
Nemreg futolag feldobtam az rhel8 betat egy virtualis gepbe, hogy belekukkantsak, mire kell majd keszulni. Mar rhel7-ben is a firewalld volt a default es ezaltal az ajanlott; ez a resz nem valtozott, csak rhel8-ban a firewalld mar az nftables-t hivja. Ennek okan, ha megszokasbol az iptables paranccsal nezzuk meg a szabalyokat, azt latjuk, hogy nincs semmi betoltve (pedig a tuzfal fut, csak nem ezen a feluleten latszik):


[root@rhel8beta ~]# iptables -nvL
Chain INPUT (policy ACCEPT 127 packets, 9965 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 76 packets, 8321 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@rhel8beta ~]# 
[root@rhel8beta ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@rhel8beta ~]# 
[root@rhel8beta ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Pedig ha nft-vel vagy firewall-cmd-vel nezzuk meg, akkor latszik, hogy a firewalld letrehozta a sajat szabalyait tablakkal, chainekkel stb., amelyek ugyanugy ra vannak kotve az input, forward stb. hookokra, csak eltero prioritassal:


[root@rhel8beta ~]# firewall-cmd --state
running
[root@rhel8beta ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@rhel8beta ~]# nft list tables
table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld

Amibol ha csak az inet firewalld tablat nezzuk meg:


[root@rhel8beta ~]# nft list table inet firewalld
table inet firewalld {
        chain raw_PREROUTING {
                type filter hook prerouting priority -290; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . iif oif missing drop
                jump raw_PREROUTING_ZONES_SOURCE
                jump raw_PREROUTING_ZONES
        }

        chain raw_PREROUTING_ZONES_SOURCE {
        }

        chain raw_PREROUTING_ZONES {
                iifname "enp0s3" goto raw_PRE_public
                goto raw_PRE_public
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority -140; policy accept;
                jump mangle_PREROUTING_ZONES_SOURCE
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_ZONES_SOURCE {
        }

        chain mangle_PREROUTING_ZONES {
                iifname "enp0s3" goto mangle_PRE_public
                goto mangle_PRE_public
        }

        chain filter_INPUT {
                type filter hook input priority 10; policy accept;
                ct state established,related accept
                iifname "lo" accept
                jump filter_INPUT_ZONES_SOURCE
                jump filter_INPUT_ZONES
                ct state invalid drop
                reject with icmpx type admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                iifname "lo" accept
                jump filter_FORWARD_IN_ZONES_SOURCE
                jump filter_FORWARD_IN_ZONES
                jump filter_FORWARD_OUT_ZONES_SOURCE
                jump filter_FORWARD_OUT_ZONES
                ct state invalid drop
                reject with icmpx type admin-prohibited
        }

        chain filter_INPUT_ZONES_SOURCE {
        }

        chain filter_INPUT_ZONES {
                iifname "enp0s3" goto filter_IN_public
                goto filter_IN_public
        }

        chain filter_FORWARD_IN_ZONES_SOURCE {
        }

        chain filter_FORWARD_IN_ZONES {
                iifname "enp0s3" goto filter_FWDI_public
                goto filter_FWDI_public
        }

        chain filter_FORWARD_OUT_ZONES_SOURCE {
        }

        chain filter_FORWARD_OUT_ZONES {
                oifname "enp0s3" goto filter_FWDO_public
                goto filter_FWDO_public
        }

        chain raw_PRE_public {
                jump raw_PRE_public_log
                jump raw_PRE_public_deny
                jump raw_PRE_public_allow
        }

        chain raw_PRE_public_log {
        }

        chain raw_PRE_public_deny {
        }

        chain raw_PRE_public_allow {
        }

        chain filter_IN_public {
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_public_log {
        }

        chain filter_IN_public_deny {
        }

        chain filter_IN_public_allow {
                tcp dport ssh ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                tcp dport 9090 ct state new,untracked accept
        }

        chain filter_FWDI_public {
                jump filter_FWDI_public_log
                jump filter_FWDI_public_deny
                jump filter_FWDI_public_allow
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_public_log {
        }

        chain filter_FWDI_public_deny {
        }

        chain filter_FWDI_public_allow {
        }

        chain mangle_PRE_public {
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
        }

        chain mangle_PRE_public_log {
        }

        chain mangle_PRE_public_deny {
        }

        chain mangle_PRE_public_allow {
        }

        chain filter_FWDO_public {
                jump filter_FWDO_public_log
                jump filter_FWDO_public_deny
                jump filter_FWDO_public_allow
        }

        chain filter_FWDO_public_log {
        }

        chain filter_FWDO_public_deny {
        }

        chain filter_FWDO_public_allow {
        }
}

A verziok egyebkent:
[root@rhel8beta ~]# iptables --version
iptables v1.8.0 (nf_tables)
[root@rhel8beta ~]# nft --version
nftables v0.9.0 (Fearless Fosdick)
[root@rhel8beta ~]# uname -a
Linux rhel8beta.localdomain 4.18.0-32.el8.x86_64 #1 SMP Sat Oct 27 19:26:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Ha pl. iptables-save-vel akarjuk lementeni a szabalyokat (esetleg valami regebbi scriptunkben ez van), akkor is erhet meglepetes, mert nem kepes ra: a mentes csak az ures, iptables-kompatibilis tablakat tartalmazza, a tenyleges firewalld szabalyokat nem. A kimenet vegen viszont egy komment legalabb jelzi, hogy nem tud mit kezdeni a firewalld tablaval, hasznalj nft-t:


[root@rhel8beta ~]# iptables-save 
# Generated by xtables-save v1.8.0 on Sat Apr 20 20:03:32 2019
*filter
:INPUT ACCEPT [1925:115709]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [993:278937]
COMMIT
# Completed on Sat Apr 20 20:03:32 2019
# Generated by xtables-save v1.8.0 on Sat Apr 20 20:03:32 2019
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Apr 20 20:03:32 2019
# Generated by xtables-save v1.8.0 on Sat Apr 20 20:03:32 2019
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Apr 20 20:03:32 2019
# Generated by xtables-save v1.8.0 on Sat Apr 20 20:03:32 2019
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Apr 20 20:03:32 2019
# Generated by xtables-save v1.8.0 on Sat Apr 20 20:03:32 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Apr 20 20:03:32 2019
# Table `firewalld' is incompatible, use 'nft' tool.