Linux防火墙firewall的使用
Linux防火墙firewall的使用
CentOS 7新的防火墙服务firewalld的基本原理,它有个非常强大的过滤系统,称为 Netfilter,它内置于内核模块中,用于检查穿过系统的每个数据包。
这意味着它可以在到达目的地之前以编程方式检查、修改、拒绝或丢弃任何网络数据包,如传入、传出或转发,从 Centos-7 开始,firewalld 成为管理基于主机的防火墙服务的默认工具,firewalld 的守护进程是从 firewalld 包安装的,它将在操作系统的所有基本安装上可用,但在最小安装上不可用。
使用 FirewallD 优于“iptables”的优点
1.在运行时所做的任何配置更改都不需要重新加载或重新启动 firewalld 服务
2.通过将整个网络流量安排到区域中来简化防火墙管理
3.每个系统可以设置多个防火墙配置以更改网络环境
4.使用 D-Bus 消息系统来交互/维护防火墙设置
在 CentOS 7 或更高版本中,我们仍然可以使用经典的 iptables,如果要使用 iptables,需要停止并禁用 firewalld 服务。同时使用firewalld 和 iptables会使系统混乱,因为它们彼此不兼容。
每个区域都旨在根据指定的标准管理流量。如果没有进行任何修改,默认区域将设置为 public,并且关联的网络接口将附加到 public。
所有预定义的区域规则都存储在两个位置:系统指定的区域规则在“/usr/lib/firewalld/zones/”下,用户指定的区域规则在/etc/firewalld/zones/ 下。如果在系统区域配置文件中进行了任何修改,它将自动到 /etc/firewalld/zones/。
安装firewalld服务
[root@chenby ~]# yum install firewalld -y
[root@chenby ~]# systemctl start firewalld.service
查看服务状态
[root@chenby ~]# firewall-cmd --state
[root@chenby ~]# systemctl status firewalld -l
区域
Firewalld 为不同的目的引入了几个预定义的区域和服务,主要目的之一是更轻松地处理 firewalld 管理。
基于这些区域和服务,我们可以阻止任何形式的系统传入流量,除非它明确允许在区域中使用一些特殊规则。
查看firewalld中的所有可用区域
[root@chenby ~]# firewall-cmd --get-zones
block dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]#
查看默认区域
[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
活动区域和相关网络接口
[root@chenby ~]# firewall-cmd --get-active-zones
docker
interfaces: br-31021b17396b br-53a24802cca1 docker0
public
interfaces: ens18
[root@chenby ~]#
公共区域的规则
[root@chenby ~]# firewall-cmd --list-all --zone="public"
public (active)
target: default
icmp-block-inversion: no
interfaces: ens18
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.250.0/24" accept
[root@chenby ~]#
查看所有可用区域
[root@chenby ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-31021b17396b br-53a24802cca1 docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public (active)
target: default
icmp-block-inversion: no
interfaces: ens18
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.250.0/24" accept
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@chenby ~]#
修改默认的区域
[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --set-default-zone=work
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --get-default-zone
work
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --set-default-zone=public
success
[root@chenby ~]#
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
[root@chenby ~]#
网口和区域的操作
给指定网卡设置zone
[root@chenby ~]# firewall-cmd --zone=internal --change-interface=enp1s1
查看系统所有网卡所在的zone
[root@chenby ~]# firewall-cmd --get-active-zones
针对网卡删除zone
[root@chenby ~]# firewall-cmd --zone=internal --remove-interface=enp1s1
自定义 zone
[root@chenby ~]# vi /etc/firewalld/zones/cby.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>linuxtecksecure</short>
<description>用于企业领域。</description>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>
</zone>
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --reload
success
[root@chenby ~]#
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --get-zones
block cby dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]#
[root@chenby ~]#
服务
查看所有可用的服务
[root@chenby ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bareos-director bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-client llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nebula netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut opentelemetry openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps2link ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui syncthing-relay synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server warpinator wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server zerotier
[root@chenby ~]#
查看特定区域内的所有可用服务
[root@chenby ~]# firewall-cmd --zone=work --list-services
cockpit dhcpv6-client ssh
[root@chenby ~]#
将现有服务添加到默认区域
[root@chenby ~]# firewall-cmd --add-service=samba
success
[root@chenby ~]#
# 验证
[root@chenby ~]# firewall-cmd --zone=public --list-services
cockpit dhcpv6-client samba ssh
[root@chenby ~]#
永久添加服务
[root@chenby ~]# firewall-cmd --permanent --add-service=ftp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --reload
success
[root@chenby ~]#
将运行时设置迁移到永久设置
[root@chenby ~]# firewall-cmd --runtime-to-permanent
success
[root@chenby ~]#
如何在公共区域为samba服务开放端口
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=137/udp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=138/udp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=139/tcp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=445/tcp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --list-ports
137/udp 138/udp 139/tcp 445/tcp
[root@chenby ~]#
设置规则生效时间
秒 (s)、分钟 (m) 或小时 (h) 为单位指定超时。
[root@chenby ~]# firewall-cmd --zone=public --add-service=ftp --timeout=5m
关于
https://www.oiox.cn/index.php/start-page.html
CSDN、GitHub、51CTO、知乎、开源中国、思否、掘金、简书、华为云、阿里云、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客
全网可搜《小陈运维》
文章主要发布于微信公众号