
The relationship between firewalld and iptables, and firewalld's configuration model

18-02-24

The relationship between firewalld and iptables

firewalld does not filter packets itself. Like iptables, it relies on the kernel's netfilter framework: both firewalld and iptables are tools for maintaining the rule set, and it is netfilter inside the kernel that actually enforces the rules. The two differ only in how they structure the rules and in how they are operated.

FirewallD is the firewall management tool available by default on CentOS 7 servers. It is essentially a front end to iptables, with a graphical tool, firewall-config, and a command-line tool, firewall-cmd. With the iptables service, every change requires flushing the old rules and reloading the complete set from /etc/sysconfig/iptables, whereas firewalld applies only the parts that changed. Because both programs write to the same netfilter tables, run one or the other, never both at once: if you want the iptables service, stop and disable firewalld first, and vice versa.

firewalld's configuration model

firewalld's configuration files are XML (the main configuration file, firewalld.conf, is the exception). They are kept in two places:

1. /etc/firewalld/ : user configuration, the files you create or edit

2. /usr/lib/firewalld/ : system configuration, the predefined files shipped with the package

A file under /etc/firewalld/ with the same name as a predefined file takes precedence over it. Customize by copying a predefined file into /etc/firewalld/ and editing the copy; files under /usr/lib/firewalld/ are overwritten by package updates.

Each zone is a set of rules. With so many zones, which one handles a given incoming request? This question is central: until it is understood, everything else is built on sand, because however well the rules are written they are useless if you do not know where and how they are applied.

firewalld decides which zone handles an incoming request by three methods, listed here in order of precedence:

1. source: the source address of the packet (highest precedence)

2. interface: the network interface the request arrived on (second)

3. the default zone configured in firewalld.conf (lowest)

Precedence decreases in that order: if a source binding matches, the interface is not consulted at all; the interface binding is used only when no source matches; and the default zone from firewalld.conf, covered earlier, applies only when neither of the first two produces a match.
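The precedence just described, written out as a small Python model. This is an added illustration, not firewalld's own code: the zone bindings, interface names and addresses below are constructed sample data standing in for what `firewall-cmd --list-all-zones` would report on a real host, and the resolver applies the three steps in the order the text gives (source binding, then interface binding, then the default zone).

```python
"""Model of how firewalld chooses the zone for an incoming packet.

Added illustration, not firewalld's own code.  Bindings are constructed
sample data (a hypothetical host); precedence is source, then interface,
then the DefaultZone from firewalld.conf.
"""
import ipaddress

# Constructed sample bindings: zone -> networks added with --add-source.
SOURCE_BINDINGS = {
    "trusted": ["10.0.0.0/8"],
    "drop": ["203.0.113.0/24"],
}
# Constructed sample bindings: zone -> interfaces added with --add-interface.
INTERFACE_BINDINGS = {
    "internal": ["eth1"],
    "dmz": ["eth2"],
}
DEFAULT_ZONE = "public"   # DefaultZone= in /etc/firewalld/firewalld.conf


def zone_for_source(addr, bindings=SOURCE_BINDINGS):
    """Return the zone whose source binding contains addr, or None.

    A source may be bound to only one zone, but overlapping prefixes can be
    bound to different zones, so prefer the most specific matching prefix.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for zone, nets in bindings.items():
        for net in nets:
            network = ipaddress.ip_network(net, strict=False)
            if ip.version == network.version and ip in network:
                if best is None or network.prefixlen > best[1]:
                    best = (zone, network.prefixlen)
    return best[0] if best else None


def zone_for_interface(iface, bindings=INTERFACE_BINDINGS):
    """Return the zone the receiving interface is bound to, or None."""
    for zone, ifaces in bindings.items():
        if iface in ifaces:
            return zone
    return None


def resolve_zone(src_addr, iface, default_zone=DEFAULT_ZONE):
    """Apply firewalld's precedence; return (zone, reason)."""
    zone = zone_for_source(src_addr)
    if zone is not None:
        return zone, "source"        # source binding wins outright
    zone = zone_for_interface(iface)
    if zone is not None:
        return zone, "interface"     # no source matched, interface decides
    return default_zone, "default"   # neither matched: firewalld.conf default


if __name__ == "__main__":
    for src, iface in [("10.1.2.3", "eth2"), ("192.0.2.7", "eth1"),
                       ("192.0.2.7", "eth0"), ("203.0.113.9", "eth1")]:
        zone, why = resolve_zone(src, iface)
        print(f"{src:>14} via {iface}: zone={zone} (matched by {why})")
```

The first sample line is the case worth remembering: a packet from 10.1.2.3 arriving on eth2 lands in trusted, not in dmz, because the source binding is consulted before the interface the packet came in on.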

FirewallD works in terms of services and zones rather than the individual rules and chains of iptables.

(1) firewalld zones:

By default the following zones are available:

drop: all incoming packets are dropped with no reply; only outgoing connections are possible.

block: all incoming packets are rejected with an ICMP host-prohibited message; only outgoing connections are possible.

public: for use in public areas; only selected incoming connections are accepted.

external: for external networks with masquerading enabled; only selected incoming connections are accepted.

dmz: for computers in a demilitarized zone that are publicly reachable but have limited access to the internal network; only selected incoming connections are accepted.

work: for computers in your work area; only selected incoming connections are accepted.

home: for computers in your home area; only selected incoming connections are accepted.

internal: for computers on your internal network; only selected incoming connections are accepted.

trusted: all network connections are accepted.

To list all available zones, run:

# firewall-cmd --get-zones

work drop internal external trusted home dmz public block

List the default zone:

# firewall-cmd --get-default-zone

public

Change the default zone:

# firewall-cmd --set-default-zone=dmz

# firewall-cmd --get-default-zone

dmz

(2) firewalld services:

FirewallD services are defined in XML files, each recording the ports and protocols that make up one service.

List all available services:

# firewall-cmd --get-services

amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

The XML files are stored in /usr/lib/firewalld/services/ (predefined) and /etc/firewalld/services/ (user-defined, including any predefined service you copy there and modify).
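How those files fit together, as an added Python example (not firewalld's code): it reads service and zone definitions in the real XML format, applies the rule that a file in /etc/firewalld shadows the predefined one of the same name, and expands a zone's `<service name="..."/>` entries into the ports they actually open. So that it runs offline, the two directories are stood in for by constructed in-memory XML strings; the service names, ports and the moved-ssh override are sample data, and dhcpv6-client is deliberately left undefined to show how an unresolved predefined service surfaces.

```python
"""Resolve firewalld zone and service XML the way the daemon layers them.

Added example, not firewalld's own code.  firewalld keeps predefined files in
/usr/lib/firewalld/{zones,services}/ and user copies in /etc/firewalld/...; a
file in /etc/firewalld shadows the predefined one with the same name.  The
dictionaries below are constructed stand-ins for those directories.
"""
import xml.etree.ElementTree as ET

SYSTEM_SERVICES = {   # /usr/lib/firewalld/services/<name>.xml (constructed)
    "ssh": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell</description>
  <port protocol="tcp" port="22"/>
</service>""",
    "http": """<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>""",
}
USER_SERVICES = {     # /etc/firewalld/services/<name>.xml: sshd moved to 2222
    "ssh": """<service><short>SSH</short><port protocol="tcp" port="2222"/></service>""",
}
SYSTEM_ZONES = {      # /usr/lib/firewalld/zones/public.xml (constructed)
    "public": """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>""",
}
USER_ZONES = {        # /etc/firewalld/zones/public.xml after some --permanent edits
    "public": """<zone>
  <short>Public</short>
  <interface name="eth0"/>
  <source address="192.0.2.0/24"/>
  <service name="ssh"/>
  <service name="http"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="10.0.0.0/8"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>""",
}


def effective(name, user_dir, system_dir):
    """Return (xml, origin) for the definition firewalld would load."""
    if name in user_dir:
        return user_dir[name], "/etc/firewalld"
    if name in system_dir:
        return system_dir[name], "/usr/lib/firewalld"
    raise KeyError(f"no definition for {name!r}")


def service_ports(name):
    """(port, protocol) pairs opened by a service, honouring the user override."""
    xml, _ = effective(name, USER_SERVICES, SYSTEM_SERVICES)
    root = ET.fromstring(xml.encode())
    return [(p.get("port"), p.get("protocol")) for p in root.findall("port")]


def zone_summary(name):
    """Flatten a zone: bindings, services expanded to ports, rich-rule count."""
    xml, origin = effective(name, USER_ZONES, SYSTEM_ZONES)
    root = ET.fromstring(xml.encode())
    summary = {
        "origin": origin,
        "interfaces": [i.get("name") for i in root.findall("interface")],
        "sources": [s.get("address") for s in root.findall("source")],
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "rich_rules": len(root.findall("rule")),
        "unresolved_services": [],
    }
    opened = set(summary["ports"])
    for svc in summary["services"]:
        try:
            opened.update(service_ports(svc))
        except KeyError:           # predefined service absent from our sample set
            summary["unresolved_services"].append(svc)
    summary["opened"] = sorted(opened, key=lambda pp: (pp[1], int(pp[0].split("-")[0])))
    return summary


if __name__ == "__main__":
    s = zone_summary("public")
    print(f"zone public loaded from {s['origin']}; interfaces={s['interfaces']} sources={s['sources']}")
    for port, proto in s["opened"]:
        print(f"  open {port}/{proto}")
    print("services without a definition here:", s["unresolved_services"])
```

The point to take from the output is that "ssh" in the public zone means 2222/tcp, not 22/tcp, because the user copy of the service file wins; the same shadowing applies to the zone file itself, which is why the summary reports its origin as /etc/firewalld.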

(3) Installing firewalld; starting, stopping and disabling it:

Install, as root: # yum install firewalld

Start: # systemctl start firewalld

Check status: # systemctl status firewalld, or firewall-cmd --state

Stop: # systemctl stop firewalld

Disable (do not start at boot): # systemctl disable firewalld

Configuring firewalld

Show the version: $ firewall-cmd --version

Show help: $ firewall-cmd --help

Inspecting the configuration:

Show state: $ firewall-cmd --state

Show the active zones (those with an interface or source bound to them): $ firewall-cmd --get-active-zones

Show the zone an interface belongs to: $ firewall-cmd --get-zone-of-interface=eth0

Drop all packets (panic mode): # firewall-cmd --panic-on. Panic mode drops all incoming and outgoing packets and lets existing connections expire, so never enable it over a remote session you depend on.

Leave panic mode: # firewall-cmd --panic-off

Check whether panic mode is on: $ firewall-cmd --query-panic

Reload the firewall rules:

# firewall-cmd --reload

# firewall-cmd --complete-reload

The difference: --reload re-reads the permanent configuration while keeping state information, so established connections survive; this dynamic rule handling is one of firewalld's defining features. --complete-reload also discards connection-tracking state, so existing connections are cut, much like restarting the service; use it only when a plain --reload leaves the firewall in a bad state.

Bind an interface to a zone. Interfaces with no explicit binding are handled by the default zone, which is public unless you change it:

# firewall-cmd --zone=public --add-interface=eth0

Add --permanent to make the binding persist, then reload the firewall. If the interface is already bound to another zone, --add-interface fails; use --change-interface=eth0 to move it.

Set the default zone:

# firewall-cmd --set-default-zone=public

This takes effect immediately and is also written to firewalld.conf, so no reload is needed.

Opening ports (probably the most common operation)

List the ports opened in a zone:

# firewall-cmd --zone=dmz --list-ports

Open a port in a zone:

# firewall-cmd --zone=dmz --add-port=8080/tcp

To make it permanent, add --permanent and reload, as above. Note that --permanent by itself edits only the saved configuration and changes nothing in the running firewall until the next reload; either run the command twice, once with and once without --permanent, or make the runtime change and then save it with firewall-cmd --runtime-to-permanent.

Open a service. A service is a named bundle of ports and protocols, which reads better than raw port numbers. Anything not predefined needs a service definition under /etc/firewalld/services/; the file format is not covered here, see the documentation.

# firewall-cmd --zone=work --add-service=smtp

Remove a service:

# firewall-cmd --zone=work --remove-service=smtp
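The runtime-versus-permanent behaviour behind the "add --permanent, then reload" advice, as an added model in Python (not firewalld's code). The Zone class keeps two port sets, the live one netfilter enforces and the saved one the zone XML holds, and its methods mimic what --add-port, --permanent, --reload and --runtime-to-permanent do to them; the zone name and ports are constructed sample data. The walkthrough replays the two classic mistakes and the sequence that works.

```python
"""Runtime vs. permanent configuration in firewalld, as a small model.

Added example, not firewalld's own code.  `runtime` is what netfilter
enforces right now; `permanent` is what /etc/firewalld/zones/<name>.xml says
and what every --reload restores.  Zone name and ports are constructed.
"""


class Zone:
    def __init__(self, name, permanent_ports=()):
        self.name = name
        self.permanent = set(permanent_ports)   # saved zone file
        self.runtime = set(permanent_ports)     # loaded into netfilter at start

    def add_port(self, port, permanent=False):
        """firewall-cmd --zone=<name> --add-port=<port> [--permanent]"""
        (self.permanent if permanent else self.runtime).add(port)

    def remove_port(self, port, permanent=False):
        """firewall-cmd --zone=<name> --remove-port=<port> [--permanent]"""
        (self.permanent if permanent else self.runtime).discard(port)

    def reload(self):
        """firewall-cmd --reload: runtime is rebuilt from the permanent files."""
        self.runtime = set(self.permanent)

    def runtime_to_permanent(self):
        """firewall-cmd --runtime-to-permanent: save the live rules to disk."""
        self.permanent = set(self.runtime)

    def list_ports(self, permanent=False):
        """firewall-cmd --zone=<name> --list-ports [--permanent]"""
        return sorted(self.permanent if permanent else self.runtime)

    def is_open(self, port):
        """Packets are checked only against the runtime set."""
        return port in self.runtime


def walkthrough():
    """Replay two common mistakes and the correct sequence; return what happened."""
    dmz = Zone("dmz")
    result = {}

    # Mistake 1: runtime-only change, then someone reloads.
    dmz.add_port("8080/tcp")
    result["8080 open before reload"] = dmz.is_open("8080/tcp")
    dmz.reload()
    result["8080 open after reload"] = dmz.is_open("8080/tcp")   # gone

    # Mistake 2: --permanent only, no reload.
    dmz.add_port("8443/tcp", permanent=True)
    result["8443 open with --permanent only"] = dmz.is_open("8443/tcp")   # not yet
    dmz.reload()
    result["8443 open after reload"] = dmz.is_open("8443/tcp")

    # Correct: open it now, then persist exactly what is live.
    dmz.add_port("9000/tcp")
    dmz.runtime_to_permanent()
    dmz.reload()
    result["9000 open after save and reload"] = dmz.is_open("9000/tcp")
    result["permanent ports"] = dmz.list_ports(permanent=True)
    return result


if __name__ == "__main__":
    for label, value in walkthrough().items():
        print(f"{label}: {value}")
```

Note that 8080/tcp never makes it into the permanent list: the runtime-only change was simply thrown away by the reload, which is exactly what happens on a real host when someone reboots or reloads after a quick --add-port.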

Test (with 6666/tcp opened in the zone that handles the remote host): [root@iotApp&iagri-44 ~]# echo "hello felix" | nc -l 6666

From the remote host, telnet iotApp&iagri-44 6666 returns:

Connected to iotApp&iagri-44

Escape character is '^]'.

hello felix

Connection closed by foreign host.

The format or structure of the rich rule commands is as follows:

rule [family="rule family"]

[ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]

[ destination [NOT] address="address" ]

[ element ]

[ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]

[ audit ]

[ action ]

Elements:

The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block, forward-port, and source-port.

service name=service_name

port port=number_or_range protocol=protocol

protocol value=protocol_name_or_ID

icmp-block name=icmptype_name

forward-port port=number_or_range protocol=protocol to-port=number_or_range to-addr=address

source-port port=number_or_range protocol=protocol

log [prefix=prefix text] [level=log level] limit value=rate/duration

action:

accept | reject [type=reject type] | drop | mark set="mark[/mask]"

Rich rule log command, example 3:

rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

Rich rule log command, example 4:

rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject

rule family="ipv6" service name="radius" accept

[root@iotApp&iagri-44 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/16 accept' --permanent

This adds to the default zone's permanent configuration an accept for sources in 0.0.0.0/16, that is 0.0.0.0 through 0.0.255.255. If the intent was "any IPv4 source", the prefix would be 0.0.0.0/0, which accepts everything into the zone and should not be done lightly; and, as with every --permanent change, it becomes active only after --reload.
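A parser for the rich rule grammar quoted above, as an added Python example (not firewalld's own parser). It tokenises a rule such as the two log examples and the command-line rule just shown, returns a dictionary, and enforces what the grammar states: an optional family, at most one source and one destination clause, at most one element (service, port, protocol, masquerade, icmp-block, forward-port, source-port), optional log/audit with a `limit value=` modifier, and exactly one action (accept, reject, drop, mark). It also cross-checks that an address agrees with the declared family, and requires a family whenever an address is given, as firewalld does. The sample rules fed to it at the bottom are the ones from this page.

```python
"""Parse and validate firewalld rich rules against the grammar quoted above.

Added example, not firewalld's own parser.  Structure: rule [family=..]
[source ..] [destination ..] [element] [log ..] [audit] action.
"""
import ipaddress
import re
import shlex

ELEMENTS = {"service", "port", "protocol", "masquerade", "icmp-block",
            "forward-port", "source-port"}
ACTIONS = {"accept", "reject", "drop", "mark"}
OTHER_SECTIONS = {"source", "destination", "log", "audit"}


def parse_rich_rule(text):
    """Parse one rich rule into a dict; raise ValueError on a grammar violation."""
    tokens = shlex.split(text)          # shlex strips the quotes around values
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule must start with the keyword 'rule'")
    parsed = {"rule": {}, "elements": {}, "action": None, "action_args": {}}
    section = "rule"                    # clause the next key=value belongs to
    expect_limit = False                # saw 'limit'; next token must be value=...
    for tok in tokens[1:]:
        if tok in ELEMENTS:
            if parsed["elements"]:
                raise ValueError(f"second element {tok!r}: a rule has at most one element")
            parsed["elements"][tok] = {}
            section = tok
        elif tok in ACTIONS:
            if parsed["action"] is not None:
                raise ValueError("a rule has exactly one action")
            parsed["action"] = tok
            section = tok
        elif tok in OTHER_SECTIONS:
            if tok in parsed:
                raise ValueError(f"duplicate {tok!r} clause")
            parsed[tok] = {}
            section = tok
        elif tok == "NOT" and section in ("source", "destination"):
            parsed[section]["NOT"] = True
        elif tok == "limit":
            expect_limit = True
        else:
            m = re.fullmatch(r"([\w-]+)=(.*)", tok, re.S)
            if not m:
                raise ValueError(f"unexpected token {tok!r} after {section!r}")
            key, value = m.groups()
            if expect_limit:
                if key != "value":
                    raise ValueError("'limit' must be followed by value=rate/duration")
                key, expect_limit = "limit", False
            if section in ELEMENTS:
                parsed["elements"][section][key] = value
            elif section in ACTIONS:
                parsed["action_args"][key] = value     # reject type=..., mark set=...
            else:
                parsed[section][key] = value
    if expect_limit:
        raise ValueError("dangling 'limit' without value=")
    if parsed["action"] is None:
        raise ValueError("a rule must end with an action")
    family = parsed["rule"].get("family")
    if family not in (None, "ipv4", "ipv6"):
        raise ValueError(f"unknown family {family!r}")
    # Addresses must agree with the family, and need one to be declared.
    for clause in ("source", "destination"):
        addr = parsed.get(clause, {}).get("address")
        if addr:
            if family is None:
                raise ValueError(f"{clause} address requires family=ipv4 or ipv6")
            version = ipaddress.ip_network(addr, strict=False).version
            if (family == "ipv4") != (version == 4):
                raise ValueError(f"{clause} address {addr} does not match family {family}")
    return parsed


if __name__ == "__main__":
    for rule in (
        'rule family="ipv4" source address="192.168.0.0/24" service name="tftp" '
        'log prefix="tftp" level="info" limit value="1/m" accept',
        'rule family="ipv6" source address="1:2:3:4:6::" service name="radius" '
        'log prefix="dns" level="info" limit value="3/m" reject',
        'rule family=ipv4 source address=0.0.0.0/16 accept',
    ):
        print(parse_rich_rule(rule))
```

Run against your own rules before handing them to `firewall-cmd --add-rich-rule`, the validation errors are more specific than the daemon's generic INVALID_RULE response, and the parsed dictionary makes it obvious when a rule accepts far more than intended, such as a source of 0.0.0.0/0.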

[root@iotApp&iagri-44 ~]# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exits
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Permanent Options
  --permanent          Set an option permanently
                       Usable for options marked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]
                       Print name of the zone the source[/mask] is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options marked with [Z]
  --get-target         Get the zone target [P] [Z]
  --set-target=<target>
                       Set the zone target [P] [Z]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --delete-icmptype=<icmptype>
                       Delete an existing icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --delete-service=<service>
                       Delete an existing service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options marked with [T]
  --add-service=<service>
                       Add a service for a zone [P] [Z] [T]
  --remove-service=<service>
                       Remove a service from a zone [P] [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]
                       Bind <source>[/<mask>] to a zone [P] [Z]
  --change-source=<source>[/<mask>]
                       Change zone the <source>[/<mask>] is bound to [Z]
  --query-source=<source>[/<mask>]
                       Query whether <source>[/<mask>] is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]
                       Remove binding of <source>[/<mask>] from a zone [P] [Z]

Direct Options
  --direct             First option for all direct options
  --get-all-chains     Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules      Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>...
                       Return whether a rule with priority has been added to chain in table [P]
  --passthrough {ipv4|ipv6|eb} <args>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} ...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <args>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <args>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <args>...
                       Return whether the tracked passthrough rule has been added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled
