Firewall

The relationship between firewalld and iptables (CentOS):

firewalld has no packet-filtering capability of its own; like iptables, it relies on the kernel's netfilter to do the actual filtering.
In other words, firewalld and iptables play the same role: both maintain rule sets, while the kernel's netfilter is what actually enforces the rules.
The two differ only in how they are structured and how they are used.

 


firewalld overview:
   firewalld is a major feature of CentOS 7. Its two biggest advantages are:

   dynamic rule updates without restarting the service, and the introduction of the firewall "zone" concept.

firewalld offers both a graphical interface and a command-line tool.
The command-line management tool for firewalld is firewall-cmd.
firewalld has two default configuration directories: /usr/lib/firewalld/ (system configuration; avoid modifying it) and /etc/firewalld/ (user configuration).

 

 

The "zone" concept:
Each zone is a set of rules, but with so many zones, which zone (which rule set) should handle a given request?
firewalld decides which zone applies to an incoming request by three methods, in priority order:

1. source, the source address of the request: highest priority

2. interface, the network interface the request arrived on: second priority

3. the default zone configured in firewalld.conf: lowest priority

The priority decreases in this order: if a zone is matched by source, the interface is not consulted, and the default zone is used only when neither of the first two matches.

 

Based on the level of trust the user places in the devices and traffic on the network, the firewall can divide the network into different zones. The zone types are:

    • drop
               Any incoming packets are dropped with no reply. Only outgoing network connections are possible.
    • block
                Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.
    • public
                For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
    • external
               For external networks, in particular where masquerading is enabled on the router. You cannot trust the other computers on the network
               not to harm your computer; only selected incoming connections are accepted.
    • dmz
               For computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network. Only selected incoming connections are accepted.
    • work
              For work areas. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
    • home
                  For home networks. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
    • internal
                  For internal networks. You can mostly trust the other computers on the network not to threaten your computer. Only selected incoming connections are accepted.
    • trusted
                  All network connections are accepted.


Service control commands:

Check firewall status:     systemctl status firewalld.service
                           firewall-cmd --state
                           firewall-cmd --list-all

Start the firewall:        systemctl start firewalld.service
Stop the firewall:         systemctl stop firewalld.service
Restart the firewall:      systemctl restart firewalld.service

 

 
Status queries:

Show state:                firewall-cmd --state
Show active zones:         firewall-cmd --get-active-zones
# firewall-cmd --get-active-zones
public
  interfaces: eth0

Zone settings:
Show the zone an interface belongs to:
firewall-cmd --get-zone-of-interface=eth0
Add an interface to a zone (interfaces are in public by default):
firewall-cmd --zone=public --add-interface=eth0
Set the default zone:
# firewall-cmd --set-default-zone=public   takes effect immediately, no reload needed

 

Port settings:
List all open ports:       # firewall-cmd --zone=public --list-ports
Add a port to a zone:      # firewall-cmd --zone=public --add-port=8080/tcp               runtime only, effective immediately
                           # firewall-cmd --zone=public --add-port=8080/tcp --permanent   permanent, effective after reload
                           # firewall-cmd --reload    reload the configuration (state information is kept)

Remove a port from a zone: # firewall-cmd --zone=public --remove-port=8080/tcp               runtime only, effective immediately
                           # firewall-cmd --zone=public --remove-port=8080/tcp --permanent   permanent removal, effective after reload
                           # firewall-cmd --reload    reload the configuration

 

Usage: firewall-cmd [OPTIONS...]

General Options
-h, --help Prints a short help text and exits
-V, --version Print the version string of firewalld
-q, --quiet Do not print status messages

Status Options
--state    Return and print firewalld state             firewall state
--reload  Reload firewall and keep state information      reloads the firewall rules without changing state (connection information from before the reload is kept)
--complete-reload     Reload firewall and lose state information    fully reloads the firewall (connection information from before the reload is not kept; watch out for port 22)
--runtime-to-permanent    Create permanent from runtime configuration   saves the current runtime configuration to the permanent configuration files

Permanent Options
--permanent          Set an option permanently  Usable for options marked with [P]   makes the setting permanent

Zone Options
--get-default-zone      Print default zone for connections and interfaces     show the default zone
--set-default-zone=<zone>    Set default zone                    set the default zone
--get-active-zones                  Print currently active zones    show the currently active zones
--get-zones                  Print predefined zones [P]                show all zones
--get-services              Print predefined services [P]              show all services
--get-icmptypes           Print predefined icmptypes [P]           show all ICMP types
--get-zone-of-interface=<interface>               Print name of the zone the interface is bound to [P]      show the zone of the given interface
--get-zone-of-source=<source>[/<mask>]     Print name of the zone the source[/mask] is bound to [P]  show the zone of the given source
--list-all-zones                    List everything added for or enabled in all zones [P]     show the details of all zones
--new-zone=<zone>         Add a new zone [P only]             add a zone
--delete-zone=<zone>     Delete an existing zone [P only]   delete a zone
--zone=<zone>         Use this zone to set or query options, else default zone   Usable for options marked with [Z]
                                  set or query the given zone; if omitted, the default zone is used

--get-target               Get the zone target [P] [Z]
--set-target=<target>     Set the zone target [P] [Z]

IcmpType Options
--new-icmptype=<icmptype>          Add a new icmptype [P only]               add an ICMP type
--delete-icmptype=<icmptype>      Delete an existing icmptype [P only]   delete an ICMP type

Service Options
--new-service=<service>         Add a new service [P only]                 add a service
--delete-service=<service>     Delete an existing service [P only]     delete a service

 

Options to Adapt and Query Zones
--list-all               List everything added for or enabled in a zone [P] [Z]         show everything configured for the zone (the default zone if none is given)
--list-services    List services added for a zone [P] [Z]                                    show the services added to the zone
--timeout=<timeval>         Enable an option for timeval time, where timeval is       timeout option; the unit may be s, m or h (seconds, minutes, hours)
                                           a number followed by one of letters 's' or 'm' or 'h'
                                           Usable for options marked with [T]


--add-service=<service>         Add a service for a zone [P] [Z] [T]         add a service to a zone
--remove-service=<service>   Remove a service from a zone [P] [Z]     remove a service from a zone
--query-service=<service>      Return whether service has been added for a zone [P] [Z]     check whether a service has been added to the zone


--list-ports List ports added for a zone [P] [Z]          list the ports added to the zone
--add-port=<portid>[-<portid>]/<protocol>   Add the port for a zone [P] [Z] [T]     add a port to the zone, given as port/protocol
--remove-port=<portid>[-<portid>]/<protocol>   Remove the port from a zone [P] [Z]    remove a port from the zone, given as port/protocol
--query-port=<portid>[-<portid>]/<protocol>      Return whether the port has been added for zone [P] [Z]   check whether a port has been added to the zone


--list-icmp-blocks        List Internet ICMP type blocks added for a zone [P] [Z]  list the ICMP blocks in the zone
--add-icmp-block=<icmptype>      Add an ICMP block for a zone [P] [Z] [T]       add an ICMP block to the zone
--remove-icmp-block=<icmptype>      Remove the ICMP block from a zone [P] [Z]    remove an ICMP block from the zone
--query-icmp-block=<icmptype>       Return whether an ICMP block has been added for a zone [P] [Z]   check whether an ICMP block exists in the zone


--list-forward-ports       List IPv4 forward ports added for a zone [P] [Z]    list the port forwards in the zone
--add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Add the IPv4 forward port for a zone [P] [Z] [T]      add a port forward to the zone

Example: traffic received on port 22 is forwarded to port 3753

firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

Example: traffic received on port 22 is forwarded to port 3753 on the host 10.0.0.1

firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=10.0.0.1:toport=3753

--remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Remove the IPv4 forward port from a zone [P] [Z]  remove a port forward from the zone
--query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Return whether the IPv4 forward port has been added for a zone [P] [Z]   check whether a port forward exists in the zone

 

--add-masquerade          Enable IPv4 masquerade for a zone [P] [Z] [T]    enable IP masquerading for the zone (port forwarding relies on it)
--remove-masquerade    Disable IPv4 masquerade for a zone [P] [Z]         disable IP masquerading for the zone
--query-masquerade      Return whether IPv4 masquerading has been enabled for a zone [P] [Z]   check whether masquerading is enabled for the zone
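The forward-port procedure above, combined with the masquerade dependency, as an added shell example (not from the original post): it builds the port=...:proto=...:toport=...[:toaddr=...] spec from arguments, enables masquerade for the zone when it is off, adds the forward permanently, reloads and verifies. It assumes firewall-cmd is on PATH unless DRY_RUN is set; the zone and port values are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes firewall-cmd is on
# PATH unless DRY_RUN is set; zone and port values are illustrative.

# Build "port=<p>:proto=<proto>:toport=<p2>[:toaddr=<addr>]" from arguments.
# Usage: build_forward_spec PORT PROTO TOPORT [TOADDR]
build_forward_spec() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    case "$proto" in tcp|udp) ;; *) echo "invalid proto: $proto" >&2; return 1 ;; esac
    # Ports may be a single number or a range such as 8000-8010.
    for p in "$port" "$toport"; do
        case "$p" in ""|*[!0-9-]*) echo "invalid port: $p" >&2; return 1 ;; esac
    done
    spec="port=$port:proto=$proto:toport=$toport"
    if [ -n "$toaddr" ]; then spec="$spec:toaddr=$toaddr"; fi
    echo "$spec"
}

# Run firewall-cmd, or only print the command line when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# Enable masquerade for the zone if it is not already on (a dry run always
# shows this step), then add the forward port to the permanent configuration,
# reload so it becomes active, and confirm it is present.
apply_forward() {
    zone=$1; spec=$2
    if [ -n "$DRY_RUN" ] || ! fw --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        fw --zone="$zone" --permanent --add-masquerade || return 1
    fi
    fw --zone="$zone" --permanent --add-forward-port="$spec" || return 1
    fw --reload || return 1
    fw --zone="$zone" --query-forward-port="$spec"
}

# The post's second example, port 22 forwarded to 10.0.0.1:3753 (dry run):
# DRY_RUN=1 apply_forward public "$(build_forward_spec 22 tcp 3753 10.0.0.1)"
```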


--list-rich-rules     List rich language rules added for a zone [P] [Z]            list the rich rules in the zone
--add-rich-rule=<rule>   Add rich language rule 'rule' for a zone [P] [Z] [T]  add a rich rule to a zone

Example: allow the whole 10.0.0.x range (10.0.0.1/24) to access all ports

firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1/24 accept"

Example: allow only the address 10.0.0.1 to access port 3306

firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 port port=3306 protocol=tcp accept"

Example: reject 10.0.0.1 from accessing port 3306

firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 port port=3306 protocol=tcp reject"

Rich rule actions:
accept    allow the connection
reject    refuse the connection
drop      discard the packet
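The rich rule examples above, as an added shell example (not from the original post): a builder that composes a rule string from family, source, optional port/protocol and one of the three actions listed, rejecting anything else, plus a function that adds the rule permanently, reloads and confirms it with --query-rich-rule. It assumes firewall-cmd is on PATH unless DRY_RUN is set; addresses and ports are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes firewall-cmd is on
# PATH unless DRY_RUN is set; addresses and ports are illustrative.

# Usage: build_rich_rule FAMILY SOURCE ACTION [PORT [PROTO]]
# Without PORT the rule covers every port from SOURCE, as in the /24 example.
build_rich_rule() {
    family=$1; src=$2; action=$3; port=$4; proto=${5:-tcp}
    case "$family" in ipv4|ipv6) ;; *) echo "invalid family: $family" >&2; return 1 ;; esac
    case "$action" in accept|reject|drop) ;; *) echo "invalid action: $action" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "invalid protocol: $proto" >&2; return 1 ;; esac
    rule="rule family=$family source address=$src"
    if [ -n "$port" ]; then rule="$rule port port=$port protocol=$proto"; fi
    echo "$rule $action"
}

# Run firewall-cmd, or only print the command line when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# Add the rule to the permanent configuration, reload so it becomes active,
# then confirm it is present in the running zone.
apply_rich_rule() {
    zone=$1; rule=$2
    fw --zone="$zone" --permanent --add-rich-rule="$rule" || return 1
    fw --reload || return 1
    fw --zone="$zone" --query-rich-rule="$rule"
}

# The post's second example, only 10.0.0.1 may reach 3306/tcp (dry run):
# DRY_RUN=1 apply_rich_rule public "$(build_rich_rule ipv4 10.0.0.1 accept 3306)"
```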

--remove-rich-rule=<rule>   Remove rich language rule 'rule' from a zone [P] [Z]
--query-rich-rule=<rule>    Return whether a rich language rule 'rule' has been  added for a zone [P] [Z]

 

Options to Handle Bindings of Interfaces
--list-interfaces List interfaces that are bound to a zone [P] [Z]           list the interfaces bound to the zone
--add-interface=<interface>   Bind the <interface> to a zone [P] [Z]    bind an interface to the zone
--change-interface=<interface>   Change zone the <interface> is bound to [Z]     change the zone an interface is bound to
--query-interface=<interface>    Query whether <interface> is bound to a zone [P] [Z]     check whether an interface is bound to the zone
--remove-interface=<interface>  Remove binding of <interface> from a zone [P] [Z]        remove an interface binding from the zone

Options to Handle Bindings of Sources
--list-sources List sources that are bound to a zone [P] [Z]
--add-source=<source>[/<mask>]   Bind <source>[/<mask>] to a zone [P] [Z]
--change-source=<source>[/<mask>]   Change zone the <source>[/<mask>] is bound to [Z]
--query-source=<source>[/<mask>]   Query whether <source>[/<mask>] is bound to a zone  [P] [Z]
--remove-source=<source>[/<mask>]   Remove binding of <source>[/<mask>] from a zone [P] [Z]

Direct Options
--direct First option for all direct options
--get-all-chains  Get all chains [P]
--get-chains {ipv4|ipv6|eb} <table>   Get all chains added to the table [P]
--add-chain {ipv4|ipv6|eb} <table> <chain>   Add a new chain to the table [P]
--remove-chain {ipv4|ipv6|eb} <table> <chain>   Remove the chain from the table [P]
--query-chain {ipv4|ipv6|eb} <table> <chain>   Return whether the chain has been added to the table [P]
--get-all-rules   Get all rules [P]
--get-rules {ipv4|ipv6|eb} <table> <chain>   Get all rules added to chain in table [P]
--add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...   Add rule to chain in table [P]
--remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...   Remove rule with priority from chain in table [P]
--remove-rules {ipv4|ipv6|eb} <table> <chain>   Remove rules from chain in table [P]
--query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...   Return whether a rule with priority has been added to chain in table [P]
--passthrough {ipv4|ipv6|eb} <arg>...   Pass a command through (untracked by firewalld)
--get-all-passthroughs   Get all tracked passthrough rules [P]
--get-passthroughs {ipv4|ipv6|eb} <arg>...   Get tracked passthrough rules [P]
--add-passthrough {ipv4|ipv6|eb} <arg>...   Add a new tracked passthrough rule [P]
--remove-passthrough {ipv4|ipv6|eb} <arg>...  Remove a tracked passthrough rule [P]
--query-passthrough {ipv4|ipv6|eb} <arg>...   Return whether the tracked passthrough rule has been added [P]

Lockdown Options
--lockdown-on Enable lockdown.
--lockdown-off Disable lockdown.
--query-lockdown Query whether lockdown is enabled

Lockdown Whitelist Options
--list-lockdown-whitelist-commands  List all command lines that are on the whitelist [P]
--add-lockdown-whitelist-command=<command>   Add the command to the whitelist [P]
--remove-lockdown-whitelist-command=<command>   Remove the command from the whitelist [P]
--query-lockdown-whitelist-command=<command>   Query whether the command is on the whitelist [P]
--list-lockdown-whitelist-contexts   List all contexts that are on the whitelist [P]
--add-lockdown-whitelist-context=<context>   Add the context context to the whitelist [P]
--remove-lockdown-whitelist-context=<context>   Remove the context from the whitelist [P]
--query-lockdown-whitelist-context=<context>    Query whether the context is on the whitelist [P]
--list-lockdown-whitelist-uids    List all user ids that are on the whitelist [P]
--add-lockdown-whitelist-uid=<uid>   Add the user id uid to the whitelist [P]
--remove-lockdown-whitelist-uid=<uid>    Remove the user id uid from the whitelist [P]
--query-lockdown-whitelist-uid=<uid>    Query whether the user id uid is on the whitelist [P]
--list-lockdown-whitelist-users    List all user names that are on the whitelist [P]
--add-lockdown-whitelist-user=<user>    Add the user name user to the whitelist [P]
--remove-lockdown-whitelist-user=<user>    Remove the user name user from the whitelist [P]
--query-lockdown-whitelist-user=<user>   Query whether the user name user is on the whitelist [P]

Panic Options
--panic-on Enable panic mode
--panic-off Disable panic mode
--query-panic Query whether panic mode is enabled
