linux防火墙之forewalld

管理方式

（1）firewalld-config         图形化

（2）firewalld-cmd             命令行

（3）xml（zone，server） vim

搭建测试环境：

关闭iptables防火墙，开启firewalld防火墙，安装好测试服务（httpd，vsftpd）

[root@localhost ~]# systemctl stop iptables
Failed to stop iptables.service: Unit iptables.service not loaded.
[root@localhost ~]# systemctl start  firewalld
[root@localhost ~]# systemctl status   firewalld
?.firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since 浜.2019-11-29 22:06:39 CST; 3min 54s ago
     Docs: man:firewalld(1)
 Main PID: 1160 (firewalld)
   CGroup: /system.slice/firewalld.service
           ?..1160 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

11?.29 22:06:37 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
11?.29 22:06:39 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
11?.29 22:06:44 localhost.localdomain firewalld[1160]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
11?.29 22:06:44 localhost.localdomain firewalld[1160]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
11?.29 22:06:44 localhost.localdomain firewalld[1160]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
11?.29 22:06:44 localhost.localdomain firewalld[1160]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
11?.29 22:06:44 localhost.localdomain firewalld[1160]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
11?.29 22:06:44 localhost.localdomain firewalld[1160]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.

[root@localhost ~]# yum install vsftpd httpd -y

安装好图像化系统之后，我们

[root@localhost yum.repos.d]# firewall-config

Firewalld

==========================================================

==停用低级别管理工具==
[root@server0 ~]# for i in iptables ip6tables ebtable
> do
> systemctl mask ${i}
> done

==firewalld Zones==
定义信任的等级，默认是从不信任到完全信任
用户可以通过两种方式引导流量进入相应的zone
1.通过--zone=internal --add-source=192.168.0.0/24
2.将网卡与zone绑定

==If the source address of an incoming packet matches a source rule setup for a zone, that packet will be routed through that zone.
==If the incoming interface for a packet matches a filter setup for a zone, that zone will be used.
==Otherwise, the default zone is used. The default zone is not a separate zone; instead, it points to one of the other zones defined on the system.

一个原地址只能匹配一个zone

先源再接口

然后是默认zone

drop
block
dmz
external
public
work
internal
home
trusted

[root@server0 ~]# firewall-cmd --get-zone-of-interface=
eth0 eth1 eth2 lo
[root@server0 ~]# firewall-cmd --get-zone-of-interface=eth0
public
[root@server0 ~]# firewall-cmd --get-zone-of-interface=eth1
no zone
[root@server0 ~]# firewall-cmd --get-zone-of-interface=eth2
no zone


==Managing firewalld==
firewalld can be managed in three ways:

Using the command-line tool firewall-cmd.
Using the graphical tool firewall-config.
Using the configuration files in /etc/firewalld/.


1. firewall-cmd
注：在使用firewall-cmd添加或删除规则时应用指明相应的zone，如果不指定为默认zone
[root@server0 ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work

[root@server0 ~]# firewall-cmd --get-default-zone
public

====LAB1=====: 将source 172.25.0.0/24 引导到zone work

[root@server0 ~]# yum install httpd mod_ssl -y
[root@server0 ~]# echo "tianyun" > /var/www/html/index.html
[root@server0 ~]# systemctl enable httpd.service
[root@server0 ~]# systemctl start httpd.service

[root@desktop0 ~]# curl http://server0
curl: (7) Failed connect to server0:80; No route to host

[root@server0 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports: 514/tcp 514/udp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@server0 ~]# firewall-cmd --permanent --zone=work --add-service=http
success
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# firewall-cmd --permanent --zone=work --list-all
work
interfaces:
sources:
services: dhcpv6-client http ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@server0 ~]# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@desktop0 ~]# curl http://server0
curl: (7) Failed connect to server0:80; No route to host
依然无法从客户端访问http，因为访问http流量默认进入默认zone public

[root@server0 ~]# firewall-cmd --permanent --zone=work --add-source=172.25.0.0/24
[root@server0 ~]# firewall-cmd --reload

[root@server0 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@server0 ~]# firewall-cmd --zone=work --list-all
work
interfaces:
sources: 172.25.0.0/24
services: dhcpv6-client http ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@desktop0 ~]# curl http://server0
tianyun

LAB2: 将source 172.25.0.0/24 引导到zone trusted

[root@server0 ~]# firewall-cmd --permanent --zone=work --remove-source=172.25.0.0/24
[root@server0 ~]# firewall-cmd --permanent --zone=work --remove-service=http
[root@server0 ~]# firewall-cmd --reload

