
今日の覚書 20141020

CentOS 7 をインストールしたので iptables-save で現在のルールを見てみたら、見慣れないチェインが大量に増えている（従来の素の iptables ではなく、firewalld が生成しているもののようだ）。

//

iptables-save 

# Review notes (added): this is the ruleset a freshly installed CentOS 7 host
# is running.  The *_direct / *_ZONES / *_ZONES_SOURCE / *_public_{log,deny,allow}
# chains appear to be generated by firewalld (see the link at the end of the
# post) rather than hand-written.  Lines beginning with '#' are ignored by
# iptables-restore, so these notes can stay in a saved copy.  If firewalld is
# managing this ruleset, changes made directly with iptables should be assumed
# to be lost on its next reload -- confirm before relying on them.
# Generated by iptables-save v1.4.21 on Mon Oct 20 20:38:34 2014

# nat: no address translation is actually configured.  Every built-in chain's
# policy is ACCEPT and none of the zone sub-chains below contains a rule; this
# table only holds the dispatch skeleton.  The "[packets:bytes]" pair after each
# policy is the counter for traffic that reached that policy.
*nat

:PREROUTING ACCEPT [96845:7065385]

:INPUT ACCEPT [14:864]

:OUTPUT ACCEPT [4301:329078]

:POSTROUTING ACCEPT [4301:329078]

:OUTPUT_direct - [0:0]

:POSTROUTING_ZONES - [0:0]

:POSTROUTING_ZONES_SOURCE - [0:0]

:POSTROUTING_direct - [0:0]

:POST_public - [0:0]

:POST_public_allow - [0:0]

:POST_public_deny - [0:0]

:POST_public_log - [0:0]

:PREROUTING_ZONES - [0:0]

:PREROUTING_ZONES_SOURCE - [0:0]

:PREROUTING_direct - [0:0]

:PRE_public - [0:0]

:PRE_public_allow - [0:0]

:PRE_public_deny - [0:0]

:PRE_public_log - [0:0]

# Dispatch order is the same in every table: *_direct first (a hook for
# rules added outside the zone model), then *_ZONES_SOURCE (presumably
# per-source-address zone binding; empty here), then *_ZONES (per-interface
# zone binding).
-A PREROUTING -j PREROUTING_direct

-A PREROUTING -j PREROUTING_ZONES_SOURCE

-A PREROUTING -j PREROUTING_ZONES

-A OUTPUT -j OUTPUT_direct

-A POSTROUTING -j POSTROUTING_direct

-A POSTROUTING -j POSTROUTING_ZONES_SOURCE

-A POSTROUTING -j POSTROUTING_ZONES

# enp2s0 is bound to zone "public".  Note -g (goto), not -j: when POST_public
# runs off its end, control returns to POSTROUTING (the caller of
# POSTROUTING_ZONES), not to this chain, so the interface-less catch-all on
# the next line is only reached by traffic on interfaces without an explicit
# zone binding -- and it sends that traffic to "public" as well.
-A POSTROUTING_ZONES -o enp2s0 -g POST_public

-A POSTROUTING_ZONES -g POST_public

# Per-zone evaluation order is fixed: log, then deny, then allow.  All three
# are empty in this table.
-A POST_public -j POST_public_log

-A POST_public -j POST_public_deny

-A POST_public -j POST_public_allow

-A PREROUTING_ZONES -i enp2s0 -g PRE_public

-A PREROUTING_ZONES -g PRE_public

-A PRE_public -j PRE_public_log

-A PRE_public -j PRE_public_deny

-A PRE_public -j PRE_public_allow

COMMIT

# Completed on Mon Oct 20 20:38:34 2014

# Generated by iptables-save v1.4.21 on Mon Oct 20 20:38:34 2014

# mangle: only PREROUTING gets zone dispatch; INPUT/FORWARD/OUTPUT/POSTROUTING
# get just the *_direct hook.  No zone chain contains a rule, so nothing is
# marked or altered here.
*mangle

:PREROUTING ACCEPT [168022:97189753]

:INPUT ACCEPT [168005:97187767]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [127286:10643895]

:POSTROUTING ACCEPT [127330:10649269]

:FORWARD_direct - [0:0]

:INPUT_direct - [0:0]

:OUTPUT_direct - [0:0]

:POSTROUTING_direct - [0:0]

:PREROUTING_ZONES - [0:0]

:PREROUTING_ZONES_SOURCE - [0:0]

:PREROUTING_direct - [0:0]

:PRE_public - [0:0]

:PRE_public_allow - [0:0]

:PRE_public_deny - [0:0]

:PRE_public_log - [0:0]

-A PREROUTING -j PREROUTING_direct

-A PREROUTING -j PREROUTING_ZONES_SOURCE

-A PREROUTING -j PREROUTING_ZONES

-A INPUT -j INPUT_direct

-A FORWARD -j FORWARD_direct

-A OUTPUT -j OUTPUT_direct

-A POSTROUTING -j POSTROUTING_direct

-A PREROUTING_ZONES -i enp2s0 -g PRE_public

-A PREROUTING_ZONES -g PRE_public

-A PRE_public -j PRE_public_log

-A PRE_public -j PRE_public_deny

-A PRE_public -j PRE_public_allow

COMMIT

# Completed on Mon Oct 20 20:38:34 2014

# Generated by iptables-save v1.4.21 on Mon Oct 20 20:38:34 2014

# security and raw: nothing but the *_direct hooks, all empty.
*security

:INPUT ACCEPT [71186:90122850]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [127296:10645667]

