Configuring the firewalld firewall on Linux

I have long wanted to write a post about firewalld, but work and some family matters have kept me too busy to update the blog.

0. Preface

The point of writing this article is to harden Linux hosts. In many Linux blog posts the first thing some people do is tell you to simply switch firewalld off. That is irresponsible and insecure. What is actually needed is to use the firewall to close or open specific ports, or to allow access only from specific IP addresses. This article covers three directions:

  • Allowing any network to access a specific port or service
  • Allowing a specific network to access a specific port or service
  • Denying a specific network access to a specific port or service

1. Demonstrating firewalld rules

1.1. Common firewalld commands

  • firewalld commands
# Check the firewall's current running state
systemctl status firewalld
# Restart the firewall
systemctl restart firewalld
# Stop the firewall
systemctl stop firewalld
# Start the firewall at boot
systemctl enable firewalld
  • firewall-cmd commands
# Show the current firewall rules
firewall-cmd --list-all
# Reload to apply the current firewall policy
firewall-cmd --reload

1.2. The default firewalld configuration

By default firewalld places network interfaces in the public zone, so this article works with the public zone throughout.

[root@fwd ~]# firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work
[root@fwd ~]# 
[root@fwd ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0
[root@fwd ~]# 

Firewall policy is loaded from XML files, which are normally stored at the following paths:

# The system default policy XML file
/usr/lib/firewalld/zones/public.xml
# The policy XML file generated once the user has configured the zone
/etc/firewalld/zones/public.xml

1.3. Opening a specific port

Via the command line

  • For example, to open port 8080 on the Linux machine to any network, the syntax is: firewall-cmd --permanent --add-port=8080/tcp
# Add the port to open
[root@fwd ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@fwd ~]# 
# Apply the policy
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# 
# Check the active policy; port 8080 now appears under ports
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@fwd ~]# 

By editing the XML file

  • Using vim or nano, add the entry to the XML file to open port 8081
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
  <port port="8080" protocol="tcp"/>
  <port port="8081" protocol="tcp"/>
  <forward/>
</zone>
[root@fwd ~]# 
  • Apply the policy and check that the configuration took effect
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@fwd ~]# 
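Before reloading a hand-edited zone file it is worth reviewing what it grants beyond the distribution default. The following is an added example (my own code, not from the original post) that compares the default public.xml under /usr/lib/firewalld/zones with the edited copy under /etc/firewalld/zones and lists the difference. Both XML documents are constructed here to mirror the files shown in sections 1.2 and 1.3 (the description is shortened, and the edited copy also carries one of the reject rules from section 1.4); the helper names zone_diff, zone_entries and compact are my own.

```python
"""Added example, not code from the original post: compare the distribution's
default zone file (/usr/lib/firewalld/zones/public.xml) with the administrator's
copy (/etc/firewalld/zones/public.xml) and list what has been opened or closed,
so hand edits to the XML can be reviewed before `firewall-cmd --reload`."""
import xml.etree.ElementTree as ET

# Constructed to mirror the files shown in the post (sections 1.2 and 1.3);
# the edited copy additionally carries one of the reject rules from section 1.4.
DEFAULT_PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
  <forward/>
</zone>
"""
EDITED_PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
  <port port="8080" protocol="tcp"/>
  <port port="8081" protocol="tcp"/>
  <rule family="ipv4">
    <source address="1.1.1.4"/>
    <port port="3306" protocol="tcp"/>
    <reject/>
  </rule>
  <forward/>
</zone>
"""


def compact(elem):
    """Render an element and its children on one line, e.g.
    'rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject'
    (close to the shape firewall-cmd --list-all prints for rich rules)."""
    attrs = " ".join(f'{k}="{v}"' for k, v in sorted(elem.attrib.items()))
    kids = " ".join(compact(child) for child in elem)
    return " ".join(part for part in (elem.tag, attrs, kids) if part)


def zone_entries(zone_xml):
    """The set of things a zone file grants: services and ports (open to any
    source), rich rules, and the zone target if one is set explicitly."""
    root = ET.fromstring(zone_xml.encode("utf-8"))
    entries = {f"service:{s.get('name')}" for s in root.findall("service")}
    entries |= {f"port:{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}
    entries |= {compact(r) for r in root.findall("rule")}
    if root.get("target"):
        entries.add(f"target:{root.get('target')}")
    return entries


def zone_diff(default_xml, edited_xml):
    """What the edited file opens beyond the default, and what it closes."""
    base, edited = zone_entries(default_xml), zone_entries(edited_xml)
    return {"opened": sorted(edited - base), "closed": sorted(base - edited)}


if __name__ == "__main__":
    for kind, items in zone_diff(DEFAULT_PUBLIC_XML, EDITED_PUBLIC_XML).items():
        print(kind + ":", *items, sep="\n  ")
```

On a real host the two strings would be read from the two paths above; the "opened" list is exactly what a reviewer needs to sign off on, and anything under "closed" (a default service removed) deserves a second look before the reload.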

1.4. Denying access from a specific network

This is the blacklist approach, typically used to deny a specific IP or network access, for example denying 1.1.1.x access to port 3306 on this host. It has one precondition: the port must first be opened to everyone (i.e. firewall-cmd --permanent --add-port=3306/tcp) before the blacklist rule is added; the reject rich rule is then evaluated ahead of the general port allow.

Via the command line

  • Syntax: firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="3306" reject'
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="3306" reject'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
[root@fwd ~]# 

By editing the XML file

  • For example, add the following rule to /etc/firewalld/zones/public.xml so that 1.1.1.4 is denied access to port 3306 on this host
  <rule family="ipv4">
    <source address="1.1.1.4"/>
    <port port="3306" protocol="tcp"/>
    <reject/>
  </rule>
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
  <port port="8080" protocol="tcp"/>
  <port port="8081" protocol="tcp"/>
  <rule family="ipv4">
    <source address="1.1.1.3"/>
    <port port="3306" protocol="tcp"/>
    <reject/>
  </rule>
  <rule family="ipv4">
    <source address="1.1.1.4"/>
    <port port="3306" protocol="tcp"/>
    <reject/>
  </rule>
  <forward/>
</zone>
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
[root@fwd ~]# 

1.5. Allowing access from a specific network

Via the command line

  • For example, to let 1.1.1.3 access port 80 on this host, add the following rich rule from the command line
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="80" accept'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
[root@fwd ~]# 

By editing the XML file

  • Add the corresponding rules to the XML file
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
  <port port="8080" protocol="tcp"/>
  <port port="8081" protocol="tcp"/>
  <rule family="ipv4">
    <source address="1.1.1.3"/>
    <port port="3306" protocol="tcp"/>
    <reject/>
  </rule>
  <rule family="ipv4">
    <source address="1.1.1.4"/>
    <port port="3306" protocol="tcp"/>
    <reject/>
  </rule>
  <rule family="ipv4">
    <source address="1.1.1.3"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.1.1.4"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
  <forward/>
</zone>
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# 

2. Advanced firewalld XML configuration

2.1. firewalld address sets

When writing policy, if you repeatedly have to write rules for the same group of addresses you end up with many rules that are neither readable nor easy to operate. Address sets solve this: define the group once and reference it directly in a rule, which lightens the operational load.

firewall-cmd --permanent --new-ipset=<set-name> --type=hash:ip
firewall-cmd --permanent --ipset=<set-name> --add-entry=<ip-address>
# The address-set file that is generated
/etc/firewalld/ipsets/<set-name>.xml
  • Demonstration
[root@fwd ~]# firewall-cmd --permanent --new-ipset=allowlist --type=hash:ip
[root@fwd ~]# firewall-cmd --permanent --ipset=allowlist --add-entry=198.51.100.16
# Show the IP entries in the set
[root@fwd ~]# cat /etc/firewalld/ipsets/allowlist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <entry>198.51.100.16</entry>
</ipset>
[root@fwd ~]# 
# List the existing address sets
[root@fwd ~]# firewall-cmd --get-ipsets
allowlist
[root@fwd ~]# 
  • Referencing the address set in a rule
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="allowlist" port protocol="tcp" port="3389" accept'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.4" port port="80" protocol="tcp" accept
        rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
[root@fwd ~]# 

2.2. Rule priority

Sometimes you need explicit priorities, for example to allow a particular source before rejecting everyone else on the same port; lower priority values are evaluated first.

[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule priority=32760 family="ipv4" source address="1.1.1.5" port protocol="tcp" port="3306" accept'
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule priority=32767 family="ipv4" port protocol="tcp" port="3306" reject' 
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
        rule family="ipv4" source address="1.1.1.4" port port="80" protocol="tcp" accept
        rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
        rule priority="32760" family="ipv4" source address="1.1.1.5" port port="3306" protocol="tcp" accept
        rule priority="32767" family="ipv4" port port="3306" protocol="tcp" reject
[root@fwd ~]# 
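Once a zone accumulates reject rules (section 1.4), accept rules (section 1.5), an address set (section 2.1) and priorities (section 2.2), it becomes hard to say by inspection which rule decides a given connection. The following is an added example (my own code, not from the original post): an offline evaluator that parses a zone file and its ipset file and reports, for a source address and destination port, which rule fires first. The zone and ipset XML are constructed to mirror the post's final public.xml and allowlist.xml, with each rule written on one line for brevity; the small service-to-port map and the helper names (evaluate, parse_zone, ordered_rules) are my own. The rule ordering it assumes follows the firewalld rich-language documentation as stated in the comments; verify against a real host with firewall-cmd --list-rich-rules and nft list ruleset before relying on it.

```python
"""Added example (not from the post): offline evaluator for the rich rules in a
firewalld zone file. For a source address and destination port it reports which
rule decides, in the order firewalld applies them. Handles only the rich-language
subset the post uses: source address/ipset, port, accept/reject/drop, priority."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

# Constructed to mirror the post's final public.xml (sections 1.4, 1.5, 2.1, 2.2)
# and allowlist.xml; rules are written one per line here for brevity.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <port port="8080" protocol="tcp"/>
  <port port="8081" protocol="tcp"/>
  <rule family="ipv4"><source address="1.1.1.3"/><port port="3306" protocol="tcp"/><reject/></rule>
  <rule family="ipv4"><source address="1.1.1.3"/><port port="80" protocol="tcp"/><accept/></rule>
  <rule family="ipv4"><source address="1.1.1.4"/><port port="3306" protocol="tcp"/><reject/></rule>
  <rule family="ipv4"><source address="1.1.1.4"/><port port="80" protocol="tcp"/><accept/></rule>
  <rule family="ipv4"><source ipset="allowlist"/><port port="3389" protocol="tcp"/><accept/></rule>
  <rule priority="32760" family="ipv4"><source address="1.1.1.5"/><port port="3306" protocol="tcp"/><accept/></rule>
  <rule priority="32767" family="ipv4"><port port="3306" protocol="tcp"/><reject/></rule>
</zone>"""
IPSET_XML = {"allowlist": '<ipset type="hash:ip"><entry>198.51.100.16</entry></ipset>'}
# Constructed minimal service->port map; real definitions: /usr/lib/firewalld/services/*.xml
SERVICE_PORTS = {"ssh": [("22", "tcp")]}

# Ordering assumed here, after the firewalld rich-language documentation: lower
# priority values are evaluated first; negative priorities run before the zone's
# ports/services, positive priorities after them; priority 0 keeps the legacy
# order in which deny rules (reject/drop) precede allow rules.
ACTION_ORDER = {"reject": 0, "drop": 0, "accept": 1}


class RichRule(NamedTuple):
    index: int              # position of the <rule> in the zone file
    priority: int
    family: Optional[str]   # "ipv4", "ipv6" or None
    source: Optional[str]   # address/CIDR, "ipset:<name>", or None for any
    port: Optional[tuple]   # ("3306", "tcp") or ("8000-8100", "udp"); None for any
    action: str             # accept | reject | drop


def load_ipsets():
    """Parse the ipset files into lists of networks (a bare IP becomes a /32)."""
    return {name: [ipaddress.ip_network(e.text.strip(), strict=False)
                   for e in ET.fromstring(xml.encode("utf-8")).findall("entry")]
            for name, xml in IPSET_XML.items()}


def parse_zone(zone_xml):
    """Return (ports opened to any source, rich rules) from a zone file."""
    root = ET.fromstring(zone_xml.encode("utf-8"))
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    for s in root.findall("service"):
        ports.extend(SERVICE_PORTS.get(s.get("name"), []))
    rules = []
    for idx, r in enumerate(root.findall("rule")):
        src, p = r.find("source"), r.find("port")
        source = None if src is None else (
            f"ipset:{src.get('ipset')}" if src.get("ipset") else src.get("address"))
        port = None if p is None else (p.get("port"), p.get("protocol"))
        action = next((a for a in ("accept", "reject", "drop") if r.find(a) is not None), None)
        if action is None:
            raise ValueError(f"rule #{idx}: only accept/reject/drop rules are supported here")
        rules.append(RichRule(idx, int(r.get("priority", "0")), r.get("family"), source, port, action))
    return ports, rules


def port_matches(rule_port, port, proto):
    spec, rule_proto = rule_port
    lo, _, hi = spec.partition("-")          # single port or "lo-hi" range
    return rule_proto == proto and int(lo) <= port <= int(hi or lo)


def source_matches(source, addr, ipsets):
    if source is None:
        return True
    if source.startswith("ipset:"):
        return any(addr in net for net in ipsets[source[len("ipset:"):]])
    return addr in ipaddress.ip_network(source, strict=False)


def ordered_rules(rules):
    def key(r):
        if r.priority == 0:
            return (0, 0, ACTION_ORDER[r.action], r.index)   # legacy: deny, then allow
        return (-1 if r.priority < 0 else 1, r.priority, 0, r.index)
    return sorted(rules, key=key)


def evaluate(zone_xml, src_ip, port, proto="tcp"):
    """Decide a new connection from src_ip to port/proto: (verdict, reason)."""
    ports, rules = parse_zone(zone_xml)
    ipsets = load_ipsets()
    addr = ipaddress.ip_address(src_ip)
    zone_port_hit = any(port_matches(p, port, proto) for p in ports)
    for r in ordered_rules(rules):
        if r.priority > 0 and zone_port_hit:
            return ("accept", "zone port/service")   # ports/services precede positive priorities
        if r.family not in (None, f"ipv{addr.version}"):
            continue
        if source_matches(r.source, addr, ipsets) and (r.port is None or port_matches(r.port, port, proto)):
            return (r.action, f"rich rule #{r.index} priority={r.priority}")
    if zone_port_hit:
        return ("accept", "zone port/service")
    return ("default", "no rule matched; the zone target decides")
```

Calling evaluate(ZONE_XML, "1.1.1.5", 3306) returns the accept from the priority 32760 rule, while evaluate(ZONE_XML, "203.0.113.9", 3306) returns the reject from the priority 32767 rule, which is the allow-then-reject behaviour section 2.2 sets up; a source not in the allowlist ipset asking for 3389 falls through to the zone's default target.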
posted @ 2024-05-20 16:23  二乘八是十六  views (154)  comments (0)