  • Modifying OpenWrt firewall rules

    10k+ views, 2019-07-08 18:48:09

    This article is translated from the OpenWrt wiki.

    Contents

    Firewall configuration /etc/config/firewall

    Management

    WebUI

    CLI

    Configuration sections

    Defaults

    Includes

    Redirects

    Zones

    Forwardings

    Rules

    Routing

    IP Sets

    IPv6

    SNAT


    Firewall configuration /etc/config/firewall

    OpenWrt's firewall management application, fw3, has three configuration mechanisms:

    Configuration files:

    • /etc/firewall.user
    • /etc/config/firewall

    This article focuses on the configuration files and their contents; LuCI and UCI are user-facing abstractions that ultimately modify the same configuration files.

    Management

    • The main firewall configuration file is /etc/config/firewall; edit this file to change the firewall settings.
      • Back it up before editing.
      • Once the changes are made and verified, reload the firewall with /etc/init.d/firewall reload (fw3 reload is simpler and also checks the configuration file for errors).
    • Any line whose first character is # is not parsed and serves as a comment.
    • The UCI firewall configuration in /etc/config/firewall covers a reasonable subset of netfilter rules, but not all of them.
    • Use the fw3 UCI firewall configuration wherever possible. Some scenarios require iptables directly; see Netfilter in OpenWrt.

    WebUI

    LuCI is a good way to view and modify the firewall configuration.

    • It is found under Network --> Firewall and maps closely to the sections of the configuration file.
    • Changing the firewall configuration takes a little longer this way, but it is better organized than the raw configuration file.

    Use the Save & Apply button to change parameters and reload.

    • LuCI removes all comment (#) lines from /etc/config/firewall.

    CLI

    UCI is a low-level abstraction of the configuration file that can be reached remotely over ssh.

    uci add firewall rule
    uci set firewall.@rule[-1].target='REJECT'
    uci set firewall.@rule[-1].proto='tcp udp icmp'
    uci set firewall.@rule[-1].src='vpn'
    uci set firewall.@rule[-1].dest='lan'
    uci set firewall.@rule[-1].name='Reject All VPN -> LAN Traffic'
    uci commit firewall
    service firewall restart
    

    This assumes the last rule is in the VPN --> LAN forwarding chain; all packets coming from the VPN will be rejected.
    Show the firewall configuration:

    # uci show firewall
    firewall.@rule[20]=rule
    firewall.@rule[20].target='REJECT'
    firewall.@rule[20].proto='tcp udp icmp'
    firewall.@rule[20].src='wan'
    firewall.@rule[20].dest='lan'
    firewall.@rule[20].name='Reject All VPN -> LAN Traffic'
    

    UCI is handy for viewing the firewall configuration, but it is generally not used to modify it, for the following reasons:

    • You must be familiar with the firewall rules to make the rule array work.
    • uci does not recognize the contents of the /etc/firewall.user script.
    • uci commit is required to save the configuration, but /etc/init.d/firewall reload must still be called to load the new tables.

    Configuration sections

    Below is an overview of the firewall configuration sections that are defined:

    • A minimal configuration for a router usually consists of one defaults section, at least two zones (lan and wan) and one forwarding that allows traffic from lan to wan.

      • The forwarding section is not strictly required when there are no more than two zones, since the rule can be set as the zone's "global default".

    Defaults

    The defaults section declares global firewall settings that do not belong to any specific zone.

    config defaults
        option  input                 'ACCEPT'
        option  output                'ACCEPT'
        option  forward               'REJECT'
        option  custom_chains         '1'
        option  drop_invalid          '1'
        option  syn_flood             '1'
        option  synflood_burst        '50'
        option  synflood_protect      '1'
        option  tcp_ecn               '1'
        option  tcp_syncookies        '1'
        option  tcp_window_scaling    '1'

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | input | string | no | REJECT | Set policy for the INPUT chain of the filter table. |
    | forward | string | no | REJECT | Set policy for the FORWARD chain of the filter table. |
    | output | string | no | REJECT | Set policy for the OUTPUT chain of the filter table. |
    | drop_invalid | boolean | no | 0 | Drop invalid packets (e.g. not matching any active connection). |
    | syn_flood | boolean | no | 0 | Enable SYN flood protection (obsoleted by the synflood_protect setting). |
    | synflood_protect | boolean | no | 0 | Enable SYN flood protection. |
    | synflood_rate | string | no | 25 | Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood. |
    | synflood_burst | string | no | 50 | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. |
    | tcp_syncookies | boolean | no | 1 | Enable the use of SYN cookies. |
    | tcp_ecn | boolean | no | 0 | Enable/disable Explicit Congestion Notification. Implemented upstream in the Linux kernel; see ip-sysctl.txt. |
    | tcp_window_scaling | boolean | no | 1 | Enable TCP window scaling. |
    | accept_redirects | boolean | no | 0 | Accept redirects. Implemented upstream in the Linux kernel; see ip-sysctl.txt. |
    | accept_source_route | boolean | no | 0 | Implemented upstream in the Linux kernel; see ip-sysctl.txt. |
    | custom_chains | boolean | no | 1 | Enable generation of custom rule chain hooks for user-generated rules. User rules are typically stored in firewall.user, but some packages, e.g. BCP38, also make use of these hooks. |
    | disable_ipv6 | boolean | no | 0 | Disable IPv6 firewall rules. |
    | flow_offloading | boolean | no | 0 | Enable software flow offloading for connections (decreases CPU load / increases routing throughput). |
    | flow_offloading_hw | boolean | no | 0 | Enable hardware flow offloading for connections (depends on flow_offloading and hardware capability). |
    | tcp_reject_code | reject_code | no | 0 | Defined in firewall3/options.h. Seems to determine the method of packet rejection (TCP reset or drop vs. ICMP Destination Unreachable or closed). |
    | any_reject_code | reject_code | no | 1 | Defined in firewall3/options.h. Seems to determine the method of packet rejection (TCP reset or drop vs. ICMP Destination Unreachable or closed). |
    | auto-helper | bool | no | FIXME | FIXME |

    Includes

    Custom firewall scripts can be included by specifying one or more include sections in the firewall configuration:

    config include
    option path '/etc/firewall.user'

    • The script /etc/firewall.user is empty by default.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | enabled | boolean | no | 1 | Allows disabling the corresponding include without having to delete the section. |
    | type | string | no | script | Specifies the type of the include: script for traditional shell script includes, or restore for plain files in iptables-restore format. |
    | path | file name | yes | /etc/firewall.user | Specifies a shell script to execute on boot or firewall restarts. |
    | family | string | no | any | Specifies the address family (ipv4, ipv6 or any) for which the include is called. |
    | reload | boolean | no | 0 | Specifies whether the include should be called on reload; this is only needed if the include injects rules into internal chains. |

    Includes of type script may contain arbitrary commands, for example advanced iptables rules or the tc commands needed for traffic control.

    • :!: Since custom iptables rules are more specific than the generic ones, you must make sure to use -I (insert) instead of -A (append), so that the custom rules appear before the default rules.

    • :!: If a rule already exists in iptables, it will not be re-added. A plain iptables -I or -A would add a duplicate rule.

    Example

    Below is an example /etc/firewall.user script that allows CloudFlare.com to reach HTTP port 80 and HTTPS port 443. Use it if your uhttpd is hidden behind the CF proxy.

    # Replace ips-v4 with ips-v6 if needed
    # Insert (-I) one ACCEPT rule per published CloudFlare range so it lands before the defaults
    for ip in $(wget -qO- http://www.cloudflare.com/ips-v4); do
      iptables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT
    done

    NOTE: The list of IPs is fetched over HTTP because fetching it over HTTPS with wget would require installing ca-certs. This leaves you exposed to a MiTM attack, but it does keep the rest of the Internet's attackers away from you.

    Redirects

    Port forwarding (DNAT) is defined in redirect sections. Port redirects are also commonly called port forwards or virtual servers.

    • All incoming traffic on the specified source zone that matches the given rule is directed to the specified internal host.

    • Port ranges are specified as start:stop, for instance 6666:6670 (similar to the iptables syntax).

    Destination NAT

    config redirect
        option  target      'DNAT'
        option  proto       'tcp'
        option  src         'wan'
        option  src_dport   '19900'
        option  dest        'lan'
        option  dest_port   '22'
        option  dest_ip     '192.168.1.1'
        option  name        'Allow Redirect WAN -> LAN (SSH)'

    :!: If src_dport is not included in the section, packets arriving on any port that match the other options of the section are forwarded to the destination port given in the section. This can pose a security risk for the application running on the destination port opened by the config section. One way to test for this is to use Gibson Research Corporation's ShieldsUP! service and probe the ports of interest on the router. The response can be open, closed or stealth (dropped). For an open or closed port, the packet reached the target host and an acknowledgement/reply packet was sent back. A stealth port drops the packet; from the point of view of the probing system (Gibson Research) it cannot know for certain whether those packets reached the target host.

    Source NAT

    Masquerade is the most common form of SNAT; it changes the source of traffic leaving the WAN to the router's public IP. SNAT can also be done by hand:

    config redirect
        option  target      'SNAT'
        option  proto       'icmp'
        option  src         'dmz'
        option  src_ip      '192.168.1.250'
        option  src_dip     '1.2.3.4'
        option  dest        'wan'
        option  name        'SNAT: DMZ ICMP 192.168.1.250 -> 1.2.3.4'

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | string | no | string | Name of the redirect. |
    | src | zone name | yes for DNAT target | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this is usually wan. |
    | src_ip | ip address | no | (none) | Match incoming traffic from the specified source ip address. |
    | src_dip | ip address | yes for SNAT target | (none) | For DNAT, match incoming traffic directed at the given destination ip address. For SNAT, rewrite the source address to the given address. |
    | src_mac | mac address | no | (none) | Match incoming traffic from the specified mac address. |
    | src_port | port or range | no | (none) | Match incoming traffic originating from the given source port or port range on the client host. |
    | src_dport | port or range | no | (none) | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT, rewrite the source ports to the given value. |
    | proto | protocol name or number | no | tcp udp | Match incoming traffic using the given protocol. |
    | dest | zone name | yes for SNAT target | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names. For the DNAT target on Attitude Adjustment, NAT reflection works only if this is equal to lan. |
    | dest_ip | ip address | yes for DNAT target | (none) | For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. For DNAT, if the dest_ip value matches one of the router's local ip addresses as shown by ifconfig, the rule is translated into a DNAT + input 'accept' rule; otherwise it is a DNAT + forward rule. |
    | dest_port | port or range | no | (none) | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below). |
    | ipset | string | no | (none) | If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark. |
    | mark | string | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
    | start_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic after the given date (inclusive). |
    | stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
    | start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
    | stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
    | weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match except on Saturdays and Sundays. |
    | monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match except on the 31st of the month. |
    | utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
    | target | string | no | DNAT | NAT target (DNAT or SNAT) to use when generating the rule. |
    | family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
    | reflection | boolean | no | 1 | Activate NAT reflection for this redirect; applicable to DNAT targets. |
    | reflection_src | string | no | internal | The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface's address to use. Applicable to DNAT targets. |
    | limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s. |
    | limit_burst | integer | no | 5 | Maximum initial number of packets to match, allowing a short-term average above limit. |
    | enabled | string | no | 1 or yes | Enable the redirect rule or not. |
    | helper | cthelper | no | FIXME | FIXME |

    Zones

    A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects.

    config zone
        option  name        'wan'
        option  network     'wan wan6'
        option  input       'REJECT'
        option  output      'ACCEPT'
        option  forward     'REJECT'
        option  masq        '1'
        option  mtu_fix     '1'

    • MASQUERADE (NAT) of outgoing traffic (WAN) is controlled on a per-zone basis on the outgoing interface.

    • INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.

    • OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone.

    • FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging in the same zone.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | zone name | yes | (none) | Unique zone name. 11 characters is the maximum working firewall zone name length. |
    | network | list | no | (none) | List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid 'standalone' networks. Use list syntax. |
    | masq | boolean | no | 0 | Specifies whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone. |
    | masq_src | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
    | masq_dest | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
    | masq_allow_invalid | boolean | no | 0 | Do not add DROP INVALID rules if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see the commit in firewall3). |
    | mtu_fix | boolean | no | 0 | Enable MSS clamping for outgoing zone traffic. |
    | input | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
    | forward | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
    | output | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic. |
    | family | string | no | any | The protocol family (ipv4, ipv6 or any) these iptables rules are for. |
    | log | int | no | 0 | Bit field to enable logging in the filter and/or mangle tables; bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae) |
    | log_limit | string | no | 10/minute | Limits the amount of log messages per interval. |
    | device | list | no | (none) | List of raw network device names attached to this zone, e.g. ppp+ to match any PPP interface. |
    | subnet | list | no | (none) | List of IP subnets attached to this zone. |
    | extra | string | no | (none) | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefore direction-specific options like --dport should not be used here; use the extra_src and extra_dest options instead. |
    | extra_src | string | no | value of extra | Extra arguments passed directly to iptables for source classification rules. |
    | extra_dest | string | no | value of extra | Extra arguments passed directly to iptables for destination classification rules. |
    | custom-chains | bool | no | FIXME | FIXME |
    | enabled | bool | no | yes | If set to 0, the zone is disabled. |
    | auto_helper | bool | no | FIXME | FIXME |
    | helper | cthelper | no | FIXME | FIXME |

    Forwardings

    The forwarding sections control the traffic flow between zones, and may enable MSS clamping for specific directions.

    config forwarding
        option  src         'lan'
        option  dest        'wan'

    • Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, two forwardings are required, with src and dest reversed in each.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | forward name | no | (none) | Unique forwarding name. |
    | src | zone name | yes | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this is usually 'wan'. |
    | dest | zone name | yes | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names. |
    | mtu_fix | boolean | no | 0 | Enable MSS clamping for traffic flowing from the source zone to the destination zone (deprecated and moved to zone sections in 8.09.2+). |
    | family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
    | enabled | bool | no | yes | If set to 0, the forwarding is disabled. |

    :!: The iptables rules generated for this section rely on the state match which needs connection tracking to work.

    • At least one of the src or dest zones needs to have connection tracking enabled through the masq option.

    Rules

    The rule section is used to define basic accept, drop, or reject rules to allow or restrict access to specific ports or hosts.

    config rule
        option  target      'REJECT'
        option  proto       'tcp'
        option  src         'lan'
        option  src_ip      '192.168.1.2'
        option  src_mac     '00:11:22:33:44:55'
        option  src_port    '80'
        option  dest        'wan'
        option  dest_ip     '194.25.2.129'
        option  dest_port   '120'

    • In fw3, the src and dest are tied to the target:

      • If src and dest are given, the rule matches forwarded traffic

      • If only src is given, the rule matches incoming traffic

      • If only dest is given, the rule matches outgoing traffic

      • If neither src nor dest are given, the rule defaults to an outgoing traffic rule

    • Port ranges are specified as start:stop, for instance 6666:6670 (similar to the iptables syntax).

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | string | no | (none) | Name of the rule. |
    | src | zone name | yes (:!: optional since Firewall v2, version 58 and above) | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. |
    | src_ip | ip address | no | (none) | Match incoming traffic from the specified source ip address. |
    | src_mac | mac address | no | (none) | Match incoming traffic from the specified mac address. |
    | src_port | port or range | no | (none) | Match incoming traffic from the specified source port or port range, if a relevant proto is specified. Multiple ports can be specified like '80 443 465'. |
    | proto | protocol name or number | no | tcp udp | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp or all, or a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all. |
    | icmp_type | list of type names or numbers | no | any | For protocol icmp, select specific icmp types to match. Values can be either exact icmp type numbers or type names (see below). |
    | dest | zone name | no | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise it is treated as an input rule. |
    | dest_ip | ip address | no | (none) | Match incoming traffic directed to the specified destination ip address. With no dest zone, this is treated as an input rule! |
    | dest_port | port or range | no | (none) | Match incoming traffic directed at the given destination port or port range, if a relevant proto is specified. Multiple ports can be specified like '80 443 465'. |
    | ipset | string | no | (none) | If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. |
    | mark | mark/mask | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
    | start_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic after the given date (inclusive). |
    | stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
    | start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
    | stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
    | weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match except on Saturdays and Sundays. |
    | monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match except on the 31st of the month. |
    | utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
    | target | string | yes | DROP | Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic. |
    | set_mark | mark/mask | yes for target MARK | (none) | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed. |
    | set_xmark | | | | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed. |
    | family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
    | limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m. |
    | limit_burst | integer | no | 5 | Maximum initial number of packets to match, allowing a short-term average above limit. |
    | extra | string | no | (none) | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
    | enabled | boolean | no | yes | Enable or disable the rule. |
    | device | string | no | FIXME | FIXME |
    | direction | direction | no | FIXME | FIXME direction_out |
    | set_helper | cthelper | no | FIXME | FIXME |
    | helper | cthelper | no | FIXME | FIXME |
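    Two of the constraints stated above are easy to get wrong by hand: a DNAT redirect without src_dport forwards every destination port (Redirects section), and src/dest must name a zone that is actually defined (zone tables for redirects, forwardings and rules). The following POSIX shell/awk audit script is an added example, not part of the wiki or of fw3; it parses an /etc/config/firewall in UCI syntax from stdin and reports both problems. The sample configuration is constructed and the function names (audit_fw_config, sample_config) are my own.

```shell
# audit_fw_config: read an /etc/config/firewall in UCI syntax on stdin and
# report two misconfigurations discussed above:
#   1. a DNAT redirect without src_dport (it matches every destination port)
#   2. src/dest values that name a zone which is never defined
# One "WARN" line is printed per finding; the exit status is the finding count.
audit_fw_config() {
  # q carries a literal single quote into awk (the program itself is single-quoted)
  awk -v q="'" '
    # Strip one pair of surrounding quotes (single or double) from a UCI value.
    function unq(v) {
      if (substr(v, 1, 1) == q || substr(v, 1, 1) == "\"") v = substr(v, 2)
      if (substr(v, length(v)) == q || substr(v, length(v)) == "\"") v = substr(v, 1, length(v) - 1)
      return v
    }
    # End of a section: remember zone names, queue the sections we audit.
    function flush() {
      if (type == "zone") zones[unq(opt["name"])] = 1
      else if (type == "redirect" || type == "rule" || type == "forwarding") {
        n++
        stype[n] = type;              sname[n] = unq(opt["name"])
        ssrc[n] = unq(opt["src"]);    sdest[n] = unq(opt["dest"])
        sdport[n] = opt["src_dport"]; starget[n] = unq(opt["target"])
      }
      type = ""; split("", opt)          # portable way to clear the array
    }
    /^[[:space:]]*#/ { next }            # comment lines are not parsed by fw3 either
    $1 == "config" { flush(); type = $2; next }
    $1 == "option" || $1 == "list" {     # a value may contain spaces: rejoin $3..$NF
      val = $3; for (i = 4; i <= NF; i++) val = val " " $i
      opt[$2] = val; next
    }
    END {
      flush(); bad = 0
      for (i = 1; i <= n; i++) {
        label = stype[i] " \"" sname[i] "\""
        # target defaults to DNAT when omitted (see the redirect options table)
        if (stype[i] == "redirect" && (starget[i] == "" || starget[i] == "DNAT") && sdport[i] == "") {
          print "WARN " label ": DNAT redirect without src_dport forwards every port to dest_port"; bad++
        }
        if (ssrc[i] != "" && ssrc[i] != "*" && !(ssrc[i] in zones)) {
          print "WARN " label ": src zone " ssrc[i] " is not defined"; bad++
        }
        if (sdest[i] != "" && sdest[i] != "*" && !(sdest[i] in zones)) {
          print "WARN " label ": dest zone " sdest[i] " is not defined"; bad++
        }
      }
      exit bad
    }'
}

# Constructed sample configuration (not a real router config): one correct
# DNAT redirect, one missing src_dport, and one rule that names an undefined zone.
sample_config() {
  cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option masq '1'

# ok: only WAN port 19900 is redirected
config redirect
    option target 'DNAT'
    option proto 'tcp'
    option src 'wan'
    option src_dport '19900'
    option dest 'lan'
    option dest_port '22'
    option dest_ip '192.168.1.1'
    option name 'Allow Redirect WAN -> LAN (SSH)'

# problem: no src_dport, so any WAN port reaching the router goes to 192.168.1.10:80
config redirect
    option target 'DNAT'
    option proto 'tcp'
    option src 'wan'
    option dest 'lan'
    option dest_port '80'
    option dest_ip '192.168.1.10'
    option name 'Web (constructed misconfig)'

# problem: zone 'vpn' is never defined
config rule
    option name 'Reject All VPN -> LAN Traffic'
    option src 'vpn'
    option dest 'lan'
    option target 'REJECT'
EOF
}
# Stand-alone run: prints the two warnings and "findings: 2".
sample_config | audit_fw_config || echo "findings: $?"
```

    On a router, `audit_fw_config < /etc/config/firewall` runs the same checks against the live file.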

    ICMP Name Types

    address-mask-reply host-redirect pong time-exceeded
    address-mask-request host-unknown port-unreachable timestamp-reply
    any host-unreachable precedence-cutoff timestamp-request
    communication-prohibited ip-header-bad protocol-unreachable TOS-host-redirect
    destination-unreachable network-prohibited redirect TOS-host-unreachable
    echo-reply network-redirect required-option-missing TOS-network-redirect
    echo-request network-unknown router-advertisement TOS-network-unreachable
    fragmentation-needed network-unreachable router-solicitation ttl-exceeded
    host-precedence-violation parameter-problem source-quench ttl-zero-during-reassembly
    host-prohibited ping source-route-failed ttl-zero-during-transit

    Routing

    IP Sets

    fw3 supports referencing or creating ipsets to simplify matching of large address or port lists without the need for creating one rule per item to match.

    • :!: This needs the kmod-ipt-ipset kernel module installed.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | enabled | boolean | no | 1 | Allows disabling the declaration of the ipset without the need to delete the section. |
    | external | string | no | (none) | If the external option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the external option is unset, the firewall will create the ipset on start and destroy it on stop. |
    | name | string | yes if external is unset; no if external is set | (none) if external is unset; value of external if external is set | Specifies the firewall-internal name of the ipset which is used to reference the set in rules or redirects. |
    | family | string | no | ipv4 | Protocol family (ipv4 or ipv6) to create the ipset for. Only applicable to storage types hash and list; the bitmap type implies ipv4. |
    | storage | string | no | varies | Specifies the storage method (bitmap, hash or list) used by the ipset; the default varies depending on the used datatypes (see the match option below). In most cases the storage method can be inferred automatically from the datatype combination, but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip). |
    | match | list of direction/type tuples | yes | (none) | Specifies the matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined with the datatype by an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port"). |
    | iprange | IP range | yes for storage type bitmap with datatype ip | (none) | Specifies the IP range to cover, see ipset(8). Only applicable to the hash storage type. |
    | portrange | Port range | yes for storage type bitmap with datatype port | (none) | Specifies the port range to cover, see ipset(8). Only applicable to the hash storage type. |
    | netmask | integer | no | 32 | If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip. |
    | maxelem | integer | no | 65536 | Limits the number of items that can be added to the set; only applicable to the hash and list storage types. |
    | hashsize | integer | no | 1024 | Specifies the initial hash size of the set; only applicable to the hash storage type. |
    | timeout | integer | no | 0 | Specifies the default timeout for entries added to the set. A value of 0 means no timeout. |
    | entry | setentry | no | FIXME | FIXME |
    | loadfile | string | no | FIXME | FIXME |

    Storage / Match Options

    The order of datatype matches is significant

    | Family | Storage | Match | Notes |
    |---|---|---|---|
    | ipv4 | bitmap | ip | Requires iprange option |
    | ipv4 | bitmap | ip mac | Requires iprange option |
    | ipv4 | bitmap | port | Requires portrange option |
    | any | hash | ip | - |
    | any | hash | net | - |
    | any | hash | ip port | - |
    | any | hash | net port | - |
    | any | hash | ip port ip | - |
    | any | hash | ip port net | - |
    | - | list | set | Meta type to create a set-of-sets |

    IPv6

    As described above, the family option is used to distinguish between IPv4, IPv6 and both protocols. However, the family is inferred automatically when IPv6 addresses are used:

    config rule
        option  src         'wan'
        option  src_ip      'fdca:f00:ba3::/64'
        option  target      'ACCEPT'

    Similarly, a rule like the following is detected as IPv4 only:

    config rule
        option  src         'wan'
        option  dest_ip     '88.77.66.55'
        option  target      'REJECT'

    • Rules without IP addresses are automatically added to iptables and ip6tables, unless overridden by the family option.

    • Redirect rules (port forwards) are always IPv4 (for now) since there is no IPv6 DNAT support (yet).

    SNAT

    FIXME need to find how to use to document this

    Options

    snats.c:23:	FW3_OPT("enabled",             bool,      snat,     enabled),
    snats.c:25:	FW3_OPT("name",                string,    snat,     name),
    snats.c:26:	FW3_OPT("family",              family,    snat,     family),
    snats.c:28:	FW3_OPT("src",                 device,    snat,     src),
    snats.c:29:	FW3_OPT("device",              string,    snat,     device),
    snats.c:31:	FW3_OPT("ipset",               setmatch,  snat,     ipset),
    snats.c:33:	FW3_LIST("proto",              protocol,  snat,     proto),
    snats.c:35:	FW3_OPT("src_ip",              network,   snat,     ip_src),
    snats.c:36:	FW3_OPT("src_port",            port,      snat,     port_src),
    snats.c:38:	FW3_OPT("snat_ip",             network,   snat,     ip_snat),
    snats.c:39:	FW3_OPT("snat_port",           port,      snat,     port_snat),
    snats.c:41:	FW3_OPT("dest_ip",             network,   snat,     ip_dest),
    snats.c:42:	FW3_OPT("dest_port",           port,      snat,     port_dest),
    snats.c:44:	FW3_OPT("extra",               string,    snat,     extra),
    snats.c:46:	FW3_OPT("limit",               limit,     snat,     limit),
    snats.c:47:	FW3_OPT("limit_burst",         int,       snat,     limit.burst),
    snats.c:49:	FW3_OPT("connlimit_ports",     bool,      snat,     connlimit_ports),
    snats.c:51:	FW3_OPT("utc_time",            bool,      snat,     time.utc),
    snats.c:52:	FW3_OPT("start_date",          date,      snat,     time.datestart),
    snats.c:53:	FW3_OPT("stop_date",           date,      snat,     time.datestop),
    snats.c:54:	FW3_OPT("start_time",          time,      snat,     time.timestart),
    snats.c:55:	FW3_OPT("stop_time",           time,      snat,     time.timestop),
    snats.c:56:	FW3_OPT("weekdays",            weekdays,  snat,     time.weekdays),
    snats.c:57:	FW3_OPT("monthdays",           monthdays, snat,     time.monthdays),
    snats.c:59:	FW3_OPT("mark",                mark,      snat,     mark),
    snats.c:61:	FW3_OPT("target",              target,    snat,     target),
  • Mainly introduces the Docker advanced tutorial on adding and modifying firewall rules intelligently; readers who need it can refer to it.
  • Tips (1) Normally, after adding a port with ufw, it is automatically added to iptables ... modify firewall rules to open the specified port iptables -I INPUT -p tcp --dport PORT -j ACCEPT save firewall rules iptables-save after a server reboot,

    Tips

    (1) Normally, after a port is added with ufw, it is automatically added to iptables.

    (2) Sometimes, however, possibly because of the server's earlier configuration, the port is still not open after setting ufw; in that case iptables should be configured directly.

    Installing and using iptables

    • Install
    
    sudo apt-get install iptables
    
    
    • Modify the firewall rules to open a specified port
    
    # replace PORT with the port number to open
    iptables -I INPUT -p tcp --dport PORT -j ACCEPT
    
    
    • Save the firewall rules
    
    iptables-save
    
    
    • After a server reboot the rules above may be gone, so the rules need to be persisted
    
    # (1) install iptables-persistent
    
    sudo apt-get install iptables-persistent
    
    # (2) persist the rules
    
    sudo netfilter-persistent save
    
    sudo netfilter-persistent reload
    
    

    References

    • [Ubuntu: opening a specified port via iptables]: https://blog.csdn.net/londa/article/details/112179661
  • 2. Modifying firewall rules means editing the configuration by hand; 3. when modifying you also have to work out the source port, to prevent a reused port from logging users into the wrong container; 4. and when a container restarts unexpectedly and its internal IP changes, the rules have to be modified again. If so, this article has a solution for each of these pains...

    If you suffer from any of the following:

    1. You use the default docker0 bridge;

    2. Modifying firewall rules means editing the configuration by hand;

    3. When modifying you also have to work out the source port, to prevent a reused port from logging users into the wrong container;

    4. When a container restarts unexpectedly and its internal IP changes, the rules have to be modified again.

    Then this article is for you; it has a solution for each of these pains.

    At present there are only two ways to set access rules for Docker containers:

    1. Use -p when the container is created;

    2. While the container is running, get its IP and then do DNAT in the nat chain of the host's iptables.

    I had always used the second method, but as the number of my Docker projects grew (our developers currently use Docker containers as test machines), setting up the firewall access rules became very cumbersome. In addition, the earlier planning was not done well and the containers' network was still the default docker0 bridge, so whenever a container died, hit an exception, or the Docker daemon restarted, the container's IP changed, and after the change the firewall policy had to be modified. Very cumbersome.

    To solve this I wrote two programs: one that persists fixed container IPs (address: http://dl528888.blog.51cto.com/2382721/1616527), the other a smart firewall. Below is an introduction to the smart firewall's features.

    1. Introduction

    1.1 Language

    python

    1.2 Runtime environment

    Containers must be created with the persistent fixed-IP method I wrote about earlier.

    Additional Python modules that need to be installed:

    etcd

    docker

    nmap

    1.3 Base host firewall (filter and nat chains)

    By default there is a base host firewall in /root/firewall containing the filter and nat chains. My firewall program first reads this file, then fetches each container's firewall rules from etcd and combines them into the new rule set. Mine looks like this:

    [root@docker-test3 firewall]# cat /root/firewall/iptables_base.txt
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:83]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i em1 -j ACCEPT
    -A INPUT -i ovs1 -j ACCEPT
    #forllow is room network
    -A INPUT -s 117.121.x.0/24 

     This article is reposted from reinxu's 51CTO blog, original link: http://blog.51cto.com/dl528888/1619631; please contact the original author for reprint permission.
  • Today I tried to open Tomcat from the Internet and it did not work, so I debugged it and found a firewall rule problem; noting it down here. (My server runs Windows 10.) Control Panel - Windows Firewall - Advanced settings (left menu) - Inbound Rules (also on the left) - New Rule (on the right after selecting Inbound...

    Today I tried to open Tomcat from the Internet and it did not work, so I debugged it and found a firewall rule problem; noting it down here. (My server runs Windows 10.)

    Control Panel - Windows Firewall - Advanced settings (left menu) - Inbound Rules (also on the left) - New Rule (on the right after selecting Inbound)

    Then just follow the prompts.


  • After installing the MySQL service on a Linux server, port 3306 cannot be reached from outside; one of the reasons is the server's firewall configuration. Solution: switch to the directory holding the configuration and edit the firewall config file cd /etc/sysconfig sudo vim iptables find...
  • Firewall rules

    2018-06-28 13:34:17
    TopNSD SECURITY DAY04 Case 1: basic iptables management Case 2: filter filtering and forwarding control Case 3: firewall extension rules Case 4: configuring SNAT for shared Internet access ... viewing firewall rules; appending and inserting firewall rules; deleting and flushing firewall rules 1...
  • Adding a firewall rule before a given sequence number, i.e. before the DROP rule; viewing the firewall rules again. 1. Background: the company's security department detected an unauthorized-access vulnerability in YARN on the company's Hadoop cluster, namely ports 8080 and 8088 being reachable from the Internet, ...
  • firewalld firewall rules

    10k+ views, 2017-08-18 21:07:10
    The iptables-based firewall is not started by default but can still be used. Several firewalls coexist in RHEL 7: firewalld, iptables, ebtables, etc.; firewalld is the default and its management tool is firewall-cmd. The RHEL 7 kernel is version 3.10, and in this kernel version...
  • iptables, the Linux system firewall: the IP packet filtering system, which in fact ... located at /sbin/iptables, is the tool used to manage firewall rules, known as the "user-space" management system of the Linux firewall; it is a command-line program for managing the Linux firewall that makes inserting, modifying and deleting
  • Firewall classification. Packet-filtering firewalls work at the network layer of the OSI reference model and decide whether to let a packet through based on packet-header fields such as source address, destination address, port number and protocol type. Proxy firewalls work mainly at the OSI application layer; the proxy service, after confirming the client connection...
  • Configuring ESXi firewall rules

    1k+ views, 2020-04-04 21:02:44
    There is no point asking whether configuring firewall rules is harmful, since every administrator needs to fine-tune the network to assign access rights. So you should know all the tools at your disposal. Click to read the original. Configuring firewall rules via the vSphere Client: this method is very simple, even for...
  • One-click change of the default Remote Desktop port 3389 plus a firewall exception; no manual firewall changes needed, removes the security risk caused by the vulnerability; just double-click to run and reboot the computer! No other tedious steps.
  • Adding firewall rules from VC code

    1k+ views, 2018-05-20 15:12:06
    1. Adding firewall rules from VC code (calling the netsh command) BOOL DealExecCmd(CString strCommandLine) { USES_CONVERSION; STARTUPINFO StartInfo; memset(&StartInfo, '\0', sizeof(StartInfo)); StartInfo.cb ...
  • Linux firewall rules

    2019-07-12 17:34:09
    : checks the IP addresses of all passing traffic and filters it according to the packet-filtering rules set by the system administrator; packet filtering is a type of firewall built into the Linux kernel on top of its routing function and works at the network layer. Application-level gateway: the proxy server has a cache that stores pages users frequently...
  • CentOS firewall rule settings

    2021-06-23 16:45:37
    CentOS firewall rule settings. Enable the firewall and set it to start at boot systemctl start firewalld systemctl enable firewalld Check the firewall status [root@ecs-kunpeng ~]# systemctl status firewalld ● firewalld.service - ...
  • iptables firewall rules

    2020-03-27 22:39:07
    Linux firewall @[TOC](linux防火墙) 1. Introduction to iptables: iptables is a component in Linux for processing network packets, equivalent to a firewall; it can process passing packets ... **boot self-check** saving iptables rules 1. Introduction to iptables: ipta...
  • Matching flow of packet filtering 4.1 Matching order between rule tables 4.2 Order between rule chains 4.3 Order of the firewall rules within a chain 2. Writing firewall rules 1. Installing iptables 2. Basic syntax 3. Common control types 4. Common management options 4.1 Adding new rules 4.2 Viewing...
  • Configuring firewall rules. Find the sequence number of the existing port 80 rule (the number in the first column of the output) service iptbles status | grep 80 Restrict port 80 to a specific IP: allow 192.168.78.11 iptables -R INPUT 1 -s192.168.78.11 -ptcp --dport 80 -...
  • Firewall rule script

    2018-12-25 21:27:00
    ##flush firewall rules $ipt -F ##reject all incoming data, allow outgoing and forwarded data $ipt -P INPUT DROP $ipt -P OUTPUT ACCEPT $ipt -P FORWARD ACCEPT ##allow the related traffic of established connections (note: without this rule, incoming...
  • CentOS 7 firewall rules

    2020-07-30 17:49:34
    1. Check the firewalld service status systemctl status firewalld 2. Check the firewall state firewall-cmd --state ... 4. List the firewall rules firewall-cmd --list-all 5. Query, open and close ports #check whether a port is open f
  • Advanced firewall rules: Direct Rules

    1k+ views, 2018-12-10 22:21:26
    1. Overview of Direct Rules ... direct mode is intended for services or programs that need to add specific firewall rules at runtime. Rules added in direct mode are applied with priority. 2. Common commands 1. View the rules configured on the firewall firewall-cmd --direct ...
  • Cannot ping within the LAN: changing firewall rules

    10k+ views, 2018-03-12 13:39:29
    Control Panel -> System and Security -> Windows Firewall -> Advanced settings -> Inbound Rules -> File and Printer Sharing (Echo Request - ICMPv4-In) (enable) -> Properties 1. Set "Remote IP address" to "Any IP address" 2. On the "Advanced" page, select all "Profiles"...
  • Setting firewall rules with iptables. Anti-counterfeit code: "Learning without thought is labor lost; thought without learning is perilous!" Preface: everyone knows Michael Rash, a world-class security expert renowned for his work on firewalls, intrusion detection systems and more. That shows how important firewalls are! Below...
  • Sorting out the use of iptables firewall rules

    1k+ views, 2017-02-07 14:14:04
    Sorting out the use of iptables firewall rules. iptables makes up the packet-filtering firewall on the Linux platform; like most Linux software, this packet-filtering firewall is free and can replace expensive commercial firewall solutions, performing packet filtering, packet redirection and network address...
  • Tutorial with examples of adding and deleting iptables firewall rules. Date: 2016-02-05 13:15:58 Source: web. Summary: how to add and delete iptables firewall rules, iptables -nvL to view the current firewall rules, deleting iptables firewall rules, flushing all ... under Linux
