
firewalld 防火墙命令(二)

firewalld 防火墙的一些用法。--permanent 表示写入永久配置（/etc/firewalld 下的文件），不会立即生效，需要执行 firewall-cmd --reload 重新加载；--zone=public 表示作用于 public 区域，不指定 --zone 时作用于默认区域（新装系统通常是 public，可用 firewall-cmd --get-default-zone 查看）。

1、允许vrrp通信(keepalived需要)

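# Allow VRRP (the protocol keepalived uses for its advertisements) on the
# cluster interface. This is a firewalld *direct* rule: it is inserted into
# the raw iptables INPUT chain at priority 0 and bypasses zone processing.
# The destination must match keepalived's multicast group, so both are held
# in variables here instead of being repeated as literals.
IFACE=eth0
VRRP_GROUP=224.0.0.18   # keepalived's default vrrp_mcast_group4
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
    --in-interface "$IFACE" --destination "$VRRP_GROUP" --protocol vrrp -j ACCEPT
# --permanent only writes /etc/firewalld/direct.xml; run `firewall-cmd --reload` to apply.
#
# NOTE(security): as written this accepts VRRP from ANY host on $IFACE. On a
# shared segment consider adding --source <peer address> as well, so another
# machine cannot inject advertisements and take over the VIP.
#
# keepalived side: the multicast group is chosen in keepalived.conf with
#   vrrp_mcast_group4 224.100.100.100   # default when omitted: 224.0.0.18
# If you set it to anything other than 224.0.0.18, set VRRP_GROUP above to the
# same value — otherwise this rule never matches and advertisements are
# dropped. (With unicast VRRP the destination is the host's own address; the
# direct.xml shown in section 10 appears to be such a rule — confirm for your setup.)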

2、允许某个IP访问

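# 1. Allow one source address to reach one port (MySQL, 3306/tcp, here).
# Quote the rule with SINGLE quotes on the outside: the rich-rule syntax wants
# double quotes around each value, and if the outer quotes are also double the
# shell strips the inner ones before firewall-cmd sees the rule (whether the
# unquoted result still parses depends on the firewalld version). Section 8
# already uses the safe form. --permanent only saves the rule; run
# `firewall-cmd --reload` to activate it.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.40.200.192" port protocol="tcp" port="3306" accept'
# 2. Allow everything from one source address (whitelist).
# NOTE(security): this grants that address every port on the host, not just
# the services the zone already opens; prefer the per-port form above.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.40.200.192" accept'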

3、禁止某个IP访问

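# 1. Refuse one source address on one port (3306/tcp here).
# Single quotes outside, double quotes around values — see the note in
# section 2: nested double quotes are eaten by the shell. `reject` answers the
# client (ICMP unreachable / TCP reset); use `drop` instead to discard
# silently, which gives a scanner less to work with. --permanent needs
# `firewall-cmd --reload` to take effect.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.40.200.192" port protocol="tcp" port="3306" reject'
# 2. Refuse everything from one source address (blacklist).
# NOTE: per firewalld.richlanguage(5), deny rules are evaluated before accept
# rules of the same priority, so this overrides any more specific accept rule
# for the same address (verify the ordering on your firewalld version).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.40.200.192" reject'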

4、转发内网RDP端口

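# 1. Enable IPv4 forwarding in the kernel — required for any DNAT to another
#    host. The original transcript only *checked* the value; the commands to
#    actually turn it on are included here.
# NOTE(security): with forwarding on, this box routes every packet it is
# asked to forward, not only the RDP flow below — keep the zone rules tight.
# Runtime (immediate, lost on reboot):
sysctl -w net.ipv4.ip_forward=1
# Persistent: /etc/sysctl.conf (or a file under /etc/sysctl.d/) must contain
#   net.ipv4.ip_forward = 1
grep net.ipv4.ip_forward /etc/sysctl.conf   # expect: net.ipv4.ip_forward = 1
# Re-apply /etc/sysctl.conf; it echoes every setting it applied, so unrelated
# entries from the same file (e.g. arp_notify) show up too.
sysctl -p
# Verify the live value.
cat /proc/sys/net/ipv4/ip_forward           # expect: 1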

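# 2. Enable masquerading (source NAT) on the public zone. Needed for the
#    forward-port to another host below: replies from the internal host then
#    come back through this box.
# NOTE(security): masquerade applies to ALL traffic forwarded out of the zone,
# not only port 3389 — together with ip_forward=1 this host now NATs anything
# it is asked to route.
firewall-cmd --permanent --zone=public --add-masquerade
# Check. Without --permanent the query looks at the RUNTIME configuration,
# which does not contain the rule above until `firewall-cmd --reload`, so the
# original check could report "no" right after a successful add. Query the
# saved configuration instead (or reload first).
firewall-cmd --permanent --zone=public --query-masquerade   # prints: yes
# Turn masquerading off again (also --permanent: reload to apply).
firewall-cmd --permanent --zone=public --remove-masquerade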

#查看启用的防火墙区域和作用的网卡
[root@Linux191 ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0

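# 3. Open 3389/tcp on the host itself. This affects the host's own INPUT
#    chain only; packets DNAT-ed in step 4 are rewritten in PREROUTING and go
#    through FORWARD, so this line is not what makes the forward work. Keep it
#    only if this host itself serves 3389 — otherwise it just exposes any
#    local listener.
firewall-cmd --permanent --zone=public --add-port=3389/tcp

# 4. Forward 3389/tcp arriving on the public zone to the internal RDP host.
# NOTE(security): as written, RDP is reachable from EVERY address that can
# reach the public zone; RDP is a common brute-force and exploitation target.
# If the clients are known, restrict the forward to their source address with
# a rich rule instead of the zone-wide forward-port, e.g.:
#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<client-ip>" forward-port port="3389" protocol="tcp" to-port="3389" to-addr="10.40.200.191"'
firewall-cmd --permanent --zone=public --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=10.40.200.191

# 5. Everything above was --permanent; nothing is active until the saved
#    configuration is reloaded.
firewall-cmd --reload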

5、管理防火墙

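# Start firewalld now.
systemctl start firewalld
# Stop firewalld.
# NOTE(security): on stop firewalld removes its rules (unless CleanupOnExit=no
# is set in /etc/firewalld/firewalld.conf), leaving the host without packet
# filtering until it is started again.
systemctl stop firewalld
# Start automatically at boot — and the counterpart, which the original
# listing lacked.
systemctl enable firewalld
systemctl disable firewalld
# Show whether the service is running, plus its recent log lines.
systemctl status firewalld
# The daemon's own view (prints "running" or "not running").
firewall-cmd --state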

6、端口管理

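# 1. Open ports in the default zone. The protocol must be lower-case:
#    firewall-cmd rejects "22/TCP" with INVALID_PROTOCOL, so the original
#    upper-case form never added anything. --permanent: reload to apply.
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-port=53/udp
# 2. Close them again (same spelling as when they were added).
firewall-cmd --permanent --remove-port=22/tcp
firewall-cmd --permanent --remove-port=53/udp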

7、服务管理

# 1. Allow named services in the default zone. A service name expands to the
#    ports defined in /usr/lib/firewalld/services/<name>.xml (local overrides
#    live in /etc/firewalld/services/). --permanent: reload to apply.
for svc in ssh http; do
  firewall-cmd --permanent --add-service="$svc"
done
# 2. Remove the same services again.
for svc in ssh http; do
  firewall-cmd --permanent --remove-service="$svc"
done

#查看 firewalld 服务（--add-service 所用名称）的定义：/usr/lib/firewalld/services/*.xml（自定义或覆盖放在 /etc/firewalld/services/）。下面的 /etc/services 只是系统的 IANA 端口名称表，firewalld 并不读取它，仅供查询端口号参考
[root@Linux191 ~]# cat /etc/services |more
# /etc/services:
# $Id: services,v 1.55 2013/04/14 ovasik Exp $
#
# Network services, Internet style
# IANA services version: last updated 2013-04-10
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
# Updated from RFC 1700, ``Assigned Numbers'' (October 1994).  Not all ports
# are included, only the more common ones.
#
# The latest IANA port assignments can be gotten from
#       http://www.iana.org/assignments/port-numbers
# The Well Known Ports are those from 0 through 1023.
# The Registered Ports are those from 1024 through 49151
# The Dynamic and/or Private Ports are those from 49152 through 65535
#
# Each line describes one service, and is of the form:
#
# service-name  port/protocol  [aliases ...]   [# comment]

tcpmux          1/tcp                           # TCP port service multiplexer
tcpmux          1/udp                           # TCP port service multiplexer
rje             5/tcp                           # Remote Job Entry
rje             5/udp                           # Remote Job Entry
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
--More--

8、黑白名单

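# 1. Whitelist a single address.
# --add-source binds the address to a zone; traffic from it is then judged by
# THAT zone's rules. Without --zone the default zone is used (public on a stock
# install) — and section 4 shows eth0 already in public, so binding a source
# to public there changes nothing and is not a whitelist. Bind the source to
# the `trusted` zone, which accepts everything, instead.
firewall-cmd --permanent --zone=trusted --add-source=192.168.1.100
# 2. Whitelist a whole network.
firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24
# (The mirror image — a blacklist — is the same command with --zone=drop.)

# Remove: the zone must be the one the source was added to.
firewall-cmd --permanent --zone=trusted --remove-source=192.168.1.100
firewall-cmd --permanent --zone=trusted --remove-source=192.168.1.0/24
# All --permanent: run `firewall-cmd --reload` to apply.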

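# Rich-rule form. Unlike --add-source, a rich rule keeps the address in its
# zone and adds a per-packet verdict that can be combined with ports/services.
# Allow (accept) one address. The original listing labelled this "allow" but
# used `reject`, which would have blocked the address instead.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' accept"
# Block (reject) a whole network. Use `drop` instead of `reject` to discard
# silently rather than answer the sender. --permanent: reload to apply.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"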

9、图形化配置防火墙

# GUI front end for firewalld; only useful on a host with a graphical session.
yum -y install firewall-config

10、查看防火墙配置文件

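# 1. Show the RUNTIME configuration of the default zone — what is enforced now.
firewall-cmd --list-all
# Every rule on this page was added with --permanent, so none of them appears
# in the runtime listing until `firewall-cmd --reload`; to see what is saved on
# disk, list the permanent configuration too.
firewall-cmd --permanent --list-all
# Add --zone=<name> for another zone, or use --list-all-zones for all of them.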
#2、直接查看配置文件
#直接规则（--direct 添加的规则存放在 direct.xml；富规则并不在这里，而是作为 <rule> 元素存放在下面的区域文件 zones/*.xml 中）
[root@Linux192 ~]# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">--in-interface eth0 --destination 10.40.200.191 --protocol vrrp -j ACCEPT</rule>
........................................
</direct>

#区域规则
[root@Linux192 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
 ........................................................
</zone>
