Linux firewall: firewalld


10.20 firewalld's nine zones

1. Enable firewalld. Earlier we switched firewalld off in favour of iptables; now do the reverse. Stop and disable iptables first: firewalld and iptables.service both manage the same netfilter tables, and running both leaves two rule sets fighting over one kernel.

  • systemctl disable iptables
  • systemctl stop iptables
  • systemctl enable firewalld
  • systemctl start firewalld
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
  • Run iptables -nvL afterwards: firewalld has installed a large set of chains and rules of its own (IN_public_allow, IN_public_deny and so on). Do not hand-edit them with iptables; firewalld owns those chains and rewrites them on every reload.

2. firewalld ships with nine zones. A zone is a rule set: which services and ports are admitted, and what happens to traffic that matches nothing. drop silently discards all inbound traffic, block rejects it with an ICMP error, trusted accepts everything; the remaining six (public, external, dmz, work, home, internal) all reject unmatched traffic and differ only in the services they admit. The default zone is public.

[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-default-zone
public


10.21 Working with zones in firewalld

1. firewall-cmd --set-default-zone=work // set the default zone

[root@localhost ~]# systemctl start firewalld    # start it first if firewalld is not yet running
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work

2. Tab completion for firewall-cmd comes from the bash-completion package: yum install -y bash-completion (it takes effect in a new shell).

3. firewall-cmd --get-zone-of-interface=ens33 // show the zone a given interface is bound to

[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone

Here ens37 has not been bound to any zone. Before firewalld can bind it, the interface needs a configuration of its own:

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ficfg-ens33    ifdown-bnep  ifdown-isdn    ifdown-Team      ifup-bnep  ifup-isdn   ifup-routes    ifup-wireless
ifcfg-ens33    ifdown-eth   ifdown-post    ifdown-TeamPort  ifup-eth   ifup-plip   ifup-sit       init.ipv6-global
ifcfg-ens33:0  ifdown-ib    ifdown-ppp     ifdown-tunnel    ifup-ib    ifup-plusb  ifup-Team      network-functions
ifcfg-lo       ifdown-ippp  ifdown-routes  ifup             ifup-ippp  ifup-post   ifup-TeamPort  network-functions-ipv6
ifdown         ifdown-ipv6  ifdown-sit     ifup-aliases     ifup-ipv6  ifup-ppp    ifup-tunnel

* Copy the ens33 file to ens37 and edit the copy. Change NAME and DEVICE to ens37, give the copy its own UUID (uuidgen), and give it an address in its own subnet. NetworkManager identifies connections by their UUID, so a copy that keeps ens33's UUID collides with ens33. Two things in the file below deserve attention: the GATEWAY inherited from ens33 (192.168.72.2) is not inside 192.168.100.0/24 and so is unreachable from ens37, and a second DEFROUTE=yes competes with ens33 for the default route. If firewalld should place the interface in a particular zone, add ZONE=<zone>; NetworkManager passes that to firewalld when it activates the connection.

[root@localhost network-scripts]# cp -r ifcfg-ens33 ifcfg-ens37
[root@localhost network-scripts]# ls
ficfg-ens33    ifdown       ifdown-ipv6    ifdown-sit       ifup-aliases  ifup-ipv6   ifup-ppp       ifup-tunnel
ifcfg-ens33    ifdown-bnep  ifdown-isdn    ifdown-Team      ifup-bnep     ifup-isdn   ifup-routes    ifup-wireless
ifcfg-ens33:0  ifdown-eth   ifdown-post    ifdown-TeamPort  ifup-eth      ifup-plip   ifup-sit       init.ipv6-global
ifcfg-ens37    ifdown-ib    ifdown-ppp     ifdown-tunnel    ifup-ib       ifup-plusb  ifup-Team      network-functions
ifcfg-lo       ifdown-ippp  ifdown-routes  ifup             ifup-ippp     ifup-post   ifup-TeamPort  network-functions-ipv6
[root@localhost network-scripts]# vim ifcfg-ens37

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
UUID=3b000477-c3db-4855-b5ba-c73bb1546b3a
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
GATEWAY=192.168.72.2
DNS1=119.29.29.29
DNS2=8.8.8.8
  • Restart firewalld and check ens37 again. Restarting firewalld does not help here: firewalld learns about NetworkManager-managed interfaces from NetworkManager at the moment a connection is activated, so a new ifcfg file only counts after nmcli connection reload (or systemctl restart network) and ifup ens37.
[root@localhost network-scripts]# systemctl restart firewalld
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
no zone

I do not know how to explain this.
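The checks below are an added example, not part of the original notes and not firewalld or NetworkManager code. They lint ifcfg-* files for the mistakes a copied interface file typically carries: no ZONE= (so the interface is left to the default zone, and only once the connection is activated), a UUID shared with the file it was copied from, a GATEWAY outside the interface's own subnet, and two interfaces both claiming the default route. The ifcfg bodies are constructed: ENS37 reproduces the file shown above, ENS33 is an assumed original that the copy inherited its UUID from, and ENS37_FIXED is the same file with the problems repaired.

```python
"""Lint ifcfg-* files for the mistakes that leave a copied interface
without a firewalld zone or with a broken route.

Added example for these notes; not firewalld or NetworkManager code.
ENS33 and ENS37_FIXED are constructed; ENS37 mirrors the file in the notes.
"""
import ipaddress

ENS33 = """\
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=ens33
UUID=3b000477-c3db-4855-b5ba-c73bb1546b3a
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.72.130
NETMASK=255.255.255.0
GATEWAY=192.168.72.2
ZONE=work
"""

ENS37 = """\
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=ens37
UUID=3b000477-c3db-4855-b5ba-c73bb1546b3a
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
GATEWAY=192.168.72.2
"""

ENS37_FIXED = """\
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=no
NAME=ens37
UUID=8d3f2c1e-5a9b-4e77-9c41-0f6b2a7d1e55
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
PREFIX=24
ZONE=dmz
"""


def parse_ifcfg(text):
    """Parse KEY=VALUE lines; ifcfg files are shell-sourced, so strip quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip("\"'")
    return conf


def lint(files):
    """files maps a file name (ifcfg-ens37) to its contents; returns sorted findings."""
    findings = []
    by_uuid = {}
    default_routes = []
    for name, text in files.items():
        conf = parse_ifcfg(text)
        device = conf.get("DEVICE", conf.get("NAME", ""))
        # a copied file must be renamed inside as well as outside
        if name.startswith("ifcfg-") and device != name[len("ifcfg-"):]:
            findings.append(f"{name}: DEVICE={device} does not match the file name")
        # NetworkManager identifies connections by UUID; cp keeps the old one
        by_uuid.setdefault(conf.get("UUID"), []).append(name)
        # without ZONE= NetworkManager asks firewalld for the default zone,
        # and only when the connection is actually activated
        if "ZONE" not in conf:
            findings.append(f"{name}: no ZONE=, binding falls back to the default zone")
        if "IPADDR" in conf and "GATEWAY" in conf:
            prefix = conf.get("PREFIX") or conf.get("NETMASK") or "24"
            net = ipaddress.ip_interface(f"{conf['IPADDR']}/{prefix}").network
            if ipaddress.ip_address(conf["GATEWAY"]) not in net:
                findings.append(f"{name}: GATEWAY {conf['GATEWAY']} is not inside {net}")
            if conf.get("DEFROUTE", "yes").lower() == "yes":
                default_routes.append(name)
    for uuid, names in by_uuid.items():
        if uuid and len(names) > 1:
            findings.append(f"UUID {uuid} is shared by {', '.join(sorted(names))}")
    if len(default_routes) > 1:
        findings.append("DEFROUTE=yes with a GATEWAY on "
                        + ", ".join(sorted(default_routes))
                        + ": the interfaces compete for the default route")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint({"ifcfg-ens33": ENS33, "ifcfg-ens37": ENS37}):
        print(finding)
```

Run against the two files as copied, it reports the four problems; against ENS33 plus ENS37_FIXED it reports nothing. The fixed file drops the foreign gateway and the second default route, carries its own UUID, and names the zone explicitly, which is also what makes the later --get-zone-of-interface=ens37 deterministic instead of depending on what the default zone happened to be.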

4. Bind an interface to a zone: firewall-cmd --zone=dmz --add-interface=ens37 (runtime only; add --permanent to keep it across reloads)

[root@localhost network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz

5. Move an interface to a different zone: firewall-cmd --zone=block --change-interface=ens37. The reply below shows firewall-cmd handing the change to NetworkManager, which owns the interface.

[root@localhost network-scripts]# firewall-cmd --zone=block --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block

6. Remove an interface from its zone: firewall-cmd --zone=block --remove-interface=ens37

[root@localhost network-scripts]# firewall-cmd --zone=block --remove-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
Note that ens37 still reports block. Because NetworkManager controls ens37, the zone binding lives in the connection profile and firewalld's own remove does not stick. Stopping NetworkManager (step 8) is the workaround used in these notes; the cleaner fix is to change the zone on the connection itself with nmcli connection modify ens37 connection.zone <zone> (the same as ZONE=<zone> in ifcfg-ens37) and re-activate it.

7. Show the zone of every active interface on the system:

[root@localhost network-scripts]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: lo

During earlier testing I kept getting errors: ens37 never received a zone assignment. Looking at ifconfig I found that ens37 had lost its address, so I set it with ifconfig ens37 192.168.100.1, then checked the link with mii-tool ens37, then went to /etc/sysconfig/network-scripts, ran ls, and opened the ifcfg-ens37 file to check its contents for mistakes; I found nothing wrong.

8. Stop NetworkManager: service NetworkManager stop (on CentOS 7 this is redirected to systemctl stop NetworkManager). With NetworkManager out of the way, firewalld alone decides which zone an interface belongs to, so --add-interface, --change-interface and --remove-interface behave as shown in steps 4 to 6. If you want to keep NetworkManager, set the zone on the connection instead: nmcli connection modify ens37 connection.zone <zone>.


10.22 Working with services in firewalld

1. List every service firewalld knows about: firewall-cmd --get-services. firewall-cmd --get-service gives the same result. This is not a separate option: firewall-cmd is built on Python's argparse, which accepts any unambiguous abbreviation of a long option, so --get-service resolves to --get-services (and --list-service below to --list-services). Use the full spelling in scripts.

1.1 What a service is: a named set of ports and protocols (optionally plus netfilter helper modules and destination addresses) defined in an XML file, i.e. the rules needed to let one application through. The nine zones exist because each admits a different set of services and treats unmatched traffic differently.

[root@localhost ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-services
(same list as above)

2. firewall-cmd --list-services // list the services admitted by the current default zone

[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --list-services 
ssh dhcpv6-client
  • List the services of a specific zone, here public:
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh

3. Add http to the public zone: firewall-cmd --zone=public --add-service=http (a runtime change; see step 6 for making it permanent)

3.1 Each zone admits its own set of services; list a zone's services with firewall-cmd --zone=public --list-services

[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http

4. Remove http from the public zone again: firewall-cmd --zone=public --remove-service=http

[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success

5. ls /usr/lib/firewalld/zones/ // the zone configuration templates

Every zone has its own XML file under /usr/lib/firewalld/zones/. Treat that directory as read-only: it belongs to the firewalld package and is replaced on upgrade. Your own changes go to /etc/firewalld/zones/, where a file of the same name takes precedence over the template.

[root@localhost ~]#  ls /usr/lib/firewalld/zones/
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml

6. firewall-cmd --zone=public --add-service=http --permanent // changes the saved configuration; firewalld writes /etc/firewalld/zones/public.xml (the template from /usr/lib/firewalld/zones plus the new service)

6.1 --permanent means the change is saved. Without it (steps 3 and 4) the service lives only in the running rule set and is gone after the next reload or restart. With it the change goes into /etc/firewalld/zones/public.xml but does not touch the running rules until firewall-cmd --reload, which also discards any runtime-only changes. To apply a change now and keep it, run the command twice, once with and once without --permanent, or on newer firewalld make the runtime change and then firewall-cmd --runtime-to-permanent.

The generated file in /etc/firewalld/zones:

[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>

7. Requirement: an FTP server listening on the custom port 1121 must be allowed through in the work zone.

7.1 /usr/lib/firewalld/services/ holds the template for every service. Copy ftp.xml from there into the system configuration directory /etc/firewalld/services/ rather than editing the template in place.

[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@localhost ~]# vi /etc/firewalld/services/ftp.xml

7.2 Edit the copied ftp.xml: change the control-port line <port protocol="tcp" port="21"/> to <port protocol="tcp" port="1121"/> and leave the rest of the file as it is. The template also references the nf_conntrack_ftp helper module, which only inspects port 21 by default; with a non-standard control port, passive-mode data connections are not tracked unless that module is loaded with its ports= parameter set to 1121.

7.3 To admit it in the work zone, first copy the work zone template into the live configuration directory:

[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

7.4 Edit /etc/firewalld/zones/work.xml and add <service name="ftp"/> inside the <zone> element next to the existing ssh and dhcpv6-client entries (firewall-cmd --permanent --zone=work --add-service=ftp writes exactly that line for you). Hand-edited files are not picked up until you reload:

[root@localhost ~]# firewall-cmd --reload
success

7.5 Check that the work zone now lists ftp:

[root@localhost ~]# firewall-cmd --zone=work --list-service
ssh ftp dhcpv6-client
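Steps 5 to 7 rely on two rules that are easy to get wrong: a file in /etc/firewalld shadows the template of the same name in /usr/lib/firewalld, and a zone's <service name="..."/> entries only mean something once they are expanded through the service definition that actually wins that lookup. The script below is an added example, not part of the original notes and not firewalld's own code; it resolves what a zone will open after --reload from the permanent XML. The XML strings are constructed to mirror the files produced above (stock ftp.xml, the /etc copy with port 1121, a work.xml with the ftp service added) plus a block.xml for the zone target; the dictionaries stand in for the two directories.

```python
"""Resolve which ports a firewalld zone opens once its permanent
configuration is loaded: /etc/firewalld wins over /usr/lib/firewalld
per file, and <service> entries expand to the <port> entries of the
winning service definition.

Added example for these notes; not firewalld's own code.  All XML is
constructed to mirror the files from steps 5 to 7.
"""
import xml.etree.ElementTree as ET

# constructed stand-ins for the two directories, keyed by relative path
USR_LIB = {
    "services/ssh.xml": '<service><short>SSH</short>'
                        '<port protocol="tcp" port="22"/></service>',
    "services/dhcpv6-client.xml": '<service><short>DHCPv6 Client</short>'
                                  '<port protocol="udp" port="546"/>'
                                  '<destination ipv6="fe80::/64"/></service>',
    "services/ftp.xml": '<service><short>FTP</short>'
                        '<port protocol="tcp" port="21"/>'
                        '<module name="nf_conntrack_ftp"/></service>',
    "zones/work.xml": '<zone><short>Work</short>'
                      '<service name="ssh"/><service name="dhcpv6-client"/></zone>',
    "zones/block.xml": '<zone target="%%REJECT%%"><short>Block</short></zone>',
}
ETC = {
    # steps 7.1/7.2: template copied, control port changed to 1121
    "services/ftp.xml": '<service><short>FTP</short>'
                        '<port protocol="tcp" port="1121"/>'
                        '<module name="nf_conntrack_ftp"/></service>',
    # steps 7.3/7.4: template copied, <service name="ftp"/> added
    "zones/work.xml": '<zone><short>Work</short>'
                      '<service name="ssh"/><service name="dhcpv6-client"/>'
                      '<service name="ftp"/></zone>',
}


def load(relpath, etc, usr_lib):
    """Parse relpath from /etc first, then /usr/lib; None if it exists in neither."""
    for tree in (etc, usr_lib):
        if relpath in tree:
            return ET.fromstring(tree[relpath])
    return None


def service_ports(name, etc=ETC, usr_lib=USR_LIB):
    """Set of (port, protocol) pairs a service definition opens."""
    root = load(f"services/{name}.xml", etc, usr_lib)
    if root is None:
        raise KeyError(f"service {name!r} is defined in neither /etc nor /usr/lib")
    return {(p.get("port"), p.get("protocol")) for p in root.findall("port")}


def zone_open_ports(zone, etc=ETC, usr_lib=USR_LIB):
    """Everything the zone admits: its direct <port> entries plus the
    expansion of every <service> it names."""
    root = load(f"zones/{zone}.xml", etc, usr_lib)
    if root is None:
        raise KeyError(f"zone {zone!r} has no definition")
    ports = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    for svc in root.findall("service"):
        ports |= service_ports(svc.get("name"), etc, usr_lib)
    return ports


def zone_target(zone, etc=ETC, usr_lib=USR_LIB):
    """What happens to traffic no rule matches: 'default' (reject),
    'ACCEPT', 'DROP' or '%%REJECT%%', as written in the zone file."""
    root = load(f"zones/{zone}.xml", etc, usr_lib)
    return root.get("target", "default") if root is not None else None


if __name__ == "__main__":
    print("work opens:", sorted(zone_open_ports("work")))
    # the zone edited but the ftp.xml copy forgotten: port 21 opens, not 1121
    only_zone = {"zones/work.xml": ETC["zones/work.xml"]}
    print("without /etc/firewalld/services/ftp.xml:",
          sorted(zone_open_ports("work", etc=only_zone)))
```

The second call in the usage shows the failure mode worth remembering from step 7: adding <service name="ftp"/> to work.xml without the edited ftp.xml in /etc/firewalld/services admits port 21, and nothing at all on 1121, while firewall-cmd --list-services cheerfully reports "ftp". A service name that exists in neither directory raises instead of being silently ignored.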