linux系统firewalld火墙优化策略
一、firewalld
防火墙指的是一个由软件和硬件设备组合而成、在内部网和外部网之间、专用网与公共网之间的界面上构造的保护屏障.是一种获取安全性方法的形象说法,它是一种计算机硬件和软件的结合,使Internet与Intranet之间建立起一个安全网关(Security
Gateway),从而保护内部网免受非法用户的侵入,防火墙主要由服务访问规则、验证工具、包过滤和应用网关4个部分组成,防火墙就是一个位于计算机和它所连接的网络之间的软件或硬件。该计算机流入流出的所有网络通信和数据包均要经过此防火墙。在网络中,所谓“防火墙”,是指一种将内部网和公众访问网(如Internet)分开的方法,它实际上是一种隔离技术。防火墙是在两个网络通讯时执行的一种访问控制尺度,它能允许你“同意”的人和数据进入你的网络,同时将你“不同意”的人和数据拒之门外,最大限度地阻止网络中的黑客来访问你的网络。换句话说,如果不通过防火墙,公司内部的人就无法访问Internet,Internet上的人也无法和公司内部的人进行通信。
firewalld和iptables的关系
firewalld自身并不具备防火墙的功能,而是和iptables一样需要通过内核的netfilter来实现,也就是说firewalld和iptables一样,他们的作用都是用于维护规则,而真正使用规则干活的是内核的netfilter,只不过firewalld和iptables的结构以及使用方法不一样罢了。
firewalld的配置模式
firewalld的配置文件以xml格式为主(主配置文件firewalld.conf例外),有两个存储位置
1、/etc/firewalld/ 用户配置文件
2、/usr/lib/firewalld/ 系统配置文件,预置文件
对于一个接受到的请求具体使用哪个zone,firewalld是通过三种方法来判断的:
1、source,也就是源地址 优先级最高
2、interface,接收请求的网卡 优先级第二
3、firewalld.conf中配置的默认zone 优先级最低
[[email protected] ~]# yum install firewall-config -y
[[email protected] ~]# firewall-config
[[email protected] ~]# yum search iptables
[[email protected] ~]# yum list iptables-services.x86_64
开启 firewalld
[[email protected] ~]# systemctl stop iptables.service[[email protected] ~]# systemctl disable iptables.service
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[[email protected] ~]# systemctl start firewalld
[[email protected] ~]# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
查看火墙
firewall-cmd –state #查看火墙当前生效的域
firewall-cmd –get-active-zones #查看默认的域
firewall-cmd –get-default-zone #查看所有的域
firewall-cmd –get-zones #查看public域里面的信息
firewall-cmd –zone=public –list-all #查看block域里面的信息
firewall-cmd –zone=block –list-all #查看所有域的状态
firewall-cmd –list-all-zones #列出所有域的规则
firewall-cmd –list-all #列出系统当中用名称代表的服务
firewall-cmd –get-services #打开防火墙界面
firewall-config
测试:
[[email protected] ~]# firewall-cmd --staterunning
[[email protected] ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0
[[email protected] ~]# firewall-cmd --get-default-zone
public
[[email protected] ~]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --zone=block --list-all
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
修改 firewalld 域
修改默认的域为trusted域
firewall-cmd –set-default-zone=trusted
代表可以接收所有网络访问
[[email protected] ~]# yum install httpd -y
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# echo westos> /var/www/html/index.html
浏览器测试:
172.25.254.102
查看不到,因为firewalld域为public
[[email protected] ~]# systemctl restart network
[[email protected] ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.102 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:20a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:02:0a txqueuelen 1000 (Ethernet)
RX packets 46197 bytes 325308296 (310.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29997 bytes 200042107 (190.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.202 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe03:6514 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:03:65:14 txqueuelen 1000 (Ethernet)
RX packets 10521 bytes 1144837 (1.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 3837 (3.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] ~]# firewall-cmd --set-default-zone=trusted #修改firewalld域为yrusted
success
[[email protected] ~]# firewall-cmd --get-default-zone
trusted
[[email protected] ~]# firewall-cmd --get-active-zone
ROL
sources: 172.25.0.252/32
trusted
interfaces: eth0 eth1
[[email protected] ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openv*n pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[[email protected] ~]# firewall-cmd --list-all
trusted (default, active)
interfaces: eth0 eth1
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
浏览器测试:
172.25.254.102
可以看到
使用命令行配置防火墙
设置域为public:
[[email protected] ~]# firewall-cmd --set-default-zone=public
success[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
真机浏览器:172.25.254.102 :看不到
添加指定ip为trusted:
success
只有本机和真机可以看到
[[email protected] Desktop]# elinks http://172.25.254.102
修改设备状态:
eth0 eth1
[[email protected] ~]# firewall-cmd --get-zone-of-interface=eth1
