I have wanted to write a post about firewalld for a long time, but a busy stretch lately, family matters included, left me without the leisure to update the blog.
0. Preface
The purpose of this article is hardening Linux hosts. Plenty of Linux blog posts open by telling you to just switch firewalld off; that is both irresponsible and insecure. What you actually want is to keep the firewall running and open only specific ports, or allow only specific IP addresses to reach them. The article is organised around three tasks:
- Allow any network to reach a specific port or service
- Allow only a specific network to reach a specific port or service
- Deny a specific network access to a specific port or service
1. Demonstrating firewalld rules
1.1. Common firewalld commands
- firewalld service commands (systemctl)
# Check the firewall's current state
systemctl status firewalld
# Restart the firewall
systemctl restart firewalld
# Stop the firewall
systemctl stop firewalld
# Start the firewall at boot
systemctl enable firewalld
- firewall-cmd commands
# List the current firewall rules (runtime configuration of the default zone)
firewall-cmd --list-all
# Reload the permanent configuration so it becomes the runtime policy
firewall-cmd --reload
1.2. firewalld's default configuration
By default firewalld places interfaces in the public zone, and the article works with the public zone throughout. Its target is "default": traffic that matches none of the zone's services, ports or rich rules is rejected, so every port opened below is an explicit exception.
[root@fwd ~]# firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work
[root@fwd ~]#
[root@fwd ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
[root@fwd ~]#
Policies are loaded from XML files, which normally live under the following paths. A file in /etc/firewalld overrides the packaged file of the same name in /usr/lib/firewalld, and firewalld rewrites the /etc copy whenever you change the permanent configuration with firewall-cmd.
# Policy XML shipped with the system (do not edit)
/usr/lib/firewalld/zones/public.xml
# Policy XML generated once the user has changed the configuration
/etc/firewalld/zones/public.xml
1.3. Opening a specific port
Via the command line
- For example, to open port 8080 on the Linux host to every source network, the syntax is: firewall-cmd --permanent --add-port=8080/tcp. --permanent only writes the configuration file; nothing changes on the wire until firewall-cmd --reload. Without --permanent the change applies immediately but is lost at the next reload or reboot.
# Open the port
[root@fwd ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@fwd ~]#
# Apply the policy
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]#
# View the effective policy; 8080 now appears under ports
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@fwd ~]#
Via editing the XML file
- Using vim or nano, add <port port="8081" protocol="tcp"/> inside the <zone> element of the XML file to open port 8081. Keep the file well-formed XML, and run firewall-cmd --check-config before reloading to catch mistakes in the permanent configuration.
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="cockpit"/>
<port port="8080" protocol="tcp"/>
<port port="8081" protocol="tcp"/>
<forward/>
</zone>
[root@fwd ~]#
- Apply the policy and check that it took effect
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@fwd ~]#
1.4. Denying a specific network
This is the blocklist model, used to refuse particular IPs or networks, for example refusing 1.1.1.3 access to port 3306 on this host (a whole network is named the same way, by giving a prefix such as 1.1.1.0/24 as the source address). A reject rule only has a visible effect when the port is otherwise reachable: in the default public zone 3306 is already closed to everyone, so the port is first opened globally (firewall-cmd --permanent --add-port=3306/tcp) and the blocklist rule is added on top. The reject rich rule is evaluated before the zone's port and service entries, so it overrides the global --add-port for the listed source. Use "drop" instead of "reject" if the refused host should not learn that a filter exists; "reject" answers with an ICMP error.
Via the command line
- Syntax: firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="3306" reject'
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="3306" reject'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
[root@fwd ~]#
Via editing the XML file
- For example, add the following rule to /etc/firewalld/zones/public.xml to forbid 1.1.1.4 from reaching port 3306 on this host
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="cockpit"/>
<port port="8080" protocol="tcp"/>
<port port="8081" protocol="tcp"/>
<rule family="ipv4">
<source address="1.1.1.3"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<forward/>
</zone>
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
[root@fwd ~]#
1.5. Allowing a specific network
Via the command line
- For example, allow 1.1.1.3 to reach port 80 on this host. Port 80 is deliberately not opened with --add-port: the allowlist model works only because the zone's default target rejects whatever the rich rules do not accept, so a global --add-port=80/tcp would make the source restriction meaningless.
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="80" accept'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
[root@fwd ~]#
Via editing the XML file
- Add the corresponding rule elements to the XML file; the file below also allows 1.1.1.4 on port 80 in the same way
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="cockpit"/>
<port port="8080" protocol="tcp"/>
<port port="8081" protocol="tcp"/>
<rule family="ipv4">
<source address="1.1.1.3"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<rule family="ipv4">
<source address="1.1.1.3"/>
<port port="80" protocol="tcp"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="80" protocol="tcp"/>
<accept/>
</rule>
<forward/>
</zone>
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]#
2. Advanced firewalld configuration
2.1. firewalld address sets (ipsets)
When the same group of addresses needs rules again and again, writing one rich rule per address produces many rules that are hard to read and maintain. firewalld therefore supports address sets (ipsets): define the set once and reference it from rules, which keeps the policy short and lets you change membership without touching the rules. Type hash:ip holds single addresses; use hash:net when the members are prefixes such as 10.0.0.0/24.
firewall-cmd --permanent --new-ipset=<set name> --type=hash:ip
firewall-cmd --permanent --ipset=<set name> --add-entry=<IP address>
# The generated address-set file
/etc/firewalld/ipsets/<set name>.xml
- Demonstration (a permanent ipset becomes part of the runtime configuration only after firewall-cmd --reload)
[root@fwd ~]# firewall-cmd --permanent --new-ipset=allowlist --type=hash:ip
[root@fwd ~]# firewall-cmd --permanent --ipset=allowlist --add-entry=198.51.100.16
# View the addresses in the set
[root@fwd ~]# cat /etc/firewalld/ipsets/allowlist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<entry>198.51.100.16</entry>
</ipset>
[root@fwd ~]#
# List the existing ipsets
[root@fwd ~]# firewall-cmd --get-ipsets
allowlist
[root@fwd ~]#
- Referencing the set in a rule
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="allowlist" port protocol="tcp" port="3389" accept'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.4" port port="80" protocol="tcp" accept
rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
[root@fwd ~]#
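The allow and deny procedures of sections 1.3 to 1.5 and the ipset workflow of 2.1, gathered into a small bash wrapper. This is an added example, not code from the article; it assumes bash, firewall-cmd in PATH and the public zone, and the client networks 10.0.0.0/24 and 10.0.1.7 as well as the set name mysql_clients are made up for the demo. Every address, port and set name is validated before it is spliced into a rich rule, because the rule is built by string concatenation and a value copied from a ticket such as 1.1.1.3" accept would otherwise change the rule's action. DRY_RUN=1 (the default here) prints the firewall-cmd invocations instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the article): helpers for the allow/deny patterns of
# sections 1.3-1.5 and the ipset workflow of 2.1. Assumes bash, firewall-cmd in
# PATH and the "public" zone. DRY_RUN=1 prints the commands instead of running them.

ZONE=${ZONE:-public}
DRY_RUN=${DRY_RUN:-1}     # default to printing; use DRY_RUN=0 on the real host

# Run firewall-cmd, or print the exact invocation when DRY_RUN=1.
fw() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'firewall-cmd'; for a; do printf " '%s'" "$a"; done; printf '\n'
  else
    firewall-cmd "$@"
  fi
}

# Accept one IPv4 address or CIDR prefix and nothing else. Rich rules are built
# by string concatenation, so an unvalidated value such as  1.1.1.3" accept
# copied from a ticket or an inventory system would change the rule's action.
valid_ipv4() {
  local ip="${1%%/*}" prefix="${1#*/}" octet
  case "$1" in */*) ;; *) prefix=32 ;; esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  set -- $(printf '%s' "$ip" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for octet; do [ "$octet" -le 255 ] || return 1; done
}
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_name() { case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# rich_rule <source spec> <port> <proto> <accept|reject|drop>
# <source spec> is address="..." or ipset="..." and has been validated by the caller.
rich_rule() {
  printf 'rule family="ipv4" source %s port port="%s" protocol="%s" %s' "$1" "$2" "$3" "$4"
}

# allow_from / deny_from <addr|cidr> <port> [proto]
# Neither ever calls --add-port, so the port stays closed to every other source.
allow_from() { _scoped_rule "$1" "$2" "${3:-tcp}" accept; }
deny_from()  { _scoped_rule "$1" "$2" "${3:-tcp}" reject; }
_scoped_rule() {
  valid_ipv4 "$1" || { echo "refusing bad source: $1" >&2; return 2; }
  valid_port "$2" || { echo "refusing bad port: $2" >&2; return 2; }
  fw --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "address=\"$1\"" "$2" "$3" "$4")"
}

# new_ipset <name> [hash:ip|hash:net]   (firewall-cmd fails if the set already exists)
new_ipset() {
  valid_name "$1" || { echo "refusing bad ipset name: $1" >&2; return 2; }
  fw --permanent --new-ipset="$1" --type="${2:-hash:net}"
}
# ipset_add <name> <addr|cidr>...
ipset_add() {
  local name="$1" entry; shift
  valid_name "$name" || { echo "refusing bad ipset name: $name" >&2; return 2; }
  for entry; do
    valid_ipv4 "$entry" || { echo "refusing bad entry: $entry" >&2; return 2; }
    fw --permanent --ipset="$name" --add-entry="$entry"
  done
}
# allow_ipset <name> <port> [proto]
allow_ipset() {
  valid_name "$1" || { echo "refusing bad ipset name: $1" >&2; return 2; }
  valid_port "$2" || { echo "refusing bad port: $2" >&2; return 2; }
  fw --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "ipset=\"$1\"" "$2" "${3:-tcp}" accept)"
}

# Permanent changes only touch the XML files; they become live on reload.
apply() { fw --reload; }

# Demo: MySQL reachable from 1.1.1.5 and from the (assumed) client networks in
# the mysql_clients set, explicitly refused for 1.1.1.3, never opened with --add-port.
deny_from   1.1.1.3 3306
allow_from  1.1.1.5 3306
new_ipset   mysql_clients hash:net
ipset_add   mysql_clients 10.0.0.0/24 10.0.1.7
allow_ipset mysql_clients 3306
apply
```

Review the dry-run output first, then run it as root with DRY_RUN=0 on the target host; because --permanent only edits the configuration files, nothing takes effect until apply calls firewall-cmd --reload.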
2.2. Rule priority
Sometimes evaluation order matters, typically "accept these sources first, then reject everyone else". Rich rules take a priority from -32768 to 32767; lower values are evaluated earlier, and rules without an explicit priority (0) keep firewalld's classic log, deny, allow ordering. Below, 1.1.1.5 is accepted on 3306 at priority 32760 and every other source is rejected at 32767, which turns 3306 into an allowlisted port without ever opening it with --add-port:
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule priority=32760 family="ipv4" source address="1.1.1.5" port protocol="tcp" port="3306" accept'
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule priority=32767 family="ipv4" port protocol="tcp" port="3306" reject'
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.4" port port="80" protocol="tcp" accept
rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
rule priority="32760" family="ipv4" source address="1.1.1.5" port port="3306" protocol="tcp" accept
rule priority="32767" family="ipv4" port port="3306" protocol="tcp" reject
[root@fwd ~]#
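An added audit script, not part of the article, that parses the text of firewall-cmd --list-all and checks the zone against a baseline: which services and ports may be exposed to every source (ssh, dhcpv6-client and 8080/tcp here, which are assumptions), whether the zone target still rejects unmatched traffic, and whether any accept rich rule lacks a source restriction, which is the mistake that silently turns the allowlist of section 1.5 back into --add-port. It also prints the rich rules in the order firewalld evaluates them, using the priority semantics of section 2.2. The listing in SAMPLE_LISTING is constructed for the demo: it combines the article's rules with a deliberately unscoped accept on port 9000 and a priority -10 drop. On a real host call the functions with "$(firewall-cmd --list-all)".

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit a firewalld zone listing against a
# baseline and print the rich rules in evaluation order. Feed it the text of
# `firewall-cmd --list-all`; the listing below is constructed for the demo.

SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
    rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
    rule family="ipv4" port port="9000" protocol="tcp" accept
    rule priority="32760" family="ipv4" source address="1.1.1.5" port port="3306" protocol="tcp" accept
    rule priority="32767" family="ipv4" port port="3306" protocol="tcp" reject
    rule priority="-10" family="ipv4" source address="1.1.1.9" drop'

# Baseline (assumed): what may be exposed to every source. Anything else has to
# be scoped to a source address or ipset through a rich rule.
ALLOWED_SERVICES=${ALLOWED_SERVICES:-"ssh dhcpv6-client"}
ALLOWED_PORTS=${ALLOWED_PORTS:-"8080/tcp"}

field() {       # field <name> <listing>: value of the "<name>:" line
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}
rich_rules() {  # rich_rules <listing>: one rule per line, indentation stripped
  printf '%s\n' "$1" | sed -n '/^[[:space:]]*rich rules:/,$p' | sed '1d; s/^[[:space:]]*//'
}
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# Rich rules in the order firewalld applies them: by priority, lowest first
# (-32768..32767); within the default priority 0, log, then drop/reject, then accept.
effective_order() {
  rich_rules "$1" | awk '{
    p = 0
    if (match($0, /priority="-?[0-9]+"/)) p = substr($0, RSTART + 10, RLENGTH - 11) + 0
    r = 1
    if (p == 0) { if ($0 ~ / log( |$)/) r = 0; else if ($0 ~ / (drop|reject)$/) r = 1; else r = 2 }
    printf "%d %d %d %s\n", p, r, NR, $0
  }' | sort -k1,1n -k2,2n -k3,3n | cut -d' ' -f4-
}

# audit_zone <listing>: print one FINDING line per deviation; exit status 1 if any.
audit_zone() {
  local listing="$1" n=0 x
  x=$(field target "$listing")
  case "$x" in
    default|DROP|%%REJECT%%) ;;
    *) echo "FINDING zone target '$x' lets unmatched traffic through"; n=$((n + 1)) ;;
  esac
  for x in $(field services "$listing"); do
    in_list "$x" "$ALLOWED_SERVICES" || { echo "FINDING service $x is open to every source"; n=$((n + 1)); }
  done
  for x in $(field ports "$listing"); do
    in_list "$x" "$ALLOWED_PORTS" || { echo "FINDING port $x is open to every source"; n=$((n + 1)); }
  done
  # An accept rich rule without "source ..." is just --add-port spelled differently.
  x=$(rich_rules "$listing" | grep ' accept$' | grep -v ' source ' || true)
  if [ -n "$x" ]; then
    printf '%s\n' "$x" | sed 's/^/FINDING accept rule without a source: /'
    n=$((n + $(printf '%s\n' "$x" | wc -l)))
  fi
  [ "$n" -eq 0 ]
}

echo "== rich rules in evaluation order =="
effective_order "$SAMPLE_LISTING"
echo "== deviations from baseline =="
if audit_zone "$SAMPLE_LISTING"; then echo "zone matches baseline"; else echo "zone deviates from baseline"; fi
```

On the sample the audit reports cockpit and 8081/tcp as exposed to every source and flags the accept rule on 9000; the priority -10 drop is listed first and the priority 32767 catch-all reject last, matching how firewalld orders them. Wire audit_zone into a cron job or configuration-management check so the zone is compared against the baseline after every change rather than only when someone remembers to look.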