firewalld's 9 zones, and zone and service operations in firewalld

The 9 zones of firewalld

On CentOS 7 the default firewall management tool is firewalld.

  • Enabling firewalld

    [root@localhost ~]# systemctl disable iptables
    Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
    [root@localhost ~]# systemctl stop iptables
    [root@localhost ~]# systemctl enable firewalld
    Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
    Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
    [root@localhost ~]# systemctl start firewalld

    Stop and disable the iptables service that was enabled earlier, then enable and start firewalld. On CentOS 7 firewalld still programs the kernel through iptables, so iptables -nvL shows the rules firewalld generates.

  • The 9 zones of firewalld

    [root@localhost ~]# firewall-cmd --get-zones #list all zones
    block dmz drop external home internal public trusted work
    [root@localhost ~]# firewall-cmd --get-default-zone #show the default zone
    public

    block dmz drop external home internal public trusted work are the 9 zones of firewalld; the default zone is public.

  • Differences between the 9 firewalld zones

    A zone is a rule set applied to the traffic arriving on the interfaces (or from the source addresses) bound to it, so the zone an interface sits in is what decides what reaches the host. From most to least restrictive:

    drop      all incoming packets are dropped without a reply; only outgoing connections are possible
    block     incoming connections are rejected with icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6); only connections initiated from this host are possible
    public    for untrusted public networks; only selected incoming connections are accepted (by default ssh and dhcpv6-client, as shown above)
    external  for use on an external router; like public, but with masquerading (NAT) enabled for outgoing traffic
    dmz       for hosts in a demilitarized zone with limited access to the internal network; only selected incoming connections are accepted
    work      for work networks where the other machines are mostly trusted; only selected incoming connections are accepted
    home      for home networks; like work, additionally accepting mdns and samba-client by default
    internal  for internal networks; same defaults as home
    trusted   all network connections are accepted

Zone operations in firewalld

  • Changing the default zone

    [root@localhost ~]# firewall-cmd --get-default-zone #show the default zone
    public
    [root@localhost ~]# firewall-cmd --set-default-zone=work #set the default zone to work
    success
    [root@localhost ~]# firewall-cmd --get-default-zone #show the default zone again
    work

    --set-default-zone is a permanent change that also takes effect immediately, and every interface that is not explicitly bound to a zone follows the default zone, so this one command changes the rule set of all such interfaces at once.

  • Showing the zone of a given interface

    [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33 #zone of the ens33 interface
    work
    [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37 #zone of the ens37 interface
    work
    [root@localhost ~]# firewall-cmd --get-zone-of-interface=lo #zone of lo
    no zone

    ens33 and ens37 are managed by NetworkManager, which binds them to the default zone (now work). lo has not been bound to any zone; traffic on an unbound interface is handled by the rules of the default zone.

  • Binding an interface to a zone

    [root@localhost ~]# firewall-cmd --zone=public --add-interface=lo #bind lo to the public zone
    success
    [root@localhost ~]# firewall-cmd --get-zone-of-interface=lo #show the zone of lo
    public

  • Changing the zone of an interface

    [root@localhost ~]# firewall-cmd --zone=block --change-interface=ens37 #move ens37 into the block zone
    The interface is under control of NetworkManager, setting zone to 'block'.
    success
    [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
    block

  • Removing an interface from a zone

    [root@localhost ~]# firewall-cmd --zone=block --remove-interface=ens37 #remove ens37 from the block zone
    The interface is under control of NetworkManager, setting zone to default.
    success
    [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
    work

    Once the interface is removed from the zone it was moved into, it falls back to the default zone. The "under control of NetworkManager" message means firewall-cmd handed the change to NetworkManager, which records the zone on the connection profile; nmcli connection show <connection> | grep connection.zone shows what was stored.

  • Showing the zones of all interfaces on the system

    [root@localhost ~]# firewall-cmd --get-active-zones #list the active zones and the interfaces bound to each
    work
      interfaces: ens33 ens37
    public
      interfaces: lo
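    The following is an added example, not part of the original post: a small POSIX shell audit that parses the output of firewall-cmd --get-active-zones (the sample text is constructed to match the session above) and checks every interface against the zone it is expected to be in, so that a management interface that ended up in block, or an interface that drifted into trusted, is caught. The expected mapping and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit which zone each interface is
# bound to, from the output of `firewall-cmd --get-active-zones`. The sample
# below is constructed to match the session above; the expected mapping and
# the function names are this example's own.

SAMPLE_ACTIVE_ZONES='work
  interfaces: ens33 ens37
public
  interfaces: lo'

# "interface zone" pairs, one per line. A zone name is a line with no leading
# whitespace; the indented "interfaces:" line below it lists its interfaces
# ("sources:" lines list address ranges, not interfaces, and are skipped).
iface_zone_pairs() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*sources:/    { next }
        /^[ \t]*interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone; next }
        /^[^ \t]/            { zone = $1 }
    '
}

# Zone of one interface, or "none" if it is not bound to any active zone
# (traffic on an unbound interface is handled by the default zone).
zone_of_iface() {
    z=$(iface_zone_pairs "$1" | awk -v want="$2" '$1 == want { print $2; exit }')
    if [ -n "$z" ]; then printf '%s\n' "$z"; else printf 'none\n'; fi
}

# Compare against an expected mapping such as "ens33=work ens37=work lo=public".
# Prints one line per mismatch and returns 1 if any interface drifted, else 0.
audit_zones() {
    rc=0
    for pair in $2; do
        iface=${pair%%=*}
        want=${pair#*=}
        got=$(zone_of_iface "$1" "$iface")
        if [ "$got" != "$want" ]; then
            printf 'DRIFT: %s is in zone %s, expected %s\n' "$iface" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Against the live system:
#   audit_zones "$(firewall-cmd --get-active-zones)" "ens33=work ens37=work lo=public"
```

    Run from cron or a configuration-check job, a non-zero exit from audit_zones is the signal that someone changed a binding with --change-interface (or through NetworkManager) without updating the expected mapping.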

Service operations in firewalld

A service is a sub-unit of a zone: a named definition of one or more ports and protocols (optionally with a connection-tracking helper module) that a zone allows as a unit. Allowing a service is the same as opening its ports in that zone, but the name documents what the rule is for and keeps the port list in one place.

  • Listing all services

    [root@localhost ~]# firewall-cmd --get-services
    RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

  • Listing the services in the current (default) zone

    [root@localhost ~]# firewall-cmd --list-services
    ssh dhcpv6-client

    Without --zone, firewall-cmd acts on the default zone, which is work at this point. firewall-cmd also accepts the shorter --list-service because it takes any unambiguous prefix of a long option; the documented form is --list-services.

  • Listing the services in a given zone

    [root@localhost ~]# firewall-cmd --zone=public --list-services #list the services in zone=public
    dhcpv6-client ssh

  • Adding a service to the public zone (runtime only)

    [root@localhost ~]# firewall-cmd --zone=public --add-service=http #allow the http service in the public zone, runtime only
    success
    [root@localhost ~]# firewall-cmd --zone=public --list-services
    dhcpv6-client ssh http

    A service added this way lives only in the runtime configuration in memory; it is not written to the configuration file, and after a restart

  • Adding a service to the public zone permanently (i.e. changing the configuration file)

    Zone configuration files live in /etc/firewalld/zones/

    [root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
    success
    [root@localhost ~]# firewall-cmd --zone=public --list-services
    dhcpv6-client ssh http

    --permanent writes the change to the configuration file and nothing else: the runtime configuration is not touched. The runtime listing above still shows http only because it was added without --permanent in the previous step. To see what is in the file use firewall-cmd --permanent --zone=public --list-services; to activate a permanent-only change run firewall-cmd --reload; to save the current runtime state as the permanent configuration use firewall-cmd --runtime-to-permanent.

    [root@localhost ~]# ls /etc/firewalld/zones
    public.xml public.xml.old

    Each time the permanent configuration is changed, the previous version of the file is kept as a backup with the .old suffix.

  • Zone configuration file templates

    The templates for zone and service configuration files are stored in:
    /usr/lib/firewalld/zones
    /usr/lib/firewalld/services

    These files are owned by the package and overwritten on updates, so they are never edited in place. A file of the same name under /etc/firewalld/zones or /etc/firewalld/services overrides the template; that is exactly what the firewall-cmd --permanent commands above create.

  • Removing a service from a zone

    [root@localhost ~]# firewall-cmd --zone=public --remove-service=http #runtime only
    [root@localhost ~]# firewall-cmd --zone=public --remove-service=http --permanent #permanent (active after --reload)

  • Requirement: the ftp service runs on the custom port 1121 and must be allowed in the work zone

    Step 1: copy the ftp service file to /etc/firewalld/services/

    [root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

    Step 2: edit the file and change port="21" to port="1121"

    [root@localhost ~]# vim /etc/firewalld/services/ftp.xml
    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>FTP</short>
      <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
      <port protocol="tcp" port="1121"/>
      <module name="nf_conntrack_ftp"/>
    </service>

    Because the file keeps the name ftp, this override replaces the service definition for every zone that allows ftp, not only work. If port 21 must stay open elsewhere, put the custom port in a service file with a different name (for example ftp-1121.xml) and reference that name in the zone instead.

    Step 3: copy the work zone file to /etc/firewalld/zones/

    [root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

    Step 4: edit the file and add <service name="ftp"/>

    [root@localhost ~]# vim /etc/firewalld/zones/work.xml
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Work</short>
      <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="ssh"/>
      <service name="dhcpv6-client"/>
      <service name="ftp"/>
    </zone>

    Step 5: reload

    [root@localhost ~]# firewall-cmd --reload
    success
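    As an added example that is not part of the original post, the script below rebuilds the two override files from steps 1 to 4 in a throw-away directory tree that mirrors /usr/lib/firewalld (package templates) and /etc/firewalld (admin overrides), then performs the checks worth running before step 5: which ftp.xml firewalld will actually read (the /etc copy wins), what ports that definition opens, and whether every service the work zone references is defined at all, since a zone that names an unknown service is reported as an error on reload. The directory tree under $ROOT, the trimmed XML and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): mirror the override files from the
# procedure above in a scratch tree and check them the way firewalld reads them.
# $ROOT, the trimmed XML and the function names are constructed for this example;
# the lookup order (/etc/firewalld before /usr/lib/firewalld) is firewalld's own.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/lib/firewalld/services" "$ROOT/etc/firewalld/services" \
         "$ROOT/etc/firewalld/zones"

# Package templates as shipped under /usr/lib/firewalld/services (trimmed).
cat > "$ROOT/usr/lib/firewalld/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
EOF
cat > "$ROOT/usr/lib/firewalld/services/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
EOF

# Step 2: the admin copy of ftp.xml with the control port moved to 1121.
cat > "$ROOT/etc/firewalld/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
EOF

# Step 4: the admin copy of work.xml with ftp added (dhcpv6-client trimmed).
cat > "$ROOT/etc/firewalld/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="ftp"/>
</zone>
EOF

# Path of the definition firewalld will use for a service name: the copy under
# /etc/firewalld overrides the template under /usr/lib/firewalld. Fails if neither exists.
service_file() {
    for dir in "$ROOT/etc/firewalld/services" "$ROOT/usr/lib/firewalld/services"; do
        [ -f "$dir/$1.xml" ] && { printf '%s\n' "$dir/$1.xml"; return 0; }
    done
    return 1
}

# Effective ports of a service as port/protocol, one per line (e.g. 1121/tcp).
# Attributes are read separately so either attribute order in the XML works.
service_ports() {
    f=$(service_file "$1") || return 1
    grep -o '<port [^>]*/>' "$f" | while IFS= read -r tag; do
        port=$(printf '%s' "$tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# Verify every <service name="..."/> a zone file references can be resolved.
# Prints each undefined name and returns 1 if there is any, else 0.
check_zone() {
    rc=0
    for svc in $(grep -o '<service name="[^"]*"' "$1" | sed 's/.*="//; s/"$//'); do
        service_file "$svc" >/dev/null || { printf 'undefined service: %s\n' "$svc"; rc=1; }
    done
    return $rc
}

# Step 5 only once the checks pass:
#   check_zone "$ROOT/etc/firewalld/zones/work.xml" && firewall-cmd --reload
```

    On a live system the same checks are firewall-cmd --info-service=ftp, which prints the ports of the definition firewalld actually loaded, and firewall-cmd --permanent --zone=work --list-services. One caveat the procedure does not mention: <module name="nf_conntrack_ftp"/> loads the FTP connection-tracking helper, but that helper only inspects port 21 unless told otherwise, so with the control channel on 1121 the data connections of active and passive transfers are not tracked until the module is loaded with options nf_conntrack_ftp ports=21,1121 (a line in a file under /etc/modprobe.d/, followed by reloading the module).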

Reposted from: https://blog.51cto.com/754599082/2046537
