firewalld, the firewall policy management tool on Linux systems

What is firewalld?

Like iptables, firewalld is a firewall policy management tool: it is used to define the firewall policy of a host.

Compared with iptables, what is firewalld's distinguishing feature?

firewalld introduces the concept of zones. firewalld policy can be configured either from the CLI (command line) or from a GUI (graphical user interface).

What is a zone?

A zone is a predefined firewall policy template, applied to the interfaces and source addresses assigned to it; firewalld can switch quickly between these templates.

Setting firewall policy from the firewalld command-line (CLI) interface means using the firewall-cmd command. firewall-cmd takes all of its options in "long format" (for example --get-default-zone).

1. How to query the name of the current default zone?

[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone  ## the default zone is public
public

 

2. Which zones are available?

[root@PC1linuxprobe test1]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@PC1linuxprobe test1]# firewall-cmd --get-zones | xargs -n 1
block
dmz
drop
external
home
internal
public
trusted
work

 

3. How to show the zone currently in use and its network interface

[root@PC1linuxprobe test1]# firewall-cmd --get-active-zones 
public
  interfaces: eno16777728

 

4. Which predefined services exist?

[root@PC1linuxprobe test1]# firewall-cmd --get-services 
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

 

5. Show the interface, sources, ports and services of the current zone

[root@PC1linuxprobe test1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    

 

6. Show the interface, sources, ports and services of all zones

[root@PC1linuxprobe test1]# firewall-cmd --list-all-zones | wc -l
90
[root@PC1linuxprobe test1]# firewall-cmd --list-all-zones | head
block
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --list-all-zones | tail
work
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
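The `--list-all` output above always has the same shape: a header line naming the zone, then two-space-indented `key: value` fields, with rich rules on further-indented lines under the `rich rules:` header. The functions below are an added example (not a script from the original post) that parse that shape so a script can check a zone's state instead of reading it by eye. `SAMPLE_LISTING` is a constructed listing in the post's format; the function names are the example's own.

```shell
#!/bin/sh
# Added example: parse the output of `firewall-cmd --list-all`.
# SAMPLE_LISTING is a constructed listing in the same shape as the post's output.
SAMPLE_LISTING='public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client http https ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports: port=888:proto=tcp:toport=22:toaddr=192.168.10.10
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.10.20" service name="ssh" reject'

# zone_name LISTING: the zone name is the first word of the header line.
zone_name() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'
}

# zone_field LISTING FIELD: print the value of one "  key: value" field.
# "rich rules" is special: its value is the set of four-space-indented
# lines that follow the header, one rule per line.
zone_field() {
    listing=$1
    field=$2
    if [ "$field" = "rich rules" ]; then
        printf '%s\n' "$listing" | awk '
            /^  rich rules:/ { inrules = 1; next }
            inrules && /^    / { sub(/^ +/, ""); print }'
    else
        # index()==1 pins the key to the start of the line, so "ports" does
        # not match the "forward-ports" line and "sources" never matches "services".
        printf '%s\n' "$listing" | awk -v key="$field" '
            index($0, "  " key ":") == 1 { sub("^  " key ": *", ""); print }'
    fi
}

# zone_has_service LISTING SERVICE: exit 0 if SERVICE appears in "services".
zone_has_service() {
    for s in $(zone_field "$1" services); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# zone_open_count LISTING: number of service names plus port entries the zone allows.
zone_open_count() {
    n=0
    for item in $(zone_field "$1" services) $(zone_field "$1" ports); do
        n=$((n + 1))
    done
    echo "$n"
}

# Live use, where firewall-cmd exists:
#   listing=$(firewall-cmd --list-all); zone_has_service "$listing" ssh && echo "ssh is open"
```

With a real host, replace `SAMPLE_LISTING` by `$(firewall-cmd --zone=NAME --list-all)` and the same functions give a quick inventory of what each zone exposes.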
    

 

7. How to switch zones

[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone   ## show the current default zone
public
[root@PC1linuxprobe test1]# firewall-cmd --get-zones  ## show the available zones
block dmz drop external home internal public trusted work
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## list the current zone's interfaces, sources, ports, services, etc.
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --set-default-zone=work  ## switch to the work zone
success
[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone   ## show the current default zone
work
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## list the current zone's details
work (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ipp-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --set-default-zone=home ## switch to the home zone
success
[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone   ## show the current default zone
home
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## list the current zone's details
home (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --set-default-zone=public  ## set back to the public zone
success
[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone  
public

 

8. How to query which firewalld zone an interface belongs to

[root@PC1linuxprobe test1]# firewall-cmd --get-zone-of-interface=eno16777728 
public

 

9. How to change the firewalld zone of an interface

[root@PC1linuxprobe test1]# firewall-cmd --get-zone-of-interface=eno16777728 
public
[root@PC1linuxprobe test1]# firewall-cmd --zone=home --change-interface=eno16777728   ## move the interface to home
success
[root@PC1linuxprobe test1]# firewall-cmd --get-zone-of-interface=eno16777728   ## check
home
[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone   ## the default zone itself does not change
public
[root@PC1linuxprobe test1]# firewall-cmd --zone=public --change-interface=eno16777728   ## move it back to public
success
[root@PC1linuxprobe test1]# firewall-cmd --get-zone-of-interface=eno16777728  ## check
public

 

10. Panic mode (block all network connections)

[root@PC1linuxprobe test1]# ifconfig | head -n 3 ## show this host's IP address
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe20:bf5e  prefixlen 64  scopeid 0x20<link>
[root@PC2linuxprobe test2]# ifconfig | head -n 3  ## the other virtual machine
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe15:20b6  prefixlen 64  scopeid 0x20<link>
[root@PC2linuxprobe test2]# ping -c 3 192.168.10.10  ## test connectivity
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.234 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.208 ms

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.208/0.219/0.234/0.011 ms
[root@PC2linuxprobe test2]# ssh 192.168.10.10   ## test remote login
root@192.168.10.10's password: 
Last login: Fri Nov  6 13:27:48 2020 from 192.168.10.20
[root@PC1linuxprobe ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe20:bf5e  prefixlen 64  scopeid 0x20<link>
[root@PC1linuxprobe ~]# exit
logout
Connection to 192.168.10.10 closed.

Turn on panic mode, which drops every incoming and outgoing packet (including any SSH session you are logged in through, so run this from the console):

[root@PC1linuxprobe test1]# firewall-cmd --panic-on
success

Test the effect:

[root@PC2linuxprobe test2]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe15:20b6  prefixlen 64  scopeid 0x20<link>
[root@PC2linuxprobe test2]# ping -c 3 192.168.10.10  ## no connectivity
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

[root@PC2linuxprobe test2]# ssh 192.168.10.10  ## remote login is blocked
ssh: connect to host 192.168.10.10 port 22: Connection timed out

Turn off panic mode:

[root@PC1linuxprobe test1]# firewall-cmd --panic-off
success

Test the effect:

[root@PC2linuxprobe test2]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe15:20b6  prefixlen 64  scopeid 0x20<link>
[root@PC2linuxprobe test2]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.272 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.235 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.214 ms

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.214/0.240/0.272/0.027 ms
[root@PC2linuxprobe test2]# ssh 192.168.10.10
root@192.168.10.10's password: 
Last login: Fri Nov  6 13:30:08 2020 from 192.168.10.20
[root@PC1linuxprobe ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe20:bf5e  prefixlen 64  scopeid 0x20<link>
[root@PC1linuxprobe ~]# exit
logout
Connection to 192.168.10.10 closed.

 

11. How to add or remove services in a specific zone

[root@PC1linuxprobe test1]# firewall-cmd --get-default-zone   ## show the default zone the system is using
public
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## list the current zone's contents
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --add-service=http   ## add the http service
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all   ## list again: http has been added
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client http ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --add-service=https  ## add the https service
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all  
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client http https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --remove-service=http  ## remove the http service
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --remove-service=https   ## remove the https service
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    

Another way to check whether a service is enabled:

[root@PC1linuxprobe test1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --query-service=https
no
[root@PC1linuxprobe test1]# firewall-cmd --add-service=https
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --query-service=https
yes
[root@PC1linuxprobe test1]# firewall-cmd --remove-service=https
success

 

12. Rules configured with firewalld default to runtime mode and are lost after a reboot; how to make them permanent?

[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## list the current services
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --add-service=https --permanent ## add the https service in permanent mode
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## check the services: the change is not active yet
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --reload   ## reload
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## the https service is now active
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --remove-service=https --permanent   ## remove the https service in permanent mode
success
[root@PC1linuxprobe test1]# firewall-cmd --query-service=https   ## query the service: the removal is not active yet
yes
[root@PC1linuxprobe test1]# firewall-cmd --reload   ## reload
success
[root@PC1linuxprobe test1]# firewall-cmd --query-service=https  ## now active
no
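The runtime and permanent configurations are two separate views, and the gap between them is a common source of surprises: a service opened without `--permanent` disappears at the next `--reload` or reboot, while a `--permanent` change sits inactive until a reload. The helper below is an added example, not a script from the original post: `service_drift` compares the two service lists and reports each direction of drift, and `check_live_zone` is a hypothetical wrapper that assumes `firewall-cmd` is installed and run as root. The sample lists are constructed to mirror section 12.

```shell
#!/bin/sh
# Added example: compare a zone's runtime view with its permanent view.
# service_drift RUNTIME PERMANENT
#   RUNTIME and PERMANENT are space-separated service lists, as printed by
#   `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services`.
#   Prints one line per difference and returns 1 if any was found:
#     runtime-only <svc>    open now, not saved: disappears at --reload or reboot
#     permanent-only <svc>  saved, not active: takes effect only after --reload
service_drift() {
    runtime=$1
    permanent=$2
    drift=0
    for s in $runtime; do
        case " $permanent " in
            *" $s "*) ;;
            *) echo "runtime-only $s"; drift=1 ;;
        esac
    done
    for s in $permanent; do
        case " $runtime " in
            *" $s "*) ;;
            *) echo "permanent-only $s"; drift=1 ;;
        esac
    done
    return $drift
}

# check_live_zone [ZONE]: run the comparison against a real host.
# Hypothetical helper; assumes firewall-cmd is installed and we are root.
check_live_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    service_drift "$(firewall-cmd --zone="$zone" --list-services)" \
                  "$(firewall-cmd --permanent --zone="$zone" --list-services)"
}

# Constructed sample mirroring section 12 of the post: https was added with
# --permanent but not reloaded, while http was added at runtime only.
SAMPLE_RUNTIME="dhcpv6-client http ssh"
SAMPLE_PERMANENT="dhcpv6-client https ssh"

# Stand-alone demo on the constructed sample (exit status 1 means drift was found).
service_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift detected"
```

A `runtime-only` entry is the usual trap: the host looks correctly configured until its next reload. firewall-cmd's own `--runtime-to-permanent` option saves the current runtime state as the permanent configuration when the runtime view is the intended one.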

 

13. Add and remove ports

[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## show the current ports and services
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --add-port=8080  ## add a port without a protocol
bad port (most likely missing protocol), correct syntax is portid[-portid]/protocol
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## check: nothing was added, as expected
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --add-port=8080/tcp  ## add the port together with its protocol
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all   ## check
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    

Remove port 8080:

[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## before removal
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@PC1linuxprobe test1]# firewall-cmd --remove-port=8080/tcp  ## remove it
success
[root@PC1linuxprobe test1]# firewall-cmd --list-all  ## after removal
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
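The `bad port` error in this section comes from passing `8080` without a protocol. The validator below is an added example, not from the original post: it checks a port specification against the `portid[-portid]/protocol` form that the error message names before any command is issued, so a scripted change fails loudly rather than leaving a port closed (or opening the wrong range). `add_port_checked` is a hypothetical wrapper that assumes `firewall-cmd` is installed; the protocol list and the 1-65535 range are this validator's own rules.

```shell
#!/bin/sh
# Added example: validate a firewall-cmd port specification before using it.
# valid_port_spec SPEC
#   Accepts portid[-portid]/protocol with ports 1-65535 and protocol
#   tcp, udp, sctp or dccp. Returns 0 if valid, 1 otherwise, with the
#   reason on stderr.
valid_port_spec() {
    spec=$1
    case $spec in
        */*) ;;
        *) echo "bad port '$spec': missing protocol, expected portid[-portid]/protocol" >&2
           return 1 ;;
    esac
    ports=${spec%/*}        # everything before the last "/"
    proto=${spec##*/}       # everything after the last "/"
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "bad protocol '$proto' in '$spec'" >&2; return 1 ;;
    esac
    lo=${ports%-*}          # single port: lo and hi are the same value
    hi=${ports#*-}
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*) echo "bad port number '$p' in '$spec'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port $p out of range in '$spec'" >&2; return 1
        fi
    done
    [ "$lo" -le "$hi" ] || { echo "inverted range in '$spec'" >&2; return 1; }
    return 0
}

# add_port_checked SPEC [--permanent]
#   Hypothetical wrapper: validate first, then call firewall-cmd (assumed installed).
add_port_checked() {
    valid_port_spec "$1" || return 1
    firewall-cmd --add-port="$1" ${2:+"$2"}
}
```

Running `valid_port_spec 8080` reproduces the post's failure as a non-zero exit status with a message, and `valid_port_spec 5000-5100/udp` accepts a range, which `--add-port` also supports in the same `portid[-portid]/protocol` form.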
    

 

14. How to forward port traffic

Forward traffic arriving on port 888 to port 22:

[root@PC2linuxprobe network-scripts]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe15:20b6  prefixlen 64  scopeid 0x20<link>
[root@PC2linuxprobe network-scripts]# ssh -p 22 192.168.10.10  ## test port 22: remote login works
root@192.168.10.10's password: 
Last login: Fri Nov  6 22:11:06 2020 from 192.168.10.20
[root@PC1linuxprobe ~]# ifconfig | head -n 2
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
[root@PC1linuxprobe ~]# exit
logout
Connection to 192.168.10.10 closed.
[root@PC2linuxprobe network-scripts]# ssh -p 888 192.168.10.10  ## test port 888: remote login fails
ssh: connect to host 192.168.10.10 port 888: No route to host

Set up forwarding from port 888 to port 22 (here toaddr is the host's own address, so this is a local redirect; forwarding to a different host additionally requires masquerading to be enabled in the zone):

[root@PC1linuxprobe network-scripts]# firewall-cmd --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10
success
[root@PC1linuxprobe network-scripts]# firewall-cmd --list-all  ## check
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: port=888:proto=tcp:toport=22:toaddr=192.168.10.10
  icmp-blocks: 
  rich rules: 
    

Test:

[root@PC2linuxprobe network-scripts]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe15:20b6  prefixlen 64  scopeid 0x20<link>
[root@PC2linuxprobe network-scripts]# ssh -p 888 192.168.10.10
root@192.168.10.10's password: 
Last login: Fri Nov  6 22:11:50 2020 from 192.168.10.20
[root@PC1linuxprobe ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe20:bf5e  prefixlen 64  scopeid 0x20<link>
[root@PC1linuxprobe ~]# exit
logout
Connection to 192.168.10.10 closed.

 

15. Set rich rules to reject or allow an IP address

[root@PC1linuxprobe network-scripts]# firewall-cmd --add-rich-rule="rule family="ipv4" source address="192.168.10.20" service name="ssh" reject"
success
[root@PC1linuxprobe network-scripts]# firewall-cmd --list-all  ## check the result
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: port=888:proto=tcp:toport=22:toaddr=192.168.10.10
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.10.20" service name="ssh" reject

Test:

[root@PC2linuxprobe network-scripts]# ssh 192.168.10.10
ssh: connect to host 192.168.10.10 port 22: Connection refused

 

Set it back to allow (remove the reject rule):

[root@PC1linuxprobe network-scripts]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: port=888:proto=tcp:toport=22:toaddr=192.168.10.10
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.10.20" service name="ssh" reject
[root@PC1linuxprobe network-scripts]# firewall-cmd --remove-rich-rule="rule family="ipv4" source address="192.168.10.20" service name="ssh" reject"
success
[root@PC1linuxprobe network-scripts]# firewall-cmd --list-all ## check
public (default, active)
  interfaces: eno16777728
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: port=888:proto=tcp:toport=22:toaddr=192.168.10.10
  icmp-blocks: 
  rich rules: 
    

Test:

[root@PC2linuxprobe network-scripts]# ssh 192.168.10.10
root@192.168.10.10's password: 
Last login: Fri Nov  6 22:18:25 2020 from 192.168.10.20
[root@PC1linuxprobe ~]# ifconfig | head -n 2
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
[root@PC1linuxprobe ~]# exit
logout
Connection to 192.168.10.10 closed.
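The `--add-rich-rule` command in this section works only because the shell strips the nested double quotes before firewalld sees the rule (firewalld then prints it with the quotes restored, as `--list-all` shows). The helper below is an added example, not from the original post: `rich_rule` builds the rule string with its quotes intact and checks the family, the characters of the address and the action before anything is handed to `firewall-cmd`, and `rich_rule_cmd` wraps the whole rule in single quotes for the command line. The function names are the example's own; the address check is a character whitelist, not a full IP parser.

```shell
#!/bin/sh
# Added example: build a firewalld rich rule safely.
# rich_rule FAMILY SOURCE SERVICE ACTION
#   Emits: rule family="FAMILY" source address="SOURCE" service name="SERVICE" ACTION
#   SOURCE may be a single address or a CIDR prefix. Returns 1 on bad input.
rich_rule() {
    family=$1; source=$2; service=$3; action=$4
    case $family in
        ipv4|ipv6) ;;
        *) echo "bad family '$family' (ipv4 or ipv6)" >&2; return 1 ;;
    esac
    case $action in
        accept|reject|drop) ;;
        *) echo "bad action '$action' (accept, reject or drop)" >&2; return 1 ;;
    esac
    # Character whitelist only: digits, hex, ':' '.' '/'. Keeps shell
    # metacharacters and spaces out of the rule text.
    case $source in
        ''|*[!0-9a-fA-F:./]*) echo "bad source address '$source'" >&2; return 1 ;;
    esac
    case $service in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name '$service'" >&2; return 1 ;;
    esac
    printf 'rule family="%s" source address="%s" service name="%s" %s\n' \
        "$family" "$source" "$service" "$action"
}

# rich_rule_cmd VERB FAMILY SOURCE SERVICE ACTION
#   VERB is add or remove. Prints the firewall-cmd line with the rule
#   single-quoted, so the inner double quotes reach firewalld unchanged.
rich_rule_cmd() {
    verb=$1; shift
    case $verb in
        add|remove) ;;
        *) echo "bad verb '$verb' (add or remove)" >&2; return 1 ;;
    esac
    rule=$(rich_rule "$@") || return 1
    printf "firewall-cmd --%s-rich-rule='%s'\n" "$verb" "$rule"
}

# Stand-alone demo: the same rule the post adds, printed ready to run.
rich_rule_cmd add ipv4 192.168.10.20 ssh reject
```

`reject` answers the client immediately, which is why the test above shows `Connection refused`; `drop` would leave the client waiting until its own timeout, as the panic-mode test did. A reject or drop rich rule is matched before the zone's plain service allow rules, so the rule takes effect even though ssh stays listed under `services`. Add `--permanent` and `--reload` as in section 12 if the rule should survive a reboot.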

 

posted @ 2020-11-06 12:55  小鲨鱼2018