搞它!!!Linux--深入介绍firewalld防火墙管理工具
搞它!!!Linux--深入介绍firewalld防火墙管理工具
不吃小白菜
发布于 2020-09-03 10:16:06
发布于 2020-09-03 10:16:06
前言
firewall-cmd是firewalld防火墙自带的字符管理工具,可以用来设置firewalld防火墙的各种规则
firewalld防火墙规则分为两种状态:
一种是runtime,指正在运行生效的状态,在runtime状态添加新的防火墙规则,这些规则会立即生效,但是重新加载防火墙配置或者再重启系统后这些规则将会失效 另一种是permanent,指永久生效的状态,在permanent状态添加新的防火墙规则,这些规则不会马上生效,需要重新加载防火墙配置或者重启系统后生效 在使用firewall-cmd命令管理防火墙时,需要添加为永久生效的规则需在配置规则时添加–permanent选项(否则所有命令都是作用于runtime,运行时配置)
如果让永久生效规则立即覆盖当前规则生效使用,还需要使用firewall-cmd --reload命令重新加载防火墙配置
一、firewalld防火墙维护和状态查询命令
1、firewalld防火墙维护命令
- 防火墙进程操作
[root@localhost ~]# systemctl 选项 firewalld
选项:
stop:关闭
start:开启
restart:重启
status:状态- 防火墙管理操作
- firewalld-cmd命令 支持全部防火墙特性
- 对于状态和查询模式,命令只返回状态,没有其他输出
- –permanent(永久的)参数:携带该参数表示永久配置,否则表示运行时配置
- [–zone=]选项:不懈怠此选项表示针对默认区域操作,否则针对指定区域操作
2、firewalld防火墙状态查询命令
查询firewalld状态
[root@localhost ~]# systemctl status firewalld.service '//查看防火墙状态'
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2019-12-09 11:45:18 CST; 2h 46min ago
...省略内容
[root@localhost ~]# firewall-cmd --stat '//查看防火墙状态'
running二、firewalld防火墙重载配置命令
1、重新加载firewalld的配置
- firewall-cmd --reload
- [root@localhost ~]# firewall-cmd --reload
success- firewall-cmd --complete-reload
状态信息将会丢失,多用于处理防火墙出现问题时
[root@localhost ~]# firewall-cmd --complete-reload
success- systemctl restart firewalld
[root@localhost ~]# systemctl restart firewalld.service 2、查询预定义信息命令
- 获取预定义信息
- 查看预定义的区域
- [root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work '//默认网络区域'查看预定义的服务
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc ...省略内容查看预定义的ICMP类型
[root@localhost ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-...省略内容三、firewalld区域操作命令
1、firewalld区域操作命令3-1
显示网络连接或接口的默认区域
[root@localhost ~]# firewall-cmd --get-default-zone
public设置网络连接或接口的默认区域为internal
[root@localhost ~]# firewall-cmd --set-default-zone=internal
success显示已激活的所有区域
[root@localhost ~]# firewall-cmd --get-active-zones
internal
interfaces: ens33激活的条件:区域至少关联一个接口或一个源地址/网段
2、firewalld区域操作命令3-2
- 显示ens33接口绑定的区域
- [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal- 为ens33接口绑定work区域
- [root@localhost ~]# firewall-cmd --zone=work --add-interface=ens33
The interface is under control of NetworkManager, setting zone to 'work'.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work为work区域更改绑定的网络接口ens33
[root@localhost ~]# firewall-cmd --zone=work --change-interface=ens33
The interface is under control of NetworkManager and already bound to 'work'
The interface is under control of NetworkManager, setting zone to 'work'.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work为work区域删除绑定的网络接口ens33
[root@localhost ~]# firewall-cmd --zone=work --remove-interface=ens33
The interface is under control of NetworkManager, setting zone to default.
