[CentOS 7 Series] firewalld
1. Enable the firewalld service
# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
# systemctl stop iptables
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
Disable and stop the iptables service before switching: firewalld and the iptables service both manage the same kernel rule tables, and running both at once means each overwrites the other's rules. `systemctl enable` only arranges for firewalld to start at boot; start it now with `systemctl start firewalld` and confirm with `firewall-cmd --state`, which should print `running`.
From man firewalld.zones:
Which zones are available? Here are the zones provided by firewalld, sorted according to the default trust level of the zones from untrusted to trusted:
drop: Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.
2. firewall-cmd
# firewall-cmd --set-default-zone=work              ## set the default zone
success
# firewall-cmd --get-default-zone                   ## show the default zone
work
# firewall-cmd --get-zone-of-interface=ens33        ## show which zone an interface belongs to
work
# firewall-cmd --zone=public --add-interface=lo     ## assign an interface to a zone
success
# firewall-cmd --get-zone-of-interface=lo
public
# firewall-cmd --zone=dmz --change-interface=lo     ## move an interface to a different zone
success
# firewall-cmd --get-zone-of-interface=lo
dmz
# firewall-cmd --zone=dmz --remove-interface=lo     ## remove an interface from a zone
success
# firewall-cmd --get-zone-of-interface=lo
no zone
# firewall-cmd --get-active-zones                   ## show the zone of every interface on the system
work
  interfaces: ens37
public
  interfaces: ens33
# firewall-cmd --get-services                       ## list all predefined services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
# firewall-cmd --list-services                      ## services allowed in the current (default) zone
ssh dhcpv6-client
# firewall-cmd --zone=public --add-service=http     ## allow http in the public zone
success
# firewall-cmd --list-services --zone=public
dhcpv6-client ssh http
# firewall-cmd --zone=public --remove-service=http  ## remove the http service from the public zone
success
# firewall-cmd --list-services --zone=public
dhcpv6-client ssh
# firewall-cmd --zone=public --add-service=http --permanent   ## permanent change; writes a zone file under /etc/firewalld/zones
success
An interface that is not explicitly bound to a zone is handled by the default zone, which is why `--get-zone-of-interface` reports `no zone` for lo after the `--remove-interface` above. Note the two configurations firewall-cmd manages: without `--permanent`, a change applies to the running firewall immediately but is lost on reload or restart; with `--permanent`, it is written to /etc/firewalld/zones/public.xml but does not take effect until `firewall-cmd --reload`. A safe workflow is to make the change at runtime, verify you can still reach the host, then persist exactly that state with `firewall-cmd --runtime-to-permanent`.
3. Small case: the ftp service runs on custom port 1121 and must be allowed in the work zone
# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>     ## change port 21 to 1121
  <module name="nf_conntrack_ftp"/>
</service>
# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
# vi /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>     ## add this line
</zone>
# firewall-cmd --reload     ## reload so the edited files take effect
success
# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
This works because a file in /etc/firewalld/services or /etc/firewalld/zones overrides the stock file of the same name in /usr/lib/firewalld; never edit the files under /usr/lib directly, since a package update replaces them. Two caveats. First, the `<module name="nf_conntrack_ftp"/>` line only helps if the kernel helper knows about the new control port: by default nf_conntrack_ftp watches port 21 only, so with FTP on 1121 the data connections will not be tracked unless the module is loaded with its `ports` parameter (for example `options nf_conntrack_ftp ports=21,1121` in a file under /etc/modprobe.d, applied the next time the module is loaded). Second, if you only need the port and not the helper, `firewall-cmd --permanent --zone=work --add-port=1121/tcp` followed by `firewall-cmd --reload` achieves the same opening without editing any XML.
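Putting section 2 (runtime versus permanent changes) and section 3 (a service on a custom port) together, here is an added example script of my own; it is not code from the original post. It generates the custom service file instead of hand-editing a copy of ftp.xml, writes the conntrack helper port configuration, and publishes the service into a zone via `--permanent` plus `--reload`. It assumes firewalld's stock layout (files under /etc/firewalld shadow the same names under /usr/lib/firewalld) and that nf_conntrack_ftp accepts a `ports=` module parameter. The variables FIREWALLD_ETC and MODPROBE_D and all function names are my own, chosen so the file generation can be dry-run in a scratch directory without root; the script generalises beyond FTP to any tcp/udp service on a non-standard port.

```shell
#!/bin/sh
# Added example (not from the original post): build a firewalld service
# definition for a daemon on a non-standard port, tell the FTP conntrack helper
# about that port, and publish the service into a zone the permanent way.
# FIREWALLD_ETC and MODPROBE_D (names assumed here) default to the real system
# paths; point them at a scratch directory to dry-run without touching /etc.
set -eu

: "${FIREWALLD_ETC:=/etc/firewalld}"
: "${MODPROBE_D:=/etc/modprobe.d}"

# write_service NAME SHORT PORT [PROTO] [MODULE]
# Writes $FIREWALLD_ETC/services/NAME.xml. A file here shadows the stock
# /usr/lib/firewalld/services/NAME.xml of the same name, which is what copying
# and editing ftp.xml relies on. MODULE is optional (nf_conntrack_ftp for FTP);
# most services need no kernel helper at all.
write_service() {
    name=$1 short=$2 port=$3 proto=${4:-tcp} module=${5:-}
    case $port in
        ''|*[!0-9]*) echo "write_service: port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "write_service: port out of range: $port" >&2; return 1
    fi
    case $proto in
        tcp|udp) ;;
        *) echo "write_service: protocol must be tcp or udp: '$proto'" >&2; return 1 ;;
    esac
    mkdir -p "$FIREWALLD_ETC/services"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s on %s port %s (custom port, locally generated definition).</description>\n' "$short" "$proto" "$port"
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        if [ -n "$module" ]; then printf '  <module name="%s"/>\n' "$module"; fi
        printf '</service>\n'
    } > "$FIREWALLD_ETC/services/$name.xml"
}

# service_ports FILE -> prints one PORT/PROTO per <port/> element, the same
# shape firewall-cmd --list-ports uses; useful for checking an edited or
# generated file before reloading firewalld.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

# write_ftp_helper_ports PORTS (comma separated, e.g. 21,1121)
# nf_conntrack_ftp inspects the control channel on port 21 only by default, so
# moving FTP to 1121 silently breaks tracking of the data connections unless the
# module is told the new port. This drops a modprobe.d fragment, which takes
# effect the next time the module is loaded (reboot, or rmmod and modprobe).
write_ftp_helper_ports() {
    mkdir -p "$MODPROBE_D"
    printf 'options nf_conntrack_ftp ports=%s\n' "$1" > "$MODPROBE_D/nf_conntrack_ftp.conf"
}

# enable_in_zone ZONE SERVICE
# Reload first so firewalld parses the new service file, add the service to the
# permanent configuration, then reload again so the permanent change becomes the
# running rule set (--permanent alone changes nothing at runtime). Skipped
# cleanly on hosts without firewall-cmd so the file generation can be tested
# anywhere.
enable_in_zone() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; skipping zone update ($2 in $1)" >&2
        return 0
    fi
    firewall-cmd --reload
    firewall-cmd --permanent --zone="$1" --add-service="$2"
    firewall-cmd --reload
    firewall-cmd --zone="$1" --list-services
}

# The post's case: FTP on 1121/tcp, allowed in the work zone.
if [ "${1:-}" = apply ]; then
    write_service ftp FTP 1121 tcp nf_conntrack_ftp
    write_ftp_helper_ports 21,1121
    service_ports "$FIREWALLD_ETC/services/ftp.xml"
    enable_in_zone work ftp
fi
```

Run it as root with the single argument `apply` on the CentOS 7 host. To preview what it writes, set `FIREWALLD_ETC` and `MODPROBE_D` to a temporary directory first and inspect the generated ftp.xml and nf_conntrack_ftp.conf. The port and protocol checks in write_service exist because the XML is consumed by a root daemon: a typo such as a port of 0 or an unexpected protocol should be rejected before the file lands in /etc.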
This article is from the “亂碼時代” blog; please keep this attribution: http://juispan.blog.51cto.com/943137/1947735