Linux 7 firewall management
Overview
Red Hat Enterprise Linux 7 uses firewalld as its default firewall, so the way the firewall is managed has changed. The iptables-based firewall is no longer started by default, but it can still be used.
Several firewalls coexist in RHEL 7: firewalld, iptables, ebtables and others. firewalld is the default, and its management tool is firewall-cmd. RHEL 7 ships kernel 3.10; the in-kernel packet filter is netfilter, which firewalld manages, although the commands it invokes underneath are still iptables and friends. Because these daemons conflict with one another, it is recommended to disable the ones you are not using.
I. iptables
The default firewall on CentOS 7 is not iptables but firewalld.
1.1 Check whether iptables is enabled
[root@pg12m ~]# systemctl status iptables
Unit iptables.service could not be found.
Opening /etc/sysconfig/iptables with vi shows an empty file.
Install iptables:
Command: yum install iptables-services
After iptables-services is installed:
[root@pg12m ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@pg12m init.d]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
systemctl start iptables.service #start
systemctl status iptables.service #show running status
systemctl restart iptables.service #restart
systemctl stop iptables.service #stop
systemctl enable iptables.service #start at boot
systemctl disable iptables.service #do not start at boot
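The stock ruleset above ends the INPUT chain with a catch-all REJECT, so anything not explicitly accepted is refused. As an added example, not part of the original notes, the POSIX shell helpers below read an iptables-save style file such as /etc/sysconfig/iptables, list the inbound TCP ports it accepts, check that INPUT still ends in a default deny, and flag any accepted port that is not on an approved list. SAMPLE_RULES is a constructed copy of the stock file with one extra 5432/tcp rule; the approved list passed to unexpected_ports is an assumption for illustration.

```sh
#!/bin/sh
# Audit helpers for an iptables-save style ruleset (added example, not from the notes).

# Constructed sample: the stock /etc/sysconfig/iptables from iptables-services,
# plus one extra rule accepting 5432/tcp so the audit has something to flag.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the TCP destination ports that INPUT rules accept, one per line.
# Reads the ruleset from stdin.
allowed_tcp_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
        }'
}

# Exit 0 when the last INPUT rule is a catch-all REJECT or DROP, i.e. whatever
# is not explicitly accepted above it gets refused. Reads the ruleset from stdin.
input_default_deny() {
    awk '
        $1 == "-A" && $2 == "INPUT" { last = $0 }
        END {
            if (last ~ /^-A INPUT -j (REJECT|DROP)/) exit 0
            exit 1
        }'
}

# Read ports from stdin and print those not in the space-separated approved
# list given as $1 (e.g. "22 5432").
unexpected_ports() {
    local approved port
    approved=" $1 "
    while read -r port; do
        case "$approved" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Usage on a real host:
#   allowed_tcp_ports < /etc/sysconfig/iptables | unexpected_ports "22"
#   input_default_deny < /etc/sysconfig/iptables || echo "INPUT has no default deny"
```

Run the helpers against the saved file rather than against `iptables -S`, since the saved file is what `systemctl start iptables` will load after a reboot.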
II. firewalld
Once firewalld is enabled, the default is that outbound traffic is unrestricted while inbound traffic is controlled.
1 Check firewall status
systemctl status firewalld
2 Stop and start the firewall
systemctl stop firewalld
systemctl start firewalld
3 Disable or enable the firewall at boot
systemctl disable firewalld
systemctl enable firewalld
4 Apply the saved (permanent) configuration
firewall-cmd --reload
5 View the policy
firewall-cmd --list-all
6 Add and remove services
firewall-cmd --permanent --remove-service=dhcpv6-client
success
--permanent ## writes the change to the saved configuration rather than only the running one
firewall-cmd --permanent --add-service=dhcpv6-client
success
7 firewall-cmd --set-default-zone=drop   Do not use this; I have not figured it out yet.
firewall-cmd --permanent --zone=drop --change-interface=ens32
It probably rejects everything; I have not confirmed it.
Before:
firewall-cmd --list-all
public (active)
target: default
After:
firewall-cmd --list-all
drop (active)
target: DROP
2.1 Applying firewall policy
Checking after the firewall is enabled shows that the ssh and dhcpv6-client services are currently allowed:
firewall-cmd --list-all
services: ssh dhcpv6-client
# Allow port 22 and port 5432 over TCP from a single host
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.247.1" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.247.1" port protocol="tcp" port="5432" accept'
# Remove, then re-add, the port 22 rule for another host
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.31.100" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.31.100" port protocol="tcp" port="22" accept'
# Allow ports 22 and 5432 from the whole 192.168.247.0/24 subnet
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.247.0/24" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.247.0/24" port protocol="tcp" port="5432" accept'
# Remove those subnet rules again
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.247.0/24" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.247.0/24" port protocol="tcp" port="5432" accept'
# Open or close a plain port for all sources
firewall-cmd --permanent --add-port=3306/tcp
firewall-cmd --permanent --remove-port=3306/tcp
firewall-cmd --permanent --add-port=443/tcp
# --permanent changes only take effect after: firewall-cmd --reload
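Typing rich rules by hand invites quoting mistakes and duplicate rules, and a --permanent change is not live until --reload. As an added example, not part of the original notes, the POSIX shell script below builds the same kind of rich rule from a SOURCE:PORT[:PROTO] allow-list, validates every address and port before it reaches firewall-cmd, skips rules that are already present using --query-rich-rule, and reloads only when every rule was applied. It assumes firewall-cmd is on PATH when run for real; with DRY_RUN=1 (or when firewall-cmd is absent) it prints the commands instead. ALLOW_LIST is constructed to mirror the hand-typed rules above.

```sh
#!/bin/sh
# Added example (not from the original notes): build, validate and apply
# firewalld rich rules for a source/port allow-list.

# Accept an IPv4 address with an optional /prefix, e.g. 192.168.247.0/24.
valid_ipv4_cidr() {
    local addr prefix octet old_ifs
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/": a single host
    case "$prefix" in *[!0-9]*|"") return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                               # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in *[!0-9]*|"") return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept a TCP/UDP port number in 1..65535.
valid_port() {
    case "$1" in *[!0-9]*|"") return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rich rule text for SOURCE PORT PROTO, quoted as the rich language expects.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' "$1" "$3" "$2"
}

# True when commands should only be printed: DRY_RUN=1 or no firewall-cmd here.
dry_run() {
    [ "${DRY_RUN:-0}" = 1 ] || ! command -v firewall-cmd >/dev/null 2>&1
}

# Validate one entry and add it to the permanent configuration (idempotent).
add_allow_rule() {
    local rule
    valid_ipv4_cidr "$1" || { echo "rejecting bad source address: $1" >&2; return 2; }
    valid_port "$2"      || { echo "rejecting bad port: $2" >&2; return 2; }
    rule=$(rich_rule "$1" "$2" "${3:-tcp}")
    if dry_run; then
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
        return 0
    fi
    # --query-rich-rule exits 0 when the rule already exists; nothing to do then.
    firewall-cmd --permanent --query-rich-rule="$rule" >/dev/null 2>&1 && return 0
    firewall-cmd --permanent --add-rich-rule="$rule"
}

# Apply entries of the form SOURCE:PORT[:PROTO]. Reload only if all succeeded,
# because --permanent changes are not live until firewall-cmd --reload.
apply_allow_list() {
    local entry src rest port proto rc=0
    for entry; do
        src=${entry%%:*}
        rest=${entry#*:}
        port=${rest%%:*}
        case "$rest" in *:*) proto=${rest#*:} ;; *) proto=tcp ;; esac
        add_allow_rule "$src" "$port" "$proto" || rc=1
    done
    if [ "$rc" -eq 0 ]; then
        if dry_run; then echo "firewall-cmd --reload"; else firewall-cmd --reload; fi
    fi
    return "$rc"
}

# Constructed allow-list mirroring the rules above: port 22 from the
# 192.168.247.0/24 subnet and port 5432 from one host.
ALLOW_LIST="192.168.247.0/24:22 192.168.247.1:5432:tcp"

# Usage: DRY_RUN=1 sh allow.sh to rehearse, then as root without DRY_RUN:
#   apply_allow_list $ALLOW_LIST
```

Rehearse with DRY_RUN=1 first and compare the printed commands with `firewall-cmd --permanent --list-rich-rules`; the validation step is what keeps a typo in the allow-list from silently becoming a rule that firewalld rejects or that opens more than intended.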