
Introduction to the firewalld firewall

 8 months ago
source link: https://blog.51cto.com/lenglingx/8926729
systemctl status firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl enable firewalld
systemctl disable firewalld
systemctl is-enabled firewalld
systemctl is-active firewalld
systemctl is-failed firewalld
systemctl reload firewalld
systemctl restart firewalld

Permanent saving and other common options

--permanent    apply the change permanently
--state    show the daemon state
--reload    reload the configuration (without interrupting connections)
--complete-reload    reload completely (interrupts connections)
--runtime-to-permanent    save the whole runtime configuration into the permanent configuration
--check-config    check the permanent configuration for errors

--help  help
--version  version
--panic-on  enable panic mode (reject all packets)
--panic-off  disable panic mode (stop rejecting all packets)
--query-panic  query whether panic mode is enabled (on/off)

--get-zones    list all predefined zones
--get-services    list all predefined services
--get-icmptypes    list all predefined ICMP types
--get-policies    list all predefined policies
--get-ipsets    list all predefined ipsets (IP sets)
--get-helpers    list all predefined helpers

1. firewalld terminology and operations

A. Zones (zone: an area, which you can think of as a configuration template)

List all zones

# firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work

Show the default zone

# firewall-cmd --get-default-zone
public

Set the default zone

# firewall-cmd --set-default-zone=<zone>

Show the active zones

# firewall-cmd --get-active-zones
public
  interfaces: enp0s3

Add a zone

# firewall-cmd --new-zone=qq --permanent

Delete a zone

# firewall-cmd --delete-zone=qq --permanent

Show the details of one zone

# firewall-cmd --info-zone=work

Bind a zone to an interface (network card)

# firewall-cmd --list-interfaces
# firewall-cmd --zone=public --add-interface=eth0

B. Services (service: a named combination of ports, protocols and related settings)

List all of firewalld's services

# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jellyfin jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh 
xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server zerotier

Show the details of one service

# firewall-cmd --info-service=zabbix-server
zabbix-server
  ports: 10051/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers: 

Delete a specified service definition (rarely needed; usually with --permanent)

# firewall-cmd --delete-service=zabbix-server --permanent

Create a new service, usually also with --permanent

# firewall-cmd --new-service=zabbix-server --permanent

List the services currently in use

# firewall-cmd --list-services

C. ICMP types (icmptype: predefined handling for Internet Control Message Protocol message types)

Add an icmptype

# firewall-cmd --new-icmptype=<icmptype>

Delete an icmptype

# firewall-cmd --delete-icmptype=<icmptype>

Show an icmptype

# firewall-cmd --info-icmptype=<icmptype>

D. Policies (policies: a collection of rules)

List all predefined policies

# firewall-cmd --get-policies
allow-host-ipv6

List all active policies

# firewall-cmd --get-active-policies
allow-host-ipv6
  ingress-zones: ANY
  egress-zones: HOST

Show the state of all policies

# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv6" icmp-type name="neighbour-advertisement" accept
	rule family="ipv6" icmp-type name="neighbour-solicitation" accept
	rule family="ipv6" icmp-type name="router-advertisement" accept
	rule family="ipv6" icmp-type name="redirect" accept

Add a policy

# firewall-cmd --new-policy=<policy>

Delete a policy

# firewall-cmd --delete-policy=<policy>

Show the details of one policy

# firewall-cmd --info-policy=<policy>

Select a policy for the options that follow to apply to

# firewall-cmd --policy=<policy>

E. IP sets (ipset: a set of IP addresses)

List all ipset types

# firewall-cmd --get-ipset-types

List all ipsets

# firewall-cmd --get-ipsets

Add an ipset

# firewall-cmd --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..

Delete an ipset

# firewall-cmd --delete-ipset=<ipset>

Show one ipset

# firewall-cmd --info-ipset=<ipset>

F. Helpers (helper: a connection-tracking helper made up of a kernel module, protocol family, protocol and ports)

module: the module name (a string; modules live in /lib/modules/$(uname -r)/kernel/net/netfilter/)

This is one of the netfilter conntrack helper modules. The name starts with nf_conntrack_ and has one or several module aliases that start with nfct-helper-. The nf conntrack helpers are located in the /lib/modules/$(uname -r)/kernel/net/netfilter/ directory.

family: the protocol family

family="ipv4|ipv6"

ports: port plus protocol

ports: 10080/udp

Add a helper

# firewall-cmd --new-helper=<helper-name>

Delete a helper

# firewall-cmd --delete-helper=<helper-name>

Show a helper

# firewall-cmd --info-helper=<helper-name>

2. firewalld firewall configuration (what is allowed through)

--list-services: service-based configuration

List all currently enabled services

# firewall-cmd --list-services

Enable a service

# firewall-cmd --add-service=ftp

Remove a service

# firewall-cmd --remove-service=ftp

Query a service

# firewall-cmd --query-service=ftp

--list-protocols: protocol-based configuration (nobody should configure a firewall by allowing whole protocols such as tcp or udp; that amounts to no configuration at all)

List all currently enabled protocols

# firewall-cmd --list-protocols

Enable a protocol

# firewall-cmd --add-protocol=tcp

Remove a protocol

# firewall-cmd --remove-protocol=udp

Query a protocol

# firewall-cmd --query-protocol=udp

--list-ports: port-based configuration

List all currently open ports

# firewall-cmd --list-ports

Open a port

# firewall-cmd --add-port=10086/tcp

Remove a port

# firewall-cmd --remove-port=10086/tcp

Query a port

# firewall-cmd --query-port=10086/tcp

--list-source-ports: source-port-based configuration

List all currently enabled source ports

# firewall-cmd --list-source-ports

Enable a source port

# firewall-cmd --add-source-port=10086/tcp

Remove a source port

# firewall-cmd --remove-source-port=10086/tcp

Query a source port

# firewall-cmd --query-source-port=10086/tcp

--list-sources: source-address-based configuration

List all currently enabled source addresses

# firewall-cmd --list-sources

Add a source address

# firewall-cmd --add-source=192.168.5.4
success

Remove a source address

# firewall-cmd --remove-source=192.168.5.4
success

Query a source address

# firewall-cmd --query-source=192.168.5.4
yes

Add several sources at once (the shell expands the braces into one --add-source per address)

# firewall-cmd --add-source={192.168.31.230/32,192.168.31.100/32} --permanent --zone=internal

--list-icmp-blocks (ICMP-related)

  --list-icmp-blocks   List Internet ICMP type blocks added [P] [Z] [O]
  --add-icmp-block=<icmptype>
                       Add an ICMP block [P] [Z] [O] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block [P] [Z] [O]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added [P] [Z] [O]

--add-icmp-block-inversion (ICMP-related)

--list-forward-ports (port forwarding; see B below)

  --list-forward-ports List IPv4 forward ports added [P] [Z] [O]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port [P] [Z] [O] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port [P] [Z] [O]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added [P] [Z] [O]

--list-rich-rules (rich rules; see A below)

A. Rich rules (rich rules; rule)

List the rich rules

# firewall-cmd --list-rich-rules

Add a rich rule

# firewall-cmd --add-rich-rule=<rule>

Remove a rich rule

# firewall-cmd --remove-rich-rule=<rule>

Query a rich rule

# firewall-cmd --query-rich-rule=<rule>

B. Port forwarding

Port forwarding redirects traffic that arrives at a given port to a specified port on a specified address. If no destination IP is given, the destination defaults to the local host; if an IP is given but no port, the original port is used. If port forwarding does not work after being configured, check these two things:

  1. For example, when forwarding port 80 to port 8080, first check that local port 80 and target port 8080 are open and listening
  2. Then check whether IP masquerading is allowed; if it is not, enable it

# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080   # forward traffic on port 80 to port 8080
# firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1 # forward traffic on port 80 to 192.168.0.1
# firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080 # forward traffic on port 80 to port 8080 on 192.168.0.1

Typical uses:

  1. To hide a port, block it on the firewall, open a different, non-standard port, and configure port forwarding to send that traffic to the hidden port.
  2. Port forwarding can also distribute traffic: one firewall in front of many machines running different services, forwarding traffic on different ports to different machines.

List all port forwards

# firewall-cmd --list-forward-ports

Add a port forward

# firewall-cmd --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]

Remove a port forward

# firewall-cmd --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]

Query one specific port forward

# firewall-cmd --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]

3. IP masquerading (masquerade) and forwarding (forward)

# firewall-cmd --add-masquerade
# firewall-cmd --remove-masquerade

Query whether masquerading is enabled

# firewall-cmd --query-masquerade

Note: masquerading and port forwarding both require the Linux kernel's IP forwarding to be enabled:

echo "1" > /proc/sys/net/ipv4/ip_forward

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p

and forwarding to be enabled in the firewall:

# firewall-cmd --add-forward
# firewall-cmd --remove-forward
# firewall-cmd --query-forward
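The port-forwarding procedure from section B together with the prerequisites from section 3, written as one checked script. This is an added example, not code from the original post; it assumes a POSIX shell and a hypothetical FWCMD variable (FWCMD=echo previews the firewall-cmd calls instead of running them).

```shell
# Added example, not from the original post: one port forward with the checks
# the post recommends. FWCMD is a hypothetical override: FWCMD=echo previews
# the firewall-cmd calls without changing the host.

# fwd_spec PORT PROTO [TOPORT] [TOADDR]: build a forward-port spec, 1 on bad input
fwd_spec() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  case $2 in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  spec="port=$1:proto=$2"
  [ -n "$3" ] && spec="$spec:toport=$3"
  [ -n "$4" ] && spec="$spec:toaddr=$4"
  printf '%s\n' "$spec"
}

# setup_forward ZONE PORT PROTO [TOPORT] [TOADDR]: apply the forward in order
setup_forward() {
  fw=${FWCMD:-firewall-cmd}
  spec=$(fwd_spec "$2" "$3" "$4" "$5") || { echo "bad forward spec" >&2; return 1; }
  # 1. kernel IP forwarding (section 3): without it forwarded packets never leave the host
  if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
    echo "warning: net.ipv4.ip_forward is 0; set it with sysctl -w net.ipv4.ip_forward=1" >&2
  fi
  # 2. masquerade is needed when the target is another host; a local redirect (toport only) is not
  [ -n "$5" ] && { $fw --zone="$1" --add-masquerade || return 1; }
  # 3. the forward itself, then keep it across reloads
  $fw --zone="$1" --add-forward-port="$spec" || return 1
  $fw --runtime-to-permanent || return 1
  # 4. verify the rule is present (firewall-cmd prints yes/no)
  $fw --zone="$1" --query-forward-port="$spec"
}
```

Run it as root with, for example, `setup_forward public 80 tcp 8080` for the local redirect from section B, or with a fifth argument for another host.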

4. Direct rules (--direct)

--get-all-chains

--get-all-rules

--get-all-passthroughs

Assorted examples

# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.100.0/24
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100

5. Ingress and egress (I do not yet know what this feature does)

I do not yet know what this feature does; it looks like it binds a policy to the zones where the traffic enters and leaves.

https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/proc_using-dnat-to-forward-https-traffic-to-a-different-host_using-and-configuring-firewalld

firewall-cmd --permanent --policy=ExamplePolicy --add-ingress-zone=HOST
firewall-cmd --permanent --policy=ExamplePolicy --add-egress-zone=ANY
  --list-ingress-zones
                       List ingress zones that are bound to a policy [P] [O]
  --add-ingress-zone=<zone>
                       Add the ingress zone to a policy [P] [O]
  --remove-ingress-zone=<zone>
                       Remove the ingress zone from a policy [P] [O]
  --query-ingress-zone=<zone>
                       Query whether the ingress zone has been adedd to a
                       policy [P] [O]
               
  --list-egress-zones
                       List egress zones that are bound to a policy [P] [O]
  --add-egress-zone=<zone>
                       Add the egress zone to a policy [P] [O]
  --remove-egress-zone=<zone>
                       Remove the egress zone from a policy [P] [O]
  --query-egress-zone=<zone>
                       Query whether the egress zone has been adedd to a
                       policy [P] [O]

6. Other commands

Show the configuration of all zones

# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv6" icmp-type name="neighbour-advertisement" accept
	rule family="ipv6" icmp-type name="neighbour-solicitation" accept
	rule family="ipv6" icmp-type name="router-advertisement" accept
	rule family="ipv6" icmp-type name="redirect" accept

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
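The zone listings above are what an auditor reads first on a host; this added example (not from the original post) parses that `--list-all-zones` format with awk and flags the settings a reviewer checks first: active zones, an ACCEPT target (everything allowed), and masquerading. SAMPLE is a constructed, shortened listing; the helper names are assumptions.

```shell
# Added example, not from the original post: audit the listing that
# `firewall-cmd --list-all-zones` prints. SAMPLE is a constructed, shortened
# listing; on a real host pipe the real output:  firewall-cmd --list-all-zones | audit_zones

SAMPLE='public (active)
  target: default
  interfaces: enp0s3
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no

external
  target: default
  services: ssh
  ports:
  masquerade: yes

trusted
  target: ACCEPT
  services:
  ports:
  masquerade: no'

# zone_field ZONE FIELD: value of FIELD for ZONE, reading a listing on stdin
zone_field() {
  awk -v z="$1" -v f="$2" '
    /^[^ \t]/ { cur = $1 }                      # header line, e.g. "public (active)"
    cur == z && index($0, "  " f ":") == 1 { sub(/^ *[^:]*: */, ""); print; exit }'
}

# audit_zones: one line per zone: active or not, target, services, ports, risk flags
audit_zones() {
  awk '
    function flush(  flag) {
      if (zone == "") return
      if (target == "ACCEPT") flag = flag " [target ACCEPT: everything allowed]"
      if (masq == "yes")     flag = flag " [masquerade on]"
      printf "%s%s target=%s services=[%s] ports=[%s]%s\n",
             zone, (active ? " ACTIVE" : ""), target, services, ports, flag
    }
    /^[^ \t]/ { flush(); zone = $1; active = ($2 == "(active)")
                target = ""; masq = ""; services = ""; ports = ""; next }
    /^  target:/     { target = $2 }
    /^  masquerade:/ { masq = $2 }
    /^  services:/   { sub(/^  services: */, ""); services = $0 }
    /^  ports:/      { sub(/^  ports: */, ""); ports = $0 }
    END { flush() }'
}
```

Try it with `printf '%s\n' "$SAMPLE" | audit_zones`; the trusted zone is flagged because an ACCEPT target admits every packet that reaches it.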
