firewalld的9个zone
开启firewalld
在之前的iptables中,我们关闭掉了firewalld,并且设置开机不可启动,安装了iptables-services,开启了iptables,并且设置了开机启动。这次我们做相反的操作:把iptables关闭掉,开启firewalld。注意:从停止iptables到firewalld启动完成之间,主机会短暂处于没有过滤规则的状态,生产环境中应尽量缩短这个窗口。
[root@linux-001 ~]# systemctl stop iptables.service
[root@linux-001 ~]# systemctl disable iptables.service
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@linux-001 ~]#
[root@linux-001 ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@linux-001 ~]# systemctl start firewalld.service
[root@linux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28 2056 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 20 packets, 1904 bytes)
pkts bytes target prot opt in out source destination
20 1904 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens37 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
1 92 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (3 references)
pkts bytes target prot opt in out source destination
1 92 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
[root@linux-001 ~]#
[root@linux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target prot opt in out source destination
1 328 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1 328 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1 328 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 POST_public all -- * ens37 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (3 references)
pkts bytes target prot opt in out source destination
0 0 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 PRE_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
1 328 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (3 references)
pkts bytes target prot opt in out source destination
1 328 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
1 328 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1 328 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
[root@linux-001 ~]#
firewalld中的zone
firewalld 默认有 9 个 zone,默认的 zone 为 public,zone 可以理解为 firewalld 的单位:规则集。
## 查看firewalld中的zone ##
[root@linux-02 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@linux-02 ~]#
## 查看默认的zone是什么 ##
[root@linux-02 ~]# firewall-cmd --get-default-zone
public
[root@linux-02 ~]#
firewalld中zone的区别如下图:

firewalld关于zone的操作
firewall-cmd --set-default-zone=work //设定默认zone
firewall-cmd --get-zone-of-interface=ens33 //查指定网卡
firewall-cmd --zone=public --add-interface=lo //给指定网卡设置zone
firewall-cmd --zone=dmz --change-interface=lo //针对网卡更改zone
firewall-cmd --zone=dmz --remove-interface=lo //针对网卡删除zone
firewall-cmd --get-active-zones //查看系统所有网卡所在的zone
## 设定默认zone ##
[root@linux-02 ~]# firewall-cmd --set-default-zone=work
success
[root@linux-02 ~]# firewall-cmd --get-default-zone
work
## 查指定网卡的zone ##
[root@linux-02 ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@linux-02 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@linux-02 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
## 给指定网卡设置zone ##
[root@linux-02 ~]# firewall-cmd --zone=dmz --add-interface=ens37
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@linux-02 ~]# firewall-cmd --get-zone-of-interface=ens37
dmz
## 给指定网卡更改zone ##
[root@linux-02 ~]# firewall-cmd --zone=public --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'public'.
success
[root@linux-02 ~]# firewall-cmd --get-zone-of-interface=ens37
public
## 删除指定网卡的zone ##
[root@linux-02 ~]# firewall-cmd --zone=public --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@linux-02 ~]# firewall-cmd --get-zone-of-interface=ens37
work
## 查看所有网卡的zone ##
[root@linux-02 ~]# firewall-cmd --get-active-zones
work
interfaces: ens33 ens37
firewalld中关于service的操作
firewall-cmd --get-services //查看所有的services
firewall-cmd --list-services //查看当前zone下有哪些service
firewall-cmd --zone=public --add-service=http //把http增加到public zone下面
