10.19 Backing up and restoring iptables rules 10.20 The 9 firewalld zones 10.21 firewalld zone operations 10.22 firewalld service operations...

This article walks through configuring the firewalld firewall on Linux: switching the firewall over to firewalld, configuring the different zones and their rules, managing services, and defining a custom service port.

10.20 The 9 firewalld zones

First switch the system over to firewalld with the following steps:

Stop and disable iptables:
[root@cham002 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@cham002 ~]# systemctl stop iptables


Enable and start firewalld:
[root@cham002 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@cham002 ~]# systemctl start firewalld

Note: the firewall rules have changed at this point; inspect them with iptables -nvL.

The 9 zones:

  • List the available zones:
[root@cham002 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

Explanation of the 9 zones:


Note: each of the 9 zones holds its own, different set of rules!

Restart the firewalld service

[root@cham002 ~]# systemctl restart firewalld

Check the system's default zone

[root@cham002 ~]# firewall-cmd --get-default-zone 
public

10.21 firewalld zone operations

Set the default zone

[root@cham002 ~]# firewall-cmd --set-default-zone=work
success
[root@cham002 ~]# firewall-cmd --get-default-zone 
work

Check the zone of a given network interface:

[root@cham002 ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@cham002 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@cham002 ~]# firewall-cmd --get-zone-of-interface=enslo
no zone

Assign a zone to a given network interface

Method 1: edit the interface's configuration file (copy the system's interface configuration file and rename it) and add the zone there; after editing, restart the network service and reload firewalld ("systemctl restart firewalld").

Method 2:

[root@cham002 ~]# firewall-cmd --zone=dmz --add-interface=ens37
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@cham002 ~]# firewall-cmd --get-zone-of-interface=ens37
dmz
[root@cham002 ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@cham002 ~]# firewall-cmd --get-zone-of-interface=lo
public

Change the zone of a given network interface

[root@cham002 ~]# firewall-cmd --zone=block --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@cham002 ~]# firewall-cmd --get-zone-of-interface=ens37
block

Remove a given network interface from its zone

[root@cham002 ~]# firewall-cmd --zone=block --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@cham002 ~]# firewall-cmd --get-zone-of-interface=ens37
work

Show the zone of every network interface on the system

[root@cham002 ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33 ens37
public
  interfaces: lo

10.22 firewalld service operations

List all services known to the system

[root@cham002 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

List the services in the current (default) zone

[root@cham002 ~]# firewall-cmd --get-default-zone
work
[root@cham002 ~]# firewall-cmd --list-services
ssh dhcpv6-client

List the services in a given zone

[root@cham002 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
[root@cham002 ~]# firewall-cmd --zone=block --list-service

(empty)

Add a service to a zone

  • Temporary (runtime only; not written to the configuration file, so a restart restores the original configuration)
[root@cham002 ~]# firewall-cmd --zone=public --add-service=http
success
[root@cham002 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
[root@cham002 ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@cham002 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http ftp
  • Permanent (i.e. changes the configuration file)
[root@cham002 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@cham002 ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@cham002 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>
[root@cham002 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http ftp

Remove a service from a zone

  • Temporary removal
[root@cham002 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client http ssh
[root@cham002 ~]# firewall-cmd --zone=public --remove-service=http
success
[root@cham002 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
  • Permanent removal

[root@cham002 ~]# firewall-cmd --zone=public --remove-service=http --permanent
success
[root@cham002 ~]# firewall-cmd --reload
success
[root@cham002 ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client ftp
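The zone and service commands above query the running firewall. What they do not show directly is the state of the permanent configuration, which is what survives a reload or reboot: --add-service or --add-interface without --permanent changes only the runtime set and is discarded by firewall-cmd --reload, while --permanent changes only the zone XML and has no effect on the running firewall until a reload. The script below is an added example (not part of the original post) that audits the permanent configuration straight from the zone XML files, answering both "which interface is bound to which zone" (section 10.21) and "which services does each zone allow" (section 10.22), and flags services that carry credentials in cleartext. On a real host the zone files live in /etc/firewalld/zones (administrator overrides) and /usr/lib/firewalld/zones (vendor defaults); here constructed sample zone files are written to a temporary directory so the script runs anywhere. It assumes a POSIX shell with sed, grep and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: audit firewalld's *permanent*
# zone configuration from the XML files, without calling firewall-cmd.
set -e

ZONES_DIR=$(mktemp -d)          # stands in for /etc/firewalld/zones
trap 'rm -rf "$ZONES_DIR"' EXIT

# Constructed sample zone files, modelled on the work/dmz/block zones above.
cat > "$ZONES_DIR/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <interface name="ens33"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
EOF
cat > "$ZONES_DIR/dmz.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <interface name="ens37"/>
  <service name="ssh"/>
</zone>
EOF
cat > "$ZONES_DIR/block.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
  <short>Block</short>
</zone>
EOF

# zone_services ZONE -> space-separated services the zone's permanent config allows
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$ZONES_DIR/$1.xml" \
        | tr '\n' ' ' | sed 's/ $//'
}

# zone_of_interface IFACE -> zone whose permanent config binds the interface,
# or "no zone" (same wording firewall-cmd --get-zone-of-interface uses)
zone_of_interface() {
    for f in "$ZONES_DIR"/*.xml; do
        if grep -q "<interface name=\"$1\"/>" "$f"; then
            basename "$f" .xml
            return 0
        fi
    done
    echo "no zone"
}

# risky_services ZONE -> services in the zone that send credentials in cleartext
risky_services() {
    for s in $(zone_services "$1"); do
        case "$s" in ftp|telnet|pop3|imap|smtp) printf '%s ' "$s" ;; esac
    done | sed 's/ $//'
}

# Human-readable report: the permanent-config counterpart of --get-active-zones
report() {
    for f in "$ZONES_DIR"/*.xml; do
        z=$(basename "$f" .xml)
        ifaces=$(sed -n 's/.*<interface name="\([^"]*\)".*/\1/p' "$f" | tr '\n' ' ')
        printf '%s\n  interfaces: %s\n  services: %s\n' "$z" "$ifaces" "$(zone_services "$z")"
        r=$(risky_services "$z")
        if [ -n "$r" ]; then
            printf '  WARNING: cleartext services allowed: %s\n' "$r"
        fi
    done
}

report
```

Run it as-is to see the report for the constructed zones; pointing ZONES_DIR at /etc/firewalld/zones on a real host reports the overrides that will be in force after the next firewall-cmd --reload (zones with no file there fall back to the vendor default in /usr/lib/firewalld/zones).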

Application

Requirement:
The ftp service runs on the custom port 1121, and ftp must be allowed in the work zone.

Method:

Step 1: copy the ftp service definition to /etc/firewalld/services/
[root@cham002 ~]# cp /usr/lib/firewalld/services/ftp.xml  /etc/firewalld/services/
Step 2: edit the copied file, changing port="21" to port="1121"
[root@cham002 ~]# vi /etc/firewalld/services/ftp.xml
[root@cham002 ~]# cat /etc/firewalld/services/ftp.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>

Step 3: copy the work zone definition to /etc/firewalld/zones/
[root@cham002 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

Step 4: edit the copied file and add "<service name="ftp"/>"
[root@cham002 ~]# vim /etc/firewalld/zones/work.xml
[root@cham002 ~]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>

Step 5: reload firewalld
[root@cham002 ~]# firewall-cmd --reload
success
[root@cham002 ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client ftp
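The five steps above, carried out as one idempotent script, as an added example that is not part of the original post. It copies the vendor service definition into the administrator tree, rewrites only the port attribute, copies the vendor zone file and inserts the service element exactly once, then verifies the effective (administrator-overrides-vendor) result. To run anywhere it builds a constructed stand-in for the firewalld tree under a temporary directory; on a real host VENDOR would be /usr/lib/firewalld and ETC /etc/firewalld, and the final step is firewall-cmd --reload, which the script prints but deliberately does not execute. It assumes GNU sed (for -i and \n in replacements).

```shell
#!/bin/sh
# Added example, not from the original post: the custom-port procedure as a script.
set -e
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
VENDOR="$ROOT/usr/lib/firewalld"   # stand-in for /usr/lib/firewalld
ETC="$ROOT/etc/firewalld"          # stand-in for /etc/firewalld
mkdir -p "$VENDOR/services" "$VENDOR/zones" "$ETC/services" "$ETC/zones"

# Constructed stand-ins for the vendor ftp.xml and work.xml shown above
cat > "$VENDOR/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
EOF
cat > "$VENDOR/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF

# Steps 1-2: copy the vendor service definition into /etc and rewrite its port.
# Only the port="..." attribute is touched; protocol and helper module stay.
customize_service_port() {  # NAME NEWPORT
    src="$VENDOR/services/$1.xml"; dst="$ETC/services/$1.xml"
    [ -f "$dst" ] || cp "$src" "$dst"
    sed -i "s/\(<port protocol=\"[a-z]*\" port=\"\)[0-9]*\"/\1$2\"/" "$dst"
}

# service_port NAME -> port used by the effective definition (/etc wins over /usr/lib)
service_port() {
    f="$ETC/services/$1.xml"; [ -f "$f" ] || f="$VENDOR/services/$1.xml"
    sed -n 's/.*<port protocol="[a-z]*" port="\([0-9]*\)".*/\1/p' "$f"
}

# Steps 3-4: copy the vendor zone into /etc and add <service name="..."/> once.
zone_add_service() {  # ZONE SERVICE
    src="$VENDOR/zones/$1.xml"; dst="$ETC/zones/$1.xml"
    [ -f "$dst" ] || cp "$src" "$dst"
    if ! grep -q "<service name=\"$2\"/>" "$dst"; then
        sed -i "s#</zone>#  <service name=\"$2\"/>\n</zone>#" "$dst"
    fi
}

# effective_zone_services ZONE -> services in the effective permanent zone definition
effective_zone_services() {
    f="$ETC/zones/$1.xml"; [ -f "$f" ] || f="$VENDOR/zones/$1.xml"
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$f" | tr '\n' ' ' | sed 's/ $//'
}

customize_service_port ftp 1121
zone_add_service work ftp
zone_add_service work ftp   # second call is a no-op: still a single <service name="ftp"/>
echo "ftp now on tcp/$(service_port ftp); work zone allows: $(effective_zone_services work)"
echo "Step 5 on a real host: firewall-cmd --reload"
```

One caveat the procedure does not mention: the nf_conntrack_ftp helper named in the service file tracks FTP control connections on port 21 by default, so with the control port moved to 1121 the helper needs its ports module parameter set to 1121 as well (a modprobe option), otherwise passive-mode data connections are not recognised as related to the control connection and will be blocked despite the zone allowing ftp.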


Reposted from: https://my.oschina.net/u/3708120/blog/1583681
