1. Introduction to firewall-cmd
1. The service definitions shipped with firewalld live under /usr/lib/firewalld/services/
2. Policies set with the firewall-cmd command are stored under /etc/firewalld/
List all predefined services with --get-services
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network livekit llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
List the services enabled in the default zone
[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client livekit ssh
Add a service to the default zone
[root@localhost ~]# firewall-cmd --add-service livekit
success
Remove a given service from the default zone
[root@localhost ~]# firewall-cmd --remove-service livekit
success
Define a custom service, livekit, whose ports are tcp:3000, tcp:13000 and tcp:17880
Create the custom service file under /etc/firewalld/services/
[root@localhost ~]# vim /etc/firewalld/services/livekit.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>livekit</short>
  <description>livekit</description>
  <port protocol="tcp" port="3000"/>
  <port protocol="tcp" port="13000"/>
  <port protocol="tcp" port="17880"/>
  <!--<helper name="livekit"/>-->
</service>
Reload to apply
[root@localhost ~]# firewall-cmd --reload
View the service definition
[root@localhost services]# firewall-cmd --info-service livekit
livekit
  ports: 3000/tcp 13000/tcp 17880/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:
Add the custom service
[root@localhost services]# firewall-cmd --add-service livekit --permanent
success
List the enabled services
[root@localhost services]# firewall-cmd --list-service
cockpit dhcpv6-client livekit ssh
Verify port access from another server
[hlcc@hlcc ~]$ telnet 172.28.17.122 3000
Trying 172.28.17.122...
Connected to 172.28.17.122.
Escape character is '^]'.
Remove the service and test again
[root@localhost services]# firewall-cmd --remove-service livekit --permanent
success
[root@localhost services]# firewall-cmd --list-service
cockpit dhcpv6-client ssh

Connection closed.
[hlcc@hlcc ~]$ telnet 172.28.17.122 3000
Trying 172.28.17.122...
telnet: connect to address 172.28.17.122: No route to host
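The steps above write the service XML by hand. The script below is an added example, not from the original post: it generates a firewalld service definition of the same shape from a list of proto:port specs, rejects malformed specs before anything is written, and writes the file into a directory supplied by the caller (on a real host that is /etc/firewalld/services/; a temporary directory is used here so it runs without root). Function names, the "LiveKit media server" description and the temporary directory are this example's own choices. One caveat the walkthrough glosses over: a change made with --permanent only reaches the running firewall after firewall-cmd --reload, and firewall-cmd --check-config will report a broken service file before you reload.

```shell
#!/bin/sh
# Added example (not from the original post): build a firewalld service file
# like livekit.xml from proto:port specs, validating each spec first.

# valid_port_spec proto:port -> 0 if proto is tcp/udp/sctp/dccp and port is 1-65535
valid_port_spec() {
    spec=$1
    proto=${spec%%:*}
    port=${spec#*:}
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # must be all digits (also catches a missing ':')
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# gen_service_xml short description spec... -> prints the service XML on stdout.
# Keep short and description to plain ASCII; no XML escaping is done here.
gen_service_xml() {
    short=$1; desc=$2; shift 2
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec%%:*}" "${spec#*:}"
    done
    printf '</service>\n'
}

# write_service_file dir short description spec... -> writes dir/short.xml,
# removing the file again if validation fails so no empty definition is left behind.
write_service_file() {
    dir=$1; short=$2; shift 2
    case "$short" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $short" >&2; return 1 ;;
    esac
    gen_service_xml "$short" "$@" > "$dir/$short.xml" || { rm -f "$dir/$short.xml"; return 1; }
}

# demo: write the livekit definition to a temporary directory and show it.
# On the firewall host pass /etc/firewalld/services instead, then run
# firewall-cmd --check-config, --reload, --add-service=livekit --permanent, --reload.
demo() {
    tmp=$(mktemp -d)
    write_service_file "$tmp" livekit "LiveKit media server" tcp:3000 tcp:13000 tcp:17880 \
        && cat "$tmp/livekit.xml"
    rm -rf "$tmp"
}

demo
```

The validation is deliberately strict: a spec without a colon, a protocol firewalld does not know, or a port outside 1-65535 is refused before any file is touched, so a typo cannot produce a definition that firewalld silently ignores or that opens the wrong port.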
Custom IPSET
IP set files are created under /etc/firewalld/ipsets/
They can be configured from the command line or by writing the file directly
[root@localhost services]# firewall-cmd --new-ipset trusted_ip --type hash:net --permanent
success
Add internal network ranges or allow-listed IPs
[root@localhost services]# firewall-cmd --ipset=trusted_ip --add-entry 192.168.0.0/16 --permanent
success
[root@localhost services]# firewall-cmd --ipset=trusted_ip --add-entry 172.16.0.0/12 --permanent
success
[root@localhost services]# firewall-cmd --ipset=trusted_ip --add-entry 10.0.0.0/8 --permanent
success
Reload
[root@localhost services]# firewall-cmd --reload
View the newly added ipset
[root@localhost services]# firewall-cmd --info-ipset trusted_ip
trusted_ip
  type: hash:net
  options:
  entries: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
Delete a given ipset
firewall-cmd --delete-ipset=trusted_ip --permanent
Attach the internal-range set to the trusted zone so that internal hosts have unrestricted access
[root@localhost services]# firewall-cmd --zone=trusted --add-source ipset:trusted_ip --permanent
success
Reload to apply
[root@localhost services]# firewall-cmd --reload
Inspect the trusted zone; the setting has taken effect
[root@localhost services]# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: ipset:trusted_ip
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
View firewalld's rule file for the trusted zone
[root@localhost services]# cat /usr/lib/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
</zone>
The trusted zone's target is ACCEPT: all packets are accepted
View all currently active zones and their rules
[root@localhost ~]# firewall-cmd --get-active-zones
docker
  interfaces: docker0 br-0505a6a4596b
public
  interfaces: ens18
trusted
  sources: ipset:trusted_ip
The trusted zone is active, and the configured internal ranges have no access restrictions.
Remove the added IPSET source and reload (the zone given to --remove-source must be the zone the source was added to)
[root@localhost ~]# firewall-cmd --zone=drop --remove-source ipset:trusted_ip --permanent
success
[root@localhost ~]# firewall-cmd --reload
Set up a blacklist IPSET
Create an ipset named black_ip
[root@localhost ~]# firewall-cmd --new-ipset black_ip --type hash:net --permanent
success
Add an IP or range to the IPSET
[root@localhost ~]# firewall-cmd --ipset=black_ip --add-entry 59.110.11.159 --permanent
success
Reload and view the ipset
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --info-ipset black_ip
black_ip
  type: hash:net
  options:
  entries: 59.110.11.159
Attach the blacklist IPSET to the drop zone for blacklist access control
[root@localhost ~]# firewall-cmd --zone=drop --add-source ipset:black_ip --permanent
success
Reload and view the drop zone rules
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=drop --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: ipset:black_ip
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
The configuration is in effect
View all active zone rules
[root@localhost ~]# firewall-cmd --get-active-zone
docker
  interfaces: docker0 br-0505a6a4596b
drop
  sources: ipset:black_ip
public
  interfaces: ens18
trusted
  sources: ipset:trusted_ip
From the server 59.110.11.159, telnet to any port no longer connects; the configuration works
[root@iZ2ze7ukvpkonzby0h3wbfZ ~]# telnet 111.204.226.251 443
Trying 111.204.226.251...
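Both the trusted_ip allow-list and the black_ip blacklist above are built the same way: entries go into a hash:net ipset, and the set is bound to a zone as a source. The script below is an added example, not from the original post, that serves both sections: it reads candidate entries from a file (one per line, '#' comments allowed), validates them as IPv4 addresses or CIDR blocks, drops duplicates, refuses a /0 entry (which would put every address into the zone, and in the drop zone would lock out the administrator too), and prints the firewall-cmd commands to create the set, populate it, bind it to the named zone and reload. It only prints; nothing is applied. The function names and the sample entries file are this example's own constructs.

```shell
#!/bin/sh
# Added example (not from the original post): validate ipset entries and emit
# the firewall-cmd commands that would create, fill and bind the set to a zone.

# valid_ipv4_cidr a.b.c.d[/n] -> 0 if each octet is 0-255 and prefix is 0-32
valid_ipv4_cidr() {
    entry=$1
    case "$entry" in
        */*) addr=${entry%/*}; plen=${entry#*/} ;;
        *)   addr=$entry;      plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac   # prefix must be digits only
    [ "$plen" -le 32 ] || return 1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;            # digits and single dots only
    esac
    n=0
    oldifs=$IFS; IFS=.
    for oct in $addr; do
        n=$((n + 1))
        [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]                                   # exactly four octets
}

# ipset_cmds setname zone file -> prints the permanent firewall-cmd commands for
# every valid, unique entry in file; rejected lines go to stderr and the
# function returns 1 so a caller can stop before applying anything.
ipset_cmds() {
    setname=$1; zone=$2; file=$3; rc=0
    echo "firewall-cmd --permanent --new-ipset=$setname --type=hash:net"
    # strip comments and whitespace, drop blank lines, de-duplicate
    entries=$(sed 's/#.*//' "$file" | tr -d ' \t' | grep -v '^$' | sort -u)
    set -f                                           # no globbing of unvalidated text
    for entry in $entries; do
        if ! valid_ipv4_cidr "$entry"; then
            echo "rejected (not an IPv4 address or CIDR block): $entry" >&2
            rc=1
        elif [ "${entry#*/}" = "0" ]; then
            echo "rejected (/0 would match every address): $entry" >&2
            rc=1
        else
            echo "firewall-cmd --permanent --ipset=$setname --add-entry=$entry"
        fi
    done
    set +f
    echo "firewall-cmd --permanent --zone=$zone --add-source=ipset:$setname"
    echo "firewall-cmd --reload"
    return $rc
}

# demo: a constructed entries file with a duplicate, a comment and one bad line.
demo() {
    f=$(mktemp)
    printf '10.0.0.0/8\n172.16.0.0/12 # campus ranges\n192.168.0.0/16\n10.0.0.0/8\n300.1.1.1\n' > "$f"
    ipset_cmds trusted_ip trusted "$f" || echo "some entries were rejected; fix the file before applying" >&2
    rm -f "$f"
}

demo
```

Run it against the real list, review the printed commands, and only then execute them; the same function with black_ip and drop produces the blacklist commands from the second section. Because the function fails when any line is rejected, a typo in one entry stops the whole batch instead of leaving a half-populated set bound to a zone.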