success3、firewalld区域操作命令3-3
查询work区域中是否包含接口ens33
[root@localhost ~]# firewall-cmd --zone=work --query-interface=ens33
no显示区域及其规则 显示internal区域的所有规则
[root@localhost ~]# firewall-cmd --zone=internal --list-all
...省略内容显示默认区域的所有规则
[root@localhost ~]# firewall-cmd --list-all
...省略内容4、区域操作命令总结
在这里插入图片描述
四、firewalld服务操作命令
1、操作命令
显示internal区域内允许访问的所有服务
为public区域设置允许访问SMTP服务☆☆☆☆☆☆☆
[root@localhost ~]# firewall-cmd --zone=public --add-service=smtp
success删除internal区域中的SSH服务
[root@localhost ~]# firewall-cmd --zone=internal --remove-service=ssh
success查询internal区域中是否启用了SSH服务
[root@localhost ~]# firewall-cmd --zone=internal --query-service=ssh
no2、操作命令总结
在这里插入图片描述
五、firewalld端口操作命令
1、操作命令
显示internal区域内允许访问的所有端口号
启用internal区域22端口的TCP协议组合
[root@localhost ~]# firewall-cmd --zone=internal --add-port=22/tcp --timeout=5m
success
'//--timeout=5m:表示五分钟后删除该端口,多用于测试'禁用internal区域22端口的TCP协议组合
[root@localhost ~]# firewall-cmd --zone=internal --remove-port=22/tcp
success查询internal区域中是否启用了22端口和TCP协议组合
[root@localhost ~]# firewall-cmd --zone=internal --query-port=22/tcp
no2、操作命令总结
在这里插入图片描述
六、firewalld阻塞ICMP操作命令
1、操作命令
显示work区域内阻塞的所有ICMP类型
[root@localhost ~]# firewall-cmd --zone=work --list-icmp-blocks为work区域设置阻塞echo-reply类型的ICMP
[root@localhost ~]# firewall-cmd --zone=work --add-icmp-block=echo-reply
success删除work区域已阻塞的echo-reply类型的ICMP
[root@localhost ~]# firewall-cmd --zone=work --remove-icmp-block=echo-reply
success查询work区域的echo-request类型的ICMP是否阻塞
[root@localhost ~]# firewall-cmd --zone=work --query-icmp-block=echo-request
no2、操作命令总结
在这里插入图片描述
七:实验小案例
1、环境
VMware软件
centos7虚拟机,作为服务器,IP地址为192.168.197.139
需要安装SSH和Apache服务
centos7虚拟机,作为客户机,IP地址为192.168.197.140
2、实验目标
禁止主机ping服务器 只允许192.168.197.140主机访问Apache服务 只允许192.168.197.141主机访问TCP/22端口
3、实验过程
绑定区域
[root@localhost ~]# firewall-cmd --get-active-zones
public
interfaces: ens33
[root@localhost ~]# firewall-cmd --permanent --zone=work --add-source=192.168.197.140
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --add-source=192.168.197.141
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --get-active-zone
work
sources: 192.168.197.140
internal
sources: 192.168.197.141
public
interfaces: ens33配置服务
'//配置work区域服务'
[root@localhost ~]# firewall-cmd --permanent --zone=work --remove-service=ssh
success
[root@localhost ~]# firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
success
[root@localhost ~]# firewall-cmd --permanent --zone=work --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --zone=work --list-services
http
'//配置internal区域服务'
[root@localhost ~]# firewall-cmd --zone=internal --list-services
ssh mdns samba-client dhcpv6-client
[root@localhost ~]# firewall-cmd --permanent --zone=internal --remove-service=mdns
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --remove-service=ssh
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --remove-service=samba-client
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --list-service
'//配置public区域服务'
[root@localhost ~]# firewall-cmd --permanent --zone=public --list-services
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
success
[root@localhost ~]# firewall-cmd --permanent --zone=public --remove-service=ssh
success
[root@localhost ~]# firewall-cmd --permanent --zone=public --list-services配置端口
[root@localhost ~]# firewall-cmd --permanent --zone=internal --list-ports
