Managing firewall policy on Linux with firewalld
Author: Internet
firewalld offers both a command-line interface (CLI, firewall-cmd) and a graphical user interface (GUI, firewall-config).
firewalld works with zones: a zone is a template of firewall policy that is applied to every interface or source address bound to it.
Commonly used firewalld zone names and their policy rules:
The experiments below cover the commonly used command-line commands.
1. Table of common parameters
2. Check which zone firewalld currently uses as its default zone
[root@PC1 ~]# firewall-cmd --get-default-zone    ## the current default zone is public
public
3. Check which firewalld zone the eno16777728 interface belongs to
[root@PC1 network-scripts]# nmcli connection show    ## look up the interface name
NAME         UUID                                  TYPE            DEVICE
eno16777728  d6f581bd-b571-43bf-bb9c-c37d935855ee  802-3-ethernet  eno16777728
[root@PC1 network-scripts]# firewall-cmd --get-zone-of-interface=eno16777728    ## the interface is in zone public
public
4. Move the eno16777728 interface to zone external (permanent mode)
A --permanent change is written to the saved configuration under /etc/firewalld/ and does not touch the running firewall until firewall-cmd --reload (or a service restart). To change both at once, run the command twice, once with and once without --permanent.
[root@PC1 network-scripts]# firewall-cmd --permanent --zone=external --change-interface=eno16777728    ## move the interface to zone external in the permanent configuration
success
[root@PC1 network-scripts]# firewall-cmd --get-zone-of-interface=eno16777728    ## not in effect yet: only the permanent configuration was changed
public
[root@PC1 network-scripts]# firewall-cmd --permanent --get-zone-of-interface=eno16777728
external
5. Set firewalld's default zone to external
Unlike most options, --set-default-zone changes the runtime and the permanent configuration in one step, so the new default applies immediately and also survives a reload; the original post's note that this was a runtime-only change is not correct.
[root@PC1 network-scripts]# firewall-cmd --get-default-zone    ## the current default zone is public
public
[root@PC1 network-scripts]# firewall-cmd --set-default-zone=external    ## set it to external
success
[root@PC1 network-scripts]# firewall-cmd --get-default-zone    ## changed and in effect at once
external
6. Test panic mode (192.168.10.10 is the host being configured, 192.168.10.20 is a second host)
Panic mode drops every incoming and outgoing packet, is a runtime-only setting, and will also cut any SSH session to the host. Only toggle it from the console (or a virtual-machine console), as is done here on PC1.
[root@PC2 ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe25:bb3e  prefixlen 64  scopeid 0x20<link>
[root@PC2 ~]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.195 ms

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.195/0.223/0.261/0.032 ms
[root@PC1 network-scripts]# firewall-cmd --panic-on    ## enable panic mode
success
[root@PC2 ~]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
[root@PC1 network-scripts]# firewall-cmd --panic-off    ## disable panic mode
success
[root@PC2 ~]# ping -c 3 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.226 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.193 ms

--- 192.168.10.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.193/0.236/0.291/0.044 ms
7. Set firewalld's default zone back to public
[root@PC1 network-scripts]# firewall-cmd --get-default-zone
external
[root@PC1 network-scripts]# firewall-cmd --set-default-zone=public
success
[root@PC1 network-scripts]# firewall-cmd --get-default-zone
public
8. Check whether zone public allows SSH and HTTPS traffic
[root@PC1 network-scripts]# firewall-cmd --zone=public --query-service=ssh
yes
[root@PC1 network-scripts]# firewall-cmd --zone=public --query-service=https
no
9. Permanently allow HTTPS traffic and make it take effect immediately
The pattern used here is --permanent followed by --reload. Two equivalent alternatives: run the same --add-service command once with and once without --permanent, or make the runtime change first and then save it with firewall-cmd --runtime-to-permanent.
[root@PC1 network-scripts]# firewall-cmd --zone=public --add-service=https --permanent
success
[root@PC1 network-scripts]# firewall-cmd --reload
success
[root@PC1 network-scripts]# firewall-cmd --zone=public --query-service=https
yes
10. Permanently deny HTTP traffic and make it take effect immediately
There is no "deny this service" switch for a zone: zone public uses the default target, which rejects any inbound connection that is not explicitly allowed, so HTTP is denied simply by not listing the http service. The session below first adds http to show the effect of --add-service, then removes it again with --remove-service.
[root@PC1 network-scripts]# firewall-cmd --zone=public --query-service=http
no
[root@PC1 network-scripts]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@PC1 network-scripts]# firewall-cmd --reload
success
[root@PC1 network-scripts]# firewall-cmd --zone=public --query-service=http
yes
[root@PC1 network-scripts]# firewall-cmd --zone=public --remove-service=http --permanent
success
[root@PC1 network-scripts]# firewall-cmd --reload
success
[root@PC1 network-scripts]# firewall-cmd --zone=public --query-service=http
no
11. Allow traffic to ports 8080 and 8081, runtime only
Without --permanent the change lives only in the running configuration and is discarded by the next firewall-cmd --reload or service restart. That makes runtime-only changes a safe way to try a rule; keep it with --runtime-to-permanent once it is known to be right.
[root@PC1 network-scripts]# firewall-cmd --zone=public --list-ports
[root@PC1 network-scripts]# firewall-cmd --zone=public --add-port=8080-8081/tcp
success
[root@PC1 network-scripts]# firewall-cmd --zone=public --list-ports
8080-8081/tcp
12. Forward traffic arriving on local port 888 to port 22, effective now and permanently (22 is the sshd port)
Before the rule exists, the connection attempt from PC2 fails with "No route to host": zone public's default target rejects the packet with an ICMP host-prohibited message, which ssh reports in exactly that way. When the destination is the same host, toaddr= may be left out; it is only needed when forwarding to another machine (which additionally requires masquerading on the zone).
[root@PC2 ~]# ssh -p 888 192.168.10.10
ssh: connect to host 192.168.10.10 port 888: No route to host
[root@PC1 network-scripts]# firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10
success
[root@PC1 network-scripts]# firewall-cmd --reload
success
[root@PC2 ~]# ssh -p 888 192.168.10.10
The authenticity of host '[192.168.10.10]:888 ([192.168.10.10]:888)' can't be established.
ECDSA key fingerprint is 0d:69:cb:ad:61:42:f3:f7:7b:93:4b:b4:af:83:4d:8e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.10]:888' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:
Last login: Wed Dec  2 16:39:39 2020
[root@PC1 ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe66:37f7  prefixlen 64  scopeid 0x20<link>
[root@PC1 ~]# exit
logout
Connection to 192.168.10.10 closed.
13. Reject SSH from every host in 192.168.10.0/24 (a firewalld rich rule)
Rich rules with a reject or drop action are evaluated before the zone's allowed services, so this rule wins even though ssh remains an allowed service of zone public. Two practical notes. First, if you administer the host over SSH from that same network, the rule cuts your own session; PC1 is configured from its console here, and otherwise you would exclude your own address first. Second, quoting: as typed below, the shell consumes the inner double quotes and firewalld receives rule family=ipv4 source address=192.168.10.0/24 service name=ssh reject, which it accepted; the safer habit is to single-quote the whole rule so the inner double quotes reach firewalld unchanged. The final "Connection refused" (rather than a timeout) is what reject produces, since the client gets an ICMP port-unreachable reply; drop would leave the client waiting.
[root@PC2 ~]# ssh 192.168.10.10
The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
ECDSA key fingerprint is 0d:69:cb:ad:61:42:f3:f7:7b:93:4b:b4:af:83:4d:8e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:
Last login: Tue Dec 22 14:18:10 2020 from 192.168.10.20
[root@PC1 ~]# ifconfig | head -n 3
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe66:37f7  prefixlen 64  scopeid 0x20<link>
[root@PC1 ~]# exit
logout
Connection to 192.168.10.10 closed.
[root@PC1 network-scripts]# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject"
success
[root@PC1 network-scripts]# firewall-cmd --reload
success
[root@PC2 ~]# ssh 192.168.10.10
ssh: connect to host 192.168.10.10 port 22: Connection refused
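The script below is an added example and is not part of the original post. It packages the habits from steps 9 to 13 into a few POSIX sh functions: apply a change to runtime and permanent configuration in one step, build a rich rule with validated parts and correct quoting, and, before rejecting SSH from a subnet, check whether the operator's own SSH session (sshd exports the client address in SSH_CLIENT) falls inside that subnet. The DRY_RUN variable, the fw wrapper and the helper names are assumptions of this example; the addresses are the post's lab addresses, and the CIDR arithmetic is IPv4 only. By default the script only prints the firewall-cmd commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Safety helpers around firewall-cmd.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 really calls firewall-cmd.
DRY_RUN="${DRY_RUN:-1}"

fw() {
    if [ "$DRY_RUN" = 1 ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# Convert a dotted-quad IPv4 address to an unsigned integer.
# Prints nothing and returns 1 unless there are exactly four octets 0-255 (no leading zeros).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR $2 (a bare address counts as /32),
# 2 if either argument is malformed.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" != "$2" ] || bits=32
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    a=$(ip2int "$1") || return 2
    n=$(ip2int "$net") || return 2
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# Build a rich rule from validated parts. When passing the result on a command
# line, single-quote it so the inner double quotes reach firewalld intact.
rich_rule() {  # rich_rule <source-cidr> <service> <accept|reject|drop>
    case $3 in accept|reject|drop) ;; *) echo "rich_rule: bad action '$3'" >&2; return 1 ;; esac
    in_cidr "${1%/*}" "$1" || { echo "rich_rule: bad source '$1'" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' "$1" "$2" "$3"
}

# Return 0 if a reject/drop on <cidr> would cut the SSH session this shell runs in.
# sshd sets SSH_CLIENT to "client-ip client-port server-port"; it is unset on a console.
would_lock_out() {
    client=${SSH_CLIENT%% *}
    [ -n "$client" ] && in_cidr "$client" "$1"
}

# Apply one change to the runtime and the permanent configuration in one step,
# the alternative to "--permanent ... then --reload" used in the post.
apply_both() {  # apply_both --zone=public --add-service=https
    fw "$@" && fw --permanent "$@"
}

# Demo: open https (step 9), then reject ssh from the lab subnet (step 13)
# only if that cannot cut off the operator.
apply_both --zone=public --add-service=https
rule=$(rich_rule 192.168.10.0/24 ssh reject) || exit 1
if would_lock_out 192.168.10.0/24; then
    echo "refusing: ${SSH_CLIENT%% *} is inside 192.168.10.0/24, run this from the console" >&2
else
    apply_both --zone=public --add-rich-rule="$rule"
fi
```

Run it as is to see the commands it would issue; run it with DRY_RUN=0 on the firewalld host to apply them. The lockout check is deliberately conservative: it only looks at the operator's own client address, so a rule that would cut other administrators still needs a human look.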
The experiments above demonstrate routine firewall configuration of the firewalld service from the command line.
Source: https://www.cnblogs.com/liujiaxin2018/p/14172781.html