前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >Firewalld 3

Firewalld 3

作者头像
franket
发布2021-08-10 16:20:16
4850
发布2021-08-10 16:20:16
举报
文章被收录于专栏:技术杂记技术杂记

前言

Firewalld 是一个本地的网络策略管理软件,与 iptables 启相同的作用

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly

RHEL7/Centos7 开始,系统默认的防火墙软件从 iptables 替换成了 firewalld

这的确是一个不小的变化,从而让很多以前熟悉 iptables 的运维小伙伴一下子变得无所适从

相对于 iptables, firewalld 的确有一些更先进的管理理念,不过也在挑战传统的运维体验

这里就 firewalld 的简单实例进行一个讲解

参考 A service daemon with D-Bus interfaceUSING FIREWALLS

Documentation

Tip: 当前最新的版本为 firewalld 0.6.0 release


操作

系统环境

代码语言:javascript
复制
[root@ds1 ~]# hostnamectl 
   Static hostname: ds1
         Icon name: computer-vm
           Chassis: vm
        Machine ID: fce1d1d9ca0345dca5e300f4ee8f6b0a
           Boot ID: bcec9e257f154e0d9f0191c13ce7c1d9
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.2.3.el7.x86_64
      Architecture: x86-64
[root@ds1 ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:c9:c7:04 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 74709sec preferred_lft 74709sec
    inet6 fe80::5054:ff:fec9:c704/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:fc:bf:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.181/24 brd 192.168.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fefc:bf30/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b3:ae:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.181/24 brd 192.168.56.255 scope global noprefixroute eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:feb3:ae0b/64 scope link 
       valid_lft forever preferred_lft forever
[root@ds1 ~]# 

停止服务

代码语言:javascript
复制
[root@ds1 ~]# systemctl stop firewalld.service 
[root@ds1 ~]# 

启动服务

代码语言:javascript
复制
[root@ds1 ~]# systemctl start firewalld.service 
[root@ds1 ~]# 

查看状态

代码语言:javascript
复制
[root@ds1 ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-07-17 16:00:21 UTC; 22s ago
     Docs: man:firewalld(1)
 Main PID: 4962 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─4962 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jul 17 16:00:21 ds1 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 17 16:00:21 ds1 systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ds1 ~]# 

也可以通过命令看

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --state
running
[root@ds1 ~]# 

查看 zone

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@ds1 ~]# 

查看 default zone

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-default-zone 
public
[root@ds1 ~]# 

查看 active zone

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0 eth1 eth2
[root@ds1 ~]# 

设置 default zone

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --set-default-zone=trusted 
success
[root@ds1 ~]# firewall-cmd --get-default-zone 
trusted
[root@ds1 ~]# 

获取接口 zone

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth2
trusted
[root@ds1 ~]# 

查看 zone 配置

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

调整接口所在的 zone

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=internal --change-interface=eth2
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth2
internal
[root@ds1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
NM_CONTROLLED=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.56.181
NETMASK=255.255.255.0
DEVICE=eth2
PEERDNS=no
#VAGRANT-END
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth2"
UUID=3a73717e-65ab-93e8-b518-24f5af32dc0d
ZONE=internal
[root@ds1 ~]# 

获取 service

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@ds1 ~]#

添加 ssh 服务

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 
[root@ds1 ~]# firewall-cmd --add-service=ssh 
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

删除 ssh 服务

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --remove-service=ssh 
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

设定规则超时时间

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --add-service=ssh --timeout=600
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

600s 后这条规则会自动被清除

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

指定 zone 添加服务

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --list-all --zone=internal 
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --add-service=http --zone=internal 
success
[root@ds1 ~]# 
[root@ds1 ~]# firewall-cmd --list-all --zone=internal 
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client http
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

打开端口

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
[root@ds1 ~]# firewall-cmd --zone=internal --list-all
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client http
  ports: 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

端口转发

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth1
trusted
[root@ds1 ~]# firewall-cmd --zone=public --change-interface=eth1
The interface is under control of NetworkManager, setting zone to 'public'.
success
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth1
public
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 
[root@ds1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
NM_CONTROLLED=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.181
NETMASK=255.255.255.0
DEVICE=eth1
PEERDNS=no
#VAGRANT-END
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth1"
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
ZONE=public
[root@ds1 ~]# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80
success
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# curl localhost:80
ds1
[root@ds1 ~]# curl localhost:8888
curl: (7) Failed connect to localhost:8888; Connection refused
[root@ds1 ~]# 

