firewalld防火墙的一些用法。`--permanent` 表示写入永久配置，需要执行 `firewall-cmd --reload` 后才生效（不加 `--permanent` 则只改运行时配置，reload 或重启后丢失）；`--zone=public` 表示作用于 public 区域，不指定 `--zone` 时作用于默认区域（出厂默认为 public，可用 `firewall-cmd --get-default-zone` 查看）。
1、允许vrrp通信(keepalived需要)
# Direct rule: passed to iptables verbatim and evaluated outside the zone
# logic. It accepts VRRP (IP protocol 112) only on eth0 and only for the
# multicast group 224.0.0.18; if keepalived's vrrp_mcast_group4 is changed
# (see below) the --destination here must be changed to match.
# Permanent only: run `firewall-cmd --reload` to apply.
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
###keepalived 的 global_defs 中以下配置可修改 VRRP 组播地址；修改后上面 direct 规则的 --destination 也要同步修改，否则 VRRP 通告会被丢弃
vrrp_mcast_group4 224.100.100.100 #不写默认是224.0.0.18
2、允许某个IP访问
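# 1. Allow one source IP to reach a single port (MySQL 3306/tcp here).
# Inner quoting uses single quotes: the original nested double quotes were
# consumed by the shell, so firewalld only ever received bare values.
# Single quotes inside the double-quoted argument survive intact and match
# the form used in section 8.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.40.200.192' port protocol='tcp' port='3306' accept"
# 2. Allow one source IP unconditionally (allowlist). This is broad: it
# accepts every port and protocol from that address in this zone; prefer
# the per-port form above unless full access is really intended.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.40.200.192' accept"
# Both rules are --permanent only: run `firewall-cmd --reload` to apply.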
3、禁止某个IP访问
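# 1. Block one source IP on a single port (MySQL 3306/tcp here).
# Single quotes inside the double-quoted argument survive the shell; the
# original nested double quotes were stripped before firewalld saw them.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.40.200.192' port protocol='tcp' port='3306' reject"
# 2. Block one source IP completely (blocklist).
# `reject` answers with an ICMP error / TCP RST and so tells the peer a
# filter exists; for a blocklist of hostile sources `drop` (silent
# discard, no reflected traffic) is usually preferred — swap the action
# if that is the intent.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.40.200.192' reject"
# NOTE(review): without an explicit priority= firewalld evaluates
# reject/drop rich rules before accept ones (firewalld.richlanguage(5):
# log > deny > allow), so these win over the accept rules of section 2
# for the same address — verify on your version. Permanent only: reload.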
4、转发内网RDP端口
#1、开启Linux内核转发(ip_forward)。注意：开启后主机会在所有网卡之间转发流量、成为路由器，而不只是转发RDP；必须配合防火墙规则限制可转发的流量
[root@Linux191 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@Linux191 ~]# grep net.ipv4.ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@Linux191 ~]# sysctl -p
net.ipv4.conf.all.arp_notify = 1
net.ipv4.conf.default.arp_notify = 1
net.ipv4.conf.eth0.arp_notify = 1
net.ipv4.conf.lo.arp_notify = 1
net.ipv4.ip_forward = 1
# 2. Enable masquerading (source NAT) on the public zone. Together with
# ip_forward=1 this turns the host into a NAT router for every packet it
# forwards out of the public zone's interface (eth0 per --get-active-zones
# below), not just the RDP forward — keep it on the zone/interface that
# really needs it. Permanent only: reload to apply.
firewall-cmd --permanent --zone=public --add-masquerade
#查询是否开启
[root@Linux191 ~]# firewall-cmd --query-masquerade
yes
# Disable masquerading on the public zone again (permanent, so reload afterwards).
firewall-cmd --permanent --zone=public --remove-masquerade
#查看启用的防火墙区域和作用的网卡
[root@Linux191 ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
# 3. Open 3389/tcp on the host itself (INPUT), in the public zone.
# NOTE(review): for a DNAT forward the accept in the forward chain is added
# by --add-forward-port, so this line is likely unnecessary and additionally
# exposes any local listener on 3389 — confirm on your firewalld version
# and drop it if it is not needed.
firewall-cmd --permanent --zone=public --add-port=3389/tcp
# 4. DNAT 3389/tcp arriving in the public zone to the internal RDP host.
# This publishes RDP to every source the public zone faces. If only known
# clients need it, use a source-restricted rich rule instead, e.g.
#   rule family='ipv4' source address='<client/cidr>' forward-port port='3389' protocol='tcp' to-port='3389' to-addr='10.40.200.191'
# and put RDP behind a VPN/bastion where possible.
firewall-cmd --permanent --zone=public --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=10.40.200.191
# 5. --permanent changes are not live until the configuration is reloaded.
firewall-cmd --reload
5、管理防火墙
# Start the firewall daemon for the current boot (unit name spelled out).
systemctl start firewalld.service
# Stop it. NOTE: on stop firewalld removes its rules (CleanupOnExit default),
# so the host is unfiltered until it is started again.
systemctl stop firewalld.service
# Enable start at boot; this does not start it now.
systemctl enable firewalld.service
# Show whether it is active, plus recent journal lines.
systemctl status firewalld.service
6、端口管理
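# 1. Open ports in the default zone (add --zone=… to target another).
# Protocol names are lowercase here. NOTE(review): firewalld's port
# validation compares the protocol name case-sensitively in the versions
# I know, so `22/TCP` fails with INVALID_PROTOCOL — verify on your version;
# lowercase is what the rest of this page uses and is correct everywhere.
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-port=53/udp
# 2. Remove them again (same spelling and zone, then `firewall-cmd --reload`).
firewall-cmd --permanent --remove-port=22/tcp
firewall-cmd --permanent --remove-port=53/udp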
7、服务管理
# 1. Allow predefined services in the default zone. The port set comes from
# firewalld's service definitions (/usr/lib/firewalld/services/*.xml,
# listable with `firewall-cmd --get-services`), not from /etc/services.
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
# 2. Remove them again. Removing ssh from the zone you manage the host
# through locks you out at the next --reload; keep a console session open.
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --remove-service=http
#查看端口号与服务名的对应表(/etc/services)。注意：firewalld 的 --add-service 使用的是 /usr/lib/firewalld/services/*.xml 中的服务定义，而不是 /etc/services；可用 firewall-cmd --get-services 列出
[root@Linux191 ~]# cat /etc/services |more
# /etc/services:
# $Id: services,v 1.55 2013/04/14 ovasik Exp $
#
# Network services, Internet style
# IANA services version: last updated 2013-04-10
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
# Updated from RFC 1700, ``Assigned Numbers'' (October 1994). Not all ports
# are included, only the more common ones.
#
# The latest IANA port assignments can be gotten from
# http://www.iana.org/assignments/port-numbers
# The Well Known Ports are those from 0 through 1023.
# The Registered Ports are those from 1024 through 49151
# The Dynamic and/or Private Ports are those from 49152 through 65535
#
# Each line describes one service, and is of the form:
#
# service-name port/protocol [aliases ...] [# comment]
tcpmux 1/tcp # TCP port service multiplexer
tcpmux 1/udp # TCP port service multiplexer
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
--More--
8、黑白名单
# 1. Bind a single source IP to the default zone (public unless changed).
# NOTE(review): this is a zone binding, not an allowlist — traffic from the
# address is then subject to that zone's services/ports/rich rules, nothing
# more. To accept everything from a source, bind it to the trusted zone
# (`--zone=trusted --add-source=…`) or use an accept rich rule as below.
firewall-cmd --permanent --add-source=192.168.1.100
# 2. Same for a whole network.
firewall-cmd --permanent --add-source=192.168.1.0/24
# Remove a binding (must name the same zone it was added to).
firewall-cmd --permanent --remove-source=192.168.1.100
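# Rich rules (single quotes inside the double-quoted argument survive the shell).
# Allow: accept everything from this host. The original line said "allow"
# but used `reject`; the action now matches the intent.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' accept"
# Block: reject the whole /24 (use `drop` instead of `reject` to discard silently).
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
# NOTE(review): 192.168.1.100 lies inside 192.168.1.0/24, and without an
# explicit priority= firewalld evaluates reject/drop rich rules before
# accept ones (firewalld.richlanguage(5): log > deny > allow), so the host
# would still be rejected. Give the accept rule a lower priority value
# (priority='-10', firewalld >= 0.7) or narrow the blocked range — verify
# on your version. Permanent only: reload to apply.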
9、图形化配置防火墙
# Needs a graphical session; pulls in the GTK front end for firewalld.
yum -y install firewall-config
10、查看防火墙配置文件
# 1. Show the runtime configuration of the default zone. Add --permanent to
# see the saved configuration instead, --zone=… for another zone, or use
# --list-all-zones for everything; direct rules need --direct --get-all-rules.
firewall-cmd --list-all
#2、直接查看配置文件
#直接规则(--direct 添加的规则，不是富规则；富规则保存在各区域的 zones/*.xml 中)
[root@Linux192 ~]# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">--in-interface eth0 --destination 10.40.200.191 --protocol vrrp -j ACCEPT</rule>
........................................
</direct>
#区域规则
[root@Linux192 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
........................................................
</zone>