firewalld firewall policy:
The firewall framework on Linux systems
System service: firewalld
Management tool: firewall-cmd
Graphical management tool: firewall-config
Predefined security zones
Zones are distinguished by the network location the host sits in, each with a preset protection rule set.
The four most commonly used zones:
– public: only allows access to the local sshd, dhcp and ping
– trusted: allows any access
– block: rejects every incoming request (replies with an explicit rejection)
– drop: discards every incoming packet (dropped silently with no reply, which saves server resources)
The firewall's decision rule: match and stop
1. Look at the source IP address in the request packet and compare it against the rules of every zone in turn; if some zone has a rule for that source IP address, the packet enters that zone. The remaining zones are not compared any further, and once the packet is in that zone it is handled according to that zone's own rules.
2. If no zone has a rule for that source IP address, the packet is handed to the default zone (public).
Installing firewalld
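The "match and stop" zone selection described above, as an added illustration in plain POSIX sh (not firewalld's own code): the zone table and default zone are constructed sample data modelled on the tutorial's block/public setup, and the first zone whose source range contains the client address wins, otherwise the default zone is used.

```shell
#!/bin/sh
# Added example: emulate firewalld's source-based zone selection.
# Constructed sample table, one "zone source/prefix" per line (what each
# zone's `firewall-cmd --zone=<z> --list-sources` would report).
ZONE_SOURCES='block 192.168.4.1/32
trusted 10.0.0.0/8'
DEFAULT_ZONE=public

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS -> exit status 0 if IP lies inside NET/BITS
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# zone_for_source IP -> prints the zone that handles packets from IP:
# the first zone whose source list matches (match and stop), else the default.
zone_for_source() {
    match=$(printf '%s\n' "$ZONE_SOURCES" | while read -r zone cidr; do
        if in_cidr "$1" "$cidr"; then
            printf '%s\n' "$zone"
            break
        fi
    done)
    printf '%s\n' "${match:-$DEFAULT_ZONE}"
}

# Demo: the tutorial's client1 lands in block, an unknown host in public.
for src in 192.168.4.1 10.20.30.40 192.168.4.200; do
    echo "$src -> $(zone_for_source "$src")"
done
```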
[root@server1 ~]# rpm -q firewalld
package firewalld is not installed
[root@server1 ~]# yum -y install firewalld-0.4.4.4-14.el7.noarch
[root@server1 ~]# systemctl start firewalld
[root@server1 ~]# systemctl enable firewalld
Changing the firewall's default zone
# View the default zone
[root@server1 ~]# firewall-cmd --get-default-zone
[root@client1 ~]# ping 192.168.4.100 # the client client1 can ping the server
# Change the default zone to block
[root@server1 ~]# firewall-cmd --set-default-zone=block
[root@server1 ~]# firewall-cmd --get-default-zone
[root@server1 ~]#
[root@client1 ~]# ping 192.168.4.100 # client1 can no longer ping the server, but it gets a reply
PING 192.168.4.100 (192.168.4.100) 56(84) bytes of data.
From 192.168.4.100 icmp_seq=1 Destination Host Prohibited
From 192.168.4.100 icmp_seq=2 Destination Host Prohibited
# Change the default zone to drop
[root@server1 ~]# firewall-cmd --set-default-zone=drop
[root@server1 ~]# firewall-cmd --get-default-zone
[root@server1 ~]#
# When tested from the client, communication fails and there is no reply at all
[root@client1 ~]# ping 192.168.4.100
PING 192.168.4.100 (192.168.4.100) 56(84) bytes of data.
Adding protocols (services) to the default zone:
# Change the default zone to public
[root@server1 ~]# firewall-cmd --set-default-zone=public
[root@server1 ~]# firewall-cmd --get-default-zone
# View the zone's detailed rules
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2 eth3
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server1 ~]#
Accessing the ftp and httpd services on server1 from the client
[root@client1 ~]# ftp 192.168.4.100 # the ftp connection fails
ftp: connect: No route to host
# the httpd connection fails
[root@client1 ~]# curl http://192.168.4.100
curl: (7) Failed connect to 192.168.4.100:80; No route to host
# Add rules on server1 that allow http and ftp
[root@server1 html]# firewall-cmd --zone=public --add-service=http
[root@server1 html]# firewall-cmd --zone=public --add-service=ftp
[root@server1 html]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2 eth3
sources:
services: ssh dhcpv6-client http ftp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Testing again from the client
[root@client1 ~]# curl http://192.168.4.100
hello~ # the http connection succeeds
[root@client1 ~]# ftp 192.168.4.100 # the ftp connection succeeds
Connected to 192.168.4.100 (192.168.4.100).
# The policy changes above take effect immediately, but they are lost when the firewall is reloaded or the system or service is restarted
[root@server1 ~]# firewall-cmd --reload
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2 eth3
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server1 ~]#
Permanent firewall policy (permanent)
# With --permanent the policy is written to the configuration file
[root@server1 ~]# firewall-cmd --permanent --zone=public --add-service=http
[root@server1 ~]# firewall-cmd --permanent --zone=public --add-service=ftp
# Check the rules again: because the policy was written to the configuration file, it is not visible in the current (runtime) policy
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2 eth3
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server1 ~]# firewall-cmd --reload # reload the complete firewall configuration so the policy in the configuration file takes effect
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2 eth3
sources:
services: ssh dhcpv6-client http ftp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server1 ~]#
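The two listings above show why runtime and permanent policy drift apart: a runtime-only service disappears at the next reload, and a permanent-only one appears. The following added audit helper (not part of the original tutorial) compares the runtime and permanent `--list-all` output of one zone and reports exactly that. The two listings are constructed samples modelled on the public zone above; on a real host you would feed it the output of `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all`.

```shell
#!/bin/sh
# Added example: detect drift between a zone's runtime and permanent policy.
# Constructed sample listings (same field layout as `firewall-cmd --list-all`).
RUNTIME='public (active)
  target: default
  services: ssh dhcpv6-client http ftp
  ports:
  forward-ports: port=5423:proto=tcp:toport=80:toaddr=
'
PERMANENT='public
  target: default
  services: ssh dhcpv6-client http
  ports:
  forward-ports:
'

# zone_field LISTING FIELD -> the space-separated values on the "FIELD:" line
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# only_in A B -> the words of A that do not occur in B, one per line
only_in() {
    for w in $1; do
        case " $2 " in *" $w "*) ;; *) printf '%s\n' "$w" ;; esac
    done
}

# lost_on_reload FIELD -> runtime-only values: gone after `firewall-cmd --reload`
lost_on_reload() {
    only_in "$(zone_field "$RUNTIME" "$1")" "$(zone_field "$PERMANENT" "$1")"
}

# added_on_reload FIELD -> permanent-only values: active only after a reload
added_on_reload() {
    only_in "$(zone_field "$PERMANENT" "$1")" "$(zone_field "$RUNTIME" "$1")"
}

# Report drift for the fields the tutorial changes.
for f in services ports forward-ports; do
    for v in $(lost_on_reload "$f"); do
        echo "runtime-only $f: $v (lost on reload)"
    done
    for v in $(added_on_reload "$f"); do
        echo "permanent-only $f: $v (applies on reload)"
    done
done
```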
Rejecting access from the virtual machine client1 alone
[root@server1 ~]# firewall-cmd --zone=block --add-source=192.168.4.1
[root@server1 ~]# firewall-cmd --zone=block --list-all
block (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources: 192.168.4.1
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server1 ~]#
[root@client1 ~]# ftp 192.168.4.100 # the client is rejected when it connects again
ftp: connect: No route to host
# This is a temporary (runtime) change that takes effect immediately; to undo it, run
# firewall-cmd --reload
Implementing port mapping on the local host
Port redirection for a local application (port 1 --> port 2)
A request from the client to port 1 is automatically mapped to port 2 on this host
For example, visiting either of the following two addresses shows the same page:
http://192.168.4.100:5423 ---> http://192.168.4.100:80
When client1 accesses port 5423 on server1, the firewall redirects the port to 80
[root@server1 ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5423:proto=tcp:toport=80
[root@server1 ~]# firewall-cmd --reload
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2 eth3
sources:
services: ssh dhcpv6-client http ftp
ports:
protocols:
masquerade: no
forward-ports: port=5423:proto=tcp:toport=80:toaddr=
source-ports:
icmp-blocks:
rich rules:
[root@server1 ~]#
# When the client accesses port 5423, the firewall maps the connection to port 80
[root@client1 ~]# curl http://192.168.4.100:5423
[root@client1 ~]#