Basic usage of the Linux firewall iptables


iptables is the firewall software commonly used on Linux. It filters network packets, and correctly configured iptables rules noticeably improve the network security of a Linux host: the administrator decides which IPs and which ports are open in order to keep attackers out.

iptables is organised in three layers, Table -> Chains -> Rules: iptables holds several tables, a table holds several chains, and a chain holds several rules.

  • Table: a group of firewall rules.
  • Chain: a chain of firewall rules.
  • Rule: a single firewall rule.

Chains & Tables

iptables has five built-in tables: the Filter table, the NAT table, the Mangle table, the Raw table and the Security table.

Filter Table:

The Filter table is the default table in iptables. If you do not create a custom table, iptables uses the settings in the Filter table to process network packets.

The Filter table has three default chains, INPUT, OUTPUT and FORWARD, each handling a different kind of packet:

  • INPUT chain: packets sent to this host by other machines.
  • OUTPUT chain: packets this host sends to other machines.
  • FORWARD chain: packets from an external machine that pass through this host on their way to a third machine; such packets only exist when your host acts as a router or proxy.

NAT Table: Network Address Translation

The NAT table has two default chains: PREROUTING and POSTROUTING.

  • PREROUTING chain: rewrites a packet's IP address information before the routing decision is made.
  • POSTROUTING chain: rewrites the host's own IP information after routing; for example, the local IP may appear as 127.0.0.1, but once the packet leaves the host it is translated back to the externally visible IP, such as 10.99.82.1.

 

Rule & Target

iptables has three default targets: ACCEPT, REJECT and LOG.

  • ACCEPT: accept the packet
  • REJECT: reject the packet
  • LOG: log the packet; the log entry is written to /var/log/messages

 


How to use iptables

Before using iptables, make sure the following two packages are installed on your system:

  • iptables
  • iptables-services

On CentOS, install them with:

sudo yum install iptables-services iptables

On Debian/Ubuntu, run:

apt-get install iptables

iptables options

Usage: iptables -[ACD] chain rule-specification [options]
 iptables -I chain [rulenum] rule-specification [options]
 iptables -R chain rulenum rule-specification [options]
 iptables -D chain rulenum [options]
 iptables -[LS] [chain [rulenum]] [options]
 iptables -[FZ] [chain] [options]
 iptables -[NX] chain
 iptables -E old-chain-name new-chain-name
 iptables -P chain target [options]
 iptables -h (print this help information)

Commands:
Either long or short options are allowed.
 --append -A chain Append to chain
 --check -C chain Check for the existence of a rule
 --delete -D chain Delete matching rule from chain
 --delete -D chain rulenum
 Delete rule rulenum (1 = first) from chain
 --insert -I chain [rulenum]
 Insert in chain as rulenum (default 1=first)
 --replace -R chain rulenum
 Replace rule rulenum (1 = first) in chain
 --list -L [chain [rulenum]]
 List the rules in a chain or all chains
 --list-rules -S [chain [rulenum]]
 Print the rules in a chain or all chains
 --flush -F [chain] Delete all rules in chain or all chains
 --zero -Z [chain [rulenum]]
 Zero counters in chain or all chains
 --new -N chain Create a new user-defined chain
 --delete-chain
 -X [chain] Delete a user-defined chain
 --policy -P chain target
 Change policy on chain to target
 --rename-chain
 -E old-chain new-chain
 Change chain name, (moving any references)
Options:
 --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
 --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
 source specification
[!] --destination -d address[/mask][...]
 destination specification
[!] --in-interface -i input name[+]
 network interface name ([+] for wildcard)
 --jump -j target
 target for rule (may load target extension)
 --goto -g chain
 jump to chain with no return
 --match -m match
 extended match (may load extension)
 --numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
 network interface name ([+] for wildcard)
 --table -t table table to manipulate (default: `filter')
 --verbose -v verbose mode
 --wait -w [seconds] maximum wait to acquire xtables lock before give up
 --wait-interval -W [usecs] wait time to try to acquire xtables lock
 default is 1 second
 --line-numbers print line numbers when listing
 --exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
 --modprobe=<command> try to insert modules using this command
 --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

  • -I, --insert chain [rulenum] rule-specification: -I stands for insert and adds a new rule.
    • The first argument is the chain name.
    • The second argument is the rule's position; the default is 1, and if you specify 1 the new rule is placed at the very top of the list.
    • Example: sudo iptables -I INPUT 1 -j ACCEPT
  • -j, --jump target: when a packet matches this rule, -j hands the packet to the given chain (or target), which decides what happens to it next.

We can run "sudo iptables -N newChain" to create a new chain called "newChain" and then use -j newChain to let that chain decide the packet's next step. For example, I hand every packet for port 80 to newChain to decide how it is handled, and inside "newChain" I specify "-j REJECT"; REJECT is a built-in rule target meaning the packet is refused.

 

Clearing the existing iptables rules

The -F option clears all iptables rules.

sudo iptables -F

 

Opening specific ports

# Allow the local loopback interface (the host talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow the FTP service on ports 21 and 20
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

1) Using DROP:

iptables -A INPUT -p tcp -j DROP

2) Using REJECT:

iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Filtering IPs

# Block a single IP:
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block a whole network, i.e. 123.0.0.1 through 123.255.255.254:
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block a class B network, i.e. 123.45.0.1 through 123.45.255.254:
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block a class C network, i.e. 123.45.6.1 through 123.45.6.254:
iptables -I INPUT -s 123.45.6.0/24 -j DROP
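The two points made above, that -I puts a rule at the top of a chain while -A appends it at the bottom, and that -j newChain hands the decision to a custom chain, decide whether an IP block actually fires. The following simulator is an added example, not code from the original post: it evaluates a small subset of iptables rule syntax with the kernel's first-match semantics on constructed rule sets, so the effect of rule order can be seen without root access.

```shell
# Added example, not code from the original post: a first-match simulator for
# iptables filter rules, showing why rule ORDER (-I vs -A) and custom chains
# (-j newChain) decide a packet's fate, without touching the kernel. Rule
# syntax is a subset of iptables: -s ADDR[/BITS], -p PROTO, --dport PORT,
# -j TARGET; each rule line reads "CHAIN <matches> -j TARGET".
set -eu
ip2int() {                        # dotted quad -> 32-bit integer
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_match() {                    # cidr_match NET[/BITS] ADDR: true if ADDR is in NET
  local net bits mask
  net=${1%/*}; bits=32
  case $1 in */*) bits=${1#*/} ;; esac
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# rule_target "RULE" SRC PROTO DPORT: prints the -j target if RULE matches the packet.
rule_target() {
  local src proto dport target
  src=$2; proto=$3; dport=$4; target=""
  set -- $1
  while [ $# -gt 0 ]; do
    case $1 in
      -s)      cidr_match "$2" "$src" || return 0; shift 2 ;;   # no match: print nothing
      -p)      [ "$2" = "$proto" ]    || return 0; shift 2 ;;
      --dport) [ "$2" = "$dport" ]    || return 0; shift 2 ;;
      -j)      target=$2; shift 2 ;;
      *)       shift ;;
    esac
  done
  echo "$target"
}

# walk_chain RULESET CHAIN SRC PROTO DPORT: walks CHAIN top to bottom like the
# kernel and prints the first terminating target; a user chain that reaches
# its end prints nothing (RETURN) so the caller keeps going.
walk_chain() {
  local ruleset chain src proto dport line t sub
  ruleset=$1; chain=$2; src=$3; proto=$4; dport=$5
  while IFS= read -r line; do
    [ "${line%% *}" = "$chain" ] || continue
    t=$(rule_target "${line#* }" "$src" "$proto" "$dport")
    case $t in
      "")                 ;;                                   # no match
      ACCEPT|DROP|REJECT) echo "$t"; return 0 ;;               # terminating
      *)  sub=$(walk_chain "$ruleset" "$t" "$src" "$proto" "$dport")
          if [ -n "$sub" ]; then echo "$sub"; return 0; fi ;;
    esac
  done <<EOF
$ruleset
EOF
  return 0
}

# verdict RULESET CHAIN SRC PROTO DPORT [POLICY]: the chain policy (default
# ACCEPT, like ':INPUT ACCEPT' in the post) applies only if no rule matched.
verdict() {
  local hit
  hit=$(walk_chain "$1" "$2" "$3" "$4" "$5")
  echo "${hit:-${6:-ACCEPT}}"
}

# Constructed rule sets mirroring the post: port 80 goes to newChain, which
# REJECTs it, and SSH on 22 is allowed. APPENDED adds the IP block with -A
# (below the SSH ACCEPT); INSERTED adds it with "-I INPUT 1" (top of chain).
BASE='INPUT -p tcp --dport 80 -j newChain
INPUT -p tcp --dport 22 -j ACCEPT
newChain -j REJECT'
APPENDED="$BASE
INPUT -s 123.45.6.0/24 -j DROP"
INSERTED="INPUT -s 123.45.6.0/24 -j DROP
$BASE"

echo "SSH from blocked net, -A: $(verdict "$APPENDED" INPUT 123.45.6.7 tcp 22)"   # ACCEPT
echo "SSH from blocked net, -I: $(verdict "$INSERTED" INPUT 123.45.6.7 tcp 22)"   # DROP
echo "Unlisted port, DROP policy: $(verdict "$INSERTED" INPUT 10.0.0.5 tcp 443 DROP)"   # DROP
```

The appended block never fires for SSH because the ACCEPT for port 22 matches first; only the inserted form, or a DROP policy for what no rule lists, closes that gap.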

Viewing the existing iptables rules

iptables -L -n

-v: show details, including the packet and byte counters of every rule
-x: on top of -v, disable automatic unit conversion (K, M)
-n: show only IP addresses and port numbers, without resolving IPs to hostnames


Deleting an iptables rule that was added

To list every rule with its index number, run:
iptables -L -n --line-numbers

Written with a single dash, as -line-numbers, the command fails on CentOS with the error below, because iptables long options always take two dashes:

Bad argument `-line-numbers'
Try `iptables -h' or 'iptables --help' for more information.

To delete rule number 8 in INPUT, run:

iptables -D INPUT 8

Starting iptables at boot and saving the rules

On CentOS it can happen that iptables does not start at boot after installation. Run:

chkconfig --level 345 iptables on

to add it to the services started at boot.

On CentOS, the rules can be saved with:

service iptables save

On Debian/Ubuntu, iptables does not save the rules by itself; use the iptables-save command to store all chains and rules:

sudo iptables-save > /etc/iptables.rules

So that the rules are loaded automatically after the server reboots, create the following file:

sudo vim /etc/network/if-pre-up.d/iptables

with this content (it restores the saved rules before the interface comes up):

#!/bin/bash
iptables-restore < /etc/iptables.rules

Set the execute permission:

chmod +x /etc/network/if-pre-up.d/iptables

 

On CentOS:

The /etc/sysconfig/iptables-config file stores information used by the kernel to set up packet filtering services at boot time or whenever the service is started.

After a reboot, the system reads the current settings from the path above.

That file contains the following setting:

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

By default, the rules typed at the terminal are not saved to the file automatically when the service stops, so the file at the path above does not exist by default either.

If iptables shows rules but there is no file at that path, the firewall may have been configured through some other firewall tool.

 

CentOS Activating the IPTables Service
https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-basic-firewall-activate-iptables.html

The firewall rules are only active if the iptables service is running. To manually start the service, use the following command:

[root@myServer ~] # service iptables restart

To ensure that iptables starts when the system is booted, use the following command:

[root@myServer ~] # chkconfig --level 345 iptables on

The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:

[root@myServer ~] # service ipchains stop
[root@myServer ~] # chkconfig --level 345 ipchains off

 

 

Here is a basic rule set:

*filter
:INPUT ACCEPT [106:85568]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:168166]
:RH-Firewall-1-INPUT - [0:0]
# Allow the local loopback interface (the host talking to itself)
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
-A OUTPUT -j ACCEPT
# Allow PPTP dial-up to the Internet
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
# Only a specific host may reach the Rsync data synchronisation service
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 873 -j ACCEPT
# Only a specific host may reach the WDCP management system
-A INPUT -s 6.6.6.6/32 -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow access to SSH
-A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
# Allow access to FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# Allow access to the web service
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Block every connection not explicitly allowed
-A INPUT -p tcp -j DROP
# Note: if port 22 is not in the allow rules, SSH connections will be cut off.
#-A INPUT -j REJECT
#-A FORWARD -j REJECT
COMMIT

 

The rules can be loaded directly as follows:
1. Copy the rules you need from above into iptables.test.rules:

sudo vim /etc/iptables.test.rules

2. Load the rules from iptables.test.rules so they take effect:

sudo iptables-restore < /etc/iptables.test.rules

3. Check the current configuration; all the settings should now be active:

sudo iptables -L -n

4. Save the active configuration so it is loaded automatically when the system restarts:

iptables-save > /etc/iptables.rules
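The note in the rule set above (SSH is cut off if its port is not allowed before the catch-all DROP) is the classic way to lock yourself out of a remote host, and a catch-all written as "-p tcp -j DROP" under an ACCEPT policy still lets UDP and ICMP through. The following checker is an added example, not code from the original post: run it on a rule file before step 2 (iptables-restore) to catch those problems and the single-dash option typo. The BROKEN and FIXED rule files are constructed for the demonstration.

```shell
# Added example, not code from the original post: a pre-flight check for an
# iptables-restore file like the one above, to run before
# "iptables-restore < file". It flags the mistakes most likely to lock an admin
# out or leave a hole: long options written with one dash (-dport, -state), a
# catch-all DROP/REJECT placed above (or without) the SSH ACCEPT, and a
# catch-all limited to one protocol under an ACCEPT policy, which silently
# leaves UDP and ICMP open.
set -eu

# lint_rules SSH_PORT < rulefile: prints one finding per line; exits 1 if any.
lint_rules() {
  awk -v ssh="$1" '
    /^#/ || /^[ \t]*$/ { next }
    /^\*/       { table = substr($1, 2); next }
    /^:INPUT/   { if (table == "filter") policy = $2; next }
    /^:/ || /^COMMIT/ { next }
    {
      for (i = 1; i <= NF; i++)             # iptables long options take "--"
        if ($i ~ /^-[a-z][a-z]+$/) {
          print "line " NR ": " $i " is a single-dash long option; use -" $i; n++
        }
      if (table != "filter" || $2 != "INPUT") next
      narrow = proto = sshport = 0; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(-s|-d|-i|--dport|--sport|--state|--ctstate)$/) narrow = 1
        if ($i == "-p") proto = 1
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport" && $(i + 1) == ssh) sshport = 1
      }
      if (sshport && target == "ACCEPT" && !catchall) ssh_ok = 1
      if ((target == "DROP" || target == "REJECT") && !narrow) {
        catchall = 1
        if (!ssh_ok) {
          print "line " NR ": catch-all " target " sits above any ACCEPT for tcp/" ssh "; new SSH logins will fail"; n++
        }
        if (proto && policy != "DROP") {
          print "line " NR ": catch-all covers one protocol only while INPUT policy is " policy "; UDP/ICMP stay open"; n++
        }
      }
    }
    END {
      if (policy == "ACCEPT" && !catchall) {
        print "INPUT has neither a DROP policy nor a catch-all rule; every unlisted port is open"; n++
      }
      exit (n > 0)
    }'
}

# Constructed rule files. BROKEN keeps the mistakes from the post's rule set;
# FIXED is the defensive version: default-deny policy, "--state", SSH allowed
# above the catch-all, and a catch-all that covers every protocol.
BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT
COMMIT'

printf '%s\n' "$BROKEN" | lint_rules 22 || echo "BROKEN: refusing to load"
printf '%s\n' "$FIXED"  | lint_rules 22 && echo "FIXED: safe to iptables-restore"
```

In a deployment script the same gate reads "lint_rules 22 < /etc/iptables.test.rules && iptables-restore < /etc/iptables.test.rules", so a file that would lock you out is never loaded.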



On RedHat/CentOS, besides iptables, the firewall can also be configured with firewall-cmd:

To allow remote connections, open the SQL Server port in the firewall on RHEL. The default SQL Server port is TCP 1433. If you use the FirewallD firewall, you can use the following commands:

sudo firewall-cmd --zone=public --add-port=1433/tcp --permanent
sudo firewall-cmd --reload

firewall-cmd usage

Usage: firewall-cmd [OPTIONS...]

General Options
 -h, --help Prints a short help text and exists
 -V, --version Print the version string of firewalld
 -q, --quiet Do not print status messages

Status Options
 --state Return and print firewalld state
 --reload Reload firewall and keep state information
 --complete-reload Reload firewall and lose state information
 --runtime-to-permanent
 Create permanent from runtime configuration

Log Denied Options
 --get-log-denied Print the log denied value
 --set-log-denied=<value>
 Set log denied value

Automatic Helpers Options
 --get-automatic-helpers
 Print the automatic helpers value
 --set-automatic-helpers=<value>
 Set automatic helpers value

Permanent Options
 --permanent Set an option permanently
 Usable for options marked with [P]

Zone Options
 --get-default-zone Print default zone for connections and interfaces
 --set-default-zone=<zone>
 Set default zone
 --get-active-zones Print currently active zones
 --get-zones Print predefined zones [P]
 --get-services Print predefined services [P]
 --get-icmptypes Print predefined icmptypes [P]
 --get-zone-of-interface=<interface>
 Print name of the zone the interface is bound to [P]
 --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
 Print name of the zone the source is bound to [P]
 --list-all-zones List everything added for or enabled in all zones [P]
 --new-zone=<zone> Add a new zone [P only]
 --new-zone-from-file=<filename> [--name=<zone>]
 Add a new zone from file with optional name [P only]
 --delete-zone=<zone> Delete an existing zone [P only]
 --load-zone-defaults=<zone>
 Load zone default settings [P only] [Z]
 --zone=<zone> Use this zone to set or query options, else default zone
 Usable for options marked with [Z]
 --get-target Get the zone target [P only] [Z]
 --set-target=<target>
 Set the zone target [P only] [Z]
 --info-zone=<zone> Print information about a zone
 --path-zone=<zone> Print file path of a zone [P only]

IPSet Options
 --get-ipset-types Print the supported ipset types
 --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
 Add a new ipset [P only]
 --new-ipset-from-file=<filename> [--name=<ipset>]
 Add a new ipset from file with optional name [P only]
 --delete-ipset=<ipset>
 Delete an existing ipset [P only]
 --load-ipset-defaults=<ipset>
 Load ipset default settings [P only]
 --info-ipset=<ipset> Print information about an ipset
 --path-ipset=<ipset> Print file path of an ipset [P only]
 --get-ipsets Print predefined ipsets
 --ipset=<ipset> --set-description=<description>
 Set new description to ipset [P only]
 --ipset=<ipset> --get-description
 Print description for ipset [P only]
 --ipset=<ipset> --set-short=<description>
 Set new short description to ipset [P only]
 --ipset=<ipset> --get-short
 Print short description for ipset [P only]
 --ipset=<ipset> --add-entry=<entry>
 Add a new entry to an ipset [P]
 --ipset=<ipset> --remove-entry=<entry>
 Remove an entry from an ipset [P]
 --ipset=<ipset> --query-entry=<entry>
 Return whether ipset has an entry [P]
 --ipset=<ipset> --get-entries
 List entries of an ipset [P]
 --ipset=<ipset> --add-entries-from-file=<entry>
 Add a new entries to an ipset [P]
 --ipset=<ipset> --remove-entries-from-file=<entry>
 Remove entries from an ipset [P]

IcmpType Options
 --new-icmptype=<icmptype>
 Add a new icmptype [P only]
 --new-icmptype-from-file=<filename> [--name=<icmptype>]
 Add a new icmptype from file with optional name [P only]
 --delete-icmptype=<icmptype>
 Delete an existing icmptype [P only]
 --load-icmptype-defaults=<icmptype>
 Load icmptype default settings [P only]
 --info-icmptype=<icmptype>
 Print information about an icmptype
 --path-icmptype=<icmptype>
 Print file path of an icmptype [P only]
 --icmptype=<icmptype> --set-description=<description>
 Set new description to icmptype [P only]
 --icmptype=<icmptype> --get-description
 Print description for icmptype [P only]
 --icmptype=<icmptype> --set-short=<description>
 Set new short description to icmptype [P only]
 --icmptype=<icmptype> --get-short
 Print short description for icmptype [P only]
 --icmptype=<icmptype> --add-destination=<ipv>
 Enable destination for ipv in icmptype [P only]
 --icmptype=<icmptype> --remove-destination=<ipv>
 Disable destination for ipv in icmptype [P only]
 --icmptype=<icmptype> --query-destination=<ipv>
 Return whether destination ipv is enabled in icmptype [P only]
 --icmptype=<icmptype> --get-destinations
 List destinations in icmptype [P only]

Service Options
 --new-service=<service>
 Add a new service [P only]
 --new-service-from-file=<filename> [--name=<service>]
 Add a new service from file with optional name [P only]
 --delete-service=<service>
 Delete an existing service [P only]
 --load-service-defaults=<service>
 Load icmptype default settings [P only]
 --info-service=<service>
 Print information about a service
 --path-service=<service>
 Print file path of a service [P only]
 --service=<service> --set-description=<description>
 Set new description to service [P only]
 --service=<service> --get-description
 Print description for service [P only]
 --service=<service> --set-short=<description>
 Set new short description to service [P only]
 --service=<service> --get-short
 Print short description for service [P only]
 --service=<service> --add-port=<portid>[-<portid>]/<protocol>
 Add a new port to service [P only]
 --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
 Remove a port from service [P only]
 --service=<service> --query-port=<portid>[-<portid>]/<protocol>
 Return whether the port has been added for service [P only]
 --service=<service> --get-ports
 List ports of service [P only]
 --service=<service> --add-protocol=<protocol>
 Add a new protocol to service [P only]
 --service=<service> --remove-protocol=<protocol>
 Remove a protocol from service [P only]
 --service=<service> --query-protocol=<protocol>
 Return whether the protocol has been added for service [P only]
 --service=<service> --get-protocols
 List protocols of service [P only]
 --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
 Add a new source port to service [P only]
 --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
 Remove a source port from service [P only]
 --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
 Return whether the source port has been added for service [P only]
 --service=<service> --get-source-ports
 List source ports of service [P only]
 --service=<service> --add-module=<module>
 Add a new module to service [P only]
 --service=<service> --remove-module=<module>
 Remove a module from service [P only]
 --service=<service> --query-module=<module>
 Return whether the module has been added for service [P only]
 --service=<service> --get-modules
 List modules of service [P only]
 --service=<service> --set-destination=<ipv>:<address>[/<mask>]
 Set destination for ipv to address in service [P only]
 --service=<service> --remove-destination=<ipv>
 Disable destination for ipv i service [P only]
 --service=<service> --query-destination=<ipv>:<address>[/<mask>]
 Return whether destination ipv is set for service [P only]
 --service=<service> --get-destinations
 List destinations in service [P only]

Options to Adapt and Query Zones
 --list-all List everything added for or enabled in a zone [P] [Z]
 --list-services List services added for a zone [P] [Z]
 --timeout=<timeval> Enable an option for timeval time, where timeval is
 a number followed by one of letters 's' or 'm' or 'h'
 Usable for options marked with [T]
 --set-description=<description>
 Set new description to zone [P only] [Z]
 --get-description Print description for zone [P only] [Z]
 --set-short=<description>
 Set new short description to zone [P only] [Z]
 --get-short Print short description for zone [P only] [Z]
 --add-service=<service>
 Add a service for a zone [P] [Z] [T]
 --remove-service=<service>
 Remove a service from a zone [P] [Z]
 --query-service=<service>
 Return whether service has been added for a zone [P] [Z]
 --list-ports List ports added for a zone [P] [Z]
 --add-port=<portid>[-<portid>]/<protocol>
 Add the port for a zone [P] [Z] [T]
 --remove-port=<portid>[-<portid>]/<protocol>
 Remove the port from a zone [P] [Z]
 --query-port=<portid>[-<portid>]/<protocol>
 Return whether the port has been added for zone [P] [Z]
 --list-protocols List protocols added for a zone [P] [Z]
 --add-protocol=<protocol>
 Add the protocol for a zone [P] [Z] [T]
 --remove-protocol=<protocol>
 Remove the protocol from a zone [P] [Z]
 --query-protocol=<protocol>
 Return whether the protocol has been added for zone [P] [Z]
 --list-source-ports List source ports added for a zone [P] [Z]
 --add-source-port=<portid>[-<portid>]/<protocol>
 Add the source port for a zone [P] [Z] [T]
 --remove-source-port=<portid>[-<portid>]/<protocol>
 Remove the source port from a zone [P] [Z]
 --query-source-port=<portid>[-<portid>]/<protocol>
 Return whether the source port has been added for zone [P] [Z]
 --list-icmp-blocks List Internet ICMP type blocks added for a zone [P] [Z]
 --add-icmp-block=<icmptype>
 Add an ICMP block for a zone [P] [Z] [T]
 --remove-icmp-block=<icmptype>
 Remove the ICMP block from a zone [P] [Z]
 --query-icmp-block=<icmptype>
 Return whether an ICMP block has been added for a zone
 [P] [Z]
 --add-icmp-block-inversion
 Enable inversion of icmp blocks for a zone [P] [Z]
 --remove-icmp-block-inversion
 Disable inversion of icmp blocks for a zone [P] [Z]
 --query-icmp-block-inversion
 Return whether inversion of icmp blocks has been enabled
 for a zone [P] [Z]
 --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
 --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
 Add the IPv4 forward port for a zone [P] [Z] [T]
 --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
 Remove the IPv4 forward port from a zone [P] [Z]
 --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
 Return whether the IPv4 forward port has been added for
 a zone [P] [Z]
 --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T]
 --remove-masquerade Disable IPv4 masquerade for a zone [P] [Z]
 --query-masquerade Return whether IPv4 masquerading has been enabled for a
 zone [P] [Z]
 --list-rich-rules List rich language rules added for a zone [P] [Z]
 --add-rich-rule=<rule>
 Add rich language rule 'rule' for a zone [P] [Z] [T]
 --remove-rich-rule=<rule>
 Remove rich language rule 'rule' from a zone [P] [Z]
 --query-rich-rule=<rule>
 Return whether a rich language rule 'rule' has been
 added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
 --list-interfaces List interfaces that are bound to a zone [P] [Z]
 --add-interface=<interface>
 Bind the <interface> to a zone [P] [Z]
 --change-interface=<interface>
 Change zone the <interface> is bound to [Z]
 --query-interface=<interface>
 Query whether <interface> is bound to a zone [P] [Z]
 --remove-interface=<interface>
 Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
 --list-sources List sources that are bound to a zone [P] [Z]
 --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
 Bind the source to a zone [P] [Z]
 --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
 Change zone the source is bound to [Z]
 --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
 Query whether the source is bound to a zone [P] [Z]
 --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
 Remove binding of the source from a zone [P] [Z]

Helper Options
 --new-helper=<helper> --module=<module> [--family=<family>]
 Add a new helper [P only]
 --new-helper-from-file=<filename> [--name=<helper>]
 Add a new helper from file with optional name [P only]
 --delete-helper=<helper>
 Delete an existing helper [P only]
 --load-helper-defaults=<helper>
 Load helper default settings [P only]
 --info-helper=<helper> Print information about an helper
 --path-helper=<helper> Print file path of an helper [P only]
 --get-helpers Print predefined helpers
 --helper=<helper> --set-description=<description>
 Set new description to helper [P only]
 --helper=<helper> --get-description
 Print description for helper [P only]
 --helper=<helper> --set-short=<description>
 Set new short description to helper [P only]
 --helper=<helper> --get-short
 Print short description for helper [P only]
 --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
 Add a new port to helper [P only]
 --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
 Remove a port from helper [P only]
 --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
 Return whether the port has been added for helper [P only]
 --helper=<helper> --get-ports
 List ports of helper [P only]
 --helper=<helper> --set-module=<module>
 Set module to helper [P only]
 --helper=<helper> --get-module
 Get module from helper [P only]
 --helper=<helper> --set-family={ipv4|ipv6|}
 Set family for helper [P only]
 --helper=<helper> --get-family
 Get module from helper [P only]

Direct Options
 --direct First option for all direct options
 --get-all-chains
 Get all chains [P]
 --get-chains {ipv4|ipv6|eb} <table>
 Get all chains added to the table [P]
 --add-chain {ipv4|ipv6|eb} <table> <chain>
 Add a new chain to the table [P]
 --remove-chain {ipv4|ipv6|eb} <table> <chain>
 Remove the chain from the table [P]
 --query-chain {ipv4|ipv6|eb} <table> <chain>
 Return whether the chain has been added to the table [P]
 --get-all-rules
 Get all rules [P]
 --get-rules {ipv4|ipv6|eb} <table> <chain>
 Get all rules added to chain in table [P]
 --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
 Add rule to chain in table [P]
 --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
 Remove rule with priority from chain in table [P]
 --remove-rules {ipv4|ipv6|eb} <table> <chain>
 Remove rules from chain in table [P]
 --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
 Return whether a rule with priority has been added to
 chain in table [P]
 --passthrough {ipv4|ipv6|eb} <arg>...
 Pass a command through (untracked by firewalld)
 --get-all-passthroughs
 Get all tracked passthrough rules [P]
 --get-passthroughs {ipv4|ipv6|eb} <arg>...
 Get tracked passthrough rules [P]
 --add-passthrough {ipv4|ipv6|eb} <arg>...
 Add a new tracked passthrough rule [P]
 --remove-passthrough {ipv4|ipv6|eb} <arg>...
 Remove a tracked passthrough rule [P]
 --query-passthrough {ipv4|ipv6|eb} <arg>...
 Return whether the tracked passthrough rule has been
 added [P]

Lockdown Options
 --lockdown-on Enable lockdown.
 --lockdown-off Disable lockdown.
 --query-lockdown Query whether lockdown is enabled

Lockdown Whitelist Options
 --list-lockdown-whitelist-commands
 List all command lines that are on the whitelist [P]
 --add-lockdown-whitelist-command=<command>
 Add the command to the whitelist [P]
 --remove-lockdown-whitelist-command=<command>
 Remove the command from the whitelist [P]
 --query-lockdown-whitelist-command=<command>
 Query whether the command is on the whitelist [P]
 --list-lockdown-whitelist-contexts
 List all contexts that are on the whitelist [P]
 --add-lockdown-whitelist-context=<context>
 Add the context context to the whitelist [P]
 --remove-lockdown-whitelist-context=<context>
 Remove the context from the whitelist [P]
 --query-lockdown-whitelist-context=<context>
 Query whether the context is on the whitelist [P]
 --list-lockdown-whitelist-uids
 List all user ids that are on the whitelist [P]
 --add-lockdown-whitelist-uid=<uid>
 Add the user id uid to the whitelist [P]
 --remove-lockdown-whitelist-uid=<uid>
 Remove the user id uid from the whitelist [P]
 --query-lockdown-whitelist-uid=<uid>
 Query whether the user id uid is on the whitelist [P]
 --list-lockdown-whitelist-users
 List all user names that are on the whitelist [P]
 --add-lockdown-whitelist-user=<user>
 Add the user name user to the whitelist [P]
 --remove-lockdown-whitelist-user=<user>
 Remove the user name user from the whitelist [P]
 --query-lockdown-whitelist-user=<user>
 Query whether the user name user is on the whitelist [P]

Panic Options
 --panic-on Enable panic mode
 --panic-off Disable panic mode
 --query-panic Query whether panic mode is enabled

 

 

Related articles:

Chapter 9: Firewalls and NAT servers
http://linux.vbird.org/linux_server/0250simple_firewall.php

Getting started with iptables configuration
http://s2.naes.tn.edu.tw/~kv/iptables.htm

Linux iptables firewall configuration
https://www.puritys.me/docs-blog/article-321-Linux-iptables-%E9%98%B2%E7%81%AB%E7%89%86%E8%A8%AD%E5%AE%9A.html

MacOS X Firewall
http://stackoverflow.max-everyday.com/2017/09/macos-x-firewall/
