Linux notes 6-firewalld firewall


RHEL7 replaced the iptables service with the firewalld service, but the iptables command can still be used to manage the kernel's netfilter in RHEL7. In fact, neither iptables nor firewalld is the firewall itself; they are tools for defining firewall rules. Once the rules are defined, they are handed to netfilter, which enforces them and so provides the firewall function.
firewalld is the default firewall management tool in RHEL7. It distinguishes runtime configuration from permanent configuration, supports dynamic updates, and introduces the concept of zones. It provides a new management command, firewall-cmd, and a graphical tool, firewall-config.

Zones: concept and function

A firewall zone defines the level of trust applied to network connections. Different firewalld zones are used in different scenarios: put simply, several rule combinations have been prepared in advance, and the zone (rule set) is chosen according to the scenario. The default zone is public.
(The table of zones and their rules is an image in the original and is not reproduced here.)

Command-line management tool

The firewall-cmd command configures the firewall efficiently from the command line.
The firewalld service keeps two sets of rule and policy configuration: runtime (currently in effect) and permanent (persists across restarts). After a permanent record is modified, the firewall-cmd --reload command must be run for it to take effect.
(The table of command parameters is an image in the original and is not reproduced here.)
Operation example:

[root@bogon ~]# firewall-cmd --get-default-zone   # show the current default zone
public
[root@bogon ~]# firewall-cmd --get-zone-of-interface=eno16777728
no zone
[root@bogon ~]# firewall-cmd --get-zone-of-interface=ens33   # show the zone of interface ens33
dmz
[root@bogon ~]# firewall-cmd --zone=public --query-service=ssh   # is the ssh service allowed in the public zone?
yes
[root@bogon ~]# firewall-cmd --zone=public --query-service=http   # is the http service allowed in the public zone?
no
[root@bogon ~]# firewall-cmd --set-default-zone=dmz   # set the default zone to dmz
success
[root@bogon ~]# firewall-cmd --reload   # reload the rules so the permanent configuration is applied
success
[root@bogon ~]# firewall-cmd --panic-on   # enable panic mode: all network connections are blocked
success
[root@bogon ~]# firewall-cmd --panic-off   # disable panic mode
success

Method 1: allow https in both the runtime and the permanent configuration (run the command twice, once with --permanent)
[root@bogon ~]# firewall-cmd --zone=public --add-service=https
success
[root@bogon ~]# firewall-cmd --permanent --zone=public --add-service=https
success
Method 2: allow https in both the runtime and the permanent configuration by setting the permanent rule first and then reloading
[root@bogon ~]# firewall-cmd --permanent --zone=public --add-service=https
Warning: ALREADY_ENABLED: https
success
[root@bogon ~]# firewall-cmd --reload
success
# do not allow the http service through the public zone
[root@bogon ~]# firewall-cmd --permanent --zone=public --remove-service=http
Warning: NOT_ENABLED: http
success
[root@bogon ~]# firewall-cmd --reload
success
# allow traffic on ports 8080 and 8081 through the public zone
[root@bogon ~]# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp
success
# check whether it has taken effect (not yet: the change was made only to the permanent configuration, which is not active until a reload)
[root@bogon ~]# firewall-cmd --zone=public --list-ports
58625/tcp 10020/tcp 59173/tcp 80/tcp 48533/tcp 10020/udp 10030/udp
[root@bogon ~]# firewall-cmd --reload
success
# check again after the reload
[root@bogon ~]# firewall-cmd --zone=public --list-ports
58625/tcp 10020/tcp 59173/tcp 80/tcp 48533/tcp 10020/udp 10030/udp 8080-8081/tcp
# move interface ens33 to the external zone
[root@bogon ~]# firewall-cmd --zone=external --change-interface=ens33
success
[root@bogon ~]# firewall-cmd --get-zone-of-interface=ens33
external
# rich rule: reject the ssh service from the 192.168.10.0/24 network
# firewalld rich rules give detailed control over services, ports and protocols and have the highest priority
# (this command currently fails with the error below; to be investigated later)
[root@bogon ~]# firewall-cmd --permanent --zone=public --add-rich-rule="rule  family="ipv4" sourceaddress="192.168.10.0/24" service name ="ssh"  reject "
Error: INVALID_RULE: internal error in _lexer(): =ssh
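As an added example (not from the original notes), the shell functions below build the rich rule with the quoting firewall-cmd expects, which is why the command above fails, and check for the runtime/permanent drift that the two https methods are meant to avoid. The function names `rich_rule`, `runtime_only`, `check_zone_drift` and `apply_reject_rule` are chosen here; the two live functions assume a host with firewall-cmd installed.

```shell
# Added example, not the original author's code.
set -u

# Emit a rich rule that rejects one service from one source network.
# The attempt above failed because the whole rule was wrapped in double quotes
# (so the inner quotes ended the string) and the keywords were run together
# ("sourceaddress", "name ="). firewall-cmd tokenizes on spaces, so the pairs
# must read source address="..." and service name="...".
rich_rule() {
    local net="$1" svc="$2"
    printf 'rule family="ipv4" source address="%s" service name="%s" reject\n' "$net" "$svc"
}

# Print each space-separated item in $1 that is absent from $2.
# Used to find runtime services that would vanish on --reload because they
# were never added with --permanent (the pitfall Method 1 guards against).
runtime_only() {
    local item p found
    for item in $1; do
        found=0
        for p in $2; do [ "$item" = "$p" ] && found=1; done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# Live drift check for one zone; prints nothing when runtime == permanent.
check_zone_drift() {
    local zone="$1"
    command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 2; }
    runtime_only "$(firewall-cmd --zone="$zone" --list-services)" \
                 "$(firewall-cmd --permanent --zone="$zone" --list-services)"
}

# Apply the reject rule permanently, then reload so runtime and permanent agree.
# Passing the rule through a variable keeps its inner double quotes intact.
apply_reject_rule() {
    local zone="$1" net="$2" svc="$3"
    local rule
    rule="$(rich_rule "$net" "$svc")"
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" && firewall-cmd --reload
}
```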

Graphical configuration tool

Run the firewall-config command to open the firewalld graphical configuration tool.

Service access control list

TCP wrappers is an IP-based ACL (access control list) traffic monitoring program. It builds rules from the address of the connecting host and the target service program on the local machine: if an allow rule matches, the traffic is accepted; if a deny rule matches, it is rejected; if neither matches, the default is to accept the traffic. The allow list is checked before the deny list.
Allow list: /etc/hosts.allow
Deny list: /etc/hosts.deny
(The table of client specification formats is an image in the original and is not reproduced here.)
For example, to allow only hosts on the 192.168.10 network segment to access the local httpd service:

[root@bogon ~]# vi /etc/hosts.allow
httpd:192.168.10.
[root@bogon ~]# vi /etc/hosts.deny
httpd:*


Origin blog.csdn.net/zhangxm_qz/article/details/109843366