Linux Architecture: The Firewalld Firewall

Firewalld

Basic overview of firewall security

CentOS 7 ships with several firewall management tools; the one enabled by default is firewalld (the dynamic firewall manager). Firewalld can be managed either from the CLI (command line) or from a GUI (graphical interface).

People who have used Linux for a long time tend to be familiar with iptables, but its rules are cumbersome to write and demand a fair amount of networking knowledge, so the learning cost is high. Firewalld makes far fewer demands on networking knowledge and is considerably simpler than iptables, so anyone new to CentOS 7 is advised to learn firewalld directly.


Firewall rules

1. Inbound (traffic entering this host)

2. Outbound (traffic leaving this host)

Example: for the VM at 10.0.0.100, it is that machine's own inbound rules that decide whether you are allowed in.

Note that by default the firewall rejects any inbound traffic that no rule explicitly allows.

The firewall is managed with zones

Compared with the traditional iptables firewall, firewalld supports dynamic updates and introduces the concept of zones.

Put simply, a zone is one of several firewall policy sets (policy templates) that firewalld prepares in advance. The user picks the template that fits the scenario, which makes it possible to switch quickly between firewall policies.


Zone        Default rule policy
trusted     Allows all packets in and out
home        Rejects inbound traffic unless it is related to outbound traffic; allows traffic related to the ssh, mdns, ipp-client, samba-client and dhcpv6-client services
internal    Same as the home zone
work        Rejects inbound traffic unless it is related to outbound traffic; allows traffic related to the ssh, ipp-client and dhcpv6-client services
public      Rejects inbound traffic unless it is related to outbound traffic; allows traffic related to the ssh and dhcpv6-client services
external    Rejects inbound traffic unless it is related to outbound traffic; allows traffic related to the ssh service
dmz         Rejects inbound traffic unless it is related to outbound traffic; allows traffic related to the ssh service
block       Rejects inbound traffic unless it is related to outbound traffic (the sender receives an ICMP rejection)
drop        Rejects inbound traffic unless it is related to outbound traffic (packets are silently discarded, no reply is sent)
  • trusted: choosing this zone makes the firewall let all traffic in; anyone can reach any service on any port

  • public: the default zone

  • drop: the zone's default target is DROP, so inbound traffic that nothing in the zone allows is silently discarded without a reply

Basic firewall operations

########################## Zone-related ##############################
# Get the name of the default zone
  [root@m01 ~]# firewall-cmd --get-default-zone 
  public

# Set the default zone
  [root@m01 ~]# firewall-cmd --set-default-zone=drop
  success
  [root@m01 ~]# firewall-cmd --get-default-zone 
  drop

# List all available zones
  [root@m01 ~]# firewall-cmd --get-zones
  block dmz drop external home internal public trusted work

# Add a zone (if the new zone is not listed, the firewall has not been reloaded yet)
  # Add the ljy zone
  [root@m01 ~]# firewall-cmd --new-zone=ljy --permanent
  success
  # Reload
  [root@m01 ~]# firewall-cmd --reload
  success
  # List all zones again
  [root@m01 ~]# firewall-cmd --get-zones
  block dmz drop external home internal ljy public trusted work
  # Show the zones currently active and the NICs bound to them
  [root@m01 ~]# firewall-cmd --get-active-zones 
  drop
    interfaces: eth1 eth0

# Make the newly created zone the default
  [root@m01 ~]# firewall-cmd --set-default-zone=ljy
  success
  [root@m01 ~]# firewall-cmd --get-default-zone
  ljy
########################## Service-related ##############################
# List the supported service names
  [root@m01 ~]# firewall-cmd --get-services 
  RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

# Temporarily add an inbound service rule (runtime only; gone after the firewall is reloaded or restarted)
  [root@m01 ~]# firewall-cmd --add-service=https
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Permanently add an inbound service rule (takes effect only after a reload)
  [root@m01 ~]# firewall-cmd --add-service=https --permanent 
  success
  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Temporarily remove a service (runtime only; the permanent rule comes back after the reload, as shown below)
  [root@m01 ~]# firewall-cmd --remove-service=https
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Permanently remove the service's inbound rule
  [root@m01 ~]# firewall-cmd --remove-service=https --permanent 
  success
  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Permanently add several inbound service rules at once (to remove them, replace add with remove)
  [root@m01 ~]# firewall-cmd --add-service=https --add-service=http --permanent 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 
########################## Port-related ##############################
## Commands for opening ports
# Temporarily open a given port (lost on reload)
  [root@m01 ~]# firewall-cmd --add-port=9100/tcp
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 9100/tcp
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Permanently open a given port (requires a firewall reload)
  [root@m01 ~]# firewall-cmd --add-port=9100/tcp --permanent 
  success
  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 9100/tcp
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Permanently remove a given port (requires a firewall reload)
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 9100/tcp 22/tcp
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

  [root@m01 ~]# firewall-cmd --remove-port=22/tcp --permanent 
  success
  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 9100/tcp
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

# Open a range of ports
  [root@m01 ~]# firewall-cmd --add-port=1-6379/tcp --permanent 
  success
  [root@m01 ~]# firewall-cmd --reload 
  success
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 9100/tcp 1-6379/tcp
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

How to bind a NIC to a firewall zone

# Bind a NIC to a zone
  # Put eth0 in the drop zone
    [root@m01 ~]# firewall-cmd --add-interface=eth0 --zone=drop
    The interface is under control of NetworkManager, setting zone to 'drop'.
    success
  # List all rules of the drop zone
    [root@m01 ~]# firewall-cmd --list-all --zone=drop 
    drop (active)
      target: DROP
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 

Query commands

# List all rules of the current default zone
  [root@m01 ~]# firewall-cmd --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth1 eth0
    sources: 
    services: ssh dhcpv6-client https http
    ports: 9100/tcp 1-6379/tcp
    protocols: 
    masquerade: no
    forward-ports: 
    source-ports: 
    icmp-blocks: 
    rich rules: 

  [root@m01 ~]# firewall-cmd --list-all --zone=drop 
    drop (active)
      target: DROP
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 

# Reload the firewall
  [root@m01 ~]# firewall-cmd --reload

Firewall zone configuration policy

1. To manage the firewall with the firewalld service and its tools, the firewalld service must be running and the older firewall services must be stopped. Note that firewalld rules exist in two states:

runtime: a change takes effect immediately but is lost when the service is restarted; recommended for testing.
permanent: a change takes effect only after the service is reloaded; recommended for production.

public (active)                           # zone currently in use
  target: default                         # action for traffic no rule matches (for public this means reject)
  icmp-block-inversion: no                # ICMP block inversion is off
  interfaces: eth1                        # NICs bound to this zone
  sources:                                # source addresses bound to this zone
  services: ssh dhcpv6-client https http  # services allowed in
  ports: 9100/tcp 1-6379/tcp              # ports allowed in
  protocols:                              # protocols allowed in
  masquerade: no                          # IP masquerading (lets hosts that only have private IPs reach the internet through this machine)
  forward-ports:                          # port forwarding, e.g. map port 80 to 172.16.1.51:8080
  source-ports:                           # allowed source ports
  icmp-blocks:                            # blocked ICMP types
  rich rules:                             # rich rules

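As an added example (not part of the original post), the following shell script parses the `firewall-cmd --list-all` text shown above and reports what a zone really exposes. It embeds the tutorial's public-zone listing as a constructed sample so it runs without firewalld; `audit_zone`, `wide_port_ranges`, the 1024-port threshold and the `SAMPLE_LIST_ALL` variable are this example's own names. Run it against the runtime listing and then against `firewall-cmd --permanent --list-all` to catch rules that were only ever added at runtime.

```shell
#!/bin/sh
# Added example, not from the original post: a small audit of one firewalld
# zone. It reads the text that `firewall-cmd --list-all` prints and reports
# what is actually open, so a runtime vs. permanent mismatch or an over-wide
# port range is caught before the host goes to production.

# Constructed sample: the public-zone listing shown in the tutorial, embedded
# so the functions run without firewalld. On a real host use
#   listing=$(firewall-cmd --list-all --zone=public)
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: ssh dhcpv6-client https http
  ports: 9100/tcp 1-6379/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_name LISTING -> zone name from the first line ("public (active)" -> public)
zone_name() {
  printf '%s\n' "$1" | sed -n '1s/ .*//p'
}

# zone_field LISTING FIELD -> value of the "  FIELD: ..." line (empty if none)
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_has_service LISTING NAME -> exit 0 if NAME appears on the services line
zone_has_service() {
  for svc in $(zone_field "$1" services); do
    [ "$svc" = "$2" ] && return 0
  done
  return 1
}

# range_width PORTSPEC -> ports covered: 1-6379/tcp -> 6379, 9100/tcp -> 1
range_width() {
  spec=${1%/*}                      # drop the /tcp or /udp suffix
  case "$spec" in
    *-*) echo $(( ${spec#*-} - ${spec%-*} + 1 )) ;;
    *)   echo 1 ;;
  esac
}

# wide_port_ranges LISTING LIMIT -> every port entry covering more than LIMIT ports
wide_port_ranges() {
  for p in $(zone_field "$1" ports); do
    [ "$(range_width "$p")" -gt "$2" ] && printf '%s\n' "$p"
  done
  return 0
}

# audit_zone LISTING LIMIT -> human-readable report; always exits 0
audit_zone() {
  echo "zone $(zone_name "$1"): target=$(zone_field "$1" target)"
  echo "  services: $(zone_field "$1" services)"
  echo "  ports:    $(zone_field "$1" ports)"
  for p in $(wide_port_ranges "$1" "$2"); do
    echo "  WARNING: $p opens $(range_width "$p") ports to every source in this zone"
  done
  [ "$(zone_field "$1" masquerade)" = yes ] && echo "  note: masquerade is on; this host NATs traffic for others"
  return 0
}

audit_zone "$SAMPLE_LIST_ALL" 1024
```

The port-range warning is the check most worth keeping: the tutorial's `1-6379/tcp` opens 6379 ports to every source in the zone, which is rarely what such a range was meant to do.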
Combine the rules of the firewalld zones so that the default public zone rejects all traffic, except that sources in the 10.0.0.0/24 network are allowed (the commands below change the runtime state; add --permanent and reload to keep them).

# Remove every allow rule from the public zone
firewall-cmd --remove-service=ssh --remove-service=dhcpv6-client --remove-service=https --remove-service=http

# Add the source network to the trusted zone
firewall-cmd --add-source=10.0.0.0/24 --zone=trusted

# List all rules of the trusted zone
[root@m01 ~]# firewall-cmd --list-all --zone=trusted 
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 10.0.0.0/24
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Query whether the public zone allows requests to ssh and https

[root@m01 ~]# firewall-cmd --zone=public --query-service=https
no

# Add https
[root@m01 ~]# firewall-cmd --add-service=https
success
[root@m01 ~]# firewall-cmd --zone=public --query-service=https
yes

Allowing a custom service through the firewall

A custom service is an XML file named after the service. Put your own definitions in /etc/firewalld/services/ rather than /usr/lib/firewalld/services/: the latter directory is owned by the firewalld package and can be overwritten on upgrade, and a file in /etc/firewalld/services/ takes precedence over one of the same name under /usr/lib.

cat /usr/lib/firewalld/services/sersync.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>sersync</short>
  <description>sersync file synchronization service (custom definition, TCP port 874).</description>
  <port protocol="tcp" port="874"/>
</service>

# Reload the firewall so the new service definition is read
firewall-cmd --reload 

# Add the sersync service
firewall-cmd --add-service=sersync

# List all rules of the public zone
[root@m01 services]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1 eth0
  sources: 
  services: ssh dhcpv6-client https http sersync
  ports: 9100/tcp 1-6379/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
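As an added example, not from the original post, the script below renders and installs a service definition like the one above, validating the name, port and protocol before writing the file. `service_xml`, `write_service_xml` and `valid_port` are this example's own functions; the target directory is a parameter so it can be tested against a temporary directory, while on a real host you would pass /etc/firewalld/services and then run `firewall-cmd --reload`.

```shell
#!/bin/sh
# Added example, not from the original post: generate a firewalld service
# definition from validated inputs instead of hand-copying another service's
# XML (the tutorial's file still carried the ssh description).

# valid_port N -> exit 0 if N is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# service_xml SHORT PORT PROTO DESCRIPTION -> prints the service XML.
# The description is XML-escaped so a stray & or < cannot break the file.
service_xml() {
  desc=$(printf '%s' "$4" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g')
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>%s</short>\n  <description>%s</description>\n  <port protocol="%s" port="%s"/>\n</service>\n' \
    "$1" "$desc" "$3" "$2"
}

# write_service_xml DIR NAME PORT PROTO DESCRIPTION -> writes DIR/NAME.xml
# Rejects names with characters firewalld would not accept, ports outside
# 1..65535 and protocols other than the four firewalld supports.
write_service_xml() {
  dir=$1; name=$2; port=$3; proto=$4; desc=$5
  case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  service_xml "$name" "$port" "$proto" "$desc" > "$dir/$name.xml"
}

# Demo: render the sersync definition to stdout. To install it for real:
#   write_service_xml /etc/firewalld/services sersync 874 tcp "sersync file synchronization" \
#     && firewall-cmd --reload && firewall-cmd --get-services | tr ' ' '\n' | grep -x sersync
service_xml sersync 874 tcp "sersync file synchronization service (custom definition, TCP port 874)."
```

After the reload, `firewall-cmd --get-services` must list the new name before `--add-service=sersync` can succeed; the grep in the comment is the quickest way to confirm that.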

Firewalld port-forwarding policy

web02 10.0.0.8:8888 --> 10.0.0.7:80

# Port-forwarding template
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP>

# nginx configuration on web01
server{
        listen 80;
        server_name _;
        root /code;
        index index.html;
}

# On web02
firewall-cmd --permanent --zone=public --add-forward-port=port=8888:proto=tcp:toport=80:toaddr=10.0.0.7

# Reload
firewall-cmd --reload

# Enable IP masquerading (required when forwarding to another host; as written this is runtime only, add --permanent to keep it across reloads)
firewall-cmd --add-masquerade 

# Access from a browser
10.0.0.8:8888

Firewall rich-rule policy

Rich rules in firewalld express finer-grained, more detailed firewall policy: a rule can match on the system service, port number, source address, destination address and more, and rich rules have the highest priority of all firewall policies. The rich-rule reference follows.

# Rich-rule template
  # address family the rule applies to
  rule family="ipv4|ipv6"

  # source address, e.g. 10.0.0.0/255.255.255.0: an IP address with an optional mask; invert="true" matches every source except this one
  source address="address[/mask]" [invert="true"]

  # service by name
  service name="service name"

  # port plus protocol, e.g. port="80" protocol="tcp"
  port port="port value" protocol="tcp|udp"

  # protocol to allow, e.g. vrrp
  protocol value="protocol value"

  # port forwarding
  forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"

  # accept: traffic matched by the preceding terms is let through
  # drop:   matched traffic is discarded silently; the client cannot tell the port is open, the connection simply fails
  # reject: matched traffic is refused with an error; the client can tell the port exists but still cannot connect
  accept | reject [type="reject type"] | drop

For example, allow host 10.0.0.1 to reach the http service and allow 172.16.1.0/24 to reach port 22 (ssh):

[root@web02 ~]# firewall-cmd --remove-service=ssh --remove-service=dhcpv6-client --permanent 
success

[root@web02 ~]# firewall-cmd --reload
success

[root@web02 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address='10.0.0.1' service name=http accept'
success

[root@web02 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address='172.16.1.0/24' service name=ssh accept'
success

[root@web02 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=10.0.0.7
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.0.0.1" service name="http" accept
    rule family="ipv4" source address="172.16.1.0/24" service name="ssh" accept

# Rich-rule related commands
--add-rich-rule=''        # add a rich rule to the given zone
--remove-rich-rule=''     # remove a rich rule from the given zone
--query-rich-rule=''      # exit status 0 if the rule exists, 1 if not
--list-rich-rules         # list all rich rules of the given zone
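Both the port-forwarding template and the rich-rule template above are easy to mistype, and a typo in a CIDR or port either fails at apply time or, worse, opens something other than what was intended. As an added example, not code from the original post, the script below builds those two argument strings from validated inputs; `forward_port_arg`, `rich_rule`, `valid_ipv4` and `valid_port` are this example's own names. It reproduces the tutorial's values (10.0.0.1, 172.16.1.0/24, and 8888 forwarded to 10.0.0.7:80) and goes slightly beyond the page by also building the `port port=... protocol=...` form of a rich rule.

```shell
#!/bin/sh
# Added example, not from the original post: build firewall-cmd arguments
# for --add-forward-port and --add-rich-rule from validated inputs.

# valid_port N -> exit 0 if N is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR[/PREFIX] -> exit 0 for a dotted quad with an optional /0../32
valid_ipv4() {
  addr=${1%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32     # no /prefix given
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                          # split the octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# forward_port_arg PORT PROTO TOPORT TOADDR -> the value for --add-forward-port=
forward_port_arg() {
  valid_port "$1" && valid_port "$3" || { echo "bad port: $1 / $3" >&2; return 1; }
  case "$2" in tcp|udp) ;; *) echo "bad protocol: $2" >&2; return 1 ;; esac
  case "$4" in */*) echo "toaddr must be a single host, not a network: $4" >&2; return 1 ;; esac
  valid_ipv4 "$4" || { echo "bad target address: $4" >&2; return 1; }
  printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$1" "$2" "$3" "$4"
}

# rich_rule FAMILY SOURCE service|port VALUE ACTION -> the value for --add-rich-rule=
#   rich_rule ipv4 10.0.0.1 service http accept
#   rich_rule ipv4 172.16.1.0/24 port 22/tcp accept
# Only ipv4 sources are validated here; ipv6 is passed through unchecked.
rich_rule() {
  fam=$1; src=$2; kind=$3; val=$4; act=$5
  case "$fam" in ipv4|ipv6) ;; *) echo "bad family: $fam" >&2; return 1 ;; esac
  if [ "$fam" = ipv4 ]; then
    valid_ipv4 "$src" || { echo "bad ipv4 source: $src" >&2; return 1; }
  fi
  case "$act" in accept|reject|drop) ;; *) echo "bad action: $act" >&2; return 1 ;; esac
  case "$kind" in
    service)
      match="service name=\"$val\"" ;;
    port)
      valid_port "${val%/*}" || { echo "bad port: $val" >&2; return 1; }
      case "${val#*/}" in tcp|udp) ;; *) echo "bad protocol in: $val" >&2; return 1 ;; esac
      match="port port=\"${val%/*}\" protocol=\"${val#*/}\"" ;;
    *)
      echo "bad match kind: $kind" >&2; return 1 ;;
  esac
  printf 'rule family="%s" source address="%s" %s %s\n' "$fam" "$src" "$match" "$act"
}

# Demo: the tutorial's rules. To apply them, wrap each string, e.g.
#   firewall-cmd --permanent --add-rich-rule="$(rich_rule ipv4 10.0.0.1 service http accept)"
#   firewall-cmd --permanent --zone=public --add-forward-port="$(forward_port_arg 8888 tcp 80 10.0.0.7)"
rich_rule ipv4 10.0.0.1 service http accept
rich_rule ipv4 172.16.1.0/24 service ssh accept
forward_port_arg 8888 tcp 80 10.0.0.7
```

Because each function prints only after every check passes, a command line such as `firewall-cmd --add-rich-rule="$(rich_rule ...)"` fails with an empty rule rather than applying a malformed one, and the error message names the offending value.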