firewalld hands-on practice

Posted by 专注于ICT转型


1. firewalld, as the name suggests, borrows the zone concept from hardware firewalls. Every interface must belong to some zone, and rules are configured within a zone.

2. The most common operation is adding a rule that lets a TCP or UDP port (or a predefined service) through. For example, to allow ICMP permanently and then load the change:

    firewall-cmd --add-service icmp --permanent

    firewall-cmd --reload

3. The firewalld daemon is sometimes not running; if firewall-cmd reports this, start the corresponding service first.

[[email protected] zhou]# firewall-cmd --reload
FirewallD is not running
[[email protected] zhou]# ps -ef | grep firewall
root 2970 2757 0 07:57 pts/0 00:00:00 grep --color=auto firewall
[[email protected] zhou]# systemctl start firewalld
[[email protected] zhou]#
[[email protected] zhou]# ps -ef | grep firewall
root 2983 1 14 07:58 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root 3207 2757 0 07:58 pts/0 00:00:00 grep --color=auto firewall
[[email protected] zhou]#
[[email protected] zhou]#

4. List all zones on the system

[[email protected] zhou]# firewall-cmd --get-zones          ---> list all zones
work drop internal external trusted home dmz public block
[[email protected] zhou]# firewall-cmd --get-default-zone   ---> show the default zone
public
[[email protected] zhou]#
[[email protected] zhou]# firewall-cmd --list-all-zones    ---> show the rules of every zone
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

public (active)
target: default
icmp-block-inversion: no
interfaces: ens33 ens37
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[[email protected] zhou]#

[[email protected] zhou]# firewall-cmd --list-all --zone=public   ---> show all rules of the public zone
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[[email protected] zhou]#

5. Find out which zone an interface belongs to by default

[[email protected] zhou]# firewall-cmd --get-zone-of-interface ens33
public
[[email protected] zhou]#
[[email protected] zhou]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:f2:c7:50 brd ff:ff:ff:ff:ff:ff
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:f2:c7:5a brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000
link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000
link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
[[email protected] zhou]#
[[email protected] zhou]# firewall-cmd --get-zone-of-interface lo
no zone
[[email protected] zhou]#
[[email protected] zhou]# firewall-cmd --get-zone-of-interface ens37
no zone
[[email protected] zhou]#
[[email protected] zhou]#

6. Add or remove a service or port

[[email protected] zhou]# firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
success
[[email protected] zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[[email protected] zhou]# firewall-cmd --reload
success
[[email protected] zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[[email protected] zhou]#

[[email protected] zhou]# firewall-cmd --remove-service=ssh --zone=public
success
[[email protected] zhou]#
[[email protected] zhou]#

Removing the ssh service: once the command above is entered, new ssh connections can no longer be established, while existing ssh connections are unaffected. Note that this removal was made without --permanent, so it takes effect immediately but is lost at the next --reload; conversely, the --permanent removal of dhcpv6-client above did not show up in --list-all until --reload was run.
[[email protected] zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[[email protected] zhou]#

[[email protected] zhou]# firewall-cmd --permanent --add-port=3306/tcp   ----> open TCP port 3306, the MySQL server port
success
[[email protected] zhou]# firewall-cmd --reload
success
[[email protected] zhou]#
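The listings in this section show a --permanent change that --list-all does not reflect until --reload, and a runtime change that a reload will undo. As an added example (not code from the original post), the following Python script parses the plain "field: values" listing format that firewall-cmd prints above, reports which services each active zone exposes, and diffs a runtime listing against a --permanent listing so such drift is caught; both sample listings are constructed.

```python
# Added example, not code from the original post: parse the "field: values"
# listing printed by firewall-cmd --list-all / --list-all-zones (format as shown
# above) and diff the runtime view against the --permanent view, so that a
# --permanent change not yet --reload'ed, or a runtime-only change a reload would
# discard, becomes visible. Multi-line fields (rich rules, forward-ports) are out of scope.

def parse_zones(text):
    """Return {zone: {"active": bool, field: [values]}}; a zone header is a
    non-empty line without ':' (e.g. 'public (active)'), others are 'field: v v'."""
    zones, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if ":" not in line:
            current = zones.setdefault(line.split()[0], {"active": "(active)" in line})
            continue
        if current is None:
            raise ValueError("field line before any zone header: %r" % line)
        field, _, value = line.partition(":")
        current[field.strip()] = value.split()
    return zones

def exposed_services(text):
    """Services reachable through active zones (bound to an interface or source)."""
    return {z: d.get("services", []) for z, d in parse_zones(text).items() if d["active"]}

def drift(runtime_text, permanent_text, fields=("services", "ports")):
    """Per zone and field: (values only in runtime, values only in permanent)."""
    rt, pm = parse_zones(runtime_text), parse_zones(permanent_text)
    out = {}
    for zone in sorted(set(rt) | set(pm)):
        for f in fields:
            r = set(rt.get(zone, {}).get(f, []))
            p = set(pm.get(zone, {}).get(f, []))
            if r != p:
                out.setdefault(zone, {})[f] = (sorted(r - p), sorted(p - r))
    return out

# Constructed sample: runtime listing right after
#   firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
# but before --reload, versus the --permanent listing of the same zone.
RUNTIME = "public (active)\n  target: default\n  interfaces: ens33\n" \
          "  services: dhcpv6-client ssh\n  ports: 3306/tcp\n"
PERMANENT = "public\n  target: default\n  interfaces: ens33\n" \
            "  services: ssh\n  ports: 3306/tcp\n"

if __name__ == "__main__":
    print(exposed_services(RUNTIME))  # {'public': ['dhcpv6-client', 'ssh']}
    print(drift(RUNTIME, PERMANENT))  # {'public': {'services': (['dhcpv6-client'], [])}}
```

A non-empty result from drift() means the host's effective rules differ from what survives the next reload, which is exactly the state shown in the listings above.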

Reference:

Firewalld explained in detail

https://zhuanlan.zhihu.com/p/23519454
