布后,由确切消息证实了软件库产生很多变动。紧随其后的 CentOS 也发布了更新说明,并且开始编译制作 8.0 版本 [ 链接 ]

主要内容有:Kernel 由 3.10 升 4.18,桌面由 X.org 升 wayland,Python 由 2.7 升 3.6,包管理工具由 yum 升 dnf,gcc 由 4.8 升 8.5,git 由 1.8 升 2.18,openssl 由 1.02k 升 1.1.1,防火墙 firewalld 后端由 iptables 升 nftables 并取消,其它相关服务软件更新至 Node.JS 10.14, PHP 7.2, Ruby 2.5, Perl 5.26, SWIG 3.0 MariaDB 10.3, MySQL 8.0, PostgreSQL 10, PostgreSQL 9.6, Redis 5, Apache 2.4, nginx 1.14 [ 链接 ]


2 、关于 CentOS 8 网络配置

由于 CentOS 8 默认使用 firewalld 管理防火墙,只有后端产生了变化。而管理网络接口仍然使用 NetworkManager 所以没有其他变化。

如果想在 Fedora 上尝试使用 nftables ,你需要做如下操作并参考这篇文章 [ 链接 ]

echo "FirewallBackend nftables" >> /etc/firewalld/firewalld.conf

修改后重启 firewalld 服务

systemctl restart firewalld

此时你就可以使用 nftbales 了。(同理,你也可以修改为 iptables 恢复回原来的样子)


3 、使用 nftables

关于如何使用 nftables ,redhat 已经发布了一篇文章,简单的讲解了使用方式 [ 链接 ]


5 、默认的网络配置

这里放出 firewalld 的默认配置(省略其他 zone 的空配置)

# firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports: 
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

这里放出 iptables 的默认配置

# iptables -nvL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  141 15507 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    48 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    48 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    48 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 99 packets, 12349 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   99 12349 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  ens32  *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      ens32   0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    48 IN_public  all  --  ens32  *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    48 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    48 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    48 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

这里放出 nftables 的默认配置

# nft list ruleset

table inet firewalld {
	chain raw_PREROUTING {
		type filter hook prerouting priority -290; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . iif oif missing drop
		jump raw_PREROUTING_ZONES_SOURCE
		jump raw_PREROUTING_ZONES
	}

	chain raw_PREROUTING_ZONES_SOURCE {
	}

	chain raw_PREROUTING_ZONES {
		iifname "ens32" goto raw_PRE_public
		goto raw_PRE_public
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority -140; policy accept;
		jump mangle_PREROUTING_ZONES_SOURCE
		jump mangle_PREROUTING_ZONES
	}

	chain mangle_PREROUTING_ZONES_SOURCE {
	}

	chain mangle_PREROUTING_ZONES {
		iifname "ens32" goto mangle_PRE_public
		goto mangle_PRE_public
	}

	chain filter_INPUT {
		type filter hook input priority 10; policy accept;
		ct state established,related accept
		iifname "lo" accept
		jump filter_INPUT_ZONES_SOURCE
		jump filter_INPUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority 10; policy accept;
		ct state established,related accept
		iifname "lo" accept
		jump filter_FORWARD_IN_ZONES_SOURCE
		jump filter_FORWARD_IN_ZONES
		jump filter_FORWARD_OUT_ZONES_SOURCE
		jump filter_FORWARD_OUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}

	chain filter_INPUT_ZONES_SOURCE {
	}

	chain filter_INPUT_ZONES {
		iifname "ens32" goto filter_IN_public
		goto filter_IN_public
	}

	chain filter_FORWARD_IN_ZONES_SOURCE {
	}

	chain filter_FORWARD_IN_ZONES {
		iifname "ens32" goto filter_FWDI_public
		goto filter_FWDI_public
	}

	chain filter_FORWARD_OUT_ZONES_SOURCE {
	}

	chain filter_FORWARD_OUT_ZONES {
		oifname "ens32" goto filter_FWDO_public
		goto filter_FWDO_public
	}

	chain raw_PRE_public {
		jump raw_PRE_public_log
		jump raw_PRE_public_deny
		jump raw_PRE_public_allow
	}

	chain raw_PRE_public_log {
	}

	chain raw_PRE_public_deny {
	}

	chain raw_PRE_public_allow {
	}

	chain filter_IN_public {
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport ssh ct state new,untracked accept
		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
	}

	chain filter_FWDI_public {
		jump filter_FWDI_public_log
		jump filter_FWDI_public_deny
		jump filter_FWDI_public_allow
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_public_log {
	}

	chain filter_FWDI_public_deny {
	}

	chain filter_FWDI_public_allow {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain filter_FWDO_public {
		jump filter_FWDO_public_log
		jump filter_FWDO_public_deny
		jump filter_FWDO_public_allow
	}

	chain filter_FWDO_public_log {
	}

	chain filter_FWDO_public_deny {
	}

	chain filter_FWDO_public_allow {
	}
}
table ip firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority -90; policy accept;
		jump nat_PREROUTING_ZONES_SOURCE
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES_SOURCE {
	}

	chain nat_PREROUTING_ZONES {
		iifname "ens32" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority 110; policy accept;
		jump nat_POSTROUTING_ZONES_SOURCE
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES_SOURCE {
	}

	chain nat_POSTROUTING_ZONES {
		oifname "ens32" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_PRE_public {
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_POST_public {
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}
}
table ip6 firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority -90; policy accept;
		jump nat_PREROUTING_ZONES_SOURCE
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES_SOURCE {
	}

	chain nat_PREROUTING_ZONES {
		iifname "ens32" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority 110; policy accept;
		jump nat_POSTROUTING_ZONES_SOURCE
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES_SOURCE {
	}

	chain nat_POSTROUTING_ZONES {
		oifname "ens32" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_PRE_public {
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_POST_public {
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}
}


StarryVoid

Have a good time