CentOS 7 firewalld: adding and removing firewall rules

firewalld is a dynamically managed firewall built around network/firewall zones, which define the trust level of network connections and interfaces.
CentOS 7 ships firewalld as its default firewall front end (replacing the iptables service of earlier releases). Below is a detailed look at how to use it.

Basic firewalld operations


  1. Start firewalld
[root@localhost ~]# systemctl start firewalld
  2. Enable firewalld at boot
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# 
  3. Check whether it is enabled at boot
[root@localhost ~]# systemctl is-enabled firewalld
enabled
  4. Check the firewalld status
[root@localhost ~]# firewall-cmd --state
running
# or:
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-04-07 13:32:06 CST; 59s ago
     Docs: man:firewalld(1)
 Main PID: 1731 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1731 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Apr 07 13:32:06 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 07 13:32:06 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 07 13:32:06 localhost.localdomain firewalld[1731]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a futur...ing it now.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# 
Note the AllowZoneDrifting warning: with zone drifting enabled, a packet that matches nothing in the zone it was first assigned to can fall through to another zone and be accepted there. Set AllowZoneDrifting=no in /etc/firewalld/firewalld.conf and restart firewalld to turn it off.
  5. Stop firewalld
[root@localhost ~]# systemctl stop firewalld
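The AllowZoneDrifting warning in the status output above is worth acting on. The script below is an added example, not code from the article or from the firewalld project: it rewrites AllowZoneDrifting=no in a firewalld.conf whose path is passed as an argument, so the change can be rehearsed on a constructed copy (the sample file contents in main are made up) before it is pointed at /etc/firewalld/firewalld.conf. The function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. The firewalld start-up log
# warns that AllowZoneDrifting is enabled: a packet that matches no rule in
# the zone it was first placed in can "drift" into another zone and be
# accepted there. This script pins the key to "no" in a firewalld.conf whose
# path is given as an argument, so it can be rehearsed on a copy first.

# zone_drifting_setting CONF -> prints the current value, or "unset" when the
# key is absent or only present as a commented-out default.
zone_drifting_setting() {
    val=$(sed -n 's/^AllowZoneDrifting=//p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# disable_zone_drifting CONF -> rewrites CONF so that AllowZoneDrifting=no,
# replacing an existing (possibly commented-out) line or appending one.
# Returns 0 on success.
disable_zone_drifting() {
    conf=$1
    tmp=$(mktemp) || return 1
    if grep -q '^#\{0,1\}AllowZoneDrifting=' "$conf"; then
        sed 's/^#\{0,1\}AllowZoneDrifting=.*/AllowZoneDrifting=no/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp" && printf 'AllowZoneDrifting=no\n' >> "$tmp"
    fi || { rm -f "$tmp"; return 1; }
    # write back in place so the file's owner, mode and SELinux label are kept
    cat "$tmp" > "$conf"; status=$?
    rm -f "$tmp"
    return $status
}

# Stand-alone run: rehearse on a constructed copy of a firewalld.conf; only
# with --apply (as root) change the real file and restart firewalld so the
# new setting is read.
main() {
    demo=$(mktemp)
    # constructed sample, not a real firewalld.conf
    printf '%s\n' '# firewalld config file' 'DefaultZone=public' 'AllowZoneDrifting=yes' > "$demo"
    echo "before: AllowZoneDrifting=$(zone_drifting_setting "$demo")"
    disable_zone_drifting "$demo"
    echo "after:  AllowZoneDrifting=$(zone_drifting_setting "$demo")"
    rm -f "$demo"
    if [ "${1:-}" = --apply ]; then
        disable_zone_drifting /etc/firewalld/firewalld.conf && systemctl restart firewalld
    fi
}
main "$@"
```

Run it without arguments to watch the rewrite on the demo copy; `sh zonedrift.sh --apply` as root changes the real file and restarts firewalld. After the restart the WARNING line should no longer appear in `systemctl status firewalld`.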

Common zones and firewall-cmd options


  1. Common firewalld zones and their default policies
Zone       Default policy
trusted    Accepts all packets in and out.
home       Rejects incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services is allowed.
internal   Initially the same as home.
work       Rejects incoming traffic unless related to outgoing traffic; incoming traffic for the ssh, ipp-client and dhcpv6-client services is allowed.
public     Rejects incoming traffic unless related to outgoing traffic; incoming traffic for the ssh and dhcpv6-client services is allowed. This is the default zone.
external   Rejects incoming traffic unless related to outgoing traffic; incoming traffic for the ssh service is allowed. Masquerading is enabled for outgoing traffic.
dmz        Rejects incoming traffic unless related to outgoing traffic; incoming traffic for the ssh service is allowed.
block      Rejects all incoming traffic unless related to outgoing traffic, and tells the sender so with an ICMP host-prohibited (IPv4) or adm-prohibited (IPv6) message.
drop       Silently drops all incoming traffic unless related to outgoing traffic; no reply is sent, so only outgoing connections are possible.
  2. firewall-cmd options and what they do
Option                          Effect
--get-default-zone              Show the name of the default zone
--set-default-zone=<zone>       Set the default zone (changes both the runtime and the permanent configuration)
--get-zones                     List the available zones
--get-services                  List the predefined services
--get-active-zones              Show the zones currently in use, with their sources and interfaces
--zone=<zone>                   Apply the command to this zone instead of the default zone
--add-source=<IP or subnet>     Send traffic from this IP or subnet to the given zone
--remove-source=<IP or subnet>  Stop sending traffic from this IP or subnet to the zone
--add-interface=<interface>     Bind the interface to a zone, so all traffic arriving on it is handled by that zone
--change-interface=<interface>  Move the interface to a zone (removing it from its current one)
--list-all                      Show the zone's interfaces, sources, ports, services and other settings
--list-all-zones                The same, for every zone
--add-service=<service>         Allow the service's traffic in the zone (the default zone unless --zone= is given)
--add-port=<port/protocol>      Allow traffic to the port in the zone
--remove-service=<service>      Stop allowing the service in the zone
--remove-port=<port/protocol>   Stop allowing the port in the zone
--reload                        Reload the permanent configuration and make it the runtime configuration; any runtime-only changes are discarded
--permanent                     Write the change to the permanent configuration instead of the runtime one; it takes effect after --reload or a restart. A change made without --permanent is live immediately but lost on reload or reboot
--panic-on                      Enter panic mode: all incoming and outgoing packets are dropped
--panic-off                     Leave panic mode

firewalld configuration walkthrough


  1. List all available zones
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --get-default-zone
public   # the default zone is public
  2. View the configuration of a specific zone
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="172.25.42.35/24" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.80.208/22" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.65.94/24" port port="3306" protocol="tcp" accept

Field descriptions:

target: what happens to packets that match none of the zone's rules: default (reject), ACCEPT, DROP or %%REJECT%%
icmp-block-inversion: inverts the meaning of the icmp-blocks list (yes/no)
interfaces: the network interfaces bound to this zone
sources: source addresses bound to this zone; IP addresses or subnets, MAC addresses, or ipsets
services: allowed services (predefined in /usr/lib/firewalld/services/)
ports: allowed destination ports, i.e. ports opened on this host
protocols: allowed IP protocols
masquerade: whether masquerading (source NAT) is enabled (yes/no); it rewrites the source IP address of forwarded traffic
forward-ports: port forwarding entries
source-ports: allowed source ports
icmp-blocks: ICMP types listed here are blocked when icmp-block-inversion is no; when it is yes, only the listed types are allowed and all others are blocked.
rich rules: finer-grained rules that can combine source, destination, port, protocol, logging and rate limiting; a rich rule that drops or rejects is checked before the zone's allowed services and ports.
  3. Adding a rule (opening a port in the default zone, public)
[root@localhost ~]# firewall-cmd --zone=public --add-port=1521/tcp --permanent 
success
[root@localhost ~]# firewall-cmd --reload   # --permanent only writes the saved configuration; reload to make it the running one
success
  4. View the public zone again (port 1521/tcp is now listed)
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="172.25.42.35/24" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.80.208/22" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.65.94/24" port port="3306" protocol="tcp" accept
  5. Removing the port (1521/tcp)
[root@localhost ~]# firewall-cmd --zone=public --remove-port=1521/tcp --permanent   # remove from the saved configuration
success
[root@localhost ~]# firewall-cmd --reload   # apply it
success
[root@localhost ~]# firewall-cmd --zone=public --list-all   # verify
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="172.25.42.35/24" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.80.208/22" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.65.94/24" port port="3306" protocol="tcp" accept
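The add, reload, verify and remove steps above can be folded into one idempotent script. The following is an added example and not the article's own commands: instead of --reload, it checks the runtime and the permanent configuration separately with --query-port and issues --add-port or --remove-port only where the state differs, so it never throws away runtime-only rules that someone else may have added on the host. The FW variable, the function names and the stub used to test it are this example's own assumptions; FW defaults to the real firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original article: keep a zone's runtime and
# permanent configuration in agreement about a port without --reload.
# FW is this script's own knob (defaults to the real firewall-cmd) so the
# logic can be exercised against a stub that mimics firewall-cmd's exit codes.
FW=${FW:-firewall-cmd}

# fw_port_state ZONE PORT/PROTO -> prints "runtime=... permanent=..."
# A mismatch means a --reload or reboot would silently change what is reachable.
fw_port_state() {
    if "$FW" --zone="$1" --query-port="$2" >/dev/null 2>&1; then r=present; else r=absent; fi
    if "$FW" --permanent --zone="$1" --query-port="$2" >/dev/null 2>&1; then p=present; else p=absent; fi
    echo "runtime=$r permanent=$p"
}

# fw_port_ensure ZONE PORT/PROTO present|absent
# Queries each scope first and only issues --add-port/--remove-port where the
# state differs, so it is safe to run repeatedly. Returns 0 when both scopes
# match the request, 1 when firewall-cmd refused a change, 2 on bad usage.
fw_port_ensure() {
    fw_zone=$1; fw_port=$2; fw_want=$3
    case $fw_want in
        present|absent) ;;
        *) echo "usage: fw_port_ensure ZONE PORT/PROTO present|absent" >&2; return 2 ;;
    esac
    for fw_scope in runtime permanent; do
        # runtime is firewall-cmd's default; --permanent selects the saved config
        if [ "$fw_scope" = permanent ]; then fw_flag=--permanent; else fw_flag=; fi
        if "$FW" $fw_flag --zone="$fw_zone" --query-port="$fw_port" >/dev/null 2>&1; then
            fw_have=present
        else
            fw_have=absent
        fi
        [ "$fw_have" = "$fw_want" ] && continue
        if [ "$fw_want" = present ]; then
            "$FW" $fw_flag --zone="$fw_zone" --add-port="$fw_port" >/dev/null || return 1
        else
            "$FW" $fw_flag --zone="$fw_zone" --remove-port="$fw_port" >/dev/null || return 1
        fi
    done
    return 0
}

# Stand-alone use: sh fwport.sh public 1521/tcp present
main() {
    if [ $# -ne 3 ]; then
        echo "usage: $0 ZONE PORT/PROTO present|absent" >&2
        return 0
    fi
    fw_port_ensure "$@" && fw_port_state "$1" "$2"
}
main "$@"
```

The same query-then-change pattern applies to --query-service/--add-service and --query-source/--add-source. Running `fw_port_state` on its own is a quick way to spot hosts where someone opened a port at runtime only (runtime=present permanent=absent): that port closes on the next --reload or reboot, which is usually not what was intended.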
  6. Adding a rich rule
Quote the whole rule in single quotes so the inner double quotes reach firewall-cmd unchanged; the nested double quotes in the original command only worked because the shell concatenated the fragments. A /32 source matches that single host, whereas the existing 172.25.42.35/24 entry matches the whole 172.25.42.0/24 network.
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.25.42.35/32" port protocol="tcp" port="3306" accept'
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="172.25.42.35/24" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.80.208/22" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.65.94/24" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="172.25.42.35/32" port port="3306" protocol="tcp" accept
  7. Removing rich rules
The rule passed to --remove-rich-rule must describe the same rule that was added (same family, source, port and action); otherwise firewall-cmd reports that the rule is not enabled.
[root@localhost ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="172.25.42.35/24" port port="3306" protocol="tcp" accept'
success
[root@localhost ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="172.25.42.35/32" port port="3306" protocol="tcp" accept'
success
[root@localhost ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.80.208/22" port port="3306" protocol="tcp" accept'
success
[root@localhost ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.65.94/24" port port="3306" protocol="tcp" accept'
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
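The rich rules above use sources such as 172.25.42.35/24, which firewalld treats as the whole 172.25.42.0/24 network rather than one host. The script below is an added example, not the article's own: it normalises each source to its network address, warns when host bits were set, and prints (or, with APPLY=1, runs) the runtime and --permanent firewall-cmd invocations for the rule. The function names, the APPLY switch and the sample source list in main are this example's own; the addresses in that list are the ones the article uses.

```shell
#!/bin/sh
# Added example, not from the original article. Turns a list of sources into
# the rich rules shown in this section, normalising each source to its network
# address first: firewalld applies "172.25.42.35/24" to all of 172.25.42.0/24,
# not to one host, which is easy to miss when reading --list-all output.

# ipv4_network ADDR PREFIXLEN -> prints the network address of ADDR/PREFIXLEN
# (dotted-quad arithmetic in plain sh; returns 1 on malformed input)
ipv4_network() {
    addr=$1; plen=$2
    case $plen in ''|*[!0-9]*) echo "bad prefix length: $plen" >&2; return 1 ;; esac
    [ "$plen" -le 32 ] || { echo "bad prefix length: $plen" >&2; return 1; }
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad address: $addr" >&2; return 1; }
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || { echo "bad address: $addr" >&2; return 1; }
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$plen" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - plen)) & 4294967295 )); fi
    net=$(( n & mask ))
    printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# rich_rule_accept SOURCE PORT/PROTO -> prints a rich rule accepting PORT/PROTO
# from SOURCE (an IPv4 address or CIDR; a bare address means /32). Warns on
# stderr when SOURCE had host bits set, and uses the network address instead.
rich_rule_accept() {
    src=$1; portproto=$2
    case $src in
        */*) addr=${src%/*}; plen=${src#*/} ;;
        *)   addr=$src; plen=32 ;;
    esac
    case $portproto in
        */tcp|*/udp) port=${portproto%/*}; proto=${portproto#*/} ;;
        *) echo "port must be NUMBER/tcp or NUMBER/udp: $portproto" >&2; return 1 ;;
    esac
    net=$(ipv4_network "$addr" "$plen") || return 1
    if [ "$net" != "$addr" ]; then
        echo "warning: $src has host bits set; the rule will match $net/$plen" >&2
    fi
    printf 'rule family="ipv4" source address="%s/%s" port port="%s" protocol="%s" accept\n' \
        "$net" "$plen" "$port" "$proto"
}

# rich_rule_cmds ZONE add|remove SOURCE PORT/PROTO -> prints the runtime and
# permanent firewall-cmd invocations for the rule, or runs them when APPLY=1.
rich_rule_cmds() {
    zone=$1; action=$2
    case $action in add|remove) ;; *) echo "action must be add or remove" >&2; return 1 ;; esac
    rule=$(rich_rule_accept "$3" "$4") || return 1
    for flag in "" --permanent; do
        if [ "${APPLY:-0}" = 1 ]; then
            firewall-cmd $flag --zone="$zone" "--$action-rich-rule=$rule"
        else
            printf "firewall-cmd %s--zone=%s --%s-rich-rule='%s'\n" "${flag:+$flag }" "$zone" "$action" "$rule"
        fi
    done
}

# Stand-alone run over a constructed list: the sources the article's rules use.
main() {
    for src in 172.25.42.35/24 192.168.80.208/22 192.168.65.94/24 172.25.42.35/32; do
        rich_rule_cmds public add "$src" 3306/tcp
    done
}
main
```

Because the script emits both the runtime and the --permanent form, the rule is live immediately and survives a reload; the article's commands only touch the permanent configuration and therefore need the extra --reload. To take a rule out again, call `rich_rule_cmds public remove ...` with the same source, so that the normalised rule text matches what was stored.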

Copyright notice: this is the author's original article, released under the CC 4.0 BY-SA license; reprints must include a link to the original and this notice.

Original article by 老C; when reprinting, please credit the source: https://www.code404.icu/213.html
