Using firewalld on CentOS 7

Check the firewall status

[root@MyCloudServer ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2017-04-25 13:27:30 CST; 10min ago
 Main PID: 584 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─584 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 25 13:27:30 MyCloudServer systemd[1]: Started firewalld - dynamic firewall daemon.

Or:

[root@MyCloudServer ~]# firewall-cmd  --state
running

Check the version

[root@MyCloudServer ~]# firewall-cmd --version
0.3.9    

Stop the firewall

[root@MyCloudServer ~]# systemctl stop firewalld

Add a port

[root@MyCloudServer ~]# firewall-cmd --zone=public --add-port=65422/tcp --permanent
success
--permanent makes the change permanent; --zone=public specifies the zone; --add-port adds the port.

After adding it, reload:

[root@MyCloudServer ~]# firewall-cmd --reload

Then check:

[root@MyCloudServer ~]# firewall-cmd --zone=public --list-ports
65422/tcp

Remove a port

[root@MyCloudServer ~]# firewall-cmd --permanent --remove-port=80/tcp
success

Because --permanent only writes the saved configuration, the running firewall still lists 80/tcp until a reload:

[root@MyCloudServer ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 65422/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@MyCloudServer ~]# firewall-cmd --reload
success
[root@MyCloudServer ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 65422/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

View zone information

1. Set the default zone

firewall-cmd --set-default-zone=public

2. List the supported zones

[root@MyCloudServer ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

firewalld has 8 zones by default:

  • drop: drops all incoming packets by default
  • block: rejects all external connections; allows connections initiated from inside
  • public: specified external connections may come in
  • external: same as above, for masqueraded incoming connections; generally used for routing/forwarding
  • dmz: like a hardware firewall DMZ; restricted public connections may come in
  • work: work zone, same concept as a workgroup; specified external connections are allowed
  • home: similar to a home group
  • internal: trusts all connections

3. Get the active zones

[root@MyCloudServer ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0

Filter rules

  • source: filter by source address
  • interface: filter by network interface
  • service: filter by service name
  • port: filter by port
  • icmp-block: ICMP packet filtering, configured by ICMP type
  • masquerade: IP address masquerading
  • forward-port: port forwarding
  • rule: custom rules

The precedence of these filter rules follows this order:

  • source
  • interface
  • firewalld.conf

List the supported services

[root@MyCloudServer ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

The system configuration files are all under /usr/lib/firewalld/:

[root@hk-server ~]# cd /usr/lib/firewalld/
[root@hk-server firewalld]# ls
icmptypes  services  zones
[root@hk-server firewalld]# cd zones/
[root@hk-server zones]# ls
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
[root@hk-server zones]# cd ..
[root@hk-server firewalld]# ls
icmptypes  services  zones
[root@hk-server firewalld]# cd services/
[root@hk-server services]# ls
amanda-client.xml      http.xml         libvirt.xml  pmwebapis.xml       smtp.xml
bacula-client.xml      imaps.xml        mdns.xml     pmwebapi.xml        ssh.xml
bacula.xml             ipp-client.xml   mountd.xml   pop3s.xml           telnet.xml
dhcpv6-client.xml      ipp.xml          ms-wbt.xml   postgresql.xml      tftp-client.xml
dhcpv6.xml             ipsec.xml        mysql.xml    proxy-dhcp.xml      tftp.xml
dhcp.xml               kerberos.xml     nfs.xml      radius.xml          transmission-client.xml
dns.xml                kpasswd.xml      ntp.xml      RH-Satellite-6.xml  vnc-server.xml
ftp.xml                ldaps.xml        openvpn.xml  rpc-bind.xml        wbem-https.xml
high-availability.xml  ldap.xml         pmcd.xml     samba-client.xml
https.xml              libvirt-tls.xml  pmproxy.xml  samba.xml
[root@hk-server services]# cd ..
[root@hk-server firewalld]# ls
icmptypes  services  zones
[root@hk-server firewalld]# cd icmptypes/
[root@hk-server icmptypes]# ls
destination-unreachable.xml  parameter-problem.xml     router-solicitation.xml
echo-reply.xml               redirect.xml              source-quench.xml
echo-request.xml             router-advertisement.xml  time-exceeded.xml    

The user configuration files are all under:

[root@hk-server zones]# cd /etc/firewalld/
[root@hk-server firewalld]# ls
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones

You can add or remove ports by editing the configuration files:

[root@hk-server firewalld]# cd zones/
[root@hk-server zones]# ls
public.xml  public.xml.old
[root@hk-server zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="65422"/>
</zone>
[root@hk-server zones]# cat public.xml.old
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="65422"/>
</zone>
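The two --list-all listings in the "Remove a port" section above differ only because --permanent edits the saved zone file (the XML just shown) while the running firewall keeps the old rule until --reload. The following script is an added example, not part of the original post: it extracts the ports from --list-all output and from a zone XML file and reports any entry present in one but not the other. The two samples are constructed from the transcripts above; on a real host they would be replaced by the live firewall-cmd output and /etc/firewalld/zones/public.xml.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the ports
# the running firewall allows and the ports saved in a zone's XML file, i.e.
# a rule changed with --permanent but not yet applied with --reload.
set -f   # port entries such as 80/tcp are data, never glob patterns

# Runtime ports: the value of the "ports:" line of `firewall-cmd --list-all`.
ports_line() {
    printf '%s\n' "$1" | sed -n 's/^ *ports: *//p'
}

# Permanent ports: each <port protocol="P" port="N"/> element of a zone file
# (attribute order as written by firewalld above), rendered as N/P so both
# lists use the same notation.
xml_ports() {
    printf '%s\n' "$1" \
      | sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' \
      | tr '\n' ' ' | sed 's/ $//'
}

# Print every entry that is only in one list; return 1 if any drift exists.
port_drift() {
    drift=0
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) echo "runtime-only: $p"; drift=1 ;; esac
    done
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) echo "permanent-only: $p"; drift=1 ;; esac
    done
    return $drift
}

# Constructed samples modeled on the transcripts above: the running zone still
# allows 80/tcp, while the saved zone file no longer lists it.
RUNTIME_SAMPLE='public (default, active)
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 80/tcp 65422/tcp
  masquerade: no
  forward-ports:'
ZONE_XML_SAMPLE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <port protocol="tcp" port="65422"/>
</zone>'

# Stand-alone demo; on a real host use "$(firewall-cmd --zone=public --list-all)"
# and "$(cat /etc/firewalld/zones/public.xml)" instead of the samples.
port_drift "$(ports_line "$RUNTIME_SAMPLE")" "$(xml_ports "$ZONE_XML_SAMPLE")" \
  || echo "drift detected: run 'firewall-cmd --reload'"
```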
Reproduction without permission is prohibited: 运维那些事 » Using firewalld on CentOS 7