这个时候,从外面访问

代码语言:javascript
复制
wilmos@Nothing:~$ curl 192.168.1.181:8888
ds1
wilmos@Nothing:~$ 
wilmos@Nothing:~$ curl 192.168.1.181:80
curl: (7) Failed to connect to 192.168.1.181 port 80: No route to host
wilmos@Nothing:~$ 

发现可以成功的进行端口转发

DNAT 加上端口映射

这个可以模拟 LVS 的效果

代码语言:javascript
复制
[root@ds1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@ds1 ~]# firewall-cmd --zone=public --add-masquerade
success
[root@ds1 ~]# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
success
[root@ds1 ~]# cat  /proc/sys/net/ipv4/ip_forward
1
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

在 rs 上加上默认路由

代码语言:javascript
复制
[root@rs1 ~]# ip route add default via 192.168.56.181 dev eth1
[root@rs1 ~]# 

进行访问

代码语言:javascript
复制
wilmos@Nothing:~$ curl 192.168.1.181:80
curl: (7) Failed to connect to 192.168.1.181 port 80: No route to host
wilmos@Nothing:~$ curl 192.168.1.181:8888
rs1
wilmos@Nothing:~$ 

查看 icmptypes

代码语言:javascript
复制
[root@ds1 ~]#  firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@ds1 ~]# 

拒绝 icmp

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks

[root@ds1 ~]# firewall-cmd --zone=public --add-icmp-block=echo-request 
success
[root@ds1 ~]#  firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
echo-request
[root@ds1 ~]# 

客户端验证

代码语言:javascript
复制
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.395 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.426 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.395/0.410/0.426/0.025 ms
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1006ms

wilmos@Nothing:~$

解封 icmp

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
echo-request
[root@ds1 ~]# firewall-cmd --zone=public --remove-icmp-block=echo-request
success
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks

[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

客户端验证

代码语言:javascript
复制
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1006ms

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.394 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.430 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 0.394/0.412/0.430/0.018 ms
wilmos@Nothing:~$

封 IP

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --zone=public  --add-rich-rule="rule family='ipv4' source address='192.168.1.6' reject"
success
[root@ds1 ~]# firewall-cmd --list-all --zone=publicpublic (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.6" reject
[root@ds1 ~]# firewall-cmd  --list-rich-rules --zone=publicrule family="ipv4" source address="192.168.1.6" reject
[root@ds1 ~]# 

客户端校验

代码语言:javascript
复制
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.472 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.397/0.434/0.472/0.042 ms
wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^C^]
telnet> quit
Connection closed.
wilmos@Nothing:~$ 
wilmos@Nothing:~$ 
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Port Unreachable
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: Connection refused
wilmos@Nothing:~$ 

放开特定端口与源

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=block --change-interface=eth1
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@ds1 ~]# firewall-cmd --list-all --zone=block 
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

此时是无法访问的

代码语言:javascript
复制
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.472 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.397/0.434/0.472/0.042 ms
wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^C^]
telnet> quit
Connection closed.
wilmos@Nothing:~$ 
wilmos@Nothing:~$ 
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Port Unreachable
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: Connection refused
wilmos@Nothing:~$ 

添加规则

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=block  --add-rich-rule="rule family='ipv4' source address='192.168.1.6' port port=80  protocol=tcp accept"
success
[root@ds1 ~]# firewall-cmd --list-all --zone=block
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.6" port port="80" protocol="tcp" accept
[root@ds1 ~]# firewall-cmd  --list-rich-rules --zone=block
rule family="ipv4" source address="192.168.1.6" port port="80" protocol="tcp" accept
[root@ds1 ~]#

此时客户端已经可以访问 80 端口

代码语言:javascript
复制
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1016ms

wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: No route to host
wilmos@Nothing:~$ curl 192.168.1.181:80
ds1
wilmos@Nothing:~$ 

利用 ipset 管理多个 IP

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --permanent --new-ipset=iplist --type=hash:ip
success
[root@ds1 ~]# firewall-cmd --permanent --get-ipsets
iplist
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 
[root@ds1 ~]#
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --add-entry=192.168.1.6
success
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 192.168.1.6
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --add-entry=192.168.1.5
success
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 192.168.1.6 192.168.1.5
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --get-entries
192.168.1.6
192.168.1.5
[root@ds1 ~]#

ipset 的创建要加 --permanent 参数

否则会报错

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --list-all --zone=drop drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

访问不通

代码语言:javascript
复制
wilmos@Nothing:~$ telnet  192.168.1.181 
Trying 192.168.1.181...



