Linux防火墙firewall的使用

CentOS 7新的防火墙服务firewalld的基本原理,它有个非常强大的过滤系统,称为 Netfilter,它内置于内核模块中,用于检查穿过系统的每个数据包。

这意味着它可以在到达目的地之前以编程方式检查、修改、拒绝或丢弃任何网络数据包,如传入、传出或转发,从 Centos-7 开始,firewalld 成为管理基于主机的防火墙服务的默认工具,firewalld 的守护进程是从 firewalld 包安装的,它将在操作系统的所有基本安装上可用,但在最小安装上不可用。

使用 FirewallD 优于“iptables”的优点

1.在运行时所做的任何配置更改都不需要重新加载或重新启动 firewalld 服务
2.通过将整个网络流量安排到区域中来简化防火墙管理
3.每个系统可以设置多个防火墙配置以更改网络环境
4.使用 D-Bus 消息系统来交互/维护防火墙设置

在 CentOS 7 或更高版本中,我们仍然可以使用经典的 iptables,如果要使用 iptables,需要停止并禁用 firewalld 服务。同时使用firewalld 和 iptables会使系统混乱,因为它们彼此不兼容。

每个区域都旨在根据指定的标准管理流量。如果没有进行任何修改,默认区域将设置为 public,并且关联的网络接口将附加到 public。

所有预定义的区域规则都存储在两个位置:系统指定的区域规则在“/usr/lib/firewalld/zones/”下,用户指定的区域规则在/etc/firewalld/zones/ 下。如果在系统区域配置文件中进行了任何修改,它将自动到 /etc/firewalld/zones/。

安装firewalld服务

[root@chenby ~]#  yum install firewalld -y
[root@chenby ~]#  systemctl start firewalld.service

查看服务状态

[root@chenby ~]#  firewall-cmd --state
[root@chenby ~]#  systemctl status firewalld -l

区域

Firewalld 为不同的目的引入了几个预定义的区域和服务,主要目的之一是更轻松地处理 firewalld 管理。

基于这些区域和服务,我们可以阻止任何形式的系统传入流量,除非它明确允许在区域中使用一些特殊规则。

查看firewalld中的所有可用区域

[root@chenby ~]# firewall-cmd --get-zones
block dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]# 

查看默认区域

[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]# 

活动区域和相关网络接口

[root@chenby ~]# firewall-cmd --get-active-zones
docker
  interfaces: br-31021b17396b br-53a24802cca1 docker0
public
  interfaces: ens18
[root@chenby ~]# 

公共区域的规则

[root@chenby ~]# firewall-cmd --list-all --zone="public"
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.250.0/24" accept
[root@chenby ~]# 

查看所有可用区域

[root@chenby ~]#  firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-31021b17396b br-53a24802cca1 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.250.0/24" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@chenby ~]# 

修改默认的区域

[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --set-default-zone=work
success
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --get-default-zone
work
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --set-default-zone=public
success
[root@chenby ~]# 
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]# 
[root@chenby ~]# 

网口和区域的操作

给指定网卡设置zone
[root@chenby ~]#  firewall-cmd --zone=internal --change-interface=enp1s1

查看系统所有网卡所在的zone
[root@chenby ~]#  firewall-cmd --get-active-zones

针对网卡删除zone
[root@chenby ~]#  firewall-cmd --zone=internal --remove-interface=enp1s1

自定义 zone

[root@chenby ~]#  vi /etc/firewalld/zones/cby.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>linuxtecksecure</short>
<description>用于企业领域。</description>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>
</zone>
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --reload
success
[root@chenby ~]# 
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --get-zones
block cby dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]# 
[root@chenby ~]# 

服务

查看所有可用的服务

[root@chenby ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bareos-director bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-client llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nebula netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut opentelemetry openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps2link ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui syncthing-relay synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server warpinator wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server zerotier
[root@chenby ~]# 

查看特定区域内的所有可用服务

[root@chenby ~]# firewall-cmd --zone=work --list-services
cockpit dhcpv6-client ssh
[root@chenby ~]# 

将现有服务添加到默认区域

[root@chenby ~]# firewall-cmd --add-service=samba
success
[root@chenby ~]# 

# 验证

[root@chenby ~]# firewall-cmd --zone=public --list-services
cockpit dhcpv6-client samba ssh
[root@chenby ~]# 

永久添加服务

[root@chenby ~]#  firewall-cmd --permanent --add-service=ftp
success
[root@chenby ~]# 

[root@chenby ~]#  firewall-cmd --reload
success
[root@chenby ~]# 

将运行时设置迁移到永久设置

[root@chenby ~]#  firewall-cmd --runtime-to-permanent
success
[root@chenby ~]# 

如何在公共区域为samba服务开放端口


[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=137/udp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=138/udp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=139/tcp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=445/tcp
success
[root@chenby ~]# 



[root@chenby ~]#  firewall-cmd --list-ports
137/udp 138/udp 139/tcp 445/tcp
[root@chenby ~]# 

设置规则生效时间

秒 (s)、分钟 (m) 或小时 (h) 为单位指定超时。

[root@chenby ~]#  firewall-cmd --zone=public --add-service=ftp --timeout=5m

关于

https://www.oiox.cn/

https://www.oiox.cn/index.php/start-page.html

CSDN、GitHub、51CTO、知乎、开源中国、思否、掘金、简书、华为云、阿里云、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客

全网可搜《小陈运维》

文章主要发布于微信公众号


小陈运维
27 声望9 粉丝