14.4.3 firewalld
# iptables -P INPUT ACCEPT # yum remove -y iptables # systemctl enable firewalld Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service. Created symlink /etc/systemd/system/ → /usr/lib/systemd/system/firewalld.service. # systemctl start firewalld
首先將INPUT鏈的默認策略設置為ACCEPT,因為前面的實驗中有將其設置為DROP。在前面介紹的iptables相關的命令,其實也是可以繼續使用的,只不過在Rocky8中不用那麼操作,而是有firewalld自己的命令。
# firewall-cmd --get-zones block dmz drop external home internal public trusted work
# firewall-cmd --get-default-zone public
block(限制):任何接收的網絡連接都被 IPv4 的icmp-host-prohibited信息和 IPv6 的icmp6-adm-prohibited信息所拒絕。
# firewall-cmd --set-default-zone=work #設定默認的zone為work success # firewall-cmd --get-zone-of-interface=ens33 #查看指定網卡所在的zone work # firewall-cmd --zone=public --add-interface=lo #給指定網卡設置zone success # firewall-cmd --zone=dmz --change-interface=lo #針對網卡更改zone success # firewall-cmd --zone=dmz --remove-interface=lo #針對網卡刪除zone success # firewall-cmd --get-active-zones #查看系統所有網卡所在的zone work interfaces: ens33
# firewall-cmd --get-service #列出當前系統所有的service RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
# ls /usr/lib/firewalld/services/ amanda-client.xml dhcpv6-client.xml git.xml kpasswd.xml murmur.xml prometheus.xml sip.xml tentacle.xml amanda-k5-client.xml dhcpv6.xml grafana.xml kprop.xml mysql.xml proxy-dhcp.xml slp.xml tftp-client.xml amqps.xml dhcp.xml gre.xml kshell.xml nfs3.xml ptp.xml smtp-submission.xml tftp.xml amqp.xml distcc.xml high-availability.xml ldaps.xml nfs.xml pulseaudio.xml smtps.xml tile38.xml apcupsd.xml dns-over-tls.xml https.xml ldap.xml nmea-0183.xml puppetmaster.xml smtp.xml tinc.xml audit.xml dns.xml http.xml libvirt-tls.xml nrpe.xml quassel.xml snmptrap.xml tor-socks.xml bacula-client.xml docker-registry.xml imaps.xml libvirt.xml ntp.xml radius.xml snmp.xml transmission-client.xml bacula.xml docker-swarm.xml imap.xml lightning-network.xml nut.xml rdp.xml spideroak-lansync.xml upnp-client.xml bb.xml dropbox-lansync.xml ipp-client.xml llmnr.xml openvpn.xml redis-sentinel.xml spotify-sync.xml vdsm.xml bgp.xml elasticsearch.xml ipp.xml managesieve.xml ovirt-imageio.xml redis.xml squid.xml vnc-server.xml bitcoin-rpc.xml etcd-client.xml ipsec.xml matrix.xml ovirt-storageconsole.xml RH-Satellite-6.xml ssdp.xml wbem-https.xml bitcoin-testnet-rpc.xml etcd-server.xml ircs.xml mdns.xml ovirt-vmconsole.xml rpc-bind.xml ssh.xml wbem-http.xml bitcoin-testnet.xml finger.xml irc.xml memcache.xml plex.xml rsh.xml steam-streaming.xml wsmans.xml bitcoin.xml freeipa-4.xml iscsi-target.xml minidlna.xml pmcd.xml rsyncd.xml svdrp.xml wsman.xml bittorrent-lsd.xml freeipa-ldaps.xml isns.xml mongodb.xml pmproxy.xml rtsp.xml svn.xml xdmcp.xml ceph-mon.xml freeipa-ldap.xml jenkins.xml mosh.xml pmwebapis.xml salt-master.xml syncthing-gui.xml xmpp-bosh.xml ceph.xml freeipa-replication.xml kadmin.xml mountd.xml pmwebapi.xml samba-client.xml syncthing.xml xmpp-client.xml cfengine.xml freeipa-trust.xml kdeconnect.xml mqtt-tls.xml pop3s.xml samba-dc.xml synergy.xml xmpp-local.xml cockpit.xml ftp.xml kerberos.xml mqtt.xml pop3.xml samba.xml syslog-tls.xml 
xmpp-server.xml condor-collector.xml ganglia-client.xml kibana.xml mssql.xml postgresql.xml sane.xml syslog.xml zabbix-agent.xml ctdb.xml ganglia-master.xml klogin.xml ms-wbt.xml privoxy.xml sips.xml telnet.xml zabbix-server.xml
