
1naonao 2019-12-10 21:08 (original post)

The Firewalld firewall

Security and the OSI model

Physical layer
Data link layer
Network layer
Transport layer
Session layer
Presentation layer
Application layer

Hardware security	locks on the rack/cabinet
Network security	iptables	firewalld    selinux
Service security	update vulnerable versions of nginx, mysql, redis
System security		no public IP, change the default ssh port, disable remote root login
Public cloud		security groups

Third-party products	hardware firewalls, WAF, anti-DDoS, protection against injection flaws such as SQL injection

安全狗 (Safedog)
知道创宇 (Knownsec)
牛盾云

1. Firewalld overview

RHEL/CentOS 7 ships several firewall management tools. The default one is firewalld (Dynamic Firewall Manager of Linux systems), which can be managed from the command line (firewall-cmd) or from a GUI (firewall-config).

Compared with the classic iptables service, firewalld supports dynamic updates (rules are changed without flushing the rule set and dropping established connections) and introduces the concept of zones. A zone is simply a prepared set of firewall policies (a policy template); you pick the one that fits the network an interface or a source address belongs to, which makes switching between policies fast.


Default behaviour: connections coming from outside to the server are rejected unless a zone rule allows them (packets belonging to a connection the server itself opened are let through by connection tracking), while connections the server opens to the outside are allowed.


Note:

An interface can be bound to only one zone, but a zone can hold several interfaces. Rules can also be selected by source address, so one host can, for example, let everyone reach port 80 while only the company's addresses reach port 22.

The firewall is managed through zones

Traffic is divided into zones, and each zone carries its own access-control policy; the rules that apply to a packet depend on the interface or the source address it arrived from.


Zone      Default policy
trusted   accepts all inbound and outbound packets
home      rejects inbound traffic unless it belongs to an outbound connection, except for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services
internal  same as home
work      rejects inbound traffic unless it belongs to an outbound connection, except for the ssh, ipp-client and dhcpv6-client services
public    rejects inbound traffic unless it belongs to an outbound connection, except for the ssh and dhcpv6-client services (this is the default zone)
external  rejects inbound traffic unless it belongs to an outbound connection, except for ssh; masquerading is enabled, for use on the outside interface of a NAT router
dmz       rejects inbound traffic unless it belongs to an outbound connection, except for ssh
block     rejects all inbound traffic unless it belongs to an outbound connection; the sender gets an ICMP host-prohibited (IPv4) or adm-prohibited (IPv6) reply
drop      drops all inbound packets unless they belong to an outbound connection, without any reply
[root@web01 ~]# systemctl  start firewalld
[root@web01 ~]# systemctl  enable firewalld

#mask the iptables services so they can never be started alongside firewalld
[root@web01 ~]# systemctl  mask  iptables
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
[root@web01 ~]# systemctl  mask  ip6tables
Created symlink from /etc/systemd/system/ip6tables.service to /dev/null.
[root@web01 ~]# 

firewall-cmd command reference

Option  Purpose
Zone options
--get-default-zone    show the name of the default zone
--set-default-zone=<zone>    set the default zone (takes effect immediately and is saved permanently)
--get-active-zones    show the zones currently in use and the interfaces/sources bound to them
--get-zones    list all available zones
--list-all-zones    show the full configuration of every zone
--list-all    show the full configuration of the default zone (or of the zone given with --zone=)
--new-zone=<zone> --permanent    create a zone; it appears after --reload
--delete-zone=<zone> --permanent    delete a zone; takes effect after --reload
Service options
--get-services    list the predefined services
--add-service=<service>    allow that service's traffic in the default zone
--remove-service=<service>    stop allowing that service in the default zone
--list-services    list the services allowed in the default zone
Port options
--add-port=<port/protocol>    allow that port in the default zone
--remove-port=<port/protocol>    stop allowing that port in the default zone
--list-ports    list the ports allowed in the default zone
Interface options
--get-zone-of-interface=<interface>    show which zone an interface belongs to
--add-interface=<interface>    bind an interface to a zone (the default zone unless --zone= is given), so all traffic arriving on it is handled by that zone
--remove-interface=<interface>    unbind an interface from its zone
--change-interface=<interface> --zone=<zone>    move an interface to another zone
Source options
--add-source=<address[/mask]>    bind a source address or range to a zone
--remove-source=<address[/mask]>    remove a source binding
Other options
--permanent    change the saved configuration instead of the running one; needs --reload to take effect
--reload    activate the saved configuration; runtime-only changes are discarded, established connections are kept
--panic-on    drop every inbound and outbound packet
--panic-off    leave panic mode

2. Zone management

#list all zones

[root@web01 ~]# firewall-cmd  --get-zones
block dmz drop external home internal public trusted work


#show the full configuration of every zone (output shortened to the first zone here)
[root@web01 ~]# firewall-cmd  --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#show the current default zone

[root@web01 ~]# firewall-cmd   --get-default-zone
public

#show the rules of the default zone

[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#change the default zone (note: trusted accepts everything, so this opens the host completely)
[root@web01 ~]# firewall-cmd   --set-default-zone=trusted
success

#check the default zone
[root@web01 ~]# firewall-cmd   --get-default-zone
trusted

#show the active zones and their interfaces (the full option is --get-active-zones; firewall-cmd accepts this unambiguous abbreviation)
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0 eth1

#create a new zone; --permanent is mandatory here, and the zone only exists after --reload
[root@web01 ~]# firewall-cmd  --new-zone=test  --permanent
success

#list the zones: the new one is not active yet
[root@web01 ~]# firewall-cmd   --get-zones
block dmz drop external home internal public trusted work

#reload so the saved configuration (including the new zone) becomes active

[root@web01 ~]# firewall-cmd  --reload
success

#list the zones again
[root@web01 ~]# firewall-cmd   --get-zones
block dmz drop external home internal public test trusted work

#delete the zone (again permanent, so it needs --reload)
[root@web01 ~]# firewall-cmd  --delete-zone=test --permanent
success

[root@web01 ~]# firewall-cmd   --get-zones
block dmz drop external home internal public test trusted work

[root@web01 ~]# firewall-cmd   --reload
success

[root@web01 ~]# firewall-cmd   --get-zones
block dmz drop external home internal public trusted work

Example: combining zones. Make the default zone reject all new inbound connections, but allow everything from 10.0.0.0/24 by binding that range to the trusted zone. firewalld matches a packet against source-bound zones before interface-bound zones, so a source placed in trusted bypasses the public zone's rules entirely. Removing ssh from public cuts off every admin session that does not come from the trusted range, so run this from the console or from an address inside that range.


[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#remove the ssh and dhcpv6-client services from the default zone (runtime change)

[root@web01 ~]# firewall-cmd   --remove-service={ssh,dhcpv6-client}
success

[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#allow everything from 10.0.0.0/24 by binding that range to the trusted zone (the public zone itself is unchanged)

[root@web01 ~]# firewall-cmd   --add-source=10.0.0.0/24  --zone=trusted
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0 eth1
trusted
  sources: 10.0.0.0/24

[root@web01 ~]# firewall-cmd  --reload		#a reload restores the saved configuration; the runtime-only changes above are lost
success
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0 eth1
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#drop everything from 10.0.0.0/24 by binding it to the drop zone instead (a source can be bound to only one zone)

[root@web01 ~]# firewall-cmd   --add-source=10.0.0.0/24   --zone=drop
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@web01 ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.0/24
public
  interfaces: eth0 eth1

3. Service management

#allow a service in the default zone (runtime change)

[root@web01 ~]# firewall-cmd  --add-service=http
success

[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client http
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#remove a service

[root@web01 ~]# firewall-cmd --remove-service=dhcpv6-client
success
[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh http
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#list only the services currently allowed

[root@web01 ~]# firewall-cmd --list-services
ssh http


#allow several services at once (the braces are bash brace expansion)

[root@web01 ~]# firewall-cmd  --add-service={https,mysql,redis}
success

[root@web01 ~]# firewall-cmd  --list-services
ssh http https mysql redis

[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh http https mysql redis
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#remove several services at once

[root@web01 ~]# firewall-cmd  --remove-service={http,https,mysql,redis}
success

[root@web01 ~]# firewall-cmd  --list-services
ssh

[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#list all predefined services (their definitions live in /usr/lib/firewalld/services/)

[root@web01 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

4. Port management

#open a port

[root@web01 ~]# firewall-cmd  --add-port=80/tcp
success

[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#list the allowed ports and protocols

[root@web01 ~]# firewall-cmd --list-ports
80/tcp

#open several ports at once

[root@web01 ~]# firewall-cmd --add-port={443/tcp,6379/tcp}
success

[root@web01 ~]# firewall-cmd --list-ports
80/tcp 443/tcp 6379/tcp
[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp 6379/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@web01 ~]# firewall-cmd --list-ports
80/tcp 443/tcp 6379/tcp

#close a port

[root@web01 ~]# firewall-cmd --remove-port=6379/tcp
success
[root@web01 ~]# firewall-cmd --list-ports
80/tcp 443/tcp

#close several ports at once

[root@web01 ~]# firewall-cmd --remove-port={80/tcp,443/tcp}
success
[root@web01 ~]# firewall-cmd --list-ports

[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
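The --add-port step above leaves 6379/tcp open in the public zone, which is bound to eth0 and eth1, so Redis would be reachable by anyone who can reach either interface. The script below is an added example and not part of the original post: it reads a firewall-cmd --list-all (or --list-all-zones) dump and reports deny-listed services and ports that are exposed in a zone with no source restriction. The two dumps embedded in it are constructed to match the output format shown on this page, and the deny-lists are an assumption for a web server like web01.

```shell
#!/bin/sh
# Audit firewalld zone dumps for internal-only services/ports reachable from any source.
# Added example, not from the original post. The deny-lists are an assumption for a
# web server like web01; extend them for your host's role.
INTERNAL_ONLY_SERVICES="mysql redis mongodb postgresql"
INTERNAL_ONLY_PORTS="3306/tcp 6379/tcp 27017/tcp 5432/tcp"

# Reads `firewall-cmd --list-all` / `--list-all-zones` output on stdin.
# Prints one line per finding; exits 1 if anything deny-listed is exposed to everyone.
audit_zone_dump() {
    awk -v svc_list="$INTERNAL_ONLY_SERVICES" -v port_list="$INTERNAL_ONLY_PORTS" '
    BEGIN {
        n = split(svc_list, s, " ");  for (i = 1; i <= n; i++) bad_svc[s[i]] = 1
        n = split(port_list, p, " "); for (i = 1; i <= n; i++) bad_port[p[i]] = 1
        exposed = 0
    }
    # Zone header ("public (active)" or just "public"): reset the per-zone state.
    /^[a-zA-Z0-9_-]+( \(active\))?$/ { zone = $1; iface_bound = 0; restricted = 0; in_rich = 0; next }
    # A zone bound to an interface admits everything arriving on it; a zone bound only
    # to source ranges is applied to those ranges alone, so it counts as restricted.
    /^[ \t]*interfaces:/ { iface_bound = (NF > 1); next }
    /^[ \t]*sources:/    { restricted = (NF > 1 && !iface_bound); next }
    /^[ \t]*services:/ {
        if (!restricted)
            for (i = 2; i <= NF; i++)
                if ($i in bad_svc) { printf "EXPOSED service %s in zone %s\n", $i, zone; exposed++ }
        next
    }
    /^[ \t]*ports:/ {
        if (!restricted)
            for (i = 2; i <= NF; i++)
                if ($i in bad_port) { printf "EXPOSED port %s in zone %s\n", $i, zone; exposed++ }
        next
    }
    /^[ \t]*masquerade: yes/ { printf "NOTE zone %s masquerades (this host acts as a NAT gateway)\n", zone; next }
    /^[ \t]*forward-ports:/  { for (i = 2; i <= NF; i++) printf "NOTE forward %s in zone %s\n", $i, zone; next }
    /^[ \t]*rich rules:/     { in_rich = 1; next }
    # A rich rule that accepts without a source clause is as open as a plain service entry.
    in_rich && /^[ \t]*rule / && / accept/ && !/source address/ {
        printf "EXPOSED rich rule accepts from any source: %s\n", $0; exposed++
    }
    END { exit (exposed > 0) }
    '
}

# Constructed sample 1: the public zone as shown above after --add-port={443/tcp,6379/tcp}.
sample_public_after_add_port() {
cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp 6379/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Constructed sample 2: the same services in a zone bound to a source range only, plus a
# rich rule that limits http to one host. Nothing here is reachable by everyone.
sample_source_bound() {
cat <<'EOF'
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.16.1.0/24
  services: ssh redis mysql
  ports: 6379/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.1.8/32" service name="http" accept
EOF
}

if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --list-all-zones | audit_zone_dump
else
    echo "firewall-cmd not found; auditing the embedded sample dumps instead"
    sample_public_after_add_port | audit_zone_dump || echo "-> sample 1 has exposures"
    sample_source_bound | audit_zone_dump && echo "-> sample 2 is clean"
fi
```

Run it on the host to audit the live configuration (the exit status makes it usable from a cron job or a configuration check); without firewall-cmd it audits the embedded samples. Masquerading and forward-ports are only reported as notes, because they are expected on a NAT gateway but worth a second look on a plain web server.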

5. Interface management

#find out which zone an interface belongs to

[root@web01 ~]# firewall-cmd   --get-zone-of-interface=eth0
public
[root@web01 ~]# firewall-cmd   --get-zone-of-interface=eth1
public

#remove eth1 from the zone. NetworkManager is stopped first because, while it runs, it re-applies the zone stored in the
#connection profile; with NetworkManager running, the supported way is: nmcli connection modify <name> connection.zone <zone>
[root@web01~]# systemctl stop  NetworkManager
[root@web01 ~]# firewall-cmd  --remove-interface=eth1
success

[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#bind an interface to the default zone
[root@web01 ~]# firewall-cmd   --add-interface=eth0
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
#eth1 is no longer explicitly bound; traffic arriving on it is handled by the default zone
[root@web01 ~]# firewall-cmd --get-zone-of-interface=eth1
no zone

#bind an interface to a specific zone
[root@web01 ~]# firewall-cmd  --change-interface=eth0   --zone=public
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

6. Source address management

#block all traffic from a single address

[root@web01 ~]# firewall-cmd   --add-source=10.0.0.8/32   --zone=drop
success

[root@web01 ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32
public
  interfaces: eth0

#block a whole subnet

[root@web01 ~]# firewall-cmd  --add-source=10.0.0.0/24  --zone=drop
success

[root@web01 ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32 10.0.0.0/24
public
  interfaces: eth0
  
#allow a single address to reach everything (trusted zone)

[root@web01 ~]# firewall-cmd   --add-source=10.0.0.8/32  --zone=trusted
success
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0
trusted
  sources: 10.0.0.8/32

#remove the source binding

[root@web01 ~]# firewall-cmd  --remove-source=10.0.0.8/32  --zone=trusted
success
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0

7. Port forwarding and masquerading

firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<target port>:toaddr=<target IP>


#enable masquerading (source NAT) for the zone

[root@web01 ~]# firewall-cmd  --add-masquerade
success
[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#forward local port 6666 to port 22 on the backend 172.16.1.8; masquerading is needed for the backend's replies to return through this host

[root@web01 ~]# firewall-cmd  --zone=public  --add-forward-port=port=6666:proto=tcp:toport=22:toaddr=172.16.1.8
success

[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=6666:proto=tcp:toport=22:toaddr=172.16.1.8
  source-ports: 
  icmp-blocks: 
  rich rules: 

#remove the port forward
[root@web01 ~]# firewall-cmd --remove-forward-port=port=6666:proto=tcp:toport=22:toaddr=172.16.1.8
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  
#panic mode: drop all inbound and outbound packets (use with care: it also kills your own remote session)

[root@web01 ~]# firewall-cmd    --panic-on

#you will have to turn it off from the console in the data center

[root@web01 ~]# firewall-cmd    --panic-off

8. Custom service definitions

#copy an existing definition as a template. Put your own definitions in /etc/firewalld/services/:
#that directory overrides /usr/lib/firewalld/services/ and is not overwritten by package updates
[root@web01 ~]# cp  /usr/lib/firewalld/services/http.xml   /etc/firewalld/services/oldboy.xml

#edit the definition: short name, description and the port(s) it covers
[root@web01 ~]# cat /etc/firewalld/services/oldboy.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>oldboy</short>
  <description>Custom service oldboy: TCP port 6379 (the Redis port). Enable it only in zones that should reach Redis.</description>
  <port protocol="tcp" port="6379"/>
</service>

#reload first (firewall-cmd --reload) so firewalld reads the new definition, then allow the service
[root@web01 ~]# firewall-cmd   --add-service=oldboy
success

[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client oldboy
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
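A definition that lives only in /usr/lib/firewalld/services/ disappears with the next firewalld package update, and a typo in the XML makes firewalld refuse to load the service. The script below is an added example and not part of the original post: it validates the port specifications, escapes the description, writes the file under /etc/firewalld/services/ and reloads so the daemon picks it up. The service name oldboy and port 6379/tcp follow the page; the --install switch and the helper names are assumptions.

```shell
#!/bin/sh
# Generate and install a custom firewalld service definition.
# Added example, not from the original post. Custom definitions belong in
# /etc/firewalld/services/ (it overrides /usr/lib/firewalld/services/ and is not touched
# by package updates). Service name, description and ports below are assumptions.

xml_escape() {   # escape the three characters that would break XML text content
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

valid_port_spec() {   # accepts N/proto or N-M/proto with 1 <= N <= M <= 65535
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%/*}; proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in *-*) lo=${port%-*}; hi=${port#*-} ;; *) lo=$port; hi=$port ;; esac
    for n in "$lo" "$hi"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

service_xml() {   # service_xml NAME DESCRIPTION PORT/PROTO... -> definition on stdout
    name=$1; desc=$2; shift 2
    [ $# -ge 1 ] || { echo "at least one port/proto is required" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' \
        "$(xml_escape "$name")" "$(xml_escape "$desc")"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

install_service() {   # install_service NAME DESCRIPTION PORT/PROTO...  (run as root)
    dir=/etc/firewalld/services
    tmp=$(mktemp "$dir/.$1.XXXXXX") || return 1
    service_xml "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" && mv "$tmp" "$dir/$1.xml"
    firewall-cmd --reload >/dev/null        # firewalld reads service files only on (re)load
    firewall-cmd --info-service="$1"        # confirm the daemon now knows the service
}

case "${1:-}" in
    --install) shift; install_service "$@" ;;
    *)         service_xml oldboy "Custom service on TCP 6379 (Redis)" 6379/tcp ;;  # dry run
esac
```

Without arguments the script prints the definition it would write; as root, ./service.sh --install oldboy "Custom service on TCP 6379 (Redis)" 6379/tcp installs it. The file is written to a temporary name and moved into place so that firewalld never sees a half-written definition during a reload.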

9. Rich rules

Rich rules are firewalld's fine-grained policy language: one rule can combine a service, port or protocol with source and destination addresses, logging and an action. Within a zone, rich rules that log, reject or drop are evaluated before the zone's allowed services and ports, which is what makes example 2 below (ssh open to everyone, dropped for one range) work. The language is documented in its own man page:

[root@web01 ~]# man  firewalld.richlanguage		#man page for the rich rule language

rule
             [source]
             [destination]
             service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
             [log]
             [audit]
             [accept|reject|drop|mark]
             
             
             
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
destination address="address[/mask]" invert="True"
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
accept | reject [type="reject type"] | drop


#rich rule options

--add-rich-rule='<RULE>' 	#add a rich rule to the zone (default zone unless --zone= is given)
--remove-rich-rule='<RULE>' #remove a rich rule from the zone
--query-rich-rule='<RULE>'  #print yes/no; exit status 0 if the rule exists, 1 if not
--list-rich-rules 			#list the rich rules of the zone


1. Allow host 10.0.0.1 to reach the http service, and allow 172.16.1.0/24 to reach TCP port 6379



[root@web01 ~]# firewall-cmd   --zone=public  --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
success
[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
[root@web01 ~]# 


[root@web01 ~]# firewall-cmd   --zone=public  --add-rich-rule='rule family=ipv4  source address=172.16.1.0/24  port port=6379 protocol=tcp accept'
success


[root@web01 ~]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
	rule family="ipv4" source address="172.16.1.0/24" port port="6379" protocol="tcp" accept

#list all rich rules
[root@web01 ~]# firewall-cmd  --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="6379" protocol="tcp" accept

#delete a rich rule
[root@web01 ~]# firewall-cmd  --zone=public  --remove-rich-rule='rule family="ipv4" source address="172.16.1.0/24" port port="6379" protocol="tcp" accept'
success

#yes means the rule exists and is active
[root@web01 ~]# firewall-cmd  --zone=public  --query-rich-rule='rule family="ipv4" source address="10.0.0.1/32" service name="http" accept'
yes

[root@web01 ~]# firewall-cmd  --zone=public  --query-rich-rule='rule family="ipv4" source address="172.16.1.0/24" port port="6379" protocol="tcp" accept'
no



2. The public zone allows ssh from everyone, but ssh connections from 172.16.1.0/24 are dropped. This works because a rich rule with drop (or reject) is evaluated before the zone's allowed services.


[root@web01 ~]# firewall-cmd  --zone=public  --add-rich-rule='rule family=ipv4  source address=172.16.1.0/24 service name=ssh drop'
success
[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
	rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop

3. Allow everyone to reach http and https, but allow ssh only from 10.0.0.1. Run this from the console or from 10.0.0.1 itself: after --remove-service=ssh every other ssh session is cut off. These are runtime changes; repeat them with --permanent (then --reload) to keep them across a reload or reboot.

[root@web01 ~]# firewall-cmd   --add-service={http,https}
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client http https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@web01 ~]# firewall-cmd   --zone=public   --remove-service=ssh
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@web01 ~]# firewall-cmd   --zone=public  --add-rich-rule='rule family=ipv4  source address=10.0.0.1/32 service name=ssh accept'
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
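Example 3 is a runtime change, and the order of its commands matters: if your own ssh session does not come from 10.0.0.1, --remove-service=ssh ends it. The script below is an added example and not part of the original post. It makes the same policy permanent, checks that the session running it sits inside the allowed range before removing ssh, reloads, and then verifies the runtime state. The zone (public), the default range (10.0.0.0/24, as used on this page), IPv4 only, and the function names are assumptions.

```shell
#!/bin/sh
# "http/https for everyone, ssh only from one range", made permanent without locking
# yourself out. Added example, not from the original post. Assumes the public zone, IPv4,
# and that sshd exports SSH_CONNECTION ("client_ip client_port server_ip server_port")
# into the session running this script. The range defaults to the page's 10.0.0.0/24.

ip_to_int() {   # dotted quad -> integer on stdout; fails on anything that is not a valid IPv4 address
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in 0[0-9]*) exit 1 ;; esac      # no leading zeros (octal ambiguity)
            [ "$o" -le 255 ] || exit 1
        done
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

cidr_contains() {   # cidr_contains IP CIDR -> 0 if IP lies inside CIDR (a bare address means /32)
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    case "$bits" in ''|*[!0-9]*|0[0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

session_source_ok() {   # session_source_ok CIDR [SSH_CONNECTION] -> 0 unless this session would be cut off
    conn=${2-${SSH_CONNECTION:-}}
    [ -n "$conn" ] || return 0      # no ssh session (console login): nothing to lose
    cidr_contains "${conn%% *}" "$1"
}

build_ssh_policy() {   # print the firewall-cmd invocations for range $1
    cidr=$1
    cat <<EOF
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=$cidr service name=ssh accept'
firewall-cmd --reload
EOF
}

apply_ssh_policy() {   # apply_ssh_policy CIDR  (run as root on the firewall host)
    cidr=$1
    cidr_contains "${cidr%/*}" "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    if ! session_source_ok "$cidr"; then
        echo "refusing: this ssh session comes from ${SSH_CONNECTION%% *}, outside $cidr" >&2
        return 1
    fi
    build_ssh_policy "$cidr" | sh -e || return 1
    # --permanent only edits /etc/firewalld; the reload made it live. Verify the runtime state.
    firewall-cmd --zone=public --query-service=ssh >/dev/null && { echo "ssh is still open to all" >&2; return 1; }
    firewall-cmd --zone=public --query-rich-rule="rule family=ipv4 source address=$cidr service name=ssh accept" >/dev/null
}

case "${1:-}" in
    --apply) apply_ssh_policy "${2:-10.0.0.0/24}" ;;
    *)       build_ssh_policy "${1:-10.0.0.0/24}" ;;   # dry run: print the commands only
esac
```

Without arguments the script prints the commands it would run; as root, --apply [CIDR] executes them. The lockout check relies on SSH_CONNECTION; if sudo strips that variable from the environment the script sees no ssh session and does not refuse, so run it directly as root or keep the variable in sudo's env_keep.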


4. When the source is 10.0.0.1, forward its connections to port 5555 on to port 22 of the backend 172.16.1.8 (masquerading is enabled first so the backend's replies return through this host)
[root@web01 ~]# firewall-cmd  --add-masquerade
success

[root@web01 ~]# firewall-cmd   --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol=tcp to-port=22 to-addr=172.16.1.8'
success

10. Persisting (--permanent) and backing up rules

#--permanent writes only to the saved configuration; the running rules do not change until --reload
[root@web01 ~]# firewall-cmd   --zone=public   --add-service=http  --permanent
success
[root@web01 ~]# firewall-cmd   --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@web01 ~]# 
[root@web01 ~]# firewall-cmd   --reload
success
[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client http
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@web01 ~]# firewall-cmd  --zone=public  --remove-service=http  --permanent
success
[root@web01 ~]# firewall-cmd  --reload
success
[root@web01 ~]# firewall-cmd   --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#Backing up the configuration

#Only permanent rules are written to disk. Save runtime-only changes first with: firewall-cmd --runtime-to-permanent

[root@web01 ~]# ll  /etc/firewalld/zones/public.xml		#saved configuration of the public zone

[root@web01 ~]# ll /etc/firewalld/zones/		#one xml file per zone that has been changed; backing up /etc/firewalld/ captures zones, custom services and firewalld.conf

11. Using firewalld as a NAT gateway for internal hosts

#internal host (web02): only an internal address, with its default route via 172.16.1.7 (the gateway's internal interface)

[root@web02 ~]# vim  /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.8
NETMASK=255.255.255.0
GATEWAY=172.16.1.7

#configure DNS
[root@web02 ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.5.5.5
nameserver 223.6.6.6

#take eth0 down and restart eth1 so web02 has no direct path to the outside

[root@web02 ~]# ifdown  eth0

[root@web02 ~]# ifdown  eth1  &&  ifup  eth1



#on the gateway (web01): enable masquerading permanently; firewalld turns on IPv4 forwarding with it (check: sysctl net.ipv4.ip_forward)

[root@web01 ~]# firewall-cmd   --add-masquerade  --permanent
success

#forward port 6666 on the gateway to the backend's ssh; --permanent, otherwise the reload below discards it
[root@web01 ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=6666:proto=tcp:toport=22:toaddr=172.16.1.8

[root@web01 ~]# firewall-cmd   --reload
success


#test outbound access from the internal host

[root@web02 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=28.5 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=127 time=28.0 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=127 time=28.5 ms

#reach web02 from outside through the forward on the gateway's public address (port 6666)
ssh -p 6666 10.0.0.31
