Firewalld
Basic overview of firewall security
CentOS 7 ships with several firewall management tools; the one enabled by default is firewalld (the dynamic firewall manager). Firewalld can be managed either from the CLI (command line) or through a GUI (graphical interface).
People who came to Linux early are usually familiar with iptables, but iptables rules are cumbersome and require a fair amount of networking knowledge, so the learning curve is steep. Firewalld demands much less networking background and is considerably simpler than iptables, so anyone new to CentOS 7 is advised to learn firewalld directly.
Firewall rules
1. Inbound
2. Outbound
Example: for a VM at 10.0.0.100, the inbound rules on the 10.0.0.100 machine decide whether you are allowed in.
Note: the firewall denies everything by default.
Firewall management with zones
Compared with the traditional iptables firewall, firewalld supports dynamic updates and introduces the concept of zones.
Put simply, a zone is one of several pre-built firewall policy sets (policy templates) that firewalld ships with. Users pick the template that matches their scenario, which allows fast switching between firewall policies.
| Zone | Default rule policy |
|---|---|
| trusted | Allows all packets in and out |
| home | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services is allowed |
| internal | Same as the home zone |
| work | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh, ipp-client and dhcpv6-client services is allowed |
| public | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh and dhcpv6-client services is allowed |
| external | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh service is allowed |
| dmz | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh service is allowed |
| block | Rejects incoming traffic unless it is related to outgoing traffic |
| drop | Rejects incoming traffic unless it is related to outgoing traffic |
- trusted: if you pick this zone, the firewall lets all traffic in; anything can reach any of my services on any port
- public: the default zone
- drop: whatever port is added to drop, it is still refused
Basic firewall operations
########################## Zones ##############################
# Get the name of the default zone
[root@m01 ~]# firewall-cmd --get-default-zone
public
# Set the default zone
[root@m01 ~]# firewall-cmd --set-default-zone=drop
success
[root@m01 ~]# firewall-cmd --get-default-zone
drop
# List all available zones
[root@m01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# Add a zone (a new zone does not show up until you reload)
# Add the ljy zone
[root@m01 ~]# firewall-cmd --new-zone=ljy --permanent
success
# Reload
[root@m01 ~]# firewall-cmd --reload
success
# List all zones again
[root@m01 ~]# firewall-cmd --get-zones
block dmz drop external home internal ljy public trusted work
# Show the zones currently in use and the interfaces bound to them
[root@m01 ~]# firewall-cmd --get-active-zones
drop
interfaces: eth1 eth0
# Make the newly created zone the default
[root@m01 ~]# firewall-cmd --set-default-zone=ljy
success
[root@m01 ~]# firewall-cmd --get-default-zone
ljy
########################## Services ##############################
# List the supported service names
[root@m01 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
# Temporarily add an inbound service rule (runtime only; lost when the firewall is restarted)
[root@m01 ~]# firewall-cmd --add-service=https
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Permanently add an inbound service rule (takes effect only after a reload)
[root@m01 ~]# firewall-cmd --add-service=https --permanent
success
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Temporarily remove a service (the permanent rule comes back after a reload)
[root@m01 ~]# firewall-cmd --remove-service=https
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Permanently remove the service rule
[root@m01 ~]# firewall-cmd --remove-service=https --permanent
success
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Permanently add several inbound service rules at once (to remove them, replace add with remove)
[root@m01 ~]# firewall-cmd --add-service=https --add-service=http --permanent
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
########################## Ports ##############################
## Commands for opening ports
# Temporarily open a port (lost on restart)
[root@m01 ~]# firewall-cmd --add-port=9100/tcp
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports: 9100/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Permanently open a port (requires a firewall reload)
[root@m01 ~]# firewall-cmd --add-port=9100/tcp --permanent
success
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports: 9100/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Permanently remove a port (requires a firewall reload)
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports: 9100/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@m01 ~]# firewall-cmd --remove-port=22/tcp --permanent
success
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports: 9100/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Open a port range
[root@m01 ~]# firewall-cmd --add-port=1-6379/tcp --permanent
success
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports: 9100/tcp 1-6379/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
How to add an interface to the firewall
# Add an interface to the firewall
# Add eth0 to the drop zone
[root@m01 ~]# firewall-cmd --add-interface=eth0 --zone=drop
The interface is under control of NetworkManager, setting zone to 'drop'.
success
# Show all rules in the drop zone
[root@m01 ~]# firewall-cmd --list-all --zone=drop
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Query commands
# Show all rules of the current default zone
[root@m01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http
ports: 9100/tcp 1-6379/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@m01 ~]# firewall-cmd --list-all --zone=drop
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Reload the firewall
[root@m01 ~]# firewall-cmd --reload
Zone configuration policy
1. To manage the firewall with the firewalld service and its tools, the firewalld service must be running and the old firewall services must be stopped. Note that firewalld rules exist in two states:
runtime: changes take effect immediately but are lost when the service restarts; recommended for testing. permanent: changes take effect only after the service is reloaded; recommended for production.
public (active) # the zone currently in use
target: default # default target of the current zone
icmp-block-inversion: no # ICMP block inversion is off
interfaces: eth1 # interfaces this zone listens on
sources: # source addresses
services: ssh dhcpv6-client https http # services allowed in
ports: 9100/tcp 1-6379/tcp # ports allowed in
protocols: # protocols allowed in
masquerade: no # IP masquerading (only lets machines with private addresses reach the internet through this host)
forward-ports: # port forwarding / port mapping, e.g. 80 -> 172.16.1.51:8080
source-ports: # source ports (where the traffic comes from)
icmp-blocks: # blocked ICMP types
rich rules: # rich rules
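Because `firewall-cmd --list-all` is what you inspect after every change, a defender wants a quick way to flag the settings that widen exposure. The following POSIX shell audit is an added example, not part of the original notes: it reads list-all text on stdin and reports services outside an allowlist, port ranges wider than a threshold (the 1-6379/tcp range above trips it), masquerading, and forward rules. The sample zone text is constructed here, and the function names and the default allowlist of ssh and dhcpv6-client are my assumptions.

```shell
# Constructed sample in the shape of the `firewall-cmd --list-all` output above,
# with the wide 1-6379/tcp range and a forward rule deliberately included.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1 eth0
  sources:
  services: ssh dhcpv6-client https http
  ports: 9100/tcp 1-6379/tcp
  protocols:
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=10.0.0.7
  source-ports:
  icmp-blocks:
  rich rules:'

# audit_zone: read list-all text on stdin and print one finding per line.
#   $1 = widest port range accepted without a finding (default 100 ports)
#   $2 = space-separated service allowlist (default "ssh dhcpv6-client")
audit_zone() {
  awk -v maxw="${1:-100}" -v allow="${2:-ssh dhcpv6-client}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # the zone header is the only line whose first word carries no colon
    NF >= 1 && $1 !~ /:/ && $1 != "rule" && $1 != "rich" { zone = $1 }
    $1 == "services:" {
      for (i = 2; i <= NF; i++)
        if (!($i in ok)) printf "%s: service %s not in allowlist\n", zone, $i
    }
    $1 == "ports:" {
      for (i = 2; i <= NF; i++) {
        split($i, p, "/"); m = split(p[1], r, "-"); w = r[2] - r[1] + 1
        if (m == 2 && w > maxw) printf "%s: range %s opens %d ports\n", zone, $i, w
      }
    }
    $1 == "masquerade:" && $2 == "yes" { printf "%s: masquerade enabled\n", zone }
    $1 == "forward-ports:" && NF > 1 {
      for (i = 2; i <= NF; i++) printf "%s: forward rule %s\n", zone, $i
    }'
}

# count_findings: number of findings for the text on stdin (same args as audit_zone)
count_findings() { audit_zone "$@" | wc -l | tr -d ' '; }
```

On a live host, pipe the real output in with `firewall-cmd --list-all --zone=public | audit_zone`; the `--list-all-zones` output works too, since the zone header resets the zone name for each block.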
Combining the rules of several zones: make the default public zone reject all traffic, but allow traffic whose source IP is in the 10.0.0.0/24 network
# Remove all allow rules from the public zone
firewall-cmd --remove-service=ssh --remove-service=dhcpv6-client --remove-service=https --remove-service=http
# Add the source network to the trusted zone
firewall-cmd --add-source=10.0.0.0/24 --zone=trusted
# Show all rules of the trusted zone
[root@m01 ~]# firewall-cmd --list-all --zone=trusted
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources: 10.0.0.0/24
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Query whether the public zone allows ssh and https requests
[root@m01 ~]# firewall-cmd --zone=public --query-service=https
no
# Add https
[root@m01 ~]# firewall-cmd --add-service=https
success
[root@m01 ~]# firewall-cmd --zone=public --query-service=https
yes
Allowing a custom service through the firewall
# Service definition file for sersync (its contents are shown below)
ll /usr/lib/firewalld/services/sersync.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>sersync</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="874"/>
</service>
# Reload the firewall
firewall-cmd --reload
# Add the sersync service
firewall-cmd --add-service=sersync
# Show all rules of the public zone
[root@m01 services]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1 eth0
sources:
services: ssh dhcpv6-client https http sersync
ports: 9100/tcp 1-6379/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Firewall port-forwarding policy
web02 10.0.0.8:8888 --> 10.0.0.7:80
# Port-forwarding template
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP>
# nginx configuration on web01
server{
listen 80;
server_name _;
root /code;
index index.html;
}
# On web02
firewall-cmd --permanent --zone=public --add-forward-port=port=8888:proto=tcp:toport=80:toaddr=10.0.0.7
# Reload
firewall-cmd --reload
# Enable IP masquerading
firewall-cmd --add-masquerade
# Open in a browser
10.0.0.8:8888
Firewall rich-rule policy
Rich rules in firewalld express finer-grained, more detailed firewall policy: they can match on system services, port numbers, source and destination addresses and many other attributes, and they have the highest priority of all firewall policies. The rich-rule reference follows.
# Rich-rule template
# Address family: apply the rule to ipv4 (or ipv6)
rule [family="ipv4|ipv6"]
# Source IP address, e.g. 10.0.0.0/255.255.255.0: an address with its subnet mask
source address="address[/mask]" [invert="True"]
# Service name
service name="service name"
# Port followed by the protocol, e.g. port="80" protocol="tcp"
port port="port value" protocol="tcp|udp"
# Protocol to open, e.g. vrrp
protocol value="protocol value"
# Port forwarding
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
# accept: traffic matching the rule above is allowed through
# drop: traffic matching the rule is silently discarded; the client cannot tell the port is open, it simply cannot connect
# reject: the client can see the port but is refused; it knows the port is open but still cannot connect
accept | reject [type="reject type"] | drop
For example, allow host 10.0.0.1 to reach the https service and allow 172.16.1.0/24 to reach port 22:
[root@web02 ~]# firewall-cmd --remove-service=ssh --remove-service=dhcpv6-client --permanent
success
[root@web02 ~]# firewall-cmd --reload
success
[root@web02 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address='10.0.0.1' service name=http accept'
success
[root@web02 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address='172.16.1.0/24' service name=ssh accept'
success
[root@web02 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services:
ports:
protocols:
masquerade: no
forward-ports: port=8888:proto=tcp:toport=80:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" accept
# Rich-rule commands
--add-rich-rule='' # add a rich rule to the given zone
--remove-rich-rule='' # remove a rich rule from the given zone
--query-rich-rule='' # returns 0 if the rule is found, 1 if not
--list-rich-rules # list all rich rules in the given zone
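The rich rules in the session above are typed with nested quotes, which is where mistakes creep in. The following POSIX shell builder is an added example, not part of the original notes: it assembles a rule in the template syntax above with consistent quoting, validates the family, the IPv4 source, the port form and the action, and only prints the `firewall-cmd` line so it can be reviewed before being applied. The function names `rich_rule` and `rich_rule_cmd` are my own.

```shell
# rich_rule FAMILY SOURCE KIND VALUE ACTION
#   FAMILY: ipv4 | ipv6
#   SOURCE: address or address/prefix; a leading "!" inverts the match
#   KIND:   service (VALUE = service name) | port (VALUE = NUM[-NUM]/tcp|udp)
#   ACTION: accept | drop | reject
# Prints the rule text, or prints an error to stderr and returns 1.
rich_rule() {
  family=$1 src=$2 kind=$3 value=$4 action=$5
  case $family in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
  case $action in accept|drop|reject) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
  invert=""
  case $src in "!"*) invert=' invert="True"'; src=${src#!} ;; esac
  # an IPv4 source must look like a.b.c.d or a.b.c.d/len
  if [ "$family" = ipv4 ]; then
    echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      || { echo "bad ipv4 source: $src" >&2; return 1; }
  fi
  case $kind in
    service) match="service name=\"$value\"" ;;
    port)
      echo "$value" | grep -Eq '^[0-9]+(-[0-9]+)?/(tcp|udp)$' \
        || { echo "port must be NUM[-NUM]/tcp|udp: $value" >&2; return 1; }
      match="port port=\"${value%/*}\" protocol=\"${value#*/}\"" ;;
    *) echo "kind must be service or port: $kind" >&2; return 1 ;;
  esac
  printf 'rule family="%s" source address="%s"%s %s %s\n' \
    "$family" "$src" "$invert" "$match" "$action"
}

# rich_rule_cmd ZONE FAMILY SOURCE KIND VALUE ACTION
# Prints the permanent firewall-cmd invocation for the rule (run it, then --reload).
rich_rule_cmd() {
  zone=$1; shift
  rule=$(rich_rule "$@") || return 1
  printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
}
```

Run the printed line with `sh` only after checking it, and confirm it landed with `--query-rich-rule` using the same rule text.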