firewalld的简单用法及了解
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了firewalld的简单用法及了解相关的知识,希望对你有一定的参考价值。
iptables规则备份,把规则保存至文件当中,可以防止规则丢失
查看当前的规则
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
138 16695 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1 80 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
304 22837 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 177 packets, 15647 bytes)
pkts bytes target prot opt in out source destination 使用iptables-save 对iptables规则进行保存,保存的规则输出到一个文件当中,并查看该文件保存的规则
[[email protected] ~]# iptables-save > /usr/local/src/tmp/siyan.ipt
[[email protected] ~]# cat !$
cat /usr/local/src/tmp/siyan.ipt
# Generated by iptables-save v1.4.21 on Mon Jul 16 14:09:02 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [275:24999]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul 16 14:09:02 2018清空当前所有的iptables规则,并查看当前是否还存在iptables规则
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 27 packets, 1860 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 1568 bytes)
pkts bytes target prot opt in out source destination 使用iptables-restore 反向重定向把存储规则的文件内的规则重新写入iptables当中
[[email protected] ~]# iptables-restore < /usr/local/src/tmp/siyan.ipt
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25 1728 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 107 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination如果要想开机启动就加载这些规则的话,需要把规则写入到/etc/sysconfig/iptables文件当中,这样就会开机时加载我们需要的规则了,将备份文件的规则按照格式粘贴到iptables配置文件当中
[[email protected] ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMITfirewalld防火墙zone了解
fiewalld有九个zone,zone是保存规则的规则集
暂停掉iptables防火墙,启用firewalld
[[email protected] ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[[email protected] ~]# systemctl stop iptables
[[email protected] ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[[email protected] ~]# systemctl start firewalld查看firewalld的九个zone规则集名称,查看firewalld默认的规则集(和iptables一样,如:iptables默认为filter表)
[[email protected] ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block 查看九个zone
[[email protected] ~]# firewall-cmd --get-default-zone
public 默认的zonedrop (丢弃),任何接收的网络数据包都被丢弃,没有任何回复。仅能有发送出去的网络连接。
block (限制)任何接收的网络连接都被IPv4 的icmp-host-prohibited 信息和IPv6 的icmp6-adm-prohibited信息所拒绝。public (公共)在公共区域内使用,不能相信网络内的其他计算机不会对你的计算机造成危害,只能接收经过选取的连接。
external (外部)特别是为路由器启用了伪装功能的外部网。你不能信任来自网络的其他计算,不能相信它们不会对你的计算机造成危害,只能接收经过选择的连接。
dmz (非军事区)用于你的非军事区内的电脑,此区域内可公开访问,可以有限地进入你的内部网络,仅仅接收经过选择的连接。
work(工作)用于工作区。你可以基本相信网络内的其他电脑不会危害你的电脑。仅仅接收经过选择的连接。
home (家庭)用于家庭网络。你可以基本信任网络内的其他计算机不会危害你的计算机。仅仅接收经过选择的连接。
internal (内部)用于内部网络。你可以基本上信任网络内的其他计算机不会威胁你的计算机。仅仅接受经过选择的连接。
trusted (信任)可接受所有的网络连接。
firewall修改zone规则集
firewall-cmd --set-default-zone=work //设定默认zone规则集
[[email protected] ~]# firewall-cmd --set-default-zone=work
successfirewall-cmd --get-default-zone 查看默认规则集
[[email protected] ~]# firewall-cmd --get-default-zone
workfirewall-cmd --get-zone-of-interface=ens33 //查指定网卡的zone规则集
[[email protected] ~]# firewall-cmd --get-zone-of-interface=ens33
work如果查询的网卡没有zone规则集的话,那就需要我们指定一下规则集
firewall-cmd --zone=work --add-interface=lo //给指定网卡设置zone
[[email protected] ~]# firewall-cmd --zone=public --add-interface=lo
success
[[email protected] ~]# firewall-cmd --get-zone-of-interface=lo
publicfirewall-cmd --zone =dmz --change- interface=ens33 //对网卡更改zone规则集
[[email protected] ~]# firewall-cmd --zone=dmz --change-interface=ens33
The interface is under control of NetworkManager, setting zone to ‘dmz‘.
success
[[email protected] ~]# firewall-cmd --get-zone-of-interface=ens33
dmzfirewall-cmd -- zone=dmz --remove-interface=ens33 //针对网卡删除zone,删除zone后,会变回默认的zone,使用firewall-cmd --get-active-zones查看所有网卡所在的zone
[[email protected] ~]# firewall-cmd --zone=dmz --remove-interface=ens33
The interface is under control of NetworkManager, setting zone to default.
successfirewall-cmd --get-active-zones //查看系统所有网卡所在的zone
[[email protected] ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
public
interfaces: lofirewall的server操作
service是对所有服务开放的一个规则,services可以放行指定的服务端口,以服务名来指定
firewall-cmd --get-service //列出系统当前所有的service
[[email protected] ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server添加一个服务器的services,相同与iptables内添加一个放行的端口号
[[email protected] ~]# firewall-cmd --zone=public --add-service=http
success查看增加的services
[[email protected] ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http永久增加一个services放行端口,--permannet表示为永久保存该配置,如http没有使用,则不会保存到该配置文件当中
[[email protected] ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[[email protected] ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ftp"/>
<service name="dhcpv6-client"/>
<service name="ssh"/>
</zone>
~firewall的zone规则都有模板,firewall用模板来创建这些zones规则,模板存放在/usr/lib/firewall/zones下,zone存储位置
[[email protected] ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[[email protected] ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml需求,在work zone下放行自定义的ftp1121端口,拷贝ftp的模板文件到/etc/firewalld/services/目录下,修改port="1121"
[[email protected] ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[[email protected] ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>在work的zone中增加ftp放行的services,拷贝模板work的zone到/etc/firewalld/zones/目录下,新增一行ftp的配置
[[email protected] ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[[email protected] ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="ftp"/>
<service name="dhcpv6-client"/>
</zone>
~ 重新加载zone的配置,并查看新增的ftp的services放行
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --zone=work --list-services
ssh ftp dhcpv6-client以上是关于firewalld的简单用法及了解的主要内容,如果未能解决你的问题,请参考以下文章