P.122
■firewalld
【centos6のiptables】
せ6> iptables -L -n -v -t filter
Chain INPUT (policy ACCEPT 1450 packets, 145K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 834 packets, 115K bytes)
pkts bytes target prot opt in out source destination
せ6> iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 53 packets, 9060 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 34 packets, 5580 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
Chain OUTPUT (policy ACCEPT 34 packets, 5580 bytes)
pkts bytes target prot opt in out source destination
せ6> iptables -L -n -v -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
せ6> iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 1519 packets, 151K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1519 packets, 151K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 877 packets, 123K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 877 packets, 123K bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
【centos7のiptables】
せ7> iptables -L -n -v -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
229 23039 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 80 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
54 9903 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
54 9903 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
54 9903 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
53 9851 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 183 packets, 19594 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
257 28494 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens37 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
22 4049 IN_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
23 4055 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
9 1799 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (3 references)
pkts bytes target prot opt in out source destination
54 9903 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
54 9903 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
54 9903 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
せ7> iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 15 packets, 2352 bytes)
pkts bytes target prot opt in out source destination
16 2680 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
16 2680 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
16 2680 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 98 packets, 8471 bytes)
pkts bytes target prot opt in out source destination
129 10845 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 98 packets, 8471 bytes)
pkts bytes target prot opt in out source destination
2 269 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
127 10576 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
127 10576 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
127 10576 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
124 10315 POST_public all -- * ens37 0.0.0.0/0 0.0.0.0/0 [goto]
2 181 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
1 80 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (3 references)
pkts bytes target prot opt in out source destination
127 10576 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
127 10576 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
127 10576 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
8 1478 PRE_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
8 1202 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (3 references)
pkts bytes target prot opt in out source destination
16 2680 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
16 2680 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
16 2680 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
せ7> iptables -L -n -v -t raw
Chain PREROUTING (policy ACCEPT 335 packets, 37498 bytes)
pkts bytes target prot opt in out source destination
335 37498 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 289 packets, 45378 bytes)
pkts bytes target prot opt in out source destination
289 45378 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
せ7> iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 289 packets, 29559 bytes)
pkts bytes target prot opt in out source destination
360 39686 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
360 39686 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
360 39686 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 289 packets, 29559 bytes)
pkts bytes target prot opt in out source destination
359 39358 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 229 packets, 39106 bytes)
pkts bytes target prot opt in out source destination
303 48006 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 238 packets, 40905 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
342 55557 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
163 17562 PRE_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
184 19985 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
13 2139 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (3 references)
pkts bytes target prot opt in out source destination
360 39686 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
360 39686 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
360 39686 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
せ7> systemctl list-unit-files --type=service | grep iptables
せ7> ←いないんご
せ7> systemctl list-unit-files --type=service | grep firewalld
firewalld.service enabled
■centos7のiptablesサービスはどこにいる?
・参考までにpostfix.serviceは
せ7> find /etc/systemd/system -name postfix.service
/etc/systemd/system/multi-user.target.wants/postfix.service
/etc/systemd/system/postfix.service
・参考までにfirewalld.serviceは
せ7> find /etc/systemd/system -name firewalld.service
/etc/systemd/system/basic.target.wants/firewalld.service
・iptables.serviceは?
せ7> find /etc/systemd/system -name "*iptables*"
せ7> ←いないんご