Linux Firewall - firewalld
Published: 2019-06-22


10.20 The 9 zones of firewalld

1. Start firewalld. Earlier in the course firewalld was turned off in favour of iptables; now do the reverse:

  • [ ] systemctl disable iptables
  • [ ] systemctl stop iptables
  • [ ] systemctl enable firewalld
  • [ ] systemctl start firewalld

```
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start firewalld
```

Note the third command in the captured session: it is systemctl enable iptables, which recreates the symlink the first command had just removed, so iptables.service would start again at boot. The command the checklist calls for is systemctl enable firewalld. Only one of the two services should be enabled at a time: both load their rules into the same kernel netfilter tables and will overwrite each other.

2. Run iptables -nvL: firewalld has already loaded a large set of chains and rules of its own.

3. firewalld has 9 zones by default. A zone is a rule set: a trust level together with the services, ports and sources that are allowed in. The default zone is public. In order of increasing trust the zones are drop (incoming packets dropped silently), block (incoming connections rejected with an ICMP error), public, external, dmz, work, home, internal and trusted (all incoming traffic accepted); outgoing connections are allowed in every zone.

```
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-default-zone
public
```


10.21 Zone operations in firewalld

1. firewall-cmd --set-default-zone=work // set the default zone

```
[root@localhost ~]# systemctl start firewalld   // needed on first use
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
```

2. For tab completion of firewall-cmd options, install the bash-completion package: yum install -y bash-completion (takes effect in a new shell).

3. firewall-cmd --get-zone-of-interface=ens33 // show the zone a given NIC is bound to

```
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
```

ens37 is reported as having no zone. The author's first attempt at fixing that was to give it an interface configuration file:

```
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ficfg-ens33    ifdown-bnep  ifdown-isdn    ifdown-Team      ifup-bnep  ifup-isdn   ifup-routes    ifup-wireless
ifcfg-ens33    ifdown-eth   ifdown-post    ifdown-TeamPort  ifup-eth   ifup-plip   ifup-sit       init.ipv6-global
ifcfg-ens33:0  ifdown-ib    ifdown-ppp     ifdown-tunnel    ifup-ib    ifup-plusb  ifup-Team      network-functions
ifcfg-lo       ifdown-ippp  ifdown-routes  ifup             ifup-ippp  ifup-post   ifup-TeamPort  network-functions-ipv6
ifdown         ifdown-ipv6  ifdown-sit     ifup-aliases     ifup-ipv6  ifup-ppp    ifup-tunnel
```

  • Copy the ens33 file as ens37 and edit it:

```
[root@localhost network-scripts]# cp -r ifcfg-ens33 ifcfg-ens37
[root@localhost network-scripts]# ls
ficfg-ens33    ifdown       ifdown-ipv6    ifdown-sit       ifup-aliases  ifup-ipv6   ifup-ppp       ifup-tunnel
ifcfg-ens33    ifdown-bnep  ifdown-isdn    ifdown-Team      ifup-bnep     ifup-isdn   ifup-routes    ifup-wireless
ifcfg-ens33:0  ifdown-eth   ifdown-post    ifdown-TeamPort  ifup-eth      ifup-plip   ifup-sit       init.ipv6-global
ifcfg-ens37    ifdown-ib    ifdown-ppp     ifdown-tunnel    ifup-ib       ifup-plusb  ifup-Team      network-functions
ifcfg-lo       ifdown-ippp  ifdown-routes  ifup             ifup-ippp     ifup-post   ifup-TeamPort  network-functions-ipv6
[root@localhost network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
UUID=3b000477-c3db-4855-b5ba-c73bb1546b3a
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
GATEWAY=192.168.72.2
DNS1=119.29.29.29
DNS2=8.8.8.8
```

Two things in the copied file deserve a second look. The UUID line came over from ifcfg-ens33 unchanged, and NetworkManager expects every connection profile to carry its own UUID, so delete that line or replace the value with output from uuidgen. And GATEWAY=192.168.72.2 is not inside the 192.168.100.0/24 network assigned to ens37, so it cannot be reached through this interface; together with a second DEFROUTE=yes it also competes with ens33 for the default route.
  • Restart the firewalld service and check ens37 again:

```
[root@localhost network-scripts]# systemctl restart firewalld
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
no zone
```

I have no explanation for this????

What the output means: --get-zone-of-interface reports only an explicit binding between an interface and a zone. Such a binding is created either by firewall-cmd --add-interface (step 4 below) or by NetworkManager when it brings a connection up, using the ZONE= setting of the ifcfg file, or the default zone when ZONE= is absent. firewalld itself never reads ifcfg files, so writing ifcfg-ens37 and restarting firewalld binds ens37 to nothing, and the query keeps answering no zone. Traffic on an unbound interface is nevertheless filtered, by the rules of the default zone; "no zone" does not mean unfiltered.

4. Bind a NIC to a zone: firewall-cmd --zone=dmz --add-interface=ens37

```
[root@localhost network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
```

5. Move a NIC to a different zone: firewall-cmd --zone=block --change-interface=ens37

```
[root@localhost network-scripts]# firewall-cmd --zone=block --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
```

The message says who owns the binding: because NetworkManager manages ens37, firewall-cmd hands the zone change to NetworkManager, which records it on the connection rather than firewalld applying it directly.

6. Remove a NIC from a zone: firewall-cmd --zone=block --remove-interface=ens37

```
[root@localhost network-scripts]# firewall-cmd --zone=block --remove-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
```

In this capture the query still answers block right after the removal, while --get-active-zones in step 7 no longer lists ens37 under any zone; treat --get-active-zones as the authoritative view of current bindings.

7. Show every zone that currently has interfaces bound to it, and which ones:

```
[root@localhost network-scripts]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: lo
```

During the earlier tests I kept getting errors: ens37 was not being given a zone definition. Looking at ifconfig I found the ens37 NIC had lost its address, so I set it with ifconfig ens37 192.168.100.1, then checked the link state with mii-tool ens37, then went to cd /etc/sysconfig/network-scripts, ran ls, opened the ifcfg-ens37 file and checked its contents for mistakes, and found nothing wrong.

8. service NetworkManager stop // take the interface out of NetworkManager's control (the message in step 5 shows NetworkManager owned the binding). On CentOS 7 this is the same as systemctl stop NetworkManager, and it lasts only until the next boot unless the service is also disabled.
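As an added example (not code from the original post), the following script turns steps 3 to 7 into an audit: for every interface it prints the explicit zone binding, if any, and the zone whose rules actually apply, so that "no zone" is shown for what it is, the default zone. It assumes that interface names can be read from /sys/class/net and that firewall-cmd prints "no zone" for an unbound interface, as in the captures above; FWCMD, NETDIR and the demo stand-in are names introduced here for offline testing.

```sh
#!/bin/sh
# Added example, not from the original post: list every network interface with
# its explicit zone binding (if any) and the zone that actually applies to it.
# Assumptions: interface names come from /sys/class/net (override with NETDIR)
# and firewall-cmd is on PATH (override with FWCMD, as the demo does).
set -u
FWCMD="${FWCMD:-firewall-cmd}"
NETDIR="${NETDIR:-/sys/class/net}"

# explicit_zone <iface>: the bound zone, or the empty string when there is none.
# firewall-cmd prints "no zone" and exits non-zero for an unbound interface.
explicit_zone() {
  z=$("$FWCMD" --get-zone-of-interface="$1" 2>/dev/null || true)
  case "$z" in "no zone") echo "" ;; *) echo "$z" ;; esac
}

# effective_zone <iface>: the zone whose rules apply to traffic on the interface.
effective_zone() {
  z=$(explicit_zone "$1")
  if [ -n "$z" ]; then echo "$z"; else "$FWCMD" --get-default-zone; fi
}

# audit_interfaces: one line per interface: name, explicit binding, effective zone.
audit_interfaces() {
  for dev in "$NETDIR"/*; do
    [ -e "$dev" ] || continue
    name=${dev##*/}
    ez=$(explicit_zone "$name")
    printf '%-8s explicit=%-10s effective=%s\n' "$name" "${ez:-(none)}" "$(effective_zone "$name")"
  done
}

# Constructed stand-in for firewall-cmd reproducing the state captured above:
# ens33 bound to work, lo bound to public, ens37 unbound, default zone work.
demo_fwcmd() {
  case "$1" in
    --get-default-zone)            echo work ;;
    --get-zone-of-interface=ens33) echo work ;;
    --get-zone-of-interface=lo)    echo public ;;
    --get-zone-of-interface=*)     echo "no zone"; return 2 ;;
  esac
}

# run_demo: the audit against a constructed interface list and the stand-in.
run_demo() (
  d=$(mktemp -d)
  mkdir "$d/ens33" "$d/ens37" "$d/lo"
  FWCMD=demo_fwcmd; NETDIR="$d"
  audit_interfaces
  rm -rf "$d"
)

case "${1:-}" in
  --demo) run_demo ;;          # offline: constructed data
  --live) audit_interfaces ;;  # on a firewalld host
esac
```

Run it with --demo to see the three captured interfaces resolved (ens37 shows explicit=(none) but effective=work), or with --live on the host itself.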


10.22 Service operations in firewalld

1. List every service firewalld knows about: firewall-cmd --get-services. The singular firewall-cmd --get-service works too, which the original flags as a quirk; the reason is that firewall-cmd parses its options with Python's argparse, which accepts any unambiguous prefix of an option name.

1.1 What a service is: each zone allows a different set of services, which is what distinguishes the 9 zones from one another. A service is a named description of one network service, normally its ports and protocols, optionally also the connection-tracking helper module it needs and the destination addresses it applies to, from which firewalld generates the corresponding iptables rules.

```
[root@localhost ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-services
(same list)
```

2. firewall-cmd --list-services // list the services allowed in the default zone

```
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client
```

  • List the services of a specific zone, here public, with --zone=:

```
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
```

3. Add http to the public zone: firewall-cmd --zone=public --add-service=http

3.1 Each zone has its own service list; show it with firewall-cmd --zone=public --list-service

```
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
```

4. Remove http from the public zone: firewall-cmd --zone=public --remove-service=http

```
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success
```

5. ls /usr/lib/firewalld/zones/ // zone configuration templates

Every zone has its own configuration file. The shipped defaults live under /usr/lib/firewalld/zones/ and should be left untouched; site changes belong in /etc/firewalld/zones/, where a file of the same name overrides the template.

```
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
```

6. firewall-cmd --zone=public --add-service=http --permanent // write the change to configuration; afterwards the file /etc/firewalld/zones/public.xml exists

6.1 --permanent makes the change persistent. Without it, as in step 3, the service is added to the runtime rule set only, which lives in memory and is gone after firewall-cmd --reload or a restart. With it, the change is written to /etc/firewalld/zones/public.xml but is not applied to the running firewall until firewall-cmd --reload, and a reload also discards any runtime-only changes. To make a change both live and persistent, either run the command twice, once with and once without --permanent, or make the runtime change and save it with firewall-cmd --runtime-to-permanent (newer firewalld releases).

```
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>
```
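The runtime-versus-permanent split in step 6 is where most firewalld surprises come from, so here is a check for it, added as an example and not part of the original post. It assumes only what the listings above show, that --list-services prints a zone's services on one space-separated line; FWCMD and the constructed stand-in are names introduced here so the check can be exercised without a live firewalld.

```sh
#!/bin/sh
# Added example, not from the original post: detect runtime/permanent drift in
# a zone. A service added without --permanent disappears on the next --reload;
# one added with --permanent is not live until then. Assumption: --list-services
# prints one space-separated line. FWCMD can point at the stand-in below.
set -u
FWCMD="${FWCMD:-firewall-cmd}"

# zone_services <zone> <""|--permanent>: the zone's services, one per line.
zone_services() {
  "$FWCMD" ${2:-} --zone="$1" --list-services | tr ' ' '\n' | sed '/^$/d'
}

# zone_drift <zone>: prints each service present in only one of the two views;
# returns 1 when any drift exists, 0 when runtime and permanent agree.
zone_drift() {
  rt=$(zone_services "$1" "")
  pm=$(zone_services "$1" --permanent)
  drift=0
  for s in $rt; do
    printf '%s\n' "$pm" | grep -qxF -- "$s" ||
      { echo "runtime-only:   $s  (lost on reload; keep it with --runtime-to-permanent)"; drift=1; }
  done
  for s in $pm; do
    printf '%s\n' "$rt" | grep -qxF -- "$s" ||
      { echo "permanent-only: $s  (not active until firewall-cmd --reload)"; drift=1; }
  done
  return $drift
}

# Constructed stand-in for firewall-cmd: http was added at runtime only and
# https with --permanent only, the two halves of step 6 left unreconciled.
demo_fwcmd() {
  case "$*" in
    *--permanent*) echo "ssh dhcpv6-client https" ;;
    *)             echo "ssh dhcpv6-client http" ;;
  esac
}

case "${1:-}" in
  --demo) FWCMD=demo_fwcmd; zone_drift "${2:-public}" || echo "drift in zone ${2:-public}" ;;
  "")     ;;                       # no arguments: define the functions only
  *)      zone_drift "$1" || echo "drift in zone $1" ;;
esac
```

Run it with a zone name on a firewalld host (for example public), or with --demo to see both kinds of drift reported against the constructed output; a non-zero exit makes it usable as a post-change check in a deployment script.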

7. Requirement: the FTP service listens on a custom port, 1121, and must be allowed in the work zone.

7.1 /usr/lib/firewalld/services/ holds the template configuration file for every service. Copy ftp.xml from there to the site configuration directory /etc/firewalld/services/, where it overrides the template:

```
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@localhost ~]# vi /etc/firewalld/services/ftp.xml
```

7.2 Edit ftp.xml: on the line <port protocol="tcp" port="21"/> change the port attribute from 21 to 1121. The same file loads the nf_conntrack_ftp helper, which by default inspects port 21 only; with a non-standard control port the helper needs the module option ports=1121 (set in /etc/modprobe.d/), otherwise passive data connections will not be tracked and the firewall will drop them.

7.3 Allow it in the work zone. First copy the work template to the site directory:

```
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
```

7.4 Edit work.xml, adding <service name="ftp"/> inside the <zone> element next to the existing service entries, then reload so the files are re-read:

```
[root@localhost ~]# firewall-cmd --reload
success
```

7.5 Verify that the work zone now includes ftp:

```
[root@localhost ~]# firewall-cmd --zone=work --list-service
ssh ftp dhcpv6-client
```
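Steps 7.1 to 7.5 as one script, added here as an example rather than taken from the original post. It assumes the stock layout shown above (templates under /usr/lib/firewalld, site overrides under /etc/firewalld) and that the template ftp.xml carries a single <port protocol="tcp" port="21"/> line; the function names, the --demo and --apply switches and the abbreviated XML used by the demo are introduced here. The edits copy the templates exactly as the post does, never touching /usr/lib/firewalld, and the zone edit is idempotent so re-running it does not duplicate the entry.

```sh
#!/bin/sh
# Added example, not from the original post: steps 7.1-7.5 (custom FTP port
# allowed in the work zone) as a script. The directories are parameters so the
# file edits can be exercised on a scratch copy (--demo) before touching the
# live configuration (--apply, as root).
set -eu

# customize_service <tmpl_dir> <override_dir> <service> <old_port> <new_port>
# Copies the service template into the override dir with the port rewritten.
customize_service() {
  tmpl="$1/services/$3.xml"; out="$2/services/$3.xml"
  [ -f "$tmpl" ] || { echo "no template: $tmpl" >&2; return 1; }
  mkdir -p "$2/services"
  sed "s#port=\"$4\"#port=\"$5\"#" "$tmpl" > "$out"
  grep -q "port=\"$5\"" "$out"      # fail loudly if nothing was rewritten
}

# zone_add_service <tmpl_dir> <override_dir> <zone> <service>
# Copies the zone template into the override dir unless a site copy already
# exists (never clobber earlier local edits), then adds <service name=".."/>
# before </zone>, skipping the insert when the entry is already present.
zone_add_service() {
  out="$2/zones/$3.xml"
  mkdir -p "$2/zones"
  [ -f "$out" ] || cp "$1/zones/$3.xml" "$out"
  grep -q "<service name=\"$4\"/>" "$out" && return 0
  awk -v svc="$4" '/<\/zone>/ { print "  <service name=\"" svc "\"/>" } { print }' \
      "$out" > "$out.tmp" && mv "$out.tmp" "$out"
}

# service_ports <file> / zone_services <file>: what the edited XML now says.
service_ports() { sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\1\/\2/p' "$1"; }
zone_services() { sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"; }

# run_demo: constructed, abbreviated copies of the stock ftp.xml and work.xml
# in a scratch directory; prints the resulting ftp port and work services.
run_demo() (
  t=$(mktemp -d)
  mkdir -p "$t/lib/services" "$t/lib/zones"
  printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
    '  <short>FTP</short>' '  <port protocol="tcp" port="21"/>' \
    '  <module name="nf_conntrack_ftp"/>' '</service>' > "$t/lib/services/ftp.xml"
  printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<zone>' \
    '  <short>Work</short>' '  <service name="ssh"/>' \
    '  <service name="dhcpv6-client"/>' '</zone>' > "$t/lib/zones/work.xml"
  customize_service "$t/lib" "$t/etc" ftp 21 1121
  zone_add_service "$t/lib" "$t/etc" work ftp
  zone_add_service "$t/lib" "$t/etc" work ftp   # second call must be a no-op
  service_ports "$t/etc/services/ftp.xml"
  zone_services "$t/etc/zones/work.xml"
  rm -rf "$t"
)

case "${1:-}" in
  --demo)  run_demo ;;
  --apply) customize_service /usr/lib/firewalld /etc/firewalld ftp 21 1121
           zone_add_service  /usr/lib/firewalld /etc/firewalld work ftp
           firewall-cmd --reload
           firewall-cmd --zone=work --list-services ;;
esac
```

Run with --demo to see the edits on scratch copies (it prints tcp/1121 followed by ssh, dhcpv6-client, ftp), with --apply as root to perform them and reload. The same result can be reached without editing XML by hand on firewalld 0.4 and newer: firewall-cmd --permanent --service=ftp --remove-port=21/tcp --add-port=1121/tcp, then firewall-cmd --permanent --zone=work --add-service=ftp, then firewall-cmd --reload; firewalld writes the override files under /etc/firewalld for you. The nf_conntrack_ftp ports= option from step 7.2 is needed either way.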

Reposted from: https://my.oschina.net/u/3960917/blog/2870229
