firewalld: firewall-cmd |
解释 | |
1 | firewall-cmd --get-default-zone | 查看默认域 |
2 | firewall-cmd --set-default-zone | 修改默认域 |
3 | firewall-cmd --permanent --zone=work --change-interface=eno16777736 |
永久修改if=eno16777736的域为work或者说 Change zone (the interface eno16777736 is bound to) to zone work. If zone is omitted(省略), default zone will be used. If old and new zone are the same, the call will be ignored without an error. If the interface has not been bound to a zone before, it will behave like --add-interface. |
4 | firewall-cmd --get-zone-of-interface=eno16777736 | Print the name of the zone the interface is bound to or no zone. |
5 | firewall-cmd --panic-on/ off |
Enable panic mode. All incoming and outgoing packets are dropped, active connections will expire. Enable this only if there are serious problems with your network environment. For example if the machine is getting hacked in. This is a runtime only change. |
6 | firewall-cmd --zone=public --query-service=ssh |
查询服务ssh是否被绑定到域public,yes即放行,no即被拒绝 Return whether service ssh has been added for zone public. If zone is omitted, default zone will be used. Returns 0 if true, 1 otherwise. |
7 | firewall-cmd --zone=public --add-service=http | 添加服务http到域public。一次性,非永久性 |
8 | firewall-cmd --permanent --zone=public --remove-service=http | 重启后永久删除域public内的服务http |
9 | firewall-cmd --permanent --add-port=443-453/tcp | Enable port 443 to 453/tcp permanently, after reboot, in default zone. |
10 | firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.77 |
端口转发,命令格式为firewall-cmd --permanent --zone=<区域> --add-forward-port=port=<源端口号>:proto=<协议>:toport=<目标端口号>:toaddr=<目标IP地址> |
11 | firewall-cmd --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.10.7/24" service name="ssh" reject" | 富规则添加 |
12 | firewall-cmd --zone=public --remove-rich-rule="rule family="ipv4" source address="192.168.10.7/24" service name="ssh" reject" | 富规则删除 |
runtime:当前生效,重启时效。(默认,考试时不能使用,否则机器重启零分)
permanent:当前无效,重启(永久)生效。若要立即生效:A:重启,B:执行firewall-cmd --reload
---------------------------------------------------------------------------
firewalld
(RHEL7),命令+图形
---------------------------------------------------------------------------
1,查看默认所在区域zone
[root@localhost ~]# firewall-cmd --get-default-zone
public #默认所在区域zone,所配置服务必须都在public上,否则不生效。
2,修改默认区域
[root@localhost ~]# firewall-cmd --set-default-zone= #tab可以补齐参数
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone #修改成功
work
[root@localhost ~]#
3,
[root@localhost ~]# firewall-cmd --permanent --zone=work --change-interface=eno16777736
#--永久生效,--要绑定的新区域为work,--变更网卡。即,将某网卡绑定到区域work,并且是重启或者reload后永久生效。
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eno16777736 #查询某网卡当前对应的区域,上条命令并未生效。
public
[root@localhost ~]# firewall-cmd --permanent --get-zone-of-interface=eno16777736 #查询某网卡重启或者reload之后对应的区域,此时上上条命令生效。
work
[root@localhost ~]#
4, 开启紧急模式
[root@localhost ~]# firewall-cmd --panic-on #开启后,阻断一切网络连接
success
[root@localhost ~]# firewall-cmd --panic-off #关闭后,开启一切网络连接
success
5,编辑策略
[root@localhost ~]# firewall-cmd --zone=public --query-service=ssh #yes,即为ssh被放行,no即为禁止
yes
[root@localhost ~]# firewall-cmd --zone=public --query-service=https
no
6,添加(允许)服务
[root@localhost ~]# firewall-cmd --zone=public --add-service=http #临时添加
success
[root@localhost ~]#
[root@localhost ~]# firewall-cmd --zone=public --query-service=http
yes
[root@localhost ~]# firewall-cmd --permanent --zone=public --add-service=https #重启后才能永久添加生效
