Using the Linux firewall (firewalld)

The basic principle behind firewalld, the new firewall service in CentOS 7: it relies on a very powerful filtering system called Netfilter, built into the kernel, which inspects every packet that passes through the system.

This means that any network packet (incoming, outgoing or forwarded) can be inspected, modified, rejected or dropped programmatically before it reaches its destination. Starting with CentOS 7, firewalld is the default tool for managing the host-based firewall. The firewalld daemon is installed from the firewalld package; it is present in every base installation of the operating system but not in a minimal installation.

Advantages of firewalld over iptables

1. Configuration changes made at runtime take effect without reloading or restarting the firewalld service
2. Firewall management is simplified by grouping all network traffic into zones
3. Each system can hold several firewall configurations, so the active one can change with the network environment
4. The D-Bus message system is used to interact with and maintain the firewall settings

On CentOS 7 or later the classic iptables can still be used; to do so, stop and disable the firewalld service. Running firewalld and iptables at the same time leaves the system in a confused state, because the two are incompatible with each other.

Each zone is designed to manage traffic according to specified criteria. Without any modification, the default zone is set to public, and the associated network interfaces are attached to public.

All predefined zone rules are stored in two locations: the system-supplied zone rules under /usr/lib/firewalld/zones/ and the user-defined zone rules under /etc/firewalld/zones/. Any modification to a system zone configuration file is automatically saved as a copy under /etc/firewalld/zones/, which takes precedence over the system copy.

Install the firewalld service

[root@chenby ~]# yum install firewalld -y
[root@chenby ~]# systemctl start firewalld.service

Check the service status

[root@chenby ~]# firewall-cmd --state
[root@chenby ~]# systemctl status firewalld -l

Zones

Firewalld introduces several predefined zones and services for different purposes; one of the main goals is to make firewalld administration easier.

Based on these zones and services, incoming traffic of any kind can be blocked unless it is explicitly allowed by a rule in the zone.

List all available zones in firewalld

[root@chenby ~]# firewall-cmd --get-zones
block dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]#

Show the default zone

[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#

Active zones and their network interfaces

[root@chenby ~]# firewall-cmd --get-active-zones
docker
interfaces: br-31021b17396b br-53a24802cca1 docker0
public
interfaces: ens18
[root@chenby ~]#

Rules of the public zone

[root@chenby ~]# firewall-cmd --list-all --zone="public"
public (active)
target: default
icmp-block-inversion: no
interfaces: ens18
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.250.0/24" accept
[root@chenby ~]#

List the full configuration of every zone

[root@chenby ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-31021b17396b br-53a24802cca1 docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject

public (active)
target: default
icmp-block-inversion: no
interfaces: ens18
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.250.0/24" accept

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@chenby ~]#
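Reading the output above by eye is error-prone once a host has many zones. The following shell function is an added example (not part of the original post) that audits text in the `firewall-cmd --list-all-zones` format and prints one summary line per zone, marking an active zone whose target is ACCEPT (as the docker zone above is) and an active zone with masquerading enabled. The sample input is constructed to mirror the zones shown above and is not captured output; on a live host the function would read `firewall-cmd --list-all-zones` directly.

```shell
#!/bin/sh
# Added example: audit firewalld zone output for settings worth a second look.
# Input (stdin): text in the format printed by `firewall-cmd --list-all-zones`.
# Output: one summary line per zone, with WARN when an *active* zone accepts
# everything (target ACCEPT) and NOTE when an active zone masquerades (NATs).
audit_zones() {
  awk '
    function flush() {
      if (zone == "") return
      flags = ""
      if (active == "yes" && target == "ACCEPT") flags = flags " WARN:active-zone-accepts-all"
      if (active == "yes" && masq == "yes")      flags = flags " NOTE:masquerade"
      printf "%s active=%s target=%s services=[%s] ports=[%s]%s\n", zone, active, target, services, ports, flags
    }
    # Zone header: a non-indented line such as "public (active)".
    /^[^ \t]/ {
      flush()
      zone = $1
      active = (index($0, "(active)") > 0) ? "yes" : "no"
      target = ""; services = ""; ports = ""; masq = ""
      next
    }
    # Attribute lines are indented; keep only the fields the audit uses.
    /^[ \t]+target:/     { target = $2; next }
    /^[ \t]+masquerade:/ { masq = $2; next }
    /^[ \t]+services:/   { sub(/^[ \t]+services:[ \t]*/, ""); services = $0; next }
    /^[ \t]+ports:/      { sub(/^[ \t]+ports:[ \t]*/, ""); ports = $0; next }
    END { flush() }
  '
}

# Constructed sample mirroring the zones listed above (not captured output).
SAMPLE_ZONES='docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  services:
  ports:
  masquerade: no

external
  target: default
  services: ssh
  ports:
  masquerade: yes

public (active)
  target: default
  interfaces: ens18
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no
  rich rules:
    rule family="ipv4" source address="192.168.250.0/24" accept

trusted
  target: ACCEPT
  services:
  ports:
  masquerade: no
'

# Number of WARN lines; a compliance script can fail when it is non-zero.
count_warnings() {
  printf '%s' "$SAMPLE_ZONES" | audit_zones | grep -c 'WARN:' || true
}

printf '%s' "$SAMPLE_ZONES" | audit_zones
```

The trusted zone also has target ACCEPT but is not flagged, because no interface or source is bound to it; only active zones actually pass traffic, so the audit keys on the `(active)` marker.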

Change the default zone

[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --set-default-zone=work
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --get-default-zone
work
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --set-default-zone=public
success
[root@chenby ~]#
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
[root@chenby ~]#

Interfaces and zones

# Assign a zone to a specific interface
[root@chenby ~]# firewall-cmd --zone=internal --change-interface=enp1s1

# Show the zone of every interface on the system
[root@chenby ~]# firewall-cmd --get-active-zones

# Remove the interface from the zone
[root@chenby ~]# firewall-cmd --zone=internal --remove-interface=enp1s1

Custom zone

[root@chenby ~]# vi /etc/firewalld/zones/cby.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>linuxtecksecure</short>
<description>用于企业领域。</description>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>
</zone>
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --reload
success
[root@chenby ~]#
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --get-zones
block cby dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]#
[root@chenby ~]#
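A hand-written zone file is easy to get subtly wrong: in cby.xml above, `<port protocol="tcp" port="22"/>` opens nothing that `<service name="ssh"/>` does not already open, and an unescaped `&` or `<` in the description would make the file unparsable. The following shell functions are an added example (not part of the original post) that generate a zone file in the same format with escaped text, parse back the services and ports it opens, and report ports already covered by a listed service. The file path, short name, description and the small service-to-port table are assumptions for this example; the authoritative service definitions live in /usr/lib/firewalld/services/.

```shell
#!/bin/sh
# Added example: generate and summarize a firewalld zone file like cby.xml.

# Escape the three characters that would break XML text content.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_zone_xml <file> <short> <description> "<services>" "<ports>"
# services: space-separated service names; ports: space-separated PORT/PROTO.
write_zone_xml() {
  file=$1; short=$2; desc=$3; services=$4; ports=$5
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
    for p in $ports; do
      # "80/tcp" -> port="80" protocol="tcp"
      printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
    done
    printf '</zone>\n'
  } > "$file"
}

# Parse the services and the PORT/PROTO entries back out of a zone file.
zone_services() { sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"; }
zone_ports() { sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' "$1"; }

# Ports of a few well-known services (assumed static table for this example).
service_port() {
  case $1 in
    ssh)   echo 22/tcp ;;
    http)  echo 80/tcp ;;
    https) echo 443/tcp ;;
    *)     echo "" ;;
  esac
}

# redundant_ports <file>: raw ports that duplicate a service already in the zone.
redundant_ports() {
  for s in $(zone_services "$1"); do
    sp=$(service_port "$s")
    [ -n "$sp" ] || continue
    for p in $(zone_ports "$1"); do
      if [ "$p" = "$sp" ]; then
        printf '%s (covered by service %s)\n' "$p" "$s"
      fi
    done
  done
}

# Demo with constructed values; a real zone file would go to /etc/firewalld/zones/.
ZONE_FILE=$(mktemp)
write_zone_xml "$ZONE_FILE" "linuxtecksecure" "Used for the enterprise domain" "ssh" "80/tcp 22/tcp"
cat "$ZONE_FILE"
redundant_ports "$ZONE_FILE"
```

After copying a generated file into /etc/firewalld/zones/, `firewall-cmd --reload` is still needed before `--get-zones` lists the new zone, exactly as shown above.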

Services

List all available services

[root@chenby ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bareos-director bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-client llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nebula netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut opentelemetry openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps2link ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui syncthing-relay synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server warpinator wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server zerotier
[root@chenby ~]#

List the services enabled in a specific zone

[root@chenby ~]# firewall-cmd --zone=work --list-services
cockpit dhcpv6-client ssh
[root@chenby ~]#

Add an existing service to the default zone (runtime only)

[root@chenby ~]# firewall-cmd --add-service=samba
success
[root@chenby ~]#

# Verify

[root@chenby ~]# firewall-cmd --zone=public --list-services
cockpit dhcpv6-client samba ssh
[root@chenby ~]#

Add a service permanently

[root@chenby ~]# firewall-cmd --permanent --add-service=ftp
success
[root@chenby ~]#

[root@chenby ~]# firewall-cmd --reload
success
[root@chenby ~]#

Migrate the runtime configuration to the permanent configuration

[root@chenby ~]# firewall-cmd --runtime-to-permanent
success
[root@chenby ~]#
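The three steps above hide a common operational trap: `--add-service=samba` without `--permanent` lives only in the runtime configuration and disappears on `--reload`, while `--permanent --add-service=ftp` does nothing until a reload. The following shell functions are an added example (not part of the original post) that compare the runtime and permanent views of a zone and report what a reload would drop or activate. The two inputs are constructed text in the format of `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all`; on a live host they would be the captured output of those two commands.

```shell
#!/bin/sh
# Added example: diff the runtime and permanent configuration of one zone.

# field <key>: value of the "  <key>: value" line in --list-all output on stdin.
# The anchor keeps "ports:" from matching "forward-ports:" or "source-ports:".
field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# only_in <set-a> <set-b>: words of <set-a> that are absent from <set-b>.
only_in() {
  for w in $1; do
    case " $2 " in
      *" $w "*) ;;
      *) printf '%s\n' "$w" ;;
    esac
  done
}

# Constructed sample: samba was added at runtime only, ftp permanently only,
# and 8080/tcp was opened at runtime only (none of this is captured output).
RUNTIME_LIST_ALL='public (active)
  target: default
  services: cockpit dhcpv6-client samba ssh
  ports: 8080/tcp
  forward-ports:
  source-ports:
  masquerade: no'

PERMANENT_LIST_ALL='public
  target: default
  services: cockpit dhcpv6-client ftp ssh
  ports:
  forward-ports:
  source-ports:
  masquerade: no'

runtime_value()   { printf '%s\n' "$RUNTIME_LIST_ALL"   | field "$1"; }
permanent_value() { printf '%s\n' "$PERMANENT_LIST_ALL" | field "$1"; }

# lost_on_reload <key>: runtime-only entries, dropped by --reload unless
# --runtime-to-permanent is run first.
lost_on_reload()   { only_in "$(runtime_value "$1")" "$(permanent_value "$1")"; }
# gained_on_reload <key>: permanent-only entries, activated by --reload.
gained_on_reload() { only_in "$(permanent_value "$1")" "$(runtime_value "$1")"; }

for key in services ports; do
  for e in $(lost_on_reload "$key"); do
    echo "runtime-only $key (lost on --reload): $e"
  done
  for e in $(gained_on_reload "$key"); do
    echo "permanent-only $key (applied on --reload): $e"
  done
done
```

Running this check before a reload, or before a reboot, shows whether `--runtime-to-permanent` is needed to keep an access rule that was only added at runtime, and whether a permanent change will open something new.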

Open the ports of the samba service in the public zone

[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=137/udp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=138/udp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=139/tcp
success
[root@chenby ~]#
[root@chenby ~]# firewall-cmd --permanent --zone=public --add-port=445/tcp
success
[root@chenby ~]#

[root@chenby ~]# firewall-cmd --list-ports
137/udp 138/udp 139/tcp 445/tcp
[root@chenby ~]#

Set a timeout for a rule

Specify the timeout in seconds (s), minutes (m) or hours (h); the rule is removed automatically when the timeout expires.

[root@chenby ~]# firewall-cmd --zone=public --add-service=ftp --timeout=5m

About

https://www.oiox.cn/

https://www.oiox.cn/index.php/start-page.html

CSDN, GitHub, 51CTO, 知乎, 开源中国, 思否, 掘金, 简书, 华为云, 阿里云, 腾讯云, 哔哩哔哩, 今日头条, 新浪微博, personal blog

Search the web for 《小陈运维》

Articles are published mainly on the WeChat official account