安裝iptables
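# Install the legacy iptables service unit (CentOS/RHEL 7 style). Never run
# this service and firewalld at the same time: both manage the same netfilter
# tables and each will overwrite the other's rules (the disable/enable steps
# in the next section switch between them).
# yum install iptables-services

# Rule set loaded by iptables.service from /etc/sysconfig/iptables. This is
# iptables-save format, not a shell script; lines starting with '#' are ignored
# by iptables-restore.
# vim /etc/sysconfig/iptables
*filter
# Built-in chain policies. The catch-all REJECT rules at the bottom are what
# actually close INPUT and FORWARD; with an ACCEPT policy, deleting them opens
# the host. A DROP policy on INPUT/FORWARD is the defence-in-depth alternative
# -- only switch to it with console access, since a bad rule file then locks
# remote sessions out.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host initiated. 'conntrack --ctstate' is the
# current spelling of the deprecated 'state --state' match; same semantics.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# All ICMP types (ping, path-MTU discovery). Narrow with --icmp-type if the host
# must not answer ping.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# New inbound SSH and HTTP from any source. Add '-s <admin-cidr>' to the SSH
# rule when the management network is known.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
# Catch-all: reject (ICMP error) rather than drop so clients fail fast.
# This host does not route, so FORWARD is closed as well.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT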
預設firewall作為防火牆的設置
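# Switch the host from firewalld to the legacy iptables service. Order matters:
# stop firewalld BEFORE (re)starting iptables, because firewalld removes the
# kernel rule set when it shuts down and would wipe the rules iptables.service
# just loaded. Do this from a console or out-of-band session: there is a short
# window with no firewall loaded, and a broken /etc/sysconfig/iptables leaves
# the host with whatever policy survived.

# Stop firewalld now and keep it from starting at boot.
# systemctl disable --now firewalld.service
# Mask it too, so a package or unit dependency cannot pull it back in later
# and silently replace the iptables rule set.
# systemctl mask firewalld.service

# Start iptables.service now (loads /etc/sysconfig/iptables) and at boot.
# systemctl enable --now iptables.service
# After editing /etc/sysconfig/iptables, reload the rule set:
# systemctl restart iptables.service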
安裝firewalld
# Install firewalld, the dynamic zone-based front end to netfilter. Do not
# enable it alongside iptables-services: only one of the two may own the rule set.
yum install firewalld
firewall-config 圖形界面
# Optional GUI front end; only useful on hosts with a desktop session.
# Skip it on headless servers to keep the installed package surface small.
yum install firewall-config
啟動/停止/啟用/禁用
# Lifecycle of the firewalld unit (run as root). 'enable'/'disable' only change
# what happens at boot; 'start'/'stop' only change the running daemon.
# Stopping firewalld removes its rules -- the host is then unfiltered unless
# another firewall service is active.
# systemctl start firewalld      # start the daemon now
# systemctl stop firewalld       # stop it (rule set is torn down)
# systemctl enable firewalld     # start at boot
# systemctl disable firewalld    # do not start at boot
# systemctl restart firewalld    # full restart; to pick up config changes a
#                                # plain 'firewall-cmd --reload' is usually enough
查看運行狀態
[root@localhost ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2019-06-04 11:47:00 CST; 5h 16min ago Docs: man:firewalld(1) Main PID: 2928 (firewalld) CGroup: /system.slice/firewalld.service └─2928 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Jun 04 11:47:00 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon... Jun 04 11:47:00 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
查看服務是否開機啟動:systemctl is-enabled firewalld.service 查看已啟動(開機啟用)的服務列表:systemctl list-unit-files --state=enabled 查看啟動失敗的服務列表:systemctl --failed
[root@localhost ~]# cat /etc/firewalld/zones/public.xml <?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="ssh"/> <service name="dhcpv6-client"/> <port protocol="tcp" port="80"/> </zone>
[root@localhost ~]# ls -1 /usr/lib/firewalld/services/ amanda-client.xml amanda-k5-client.xml bacula-client.xml bacula.xml bgp.xml bitcoin-rpc.xml bitcoin-testnet-rpc.xml bitcoin-testnet.xml bitcoin.xml ceph-mon.xml ceph.xml cfengine.xml condor-collector.xml ctdb.xml dhcpv6-client.xml dhcpv6.xml dhcp.xml dns.xml docker-registry.xml docker-swarm.xml dropbox-lansync.xml elasticsearch.xml freeipa-ldaps.xml freeipa-ldap.xml freeipa-replication.xml freeipa-trust.xml ftp.xml ganglia-client.xml ganglia-master.xml git.xml gre.xml high-availability.xml https.xml http.xml imaps.xml imap.xml ipp-client.xml ipp.xml ipsec.xml ircs.xml irc.xml iscsi-target.xml jenkins.xml kadmin.xml kerberos.xml kibana.xml klogin.xml kpasswd.xml kprop.xml kshell.xml ldaps.xml ldap.xml libvirt-tls.xml libvirt.xml managesieve.xml mdns.xml minidlna.xml mongodb.xml mosh.xml mountd.xml mssql.xml ms-wbt.xml murmur.xml mysql.xml nfs3.xml nfs.xml nmea-0183.xml nrpe.xml ntp.xml openvpn.xml ovirt-imageio.xml ovirt-storageconsole.xml ovirt-vmconsole.xml pmcd.xml pmproxy.xml pmwebapis.xml pmwebapi.xml pop3s.xml pop3.xml postgresql.xml privoxy.xml proxy-dhcp.xml ptp.xml pulseaudio.xml puppetmaster.xml quassel.xml radius.xml redis.xml RH-Satellite-6.xml rpc-bind.xml rsh.xml rsyncd.xml samba-client.xml samba.xml sane.xml sips.xml sip.xml smtp-submission.xml smtps.xml smtp.xml snmptrap.xml snmp.xml spideroak-lansync.xml squid.xml ssh.xml syncthing-gui.xml syncthing.xml synergy.xml syslog-tls.xml syslog.xml telnet.xml tftp-client.xml tftp.xml tinc.xml tor-socks.xml transmission-client.xml upnp-client.xml vdsm.xml vnc-server.xml wbem-https.xml xmpp-bosh.xml xmpp-client.xml xmpp-local.xml xmpp-server.xml zabbix-agent.xml zabbix-server.xml
--get-log-denied # 獲取記錄被拒絶的日誌設定; --set-log-denied=<value> # 設置記錄被拒絶的包,只能為 'all','unicast','broadcast','multicast','off' 其中的一個;預設為 off。注意:設為 all 會把每個被拒絶/丟棄的包寫入核心日誌(journal / /var/log/messages),在面向互聯網的主機上日誌量可能很大,建議只在排錯時開啟,或僅記錄 unicast。
拒絶所有包(panic 模式):firewall-cmd --panic-on 取消拒絶狀態: firewall-cmd --panic-off 查看是否拒絶: firewall-cmd --query-panic 注意:panic 模式會丟棄所有進出的包,包括當前的 SSH 會話,遠端執行 --panic-on 會把自己鎖在外面;只應在主控台或帶外管理通道上使用,且 panic 狀態不會持久化,重啟 firewalld 後自動解除。
Firewall 能將不同的網絡連接歸類到不同的信任級別,Zone 提供了以下幾個級別
drop: 丟棄所有進入的包,不作任何響應;只允許本機發起的連接
block: 拒絶所有外部發起的連接並回覆 icmp-host-prohibited(IPv6 為 icmp6-adm-prohibited);只允許本機發起的連接
public: 用於公共場所,不信任網絡上的其他主機,只接受明確指定的進入連接(安裝後的預設區域)
external: 用於啟用了偽裝(masquerade)的外部網絡,通常是作為路由器/NAT 網關的對外介面;只接受指定的進入連接
dmz: 非軍事區,主機可被公開訪問,但只接受受限的進入連接
work: 工作區網絡,基本信任其他主機,只接受指定的進入連接
home: 家庭網絡,基本信任其他主機,只接受指定的進入連接
internal: 內部網絡,基本信任其他主機,只接受指定的進入連接(並非針對互聯網用戶)
trusted: 信任所有網絡連接,全部接受
[root@localhost ~]# firewall-cmd --get-zones block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: enp0s3 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
[root@localhost ~]# firewall-cmd --list-all-zones block target: %%REJECT%% icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: dmz target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: drop target: DROP icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: external target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules: home target: default icmp-block-inversion: no interfaces: sources: services: ssh mdns samba-client dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: internal target: default icmp-block-inversion: no interfaces: sources: services: ssh mdns samba-client dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: public (active) target: default icmp-block-inversion: no interfaces: enp0s3 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: trusted target: ACCEPT icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: work target: default icmp-block-inversion: no interfaces: sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
[root@localhost ~]# firewall-cmd --list-interfaces enp0s3 [root@localhost ~]# firewall-cmd --list-interfaces wlp5s0
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eth0 no zone [root@localhost ~]# firewall-cmd --get-zone-of-interface=enp0s3 public
開放連接埠(寫入永久設定;要在運行中的規則生效,還需執行 firewall-cmd --reload,或再執行一次不帶 --permanent 的同一命令) firewall-cmd --zone=public --add-port=80/tcp --permanent
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent success
--permanent 表示寫入永久設定(/etc/firewalld/zones/public.xml),重啟後仍然生效;但它不會修改正在運行的規則,需要執行 firewall-cmd --reload 才會套用。反之,沒有此參數的命令只改變運行時設定,立即生效但重啟或 --reload 後失效。要同時生效,可先執行不帶 --permanent 的命令再執行帶 --permanent 的,或在確認運行時設定正確後執行 firewall-cmd --runtime-to-permanent。
查看連接埠,使用 firewall-cmd --zone=public --query-port=80/tcp(查詢的是運行時設定;加上 --permanent 則查詢永久設定)
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp no (回答 no 是因為上一步只寫入了永久設定,尚未 firewall-cmd --reload;用 --query-port=80/tcp --permanent 查詢會得到 yes)
刪除連接埠
# Remove the permanent 80/tcp entry from the public zone. The port stays open
# in the running rule set until 'firewall-cmd --reload' (or the same command
# without --permanent) is run -- verify with --query-port afterwards.
firewall-cmd --zone=public --remove-port=80/tcp --permanent
--permanent 表示永久生效(寫入設定檔);同樣需要 firewall-cmd --reload 才作用於運行時規則,在此之前 80 連接埠仍然是開放的
將 80 連接埠的流量轉發到 8080 連接埠
# Redirect inbound TCP/80 arriving in the public zone to local port 8080 (DNAT).
# Runtime only -- there is no --permanent, so it disappears on reload/reboot.
# Anything reaching 8080 this way is admitted by the forward rule, not by the
# zone's port list, so 8080 itself does not need to be opened. Forwarding to a
# different host (toaddr=) additionally needs masquerade on the zone.
firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080
[root@localhost ~]# firewall-cmd --get-services RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
[root@localhost ~]# firewall-cmd --zone=public --add-service=mysql --permanent success (注意:這會把 MySQL 的 3306/tcp 對 public 區域綁定介面上的所有來源開放;資料庫通常只應對應用伺服器開放,建議改用帶 source address 的富規則或把內網介面放到 internal 區域,--reload 後用 --list-all 確認)
[root@localhost ~]# firewall-cmd --zone=public --remove-service=mysql --permanent success
# Permit HTTP and HTTPS in the dmz zone (permanent config; takes effect after
# 'firewall-cmd --reload'). The dmz zone only matters for interfaces or sources
# bound to it -- in the --list-all-zones output above it has none, so these
# rules are inert until an interface/source is assigned to dmz.
firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --zone=dmz --add-service=https --permanent
使用 --add-rich-rule, --list-rich-rules, --remove-rich-rule 命令來管理富規則
允許來自主機 192.168.0.14 的所有 IPv4 流量。
# Rich rule: accept every IPv4 packet from 192.168.0.14 on any port/protocol,
# regardless of the zone's service and port lists. That is a host-wide
# allow-list entry for that address; prefer scoping it with
# 'service name="..."' or 'port port=... protocol=...' unless the peer really
# needs everything. Runtime only (no --permanent).
# 'sudo' is used here while the rest of this page runs as root; either works.
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
拒絶來自主機 192.168.1.10 到 22 連接埠的 IPv4 TCP 流量(富規則優先於區域的 ssh 服務,所以即使區域允許 ssh,這台主機也會被拒絶;套用後用 --list-all 確認)。
# Rich rule: reject TCP/22 from 192.168.1.10 only (sender receives an ICMP
# error). Use 'drop' instead of 'reject' if the sender should get no feedback.
# Source-specific rich rules are evaluated ahead of the zone's service list,
# so this overrides the zone-wide ssh allow for that host -- confirm with
# --list-all after applying. Runtime only without --permanent.
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
允許來自主機 172.16.0.5 到 80 連接埠的 IPv4 TCP 流量,並將其轉發到本機的 8080 連接埠(下面命令中的 to-port=8080)。
# Rich rule: for IPv4 traffic from 172.16.0.5 only, redirect TCP/80 to local
# port 8080. Other sources are unaffected. Runtime only (no --permanent).
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=172.16.0.5 forward-port port=80 protocol=tcp to-port=8080'
將本機 80 連接埠收到的 IPv4 TCP 流量轉發到主機 172.16.0.2 的 8080 連接埠(需要在區域上啟用 masquerade:firewall-cmd --zone=public --add-masquerade,並確認核心已開啟 IP 轉發)
# Rich rule: DNAT local TCP/80 to 172.16.0.2:8080. Needs masquerade enabled on
# the zone ('firewall-cmd --zone=public --add-masquerade') so return traffic is
# rewritten, plus kernel IP forwarding. Runtime only without --permanent.
# Masquerade on a public-facing zone turns this host into a NAT gateway for
# whatever it forwards -- keep FORWARD restricted to the intended destinations.
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.16.0.2'
列出你目前的豐富規則
# List the rich rules of the default zone (runtime view). Add --zone=... for
# another zone and --permanent to inspect the saved configuration instead.
firewall-cmd --list-rich-rules