firewall-cmd --zone=public --remove-service=http
ls /usr/lib/firewalld/zones/ //zone的配置文件模板
firewall-cmd --zone=public --add-service=http --permanent //更改配置文件,之后会在/etc/firewalld/zones目录下面生成配置文件(--permanent只写配置文件,不改变当前运行中的规则,需要执行 firewall-cmd --reload 后才生效)
## 查看所有的service ##
[root@linux-02 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
## 查看当前zone下都有哪些service ##
[root@linux-02 ~]# firewall-cmd --list-services
ssh dhcpv6-client
## 查看public的zone下都有哪些service ##
[root@linux-02 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
## 把http增加到public的zone下 ##
[root@linux-02 ~]# firewall-cmd --zone=public --add-service=http
success
[root@linux-02 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
## 把public所在的zone下的http service删除 ##
[root@linux-02 ~]# firewall-cmd --zone=public --remove-service=http
success
[root@linux-02 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
## 把增加的service保存到配置文件当中去,配置文件在/etc/firewalld/zones/下 ##
[root@linux-02 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@linux-02 ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@linux-02 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="http"/>
</zone>
## firewalld中zones的模板在/usr/lib/firewalld/zones/ ##
[root@linux-02 ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
[root@linux-02 ~]# ls /usr/lib/firewalld/services/
amanda-client.xml ftp.xml libvirt-tls.xml pop3.xml ssh.xml
amanda-k5-client.xml ganglia-client.xml libvirt.xml postgresql.xml syncthing-gui.xml
bacula-client.xml ganglia-master.xml managesieve.xml privoxy.xml syncthing.xml
bacula.xml git.xml mdns.xml proxy-dhcp.xml synergy.xml
bgp.xml gre.xml minidlna.xml ptp.xml syslog-tls.xml
bitcoin-rpc.xml high-availability.xml mongodb.xml pulseaudio.xml syslog.xml
bitcoin-testnet-rpc.xml https.xml mosh.xml puppetmaster.xml telnet.xml
bitcoin-testnet.xml http.xml mountd.xml quassel.xml tftp-client.xml
bitcoin.xml imaps.xml mssql.xml radius.xml tftp.xml
ceph-mon.xml imap.xml ms-wbt.xml redis.xml tinc.xml
ceph.xml ipp-client.xml murmur.xml RH-Satellite-6.xml tor-socks.xml
cfengine.xml ipp.xml mysql.xml rpc-bind.xml transmission-client.xml
condor-collector.xml ipsec.xml nfs3.xml rsh.xml upnp-client.xml
ctdb.xml ircs.xml nfs.xml rsyncd.xml vdsm.xml
dhcpv6-client.xml irc.xml nmea-0183.xml samba-client.xml vnc-server.xml
dhcpv6.xml iscsi-target.xml nrpe.xml samba.xml wbem-https.xml
dhcp.xml jenkins.xml ntp.xml sane.xml xmpp-bosh.xml
dns.xml kadmin.xml openvpn.xml sips.xml xmpp-client.xml
docker-registry.xml kerberos.xml ovirt-imageio.xml sip.xml xmpp-local.xml
docker-swarm.xml kibana.xml ovirt-storageconsole.xml smtp-submission.xml xmpp-server.xml
dropbox-lansync.xml klogin.xml ovirt-vmconsole.xml smtps.xml zabbix-agent.xml
elasticsearch.xml kpasswd.xml pmcd.xml smtp.xml zabbix-server.xml
freeipa-ldaps.xml kprop.xml pmproxy.xml snmptrap.xml
freeipa-ldap.xml kshell.xml pmwebapis.xml snmp.xml
freeipa-replication.xml ldaps.xml pmwebapi.xml spideroak-lansync.xml
freeipa-trust.xml ldap.xml pop3s.xml squid.xml
[root@linux-02 ~]#
需求:ftp服务自定义端口1121,需要在work zone下面放行ftp
解决思路:
cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
vi /etc/firewalld/services/ftp.xml //把21改为1121(注意:nf_conntrack_ftp 模块默认只跟踪21端口,改为自定义端口后被动模式的数据连接不会被自动识别为RELATED,需要另外配置该模块的 ports 参数或放行数据端口范围)
cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
vi /etc/firewalld/zones/work.xml //增加一行
firewall-cmd --reload //重新加载
firewall-cmd --zone=work --list-services
[root@linux-02 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@linux-02 ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
[root@linux-02 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@linux-02 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
[root@linux-02 ~]# firewall-cmd --reload
success
[root@linux-02 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp