firewalld
Linux下有几种方式对网卡上的流量进行过滤,一种是firewalld,一种是iptables。
- firewalld是防火墙,可以设置可信任的网络链接可网卡,支持IPv4和IPv6,支持动态的添加规则。
- iptables不仅仅可以当作防火墙使用,它可以对流量设置各种各样的规则,比如端口转发、开放端口等,比firewalld更为强大。
下面就简单记录下firewalld的使用方式。
1. 开启服务
firewalld一般是Linux下的自带服务,可以通过systemctl启动。
首先查看服务状态:
[root@clooker ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
如果是没有开启,则手动启动服务。
[root@clooker ~]# systemctl start firewalld
[root@clooker ~]#
[root@clooker ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2021-10-04 15:04:53 CST; 5s ago
Docs: man:firewalld(1)
Main PID: 4939 (firewalld)
Tasks: 2
Memory: 29.2M
CGroup: /system.slice/firewalld.service
└─4939 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 04 15:04:52 clooker.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 04 15:04:53 clooker.com systemd[1]: Started firewalld - dynamic firewall daemon.
2. 开放某个端口的tcp/udp流量
首先查看端口是否已经被开放
[root@clooker ~]# firewall-cmd --query-port=60091/tcp
no
[root@clooker ~]#
然后开放端口,并设置永久。
[root@clooker ~]# firewall-cmd --add-port=60091/tcp --permanent
success
[root@clooker ~]#
[root@clooker ~]# firewall-cmd --query-port=60091/tcp
no
如上所示,这里一定要注意重新加载防火墙规则,否则是不生效的。
[root@clooker ~]# firewall-cmd --reload
success
[root@clooker ~]# firewall-cmd --query-port=60091/tcp
yes
[root@clooker ~]#
3. 开启某个服务
firewalld不仅仅支持开放特定端口,还可以直接开放某个内置的网络服务,比如ssh。
首先我们查看系统支持的网络服务列表:
[root@clooker ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
[root@clooker ~]#
然后开启某个网络服务,比如
[root@clooker ~]# firewall-cmd --add-service=dns --permanent
success
[root@clooker ~]#
[root@clooker ~]# firewall-cmd --reload
success
[root@clooker ~]#
[root@clooker ~]#
[root@clooker ~]# firewall-cmd --query-service=dns
yes
[root@clooker ~]#
4. 查看防火墙的具体配置文件
Linux下一切内容皆文件,包括服务器状态、网络状态等信息都会写到本地文件中,防火墙的配置也一样写到文件中,具体在:
[root@clooker ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="dns"/>
<port protocol="tcp" port="60091"/>
</zone>
[root@clooker ~]#
5. 取消开放端口和服务
[root@clooker ~]# firewall-cmd --remove-port=60091/tcp --permanent
success
[root@clooker ~]# firewall-cmd --query-port=60091/tcp
yes
[root@clooker ~]# firewall-cmd --reload
success
[root@clooker ~]# firewall-cmd --query-port=60091/tcp
no
[root@clooker ~]#
注意permanent不能省略。
6. 备注
firewalld是采用白名单的方式,仅仅对我们指定的某些服务放行。