端口扫描开启防火墙 iptables SELinux

Linux 如何打开端口 - lclc - 博客园 https://www.cnblogs.com/lcword/p/5869522.html

linux如何查看端口相关信息_百度经验 https://jingyan.baidu.com/article/fdbd4277fba4dab89e3f48ab.html

[root@bigdata-server-01 sysconfig]# find / | grep iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables
/usr/sbin/iptables-save
/usr/share/doc/iptables-1.4.21
/usr/share/doc/iptables-1.4.21/COPYING
/usr/share/doc/iptables-1.4.21/INCOMPATIBILITIES
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/iptables.8.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/mime/text/x-iptables.xml
/usr/bin/iptables-xml
/etc/sysconfig/iptables-config
/etc/selinux/targeted/active/modules/100/iptables
/etc/selinux/targeted/active/modules/100/iptables/hll
/etc/selinux/targeted/active/modules/100/iptables/cil
/etc/selinux/targeted/active/modules/100/iptables/lang_ext
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/from_repo
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/checksum_data
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/origin_url
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/var_uuid
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/changed_by
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/var_infra
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/from_repo_revision
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/checksum_type
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/reason
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/command_line
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/from_repo_timestamp
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/installed_by
/var/lib/yum/yumdb/i/b65e29d0ee30309c2cf4ba3ab0cce299f698651c-iptables-1.4.21-18.2.el7_4-x86_64/releasever
[root@bigdata-server-01 sysconfig]#

service iptables start/stop

安装

解决CentOS7关闭/开启防火墙出现Unit iptables.service failed to load: No such file or directory. - CSDN博客 http://blog.csdn.net/c233728461/article/details/52679558

# yum install iptables

[root@bigdata-server-01 sysconfig]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@bigdata-server-01 sysconfig]# vim /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

:set nu

: 11,11 copy 11

复制已有的22端口行，改为5000，为flask准备

重启

iptables

systemctl restart iptables

[root@hadoop3 ~]# find / | grep iptables
/home/data/xl_tmp/C/Users/Administrator.PC-201707311140/Desktop/desk/manual-master.tar/html/tutorial/configure-linux-iptables-firewall.html
/home/data/xl_tmp/C/Users/Administrator.PC-201707311140/Desktop/manual-master.tar/html/tutorial/configure-linux-iptables-firewall.html
/etc/sysconfig/iptables-config
/etc/sysconfig/iptables
/etc/selinux/targeted/modules/active/modules/iptables.pp
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/from_repo
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/reason
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/releasever
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/var_uuid
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/checksum_type
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/checksum_data
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/from_repo_revision
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/from_repo_timestamp
/var/lib/yum/yumdb/i/fb1ea5f54bb511b515a25d6b6de76a796fcf68b2-iptables-1.4.21-16.el7-x86_64/installed_by
/usr/bin/iptables-xml
/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/share/doc/iptables-1.4.21
/usr/share/doc/iptables-1.4.21/COPYING
/usr/share/doc/iptables-1.4.21/INCOMPATIBILITIES
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz
/usr/share/mime/text/x-iptables.xml
[root@hadoop3 ~]#

https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/

iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

There are GUI alternatives to iptables like Firestarter, but iptables isn’t really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you’re SSH’d into a server, because one wrong command can permanently lock you out until it’s manually fixed at the physical machine.

Types of Chains

iptables uses three different chains: input, forward, and output.

Input – This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Forward – This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.

There’s one sure-fire way to check whether or not your system uses/needs the forward chain.

[root@hadoop3 ~]# /usr/sbin/iptables -h
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
[root@hadoop3 ~]#

The screenshot above is of a server that’s been running for a few weeks and has no restrictions on incoming or outgoing connections. As you can see, the input chain has processed 11GB of packets and the output chain has processed 17GB. The forward chain, on the other hand, has not needed to process a single packet. This is because the server isn’t doing any kind of forwarding or being used as a pass-through device.

Output – This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.

