Server maintenance: CentOS 7.0 firewall (Firewalld) and service configuration
2020-06-25 11:16 Author: admin
Server maintenance tip: starting with CentOS 7.0 the changes relative to earlier releases are substantial. Up to 6.5 the commands and configuration files were largely the same, but from 7.0 onward several features changed considerably. The following walks through the firewall and service configuration.
(1) Introduction to and configuration of the firewall (firewalld)
In CentOS 7 the firewall is a very powerful component; it is an upgrade of the iptables firewall used in CentOS 6.5. (The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. From the official documentation.)
firewall zones
A network zone defines the trust level of a network connection. This is a one-to-many relationship: a connection can be part of only one zone, while a zone can be used by many connections. The zones provided by firewalld are ordered from least trusted to most trusted.
firewall zone categories
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
firewall configuration:
1. System configuration directory: /usr/lib/firewalld
[root@linuxidc firewalld]# cd /usr/lib/firewalld
[root@linuxidc firewalld]# ls
icmptypes services xmlschema zones
[root@linuxidc firewalld]# cd services/
[root@linuxidc services]# ls
amanda-client.xml high-availability.xml ldap.xml pmproxy.xml samba.xml
bacula-client.xml https.xml libvirt-tls.xml pmwebapis.xml smtp.xml
bacula.xml http.xml libvirt.xml pmwebapi.xml ssh.xml
dhcpv6-client.xml imaps.xml mdns.xml pop3s.xml telnet.xml
dhcpv6.xml ipp-client.xml mountd.xml postgresql.xml tftp-client.xml
dhcp.xml ipp.xml ms-wbt.xml proxy-dhcp.xml tftp.xml
dns.xml ipsec.xml mysql.xml radius.xml transmission-client.xml
freeipa-ldaps.xml iscsi-target.xml nfs.xml RH-Satellite-6.xml vdsm.xml
freeipa-ldap.xml kerberos.xml ntp.xml rpc-bind.xml vnc-server.xml
freeipa-replication.xml kpasswd.xml openvpn.xml rsyncd.xml wbem-https.xml
ftp.xml ldaps.xml pmcd.xml samba-client.xml
[root@linuxidc services]#
Note: this directory holds the predefined network service and port definitions. They are system files and must not be modified.
2. User configuration directory: /etc/firewalld/
[root@linuxidc firewalld]# cd /etc/firewalld/
[root@linuxidc firewalld]# ls
firewalld.conf icmptypes lockdown-whitelist.xml services zones
3. How a user adds a custom port: either with the command line or by editing the relevant configuration file.
3.1 Adding a port with the command line
[root@linuxidc services]# firewall-cmd --zone=public --permanent --add-port=8080/tcp
success
[root@linuxidc services]# firewall-cmd --reload
Parameter descriptions:
1. firewall-cmd: the tool Linux provides for operating the firewall;
2. --permanent: makes the setting persistent;
3. --add-port: the port to add;
4. --zone: specifies a zone;
5. firewall-cmd --reload: reload so the change takes effect.
3.2 Adding a port by editing the configuration file
[root@linuxidc zones]# vim /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<rule family="ipv4">
<source address="127.0.0.1"/>
<port protocol="tcp" port="10050-10051"/>
<accept/>
</rule>
</zone>
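As an added example (not code from the original post), the following Python script parses a zone file in the format shown above and reports who may reach a given port, a useful check before running firewall-cmd --reload after a hand edit. It assumes the edited file lives in the user configuration directory /etc/firewalld/zones/ described in section 2; the XML below is a constructed sample modelled on public.xml, and ports opened implicitly by <service> entries are not resolved.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not the post's file) in the public.xml format shown above.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
</zone>
"""

def parse_zone(xml_text):
    """Return the zone's <service>/<port> entries and its rich rules."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for rule in root.findall("rule"):
        src = rule.find("source")
        rules.append({
            # A rich rule without <source> applies to every source address.
            "source": src.get("address") if src is not None else None,
            "ports": [(p.get("port"), p.get("protocol")) for p in rule.findall("port")],
            "accept": rule.find("accept") is not None,
        })
    return {
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "rules": rules,
    }

def _matches(port, protocol, spec, spec_proto):
    """True if port/protocol falls inside a <port> spec such as 10050-10051/tcp."""
    lo, _, hi = spec.partition("-")
    return protocol == spec_proto and int(lo) <= port <= int(hi or lo)

def port_exposure(zone, port, protocol):
    """Who may reach port/protocol: 'any', a list of source addresses, or None."""
    if any(_matches(port, protocol, s, p) for s, p in zone["ports"]):
        return "any"
    sources = []
    for rule in zone["rules"]:
        if rule["accept"] and any(_matches(port, protocol, s, p) for s, p in rule["ports"]):
            if rule["source"] is None:
                return "any"          # an unrestricted accept rule wins
            sources.append(rule["source"])
    return sources or None
```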
Common firewall commands:
1. Restart, stop and start the firewalld.service service
[root@linuxidc zones]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
[root@linuxidc zones]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
[root@linuxidc zones]# service firewalld start
Redirecting to /bin/systemctl start firewalld.service
2. Check the firewalld service status:
[root@linuxidc zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2017-04-19 11:10:50 CST; 43s ago
Main PID: 4290 (firewalld)
CGroup: /system.slice/firewalld.service
└─4290 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 19 11:10:50 linuxidc systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 19 11:10:50 linuxidc systemd[1]: Started firewalld - dynamic firewall daemon.
3. Check the firewall state
[root@linuxidc zones]# firewall-cmd --state
running
4. View the firewall rules
[root@linuxidc ~]# firewall-cmd --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports: 10050/tcp 8080/tcp 10051/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Postscript: if you find firewalld hard to work with, you can disable it and install iptables instead. The steps are as follows:
[root@linuxidc ~]# service firewalld stop #### stop the firewalld service
Redirecting to /bin/systemctl stop firewalld.service
[root@linuxidc ~]# systemctl disable firewalld.service #### prevent firewalld from starting at boot
[root@linuxidc ~]# yum install iptables-services ##### install iptables
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base | 3.6 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
[root@linuxidc ~]# vim /etc/sysconfig/iptables ######## edit the iptables configuration file
[root@linuxidc ~]# service iptables start # start the firewall
[root@linuxidc ~]# systemctl enable iptables.service # enable the firewall at boot