Home | 简体中文 | 繁体中文 | 杂文 | Github | 知乎专栏 | Facebook | Linkedin | Youtube | 打赏(Donations) | About
知乎专栏

29.5. CentOS 7/8 Firewalld

http://www.firewalld.org

29.5.1. 如果你不习惯使用firewalld想用回Iptables

安装iptables

		
# yum install iptables-services

# vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
		
		

默认firewall作为防火墙的设置

		
#禁止firewall开机启动

# systemctl disable firewalld.service

#设置防火墙开机启动

# systemctl enable iptables.service 

#停止firewall 

# systemctl stop firewalld.service 

#重启防火墙使配置生效

# systemctl restart iptables.service		
		
		

29.5.2. 安装 firewalld

安装firewalld

		
yum install firewalld	
		
		

firewall-config 图形界面

		
yum install firewall-config			
		
		

启动/停止/启用/禁用

		
# systemctl start firewalld
# systemctl stop firewalld
# systemctl enable firewalld
# systemctl disable firewalld
# systemctl restart firewalld
		
		

查看运行状态

		
[root@localhost ~]# systemctl status firewalld 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-06-04 11:47:00 CST; 5h 16min ago
     Docs: man:firewalld(1)
 Main PID: 2928 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─2928 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jun 04 11:47:00 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 04 11:47:00 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
		
		
		
查看服务是否开机启动:systemctl is-enabled firewalld.service
查看已启动的服务列表:systemctl list-unit-files|grep enabled
查看启动失败的服务列表:systemctl --failed		
		
		

29.5.3. firewalld 配置文件

规则配置文件
			
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
</zone>			
			
			
服务配置文件
			
[root@localhost ~]# ls -1 /usr/lib/firewalld/services/
amanda-client.xml
amanda-k5-client.xml
bacula-client.xml
bacula.xml
bgp.xml
bitcoin-rpc.xml
bitcoin-testnet-rpc.xml
bitcoin-testnet.xml
bitcoin.xml
ceph-mon.xml
ceph.xml
cfengine.xml
condor-collector.xml
ctdb.xml
dhcpv6-client.xml
dhcpv6.xml
dhcp.xml
dns.xml
docker-registry.xml
docker-swarm.xml
dropbox-lansync.xml
elasticsearch.xml
freeipa-ldaps.xml
freeipa-ldap.xml
freeipa-replication.xml
freeipa-trust.xml
ftp.xml
ganglia-client.xml
ganglia-master.xml
git.xml
gre.xml
high-availability.xml
https.xml
http.xml
imaps.xml
imap.xml
ipp-client.xml
ipp.xml
ipsec.xml
ircs.xml
irc.xml
iscsi-target.xml
jenkins.xml
kadmin.xml
kerberos.xml
kibana.xml
klogin.xml
kpasswd.xml
kprop.xml
kshell.xml
ldaps.xml
ldap.xml
libvirt-tls.xml
libvirt.xml
managesieve.xml
mdns.xml
minidlna.xml
mongodb.xml
mosh.xml
mountd.xml
mssql.xml
ms-wbt.xml
murmur.xml
mysql.xml
nfs3.xml
nfs.xml
nmea-0183.xml
nrpe.xml
ntp.xml
openvpn.xml
ovirt-imageio.xml
ovirt-storageconsole.xml
ovirt-vmconsole.xml
pmcd.xml
pmproxy.xml
pmwebapis.xml
pmwebapi.xml
pop3s.xml
pop3.xml
postgresql.xml
privoxy.xml
proxy-dhcp.xml
ptp.xml
pulseaudio.xml
puppetmaster.xml
quassel.xml
radius.xml
redis.xml
RH-Satellite-6.xml
rpc-bind.xml
rsh.xml
rsyncd.xml
samba-client.xml
samba.xml
sane.xml
sips.xml
sip.xml
smtp-submission.xml
smtps.xml
smtp.xml
snmptrap.xml
snmp.xml
spideroak-lansync.xml
squid.xml
ssh.xml
syncthing-gui.xml
syncthing.xml
synergy.xml
syslog-tls.xml
syslog.xml
telnet.xml
tftp-client.xml
tftp.xml
tinc.xml
tor-socks.xml
transmission-client.xml
upnp-client.xml
vdsm.xml
vnc-server.xml
wbem-https.xml
xmpp-bosh.xml
xmpp-client.xml
xmpp-local.xml
xmpp-server.xml
zabbix-agent.xml
zabbix-server.xml			
			
			
区域配置文件
			
[root@localhost ~]# ls -1 /usr/lib/firewalld/zones/
block.xml
dmz.xml
drop.xml
external.xml
home.xml
internal.xml
public.xml
trusted.xml
work.xml			
			
			

29.5.4. firewall-cmd

查看版本号
			
[root@localhost ~]# firewall-cmd --version
0.5.3			
			
			
查看帮助

查看帮助: firewall-cmd --help

			
[root@localhost ~]# firewall-cmd --help			
			
			
显示状态

显示状态: firewall-cmd --state

			
[root@localhost ~]# firewall-cmd --state
running			
			
			
重新载入防火墙规则
			
firewall-cmd --reload			
			
			
持久化

将当前防火墙的规则永久保存

			
[root@localhost ~]# firewall-cmd --runtime-to-permanent
success			
			
			
检查配置正确性
			
[root@localhost ~]# firewall-cmd --check-config 
success			
			
			
日志选项
			
--get-log-denied         # 获取记录被拒绝的日志;
--set-log-denied=<value> # 设置记录被拒绝的日志,只能为 'all','unicast','broadcast','multicast','off' 其中的一个;			
			
