Linux 防火墙管理

 [root@client ~ 14:08:36]# systemctl status firewalld.service 
 ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
    Active: inactive (dead)
      Docs: man:firewalld(1)
 [root@client ~ 14:18:09]# systemctl enable firewalld.service  --now
 Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
 Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
 ​

查看zone配置

 #etc优先级高
 [root@client ~ 14:18:29]# ls /etc/firewalld/
 firewalld.conf  icmptypes  lockdown-whitelist.xml  zones
 helpers         ipsets     services
 [root@client ~ 14:37:38]# ls /usr/lib/firewalld/
 helpers  icmptypes  ipsets  services  zones
 ​
 [root@client ~ 14:38:46]# cd /usr/lib/firewalld/
 [root@client firewalld 14:46:10]# ls
 helpers  icmptypes  ipsets  services  zones
 [root@client firewalld 14:46:12]# ls zones/
 block.xml  drop.xml      home.xml      public.xml   work.xml
 dmz.xml    external.xml  internal.xml  trusted.xml
 [root@client firewalld 14:46:34]# cat zones/trusted.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="ACCEPT">
   <short>Trusted</short>
   <description>All network connections are accepted.</description>
 </zone>
 [root@client firewalld 14:48:05]# cat zones/block.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="%%REJECT%%">
   <short>Block</short>
   <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
 </zone>
 [root@client firewalld 14:48:19]# cat zones/drop.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="DROP">
   <short>Drop</short>
   <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
 </zone>
 ​

查看服务配置

 [root@client firewalld 14:49:22]# ls -1 services
 [root@client firewalld 14:49:22]# cat services/http.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <service>
   <short>WWW (HTTP)</short>
   <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
   <port protocol="tcp" port="80"/>
 </service>
 ​
 [root@client firewalld 14:49:40]# cat services/https.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <service>
   <short>Secure WWW (HTTPS)</short>
   <description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
   <port protocol="tcp" port="443"/>
 </service>
 ​

 [root@client firewalld 14:49:51]# firewall-cmd --get-zones 
 block dmz drop external home internal public trusted work
 [root@client firewalld 14:50:09]# firewall-cmd --get-active-zones 
 public
   interfaces: ens33
 [root@client firewalld 14:50:20]# firewall-cmd --get-default-zone 
 public
 ​

source管理

 # 来源于特定source的数据包交给特定zone处理
 [root@server firewalld 14:59:55]# firewall-cmd --add-source=192.168.1.0/24 --zone=home 
 success
 ​
 # 查看source清单
 [root@server firewalld 15:01:44]# firewall-cmd --list-sources --zone=home
 192.168.1.0/24
 ​
 # 查看source属于哪个zone
 [root@server firewalld 15:02:20]# firewall-cmd --get-zone-of-source=192.168.1.0/24
 home
 ​
 # 查看source是否添加
 [root@server firewalld 15:02:40]# firewall-cmd --query-source=192.168.1.0/24 --zone=home 
 yes
 ​
 # 变更source到其他zone
 [root@server firewalld 15:03:39]# firewall-cmd --change-source=192.168.1.0/24 --zone=public
 success
 ​
 # 删除zone中source
 [root@server firewalld 15:03:59]#  firewall-cmd --remove-source=192.168.1.0/24 --zone=public
 success
 ​

interface管理

 # 查看zone中interface
 [root@server firewalld 15:04:06]# firewall-cmd --list-interfaces
 ens33 ens36
 # 查看interface属于哪个zone
 [root@server firewalld 15:04:53]# firewall-cmd --get-zone-of-interface=ens33
 public
 # 查看interface是否添加
 [root@server firewalld 15:05:32]# firewall-cmd --query-interface=ens33
 yes
 # 将interface变更到其他zone
 [root@server firewalld 15:06:05]#  firewall-cmd --change-interface=ens33 --zone=home
 success
 ​
 # 删除zone中interface
 [root@server firewalld 15:06:24]#  firewall-cmd --remove-interface=ens33 --zone=home
 success
 ​
 # 如果interface不属于任何zone，使用以下命令将interface绑定到特定zone
 [root@server firewalld 15:06:46]# firewall-cmd --add-interface=ens33 --zone=public
 success
 ​

