Configuring and Using the Firewall in RHEL 7
<p>RHEL 7 replaces the old iptables front end with firewalld, so the way the firewall is operated and configured is a little different:</p><p><span><strong>Check firewall status: systemctl status firewalld</strong></span></p>
<p><span><strong>Start the firewall: systemctl start firewalld</strong></span></p>
<p><span><strong>Stop the firewall: systemctl stop firewalld</strong></span></p>
<p>Everything in the firewall is associated with one or more zones. The individual zones are described below:<br></p>
<div class="jb51code">
<table border="0" cellpadding="0" cellspacing="0">
<thead><tr><th>Zone</th><th>Description</th></tr></thead>
<tbody>
<tr><td>drop (immutable)</td><td>Deny all incoming connections, outgoing ones are accepted.</td></tr>
<tr><td>block (immutable)</td><td>Deny all incoming connections, with ICMP host prohibited messages issued.</td></tr>
<tr><td>trusted (immutable)</td><td>Allow all network connections.</td></tr>
<tr><td>public</td><td>Public areas, do not trust other computers.</td></tr>
<tr><td>external</td><td>For computers with masquerading enabled, protecting a local network.</td></tr>
<tr><td>dmz</td><td>For computers publicly accessible with restricted access.</td></tr>
<tr><td>work</td><td>For trusted work areas.</td></tr>
<tr><td>home</td><td>For trusted home network connections.</td></tr>
<tr><td>internal</td><td>For internal network, restrict incoming connections.</td></tr>
</tbody></table>
</div>
<p><strong>drop (discard)</strong><br>
Any incoming network packet is dropped without any reply. Only outgoing network connections are possible.</p>
<p><strong>block (restrict)</strong><br>
Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.</p>
<p><strong>public</strong><br>
For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.</p>
<p><strong>external</strong><br>
For use on external networks, in particular where masquerading is enabled on a router. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.</p>
<p><strong>dmz (demilitarized zone)</strong><br>
For computers in your demilitarized zone, which are publicly accessible but have only limited access to your internal network. Only selected incoming connections are accepted.</p>
<p><strong>work</strong><br>
For use in work areas. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.</p>
<p><strong>home</strong><br>
For use in home networks. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.</p>
<p><strong>internal</strong><br>
For use on internal networks. You can mostly trust the other computers on the network not to threaten your computer. Only selected incoming connections are accepted.</p>
<p><strong>trusted</strong><br>
All network connections are accepted.</p>
<p><span><strong>Some common commands for operating the firewall:</strong></span><br></p>
<p><strong>--Show the firewall state</strong><br></p>
<p># firewall-cmd --state<br>
running</p>
<p><br><strong>--List the available zones</strong><br>
# firewall-cmd --get-zones<br>
block dmz drop external home internal public trusted work</p>
<p><strong>--Get the currently active zones</strong><br>
# firewall-cmd --get-active-zones<br>
public<br>
interfaces: ens32 veth4103622</p>
<p><strong>--Get the default zone</strong><br>
# firewall-cmd --get-default-zone<br>
public</p>
<p><strong>--Get the services currently supported</strong><br>
# firewall-cmd --get-service <br>
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https</p>
<p><strong>--Check the services that will be active after the next reload (the permanent configuration)</strong><br>
# firewall-cmd --get-service --permanent<br>
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https</p>
<p><strong>--List the ports opened in zone public</strong><br>
# firewall-cmd --zone=public --list-ports</p>
<p><strong>--List the current settings of zone public</strong><br>
# firewall-cmd --zone=public --list-all<br>
public (default, active)<br>
interfaces: eno16777736<br>
sources: <br>
services: dhcpv6-client ssh<br>
ports: <br>
masquerade: no<br>
forward-ports: <br>
icmp-blocks: <br>
rich rules:<br><strong>--Open the http service in zone public (runtime only), and permanently in zone internal</strong><br>
# firewall-cmd --zone=public --add-service=http<br>
success<br>
# firewall-cmd --permanent --zone=internal --add-service=http<br>
success</p>
<p><br><strong>--Reload the configuration</strong><br>
# firewall-cmd --reload<br>
success</p>
<p><br><strong>--Open port 443/tcp in zone internal</strong><br>
# firewall-cmd --zone=internal --add-port=443/tcp<br>
success</p>
<p><br><strong>--List all services of zone internal</strong><br># firewall-cmd --zone=internal --list-services<br>
dhcpv6-client ipp-client mdns samba-client ssh</p>
<p><br><strong>Setting up a blacklist / whitelist</strong><br>
--Add the 172.28.129.0/24 network to zone trusted<br>
# firewall-cmd --permanent --zone=trusted --add-source=172.28.129.0/24<br>
success</p>
<p><br><strong>--List the whitelist (sources) of zone trusted</strong><br>
# firewall-cmd --permanent --zone=trusted --list-sources<br>
172.28.129.0/24</p>
<p><br><strong>--Active zones (before the reload)</strong><br>
# firewall-cmd --get-active-zones<br>
public<br>
interfaces: eno16777736</p>
<p><br><strong>--After adding the source to zone trusted, reload and check --get-active-zones again</strong><br>
# firewall-cmd --reload <br>
success<br>
# firewall-cmd --get-active-zones<br>
public<br>
interfaces: ens32 veth4103622<br>
trusted<br>
sources: 172.28.129.0/24</p>
<p><br><strong>--List all rules of zone drop</strong><br>
# firewall-cmd --zone=drop --list-all<br>
drop<br>
interfaces: <br>
sources: <br>
services: <br>
ports: <br>
masquerade: no<br>
forward-ports: <br>
icmp-blocks: <br>
rich rules:</p>
<p><br><strong>--Add 172.28.13.0/24 to zone drop</strong><br>
# firewall-cmd --permanent --zone=drop --add-source=172.28.13.0/24<br>
success</p>
<p><br><strong>--A reload is required after adding a permanent rule</strong><br>
# firewall-cmd --reload<br>
success</p>
<p><br>
# firewall-cmd --zone=drop --list-all<br>
drop<br>
interfaces: <br>
sources: 172.28.13.0/24<br>
services: <br>
ports: <br>
masquerade: no<br>
forward-ports: <br>
icmp-blocks: <br>
rich rules:</p>
<p><br>
# firewall-cmd --reload<br>
success</p>
<p><br><strong>--Remove 172.28.13.0/24 from zone drop</strong><br>
# firewall-cmd --permanent --zone=drop --remove-source=172.28.13.0/24<br>
success</p>
<p><br><strong>--View the rules of all zones</strong><br>
# firewall-cmd --list-all-zones</p>
<p><span><strong>A few final points:</strong></span></p>
<p>1. Very often we need to open a port or grant access to a particular IP. We must first check which zone is currently the default, and then add the port or source to that zone; only then does the change take effect for outside traffic.</p>
<p>For example, my current default zone is public and I need to open port 80 for external access, so I run the following commands:</p>
<p># firewall-cmd --zone=public --permanent --add-port=80/tcp<br>
success<br>
# firewall-cmd --reload<br>
success</p>
<p>2. Adding --permanent to a command makes the change permanent, so it is still in effect after the firewall service is restarted. Without it, the change only applies to the running configuration and is lost when the service restarts.</p>
<p>3. Every command we run is ultimately reflected in a specific configuration file, so we could also edit the corresponding configuration file directly.</p>
<p>Taking zone public as an example, the corresponding file is /etc/firewalld/zones/public.xml. After we have just added port 80, the content of public.xml is:<br></p>
<div class="jb51code">
<pre><code># cat public.xml
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;zone&gt;
  &lt;short&gt;Public&lt;/short&gt;
  &lt;description&gt;For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.&lt;/description&gt;
  &lt;service name="dhcpv6-client"/&gt;
  &lt;service name="ssh"/&gt;
  &lt;port protocol="tcp" port="80"/&gt;
&lt;/zone&gt;
</code></pre>
</div>
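<p>As an added example (not part of the original post), the following Python reads zone files with the structure shown above and reports what the permanent configuration exposes, which is a quick way to verify that a --permanent change actually landed in the file. The XML samples are constructed copies of the page's public.xml and of a trusted zone with the whitelisted source added earlier; the function names are my own.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample: /etc/firewalld/zones/public.xml after
# `firewall-cmd --zone=public --permanent --add-port=80/tcp`.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
</zone>
"""

# Constructed sample: zone trusted after
# `firewall-cmd --permanent --zone=trusted --add-source=172.28.129.0/24`.
TRUSTED_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <source address="172.28.129.0/24"/>
</zone>
"""


def parse_zone(xml_text):
    """Return the permanent exposure recorded in a firewalld zone file:
    the <service>, <port> and <source> entries, i.e. what --list-services,
    --list-ports and --list-sources report for the permanent configuration.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file: root is <%s>" % root.tag)
    return {
        "short": root.findtext("short", default=""),
        # target is absent for the normal (reject) zones, "DROP"/"ACCEPT" otherwise
        "target": root.get("target"),
        "services": [s.get("name") for s in root.findall("service")],
        "ports": ["%s/%s" % (p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "sources": [s.get("address") for s in root.findall("source")],
    }


def is_permanently_open(xml_text, wanted):
    """True if a service name or a port/protocol pair such as "80/tcp" is in
    the permanent zone configuration; False means the change exists at most
    in the runtime set and will not survive a restart of firewalld."""
    zone = parse_zone(xml_text)
    return wanted in zone["services"] or wanted in zone["ports"]
```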
<p>Once you have looked further into the structure of these configuration files you can edit them directly yourself, but remember to run --reload or restart the firewalld service after changing them.</p>