[root@localhost ~]# firewall-cmd --permanent --zone=internal --add-port=22/tcp
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --list-ports
22/tcp
[root@localhost ~]# 配置ICMP阻塞
'//配置work区域ICMP阻塞'
[root@localhost ~]# firewall-cmd --permanent --zone=work --list-icmp-blocks
[root@localhost ~]# firewall-cmd --permanent --zone=work --add-icmp-block=echo-request
success
[root@localhost ~]# firewall-cmd --permanent --zone=work --list-icmp-blocks
echo-request
'//配置internal区域ICMP阻塞'
[root@localhost ~]# firewall-cmd --permanent --zone=internal --list-icmp-blocks
[root@localhost ~]# firewall-cmd --permanent --zone=internal --add-icmp-block=echo-request
success
[root@localhost ~]# firewall-cmd --permanent --zone=internal --list-icmp-blocks
echo-request
'//配置public区域ICMP阻塞'
[root@localhost ~]# firewall-cmd --permanent --zone=public --list-icmp-blocks
[root@localhost ~]# firewall-cmd --permanent --zone=public --add-icmp-block=echo-request
success
[root@localhost ~]# firewall-cmd --permanent --zone=public --list-icmp-blocks
echo-request重载配置
[root@localhost ~]# firewall-cmd --reload
success安装Apache服务
[root@localhost ~]# yum install httpd -y
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# netstat -ntap | grep 80
tcp 0 36 192.168.197.139:22 192.168.197.1:49466 ESTABLISHED 1580/sshd: root@pts
tcp6 0 0 :::80 :::* LISTEN 3896/4、实验结果
使用客户机ping服务器
'//IP地址192.168.197.140的客户机'
[root@localhost ~]# ping 192.168.197.139
PING 192.168.197.139 (192.168.197.139) 56(84) bytes of data.
From 192.168.197.139 icmp_seq=1 Destination Host Prohibited
From 192.168.197.139 icmp_seq=2 Destination Host Prohibited
From 192.168.197.139 icmp_seq=3 Destination Host Prohibited
^C
--- 192.168.197.139 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2001ms
'//IP地址192.168.197.141的客户机'
[root@localhost ~]# ping 192.168.197.139
PING 192.168.197.139 (192.168.197.139) 56(84) bytes of data.
From 192.168.197.139 icmp_seq=1 Destination Host Prohibited
From 192.168.197.139 icmp_seq=2 Destination Host Prohibited
From 192.168.197.139 icmp_seq=3 Destination Host Prohibited
From 192.168.197.139 icmp_seq=4 Destination Host Prohibited
^C
--- 192.168.197.139 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3001m访问服务器Apache服务 只有192.168.197.140主机能够访问
在这里插入图片描述
在这里插入图片描述
访问服务器TCP/22端口服务
'//IP地址为192.168.197.140的主机'
[root@localhost ~]# ssh 192.168.197.139
ssh: connect to host 192.168.197.139 port 22: No route to host
1
2
3
4
'//IP地址为192.168.197.141的主机'
[root@localhost ~]# ssh 192.168.197.139
The authenticity of host '192.168.197.139 (192.168.197.139)' can't be established.
ECDSA key fingerprint is SHA256:UhiQeQeIoKaH1ogewTdbaZIldXmr3dxKoD0/RN0jhcU.
ECDSA key fingerprint is MD5:95:ac:b8:fe:9e:01:50:3c:56:c9:e3:aa:28:ee:1c:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.197.139' (ECDSA) to the list of known hosts.
root@192.168.197.139's password:
Permission denied, please try again.
root@192.168.197.139's password:
Permission denied, please try again.
root@192.168.197.139's password:
Last failed login: Mon Dec 9 17:40:09 CST 2019 from 192.168.197.141 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Dec 9 16:39:50 2019
[root@localhost ~]# exit
logout
Connection to 192.168.197.139 closed.本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2020-07-31 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读