基于linux下的firewalld服务基础
####################1.防火墙概述##########################################
动态防火墙后台程序 FireWalld提供了一个动态管理的防火墙,用以支持网络的zones,以分配对一个网络及相关连接和界面一定程度的信任;它支持以太网桥,并有分离运行时间和永久行配置选择。
###################2.firewalld域##############################################
home(家庭):用于家庭网络,仅接受dhcpv6-client、ipp-client、mdns、samba-client、ssh服务
internal(内部):用于内部网络,仅接受dhcpv6-client、ipp-client、mdns、samba-client、ssh服务
public(公共):用于公共区域使用,仅接受dhcpv6-client、ssh服务
trusted(信任):接受所有网络连接
work(工作):用于工作区,仅接受dhcpv6-client、ipp-client、ssh服务
block(限制):拒绝所有网络连接
dmz(非军事区):仅接受ssh服务连接
drop(丢弃):任何接收的网络数据包都被丢弃,没有任何回复
external(外部):出去的ipv4网络连接通过此区域伪装和转发,仅接受ssh服务连接
################3.防火墙相关命令#################################################
1.开启防火墙及查看状态
[[email protected] ~]#systemctl start firewalld
[[email protected] ~]#systemctl status firewalld
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: active (running) since Mon 2018-05-07 22:45:47 EDT; 5s ago
Main PID: 32496 (firewalld)
CGroup: /system.slice/firewalld.service
└─32496 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
2.查看火墙状态
[[email protected] ~]# firewall-cmd --state
running
3.查看火墙正在使用的域
[[email protected] ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
4.查看火墙的默认域
[[email protected] ~]# firewall-cmd --get-default-zone
public
5.查看火墙所有的域
[[email protected] ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
6.查看public域的信息
[[email protected] ~]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
7.查看不同通过火墙的服务
[[email protected] ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openv*n pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
8.修改火墙的默认域
[[email protected] ~]# firewall-cmd --set-default-zone=trusted
success
[[email protected] ~]# firewall-cmd --get-default-zone
trusted
9.火墙的图形化配置工具
[[email protected] ~]# firewall-config
** (firewall-config:1057): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-wRF0eGMIT4: Connection refused
##################4.接口控制#############################################
1.接口访问控制
eth0 = 172.25.254.208
eth1 = 172.25.0.208
[[email protected] ~]# firewall-cmd --permanent --change-interface=eth0 --zone=block
[[email protected] ~]# firewall-cmd --permanent --change-interface=eth1 --zone=public
此时实验(连接/访问/ping均可)
208不通
108正常
2.8080接口
[[email protected] ~]# firewall-cmd --add-port=8080/tcp
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root[email protected] services]# vim /etc/httpd/conf/httpd.conf
[[email protected] services]# systemctl restart httpd.service
[[email protected] services]# firefox
3.实验:禁止主机8连接
[[email protected] ~]# firewall-cmd --add-source=172.25.254.8 --zone=block
success
[[email protected] ~]# ping 172.25.254.108
PING 172.25.254.108 (172.25.254.108) 56(84) bytes of data.
From 172.25.254.108 icmp_seq=1 Destination Host Prohibited
From 172.25.254.108 icmp_seq=2 Destination Host Prohibited
服务端永久变更
[[email protected] ~]# firewall-cmd --permanent --add-source=172.25.254.8 --zone=block
success
[[email protected] ~]# firewall-cmd --reload
success
已连接的8主机不会断开
[[email protected] ~]# ls
anaconda-ks.cfg Documents Music Public Videos
Desktop Downloads Pictures Templates
[[email protected] ~]# firewall-cmd --complete-reload
success
已连接的主机8立即断开,无法操作.
########################5.防火墙访问控制#####################################
内核3个表,5个链
filter:经过本机内核的数据,input,forward,ouput
nat:不经过本机内核的数据,input,ouput,prerouting,postrouting
mangle:所有经过主机上的数据,prerouting,input,forward,ouput,postrouting