一直想写一篇关于firewalld的博客,奈何最近事情多也加上一部分家庭的事情,导致没有闲情雅致来进行博客的更新。
0.序言
写这么一篇文章的用处是用于加强linux主机的安全。在很多linux博客文章中,一些人上来就让把firewalld直接关闭,这是一种不负责任的做法,也是一种不安全的做法。实际上应当保留防火墙,只开通特定端口,或者只允许特定IP地址的访问。这里将围绕三个方向来进行讲解。
- 允许任意网段访问特定端口或者服务
- 允许特定网络访问特定端口或者服务
- 拒绝特定网段访问特定端口或者服务
1.firewalld规则的演示
1.1.常用firewalld的命令
- firewalld命令
# 查看现有防火墙运行状态
systemctl status firewalld
# 重启现有防火墙
systemctl restart firewalld
# 停止防火墙
systemctl stop firewalld
# 开机自启动防火墙
systemctl enable firewalld
- firewall-cmd命令
# 查看现有防火墙规则
firewall-cmd --list-all
# 重新加载并应用现有防火墙策略(--permanent 修改的规则需要 reload 后才生效)
firewall-cmd --reload
1.2.默认情况下firewalld的配置
默认情况下,firewalld会把接口放在public区域,文章将按public区域来进行讲解
[root@fwd ~]# firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work
[root@fwd ~]#
[root@fwd ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
[root@fwd ~]#
防火墙的策略是以xml文件的形式加载的,常规情况下文件会存储在如下路径;/etc 下的用户配置文件优先于 /usr/lib 下的系统默认文件。
# 系统默认下的策略xml文件
/usr/lib/firewalld/zones/public.xml
# 用户配置后生成的策略xml文件路径
/etc/firewalld/zones/public.xml
1.3.配置放行特定端口
通过命令行方式操作
- 例如,放行linux机器中的8080端口,允许任何网段访问,语法为:firewall-cmd --permanent --add-port=8080/tcp
# 添加放行端口(--permanent 表示写入持久配置,不加则重启 firewalld 后失效)
[root@fwd ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@fwd ~]#
# 应用策略
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]#
# 查看生效的策略,可以看到端口中放行了8080端口
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@fwd ~]#
通过修改xml文件方式操作
- 通过vim或者nano文件编辑器,在xml文件内添加 <port port="8081" protocol="tcp"/> ,进行8081端口放行
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="cockpit"/>
<port port="8080" protocol="tcp"/>
<port port="8081" protocol="tcp"/>
<forward/>
</zone>
[root@fwd ~]#
- 应用策略和查看配置是否生效
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@fwd ~]#
1.4. 拒绝特定网段访问
此方式为黑名单模式,常用于拒绝特定IP或者网段访问,例如:拒绝1.1.1.x访问本机的3306端口。此方式有一个限制条件,需要先把端口全部放行(即:firewall-cmd --permanent --add-port=3306/tcp),然后才能让黑名单规则起作用。需要注意,这种"先全放行、再拒绝个别来源"的做法,暴露面仍然是除黑名单之外的所有来源,通常只适合临时封禁;长期控制访问应优先采用1.5节的白名单方式。
通过命令行方式操作
- 语法:firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="3306" reject'
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="3306" reject'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
[root@fwd ~]#
通过修改xml文件方式操作
- 例如在/etc/firewalld/zones/public.xml文件中添加如下规则,来使1.1.1.4禁止访问本机的3306端口
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="cockpit"/>
<port port="8080" protocol="tcp"/>
<port port="8081" protocol="tcp"/>
<rule family="ipv4">
<source address="1.1.1.3"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<forward/>
</zone>
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
[root@fwd ~]#
1.5. 允许特定网段访问
此方式为白名单模式:80端口本身不放行(ports 列表中没有80),只有 rich rule 中列出的来源才能访问,其余来源一律按区域默认策略处理。
通过命令行方式操作
- 例如通过如下命令添加规则,来使1.1.1.3能够访问本机的80端口
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.1.1.3" port protocol="tcp" port="80" accept'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
[root@fwd ~]#
通过修改xml文件方式操作
- 在xml文件中添加相应的规则
[root@fwd ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="cockpit"/>
<port port="8080" protocol="tcp"/>
<port port="8081" protocol="tcp"/>
<rule family="ipv4">
<source address="1.1.1.3"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="3306" protocol="tcp"/>
<reject/>
</rule>
<rule family="ipv4">
<source address="1.1.1.3"/>
<port port="80" protocol="tcp"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="1.1.1.4"/>
<port port="80" protocol="tcp"/>
<accept/>
</rule>
<forward/>
</zone>
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]#
2.firewalld高级xml配置
2.1. firewalld的地址集
在编写策略的时候,如果需要反复对同一批地址编写策略,会产生很多规则,可读性和可操作性都很差,因此需要引入地址组的概念,直接在策略中引用地址组,减轻运维难度
firewall-cmd --permanent --new-ipset=<地址组名称> --type=hash:ip
firewall-cmd --permanent --ipset=<地址组名称> --add-entry=<IP地址>
# 生成的地址组文件
/etc/firewalld/ipsets/<地址组名称>.xml
- 演示操作
[root@fwd ~]# firewall-cmd --permanent --new-ipset=allowlist --type=hash:ip
[root@fwd ~]# firewall-cmd --permanent --ipset=allowlist --add-entry=198.51.100.16
# 查看地址集内的IP信息
[root@fwd ~]# cat /etc/firewalld/ipsets/allowlist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<entry>198.51.100.16</entry>
</ipset>
[root@fwd ~]#
# 获取现有地址集名称
[root@fwd ~]# firewall-cmd --get-ipsets
allowlist
[root@fwd ~]#
- 策略中调用地址集
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="allowlist" port protocol="tcp" port="3389" accept'
success
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.4" port port="80" protocol="tcp" accept
rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
[root@fwd ~]#
2.2. 规则的优先级
有时候需要设置优先级,实现先允许后拒绝。priority 数值越小越先匹配:示例中 priority=32760 的放行规则先于 priority=32767 的拒绝规则生效,所以只有1.1.1.5能访问3306端口,其余来源访问3306都会被拒绝。
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule priority=32760 family="ipv4" source address="1.1.1.5" port protocol="tcp" port="3306" accept'
[root@fwd ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule priority=32767 family="ipv4" port protocol="tcp" port="3306" reject'
[root@fwd ~]# firewall-cmd --reload
success
[root@fwd ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 8081/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="1.1.1.3" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.3" port port="80" protocol="tcp" accept
rule family="ipv4" source address="1.1.1.4" port port="3306" protocol="tcp" reject
rule family="ipv4" source address="1.1.1.4" port port="80" protocol="tcp" accept
rule family="ipv4" source ipset="allowlist" port port="3389" protocol="tcp" accept
rule priority="32760" family="ipv4" source address="1.1.1.5" port port="3306" protocol="tcp" accept
rule priority="32767" family="ipv4" port port="3306" protocol="tcp" reject
[root@fwd ~]#
From: https://www.cnblogs.com/amsilence/p/18202263