The caveat

Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.

Policy Chain Default Behavior

Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?

To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.

As you can see, we also used the grep command to give us cleaner output. In that screenshot, our chains are currently figured to accept traffic.

More times than not, you’ll want your system to accept connections by default. Unless you’ve changed the policy chain rules previously, this setting should already be configured. Either way, here’s the command to accept connections by default:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

By defaulting to the accept rule, you can then use iptables to deny specific IP addresses or port numbers, while continuing to accept all other connections. We’ll get to those commands in a minute.

If you would rather deny all connections and manually specify which ones you want to allow to connect, you should change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

Connection-specific Responses

With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.

Accept – Allow the connection.

Drop – Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject – Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.

Allowing the connection:

Dropping the connection:

Rejecting the connection:

Allowing or Blocking Specific Connections

With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.

Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.

Connections from a single IP address

This example shows how to block all connections from the IP address 10.10.10.10.

iptables -A INPUT -s 10.10.10.10 -j DROP

Connections from a range of IP addresses

This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

Connections to a specific port

This example shows how to block SSH connections from 10.10.10.10.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.

This example shows how to block SSH connections from any IP address.

iptables -A INPUT -p tcp --dport ssh -j DROP

Connection States

As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?

That’s where connection states come in, which give you the capability you’d need to allow two way communication but only allow one way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT

Saving Changes

The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:

Ubuntu:

sudo /sbin/iptables-save

Red Hat / CentOS:

/sbin/service iptables save

/etc/init.d/iptables save

Other Commands

List the currently configured iptables rules:

iptables -L

Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.

To clear all the currently configured rules, you can issue the flush command.

iptables -F

windows 打开关闭防火墙对比

C:\Users\sas>ping 192.168.2.160

正在 Ping 192.168.2.160 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。

192.168.2.160 的 Ping 统计信息:
数据包: 已发送 = 4，已接收 = 0，丢失 = 4 (100% 丢失)，

C:\Users\sas>ping 192.168.2.160

正在 Ping 192.168.2.160 具有 32 字节的数据:
来自 192.168.2.160 的回复: 字节=32 时间=1ms TTL=128
来自 192.168.2.160 的回复: 字节=32 时间<1ms TTL=128
来自 192.168.2.160 的回复: 字节=32 时间<1ms TTL=128
来自 192.168.2.160 的回复: 字节=32 时间<1ms TTL=128

192.168.2.160 的 Ping 统计信息:
数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，
往返行程的估计时间(以毫秒为单位):
最短 = 0ms，最长 = 1ms，平均 = 0ms

防火墙已经关闭

但是仍然

逐条检查

启用对远程服务器的访问
https://jingyan.baidu.com/album/8065f87f816f5323312498a1.html?picindex=5

注册表检查

打开注册表

C:\Windows\regedit.exe

计算机\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

AllowRemoteRPC 设为1 允许

计算机\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

检测端口是否被占用 netstat -at

设置3389为远程连接端口

PortNumber d3d 16进制 3389 =13+3*16+13*256 = 3328+61

SELinux_百度百科 https://baike.baidu.com/item/SELinux/8865268?fr=aladdin

【进程只能访问那些在他的任务中所需要文件】

SELinux(Security-Enhanced Linux) 是美国国家安全局（NSA）对于强制访问控制的实现，是 Linux历史上最杰出的新安全子系统。NSA是在Linux社区的帮助下开发了一种访问控制体系，在这种访问控制体系的限制下，进程只能访问那些在他的任务中所需要文件。SELinux 默认安装在 Fedora 和 Red Hat Enterprise Linux 上，也可以作为其他发行版上容易安装的包得到。

SELinux 是 2.6 版本的 Linux 内核中提供的强制访问控制(MAC）系统。对于目前可用的 Linux安全模块来说，SELinux 是功能最全面，而且测试最充分的，它是在 20 年的 MAC 研究基础上建立的。SELinux 在类型强制服务器中合并了多级安全性或一种可选的多类策略，并采用了基于角色的访问控制概念。 [1]

