First, switch from iptables to the firewalld firewall with the following steps:
Disable and stop iptables:
[root@adai003 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@adai003 ~]# systemctl stop iptables
Enable and start firewalld:
[root@adai003 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@adai003 ~]# systemctl start firewalld
Note: the firewall rules have already changed at this point; you can inspect them with iptables -nvL.
[root@adai003 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
On the nine zones:
Note: each of the nine zones holds its own, different set of rules!
[root@adai003 ~]# firewall-cmd --get-default-zone
public
Set the default zone:
[root@adai003 ~]# firewall-cmd --set-default-zone=work
success
Verify:
[root@adai003 ~]# firewall-cmd --get-default-zone
work
[root@adai003 ~]# firewall-cmd --get-zone-of-interface=ens33
public
[root@adai003 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
A zone can be assigned to a network interface in either of two ways:
Method 1:
Edit the interface's configuration file (copy the system's interface configuration file and rename it for the new interface) and add the zone there. After the configuration is done, restart the network service and reload the firewalld service: systemctl restart firewalld.
Method 2:
[root@adai003 ~]# firewall-cmd --zone=work --add-interface=ens37
success
[root@adai003 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@adai003 ~]# firewall-cmd --zone=block --change-interface=ens37
success
[root@adai003 ~]# firewall-cmd --get-zone-of-interface=ens37
block
[root@adai003 ~]# firewall-cmd --zone=bmz --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@adai003 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@adai003 ~]# firewall-cmd --get-active-zones
work
interfaces: ens37
public
interfaces: ens33
[root@adai003 ~]# firewall-cmd --get-services
[root@adai003 ~]# firewall-cmd --list-services
dhcpv6-client ssh
[root@adai003 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
[root@adai003 ~]# firewall-cmd --zone=public --add-service=http
success
[root@adai003 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
[root@adai003 ~]# firewall-cmd --zone=public --add-service=http --permanent
Before removal:
[root@adai003 ~]# firewall-cmd --zone=public --list-service
ftp dhcpv6-client ssh
[root@adai003 ~]# firewall-cmd --zone=public --remove-service=ftp
success
After removal:
[root@adai003 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
[root@adai003 ~]# firewall-cmd --zone=public --list-service
ftp dhcpv6-client http ssh
[root@adai003 ~]# firewall-cmd --zone=public --remove-service=ftp --permanent
success
[root@adai003 ~]# firewall-cmd --reload
success
[root@adai003 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client http ssh
[root@adai003 ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@adai003 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
</zone>
Note: public.xml.old serves as a backup. Each time public.xml is edited, the system automatically saves the previous contents of public.xml to public.xml.old.
[root@adai003 ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
[root@adai003 ~]# ls /usr/lib/firewalld/
icmptypes ipsets services xmlschema zones
Note: after every edit to a configuration file, firewalld must be reloaded (firewall-cmd --reload) for the change to take effect.
Requirement: the ftp service runs on custom port 1121, and ftp must be allowed through in the work zone.
Procedure:
Step 1: copy the ftp service definition to /etc/firewalld/services/
[root@adai003 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
Step 2: edit that file, changing port="21" to port="1121"
[root@adai003 ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
Step 3: copy the work zone's configuration file to /etc/firewalld/zones/
[root@adai003 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
Step 4: edit that file and add the line <service name="ftp"/>
[root@adai003 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
Step 5: reload firewalld
[root@adai003 ~]# firewall-cmd --reload
success
Finished!
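As an added example (not code from the post), the following Python script answers the question a reviewer of steps 1 to 5 would ask: which ports does the work zone now actually accept, and which file opened each one? It applies the same lookup order firewalld uses, a file under /etc/firewalld overriding the stock copy under /usr/lib/firewalld; the file contents are constructed stand-ins modelled on the ftp.xml and work.xml shown above, not read from a live host.

```python
import xml.etree.ElementTree as ET

# firewalld's two configuration trees: stock definitions and local overrides.
DEFAULT_DIR = "/usr/lib/firewalld"
LOCAL_DIR = "/etc/firewalld"

# Constructed file contents standing in for the real directories, modelled on
# the files in the post (ftp.xml rewritten to port 1121, work.xml gaining ftp).
FILES = {
    f"{DEFAULT_DIR}/services/ssh.xml":
        '<service><port protocol="tcp" port="22"/></service>',
    f"{DEFAULT_DIR}/services/dhcpv6-client.xml":
        '<service><port protocol="udp" port="546"/></service>',
    f"{DEFAULT_DIR}/services/ftp.xml":
        '<service><port protocol="tcp" port="21"/></service>',
    f"{LOCAL_DIR}/services/ftp.xml":
        '<service><port protocol="tcp" port="1121"/></service>',
    f"{DEFAULT_DIR}/zones/work.xml":
        '<zone><service name="ssh"/><service name="dhcpv6-client"/></zone>',
    f"{LOCAL_DIR}/zones/work.xml":
        '<zone><service name="ssh"/><service name="dhcpv6-client"/>'
        '<service name="ftp"/></zone>',
}


def load_definition(kind, name, files=FILES):
    """Return (parsed XML, path) for a zone or service; /etc wins over /usr/lib."""
    for base in (LOCAL_DIR, DEFAULT_DIR):
        path = f"{base}/{kind}/{name}.xml"
        if path in files:  # on a live host: os.path.exists(path) and open(path)
            return ET.fromstring(files[path]), path
    raise FileNotFoundError(f"no {kind} definition named {name!r}")


def zone_open_ports(zone, files=FILES):
    """Map each (protocol, port) the zone accepts to the service and file opening it."""
    zone_xml, zone_path = load_definition("zones", zone, files)
    opened = {}
    for svc in zone_xml.findall("service"):
        svc_xml, svc_path = load_definition("services", svc.get("name"), files)
        for port in svc_xml.findall("port"):
            opened[(port.get("protocol"), port.get("port"))] = (svc.get("name"), svc_path)
    # Ports listed directly in the zone with <port .../> are attributed to the zone file.
    for port in zone_xml.findall("port"):
        opened[(port.get("protocol"), port.get("port"))] = ("<zone port>", zone_path)
    return opened


if __name__ == "__main__":
    for (proto, port), (svc, path) in sorted(zone_open_ports("work").items()):
        print(f"{proto}/{port:<5} via {svc:<14} from {path}")
```

Running it shows tcp/1121 attributed to /etc/firewalld/services/ftp.xml while tcp/21 is absent, confirming the override took precedence over the stock definition.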