知乎专栏 |
安装iptables
# yum install iptables-services # vim /etc/sysconfig/iptables *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
默认firewall作为防火墙的设置
#禁止firewall开机启动 # systemctl disable firewalld.service #设置防火墙开机启动 # systemctl enable iptables.service #停止firewall # systemctl stop firewalld.service #重启防火墙使配置生效 # systemctl restart iptables.service
安装firewalld
yum install firewalld
firewall-config 图形界面
yum install firewall-config
启动/停止/启用/禁用
# systemctl start firewalld # systemctl stop firewalld # systemctl enable firewalld # systemctl disable firewalld # systemctl restart firewalld
查看运行状态
[root@localhost ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2019-06-04 11:47:00 CST; 5h 16min ago Docs: man:firewalld(1) Main PID: 2928 (firewalld) CGroup: /system.slice/firewalld.service └─2928 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Jun 04 11:47:00 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon... Jun 04 11:47:00 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
查看服务是否开机启动:systemctl is-enabled firewalld.service 查看已启动的服务列表:systemctl list-unit-files|grep enabled 查看启动失败的服务列表:systemctl --failed
[root@localhost ~]# cat /etc/firewalld/zones/public.xml <?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="ssh"/> <service name="dhcpv6-client"/> <port protocol="tcp" port="80"/> </zone>
[root@localhost ~]# ls -1 /usr/lib/firewalld/services/ amanda-client.xml amanda-k5-client.xml bacula-client.xml bacula.xml bgp.xml bitcoin-rpc.xml bitcoin-testnet-rpc.xml bitcoin-testnet.xml bitcoin.xml ceph-mon.xml ceph.xml cfengine.xml condor-collector.xml ctdb.xml dhcpv6-client.xml dhcpv6.xml dhcp.xml dns.xml docker-registry.xml docker-swarm.xml dropbox-lansync.xml elasticsearch.xml freeipa-ldaps.xml freeipa-ldap.xml freeipa-replication.xml freeipa-trust.xml ftp.xml ganglia-client.xml ganglia-master.xml git.xml gre.xml high-availability.xml https.xml http.xml imaps.xml imap.xml ipp-client.xml ipp.xml ipsec.xml ircs.xml irc.xml iscsi-target.xml jenkins.xml kadmin.xml kerberos.xml kibana.xml klogin.xml kpasswd.xml kprop.xml kshell.xml ldaps.xml ldap.xml libvirt-tls.xml libvirt.xml managesieve.xml mdns.xml minidlna.xml mongodb.xml mosh.xml mountd.xml mssql.xml ms-wbt.xml murmur.xml mysql.xml nfs3.xml nfs.xml nmea-0183.xml nrpe.xml ntp.xml openvpn.xml ovirt-imageio.xml ovirt-storageconsole.xml ovirt-vmconsole.xml pmcd.xml pmproxy.xml pmwebapis.xml pmwebapi.xml pop3s.xml pop3.xml postgresql.xml privoxy.xml proxy-dhcp.xml ptp.xml pulseaudio.xml puppetmaster.xml quassel.xml radius.xml redis.xml RH-Satellite-6.xml rpc-bind.xml rsh.xml rsyncd.xml samba-client.xml samba.xml sane.xml sips.xml sip.xml smtp-submission.xml smtps.xml smtp.xml snmptrap.xml snmp.xml spideroak-lansync.xml squid.xml ssh.xml syncthing-gui.xml syncthing.xml synergy.xml syslog-tls.xml syslog.xml telnet.xml tftp-client.xml tftp.xml tinc.xml tor-socks.xml transmission-client.xml upnp-client.xml vdsm.xml vnc-server.xml wbem-https.xml xmpp-bosh.xml xmpp-client.xml xmpp-local.xml xmpp-server.xml zabbix-agent.xml zabbix-server.xml
--get-log-denied # 获取记录被拒绝的日志; --set-log-denied=<value> # 设置记录被拒绝的日志,只能为 'all','unicast','broadcast','multicast','off' 其中的一个;
拒绝所有包:firewall-cmd --panic-on 取消拒绝状态: firewall-cmd --panic-off 查看是否拒绝: firewall-cmd --query-panic
Firewall 能将不同的网络连接归类到不同的信任级别,Zone 提供了以下几个级别
drop: 丢弃所有进入的包,而不给出任何响应 block: 拒绝所有外部发起的连接,允许内部发起的连接 public: 允许指定的进入连接 internal: 范围针对所有互联网用户 external: 对伪装的进入连接,一般用于路由转发 dmz: 允许受限制的进入连接 work: 允许受信任的计算机被限制的进入连接,类似 workgroup home: 类似 homegroup trusted: 信任所有连接
[root@localhost ~]# firewall-cmd --get-zones block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: enp0s3 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
[root@localhost ~]# firewall-cmd --list-all-zones block target: %%REJECT%% icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: dmz target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: drop target: DROP icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: external target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules: home target: default icmp-block-inversion: no interfaces: sources: services: ssh mdns samba-client dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: internal target: default icmp-block-inversion: no interfaces: sources: services: ssh mdns samba-client dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: public (active) target: default icmp-block-inversion: no interfaces: enp0s3 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: trusted target: ACCEPT icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: work target: default icmp-block-inversion: no interfaces: sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
[root@localhost ~]# firewall-cmd --list-interfaces enp0s3 [root@localhost ~]# firewall-cmd --list-interfaces wlp5s0
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eth0 no zone [root@localhost ~]# firewall-cmd --get-zone-of-interface=enp0s3 public
firewall-cmd --add-port=80/tcp --permanent firewall-cmd --reload
开放端口 --zone=public
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent success
--permanent永久生效,没有此参数重启后失效
查看端口,使用 firewall-cmd --zone=public --query-port=80/tcp
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp no
删除端口
firewall-cmd --remove-port=80/tcp --permanent firewall-cmd --reload
public 区域
firewall-cmd --zone=public --remove-port=80/tcp --permanent
--permanent 表示永久生效
将 80 端口的流量转发到 8080 端口
firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080
[root@localhost ~]# firewall-cmd --get-services RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
[root@netkiller ~]# firewall-cmd --add-service=http --permanent success [root@netkiller ~]# firewall-cmd --add-service=https --permanent success
firewall-cmd --zone=dmz --add-service=http --permanent firewall-cmd --zone=dmz --add-service=https --permanent
[root@localhost ~]# firewall-cmd --permanent --add-masquerade success [root@localhost ~]# firewall-cmd --permanent --add-forward-port=port=8443:proto=tcp:toaddr=192.168.49.2:toport=8443 success [root@localhost ~]# firewall-cmd --reload success
使用 --add-rich-rule, --list-rich-rules, --remove-rich-rule 命令来管理富规则
允许来自主机 192.168.0.14 的所有 IPv4 流量。
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
拒绝来自主机 192.168.1.10 到 22 端口的 IPv4 的 TCP 流量。
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
允许来自主机 172.16.0.5 到 80 端口的 IPv4 的 TCP 流量,并将流量转发到 6532 端口上。
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=172.16.0.5 forward-port port=80 protocol=tcp to-port=8080'
将主机 172.16.0.2 上 80 端口的 IPv4 流量转发到 8080 端口(需要在区域上激活 masquerade)
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.16.0.2'
列出你目前的丰富规则
firewall-cmd --list-rich-rules