# firewall-cmd --list-services #查看當前zone下有哪些service cockpit dhcpv6-client ssh # firewall-cmd --zone=public --list-services #查看指定zone下有哪些service
# firewall-cmd --zone=public --add-service=http #把http增加到public zone下面 success # firewall-cmd --zone=public --list-services cockpit dhcpv6-client http ssh
# ls /usr/lib/firewalld/zones/ block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
# firewall-cmd --zone=public --add-service=http --permanent #加上--permanent只寫入永久配置,要執行 firewall-cmd --reload 之後才會在運行時生效 success
下面阿銘舉一個實際的例子,幫助你明白zone和service兩個概念。需求:假如服務器上配置了一個FTP服務,但端口並非默認的21,而是1121,並且需要在work zone下面放行FTP。具體的做法如下:
# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/ #這個和上面阿銘提到的情況一樣,/usr/lib/firewalld/services/目錄下面為所有service的模板配置文件 # vi /etc/firewalld/services/ftp.xml #把里面的21改為1121 # cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/ # vi /etc/firewalld/zones/work.xml #在里面增加一行FTP相關的配置,內容如下 <service name="ftp"/> # firewall-cmd --reload #重新加載 Work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
再來驗證一下work zone里面的service是否有FTP:
# firewall-cmd --zone=work --list-services cockpit dhcpv6-client ftp ssh
# firewall-cmd --set-default-zone=public #將默認zone設置為public # firewall-cmd --zone=public --add-port 1000/tcp --permanent #如果不指定--zone默認就是public,增加tcp的1000端口,增加--permanent是為了讓其永久生效,否則重啟后就失效了 success # firewall-cmd --reload #使其規則生效 # firewall-cmd --list-all #列出當前具體規則,可以看到剛剛增加的1000端口 public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: services: cockpit dhcpv6-client http ssh ports: 1000/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
# firewall-cmd --add-port 3000-3010/tcp --permanent #3000-3010指定一個范圍 success # firewall-cmd --reload # firewall-cmd --list-all |grep ports #用grep過濾只含有’ports’字符的行 ports: 1000/tcp 3000-3010/tcp forward-ports: source-ports: # firewall-cmd --add-port 80/tcp --add-port 8080/tcp --permanent #如果要增加多個port,那就要寫多個--add-port # firewall-cmd --reload
# firewall-cmd --remove-port 8080/tcp --permanent success # firewall-cmd --reload success # firewall-cmd --list-all |grep ports ports: 1000/tcp 3000-3010/tcp 80/tcp forward-ports: source-ports:
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<來源IP或網段>" port protocol="tcp" port="6379" accept" #<來源IP或網段>為佔位符,填入實際要放行的地址 success # firewall-cmd --reload success # firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: services: cockpit dhcpv6-client http ssh ports: 1000/tcp 3000-3010/tcp 80/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="<來源IP或網段>" port port="6379" protocol="tcp" accept # firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<來源IP或網段>" accept" #放行指定網段 success # firewall-cmd --reload success # firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: services: cockpit dhcpv6-client http ssh ports: 1000/tcp 3000-3010/tcp 80/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="<來源IP或網段>" port port="6379" protocol="tcp" accept rule family="ipv4" source address="<來源IP或網段>" accept
# firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="<來源IP或網段>" accept" #刪除時規則內容要與添加時完全一致 success # firewall-cmd --reload