centos8用firewalld搭建防火墙
一,firewalld的systemd管理命令
启动:systemctl start firewalld
关闭:systemctl stop firewalld
查看状态:systemctl status firewalld
开机禁用:systemctl disable firewalld
开机启用:systemctl enable firewalld
说明:刘宏缔的架构森林是一个专注架构的博客,
网站:https://blog.imgtouch.com
本文: https://blog.imgtouch.com/index.php/2023/05/15/centos8-yong-firewalld-da-jian-fang-huo-qiang/
对应的源码可以访问这里获取: https://github.com/liuhongdi/
说明:作者:刘宏缔 邮箱: 371125307@qq.com
二,firewall-cmd的通用命令:
1,查看firewall-cmd版本:
[root@localhost liuhongdi]# firewall-cmd --version 0.7.0
2,查看firewall-cmd帮助
[root@localhost liuhongdi]# firewall-cmd --help
3,查看firewalld状态
[root@localhost liuhongdi]# firewall-cmd --state
running
4,更新防火墙的规则
[root@localhost liuhongdi]# firewall-cmd --reload
success
说明:--reload的作用:让“永久生效”的配置规则立即生效,并覆盖当前的配置规则
5,查看firewalld的所有规则:
[root@localhost zones]# firewall-cmd --list-all
三,zone相关命令:
1,得到默认的zone:
[root@localhost liuhongdi]# firewall-cmd --get-default-zone
public
2,得到当前正在使用的zone与网卡名称
[root@localhost liuhongdi]# firewall-cmd --get-active-zones
libvirt
interfaces: virbr0
public
interfaces: ens33
3,得到所有可用的zone
[root@localhost liuhongdi]# firewall-cmd --get-zones
block dmz drop external home internal libvirt public trusted work
4,设置默认的zone
[root@localhost liuhongdi]# firewall-cmd --set-default-zone=drop success [root@localhost liuhongdi]# firewall-cmd --get-active-zones drop interfaces: ens33 libvirt interfaces: virbr0
四,services相关命令:
1,列出所有可用的services
[root@localhost liuhongdi]# firewall-cmd --get-services
2,列出当前已放开的services
[root@localhost liuhongdi]# firewall-cmd --list-services
3, 放开一个服务
[root@localhost liuhongdi]# firewall-cmd --add-service=http
4, 关闭一个服务
[root@localhost liuhongdi]# firewall-cmd --remove-service=http --permanent
success
说明:关于permanent参数: 添加--permanent重启后则永久生效,如无--permanent仅临时生效
五,port相关命令:
1,查看所有打开的端口:
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports 80/tcp 8080/tcp 22/tcp
2,放开一个端口:
[root@localhost liuhongdi]# firewall-cmd --zone=public --add-port=80/tcp --permanent success
3,关闭已放开的端口:
[root@localhost liuhongdi]# firewall-cmd --zone=public --remove-port=80/tcp --permanent success
六,针对permanent参数的验证:
1,添加端口后,如果加了 permanent,不会马上起作用:reload之后会起作用
[root@localhost liuhongdi]# firewall-cmd --zone=public --add-port=80/tcp --permanent success [root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports 8080/tcp 22/tcp [root@localhost liuhongdi]# firewall-cmd --reload success [root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports 8080/tcp 22/tcp 80/tcp
2,删除端口,如果加了 permanent,不会马上起作用,也需要reload
[root@localhost liuhongdi]# firewall-cmd --zone=public --remove-port=80/tcp --permanent success [root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports 8080/tcp 22/tcp 80/tcp [root@localhost liuhongdi]# firewall-cmd --reload success [root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports 8080/tcp 22/tcp
3,如果不加permanent,能马上起作用:
[root@localhost liuhongdi]# firewall-cmd --zone=public --add-port=80/tcp success [root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports 8080/tcp 22/tcp 80/tcp
七,针对ip地址的操作:
1,允许一个ip访问:
[root@localhost liuhongdi]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="43.229.53.61" accept'
2,禁止一个ip访问
[root@localhost liuhongdi]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="43.229.53.61" drop'
说明:drop也可用reject
两者的区别在于drop不会提示拒绝访问而是直接丢弃数据包
3,指定允许一个ip到指定端口的访问
[root@localhost liuhongdi]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="22" accept' success
4,删除一条rich rule
[root@localhost liuhongdi]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="22" accept' success
八,手动添加的防火墙规则位于哪里?
/etc/firewalld/zones/public.xml
说明:可以手动编辑这个保存规则的xml,
然后做reload
九,生产环境中要注意的地方:
如果已添加了http服务,仍然可以添加80 port,
导致要关闭http服务时,也需要关闭80 port,
所以,尽量使用 port,而不要把service和port混用
十,一个生产环境中防火墙的zone文件例子:
<?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are acc epted.</description> <port port="80" protocol="tcp"/> <rule family="ipv4"> <source address="10.0.10.1"/> <accept/> </rule> <rule family="ipv4"> <source address="43.229.53.61"/> <drop/> </rule> </zone>
说明: 1,生产环境中防火墙一定要做基于ip地址的限制,不能允许从公网随便访问
2,需要放开的端口越少越好,最好只放开一个有运行中业务的端口