firewalld 操作实践
发布时间:2019-06-14


1、firewalld 借用了硬件防火墙的 zone(区域)概念:规则不是直接绑在接口上,而是配置在 zone 内,再把接口(或来源地址段)绑定到 zone。没有显式绑定到任何 zone 的接口,其流量按"默认 zone"的规则处理(见第 4、5 节),并不是不受防火墙控制。

2.  最常用的操作是在某个 zone 内放行一个服务(service)或一个 tcp/udp 端口。下面的例子以 `--permanent` 方式添加一个名为 icmp 的 service:`--permanent` 只写入配置文件、不会立即生效,必须再执行 `--reload` 才会加载到运行时;未指定 `--zone` 时规则落到默认 zone(本机为 public)。注意 firewalld 默认并不一定预定义名为 icmp 的 service(ICMP 类型通常由 `--add-icmp-block` / icmp-block-inversion 控制),该命令可能返回 INVALID_SERVICE;放行端口应使用 `--add-port=端口/协议`,见第 6 节末尾的 3306/tcp 示例。

    firewall-cmd --add-service icmp --permanent

    firewall-cmd --reload

3.  firewalld 进程有时并没有启动,此时 `firewall-cmd` 会报 "FirewallD is not running",且内核中没有加载任何 firewalld 规则——也就是说主机实际上处于无防火墙状态,需要先启动对应进程。判断是否运行建议用 `firewall-cmd --state` 或 `systemctl status firewalld`,比 `ps -ef | grep firewall` 更可靠(后者会把 grep 自身也匹配出来,如下面第一次输出所示)。启动后还应 `systemctl enable firewalld`,否则重启后防火墙又会处于关闭状态。

[root@localhost zhou]# firewall-cmd --reload

FirewallD is not running
[root@localhost zhou]# ps -ef | grep firewall
root 2970 2757 0 07:57 pts/0 00:00:00 grep --color=auto firewall
[root@localhost zhou]# systemctl start firewalld
[root@localhost zhou]#
[root@localhost zhou]# ps -ef | grep firewall
root 2983 1 14 07:58 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root 3207 2757 0 07:58 pts/0 00:00:00 grep --color=auto firewall
[root@localhost zhou]#
[root@localhost zhou]#

4. 查看系统所有的zone

[root@localhost zhou]# firewall-cmd --get-zones          ---> 显示所有zone

work drop internal external trusted home dmz public block
[root@localhost zhou]# firewall-cmd --get-default-zone   ---> 显示默认zone
public
[root@localhost zhou]#
[root@localhost zhou]# firewall-cmd --list-all-zones    ---> 显示所有zone的所有规则
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

drop

target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

internal

target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

external

target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:

trusted

target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

home

target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

dmz

target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

public (active)

target: default
icmp-block-inversion: no
interfaces: ens33 ens37
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

block

target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@localhost zhou]#

[root@localhost zhou]# firewall-cmd --list-all --zone=public   ---> 显示public zone的所有规则

public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost zhou]#

5. 查看接口所属的 zone。注意:`--get-zone-of-interface` 返回 "no zone" 只表示该接口没有被显式绑定到某个 zone,此时它的流量按默认 zone(这里是 public)的规则处理,并不等于不过滤。另外,下面 ens37 显示 no zone,而上文 `--list-all-zones` 中 public 的 interfaces 列出了 ens33 ens37,说明两段输出并非同一时刻截取;实际排查时以 `firewall-cmd --get-active-zones` 的实时结果为准。

[root@localhost zhou]# firewall-cmd --get-zone-of-interface ens33

public
[root@localhost zhou]#
[root@localhost zhou]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:f2:c7:50 brd ff:ff:ff:ff:ff:ff
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:f2:c7:5a brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000
link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000
link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
[root@localhost zhou]#
[root@localhost zhou]# firewall-cmd --get-zone-of-interface lo
no zone
[root@localhost zhou]#
[root@localhost zhou]# firewall-cmd --get-zone-of-interface ens37
no zone
[root@localhost zhou]#
[root@localhost zhou]#

6. 删除 / 增加某个服务或端口号。先看运行时与永久配置的区别:下面第一条命令带 `--permanent` 删除 dhcpv6-client,紧接着的 `--list-all` 仍然显示 dhcpv6-client,因为 `--permanent` 只改配置文件,运行时规则要到 `--reload` 之后才更新;反之,不带 `--permanent` 的命令只改运行时规则,`--reload` 或重启服务后会从永久配置恢复。要同时生效,可带 `--permanent` 再 `--reload`,或先改运行时再执行 `firewall-cmd --runtime-to-permanent`。

[root@localhost zhou]# firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public

success
[root@localhost zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost zhou]# firewall-cmd --reload
success
[root@localhost zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost zhou]#

[root@localhost zhou]# firewall-cmd --remove-service=ssh --zone=public

success
[root@localhost zhou]#
[root@localhost zhou]#

上面的 `--remove-service=ssh` 没有带 `--permanent`,只从 public zone 的运行时规则中去掉了 ssh:命令执行后新的 ssh 连接无法再建立,已有的 ssh 连接不受影响(firewalld 对已建立的连接默认放行),执行 `--reload` 后 ssh 会从永久配置中恢复。在远程主机上不要轻易把 ssh 从活动 zone 中删掉,否则会把自己锁在外面;若只想限制来源,更稳妥的做法是保留 ssh 服务并用 rich rule 或单独 zone 的 `--add-source` 限定允许的地址段,做运行时试验时也可加 `--timeout=秒数` 让规则自动回滚。

[root@localhost zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost zhou]#

[root@localhost zhou]# firewall-cmd --permanent --add-port=3306/tcp   ----> 在默认 zone(public)中永久放行 tcp 端口 3306(MySQL 服务端口),需 --reload 后生效。注意这样是对所有来源开放 3306,等于把数据库直接暴露给公网接口;生产环境应只对需要访问的地址段放行,例如 firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3306" protocol="tcp" accept',或把可信网段 --add-source 到单独的 zone 后再在该 zone 中放行端口。reload 后用 firewall-cmd --list-ports 确认。

success
[root@localhost zhou]# firewall-cmd --reload
success
[root@localhost zhou]#

 

参考:

Firewalld详解

https://zhuanlan.zhihu.com/p/23519454

 

转载于:https://www.cnblogs.com/zhouhaibing/p/7636208.html
