Firewalld 3
前言
Firewalld 是一个本地的网络策略管理软件,与 iptables 启相同的作用
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly
从 RHEL7/Centos7 开始,系统默认的防火墙软件从 iptables 替换成了 firewalld
这的确是一个不小的变化,从而让很多以前熟悉 iptables 的运维小伙伴一下子变得无所适从
相对于 iptables, firewalld 的确有一些更先进的管理理念,不过也在挑战传统的运维体验
这里就 firewalld 的简单实例进行一个讲解
参考 A service daemon with D-Bus interface 和 USING FIREWALLS
Tip: 当前最新的版本为 firewalld 0.6.0 release
操作
系统环境
[root@ds1 ~]# hostnamectl
Static hostname: ds1
Icon name: computer-vm
Chassis: vm
Machine ID: fce1d1d9ca0345dca5e300f4ee8f6b0a
Boot ID: bcec9e257f154e0d9f0191c13ce7c1d9
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.2.3.el7.x86_64
Architecture: x86-64
[root@ds1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:c9:c7:04 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
valid_lft 74709sec preferred_lft 74709sec
inet6 fe80::5054:ff:fec9:c704/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:fc:bf:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.181/24 brd 192.168.1.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fefc:bf30/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:b3:ae:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.56.181/24 brd 192.168.56.255 scope global noprefixroute eth2
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:feb3:ae0b/64 scope link
valid_lft forever preferred_lft forever
[root@ds1 ~]# 停止服务
[root@ds1 ~]# systemctl stop firewalld.service
[root@ds1 ~]# 启动服务
[root@ds1 ~]# systemctl start firewalld.service
[root@ds1 ~]# 查看状态
[root@ds1 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2018-07-17 16:00:21 UTC; 22s ago
Docs: man:firewalld(1)
Main PID: 4962 (firewalld)
CGroup: /system.slice/firewalld.service
└─4962 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jul 17 16:00:21 ds1 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 17 16:00:21 ds1 systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ds1 ~]# 也可以通过命令看
[root@ds1 ~]# firewall-cmd --state
running
[root@ds1 ~]# 查看 zone
[root@ds1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@ds1 ~]# 查看 default zone
[root@ds1 ~]# firewall-cmd --get-default-zone
public
[root@ds1 ~]# 查看 active zone
[root@ds1 ~]# firewall-cmd --get-active-zones
public
interfaces: eth0 eth1 eth2
[root@ds1 ~]# 设置 default zone
[root@ds1 ~]# firewall-cmd --set-default-zone=trusted
success
[root@ds1 ~]# firewall-cmd --get-default-zone
trusted
[root@ds1 ~]# 获取接口 zone
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth2
trusted
[root@ds1 ~]# 查看 zone 配置
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#调整接口所在的 zone
[root@ds1 ~]# firewall-cmd --zone=internal --change-interface=eth2
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth2
internal
[root@ds1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
NM_CONTROLLED=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.56.181
NETMASK=255.255.255.0
DEVICE=eth2
PEERDNS=no
#VAGRANT-END
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth2"
UUID=3a73717e-65ab-93e8-b518-24f5af32dc0d
ZONE=internal
[root@ds1 ~]# 获取 service
[root@ds1 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@ds1 ~]#添加 ssh 服务
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#
[root@ds1 ~]# firewall-cmd --add-service=ssh
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# 删除 ssh 服务
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# firewall-cmd --remove-service=ssh
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# 设定规则超时时间
[root@ds1 ~]# firewall-cmd --add-service=ssh --timeout=600
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#600s 后这条规则会自动被清除
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# 指定 zone 添加服务
[root@ds1 ~]# firewall-cmd --list-all --zone=internal
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# firewall-cmd --add-service=http --zone=internal
success
[root@ds1 ~]#
[root@ds1 ~]# firewall-cmd --list-all --zone=internal
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# 打开端口
[root@ds1 ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
[root@ds1 ~]# firewall-cmd --zone=internal --list-all
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client http
ports: 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#端口转发
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth1
trusted
[root@ds1 ~]# firewall-cmd --zone=public --change-interface=eth1
The interface is under control of NetworkManager, setting zone to 'public'.
