Linux firewall: firewalld
10.20 The nine firewalld zones
1. Enable firewalld. firewalld was disabled earlier; now do the reverse:
[ ] systemctl disable iptables
[ ] systemctl stop iptables
[ ] systemctl enable firewalld
[ ] systemctl start firewalld
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
2. Check with iptables -nvL: firewalld loads a large set of rules and chains of its own.
3. firewalld has 9 zones by default. A zone is a named rule set (a trust level applied to traffic arriving on the interfaces or from the sources bound to it); the default zone is public.
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-default-zone
public
10.21 firewalld zone operations
1. firewall-cmd --set-default-zone=work // set the default zone
[root@localhost ~]# systemctl start firewalld // start it first if it is not running
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
2. Tab completion for firewall-cmd: yum install -y bash-completion (takes effect in a new login shell)
3. firewall-cmd --get-zone-of-interface=ens33 // query the zone of a specific interface
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
Here ens37 has not been assigned to any zone. The first attempt was to give it a network profile:
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ficfg-ens33 ifdown-bnep ifdown-isdn ifdown-Team ifup-bnep ifup-isdn ifup-routes ifup-wireless
ifcfg-ens33 ifdown-eth ifdown-post ifdown-TeamPort ifup-eth ifup-plip ifup-sit init.ipv6-global
ifcfg-ens33:0 ifdown-ib ifdown-ppp ifdown-tunnel ifup-ib ifup-plusb ifup-Team network-functions
ifcfg-lo ifdown-ippp ifdown-routes ifup ifup-ippp ifup-post ifup-TeamPort network-functions-ipv6
ifdown ifdown-ipv6 ifdown-sit ifup-aliases ifup-ipv6 ifup-ppp ifup-tunnel
* Copy the ens33 file to ifcfg-ens37 and edit it. When copying a profile, replace the UUID line with a fresh value (uuidgen prints one): NetworkManager does not accept a second profile with the same UUID.
[root@localhost network-scripts]# cp -r ifcfg-ens33 ifcfg-ens37
[root@localhost network-scripts]# ls
ficfg-ens33 ifdown ifdown-ipv6 ifdown-sit ifup-aliases ifup-ipv6 ifup-ppp ifup-tunnel
ifcfg-ens33 ifdown-bnep ifdown-isdn ifdown-Team ifup-bnep ifup-isdn ifup-routes ifup-wireless
ifcfg-ens33:0 ifdown-eth ifdown-post ifdown-TeamPort ifup-eth ifup-plip ifup-sit init.ipv6-global
ifcfg-ens37 ifdown-ib ifdown-ppp ifdown-tunnel ifup-ib ifup-plusb ifup-Team network-functions
ifcfg-lo ifdown-ippp ifdown-routes ifup ifup-ippp ifup-post ifup-TeamPort network-functions-ipv6
[root@localhost network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
UUID=3b000477-c3db-4855-b5ba-c73bb1546b3a
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
GATEWAY=192.168.72.2
DNS1=119.29.29.29
DNS2=8.8.8.8
Restart firewalld and query ens37 again:
[root@localhost network-scripts]# systemctl restart firewalld
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
no zone
I could not explain this at the time.
Explanation: firewalld does not watch interfaces itself. In this NetworkManager-managed setup an interface is bound to a zone when NetworkManager activates a connection on it (the ZONE= entry of the profile, or the default zone when that entry is empty). Writing ifcfg-ens37 activates nothing, and restarting firewalld re-applies bindings only for connections NetworkManager already has active, so ens37 stays unbound. Bring the profile up first (ifup ens37, or nmcli connection reload followed by nmcli connection up ens37) and query again. Two further problems with the copied profile: it still carries the UUID of ens33 unless that line was changed, so NetworkManager will not accept it as a second profile, and GATEWAY=192.168.72.2 is not in the 192.168.100.0/24 subnet of ens37, so that gateway is unreachable through this interface. Until an interface is bound, traffic arriving on it is evaluated against the default zone.
4. Bind an interface to a zone: firewall-cmd --zone=dmz --add-interface=ens37
[root@localhost network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
5. Change the zone of an interface: firewall-cmd --zone=block --change-interface=ens37
[root@localhost network-scripts]# firewall-cmd --zone=block --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
6. Remove an interface from a zone: firewall-cmd --zone=block --remove-interface=ens37
[root@localhost network-scripts]# firewall-cmd --zone=block --remove-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
The query still reports block: the binding is recorded in the interface's NetworkManager connection profile (see the message in step 5), and --remove-interface did not change that profile. Move the interface with --change-interface to the intended zone instead, and verify with --get-active-zones.
7. List the zones that currently have interfaces bound (active zones):
[root@localhost network-scripts]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: lo
During the early tests there were always errors: ens37 never got a zone definition. ifconfig showed that ens37 had lost its address, so I set it with ifconfig ens37 192.168.100.1, checked the link state with mii-tool ens37, went to /etc/sysconfig/network-scripts, listed the directory, opened the ifcfg-ens37 file and checked its contents for mistakes, and found nothing wrong.
8. service NetworkManager stop
Stopping NetworkManager is the workaround used here, but it also removes the integration that assigns zones from connection profiles (the message in step 5). Without it, bind each interface explicitly and persistently, e.g. firewall-cmd --zone=dmz --add-interface=ens37 --permanent followed by firewall-cmd --reload; an interface bound nowhere falls under the default zone.
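The interface/zone audit from steps 3 to 8, as an added shell example that is not part of the original notes. It parses --get-active-zones output into interface/zone pairs and reports interfaces bound to no zone, which firewalld handles with the default zone. The sample_active_zones text is constructed to mirror the transcript above; audit_host is what you would run on a live host, and it is the only function that calls firewall-cmd.

```shell
#!/bin/sh
# Added example: audit firewalld interface-to-zone bindings.
# Not part of the original notes; firewall-cmd is called only in audit_host.

# Constructed sample of `firewall-cmd --get-active-zones` output, mirroring
# the transcript above: ens33 in work, lo in public, ens37 bound nowhere.
sample_active_zones() {
    cat <<'EOF'
work
  interfaces: ens33
public
  interfaces: lo
EOF
}

# audit_interfaces DEFAULT_ZONE IFACE...
# Reads --get-active-zones output on stdin and prints one line per interface:
#   "<iface> <zone>"                                   when bound
#   "<iface> unbound (handled by default zone <dz>)"   when no zone claims it
# Unbound interfaces are not unfiltered: firewalld applies the default zone
# to traffic from any interface that no zone claims.
audit_interfaces() {
    dz="$1"; shift
    awk -v dz="$dz" -v want="$*" '
        /^[^[:space:]]/            { zone = $1; next }
        /^[[:space:]]*interfaces:/ { for (i = 2; i <= NF; i++) bound[$i] = zone }
        END {
            n = split(want, ifs, " ")
            for (k = 1; k <= n; k++) {
                if (ifs[k] in bound) print ifs[k], bound[ifs[k]]
                else print ifs[k], "unbound (handled by default zone " dz ")"
            }
        }'
}

# Offline run over the constructed sample, with work as the default zone.
run_sample() {
    sample_active_zones | audit_interfaces work ens33 ens37 lo
}

# On a live host: every interface the kernel knows about, against live data.
audit_host() {
    firewall-cmd --get-active-zones |
        audit_interfaces "$(firewall-cmd --get-default-zone)" $(ls /sys/class/net)
}
```

Run `audit_host` as root on a host with firewalld running; any line reporting "unbound" is an interface whose traffic is being judged by the default zone rather than by a zone chosen for it.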
10.22 firewalld service operations
1. List all available services: firewall-cmd --get-services. The spelling --get-service works as well: firewall-cmd's argument parser accepts any unambiguous prefix of a long option, so --get-service is read as --get-services (the same holds for --list-service below).
1.1 What a service is: the zones differ mainly in which services they allow. A service is a named rule set for one application, defined in an XML file: its ports and protocols and, for some services, a connection-tracking helper module.
[root@localhost ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-services
(same list as above)
2. firewall-cmd --list-services // list the services allowed in the default zone
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client
To list the services of a specific zone, pass --zone, e.g. public:
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
3. Add http to the public zone: firewall-cmd --zone=public --add-service=http
3.1 Each zone allows a different set of services; list them with: firewall-cmd --zone=public --list-services
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
4. Remove http from the public zone: firewall-cmd --zone=public --remove-service=http
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success
5. ls /usr/lib/firewalld/zones/ // zone configuration templates
Each zone has its own configuration file under /usr/lib/firewalld/zones/.
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
6. firewall-cmd --zone=public --add-service=http --permanent // writes the configuration; a copy of the zone file is then created under /etc/firewalld/zones
6.1 --permanent saves the change to the configuration, unlike step 3, where the added service lived only in the running firewall and would be lost on firewall-cmd --reload or a restart. The reverse also holds: a --permanent change is not applied to the running firewall until firewall-cmd --reload. firewall-cmd --runtime-to-permanent copies the current runtime configuration into the permanent one.
/etc/firewalld/zones
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>
7. Requirement: ftp runs on the custom port 1121 and must be allowed in the work zone
7.1 /usr/lib/firewalld/services/ holds the template for every service; copy ftp.xml to the system configuration directory /etc/firewalld/services/ (a file there overrides the template of the same name).
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@localhost ~]# vi /etc/firewalld/services/ftp.xml
7.2 Edit ftp.xml: change port="21" to port="1121". Note that ftp.xml also references the nf_conntrack_ftp helper module, which by default inspects only port 21; for FTP data connections on a non-standard control port the module needs its ports= parameter set to that port.
7.3 Allow it in the work zone: first copy the work zone template
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
7.4 Edit work.xml to add <service name="ftp"/>, then reload (firewall-cmd --zone=work --add-service=ftp --permanent writes the same entry without hand-editing):
[root@localhost ~]# firewall-cmd --reload
success
7.5 Verify that the work zone now allows ftp
[root@localhost ~]# firewall-cmd --zone=work --list-service
ssh ftp dhcpv6-client
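Two helpers for steps 6 and 7, as an added shell example that is not part of the original notes: make_service_xml writes a service definition like the edited ftp.xml (name, port and protocol are validated before anything is printed; it deliberately omits the nf_conntrack_ftp module line that the stock ftp.xml carries, since that helper only tracks port 21 unless loaded with ports=1121), and runtime_vs_permanent reports drift between a zone's runtime and permanent service lists, the difference that --permanent and --reload manage in step 6.1. The service lists used in the test are constructed; on a live host feed it the output of --list-services with and without --permanent, as in the usage comment.

```shell
#!/bin/sh
# Added example: custom-port service definition and runtime/permanent drift
# check for firewalld. Not part of the original notes.

# make_service_xml NAME PORT PROTO [DESCRIPTION]
# Prints a firewalld service definition on stdout. Redirect it to
# /etc/firewalld/services/NAME.xml; a file there overrides the template of the
# same name in /usr/lib/firewalld/services/, and firewalld reads the new file
# only after `firewall-cmd --reload`.
make_service_xml() {
    name="$1"; port="$2"; proto="$3"; desc="${4:-$name on port $port/$proto}"
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name '$name'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# runtime_vs_permanent "RUNTIME SERVICES" "PERMANENT SERVICES"
# Each argument is a space-separated list as printed by --list-services.
# Prints what differs and returns 1 on drift, 0 when the lists match:
#   runtime-only: X    allowed now, silently dropped by --reload or a restart
#   permanent-only: Y  in the saved config, not enforced until --reload
runtime_vs_permanent() {
    rt=$(printf '%s\n' $1 | sort -u)
    pm=$(printf '%s\n' $2 | sort -u)
    rc=0
    for s in $rt; do
        printf '%s\n' "$pm" | grep -qxF "$s" || { echo "runtime-only: $s"; rc=1; }
    done
    for s in $pm; do
        printf '%s\n' "$rt" | grep -qxF "$s" || { echo "permanent-only: $s"; rc=1; }
    done
    return $rc
}

# Live usage (as root, with firewalld running):
#   make_service_xml ftp 1121 tcp > /etc/firewalld/services/ftp.xml
#   firewall-cmd --reload
#   firewall-cmd --zone=work --add-service=ftp --permanent && firewall-cmd --reload
#   runtime_vs_permanent "$(firewall-cmd --zone=work --list-services)" \
#                        "$(firewall-cmd --zone=work --permanent --list-services)"
```

A non-zero exit from runtime_vs_permanent is worth treating as a finding: "runtime-only" entries are openings that nobody saved and that the next reload removes, while "permanent-only" entries are saved openings that are not yet enforced, so the host's actual exposure differs from what its configuration files claim.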