服務(wù)器維護(hù)CentOS 7.0防火墻Firewalld和服務(wù)相關(guān)配置

2020-06-25 11:16 作者：admin

服務(wù)器維護(hù)CentOS 7.0防火墻Firewalld和服務(wù)相關(guān)配置

服務(wù)器維護(hù)小知識(shí)CentOS 7.0版本之后相對(duì)于以前的版本更改行還是很大的，原先在6.5版本之前命令和配置文件大致都差不多，自7.0版本之后一些功能都有較大的改變，接下來會(huì)從防火墻和服務(wù)的相關(guān)配置來進(jìn)行剖析。
服務(wù)器維護(hù)小知識(shí)（一）防火墻firewall的相關(guān)介紹及配置
CentOS 7中防火墻是一個(gè)非常的強(qiáng)大的功能，在CentOS 6.5中在iptables防火墻中進(jìn)行了升級(jí)了。(he dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly-----官方文檔)
服務(wù)器維護(hù)小知識(shí)firewall--區(qū)域zone
網(wǎng)絡(luò)區(qū)域定義了網(wǎng)絡(luò)連接的可信等級(jí)。這是一個(gè) 一對(duì)多的關(guān)系，這意味著一次連接可以僅僅是一個(gè)區(qū)域的一部分，而一個(gè)區(qū)域可以用于很多連接。那個(gè)區(qū)域是否可用室友firewall提供的區(qū)域按照從不信任到信任的順序排序。
服務(wù)器維護(hù)小知識(shí)firewall 分類
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
服務(wù)器維護(hù)小知識(shí)firewall相關(guān)的配置:
1，系統(tǒng)配置目錄：/usr/lib/firewalld
[root@linuxidc firewalld]# cd /usr/lib/firewalld
[root@linuxidc firewalld]# ls
icmptypes  services  xmlschema  zones
[root@linuxidc firewalld]# cd services/
[root@linuxidc services]# ls
amanda-client.xml        high-availability.xml  ldap.xml        pmproxy.xml        samba.xml
bacula-client.xml        https.xml              libvirt-tls.xml  pmwebapis.xml      smtp.xml
bacula.xml              http.xml              libvirt.xml      pmwebapi.xml        ssh.xml
dhcpv6-client.xml        imaps.xml              mdns.xml        pop3s.xml          telnet.xml
dhcpv6.xml              ipp-client.xml        mountd.xml      postgresql.xml      tftp-client.xml
dhcp.xml                ipp.xml                ms-wbt.xml      proxy-dhcp.xml      tftp.xml
dns.xml                  ipsec.xml              mysql.xml        radius.xml          transmission-client.xml
freeipa-ldaps.xml        iscsi-target.xml      nfs.xml          RH-Satellite-6.xml  vdsm.xml
freeipa-ldap.xml        kerberos.xml          ntp.xml          rpc-bind.xml        vnc-server.xml
freeipa-replication.xml  kpasswd.xml            openvpn.xml      rsyncd.xml          wbem-https.xml
ftp.xml                  ldaps.xml              pmcd.xml        samba-client.xml
[root@linuxidc services]#
注意：目錄中存放定義好的網(wǎng)絡(luò)服務(wù)和端口參數(shù)，系統(tǒng)參數(shù)，不能修改。
2，用戶配置目錄：/etc/firewalld/
[root@linuxidc firewalld]# cd /etc/firewalld/
[root@linuxidc firewalld]# ls
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones
3,用戶如何自定義添加端口，分為使用命令行添加和修改相關(guān)的配置文件。
3.1，使用命令的方式添加
[root@linuxidc services]# firewall-cmd --zone=public --permanent --add-port=8080/tcp 
success
[root@linuxidc services]# firewall-cmd --reload
CentOS 7防火墻服務(wù)FirewallD指南  http://www.linuxidc.com/Linux/2016-10/136431.htm
firewalld和iptables 詳解  http://www.linuxidc.com/Linux/2017-03/141434.htm
CentOS7下Firewalld防火墻使用實(shí)例  http://www.linuxidc.com/Linux/2017-01/139637.htm
服務(wù)器維護(hù)小知識(shí)CentOS 7下FirewallD使用簡(jiǎn)介  http://www.linuxidc.com/Linux/2016-11/137093.htm
服務(wù)器維護(hù)小知識(shí)參數(shù)介紹：
1、firewall-cmd：是Linux提供的操作firewall的一個(gè)工具；
2、--permanent：表示設(shè)置為持久；
3、--add-port：標(biāo)識(shí)添加的端口
4、--zone:指定某個(gè)區(qū)域
5、firewall-cmd --reload ：重啟生效
 
3.2修改配置文件方式添加端口
[root@linuxidc zones]# vim /usr/lib/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. O
nly selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
</zone>
服務(wù)器維護(hù)小知識(shí)firewall常用命令：
1，重啟，關(guān)閉開啟firewall.service服務(wù)
[root@linuxidc zones]# service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
[root@linuxidc zones]# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service
[root@linuxidc zones]# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
2，查看firewalld服務(wù)狀態(tài)：
[root@linuxidc zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: active (running) since Wed 2017-04-19 11:10:50 CST; 43s ago
 Main PID: 4290 (firewalld)
  CGroup: /system.slice/firewalld.service
          └─4290 /usr/bin/Python -Es /usr/sbin/firewalld --nofork --nopid
Apr 19 11:10:50 linuxidc systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 19 11:10:50 linuxidc systemd[1]: Started firewalld - dynamic firewall daemon.
3，查看firewall的狀態(tài)
[root@linuxidc zones]# firewall-cmd --state 
running
4,查看防火墻firewall規(guī)則
[root@linuxidc ~]# firewall-cmd --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 10050/tcp 8080/tcp 10051/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
后注：如果感覺firewall防火墻玩不好，可以關(guān)閉firewall而安裝iptables,具體步驟如下
[root@linuxidc ~]# service firewalld stop                    ####停止firewalld服務(wù)
Redirecting to /bin/systemctl stop  firewalld.service                         
[root@linuxidc ~]# systemctl disable firewalld.service  ####禁止firewalld開機(jī)啟動(dòng)
[root@linuxidc ~]# yum install iptables-services    #####安裝iptables
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                                                          | 3.6 kB  00:00:00     
epel                                                                                          | 4.3 kB  00:00:00     
extras                                                                                        | 3.4 kB  00:00:00     
updates                                                                                      | 3.4 kB  00:00:00 
[root@linuxidc ~]# vim /etc/sysconfig/iptables        ########編輯iptables配置文件
[root@linuxidc ~]#service iptables start                  #開啟
[root@linuxidc ~]#systemctl enable iptables.service      #設(shè)置防火墻開機(jī)啟動(dòng)
IT運(yùn)維  我們選擇北京艾銻無限
以上文章由北京艾銻無限科技發(fā)展有限公司整理