^C
wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...



^C
wilmos@Nothing:~$ 
wilmos@Nothing:~$ curl 192.168.1.181:80



^C
wilmos@Nothing:~$ 

添加规则

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source ipset="iplist" accept'
success
[root@ds1 ~]# firewall-cmd --list-all --zone=drop drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source ipset="iplist" accept
[root@ds1 ~]#

于是可以访问了

代码语言:javascript
复制
wilmos@Nothing:~$ curl 192.168.1.181:80
ds1
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.403 ms
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.403/0.403/0.403/0.000 ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^]
telnet> quit
Connection closed.
wilmos@Nothing:~$

ipset 有很多种组合形式

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-ipset-types 
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
[root@ds1 ~]# 

查看 zone 详情

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@ds1 ~]# firewall-cmd --info-zone=public
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --info-zone=drop
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source ipset="iplist" accept
[root@ds1 ~]# 

查看 service 详情

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@ds1 ~]# firewall-cmd --info-service=http
http
  ports: 80/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
[root@ds1 ~]# 

查看 ipset 详情

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-ipset-types 
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
[root@ds1 ~]# firewall-cmd --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 192.168.1.6 192.168.1.5
[root@ds1 ~]# 

查看 helpers 详情

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-helpers 
Q.931 RAS amanda ftp h323 irc netbios-ns pptp sane sip snmp tftp
[root@ds1 ~]# firewall-cmd --info-helper=ftp
ftp
  family: 
  module: nf_conntrack_ftp
  ports: 21/tcp
[root@ds1 ~]# 

查看 icmptypes 详情

代码语言:javascript
复制
[root@ds1 ~]# firewall-cmd --get-icmptypes 
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@ds1 ~]# firewall-cmd --info-icmptype=destination-unreachable
destination-unreachable
  destination: ipv4 ipv6
[root@ds1 ~]# firewall-cmd --info-icmptype=echo-reply 
echo-reply
  destination: ipv4 ipv6
[root@ds1 ~]# firewall-cmd --info-icmptype=echo-request
echo-request
  destination: ipv4 ipv6
[root@ds1 ~]#

总结

firewalld 毕竟是一个更为先进的 firewall 配置软件

对于防火墙的管理有一套更为强大和灵活的管理方法 

但是有一定的学习成本,影响简单直接的 iptables 运维体验

但是走出舒适区,进行技能的更新和迭代也是一个合格运维的基础素质

后面有空再讲讲其它的 firewalld 实例,和其它相关知识

本文系转载,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文系转载前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
目录
  • 前言
  • 操作
    • 系统环境
      • 停止服务
        • 启动服务
          • 查看状态
            • 查看 zone
              • 查看 default zone
                • 查看 active zone
                  • 设置 default zone
                    • 获取接口 zone
                      • 查看 zone 配置
                        • 调整接口所在的 zone
                          • 获取 service
                            • 添加 ssh 服务
                              • 删除 ssh 服务
                                • 设定规则超时时间
                                  • 指定 zone 添加服务
                                    • 打开端口
                                      • 端口转发
                                        • DNAT 加上端口映射
                                          • 查看 icmptypes
                                            • 拒绝 icmp
                                              • 解封 icmp
                                                • 封 IP
                                                  • 放开特定端口与源
                                                    • 利用 ipset 管理多个 IP
                                                      • 查看 zone 详情
                                                        • 查看 service 详情
                                                          • 查看 ipset 详情
                                                            • 查看 helpers 详情
                                                              • 查看 icmptypes 详情
                                                              • 总结
                                                              相关产品与服务
                                                              容器服务
                                                              腾讯云容器服务(Tencent Kubernetes Engine, TKE)基于原生 kubernetes 提供以容器为核心的、高度可扩展的高性能容器管理服务,覆盖 Serverless、边缘计算、分布式云等多种业务部署场景,业内首创单个集群兼容多种计算节点的容器资源管理模式。同时产品作为云原生 Finops 领先布道者,主导开源项目Crane,全面助力客户实现资源优化、成本控制。
                                                              领券
                                                              问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档