service 管理

 [root@server ~ 15:29:31]# yum install -y httpd
 [root@server ~ 15:29:31]# systemctl start httpd
 ​
 # 查看系统中预定义了哪些服务
 [root@server ~ 15:30:02]# firewall-cmd --get-services
 ​
 # 查看放行服务列表
 [root@server ~ 15:30:22]# firewall-cmd --list-services 
 dhcpv6-client ssh
 ​
 # 查看服务是否放行
 [root@server ~ 15:30:52]# firewall-cmd --query-service=http
 no
 ​
 # 删除服务
 [root@server ~ 15:31:18]# firewall-cmd --remove-service=http
 ​

port管理

 # 添加放行端口
 [root@server ~ 15:31:37]# firewall-cmd --add-port=80/tcp
 success
 ​
 # 查看端口放行列表
 [root@server ~ 15:32:35]# firewall-cmd --list-ports 
 80/tcp
 ​
 # 查看端口是否放行
 [root@server ~ 15:32:55]# firewall-cmd --query-port=80/tcp
 yes
 ​
 # 删除端口
 [root@server ~ 15:33:26]# firewall-cmd --remove-port=80/tcp
 success
 ​

放行服务文件示例

• /usr/lib/firewalld/services/http.xml ~

#把 "HTTP 服务规则手册" 从系统的规则库（/usr/lib/firewalld/services/）移动到自己的家目录（~，相当于 "个人抽屉"），移动出去
[root@server ~ 15:33:40]# mv /usr/lib/firewalld/services/http.xml ~

#让保安系统重新 "读一遍所有规则手册"，刷新配置,发现没找到
[root@server ~ 15:36:27]# systemctl reload firewalld.service

#告诉保安："请允许 HTTP 服务的流量通过"，没有手册不能执行
[root@server ~ 15:36:35]# firewall-cmd --add-service=http
Error: INVALID_SERVICE: http

#移动回来
[root@server ~ 15:36:43]# mv http.xml /usr/lib/firewalld/services/http.xml

#重启刷新
[root@server ~ 15:36:55]# systemctl reload firewalld.service
#再次执行
[root@server ~ 15:37:38]# firewall-cmd --add-service=http
success

SNAT实验

[root@client ~ 19:44:53]# nmcli connection modify ens33 ipv4.gateway 10.1.8.10
[root@client ~ 19:44:58]# nmcli connection up ens33 
[root@client ~ 19:45:06]# ip route
#发现没有显示启动
[root@client ~ 19:45:12]# mtr 1.1.1.1

#进入server端
[root@server ~ 19:46:26]# systemctl start firewalld
[root@server ~ 19:48:53]# systemctl status firewalld
[root@server ~ 19:49:01]# firewall-cmd --add-masquerade 
success
[root@server ~ 19:49:02]# firewall-cmd --query-masquerade 
yes
#client端执行成功
[root@client ~ 19:50:19]# mtr 1.1.1.1

DNAT实验

[root@server ~ 19:49:08]# firewall-cmd --add-forward-port=port=1022:proto=tcp:toport=22:toaddr=10.1.8.11
success

#+添加新选项卡
输入  root@10.1.8.10:1022 #10.1.8.10地址显示client端成功

补充实验

[root@server ~ 19:52:49]# firewall-cmd --add-forward-port=port=1080:proto=tcp:toport=80:toaddr=10.1.8.11
success
[root@client ~ 19:50:48]# yum install -y httpd
[root@client ~ 19:55:48]# systemctl start httpd
[root@client ~ 19:55:56]# echo Hello World From Client > /var/www/html/index.html
[root@client ~ 19:55:57]# curl localhost
Hello World From Client

# 回到server端
[root@server ~ 19:52:49]# firewall-cmd --add-forward-port=port=1080:proto=tcp:toport=80:toaddr=10.1.8.11
success

# 此时打开浏览器访问10.1.8.10:1080 就可以访问到网页，显示Hello World From Client