大部分使用 SELinux 的人使用的都是 SELinux 就绪的发行版，例如 Fedora、Red Hat Enterprise Linux (RHEL）、Debian或 Centos。它们都是在内核中启用 SELinux 的，并且提供一个可定制的安全策略，还提供很多用户层的库和工具，它们都可以使用 SELinux 的功能。

SELinux是一种基于域-类型模型（domain-type）的强制访问控制（MAC）安全系统，它由NSA编写并设计成内核模块包含到内核中，相应的某些安全相关的应用也被打了SELinux的补丁，最后还有一个相应的安全策略。任何程序对其资源享有完全的控制权。假设某个程序打算把含有潜在重要信息的文件扔到/tmp目录下，那么在DAC情况下没人能阻止他。SELinux提供了比传统的UNIX权限更好的访问控制。

SELinux系统比起通常的Linux系统来，安全性能要高的多，它通过对于用户，进程权限的最小化，即使受到攻击，进程或者用户权限被夺去，也不会对整个系统造成重大影响。

接下来我来介绍SELinux的一些特点。

对访问的控制彻底化

特点1：MAC(Mandatory Access Control）―――对访问的控制彻底化

对于所有的文件，目录，端口这类的资源的访问，都可以是基于策略设定的，这些策略是由管理员定制的、一般用户是没有权限更改的。

对于进程只赋予最小的权限

特点2：TE （Type Enforcement）――― 对于进程只赋予最小的权限

Te概念在 SELinux里非常的重要。它的特点是对所有的文件都赋予一个叫type的文件类型标签，对于所有的进程也赋予各自的一个叫 domain的标签。Domain标签能够执行的操作也是由access vector在策略里定好的。

我们熟悉的apache服务器，httpd进程只能在httpd_t 里运行，这个httpd_t 的domain能执行的操作，比如能读网页内容文件赋予httpd_sys_content_t，密码文件赋予shadow_t,TCP的80端口赋予 http_port_t等等。如果在access vector里我们不允许 http_t来对http_port_t进行操作的话，Apache启动都启动不了。反过来说，我们只允许80端口，只允许读取被标为 httpd_sys_content_t的文件，httpd_t就不能用别的端口，也不能更改那些被标为httpd_sys_content_t的文件（read only）。

防止权限升级

特点3：domain迁移 ―― 防止权限升级

在用户环境里运行点对点下载软件azureus，你当前的domain是fu_t，但是，你考虑到安全问题，你打算让他在azureus_t里运行，你要是在terminal里用命令启动azureus的话，它的进程的domain就会默认继承你实行的shell的fu_t。

有了domain迁移的话，我们就可以让azureus在我们指定的azureus_t里运行，在安全上面，这种做法更可取，它不会影响到你的fu_t。

下面是domain迁移指示的例子：

domain_auto_trans(fu_t,azureus_exec_t,azureus_t)

意思就是，当在 fu_t domain里，实行了被标为 azureus_exec_t的文件时，domain 从fu_t迁移到 azureus_t。下面是Apache启动的迁移图。注意了，因为从哪一个domain能迁移到httpd_t是在策略里定好了，所以要是我们手动 (/etc/init.d/httpd start）启动apache的话，可能仍然留在sysadm_t里，这样就不能完成正确的迁移。要用run_init命令来手动启动。

对于用户只赋予最小的权限

特点4：RBAC（role base access control) ――――― 对于用户只赋予最小的权限

对于用户来说，被划分成一些ROLE，即使是ROOT用户，你要是不在sysadm_r里，也还是不能实行sysadm_t管理操作的。因为，那些ROLE可以执行那些domain也是在策略里设定的。ROLE也是可以迁移的，但是也只能按策略规定的迁移。

ack with firstBadLink as 192.168.3.103:50010

关闭防火墙

systemctl stop firewalld.service

systemctl disable firewalld.service