[root@server0 ~]# firewall-cmd --permanent --zone=trusted --add-source=172.25.0.0/24
success
[root@server0 ~]# firewall-cmd --reload
success

[root@server0 ~]# firewall-cmd --permanent --zone=trusted --list-all
trusted
interfaces:
sources: 172.25.0.0/24
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@server0 ~]# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@desktop0 ~]# curl http://server0
tianyun

LAB3: 将source 172.25.0.0/24 引导到zone block

[root@server0 ~]# firewall-cmd --permanent --zone=trusted --remove-source=172.25.0.0/24
[root@server0 ~]# firewall-cmd --permanent --zone=block --add-source=172.25.0.0/24

[root@server0 ~]# firewall-cmd --permanent --add-service=http
[root@server0 ~]# firewall-cmd --reload

[root@server0 ~]# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@server0 ~]# firewall-cmd --permanent --zone=block --list-all
block
interfaces:
sources: 172.25.0.0/24
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@desktop0 ~]# curl http://server0
curl: (7) Failed connect to server0:80; No route to host

LAB4:

[root@server0 ~]# firewall-cmd --permanent --zone=block --remove-source=172.25.0.0/24
success
[root@server0 ~]# firewall-cmd --reload

[root@desktop0 ~]# curl http://server0
tianyun

=====所有进入包都可以route 到 zone public, 一样可以允许 或 拒绝=====

==rule规则 仅允许xxx==
[root@server0 ~]# firewall-cmd --permanent --add-service=http
[root@server0 ~]# firewall-cmd --permanent --add-service=https
[root@server0 ~]# firewall-cmd --permanent --add-service=ftp
[root@server0 ~]# firewall-cmd --permanent --add-service=mysql
[root@server0 ~]# firewall-cmd --permanent --add-service=ssh
[root@server0 ~]# firewall-cmd --permanent --add-port=3306/tcp
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ftp http https mysql ssh
ports: 3306/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

lab6: 允许172.25.0.10访问

==rich rule 富规则==
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="http" source address="172.25.0.10" accept'
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="http" NOT source address="172.25.0.10" accept'

lab7: 允许172.25.0.0/24 访问any service

[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.25.0.0/24" accept'

lab8: 参考

[root@server0 ~]# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.0.0/24" accept
rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept

[root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept

lab9: other examples

[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 reject'
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.0/24 service name=http reject'
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule service name=ftp limit value=100/m accept'
[root@server0 ~]# firewall-cmd --permanent --zone=vnc --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
[root@server0 ~]# firewall-cmd --permanent --zone=work --add-rich-rule='rule service name="ssh" log prefix="ssh " level="notice" limit value="3/m" accept'

== NAT ==

sina.com 20.20.20.1 20.20.20.10 NAT(Firewalld) 192.168.0.254 (gateway 192.168.0.254) client 192.168.0.0/24

方法一：masquerade （SNAT）
[root@server0 ~]# firewall-cmd --permanent --add-masquerade
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# firewall-cmd --permanent --list-all

方法二：source 192.168.0.0/24
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 masquerade'


方法三：NOT source 192.168.0.0/24
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source NOT address=192.168.0.0/24 masquerade'
[root@server0 ~]# firewall-cmd --permanent --list-all

==Port forwarding 转到本机==

本机端口转发
[root@server0 ~]# firewall-cmd --permanent --add-forward-port=port=6666:proto=tcp:toport=22
[root@tianyun ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" forward-port port="6666" protocol="tcp" to-port="22"'
[root@desktop0 ~]# ssh -p 6666 server0

==Port forwarding 转到其它主机== （DNAT）
[root@server0 ~]# firewall-cmd --permanent --add-masquerade
[root@server0 ~]# firewall-cmd --permanent --add-forward-port=port=7777:proto=tcp:toport=22:toaddr=172.25.0.10

[kiosk@foundation0 ~]$ ssh root@server0 -p 7777
Last login: Sun Jun 5 17:18:42 2016 from 172.25.0.250
[root@desktop0 ~]#

examples:

[root@server0 ~]# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" masquerade
rule family="ipv4" forward-port port="7777" protocol="tcp" to-port="22" to-addr="172.25.0.10"
rule family="ipv4" source address="172.26.0.0/24" service name="http" reject
rule family="ipv4" source address="172.25.0.0/24" protocol value="icmp" reject <===
rule family="ipv4" forward-port port="6666" protocol="tcp" to-port="22"
rule family="ipv4" port port="3306" protocol="tcp" accept
rule family="ipv4" service name="http" accept <===
rule family="ipv4" source address="172.25.0.0/24" service name="https" accept