Linux firewall policies

Different Linux releases manage the firewall differently, and CentOS 7 is the big break: from CentOS 7 onward the default management front end is firewalld (the firewalld.service daemon driven by firewall-cmd), whereas CentOS 6.x used the iptables service directly. Keep in mind that firewalld is a management layer, not a separate packet filter: underneath it still programs iptables (CentOS 7) or nftables (the default backend on CentOS 8). So "firewalld or iptables" is really a question of which management service is installed and running on the host.

Checking whether a CentOS 8 host uses firewalld or iptables

First check for the iptables service. At the shell, run systemctl status iptables.service:

[root@localhost ~]# systemctl status iptables.service
Unit iptables.service could not be found.

That output means the iptables service unit is not installed on this CentOS 8 host (the iptables-services package is absent). It does not mean the iptables command or kernel packet filtering is missing; firewalld may well be programming rules underneath. Next check for firewalld: run systemctl status firewalld.service

[root@localhost ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-18 18:51:35 PDT; 51min ago
     Docs: man:firewalld(1)
 Main PID: 1070 (firewalld)
    Tasks: 2 (limit: 4768)
   Memory: 7.0M
   CGroup: /system.slice/firewalld.service
           └─1070 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

May 18 18:51:34 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 18 18:51:35 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 18 18:51:35 localhost.localdomain firewalld[1070]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Ple>

That output shows the CentOS 8 host is using firewalld, and Active is running.
Note the last journal line: firewalld warns that AllowZoneDrifting is enabled and that it regards this as insecure (the line is cut off at terminal width; systemctl status -l firewalld.service or journalctl -u firewalld shows it in full). The option lives in /etc/firewalld/firewalld.conf; setting AllowZoneDrifting=no there and reloading firewalld clears the warning.
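The warning in that status output points at a key in /etc/firewalld/firewalld.conf. The following shell script is an added example, not part of the original post: it sets a key in that file idempotently (replacing an existing or commented-out line, appending when the key is absent) and verifies the result. The config path is assumed to be the stock CentOS 8 location, the live edit and reload only run when the script is invoked with --live, and the file contents used for checking are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): set a key in firewalld.conf
# idempotently and verify it. Used here to turn off AllowZoneDrifting,
# the setting firewalld's startup log warns about, and to turn on
# logging of rejected packets.

CONF=/etc/firewalld/firewalld.conf   # assumption: stock CentOS 8 location

# fw_conf_set KEY VALUE FILE
# Replaces an existing "KEY=..." or "#KEY=..." line, or appends KEY=VALUE
# when the key is absent, then confirms exactly that line is present.
fw_conf_set() {
    key=$1; val=$2; file=$3
    if grep -Eq "^#? *$key=" "$file"; then
        # portable in-place edit (no GNU-only sed -i); keeps file mode/owner
        sed "s/^#\{0,1\} *$key=.*/$key=$val/" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
    grep -q "^$key=$val\$" "$file"
}

# fw_conf_get KEY FILE -> prints the value of KEY (last occurrence, "" if unset)
fw_conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Live use: harden the real config and reload so firewalld re-reads it.
if [ "${1:-}" = "--live" ]; then
    fw_conf_set AllowZoneDrifting no "$CONF"   # zone drifting is what the log warned about
    fw_conf_set LogDenied unicast "$CONF"      # log rejected unicast packets for the SOC
    firewall-cmd --reload
    echo "AllowZoneDrifting=$(fw_conf_get AllowZoneDrifting "$CONF")"
fi
```

Run it as root with --live on the host; without the flag it only defines the functions, so it can be sourced from other scripts. LogDenied is the firewalld.conf key that makes rejected packets show up in the kernel log, which is what you want before tightening a zone.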

firewalld

1. Check the firewalld service status

[root@localhost ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-18 18:51:35 PDT; 51min ago
     Docs: man:firewalld(1)
 Main PID: 1070 (firewalld)
    Tasks: 2 (limit: 4768)
   Memory: 7.0M
   CGroup: /system.slice/firewalld.service
           └─1070 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Active: active (running), highlighted in green, means the service is up.
Active: inactive (dead), in grey, means it is stopped; the words are enough on their own, no need to rely on the colour.

2. Check firewalld's own state

[root@localhost ~]# firewall-cmd --state
running

3. Start, restart and stop firewalld.service

  • Start: service firewalld start (on CentOS 7/8 the old service command is simply redirected to systemctl, as the output shows)
     [root@localhost ~]# firewall-cmd --state
     not running
     [root@localhost ~]# service firewalld start
     Redirecting to /bin/systemctl start firewalld.service
     [root@localhost ~]# firewall-cmd --state
     running
     [root@localhost ~]# 
  • Restart: service firewalld restart
    [root@localhost ~]# service firewalld stop
    Redirecting to /bin/systemctl stop firewalld.service
    [root@localhost ~]# firewall-cmd --state
    not running
    [root@localhost ~]# service firewalld restart
    Redirecting to /bin/systemctl restart firewalld.service
    [root@localhost ~]# firewall-cmd --state
    running
    [root@localhost ~]# 
  • Stop: service firewalld stop
     [root@localhost ~]# service firewalld stop
     Redirecting to /bin/systemctl stop firewalld.service
     [root@localhost ~]# firewall-cmd --state
     not running
  • Do not start the firewall at boot: systemctl disable firewalld
    [root@localhost ~]# firewall-cmd --state
    running
    [root@localhost ~]# systemctl disable firewalld
    Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
    Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    [root@localhost ~]# firewall-cmd --state
    running
    [root@localhost ~]# service firewalld restart
    Redirecting to /bin/systemctl restart firewalld.service
    [root@localhost ~]# firewall-cmd --state
    running
    [root@localhost ~]# firewall-cmd --reload
    success
    [root@localhost ~]# firewall-cmd --state
    running

Restarting the service and reloading the rules still leaves the firewall running. This shows that systemctl disable firewalld only removes the unit from the boot-time targets (the two symlinks it reports removing); it does not stop the daemon that is already running. Only after a system reboot does the host come up without a firewall:

[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# 
  • Start the firewall at boot: systemctl enable firewalld.service (the mirror image of disable: it creates the symlinks but does not start the daemon, which is why the state below is still not running until the service is restarted; on CentOS 8, systemctl enable --now or disable --now does both steps at once)
    [root@localhost ~]# systemctl enable firewalld.service
    Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
    Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
    [root@localhost ~]# firewall-cmd --state
    not running
    [root@localhost ~]# service firewalld restart
    Redirecting to /bin/systemctl restart firewalld.service
    [root@localhost ~]# firewall-cmd --state
    running
    [root@localhost ~]# 
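The detection steps at the top of the page and the enable/disable transcripts above both come down to two independent facts about a unit: is it running now, and will it run after the next boot. The shell script below is an added example, not part of the original post. It reads those facts from the machine-readable systemctl show output instead of scraping systemctl status, classifies each firewall management service a CentOS host may carry, and warns when none is up. The live pass runs only when invoked with --live; the classification function takes the show output as text so it can be exercised without systemd.

```shell
#!/bin/sh
# Added example (not from the original post): decide which host firewall
# service is present, whether it is running now and whether it will be
# running after the next boot, from systemctl's machine-readable output.

# fw_classify SHOW_OUTPUT
# SHOW_OUTPUT is the key=value text printed by
#   systemctl show -p LoadState,ActiveState,UnitFileState <unit>
# Prints one word:
#   absent        unit file not installed (LoadState=not-found)
#   running       active now and enabled, so it comes back at boot
#   runtime-only  active now but not enabled: gone after a reboot
#                 (a `systemctl disable` without a stop, as in the transcript)
#   boot-only     enabled but not active: comes back at boot, off right now
#                 (a `systemctl enable` without a start, as in the transcript)
#   stopped       installed, neither active nor enabled
fw_classify() {
    load=$(printf '%s\n' "$1" | sed -n 's/^LoadState=//p')
    active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
    enabled=$(printf '%s\n' "$1" | sed -n 's/^UnitFileState=//p')
    if [ "$load" = not-found ]; then
        echo absent
        return 0
    fi
    case "$active/$enabled" in
        active/enabled) echo running ;;
        active/*)       echo runtime-only ;;
        */enabled)      echo boot-only ;;
        *)              echo stopped ;;
    esac
}

# fw_live_check: classify the management services a CentOS host may carry
# and warn when no packet filter service is up at all.
fw_live_check() {
    up=0
    for unit in firewalld iptables nftables; do
        show=$(systemctl show -p LoadState,ActiveState,UnitFileState "$unit.service" 2>/dev/null || true)
        state=$(fw_classify "$show")
        printf '%-9s %s\n' "$unit" "$state"
        case "$state" in running|runtime-only) up=1 ;; esac
    done
    if [ "$up" -eq 0 ]; then
        echo "WARNING: no firewall service is running; every listening socket is reachable from the network"
    fi
}

if [ "${1:-}" = "--live" ]; then
    fw_live_check
fi
```

The two mismatch states are the ones worth alerting on: runtime-only means the protection silently disappears at the next reboot, boot-only means the host is exposed right now even though an audit of unit files would say the firewall is enabled.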

4. View the firewall rules: firewall-cmd --list-all

[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# firewall-cmd --list-all
FirewallD is not running
[root@localhost ~]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
[root@localhost ~]# firewall-cmd --state
running
[root@localhost ~]# firewall-cmd --list-all 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@localhost ~]#

This lists the default zone, public, which is active because interface ens33 is bound to it. With target: default, anything not matched by the listed services, ports or rich rules is rejected, and with sources empty the zone applies to every peer that reaches ens33. So this host accepts ssh, the cockpit web console (9090/tcp) and DHCPv6 client replies from anywhere, and nothing else.
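Reading a zone listing by eye is fine for one host; across a fleet you want the same judgement in a script. The following shell script is an added example, not part of the original post: it parses the text firewall-cmd --list-all prints and reports what the zone exposes. The listing embedded in it is the one shown above; the baseline of services expected in a public-facing zone (ssh and the DHCPv6 client) is an assumption, and the live run against the real default zone happens only with --live.

```shell
#!/bin/sh
# Added example (not from the original post): parse the text that
# `firewall-cmd --list-all` prints and turn it into findings about what
# the zone actually exposes. SAMPLE_LISTING is the listing shown above,
# embedded so the script runs without firewalld.

SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# fw_zone_field FIELD LISTING -> value of the "  FIELD: ..." line ("" if empty)
fw_zone_field() {
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# fw_zone_review LISTING [BASELINE]
# BASELINE is the space-separated set of services we expect a public-facing
# zone to offer (assumption: ssh plus the DHCPv6 client). Everything else
# the zone lets in is printed as a finding, one per line.
fw_zone_review() {
    listing=$1
    baseline=${2:-"ssh dhcpv6-client"}
    target=$(fw_zone_field target "$listing")
    sources=$(fw_zone_field sources "$listing")
    ifaces=$(fw_zone_field interfaces "$listing")

    # No sources plus an interface: the zone applies to every peer on that link.
    if [ -z "$sources" ] && [ -n "$ifaces" ]; then
        echo "scope: all peers on $ifaces (no source restriction)"
    fi
    # target ACCEPT (as in the trusted zone) lets through anything not blocked.
    if [ "$target" = ACCEPT ]; then
        echo "target ACCEPT: unmatched traffic is allowed"
    fi
    for s in $(fw_zone_field services "$listing"); do
        case " $baseline " in
            *" $s "*) ;;
            *) echo "unexpected service: $s" ;;
        esac
    done
    for p in $(fw_zone_field ports "$listing"); do
        echo "open port: $p"
    done
    if [ "$(fw_zone_field masquerade "$listing")" = yes ]; then
        echo "masquerade enabled: host NATs traffic for others"
    fi
}

if [ "${1:-}" = "--live" ]; then
    fw_zone_review "$(firewall-cmd --list-all)"     # review the running default zone
else
    fw_zone_review "$SAMPLE_LISTING"                # review the captured listing
fi
```

On the listing from this page the script reports two findings: the zone has no source restriction on ens33, and cockpit is allowed in, which is an administrative console that a public zone normally should not offer.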

5. Query, open and close ports

  • Query whether a port is open: firewall-cmd --query-port=8080/tcp
    [root@localhost ~]# firewall-cmd --state
    running
    [root@localhost ~]# firewall-cmd --query-port=8080/tcp
    no
    [root@localhost ~]# 
  • Open port 8080: firewall-cmd --permanent --add-port=8080/tcp
    [root@localhost ~]# firewall-cmd --query-port=8080/tcp
    no
    [root@localhost ~]# firewall-cmd --permanent --add-port=8080/tcp
    success
    [root@localhost ~]# firewall-cmd --query-port=8080/tcp
    no
    [root@localhost ~]# 

After restarting the firewall:

    [root@localhost ~]# service firewalld restart
     Redirecting to /bin/systemctl restart firewalld.service
    [root@localhost ~]# firewall-cmd --query-port=8080/tcp
    yes
    [root@localhost ~]# 

What this shows: --permanent only writes the saved configuration (the zone file under /etc/firewalld/zones/); the running rule set is untouched until firewall-cmd --reload or a service restart loads it, which is why --query-port (which asks about the runtime set) still answers no. To make a change both immediate and persistent, run the same command once without --permanent and once with it, or make the runtime change and then save it with firewall-cmd --runtime-to-permanent. To check the saved configuration rather than the running one, add --permanent to the query as well.

  • Remove the port: firewall-cmd --permanent --remove-port=8080/tcp
  • Reload the rules afterwards (a permanent change needs firewall-cmd --reload, or a restart, before it takes effect; the transcript below uses a restart):
    [root@localhost ~]# firewall-cmd --permanent --remove-port=8080/tcp
    success
    [root@localhost ~]# firewall-cmd --query-port=8080/tcp
    yes
    [root@localhost ~]# service firewalld restart
    Redirecting to /bin/systemctl restart firewalld.service
    [root@localhost ~]# firewall-cmd --query-port=8080/tcp
    no
    [root@localhost ~]# 
  • Permanently open port 3306: firewall-cmd --permanent --add-port=3306/tcp (3306 is the MySQL port; opened in the public zone like this it is reachable from every peer on the interface, so for a database prefer a rich rule with --add-rich-rule that restricts the source address to the application hosts)
    [root@localhost ~]# firewall-cmd --permanent --add-port=3306/tcp
    success
    [root@localhost ~]# firewall-cmd --query-port=3306/tcp
    no
    [root@localhost ~]# service firewalld restart
    Redirecting to /bin/systemctl restart firewalld.service
    [root@localhost ~]# firewall-cmd --query-port=3306/tcp
    yes
  • List all open ports: firewall-cmd --list-ports (the documented flag is plural; the --list-port spelling used in the transcript is accepted only because firewall-cmd's argument parser takes unambiguous prefixes)
    [root@localhost ~]# firewall-cmd --list-port
    22/tcp 3306/tcp
    [root@localhost ~]# 

6. Reloading the rules

  • firewall-cmd --reload
  • firewall-cmd --complete-reload
    The difference: --reload re-reads the permanent configuration into the runtime rule set while keeping connection-tracking state, so established connections survive; this is firewalld's dynamic-update feature. --complete-reload also reloads the netfilter kernel modules and drops that state, so active connections are most likely terminated, much as with a service restart; it is meant for recovering from a broken firewall, not for routine rule changes. Both discard any runtime-only change that was made without --permanent and not saved with --runtime-to-permanent.
[root@localhost ~]# firewall-cmd --list-port
22/tcp 3306/tcp
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-port
22/tcp 3306/tcp
[root@localhost ~]# firewall-cmd --complete-reload
success
[root@localhost ~]# firewall-cmd --list-port
22/tcp 3306/tcp
[root@localhost ~]# 
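Sections 5 and 6 together describe the two ways a port change goes wrong: a --permanent change that is not yet loaded, and a runtime change that the next --reload throws away. The shell script below is an added example, not part of the original post. It validates a port specification before passing it to firewall-cmd, opens a port in both the runtime and the permanent configuration, and reports drift between the two port lists. The drift function takes the two lists as text so it can be checked without firewalld; the live calls to firewall-cmd run only with --live.

```shell
#!/bin/sh
# Added example (not from the original post): open a port so that it is
# effective now AND survives --reload / reboot, validate the port spec
# before handing it to firewall-cmd, and report drift between the runtime
# and permanent port lists.

# fw_valid_port SPEC -> success if SPEC is PORT/PROTO or LOW-HIGH/PROTO
# with ports in 1..65535 (rejects anything else, including shell metachars).
fw_valid_port() {
    spec=$1
    printf '%s\n' "$spec" | grep -Eq '^[0-9]+(-[0-9]+)?/(tcp|udp|sctp|dccp)$' || return 1
    lo=${spec%%[-/]*}          # first number
    rest=${spec%/*}            # strip /proto
    hi=${rest#*-}              # second number, or the same as lo
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# fw_port_drift "RUNTIME_LIST" "PERMANENT_LIST"
# Arguments are the space-separated outputs of
#   firewall-cmd --list-ports   and   firewall-cmd --permanent --list-ports
# Prints one line per difference:
#   volatile P   open now, absent from the saved config: --reload removes it
#   pending  P   saved, not yet loaded: takes effect on --reload or reboot
fw_port_drift() {
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) echo "volatile $p" ;; esac
    done
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) echo "pending $p" ;; esac
    done
}

# fw_open_port SPEC: runtime change first (immediate), then the permanent
# copy, so neither a --reload nor a reboot silently undoes it.
fw_open_port() {
    fw_valid_port "$1" || { echo "refusing bad port spec: $1" >&2; return 2; }
    firewall-cmd --add-port="$1" >/dev/null \
        && firewall-cmd --permanent --add-port="$1" >/dev/null
}

if [ "${1:-}" = "--live" ]; then
    if [ -n "${2:-}" ]; then
        fw_open_port "$2"
    fi
    fw_port_drift "$(firewall-cmd --list-ports)" "$(firewall-cmd --permanent --list-ports)"
fi
```

Usage on a host: sh fwports.sh --live 8080/tcp opens the port both ways and then prints any remaining drift; sh fwports.sh --live alone is a read-only drift report suitable for a cron job, since an empty report means the running firewall and its saved configuration agree.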

iptables (CentOS 6.x)

  • Check the firewall status
service iptables status
  • Stop the firewall until the next boot
service iptables stop
  • Keep the firewall from starting at boot (like systemctl disable above, this leaves the currently loaded rules in place until a stop or reboot)
chkconfig iptables off
  • Restart the firewall
service iptables restart
On CentOS 7/8 these commands only apply if the iptables-services package is installed, and its iptables.service must not be run alongside firewalld, since both would be writing the same rule set.

References

[Linux命令](https://wangchujiang.com/linux-command/)

posted on 2021-05-19 14:26 by 哑吧