Using the Linux firewall (firewalld)

The basic principle of firewalld, the new firewall service in CentOS 7, is that it sits on a very powerful filtering system called Netfilter, which is built into the kernel as modules and inspects every packet passing through the system.

This means it can programmatically inspect, modify, reject or drop any network packet (incoming, outgoing or forwarded) before it reaches its destination. Starting with CentOS 7, firewalld is the default tool for managing the host-based firewall service. The firewalld daemon is installed from the firewalld package, which is present on all base installations of the operating system but not on a minimal installation.

Advantages of FirewallD over iptables

1. Any configuration change made at runtime takes effect without reloading or restarting the firewalld service
2. Firewall management is simplified by sorting all network traffic into zones
3. Each system can hold several firewall configurations to switch between network environments
4. The D-Bus messaging system is used to interact with and maintain firewall settings

In CentOS 7 and later the classic iptables can still be used; to use iptables, stop and disable the firewalld service. Running firewalld and iptables at the same time will confuse the system, because the two are not compatible with each other.

Each zone is designed to manage traffic according to specified criteria. Without any modification, the default zone is set to public, and the associated network interfaces are attached to public.

All predefined zone rules are stored in two places: the zone rules shipped with the system are under /usr/lib/firewalld/zones/, and user-specified zone rules are under /etc/firewalld/zones/. Any modification to a system zone configuration file is saved automatically to /etc/firewalld/zones/.

Installing the firewalld service

[root@chenby ~]#  yum install firewalld -y
[root@chenby ~]#  systemctl start firewalld.service

Check the service status

[root@chenby ~]#  firewall-cmd --state
[root@chenby ~]#  systemctl status firewalld -l

Zones

Firewalld introduces several predefined zones and services for different purposes; one of the main goals is to make firewalld administration easier.

Based on these zones and services, every kind of incoming traffic to the system can be blocked unless it is explicitly allowed by a special rule in the zone.

List all zones available in firewalld

[root@chenby ~]# firewall-cmd --get-zones
block dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]# 

Show the default zone

[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]# 

Active zones and their network interfaces

[root@chenby ~]# firewall-cmd --get-active-zones
docker
  interfaces: br-31021b17396b br-53a24802cca1 docker0
public
  interfaces: ens18
[root@chenby ~]# 

Rules of the public zone

[root@chenby ~]# firewall-cmd --list-all --zone="public"
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.250.0/24" accept
[root@chenby ~]# 

List the configuration of all available zones

[root@chenby ~]#  firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-31021b17396b br-53a24802cca1 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.250.0/24" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@chenby ~]# 

Change the default zone

[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]#
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --set-default-zone=work
success
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --get-default-zone
work
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --set-default-zone=public
success
[root@chenby ~]# 
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --get-default-zone
public
[root@chenby ~]# 
[root@chenby ~]# 

Interface and zone operations

Assign a zone to a given network interface
[root@chenby ~]#  firewall-cmd --zone=internal --change-interface=enp1s1

Show the zone of every network interface on the system
[root@chenby ~]#  firewall-cmd --get-active-zones

Remove a network interface from a zone
[root@chenby ~]#  firewall-cmd --zone=internal --remove-interface=enp1s1

Custom zone

[root@chenby ~]#  vi /etc/firewalld/zones/cby.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>linuxtecksecure</short>
<description>用於企業領域。</description>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>
</zone>
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --reload
success
[root@chenby ~]# 
[root@chenby ~]# 
[root@chenby ~]# firewall-cmd --get-zones
block cby dmz docker drop external home internal nm-shared public trusted work
[root@chenby ~]# 
[root@chenby ~]# 
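The zone file above is written by hand; as an added example (not from the original post), the script below generates such a zone file from a list of services and ports, escapes the description so it cannot break the XML, and rejects malformed port specifications before anything reaches /etc/firewalld/zones/. The zone name, services and ports are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example: generate a firewalld zone file like cby.xml above.
# Copy the result into /etc/firewalld/zones/ and run `firewall-cmd --reload`.

# Escape the XML special characters so a description cannot inject markup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Accept only "<1-65535>/tcp" or "<1-65535>/udp"; return 1 otherwise.
valid_port() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    n=${1%/*}
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$n" -ge 1 ] && [ "$n" -le 65535 ]
}

# write_zone DIR NAME SHORT DESCRIPTION "svc1 svc2" "80/tcp 443/tcp"
# Writes DIR/NAME.xml and prints its path; fails (exit 1) on a bad port spec.
write_zone() {
    dir=$1 name=$2 short=$3 desc=$4 services=$5 ports=$6
    for p in $ports; do
        valid_port "$p" || { echo "bad port spec: $p" >&2; return 1; }
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
        for p in $ports; do
            # "80/tcp" becomes protocol="tcp" port="80", as in the zone file above
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</zone>\n'
    } > "$out"
    echo "$out"
}
```

Example: `write_zone /tmp cby linuxtecksecure "Corporate zone" "ssh" "80/tcp 22/tcp"` produces the same zone as the transcript, in /tmp/cby.xml.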

Services

List all available services

[root@chenby ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bareos-director bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-client llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nebula netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut opentelemetry openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps2link ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui syncthing-relay synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm 
vnc-server warpinator wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server zerotier
[root@chenby ~]# 

List the services enabled in a specific zone

[root@chenby ~]# firewall-cmd --zone=work --list-services
cockpit dhcpv6-client ssh
[root@chenby ~]# 

Add an existing service to the default zone

[root@chenby ~]# firewall-cmd --add-service=samba
success
[root@chenby ~]# 

# Verify

[root@chenby ~]# firewall-cmd --zone=public --list-services
cockpit dhcpv6-client samba ssh
[root@chenby ~]# 

Add a service permanently

[root@chenby ~]#  firewall-cmd --permanent --add-service=ftp
success
[root@chenby ~]# 

[root@chenby ~]#  firewall-cmd --reload
success
[root@chenby ~]# 

Migrate the runtime settings to the permanent configuration

[root@chenby ~]#  firewall-cmd --runtime-to-permanent
success
[root@chenby ~]# 

Open the ports for the samba service in the public zone

[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=137/udp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=138/udp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=139/tcp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --permanent --zone=public --add-port=445/tcp
success
[root@chenby ~]# 
[root@chenby ~]#  firewall-cmd --list-ports
137/udp 138/udp 139/tcp 445/tcp
[root@chenby ~]# 
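After the steps above, the public zone exposes the samba service and four extra ports on the interface facing the network. As an added example (not from the original post), the script below audits `firewall-cmd --zone=public --list-all` output against an allowlist of services and ports and reports anything beyond it; the allowlists and the sample output are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: audit a zone's --list-all output against an allowlist.

# Print the space-separated values of one "key:" line from --list-all output.
field() {  # usage: field KEY < output
    awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ /, ""); print }'
}

# audit_zone "ALLOWED SERVICES" "ALLOWED PORTS" < output
# Prints one line per unexpected service or port; returns 1 if any was found.
audit_zone() {
    allowed_svc=" $1 " allowed_ports=" $2 " rc=0
    out=$(cat)
    for s in $(printf '%s\n' "$out" | field services); do
        case "$allowed_svc" in *" $s "*) ;; *) echo "unexpected service: $s"; rc=1 ;; esac
    done
    for p in $(printf '%s\n' "$out" | field ports); do
        case "$allowed_ports" in *" $p "*) ;; *) echo "unexpected port: $p"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: the public zone after samba was added at runtime and the
# four samba ports were added permanently, as in the transcript above.
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources:
  services: cockpit dhcpv6-client samba ssh
  ports: 137/udp 138/udp 139/tcp 445/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.250.0/24" accept'

# Audit the sample against a host that should only offer ssh and cockpit.
# On a live host, feed $(firewall-cmd --zone=public --list-all) instead.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_zone "ssh cockpit dhcpv6-client" ""
}
```

Running `audit_sample` reports the samba service and the four samba ports as unexpected and exits non-zero, which makes it usable as a periodic compliance check.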

Set a rule's lifetime

Specify the timeout in seconds (s), minutes (m) or hours (h).

[root@chenby ~]#  firewall-cmd --zone=public --add-service=ftp --timeout=5m

About

https://www.oiox.cn/

https://www.oiox.cn/index.php/start-page.html

CSDN, GitHub, 51CTO, 知乎, 開源中國, 思否, 掘金, 簡書, 華為雲, 阿里雲, 騰訊雲, 嗶哩嗶哩, 今日頭條, 新浪微博, personal blog

Search for 《小陳運維》 anywhere on the web.

Articles are published mainly on the WeChat official account.