success
[root@localhost ~]# firewall-cmd --zone=public --query-service=https #当前状态查询
no
[root@localhost ~]# firewall-cmd --permanent --zone=public --query-service=https #将要重启后才能有的状态
yes
[root@localhost ~]# firewall-cmd --reload #reload
success
[root@localhost ~]# firewall-cmd --zone=public --query-service=https #reload之后再查询重启之后的状态
yes
7,拒绝服务
[root@localhost ~]# firewall-cmd --zone=public --query-service=http
yes
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http #拒绝(移除)服务
success
[root@localhost ~]# firewall-cmd --zone=public --query-service=http
no
8,添加/移除某未知服务的端口号
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp
no
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp #添加
success
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp
yes
[root@localhost ~]# firewall-cmd --zone=public --remove-port=80/tcp
success
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp
no
9,允许端口80-100的服务
[root@localhost ~]# firewall-cmd --zone=public --add-port=80-100/tcp #添加20个(80-100)端口
success
10,端口转发(端口使用范围:0-65535)
[root@localhost Desktop]# firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.77 #流量转发命令格式:
#firewall-cmd --permanent --zone=<区域> --add-forward-port=port=<源端口号>:proto=<协议>:toport=<目标端口号>:toaddr=<目标IP地址>
success
[root@localhost Desktop]# firewall-cmd --reload #使将来重启后才能永久生效
success
11,富规则
---------------------------------------------------------------------------
iptables
(RHEL5,6,7.0,7.1)
---------------------------------------------------------------------------
---动作:ACCEPT(允许), REJECT(拒绝), LOG(记录日志信息), DROP(不响应)
iptables -L #查看规则链
iptables -F #清空规则链
iptables -P INPUT DROP #把INPUT规则链的默认策略设置为拒绝
iptables -I INPUT -p icmp -j ACCEPT #-I 在规则链头部写入新规则,-A尾部;-p 协议(ping: icmp); -j 动作
1,命令与规则对应顺序,举例:
iptables -I INPUT -p icmp -j ACCEPT #1
iptables -I INPUT -p icmp -j DROP #2
iptables -A INPUT -p icmp -j REJECT #3
--->
Chain INPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere #2
ACCEPT icmp -- anywhere anywhere #1
REJECT icmp -- anywhere anywhere reject-with icmp-port-unreachable #3
---
2,允许192.168.10.7通过tcp协议和端口22 连接
---
[root@localhost ~]# iptables -I INPUT -s 192.168.10.7/24 -p tcp --dport 22 -j ACCEPT
--->
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.10.0/24 anywhere tcp dpt:ssh
DROP icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT icmp -- anywhere anywhere reject-with icmp-port-unreachable
3,删除某一条规则
[root@localhost ~]# iptables -D INPUT 2 #删除INPUT的第二条规则
4,禁止端口号12345
[root@localhost ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@localhost ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT
#未严明哪种协议,所以tcp,udp两个都写上
5,恢复
[root@localhost ~]# iptables -L | less #前提(或者说背景):默认规则链为DROP
Chain INPUT (policy DROP)
target prot opt source destination
REJECT udp -- anywhere anywhere udp dpt:italk reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.10.0/24 anywhere tcp dpt:ssh
[root@localhost ~]# iptables -P INPUT ACCEPT #将默认规则改为ACCEPT
[root@localhost ~]# iptables -L | less
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT udp -- anywhere anywhere udp dpt:italk reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.10.0/24 anywhere tcp dpt:ssh
---配置防火墙的策略情况:
拒绝所有人,允许策略
允许所有人,拒绝策略
6,当端口号是范围,而非具体某一两个时,用冒号(1000:1500)。当然也要注意两个协议
[root@localhost ~]# iptables -I INPUT -p tcp --dport 1000:1500 -j REJECT
[root@localhost ~]# iptables -I INPUT -p udp --dport 1000:1500 -j REJECT