success
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth1
public
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#
[root@ds1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
NM_CONTROLLED=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.181
NETMASK=255.255.255.0
DEVICE=eth1
PEERDNS=no
#VAGRANT-END
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth1"
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
ZONE=public
[root@ds1 ~]# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80
success
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports: port=8888:proto=tcp:toport=80:toaddr=
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# curl localhost:80
ds1
[root@ds1 ~]# curl localhost:8888
curl: (7) Failed connect to localhost:8888; Connection refused
[root@ds1 ~]# 这个时候,从外面访问
wilmos@Nothing:~$ curl 192.168.1.181:8888
ds1
wilmos@Nothing:~$
wilmos@Nothing:~$ curl 192.168.1.181:80
curl: (7) Failed to connect to 192.168.1.181 port 80: No route to host
wilmos@Nothing:~$ 发现可以成功的进行端口转发
DNAT 加上端口映射
这个可以模拟 LVS 的效果
[root@ds1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@ds1 ~]# firewall-cmd --zone=public --add-masquerade
success
[root@ds1 ~]# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
success
[root@ds1 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: yes
forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# 在 rs 上加上默认路由
[root@rs1 ~]# ip route add default via 192.168.56.181 dev eth1
[root@rs1 ~]# 进行访问
wilmos@Nothing:~$ curl 192.168.1.181:80
curl: (7) Failed to connect to 192.168.1.181 port 80: No route to host
wilmos@Nothing:~$ curl 192.168.1.181:8888
rs1
wilmos@Nothing:~$ 查看 icmptypes
[root@ds1 ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@ds1 ~]# 拒绝 icmp
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
[root@ds1 ~]# firewall-cmd --zone=public --add-icmp-block=echo-request
success
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
source-ports:
icmp-blocks: echo-request
rich rules:
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
echo-request
[root@ds1 ~]# 客户端验证
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.395 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.426 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.395/0.410/0.426/0.025 ms
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1006ms
wilmos@Nothing:~$解封 icmp
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
source-ports:
icmp-blocks: echo-request
rich rules:
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
echo-request
[root@ds1 ~]# firewall-cmd --zone=public --remove-icmp-block=echo-request
success
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#客户端验证
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1006ms
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.394 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.430 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 0.394/0.412/0.430/0.018 ms
wilmos@Nothing:~$封 IP
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' source address='192.168.1.6' reject"
success
[root@ds1 ~]# firewall-cmd --list-all --zone=publicpublic (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.6" reject
[root@ds1 ~]# firewall-cmd --list-rich-rules --zone=publicrule family="ipv4" source address="192.168.1.6" reject
[root@ds1 ~]# 客户端校验
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.472 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.397/0.434/0.472/0.042 ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^C^]
telnet> quit
Connection closed.
wilmos@Nothing:~$
wilmos@Nothing:~$
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Port Unreachable
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: Connection refused
wilmos@Nothing:~$ 放开特定端口与源
[root@ds1 ~]# firewall-cmd --zone=block --change-interface=eth1
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@ds1 ~]# firewall-cmd --list-all --zone=block
block (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: eth1
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#此时是无法访问的
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.472 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.397/0.434/0.472/0.042 ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^C^]
telnet> quit
Connection closed.