public
[[email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
public
[[email protected] ~]# firewall-cmd --change-interface=eth0 --zone=trusted
success
[[email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
trusted
[[email protected] ~]# firewall-cmd --remove-interface=eth0
success
[[email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
no zone
[[email protected] ~]# firewall-cmd --change-interface=eth0 --zone=public
success
[[email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
public
永久添加主机域,重启后不会消失:
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.2
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
添加指定服务
[[email protected] ~]# cd /etc/firewalld
[[email protected] firewalld]# lsfirewalld.conf firewalld.conf.old icmptypes lockdown-whitelist.xml services zones
[[email protected] firewalld]# cd zones
[[email protected] zones]# ls
public.xml public.xml.old ROL.xml
[[email protected] zones]# vim public.xml #编辑firewalld规则文件
8 <service name="http"/> #添加http服务
[[email protected] zones]# systemctl restart firewalld
[[email protected] zones]# firewall-cmd --list
usage: see firewall-cmd man page
firewall-cmd: error: ambiguous option: --list could match --list-lockdown-whitelist-contexts, --list-all, --list-lockdown-whitelist-uids, --list-ports, --list-forward-ports, --list-icmp-blocks, --list-interfaces, --list-rich-rules, --list-services, --list-lockdown-whitelist-commands, --list-all-zones, --list-sources, --list-lockdown-whitelist-users
[[email protected] zones]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.2
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] zones]# cd /usr/lib/firewalld
[[email protected] firewalld]# ls
icmptypes services zones
[[email protected] firewalld]# cd services
[[email protected] services]# vim http.xml
修改端口:
[[email protected] ~]# firewall-cmd --add-port=8080/tcp --zone=public
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.2
services: dhcpv6-client http ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
临时移除防火墙允许服务:
[[email protected] ~]# firewall-cmd --remove-service=sshsuccess
[[email protected] Desktop]# ssh [email protected] #无法连接虚拟机
ssh: connect to host 172.25.254.102 port 22: No route to host
恢复:
[[email protected] ~]# firewall-cmd --add-port=8080/tcp --zone=public
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.2
services: dhcpv6-client http ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
永久移除防火墙允许服务:
[[email protected] ~]# firewall-cmd --remove-service=ssh
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.2
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --permanent --remove-service=ssh
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.2
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --complete-reload
当永久删除firewlld允许的ssh服务时 firewall-cmd –reload 与firewall-cmd –complete-reload 重新加载的区别:
在真机连接到服务主机之后使用 firewall-cmd –reload 重新加载时,不会断开连接,可以进行操作
使用 firewall-cmd –complete-reload 重新加载时,会中断连接,不能进行操作
Direct Rules
三表:filter:访问本机数据,过滤,防火墙(包含input、output、forword)
nat:从本机经过的数据,网络地址转换(包含output、prerouting、postrouting)
mangle:(包含input、output、postrouting、prerouting、forward)
五链:
input:目的地址为本机
output:原地址为本机,向外发送
forward:实现转发
postrouting:数据包进入路由之后
prerouting;数据包进入路由之前三表:
filter:访问本机数据,过滤,防火墙(包含input、output、forword)
nat:从本机经过的数据,网络地址转换(包含output、prerouting、postrouting)
mangle:(包含input、output、postrouting、prerouting、forward)
五链:
input:目的地址为本机
output:原地址为本机,向外发送
forward:实现转发
postrouting:数据包进入路由之后
prerouting;数据包进入路由之前三表:
filter:访问本机数据,过滤,防火墙(包含input、output、forword)
nat:从本机经过的数据,网络地址转换(包含output、prerouting、postrouting)
mangle:(包含input、output、postrouting、prerouting、forward)
五链:
input:目的地址为本机
output:原地址为本机,向外发送
forward:实现转发
postrouting:数据包进入路由之后
prerouting;数据包进入路由之前
当http加入firewalld允许访问的列表里面,所有主机都可以访问,这是不安全的,应该对个别主机设定访问权限,以保证安全
1.允许指定ip访问指定服务
[[email protected] ~]# firewall-cmd --list-all #查看火墙的设定信息
[[email protected] ~]# yum install httpd -y
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --permanent --add-service=http #永久允许访问http服务
success