:FORWARD_direct - [0:0]

:INPUT_direct - [0:0]

:OUTPUT_direct - [0:0]

-A INPUT -j INPUT_direct

-A FORWARD -j FORWARD_direct

-A OUTPUT -j OUTPUT_direct

COMMIT

# Completed on Mon Oct 20 20:38:34 2014

# Generated by iptables-save v1.4.21 on Mon Oct 20 20:38:34 2014

*raw

:PREROUTING ACCEPT [168035:97190465]

:OUTPUT ACCEPT [127301:10646667]

:OUTPUT_direct - [0:0]

:PREROUTING_direct - [0:0]

-A PREROUTING -j PREROUTING_direct

-A OUTPUT -j OUTPUT_direct

COMMIT

# Completed on Mon Oct 20 20:38:34 2014

# Generated by iptables-save v1.4.21 on Mon Oct 20 20:38:34 2014

# filter: the only table with real access policy.  Note that the built-in
# policies for INPUT and FORWARD are ACCEPT; the "default deny" comes from the
# explicit REJECT rule at the END of each chain, not from the policy.  If that
# last rule is ever removed, or a rule is appended after it, the host is wide
# open.  The INPUT policy counter being [0:0] (while mangle INPUT above has
# seen ~168k packets) is consistent with every packet being terminated by an
# explicit rule before reaching the policy.
*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [127301:10646991]

:FORWARD_IN_ZONES - [0:0]

:FORWARD_IN_ZONES_SOURCE - [0:0]

:FORWARD_OUT_ZONES - [0:0]

:FORWARD_OUT_ZONES_SOURCE - [0:0]

:FORWARD_direct - [0:0]

:FWDI_public - [0:0]

:FWDI_public_allow - [0:0]

:FWDI_public_deny - [0:0]

:FWDI_public_log - [0:0]

:FWDO_public - [0:0]

:FWDO_public_allow - [0:0]

:FWDO_public_deny - [0:0]

:FWDO_public_log - [0:0]

:INPUT_ZONES - [0:0]

:INPUT_ZONES_SOURCE - [0:0]

:INPUT_direct - [0:0]

:IN_public - [0:0]

:IN_public_allow - [0:0]

:IN_public_deny - [0:0]

:IN_public_log - [0:0]

:OUTPUT_direct - [0:0]

# Stateful shortcut: replies to connections this host initiated, and anything
# conntrack classifies as RELATED, are accepted before any zone logic runs.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Loopback is trusted unconditionally.
-A INPUT -i lo -j ACCEPT

-A INPUT -j INPUT_direct

-A INPUT -j INPUT_ZONES_SOURCE

-A INPUT -j INPUT_ZONES

# Reached only by packets the zone chains did not accept.  ALL ICMP types are
# accepted here -- no --icmp-type restriction, no rate limit, and it applies
# to every interface, not just the "public" zone.  Decide whether that is
# intended on an internet-facing host.
-A INPUT -p icmp -j ACCEPT

# Effective default for INPUT.  REJECT answers with an ICMP error, which is
# friendlier to legitimate clients than DROP but also tells a scanner that the
# host is up and filtering.
-A INPUT -j REJECT --reject-with icmp-host-prohibited

# FORWARD mirrors INPUT.  No FWDI_/FWDO_ chain contains a rule, so new
# forwarded flows are rejected; this only matters if IP forwarding is enabled,
# which this dump does not show.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i lo -j ACCEPT

-A FORWARD -j FORWARD_direct

-A FORWARD -j FORWARD_IN_ZONES_SOURCE

-A FORWARD -j FORWARD_IN_ZONES

-A FORWARD -j FORWARD_OUT_ZONES_SOURCE

-A FORWARD -j FORWARD_OUT_ZONES

-A FORWARD -p icmp -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Outbound is unrestricted: only the empty *_direct hook, then policy ACCEPT.
-A OUTPUT -j OUTPUT_direct

-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public

-A FORWARD_IN_ZONES -g FWDI_public

-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public

-A FORWARD_OUT_ZONES -g FWDO_public

-A FWDI_public -j FWDI_public_log

-A FWDI_public -j FWDI_public_deny

-A FWDI_public -j FWDI_public_allow

-A FWDO_public -j FWDO_public_log

-A FWDO_public -j FWDO_public_deny

-A FWDO_public -j FWDO_public_allow

# Inbound zone binding: enp2s0 -> "public", and (via the -g goto semantics
# described for nat above) any unbound interface -> "public" too.
-A INPUT_ZONES -i enp2s0 -g IN_public

-A INPUT_ZONES -g IN_public

# log, then deny, then allow.  Only the allow chain has a rule.
-A IN_public -j IN_public_log

-A IN_public -j IN_public_deny

-A IN_public -j IN_public_allow

# The single service open in zone "public": NEW TCP connections to port 22
# (presumably firewalld's "ssh" service) from ANY source address.  This is the
# only inbound service on the box; everything else falls through to the
# REJECT in INPUT.  If ssh does not need to be reachable from everywhere,
# restrict the source address or bind enp2s0 to a stricter zone.
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

COMMIT

# Completed on Mon Oct 20 20:38:34 2014

//

明日からこれらのチェインの意味を一つずつ紐解いていくことにしよう。

firewalld について解説しているページ。読み解くときのヒントになりそう。

http://www.kakiro-web.com/linux/firewalld.html