CentOS 7 巨大变动之 firewalld 取代 iptables

转自 http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php?utm_source=tuicool

Fedora 18 introduced firewalld as a replacement for the previous iptables service. Since RHEL7 and Oracle Linux 7 are based on Fedora 19, the switch from iptables service to firewalld is now part of the Enterprise Linux distributions. This article is a rework of the previous Linux Firewall article, bringing it up to date.

Note. You need to distinguish between the iptables service and the iptables command. Although firewalld is a replacement for the firewall management provided by iptables service, it still uses the iptables command for dynamic communication with the kernel packet filter (netfilter). So it is only the iptables service that is replaced, not the iptables command. That can be a confusing distinction at first.

Related articles.

Reverting to the iptables Service

If you are not ready to make the break to firewalld, you can still use the iptables service by issuing the following commands.

# systemctl stop firewalld
# systemctl disable firewalld

# iptables-service

# touch /etc/sysconfig/iptables
# systemctl start iptables
# systemctl enable iptables

# touch /etc/sysconfig/ip6tables
# systemctl start ip6tables
# systemctl enable ip6table

From this point forward, firewall administration will be similar to that described here.

The rest of this article assumes you are going to use firewalld.

Installation

Most installations will include the firewall functionality, but if you need to manually install it, do the following.

# yum install firewalld firewall-config

Make sure the service is started and will auto-start on reboot.

# systemctl start firewalld.service
# systemctl enable firewalld.service

You can check the current status of the service using the following command.

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
 Main PID: 13246 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13246 /usr/bin/python /usr/sbin/firewalld --nofork --nopid

Apr 20 14:06:44 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 20 14:06:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
#

To disable the firewall, run the following commands.

# systemctl stop firewalld.service
# systemctl disable firewalld.service

firewall-config

The GUI screen to control the firewall is available from the menu.

  • Fedora : System > Administration > Firewall
  • RHEL7/OL7 : Applications > Sundry > Firewall

Alternatively, if can be started from the command line using the firewall-config command. If it is not already present, it can be installed using the following command.

# yum install firewall-config

Once started, the "Configuration:" drop-down allows you to decide if you are modifying currently running settings (Runtime) or those saved for future use (Permanent). You can also configure basic trusted services, such as SSH, FTP and HTTP, by putting a tick in the appropriate checkbox. All changes are applied immediately.

Firewall GUI - Trusted Services

The "Ports" tab allows you to manually open ports that are not covered in the "Trusted Services" section.

Firewall GUI - Other Ports

Remember, changes to the runtime configuration will be lost after the next reboot. If in doubt, make all changes to the permanent configuration and reload the runtime configuration using the "Options > Reload Firewalld" menu option.

firewall-cmd

In addition to the GUI interface, the firewall rules can be amended directly using the firewall-cmd command. The full extent of the firewall configuration is beyond the scope of this article, so instead a few specific examples will be given to allow you to get a feel for it. This article also assumes you have a single network interface and are happy to keep it set to the default zone (public).

The firewall-cmd usage notes are displayed when you use the "-h" or "--help" options.

# firewall-cmd --help

Check the current top-level firewall configuration using the following commands.

# Check firewall state.
firewall-cmd --state

# Check active zones.
firewall-cmd --get-active-zones

# Check current active services.
firewall-cmd --get-service

# Check services that will be active after next reload.
firewall-cmd --get-service --permanent

Lock down and unlock the firewall using the following commands.

# firewall-cmd --panic-on
success
# firewall-cmd --query-panic
yes
# firewall-cmd --panic-off
success
# firewall-cmd --query-panic
no
#

Reload the runtime configuration from the permanent files using the following command.

# firewall-cmd --reload

The firewall comes with predefined services, which are XML files is the "/usr/lib/firewalld/services/" directory.

# ls /usr/lib/firewalld/services/
amanda-client.xml      http.xml         libvirt.xml  pmwebapis.xml     ssh.xml
bacula-client.xml      imaps.xml        mdns.xml     pmwebapi.xml      telnet.xml
bacula.xml             ipp-client.xml   mountd.xml   pop3s.xml         tftp-client.xml
dhcpv6-client.xml      ipp.xml          ms-wbt.xml   postgresql.xml    tftp.xml
dhcpv6.xml             ipsec.xml        mysql.xml    proxy-dhcp.xml    transmission-client.xml
dhcp.xml               kerberos.xml     nfs.xml      radius.xml        vnc-server.xml
dns.xml                kpasswd.xml      ntp.xml      rpc-bind.xml      wbem-https.xml
ftp.xml                ldaps.xml        openvpn.xml  samba-client.xml
high-availability.xml  ldap.xml         pmcd.xml     samba.xml
https.xml              libvirt-tls.xml  pmproxy.xml  smtp.xml
#

You shouldn't edit these. Instead, copy a specific service file to the "/etc/firewalld/services/" directory and editing it there. The firewalld service always uses files in "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory. Remember to reload the config after making any changes.

