CentOS 7中firewall防火牆詳解和配置以及切換爲iptables防火牆

官方文檔介紹地址：

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld1

1、firewall介紹

CentOS 7中防火牆是一個很是的強大的功能，在CentOS 6.5中在iptables防火牆中進行了升級了。

一、官方介紹

The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network 「zones」 to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.

二、什麼是區域Zone：

網絡區域定義了網絡鏈接的可信等級。這是一個 一對多的關係，這意味着一次鏈接能夠僅僅是一個區域的一部分，而一個區域能夠用於不少鏈接。

三、哪一個區域可用?

由firewalld 提供的區域按照從不信任到信任的順序排序。

四、區域的分類?

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.

The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:

drop 
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block 
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

public 
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

external 
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

dmz 
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

work 
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home 
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal 
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted 
All network connections are accepted. 
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.

注：具體內容，請參見官方文檔介紹！

2、firewall配置

The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/.

This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations and so on.

注意：如下firewalld 的操做只有重啓以後纔有效：service firewalld restart 重啓

一、系統配置目錄

/usr/lib/firewalld/services

目錄中存放定義好的網絡服務和端口參數，系統參數，不能修改。

二、用戶配置目錄

/etc/firewalld/

三、如何自定義添加端口

用戶能夠經過修改配置文件的方式添加端口，也能夠經過命令的方式添加端口，注意，修改的內容會在/etc/firewalld/ 目錄下的配置文件中還體現。

• 3.一、命令的方式添加端口

firewall-cmd --permanent --add-port=9527/tcp 

參數介紹：

一、firewall-cmd：是Linux提供的操做firewall的一個工具； 二、--permanent：表示設置爲持久； 三、--add-port：標識添加的端口；

另外，firewall中有Zone的概念，能夠將具體的端口制定到具體的zone配置文件中。

例如：添加8010端口

firewall-cmd --zone=public --permanent --add-port=8010/tcp

--zone=public：指定的zone爲public；

添加結果以下：

若是–zone=dmz 這樣設置的話，會在dmz.xml文件中新增一條。

• 3.二、修改配置文件的方式添加端口

<?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas.</description> <rule family="ipv4"> <source address="122.10.70.234"/> <port protocol="udp" port="514"/> <accept/> </rule> <rule family="ipv4"> <source address="123.60.255.14"/> <port protocol="tcp" port="10050-10051"/> <accept/> </rule> <rule family="ipv4"> <source address="192.249.87.114"/> 放通指定ip，指定端口、協議 <port protocol="tcp" port="80"/> <accept/> </rule> <rule family="ipv4"> 放通任意ip訪問服務器的9527端口 <port protocol="tcp" port="9527"/> <accept/> </rule> </zone>

 

 

上述的一個配置文件能夠很好的看出：

一、添加須要的規則，開放通源ip爲122.10.70.234，端口514，協議tcp；
二、開放通源ip爲123.60.255.14，端口10050-10051，協議tcp；/三、開放通源ip爲任意，端口9527，協議tcp；

3、firewall經常使用命令

一、重啓、關閉、開啓firewalld.service服務

1、firewalld的基本使用
啓動： systemctl start firewalld
查看狀態： systemctl status firewalld 
中止： systemctl disable firewalld
禁用： systemctl stop firewalld
 
2.systemctl是CentOS7的服務管理工具中主要的工具，它融合以前service和chkconfig的功能於一體。
啓動一個服務：systemctl start firewalld.service
關閉一個服務：systemctl stop firewalld.service
重啓一個服務：systemctl restart firewalld.service
顯示一個服務的狀態：systemctl status firewalld.service
在開機時啓用一個服務：systemctl enable firewalld.service
在開機時禁用一個服務：systemctl disable firewalld.service
查看服務是否開機啓動：systemctl is-enabled firewalld.service
查看已啓動的服務列表：systemctl list-unit-files|grep enabled
查看啓動失敗的服務列表：systemctl --failed

3.配置firewalld-cmd

查看版本： firewall-cmd --version
查看幫助： firewall-cmd --help
顯示狀態： firewall-cmd --state
查看全部打開的端口： firewall-cmd --zone=public --list-ports
更新防火牆規則： firewall-cmd --reload
查看區域信息:  firewall-cmd --get-active-zones
查看指定接口所屬區域： firewall-cmd --get-zone-of-interface=eth0
拒絕全部包：firewall-cmd --panic-on
取消拒絕狀態： firewall-cmd --panic-off
查看是否拒絕： firewall-cmd --query-panic
 
那怎麼開啓一個端口呢
添加
firewall-cmd --zone=public --add-port=80/tcp --permanent    （--permanent永久生效，沒有此參數重啓後失效）
從新載入
firewall-cmd --reload
查看
firewall-cmd --zone= public --query-port=80/tcp
刪除
firewall-cmd --zone= public --remove-port=80/tcp --permanent

二、查看firewall服務狀態

systemctl status firewall

三、查看firewall的狀態

firewall-cmd --state

四、查看防火牆規則

firewall-cmd --list-all 

4、CentOS切換爲iptables防火牆

切換到iptables首先應該關掉默認的firewalld，而後安裝iptables服務。

一、關閉firewall：

service firewalld stop systemctl disable firewalld.service #禁止firewall開機啓動

二、安裝iptables防火牆

yum install iptables-services #安裝

三、編輯iptables防火牆配置

vi /etc/sysconfig/iptables #編輯防火牆配置文件

下邊是一個完整的配置文件：

Firewall configuration written by system-config-firewall

Manual customization of this file is not recommended.

*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT

:wq! #保存退出

service iptables start #開啓 systemctl enable iptables.service #設置防火牆開機啓動