防火牆策略之firewall

1.關閉iptables並打開firewalld

[root@localhost ~]# systemctl stop iptables                          ##停止iptables

[root@localhost ~]# systemctl mask iptables                         ##凍結iptables不再啓用
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since 五 2017-06-02 21:03:09 EDT; 15min ago
 Main PID: 481 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─481 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

6月 02 21:03:09 localhost systemd[1]: Started firewalld - dynamic firewall...n.
6月 02 21:18:02 localhost systemd[1]: Started firewalld - dynamic firewall...n.

Hint: Some lines were ellipsized, use -l to show in full.

2.firewalld常用命令

[root@localhost ~]# firewall-cmd --state                            ##查看firewalld狀態
running
[root@localhost ~]# firewall-cmd --get-active-zones          ##查看當前活動區域
ROL
  sources: 172.25.0.252/32
public
  interfaces: eth0
[root@localhost ~]# firewall-cmd --get-default-zone               ##查看默認區域
public
[root@localhost ~]# firewall-cmd --get-zones                        ##查看所有可用區域
ROL block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --zone=public --list-all         ##列出指定域的所有設置
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@localhost ~]# firewall-cmd --get-services                     ##列出所有預設服務
***這樣將列出 /usr/lib/firewalld/services/ 中的服務器名稱。注意:配置文件是以服務本身命名的service-name. xml***
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

[root@localhost ~]# firewall-cmd --set-default-zone=trusted
success
[root@localhost ~]# firewall-cmd --list-all
trusted (default, active)
  interfaces: eth0 eth1
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# vim /etc/yum.repos.d/rhel_dvd.repo
[root@localhost ~]# yum clean all
Loaded plugins: langpacks
Cleaning repos: rhel_dvd
Cleaning up everything
[root@localhost ~]# yum install httpd
[root@localhost ~]# systemctl restart httpd
****測試端用瀏覽器訪問172.25.254.140****

[root@localhost ~]# firewall-cmd --set-default-zone=public
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
[root@localhost ~]# firewall-cmd --zone=public --remove-interface=eth0      ##將eth0網卡從public域移除
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
[root@localhost ~]# firewall-cmd --zone=trusted --add-interface=eth0       ##將eth0網卡添加到trusted域
success
****測試端瀏覽器不能訪問172.25.255.140，但可以訪問172.25.40.10****

[root@desktop ~]# firewall-cmd --add-masquerade
[root@desktop ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
    
[root@desktop ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.40.140 masquerade'
success
[root@desktop ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="172.25.40.140" masquerade