[[email protected] ~]# firewall-cmd --reload #刷新
success
[[email protected] ~]# firewall-cmd --list-all #查看已加入
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
在真机和server浏览器:
172.25.254.102
可以看到http测试界面
2、对个别主机设定访问权限
测试:
[[email protected] ~]# firewall-cmd --permanent --remove-service=http #永久禁止访问http服务
success
[[email protected] ~]# firewall-cmd --reload
success
刷新浏览器,两个都不能查看
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
实验:
[[email protected] ~]# iptables -nL #查看filter表信息
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
禁止访问应该设置input
[[email protected] ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 80 -s 172.25.254.202 -j ACCEPT
success
#--direct 添加规则 ipv4 协议方式 filter 表 INPUT 链 -p 链 --dport 目的地 -s 数据来源 -j 动作(REJECT 有回应的拒绝,DROP 拒绝后没有回显,ACCEPT 接收 )
拒绝一般用REJECT
[[email protected] ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 80 -s 172.25.254.202 -j ACCEPT
浏览器测试:
真机无法查看,server可以
端口转发
当别人访问这台主机时,却连接的是另一台主机
测试:
[[email protected] Desktop]$ ssh [email protected] -X
[email protected]'s password:
Last login: Fri Jun 8 21:20:55 2018 from 172.25.254.2
[[email protected] ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.102 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:20a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:02:0a txqueuelen 1000 (Ethernet)
RX packets 27767 bytes 8748266 (8.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1911 bytes 261245 (255.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
实验:
[[email protected] ~]# firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.202
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.202
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --permanent --add-masquerade #永久开启masquerade服务
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.202
icmp-blocks:
rich rules:
测试:
[[email protected] Desktop]$ ssh [email protected]
[email protected]'s password:
Last login: Fri Jun 8 23:02:19 2018 from 172.25.254.102
[[email protected] ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.202 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:20b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:02:0b txqueuelen 1000 (Ethernet)
RX packets 66175 bytes 579744521 (552.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38019 bytes 2666875 (2.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
访问172.25.254.102,却连接的是172.25.254.202这台主机
地址伪装
在添加地址伪装的主机添加两块网卡并设置不同网段的ip
在desktop虚拟机添加另一个网段的ip:
[[email protected] ~]# cd /etc/sysconfig/network-scripts/
[[email protected] network-scripts]# ls
ifcfg-eth0 ifdown-ppp ifup-eth ifup-sit
ifcfg-lo ifdown-routes ifup-ippp ifup-Team
ifdown ifdown-sit ifup-ipv6 ifup-TeamPort
ifdown-bnep ifdown-Team ifup-isdn ifup-tunnel
ifdown-eth ifdown-TeamPort ifup-plip ifup-wireless
ifdown-ippp ifdown-tunnel ifup-plusb init.ipv6-global
ifdown-ipv6 ifup ifup-post network-functions
ifdown-isdn ifup-aliases ifup-ppp network-functions-ipv6
ifdown-post ifup-bnep ifup-routes
[[email protected] network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[[email protected] network-scripts]# vim ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=none
IPADDR0=172.25.0.102
NETMASK=255.255.255.0
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
ONBOOT=yes
PERSISTENT_DHCLIENT=1
[[email protected] network-scripts]# systemctl restart network
将server虚拟机ip设置为与desktop虚拟机eth1同网段,网关设置为desktop虚拟机eth1的ip
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
IPADDR0=172.25.0.202
GATEWAY=172.25.0.102
NETMASK=255.255.255.0
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
ONBOOT=yes
PERSISTENT_DHCLIENT=1
[[email protected] ~]# systemctl restart network
在desktop虚拟机:
[[email protected] network-scripts]#firewalld-cmd --permanent --remove-forward-port=port=22:proto=22:toaddr=172.25.254.102
#永久删除伪装的ip端口
[[email protected] network-scripts]# sysctl -a |grep ip_forward
net.ipv4.ip_forward = 0
[[email protected] network-scripts]# vim /etc/sysctl.conf
5 net.ipv4.ip_forward = 1
[[email protected] network-scripts]# sysctl -p #加载文件参数
net.ipv4.ip_forward = 1