Fixing firewalld failing to start on CubeCloud CentOS 7, plus basic usage

The problem

CubeCloud's CentOS 7 image has been modified to use the iptables firewall, and its firewalld will not start. Note that iptables and firewalld cannot run at the same time.

systemctl disable iptables    # do not start iptables at boot
systemctl stop iptables       # stop iptables now

Problem 1: error on start

systemctl restart firewalld
Failed to restart firewalld.service: Unit is masked.

Fix

systemctl unmask firewalld.service

Problem 2: no error, but it does not start

firewall-cmd --state
not running

Check the details

systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2017-11-08 09:51:17 CST; 36s ago
     Docs: man:firewalld(1)
  Process: 2061 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 2061 (code=exited, status=0/SUCCESS)

Nov 08 09:51:17 CubeCloud-201763575 systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 08 09:51:17 CubeCloud-201763575 firewalld[2061]: ERROR: Exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.22" is not allowed to own the service "org.fedoraproject.FirewallD1" d...figuration file
Nov 08 09:51:17 CubeCloud-201763575 systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

Fix: create the configuration file that D-Bus needs

vi /etc/dbus-1/system.d/com.foxbryant.demo.conf

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- root may own the bus name and talk to it -->
  <policy user="root">
    <allow own="com.foxbryant.demo"/>
    <allow send_destination="com.foxbryant.demo"/>
    <allow send_interface="com.foxbryant.demo"/>
  </policy>
  <!-- the same rights for the unprivileged user foxbryant -->
  <policy user="foxbryant">
    <allow own="com.foxbryant.demo"/>
    <allow send_destination="com.foxbryant.demo"/>
    <allow send_interface="com.foxbryant.demo"/>
  </policy>
</busconfig>

Problem 3: cannot add a port

firewall-cmd --zone=public --permanent --add-port=80/tcp
success
firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Fix: install iptables

yum -y install iptstate
systemctl disable iptables
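A point worth checking before reinstalling anything: a rule added with --permanent is written to the on-disk configuration only, so it does not appear in the runtime `--list-all` output until `firewall-cmd --reload`, whereas `--permanent --list-all` shows it right away. The script below is an added example, not code from the original post; it parses zone listings in the format firewall-cmd prints (the two listings are constructed samples), and the helper names `port_in_list_all` and `ensure_port` are my own. The live part only runs when invoked with `--apply` on a host that has firewall-cmd.

```bash
#!/bin/bash
# Added example, not from the original post: tell a zone's runtime
# configuration apart from its permanent one.

# port_in_list_all: $1 = text of `firewall-cmd --zone=<zone> --list-all`,
# $2 = port spec such as 80/tcp. Exit 0 if the "ports:" line lists it.
port_in_list_all() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed runtime listing: the permanent 80/tcp entry is not live yet.
RUNTIME_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed permanent listing for the same zone after --add-port=80/tcp.
PERMANENT_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# ensure_port: add a port permanently, reload so it becomes runtime, then
# verify it in both listings. $1 = zone, $2 = port spec.
ensure_port() {
  local zone=$1 port=$2
  firewall-cmd --zone="$zone" --permanent --add-port="$port"
  firewall-cmd --reload
  port_in_list_all "$(firewall-cmd --zone="$zone" --permanent --list-all)" "$port" \
    || { echo "missing from permanent config: $port" >&2; return 1; }
  port_in_list_all "$(firewall-cmd --zone="$zone" --list-all)" "$port" \
    || { echo "missing from runtime config after reload: $port" >&2; return 1; }
  echo "$port active in zone $zone"
}

# Offline demonstration on the constructed listings.
if port_in_list_all "$RUNTIME_LISTING" 80/tcp; then
  echo "runtime: 80/tcp present"
else
  echo "runtime: 80/tcp absent (run firewall-cmd --reload, or check --permanent --list-all)"
fi
if port_in_list_all "$PERMANENT_LISTING" 80/tcp; then
  echo "permanent: 80/tcp present"
fi

# Live run only on request, and only where firewall-cmd exists.
if [ "${1:-}" = "--apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
  ensure_port public 80/tcp
fi
```

If `ensure_port` reports the port missing from the permanent configuration even after `--add-port` returned success, the backend really is broken and the package fix above applies; if it is only missing from the runtime listing, a reload was all that was needed.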

Problem 4: status shows an error

systemctl status firewalld
ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'

Fix: reboot (this can wait; just make sure the SSH port has been added first)

reboot
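The four symptoms above each point at a different precondition: a masked unit, a D-Bus policy that does not let root own the bus name `org.fedoraproject.FirewallD1` (the name in the error text), and a conntrack sysctl that only exists once the nf_conntrack module is loaded. The script below is an added example, not part of the original post: it classifies status or journal text into those causes and, on a host that has firewall-cmd, runs the matching checks. The function names and cause keywords are mine; the policy file path `/etc/dbus-1/system.d/FirewallD.conf` is the one the firewalld package installs, and the sample journal line is the one quoted above.

```bash
#!/bin/bash
# Added example, not from the original post: classify firewalld start-up
# symptoms from `systemctl status` / journal text and run live checks.

# classify_firewalld_failure: read status/journal text on stdin and print
# one keyword per recognised symptom, or "unknown" if none matched.
classify_firewalld_failure() {
  local text found=0
  text=$(cat)
  if printf '%s\n' "$text" | grep -q 'Unit is masked'; then
    echo masked; found=1
  fi
  if printf '%s\n' "$text" | grep -q 'DBus.Error.AccessDenied'; then
    echo dbus-access-denied; found=1
  fi
  if printf '%s\n' "$text" | grep -q 'nf_conntrack_helper'; then
    echo conntrack-helper-missing; found=1
  fi
  [ "$found" -eq 1 ] || echo unknown
}

# live_checks: verify the precondition behind each symptom. Only called
# on a host where firewalld's tooling is installed.
live_checks() {
  # "masked": the unit is linked to /dev/null; unmask it first.
  printf 'firewalld unit state: %s\n' "$(systemctl is-enabled firewalld 2>&1)"

  # iptables.service must not be active alongside firewalld.
  printf 'iptables.service: %s\n' "$(systemctl is-active iptables 2>&1)"

  # "dbus-access-denied": the policy allowing root to own
  # org.fedoraproject.FirewallD1 ships with the firewalld package.
  local policy=/etc/dbus-1/system.d/FirewallD.conf
  if grep -q 'org.fedoraproject.FirewallD1' "$policy" 2>/dev/null; then
    echo "D-Bus policy for org.fedoraproject.FirewallD1: present ($policy)"
  else
    echo "D-Bus policy missing or unreadable: $policy (try: yum reinstall firewalld)"
  fi

  # "conntrack-helper-missing": the sysctl file appears only once the
  # nf_conntrack kernel module is loaded.
  if [ -e /proc/sys/net/netfilter/nf_conntrack_helper ]; then
    echo "nf_conntrack_helper sysctl: present"
  else
    echo "nf_conntrack_helper sysctl: absent (try: modprobe nf_conntrack)"
  fi

  printf 'firewall-cmd --state: %s\n' "$(firewall-cmd --state 2>&1)"
}

# The journal line from the post, fed through the classifier.
# Prints: dbus-access-denied
classify_firewalld_failure <<'EOF'
Nov 08 09:51:17 CubeCloud-201763575 firewalld[2061]: ERROR: Exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.22" is not allowed to own the service "org.fedoraproject.FirewallD1"
EOF

if command -v firewall-cmd >/dev/null 2>&1; then
  live_checks
fi
```

For the D-Bus case the check to run before writing any new policy file is whether `FirewallD.conf` is present and readable; dbus-daemon re-reads its policy when a file appears in `/etc/dbus-1/system.d/`, which is why dropping in the unrelated `com.foxbryant.demo.conf` above can also get a previously unread `FirewallD.conf` picked up. Typical use on a host: `journalctl -u firewalld -n 20 | bash diagnose.sh` after saving the script under that name.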

Basic usage

Red Hat's official Chinese-language guide: https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all    # stop answering ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all    # answer ping again

Install firewalld

yum install firewalld

Service management

systemctl disable firewalld
systemctl enable firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
firewall-cmd --state

View the current firewall rules

firewall-cmd --zone=public --list-all

Reload the firewall

firewall-cmd --reload

View the active zones and their interfaces

firewall-cmd --get-active-zones

IP masquerading and port forwarding

firewall-cmd --permanent --add-masquerade --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=3753 --permanent --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55 --permanent --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55 --permanent --zone=external

Add / remove a rate-limit rule for the http service

firewall-cmd --zone=public --add-rich-rule='rule service name="http" limit value="80/s" accept' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule service name="http" limit value="80/s" accept' --permanent

Add / remove a rate-limit rule for port 80

firewall-cmd --zone=public --add-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept' --permanent

Add / remove a TCP port

firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --remove-port=80/tcp

Blacklist

firewall-cmd --zone=drop --add-source 192.168.1.1
firewall-cmd --zone=drop --remove-source 192.168.1.1
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" drop' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" drop' --permanent

rule (rich rule syntax)

rule [family="<rule family>"] [ source address="<address>" [invert="True"] ] [ destination address="<address>" [invert="True"] ] [ <element> ] [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ] [ audit ] [ accept|reject|drop ]
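Two things bite in practice when the blacklist commands and the rule grammar above are scripted: a malformed address gets handed straight to firewall-cmd, and a rich rule is only removed when the remove command carries exactly the text that was added (a different address or family in the remove silently matches nothing). The script below is an added example, not code from the original post; it builds the drop and limit rules from the grammar with validation, the address list is constructed sample data, and the helper names are my own. The live part only runs when invoked with `--apply` on a host that has firewall-cmd.

```bash
#!/bin/bash
# Added example, not from the original post: build blacklist rich rules
# from the grammar above with input validation, reusing the identical rule
# text for add and remove.

# valid_ipv4_cidr: accept a dotted quad with an optional /prefix (0-32).
valid_ipv4_cidr() {
  local addr=$1 prefix=32 octet
  case $addr in */*) prefix=${addr#*/}; addr=${addr%/*};; esac
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
  [ "$prefix" -le 32 ] || return 1
  for octet in $(printf '%s\n' "$addr" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_drop_rule: rich rule dropping all traffic from one IPv4 source.
build_drop_rule() {
  printf 'rule family="ipv4" source address="%s" drop\n' "$1"
}

# build_limit_rule: rich rule accepting a port at a bounded rate,
# e.g. build_limit_rule 80 tcp 80/s
build_limit_rule() {
  printf 'rule port port=%s protocol=%s limit value="%s" accept\n' "$1" "$2" "$3"
}

# blocklist_rules: one address per line on stdin; print a drop rule for
# each valid entry, warn on stderr and skip the rest.
blocklist_rules() {
  local entry
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if valid_ipv4_cidr "$entry"; then
      build_drop_rule "$entry"
    else
      echo "skipping invalid address: $entry" >&2
    fi
  done
}

# change_blocklist: $1 = add or remove, rules on stdin. The same rule text
# is passed in both directions, so a remove always matches its add.
change_blocklist() {
  local action=$1 rule
  while IFS= read -r rule; do
    firewall-cmd --permanent --zone=public "--${action}-rich-rule=$rule"
  done
  firewall-cmd --reload
}

# Constructed sample list: one network, one bad entry, one host.
SAMPLE_BLOCKLIST='192.168.0.0/24
300.1.1.1
203.0.113.7'

# Offline demonstration. Prints the two valid rules on stdout and
# "skipping invalid address: 300.1.1.1" on stderr.
printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_rules

# Live run only on request, and only where firewall-cmd exists.
if [ "${1:-}" = "--apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
  printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_rules | change_blocklist add
fi
```

To undo, pipe the same list through `blocklist_rules | change_blocklist remove`; because both directions derive the rule text from the same builder, the remove matches exactly what was added. Rules added with `--permanent` take effect only after the `--reload` at the end of `change_blocklist`.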

port: the port can be a single port number or a port range, for example 5060-5062. The protocol can be specified as tcp or udp. The command takes the following form:
