CentOS 7 firewalld firewall
Overview
- CentOS 7 and later releases ship with the firewalld firewall by default; firewalld replaces the iptables firewall.
- iptables hands its firewall policy to the kernel-level netfilter packet filter, whereas firewalld hands it to the kernel-level nftables packet-filtering framework.
- Compared with iptables, firewalld supports dynamic rule updates and introduces the concept of zones.
- Simply put, a zone is one of several ready-made collections of firewall policies (policy templates) that firewalld provides; you pick the collection that fits your production scenario, which allows quick switching between policy sets.
Common commands
- systemctl commands
sudo systemctl start firewalld
sudo systemctl stop firewalld
sudo systemctl restart firewalld
sudo systemctl status firewalld
sudo systemctl enable firewalld
sudo systemctl disable firewalld
- firewall-cmd commands
sudo firewall-cmd --reload
sudo firewall-cmd --complete-reload
sudo firewall-cmd --state
sudo firewall-cmd --check-config
sudo firewall-cmd --list-all
sudo firewall-cmd --list-services
sudo firewall-cmd --list-ports
sudo firewall-cmd --list-protocols
sudo firewall-cmd --list-rich-rules
sudo firewall-cmd --zone=public --list-ports
sudo firewall-cmd --zone=public --query-port=80/tcp
firewall-cmd reference
- Services (service)
sudo firewall-cmd [--zone=<zone>] --list-services
sudo firewall-cmd [--zone=<zone>] --add-service=<service name>
sudo firewall-cmd [--zone=<zone>] --remove-service=<service name>
- Ports (port)
sudo firewall-cmd [--zone=<zone>] --add-port=<port>/<protocol> [--timeout=<seconds>]
sudo firewall-cmd [--zone=<zone>] --remove-port=<port>/<protocol>
- Protocols (protocol)
sudo firewall-cmd --add-protocol=<protocol>
sudo firewall-cmd --remove-protocol=<protocol>
- Target (target)
sudo firewall-cmd --permanent --zone=<zone> --get-target
sudo firewall-cmd --permanent --zone=<zone> --set-target=<target>
- When a zone handles a packet arriving from one of its sources or interfaces and no explicit rule matches that packet, the zone's target decides what happens to it.
- default: (the default) does nothing.
- ACCEPT: lets the packet through.
- REJECT: rejects the packet and sends back a rejection reply.
- DROP: discards the packet without sending any reply.
- Rich rules (rich-rule); the whole rule is single-quoted so that the double quotes inside it reach firewalld intact
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" [accept|reject|drop]'
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" protocol value="<protocol>" [accept|reject|drop]'
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" service name="<service name>" [accept|reject|drop]'
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" port protocol="<port protocol>" port="<port>" [accept|reject|drop]'
- Persisting rules across reloads and reboots (important)
--permanent
Examples
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --list-services
sudo firewall-cmd --zone=public --add-service=ssh --timeout=5s
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp
sudo firewall-cmd --zone=public --remove-port=80/tcp --permanent
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.1" accept'
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.208" protocol value="icmp" accept'
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.208" service name="ssh" accept'
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.1" port protocol="tcp" port="22" accept'
sudo firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="22" accept'
sudo firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="22" reject'
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=192.168.2.1 forward-port port=80 protocol=tcp to-port=6532'
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=192.168.3.50'
sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=9001
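As an added example (not code from the original page), the following shell script builds correctly quoted rich rules like the ones above, adds a rule with an add, verify, persist cycle, and turns the public zone into a default-deny zone (target DROP) in which ssh is reachable only from a management subnet. The 10.0.0.0/24 subnet, the FW variable and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): correctly quoted rich rules, an
# add -> verify -> persist cycle, and a default-deny public zone.
# Assumptions: POSIX sh, firewall-cmd on PATH; 10.0.0.0/24 is a made-up management net.
set -eu
FW="${FW:-sudo firewall-cmd}"   # set FW=echo to dry-run and only print the commands

# rich_rule <ipv4-cidr> <accept|reject|drop> [service=<name> | port=<port>/<proto>]
# Prints the rule with its inner double quotes intact; always pass it on as "$rule".
rich_rule() {
  local src="$1" action="$2" match="${3:-}" rule pp
  case "$src" in
    "" | *[!0-9./]*) echo "rich_rule: refusing source '$src'" >&2; return 1 ;;
  esac
  case "$action" in
    accept | reject | drop) ;;
    *) echo "rich_rule: unknown action '$action'" >&2; return 1 ;;
  esac
  rule="rule family=\"ipv4\" source address=\"$src\""
  case "$match" in
    "") ;;
    service=*) rule="$rule service name=\"${match#service=}\"" ;;
    port=*/*) pp="${match#port=}"
              rule="$rule port protocol=\"${pp#*/}\" port=\"${pp%/*}\"" ;;
    *) echo "rich_rule: bad match '$match'" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$rule" "$action"
}

# apply_rule <zone> <rule>: runtime first, confirm it is active, then persist it.
apply_rule() {
  local zone="$1" rule="$2"
  $FW --zone="$zone" --add-rich-rule="$rule"
  $FW --zone="$zone" --query-rich-rule="$rule" >/dev/null   # non-zero exit if missing
  $FW --permanent --zone="$zone" --add-rich-rule="$rule"
}

# harden_public <mgmt-cidr>: drop whatever the public zone has no rule for, keep web
# open and allow ssh only from the management network. Every change is written to the
# permanent config and goes live in one --reload, so DROP never precedes the ssh allow.
harden_public() {
  local mgmt="$1"
  $FW --permanent --zone=public --set-target=DROP
  $FW --permanent --zone=public --remove-service=ssh
  $FW --permanent --zone=public --add-service=http
  $FW --permanent --zone=public --add-service=https
  $FW --permanent --zone=public --add-rich-rule="$(rich_rule "$mgmt" accept service=ssh)"
  $FW --reload
}
if [ "${1:-}" = "--apply" ]; then harden_public "${2:-10.0.0.0/24}"; fi
```

Run it with `FW=echo sh script.sh --apply 10.0.0.0/24` first to see the exact firewall-cmd invocations before letting it touch the live configuration.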