wilmos@Nothing:~$
wilmos@Nothing:~$
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Port Unreachable
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: Connection refused
wilmos@Nothing:~$ 添加规则
[root@ds1 ~]# firewall-cmd --zone=block --add-rich-rule="rule family='ipv4' source address='192.168.1.6' port port=80 protocol=tcp accept"
success
[root@ds1 ~]# firewall-cmd --list-all --zone=block
block (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: eth1
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.6" port port="80" protocol="tcp" accept
[root@ds1 ~]# firewall-cmd --list-rich-rules --zone=block
rule family="ipv4" source address="192.168.1.6" port port="80" protocol="tcp" accept
[root@ds1 ~]#此时客户端已经可以访问 80 端口
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1016ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: No route to host
wilmos@Nothing:~$ curl 192.168.1.181:80
ds1
wilmos@Nothing:~$ 利用 ipset 管理多个 IP
[root@ds1 ~]# firewall-cmd --permanent --new-ipset=iplist --type=hash:ip
success
[root@ds1 ~]# firewall-cmd --permanent --get-ipsets
iplist
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
type: hash:ip
options:
entries:
[root@ds1 ~]#
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --add-entry=192.168.1.6
success
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
type: hash:ip
options:
entries: 192.168.1.6
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --add-entry=192.168.1.5
success
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
type: hash:ip
options:
entries: 192.168.1.6 192.168.1.5
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --get-entries
192.168.1.6
192.168.1.5
[root@ds1 ~]#ipset 的创建要加 --permanent 参数
否则会报错
[root@ds1 ~]# firewall-cmd --list-all --zone=drop drop (active)
target: DROP
icmp-block-inversion: no
interfaces: eth1
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]#访问不通
wilmos@Nothing:~$ telnet 192.168.1.181
Trying 192.168.1.181...
^C
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
^C
wilmos@Nothing:~$
wilmos@Nothing:~$ curl 192.168.1.181:80
^C
wilmos@Nothing:~$ 添加规则
[root@ds1 ~]# firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source ipset="iplist" accept'
success
[root@ds1 ~]# firewall-cmd --list-all --zone=drop drop (active)
target: DROP
icmp-block-inversion: no
interfaces: eth1
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source ipset="iplist" accept
[root@ds1 ~]#于是可以访问了
wilmos@Nothing:~$ curl 192.168.1.181:80
ds1
wilmos@Nothing:~$ ping 192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.403 ms
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.403/0.403/0.403/0.000 ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^]
telnet> quit
Connection closed.
wilmos@Nothing:~$ipset 有很多种组合形式
[root@ds1 ~]# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
[root@ds1 ~]# 查看 zone 详情
[root@ds1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@ds1 ~]# firewall-cmd --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ds1 ~]# firewall-cmd --info-zone=drop
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: eth1
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source ipset="iplist" accept
[root@ds1 ~]# 查看 service 详情
[root@ds1 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@ds1 ~]# firewall-cmd --info-service=http
http
ports: 80/tcp
protocols:
source-ports:
modules:
destination:
[root@ds1 ~]# 查看 ipset 详情
[root@ds1 ~]# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
[root@ds1 ~]# firewall-cmd --info-ipset=iplist
iplist
type: hash:ip
options:
entries: 192.168.1.6 192.168.1.5
[root@ds1 ~]# 查看 helpers 详情
[root@ds1 ~]# firewall-cmd --get-helpers
Q.931 RAS amanda ftp h323 irc netbios-ns pptp sane sip snmp tftp
[root@ds1 ~]# firewall-cmd --info-helper=ftp
ftp
family:
module: nf_conntrack_ftp
ports: 21/tcp
[root@ds1 ~]# 查看 icmptypes 详情
[root@ds1 ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@ds1 ~]# firewall-cmd --info-icmptype=destination-unreachable
destination-unreachable
destination: ipv4 ipv6
[root@ds1 ~]# firewall-cmd --info-icmptype=echo-reply
echo-reply
destination: ipv4 ipv6
[root@ds1 ~]# firewall-cmd --info-icmptype=echo-request
echo-request
destination: ipv4 ipv6
[root@ds1 ~]#总结
firewalld 毕竟是一个更为先进的 firewall 配置软件
对于防火墙的管理有一套更为强大和灵活的管理方法
但是有一定的学习成本,影响简单直接的 iptables 运维体验
但是走出舒适区,进行技能的更新和迭代也是一个合格运维的基础素质
后面有空再讲讲其它的 firewalld 实例,和其它相关知识
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
容器服务
腾讯云容器服务(Tencent Kubernetes Engine, TKE)基于原生 kubernetes 提供以容器为核心的、高度可扩展的高性能容器管理服务,覆盖 Serverless、边缘计算、分布式云等多种业务部署场景,业内首创单个集群兼容多种计算节点的容器资源管理模式。同时产品作为云原生 Finops 领先布道者,主导开源项目Crane,全面助力客户实现资源优化、成本控制。