

Reference sites:
CentOS 7 Firewalld firewall introduction @ 黃昏的甘蔗 :: Xuite blog
小懶蟲's blog: [CentOS 7] firewall settings
How to Configure 'FirewallD' in RHEL/CentOS 7 and Fedora 21
How To Set Up a Firewall Using FirewallD on CentOS 7 | DigitalOcean

On CentOS 7

# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

# firewall-cmd --get-default-zone
public

# firewall-cmd --get-active-zones
public
  interfaces: ens33 ppp0

# firewall-cmd --set-default-zone=internal
# firewall-cmd --get-default-zone
internal

# firewall-cmd --list-all-zones
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Note that in this --list-all-zones output ens33 is bound to the trusted zone, whose target is ACCEPT: every inbound packet arriving on that interface is accepted, whatever the service lists of the other zones say. Check which zone an interface is in with firewall-cmd --get-zone-of-interface=ens33 and move it with firewall-cmd --zone=public --change-interface=ens33 (add --permanent to keep it across reloads).
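
The zone listing above is easier to audit with a script than by eye. The following is an added example, not code from the original post: a set of shell functions that parse a firewall-cmd --list-all-zones dump (a constructed sample is embedded; the zone names, interfaces and rules in it are assumptions, not a real host) and report the findings that matter most: an active zone whose target is ACCEPT, cleartext services such as telnet, which zone an interface is bound to, and accept rich rules that are not restricted to a source address.

```shell
#!/usr/bin/env bash
# Audit a `firewall-cmd --list-all-zones` dump for the settings that matter:
# which zone an interface really lands in, zones that accept everything,
# and "accept" rich rules that are not scoped to a source.
# SAMPLE_ZONES is a constructed, trimmed dump; zone names, interfaces and
# rules are assumptions for this example, not a real host.
SAMPLE_ZONES='public (active)
  target: default
  interfaces: ens33 ppp0
  services: dhcpv6-client ssh telnet
  ports: 4990-4999/udp
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
        rule family="ipv4" service name="http" accept

trusted (active)
  target: ACCEPT
  interfaces: ens34
  services:

dmz
  target: default
  interfaces:
  services: ssh
'

# Every helper reads a dump on stdin. A zone header is the only line that
# starts in column 0; its first word is the zone name.

# Zones that are bound to something and whose target is ACCEPT: all inbound
# traffic on their interfaces/sources is allowed regardless of service lists.
accept_target_active_zones() {
  awk '
    /^[^ \t]/           { zone = $1; active = ($0 ~ /\(active\)/) }
    /^  target: ACCEPT/ { if (active) print zone }
  '
}

# Zones that open the given service, e.g. telnet or ftp (cleartext logins).
zones_with_service() {
  awk -v svc="$1" '
    /^[^ \t]/      { zone = $1 }
    /^  services:/ { for (i = 2; i <= NF; i++) if ($i == svc) print zone }
  '
}

# The zone an interface is bound to; the live equivalent is
# `firewall-cmd --get-zone-of-interface=<iface>`.
zone_of_interface() {
  awk -v ifc="$1" '
    /^[^ \t]/        { zone = $1 }
    /^  interfaces:/ { for (i = 2; i <= NF; i++) if ($i == ifc) print zone }
  '
}

# "accept" rich rules with no source address: they open the service to
# everyone, which is usually not what a rich rule was written for.
unscoped_accept_rules() {
  awk '
    /^[^ \t]/ { zone = $1 }
    /^[ \t]+rule / && /accept$/ && !/source address=/ {
      sub(/^[ \t]+/, "")
      print zone ": " $0
    }
  '
}

# Stand-alone run: report on the constructed sample. On a real host feed
# `firewall-cmd --list-all-zones` into the functions instead.
echo "active zones with target ACCEPT:"
printf '%s\n' "$SAMPLE_ZONES" | accept_target_active_zones
echo "zones opening telnet:"
printf '%s\n' "$SAMPLE_ZONES" | zones_with_service telnet
echo "zone of ppp0:"
printf '%s\n' "$SAMPLE_ZONES" | zone_of_interface ppp0
echo "accept rules without a source:"
printf '%s\n' "$SAMPLE_ZONES" | unscoped_accept_rules
```

On the sample the script flags trusted (ens34 accepts everything), telnet in public, and the http rich rule that is open to any source.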

Open the ftp service temporarily (runtime only; the change is lost at the next --reload or restart)
# firewall-cmd --add-service=ftp

Open the ftp service permanently (saved to the on-disk configuration, but not active until firewall-cmd --reload)
# firewall-cmd --add-service=ftp --permanent
Close it permanently
# firewall-cmd --remove-service=ftp --permanent
success
# firewall-cmd --zone=public --add-service=ftp --permanent
# firewall-cmd --zone=home --add-service=ftp --permanent
# firewall-cmd --zone=public --remove-service=ftp --permanent

Reload
# firewall-cmd --reload
# firewall-cmd --complete-reload
List the settings
# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33 ppp0
  sources:
  services: dhcpv6-client ocserv openvpn
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.1.0/24" service name="http" accept

# firewall-cmd --zone=public --list-services
dhcpv6-client ocserv openvpn

# firewall-cmd --zone=public --add-port=4990-4999/udp --permanent
# firewall-cmd --zone=public --list-ports
4990-4999/udp

Restrict the source IP and the services opened to it
Put single quotes around the whole rule so the double quotes inside reach firewalld intact. The original form, --add-rich-rule="rule family="ipv4" ...", only worked because the shell strips the inner quotes and firewalld also accepts unquoted values; it breaks as soon as a value contains a space or a shell metacharacter. A port element also needs protocol= (the original port port=80 form without it is rejected).
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" limit value="10/m" accept' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept' --permanent
# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept' --permanent
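
An added example (not from the original post) that packages the rich-rule steps above into reusable shell functions: a CIDR check that refuses host bits and bad octets, a builder that emits the rule text with the double quotes firewalld expects, and an idempotent apply step that writes the rule to the permanent config and to the running firewall only when it is not already present. FIREWALL_CMD, APPLY and the networks used in the demo are assumptions for the example.

```shell
#!/usr/bin/env bash
# Build rich rules with the quoting firewalld expects, refuse malformed CIDRs,
# and apply them idempotently to both the permanent and runtime configs.
# Assumption: FIREWALL_CMD names the firewall-cmd binary (a stub can be
# substituted for a dry run); the networks in the demo are made up.
: "${FIREWALL_CMD:=firewall-cmd}"
ALL32=4294967295   # 0xFFFFFFFF

# valid_cidr A.B.C.D/N -> 0 if well-formed and no host bits are set.
# The forward-port example on this page uses 192.168.1.10/24, a network
# written with host bits; this check catches that kind of slip.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; plen=${1#*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o; do
    case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # no empty/octal octets
    [ "$o" -le 255 ] || return 1
  done
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( plen == 0 ? 0 : (ALL32 << (32 - plen)) & ALL32 ))
  [ $(( addr & ~mask & ALL32 )) -eq 0 ]
}

# rich_rule CIDR SERVICE [LIMIT] -> the rule text on stdout.
# Built in a variable, so no shell quoting layer sits between us and firewalld;
# at a prompt the same text would go inside single quotes.
rich_rule() {
  valid_cidr "$1" || { echo "rich_rule: bad CIDR '$1'" >&2; return 1; }
  rule="rule family=\"ipv4\" source address=\"$1\" service name=\"$2\""
  if [ -n "$3" ]; then rule="$rule limit value=\"$3\""; fi
  printf '%s accept\n' "$rule"
}

# apply_rich_rule ZONE RULE: skip if already in the permanent config, else add
# it to the permanent config and to the running firewall, so the rule is live
# now and survives --reload; re-running the script changes nothing.
apply_rich_rule() {
  if "$FIREWALL_CMD" --zone="$1" --permanent --query-rich-rule="$2" >/dev/null 2>&1; then
    return 0
  fi
  "$FIREWALL_CMD" --zone="$1" --permanent --add-rich-rule="$2" &&
    "$FIREWALL_CMD" --zone="$1" --add-rich-rule="$2"
}

# Stand-alone demo: print the rules; set APPLY=1 to push them into firewalld.
for net in 192.168.1.0/24 10.8.0.0/24; do
  r=$(rich_rule "$net" ssh 10/m)
  echo "$r"
  if [ "${APPLY:-0}" = 1 ]; then apply_rich_rule public "$r"; fi
done
rich_rule 192.168.1.10/24 http || echo "(rejected: host bits set)"
```

Running it without APPLY=1 only prints the rules, so it can be reviewed before it touches a production host; the query-then-add pattern means it is safe to re-run from a configuration-management job.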

You can also edit /etc/firewalld/zones/public.xml directly (firewalld picks the change up at the next --reload)
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="openvpn"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>

Reload
# firewall-cmd --reload
# firewall-cmd --complete-reload

Making the settings take effect
firewall-cmd --reload is enough after --permanent changes or after editing the XML files by hand: it re-reads the permanent configuration, drops runtime-only changes and keeps established connections. --complete-reload also reloads the netfilter kernel modules, so connection-tracking state is lost and active connections (the SSH session you are typing in included) may be cut. Restarting the service is not needed for this; it tears down all of firewalld's rules and reinstalls them, leaving a brief window with no filtering:
# systemctl restart firewalld

Check whether the settings took effect (the ftp service added above should show up as a rule for tcp port 21)
# iptables -L -n | grep 21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW
Check the firewall status
# firewall-cmd --state
running

Stopping the service also removes every rule firewalld installed (CleanupOnExit=yes is the default in /etc/firewalld/firewalld.conf), so the host accepts all traffic until it is started again:
# systemctl stop firewalld
# firewall-cmd --state
not running


# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Service names known to FirewallD (the option is --get-services)
# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Query whether a service is enabled in the default zone (runtime configuration; add --permanent to check the saved one)
# firewall-cmd --query-service ftp
yes
# firewall-cmd --query-service ssh
yes
# firewall-cmd --query-service samba
no
# firewall-cmd --query-service http
no

Modifying a service definition that ships with firewalld
Copy the file into /etc/firewalld/services; a file there overrides the one of the same name under /usr/lib/firewalld/services, which is replaced on package upgrades and should not be edited in place.
# cp /usr/lib/firewalld/services/openvpn.xml /etc/firewalld/services
Change the default udp to tcp
# sed -i 's/udp/tcp/' /etc/firewalld/services/openvpn.xml
The edited definition is picked up at the next firewall-cmd --reload.


Adding a port of your own to open
# firewall-cmd --add-port=3128/tcp --permanent
# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ftp ssh
  ports: 3128/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Porting the rules previously used with plain iptables straight into firewalld as direct rules (iptables syntax, placed in firewalld's *_direct chains)
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp -s "140.111.74.0/24" --dport 161 -j ACCEPT
success
Or edit /etc/firewalld/direct.xml directly
# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
   <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING"> -s 192.168.18.0/24 -j MASQUERADE</rule>
   <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT</rule>
   <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p udp -s 140.111.74.0/24 --dport 161 -j ACCEPT</rule>
</direct>

View the current direct rules
# firewall-cmd --direct --get-all-rules
ipv4 nat POSTROUTING 0 -s 192.168.18.0/24 -j MASQUERADE
ipv4 filter INPUT 0 -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
ipv4 filter INPUT 0 -p udp -s 140.111.74.0/24 --dport 161 -j ACCEPT
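
Converting a saved iptables ruleset by hand, as in the direct rules above, becomes error-prone once there are more than a few lines. The following is an added example, not the post's own code: it turns iptables-save output (a constructed sample that reuses the networks from the direct.xml above; the counters and chain policies are made up) into either firewall-cmd --permanent --direct --add-rule commands or direct.xml entries, giving each rule in a chain an increasing priority so the original order is kept. Direct rules live in firewalld's *_direct chains, which are evaluated before the zone chains, and a firewall-cmd --reload is still needed after the permanent changes.

```shell
#!/usr/bin/env bash
# Turn iptables-save output into firewalld direct rules. iptables appends
# (-A) rules in order, so each rule in a chain gets a rising priority to
# keep that order inside firewalld.
# IPTABLES_SAVE is a constructed sample (same networks as the direct.xml on
# this page; the counters and policies are made up).
IPTABLES_SAVE='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.18.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A INPUT -p udp -s 140.111.74.0/24 --dport 161 -j ACCEPT
COMMIT
'

# convert cmd|xml [ipv4|ipv6]  (iptables-save text on stdin)
#   cmd -> one "firewall-cmd --permanent --direct --add-rule" line per rule
#   xml -> one <rule> element per rule, for /etc/firewalld/direct.xml
# Use ipv6 when feeding ip6tables-save output.
convert() {
  awk -v mode="$1" -v ipv="${2:-ipv4}" '
    /^\*/ { table = substr($1, 2); next }          # "*filter" -> filter
    /^-A / {
      chain = $2
      rest = $0
      sub(/^-A [^ ]+ /, "", rest)                  # drop "-A CHAIN "
      prio = seq[table, chain]++                   # 0, 1, 2 ... per chain
      if (mode == "xml")
        printf "<rule priority=\"%d\" table=\"%s\" ipv=\"%s\" chain=\"%s\">%s</rule>\n", prio, table, ipv, chain, rest
      else
        printf "firewall-cmd --permanent --direct --add-rule %s %s %s %d %s\n", ipv, table, chain, prio, rest
    }
  '
}

# direct_xml [ipv4|ipv6]: a complete direct.xml on stdout.
direct_xml() {
  printf '<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
  convert xml "$1" | sed 's/^/   /'
  printf '</direct>\n'
}

# Stand-alone demo on the sample; on a real host pipe `iptables-save` in instead.
printf '%s' "$IPTABLES_SAVE" | convert cmd
printf '%s' "$IPTABLES_SAVE" | direct_xml
```

The generated commands are meant to be reviewed and then run, not eval'd blindly: firewalld already accepts RELATED,ESTABLISHED traffic and loopback in its own INPUT chain, so such rules from an old ruleset can usually be dropped rather than ported.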

NAT
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s  10.8.0.0/24 -o ppp0 -j MASQUERADE
# firewall-cmd --reload
A passthrough rule is handed to iptables exactly as written, outside the zone model; list the ones in place with firewall-cmd --direct --get-all-passthroughs. The firewalld-native way to get the same effect is to turn on masquerading for the zone that holds ppp0, for example firewall-cmd --permanent --zone=external --add-masquerade.

Forward port 8080 to 80 for one source network
# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.1.10/24 forward-port port=8080 protocol=tcp to-port=80'
The source 192.168.1.10/24 has host bits set; write the whole network as 192.168.1.0/24, or the single host as 192.168.1.10, so that the intended scope is unambiguous.

If you really cannot get used to firewalld
Install the iptables-services package
# yum install iptables-services
firewalld and the iptables service both manage the same kernel tables and overwrite each other's rules, so stop (systemctl stop firewalld.service) and mask firewalld, as shown further down, before starting iptables.
Enable the iptables service at boot
# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Start the iptables service
# systemctl start iptables.service

Stop firewalld from starting at boot
# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
Mask firewalld so that nothing, D-Bus activation included, can start it
# systemctl mask firewalld.service
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
Unmask it again to allow firewalld to be used
# systemctl unmask firewalld.service
Removed symlink /etc/systemd/system/firewalld.service.

For more on FirewallD see: https://fedoraproject.org/wiki/FirewallD




 
 
 