The previous article covered installing and configuring zsh: http://note.t4x.org/basic/arch-linux-zshell/. This one covers installing and configuring the FirewallD firewall on Arch (on the CentOS 7.x series FirewallD is enabled out of the box).
```console
[root@Centos6 ~]# chkconfig --list | grep iptables   # CentOS 6.x: iptables is enabled by default
iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off
################################################################################
[root@Centos7 ~]# systemctl list-unit-files | grep firewalld   # on CentOS 7 firewalld is enabled by default
firewalld.service enabled
[root@Centos7 ~]# firewall-cmd -V   # CentOS 7.x ships FirewallD 0.3.9
0.3.9
################################################################################
[root@Arch ~]# systemctl list-unit-files | grep firewalld   # not enabled on Arch; install it with pacman -S firewalld if it is missing
firewalld.service disabled
[root@Arch ~]# firewall-cmd -V   # FirewallD 0.3.13
0.3.13
[root@Arch ~]# systemctl start firewalld   # start the firewalld daemon
[root@Arch ~]# firewall-cmd --state   # check that FirewallD is running
running
[root@Arch ~]# systemctl enable firewalld   # start firewalld at boot
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@Arch ~]# systemctl list-unit-files | grep firewalld
firewalld.service enabled
[root@Arch zones]# pwd   # firewalld default (vendor) zone definitions
/usr/lib/firewalld/zones
[root@Arch zones]# pwd   # firewalld system (local) zone definitions; these override the vendor ones
/etc/firewalld/zones
[root@Arch ~]# firewall-cmd --get-zones   # zones firewalld supports
block dmz drop external home internal public trusted work
[root@Arch ~]# firewall-cmd --get-default-zone   # show the default zone
[root@Arch ~]# firewall-cmd --set-default-zone=public   # set the default zone
[root@Arch ~]# firewall-cmd --zone=public --list-all   # everything enabled in zone public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@Arch ~]# firewall-cmd --zone=public --add-interface=eno16777736   # put eno16777736 into zone public
[root@Arch ~]# firewall-cmd --get-zone-of-interface=eno16777736   # show which zone eno16777736 belongs to
[root@Arch ~]# firewall-cmd --zone=public --remove-interface=eno16777736   # remove eno16777736 from zone public
[root@Arch ~]# firewall-cmd --zone=public --list-services   # services enabled in public; the default is dhcpv6-client ssh
[root@Arch ~]# firewall-cmd --zone=public --add-port=80/tcp   # open tcp/80 in zone public
[root@Arch ~]# firewall-cmd --zone=public --remove-port=80/tcp   # close tcp/80 in zone public
[root@Arch ~]# firewall-cmd --zone=dmz --remove-service=ssh   # remove the ssh service from zone dmz
[root@Arch ~]# firewall-cmd --zone=external --remove-service=ssh   # remove the ssh service from zone external
[root@Arch ~]# firewall-cmd --zone=home --remove-service=dhcpv6-client   # remove dhcpv6-client from zone home
[root@Arch ~]# firewall-cmd --zone=work --remove-service=ssh   # remove the ssh service from zone work
```
Runtime (temporary) vs. permanent changes:
```console
[root@Arch zones]# firewall-cmd --zone=work --add-service=ssh
success
[root@Arch zones]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
</zone>
[root@Arch zones]# firewall-cmd --zone=work --remove-service=ssh   # takes effect immediately, but is lost on reload/restart
success
[root@Arch zones]# firewall-cmd --permanent --zone=work --add-service=ssh   # only written to disk; takes effect after firewalld is reloaded (or restarted)
success
[root@Arch zones]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
</zone>
[root@Arch zones]#
```

Note: without `--permanent`, a change is undone by `firewall-cmd --reload`, so it is recommended to add `--permanent` to every configuration command. Conversely, a `--permanent` change does nothing to the running firewall until you reload, so the two are usually done together.
Configuration walkthrough:
```console
[root@Arch /]# ls /sys/class/net/   # my VM's external interface is eno16777736; on real hardware it may be enp3s1, eth1 or similar
eno16777736  lo
[root@Arch /]# firewall-cmd --permanent --new-zone=personal   # create a zone named personal
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-service=ssh   # allow the ssh service in personal
[root@Arch ~]# firewall-cmd --permanent --zone=public --remove-interface=eno16777736   # unbind the NIC from zone public
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-interface=eno16777736   # bind the NIC to zone personal
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-port=443/tcp   # open tcp/443 in personal
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-service=http   # allow the http service in personal
[root@Arch ~]# firewall-cmd --set-default-zone=personal   # make personal the default zone
[root@Arch /]# firewall-cmd --reload   # apply the --permanent changes to the running firewall
```
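The two sections above show that only what lands in `/etc/firewalld/zones/*.xml` survives a reload. The following Python script, an added example that is neither part of the original post nor firewalld's own code, parses that zone-file format and reports two things a reviewer wants to know before reloading: a zone bound to an interface that leaves no way in for ssh (remote lockout), and ssh opened to every source by service or port while a source-restricted rich rule for ssh also exists (the rich rule is then redundant). The zone XML it reads is constructed inline to mirror the `work.xml` printed above and the `personal` zone built in the walkthrough; the `dmz-lab` zone and the `load_dir()` helper are this example's own additions, and the two findings are its own heuristics rather than firewalld checks.

```python
"""Audit firewalld permanent zone files (/etc/firewalld/zones/*.xml format)."""
import glob
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample zone files: what the page's --permanent commands would leave
# on disk after firewall-cmd --reload. "dmz-lab" is invented to trigger the
# lockout finding; it does not appear on the page.
SAMPLE_ZONES = {
    "work": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas.</description>
  <service name="ssh"/>
</zone>""",
    "personal": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eno16777736"/>
  <service name="ssh"/>
  <service name="http"/>
  <port protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="1.1.1.1/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>""",
    "dmz-lab": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eth1"/>
  <service name="http"/>
</zone>""",
}


@dataclass
class RichRule:
    family: str = ""
    source: str = ""      # source address, if the rule has one
    element: str = ""     # "service=ssh" or "port=443/tcp"
    action: str = ""      # accept / reject / drop / mark


@dataclass
class Zone:
    name: str
    interfaces: list = field(default_factory=list)
    services: list = field(default_factory=list)
    ports: list = field(default_factory=list)     # "443/tcp"
    rules: list = field(default_factory=list)     # RichRule objects


def _parse_rule(elem):
    rule = RichRule(family=elem.get("family", ""))
    for part in elem:
        if part.tag == "source":
            rule.source = part.get("address", "")
        elif part.tag == "service":
            rule.element = f"service={part.get('name')}"
        elif part.tag == "port":
            rule.element = f"port={part.get('port')}/{part.get('protocol')}"
        elif part.tag in ("accept", "reject", "drop", "mark"):
            rule.action = part.tag
    return rule


def parse_zone(name, xml_text):
    """Parse one zone file into a Zone; raises on a non-<zone> document."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"{name}: root element is <{root.tag}>, expected <zone>")
    zone = Zone(name)
    for child in root:
        if child.tag == "interface":
            zone.interfaces.append(child.get("name"))
        elif child.tag == "service":
            zone.services.append(child.get("name"))
        elif child.tag == "port":
            zone.ports.append(f"{child.get('port')}/{child.get('protocol')}")
        elif child.tag == "rule":
            zone.rules.append(_parse_rule(child))
    return zone


def load_dir(path):
    """Parse every *.xml zone file in a directory such as /etc/firewalld/zones."""
    zones = []
    for f in sorted(glob.glob(os.path.join(path, "*.xml"))):
        with open(f, encoding="utf-8") as fh:
            zones.append(parse_zone(os.path.splitext(os.path.basename(f))[0], fh.read()))
    return zones


def audit(zones):
    """Return human-readable findings about the permanent configuration."""
    findings = []
    for z in zones:
        ssh_to_all = "ssh" in z.services or "22/tcp" in z.ports
        ssh_by_source = any(r.element == "service=ssh" and r.action == "accept" and r.source
                            for r in z.rules)
        if ssh_to_all and ssh_by_source:
            findings.append(f"{z.name}: ssh is open to every source via service/port, "
                            f"so the source-restricted rich rule for ssh is redundant")
        if z.interfaces and not (ssh_to_all or ssh_by_source):
            findings.append(f"{z.name}: bound to {', '.join(z.interfaces)} with no path for "
                            f"ssh; a reload would cut off remote administration")
    return findings


if __name__ == "__main__":
    for line in audit([parse_zone(n, x) for n, x in SAMPLE_ZONES.items()]):
        print(line)
```

Run it as-is to see the findings for the constructed zones, or replace the sample list with `load_dir("/etc/firewalld/zones")` on a host; vendor defaults in `/usr/lib/firewalld/zones` are only consulted for zones that have no file under `/etc`, so audit both directories if you want the full picture.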
iptables vs. firewalld:
```console
[root@Centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 ! -s 1.1.1.1/32 -j DROP   # drop connections to port 22 unless the source is 1.1.1.1; must come before the ACCEPT, since iptables stops at the first matching rule
[root@Centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT   # allow what is left on port 22, i.e. traffic from 1.1.1.1
[root@Centos6 /]# iptables -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # allow ICMP type 8 (echo-request)
####################################################################
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-port=22/tcp   # opens 22/tcp to every source in the zone; leave this (and --add-service=ssh) out if only 1.1.1.1 should reach ssh
#[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-service=ssh
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-rich-rule='rule family="ipv4" source address="1.1.1.1/32" service name="ssh" accept'   # takes effect after firewall-cmd --reload (see man firewalld.richlanguage)
[root@Arch ~]# firewall-cmd --permanent --zone=personal --add-rich-rule='rule family="ipv4" source address="1.1.1.1/32" port protocol="tcp" port="12345" accept'
[root@Centos7 /]# firewall-cmd --permanent --zone=personal --add-icmp-block=echo-request   # block ICMP echo-request
[root@Centos7 /]# firewall-cmd --permanent --zone=personal --add-icmp-block=echo-reply
```
```bash
# Later notes. "rule priority=" needs firewalld 0.7 or newer and --add-forward needs 0.9 or newer,
# so these do not work on the 0.3.13 build installed above. Rich rules are wrapped in single quotes
# so the double quotes inside them reach firewalld; where a shell variable must expand, the inner
# quotes are escaped instead.
firewall-cmd --zone=personal --add-rich-rule='rule priority="-999" family="ipv4" source address="1.1.1.1/32" accept'
firewall-cmd --zone=personal --add-rich-rule='rule priority="-999" family="ipv4" source address="1.1.1.1/32" protocol value="icmp" accept'
firewall-cmd --zone=personal --add-interface=eth1
firewall-cmd --add-rich-rule='rule priority="-999" family="ipv4" source address="1.1.1.1/32" masquerade'
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT
firewall-cmd --zone=personal --add-rich-rule='rule family="ipv4" source address="1.1.1.1/32" port protocol="tcp" port="1-65535" accept'
# SRC_IP is a placeholder variable name: the original read ${2.2.1.1:-1.1.1.1}, which the shell rejects as a bad substitution
firewall-cmd --zone=personal --add-rich-rule="rule priority=\"-999\" family=\"ipv4\" source address=\"${SRC_IP:-1.1.1.1}\" accept"
firewall-cmd --zone=personal --add-rich-rule="rule priority=\"-999\" family=\"ipv4\" source address=\"${SRC_IP:-1.1.1.1}\" protocol value=\"icmp\" accept"
firewall-cmd --zone=personal --add-rich-rule='rule family="ipv4" source address="1.1.1.1" accept'
firewall-cmd --zone=personal --add-rich-rule="rule family=\"ipv4\" source address=\"${new_dst_ip:-1.1.1.1}\" port protocol=\"udp\" port=\"19993\" accept"
firewall-cmd --zone=personal --add-forward
firewall-cmd --zone=personal --add-masquerade
firewall-cmd --zone=personal --add-rich-rule='rule priority="999" family="ipv4" source address="0.0.0.0/0" protocol value="icmp" drop'
firewall-cmd --zone=personal --add-port=52310-52399/udp
```
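Both the comparison block and the notes above pass rich rules as strings, and an unexpanded shell variable, an out-of-range priority or a port above 65535 only surfaces as a `firewall-cmd` error at apply time. The Python validator below is an added example, not firewalld's parser: it tokenizes the subset of the rich language used on this page (priority, family, source/destination address, the service/port/protocol/icmp-block/masquerade elements and a closing action) and returns a list of problems, so a rule set can be linted before `--permanent` writes it to disk. The priority range and the requirement that `family` accompany an address follow `firewalld.richlanguage(5)`; the sample rules in `SAMPLE_RULES` are constructed from the commands above, including the one whose `${2.2.1.1:-1.1.1.1}` value never expands.

```python
"""Lint firewall-cmd rich-rule strings before they are applied."""
import ipaddress
import re

FAMILIES = {"ipv4", "ipv6"}
ACTIONS = {"accept", "reject", "drop", "mark"}
ELEMENTS = {"service", "port", "protocol", "icmp-block", "icmp-type", "masquerade",
            "forward-port", "source-port"}
ACTIONLESS = {"masquerade", "forward-port"}   # elements that are complete without an action
PRIORITY_MIN, PRIORITY_MAX = -32768, 32767    # documented rich-rule priority range
# name=value with optional single/double quotes, or a bare keyword
_TOKEN = re.compile(r'(\S+?)=(?:"([^"]*)"|\'([^\']*)\'|(\S+))|(\S+)')

# Constructed from the rules on this page; the fourth one carries the broken shell expansion.
SAMPLE_RULES = [
    'rule family="ipv4" source address="1.1.1.1/32" service name="ssh" accept',
    'rule family=ipv4 source address=1.1.1.1/32 port protocol=tcp port=1-65535 accept',
    'rule priority="-999" family="ipv4" source address="1.1.1.1/32" masquerade',
    'rule priority="-999" family="ipv4" source address="${2.2.1.1:-1.1.1.1}" accept',
    'rule priority="999" family="ipv4" source address="0.0.0.0/0" protocol value="icmp" drop',
]


def tokenize(rule):
    """Return (name, value) for name=value tokens and (keyword, None) for bare words.
    Quotes around values are optional, which is also what the shell leaves of the
    "rule family="ipv4" ..." form once its nested double quotes are consumed."""
    tokens = []
    for m in _TOKEN.finditer(rule):
        if m.group(5) is not None:
            tokens.append((m.group(5), None))
        else:
            tokens.append((m.group(1), next(g for g in m.group(2, 3, 4) if g is not None)))
    return tokens


def _check_address(value, family):
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return [f"address {value!r} is not an IP address or network (unexpanded shell variable?)"]
    if family in FAMILIES and net.version != int(family[-1]):
        return [f"address {value} is IPv{net.version} but family is {family}"]
    return []


def _port_ok(spec):
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)


def validate(rule):
    """Return a list of problems; an empty list means the rule parsed cleanly."""
    tokens = tokenize(rule)
    if not tokens or tokens[0] != ("rule", None):
        return ["rule must start with the keyword 'rule'"]
    problems, family, has_address, element, action = [], None, False, None, None
    i = 1
    while i < len(tokens):
        name, value = tokens[i]
        i += 1
        if name == "family" and value is not None:
            family = value
            if value not in FAMILIES:
                problems.append(f"family must be ipv4 or ipv6, got {value!r}")
        elif name == "priority" and value is not None:
            try:
                prio = int(value)
            except ValueError:
                problems.append(f"priority {value!r} is not an integer")
            else:
                if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
                    problems.append(f"priority {prio} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
        elif name in ("source", "destination") and value is None:
            if i < len(tokens) and tokens[i][0].lower() == "not":
                i += 1
            if i < len(tokens) and tokens[i][0] in ("address", "mac", "ipset") and tokens[i][1] is not None:
                if tokens[i][0] == "address":
                    has_address = True
                    problems += _check_address(tokens[i][1], family)
                i += 1
            else:
                problems.append(f"{name} must be followed by address=, mac= or ipset=")
        elif name in ELEMENTS and value is None:
            element = name
            while i < len(tokens) and tokens[i][1] is not None:   # the element's own attributes
                attr, val = tokens[i]
                if attr == "port" and not _port_ok(val):
                    problems.append(f"bad port specification {val!r}")
                if (attr == "protocol" and name in ("port", "source-port", "forward-port")
                        and val not in ("tcp", "udp", "sctp", "dccp")):
                    problems.append(f"bad port protocol {val!r}")
                i += 1
        elif name in ACTIONS and value is None:
            action = name
            while i < len(tokens) and tokens[i][1] is not None:   # e.g. reject type=, mark set=
                i += 1
        else:
            problems.append(f"unexpected token {name!r}")
    if has_address and family is None:
        problems.append("family= is required when a source or destination address is given")
    if action is None and element not in ACTIONLESS:
        problems.append("rule ends without an action (accept, reject, drop or mark)")
    return problems


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print("OK " if not validate(r) else "BAD", r, validate(r))
```

A rule that comes back clean still has to be judged on its effect: `source address="1.1.1.1/32" port port="1-65535"` parses fine and opens every TCP port to that host, so the linter is a pre-flight check, not a policy review.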
Reference: man firewall-cmd
Reference: https://fedoraproject.org/wiki/FirewallD/zh-cn
Reference: https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
Source: Byrd's Weblog - https://note.t4x.org/basic/arch-linux-firewalld/
Notice: unless stated otherwise, all content on Byrd's Blog is original; reproduction without permission is prohibited. See the copyright notice for details.