			
拒绝所有包
			
拒绝所有包:firewall-cmd --panic-on
取消拒绝状态: firewall-cmd --panic-off
查看是否拒绝: firewall-cmd --query-panic			
			
			
直接模式
			
firewall-cmd --direct -add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
firewall-cmd --reload			
			
			

29.5.5. 区域

Firewall 能将不同的网络连接归类到不同的信任级别,Zone 提供了以下几个级别

		
drop: 		丢弃所有进入的包,而不给出任何响应
block: 		拒绝所有外部发起的连接,允许内部发起的连接
public: 	允许指定的进入连接
internal: 	范围针对所有互联网用户
external: 	对伪装的进入连接,一般用于路由转发
dmz: 		允许受限制的进入连接
work: 		允许受信任的计算机被限制的进入连接,类似 workgroup
home: 		类似 homegroup
trusted: 	信任所有连接		
		
		
查看区域
			
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work			
			
			
查看默认区域
			
[root@localhost ~]# firewall-cmd --get-default-zone
public			
			
			
设置默认区域
			
firewall-cmd --set-default-zone=inside			
			
			
查看区域对应的网络接口
			
[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3			
			
			
查看指定区域的所有配置
			
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 			
			
			
查看所有区域的配置信息
			
[root@localhost ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
			
			
			
删除区域
			
[root@localhost ~]# firewall-cmd --delete-zone=your_zone --permanent			
			
			
区域接口
接口列表
			
[root@localhost ~]# firewall-cmd --list-interfaces
enp0s3		

[root@localhost ~]# firewall-cmd --list-interfaces
wlp5s0
			
				
查询接口所在区域
			
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eth0
no zone
[root@localhost ~]# firewall-cmd --get-zone-of-interface=enp0s3
public			
			
				
设置区域接口
			
firewall-cmd --set-default-zone=dmz
firewall-cmd --zone=dmz --add-interface=eth0			
			
				
更在区域接口
			
firewall-cmd --permanent --zone=internal --change-interface=enp03s			
			
			

29.5.6. 端口操作

查看端口列表
			
firewall-cmd --zone=public --list-ports			
			
			
开放端口
			
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload
			
			

开放端口 --zone=public

			
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
			
			

--permanent永久生效,没有此参数重启后失效

查看端口状态

查看端口,使用 firewall-cmd --zone=public --query-port=80/tcp

			
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp
no			
			
			
禁用端口

删除端口

			
firewall-cmd --remove-port=80/tcp --permanent
firewall-cmd --reload			
			
			

public 区域

			
firewall-cmd --zone=public --remove-port=80/tcp --permanent
			
			

--permanent 表示永久生效

指定端口协议
			
firewall-cmd --zome=public --add-port=5060-5059/udp --permanent			
			
			
端口转发

将 80 端口的流量转发到 8080 端口

			
firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080			
			
			
IP 转发

开启IP伪装

			
firewall-cmd --zone=public --add-masquerade
			
			

将 80 端口转发到 172.16.0.10:8080 主机

			
firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=172.16.0.10
			
			

29.5.7. 服务

查看可用的服务器
			
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server			
			
			
添加服务
			
[root@netkiller ~]# firewall-cmd --add-service=http --permanent
success
[root@netkiller ~]# firewall-cmd --add-service=https --permanent
success			
			
			
指定区域启用服务
			
[root@localhost ~]# firewall-cmd --zone=public --add-service=mysql --permanent
success			
			
			
指定区域禁用服务
			
[root@localhost ~]# firewall-cmd --zone=public --remove-service=mysql --permanent
success			
			
			
指定区域添加服务
			
firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --zone=dmz --add-service=https --permanent			
			
			
查询服务状态
			
[root@localhost ~]# firewall-cmd --query-service mysql
no			
			
			
查看持久化服务

查看重启后所有 Zones 级别中被允许的服务,即永久放行的服务

			
firewall-cmd --get-service --permanent			
			
			

29.5.8. IP 伪装

开启 IP 伪装
			
firewall-cmd --zone=public --add-masquerade
			
			
查看 IP 伪装
			
firewall-cmd --zone=external --query-masquerade			
			
			
关闭 IP 伪装
			
firewall-cmd --zone=public --remove-masquerade			
			
			

29.5.9. 端口转发

		
[root@localhost ~]# firewall-cmd --permanent --add-masquerade
success
[root@localhost ~]# firewall-cmd --permanent --add-forward-port=port=8443:proto=tcp:toaddr=192.168.49.2:toport=8443
success
[root@localhost ~]# firewall-cmd --reload
success		
		
		

29.5.10. 富规则

使用 --add-rich-rule, --list-rich-rules, --remove-rich-rule 命令来管理富规则

允许来自主机 192.168.0.14 的所有 IPv4 流量。

			

sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'			
			
		

拒绝来自主机 192.168.1.10 到 22 端口的 IPv4 的 TCP 流量。

		
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'		
		
		

允许来自主机 172.16.0.5 到 80 端口的 IPv4 的 TCP 流量,并将流量转发到 6532 端口上。

		
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=172.16.0.5 forward-port port=80 protocol=tcp to-port=8080'		
		
		

将主机 172.16.0.2 上 80 端口的 IPv4 流量转发到 8080 端口(需要在区域上激活 masquerade)

		
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.16.0.2'
		
		

列出你目前的丰富规则

		
firewall-cmd --list-rich-rules