# firewall-cmd --reload

As with the GUI interface, you need to decide if you want to make changes to either the runtime configuration, permanent configuration or both. If you want to set both the runtime and permanent configuration you have two choices. Set them both independently, or set the permanent configuration and reload the firewall.

Add an existing service to a zone.

# # Set runtime and permanent independently.
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --permanent --zone=public --add-service=https

or

# # Set permanent and reload the runtime config.
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload

All subsequent examples will assume you want to amend both the runtime and permanent configuration and will only set the permanent configuration and then reload the runtime configuration.

Once you've amended the default configuration, the "/etc/firewalld/zones/public.xml" file will be created. You can manually amend this file, but you will need to issue a reload for the changes to take effect.

Check the services in a zone.

# firewall-cmd --zone=public --list-services
dhcpv6-client https ss
# firewall-cmd --permanent --zone=public --list-services
dhcpv6-client https ss
#

Remove a service from a zone.

# firewall-cmd --permanent --zone=public --remove-service=https
# firewall-cmd --reload

Open a specific port or range in a zone, check its runtime and permanent configuration, then remove it.

# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp
# firewall-cmd --reload

# firewall-cmd --zone=public --list-ports
8080-8081/tcp
# firewall-cmd --permanent --zone=public --list-ports
8080-8081/tcp
#

# firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp
# firewall-cmd --reload

Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" \
    source address="192.168.0.4/24" service name="http" accept"

The "/etc/firewalld/zones/public.xml" file now contains the rich rule.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks
               to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>

The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option.

# firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" \
    source address="192.168.0.4/24" service name="http" accept"

The following example opens and closes port 8080 for a specific source IP address using a rich rule.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" \
     source address="192.168.0.4/24" \
     port protocol="tcp" port="8080" accept"

# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks
               to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
#

# firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" \
     source address="192.168.0.4/24" \
     port protocol="tcp" port="8080" accept"

Backups and Transfers of Firewall Configuration

As all non-default configuration is placed under the "/etc/firewalld/" directory, taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.

Not surprisingly, transferring the contents of this directory will allow you to duplicate the firewall configuration in other servers.

For more information see:

Hope this helps. Regards Tim...



CentOS 7系统中,管理防火墙的首选工具是firewalld,但有时为了特定的应用场景或兼容性,可能需要使用iptables。为此,你需要首先禁用firewalld服务,然后安装并配置iptables。具体步骤如下: 参考资源链接:[CentOS7 Docker防火墙的简单配置教程](https://wenku.csdn.net/doc/64531d63ea0840391e76e582?spm=1055.2569.3001.10343) 1. 禁用并停止firewalld服务,以免与iptables冲突: ```bash systemctl disable firewalld systemctl stop firewalld ``` 2. 安装iptables服务,为接下来的配置做准备: ```bash yum install iptables-services ``` 3. 创建一个iptables配置脚本,用于清除默认规则并设置新的规则。在这个场景中,我们将默认的INPUT链规则设置为DROP,这意味着所有未经明确允许的入站连接都将被拒绝。同时,我们允许所有出站连接,因为 OUTPUT 链设置为 ACCEPT。以下是一个简单的脚本示例: ```bash cat > /usr/local/bin/fired.sh << 'EOF' #!/bin/bash iptables -F iptables -X iptables -Z iptables -P INPUT DROP iptables -P OUTPUT ACCEPT # 允许已建立的和相关的连接 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # 允许特定端口的入站流量,例如 Docker 的桥接网络端口 iptables -A INPUT -i docker0 -p tcp --dport 2375 -j ACCEPT # 允许 Docker 容器之间的通信 iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT # 保存规则 service iptables save EOF ``` 4. 使脚本可执行并运行它: ```bash chmod +x /usr/local/bin/fired.sh /usr/local/bin/fired.sh ``` 5. 确保iptables在系统启动时自动加载规则: ```bash systemctl enable iptables systemctl enable ip6tables ``` 通过以上步骤,你就可以在CentOS 7中关闭firewalld并使用iptables来管理Docker容器的网络访问权限。记住,对于每个Docker容器或应用可能需要开放不同的端口,你应在规则中明确指定它们。 为了深入理解iptables的使用和配置,建议阅读《CentOS7 Docker防火墙的简单配置教程》。该教程不仅涵盖了基础知识,还提供了实战技巧,帮助你更好地理解和掌握如何在CentOS 7系统中配置和使用iptables。 参考资源链接:[CentOS7 Docker防火墙的简单配置教程](https://wenku.csdn.net/doc/64531d63ea0840391e76e582?spm=1055.2569.3001.10343)
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值