Linux Tutorial FG017 - Basic Linux Firewall Configuration (firewalld/nftables)

This article introduces basic Linux firewall configuration in detail, covering the two firewall tools firewalld and nftables. This Fengge tutorial draws on the Security and Networking chapters of the official Linux documentation to give readers a complete guide to firewall configuration.

Reference: the System administration chapter of the official Red Hat Enterprise Linux 10 documentation

Part01 - Basic Concepts and Theory

1.1 Firewall Overview

A firewall is a key component of network security: it controls network traffic and protects the system from unauthorized access. Linux offers several firewall tools, the most widely used being firewalld and nftables.

1.2 firewalld Overview

firewalld is the default firewall management tool on RHEL/CentOS. It provides dynamic firewall management, supports the network zone concept, and allows firewall rules to be configured flexibly.

1.3 nftables Overview

nftables is the Linux kernel's current packet filtering framework. It replaces the older iptables and offers more powerful and flexible packet filtering. nftables uses a unified configuration interface, which simplifies the configuration of firewall rules.

Part02 - Production Environment Planning and Recommendations

2.1 firewalld Configuration Recommendations

firewalld configuration recommendations:

  • Choose the zone that suits the server's role
  • Open only the necessary ports and services
  • Use rich rules for finer-grained access control
  • Review firewall rules regularly
  • Configure firewall logging and monitor for abnormal access

2.2 nftables Configuration Recommendations

nftables configuration recommendations:

  • Organize rules with tables and chains
  • Set the default policy to deny (drop)
  • Order rules deliberately: they are evaluated in sequence and the first match takes effect
  • Use comments to document each rule's purpose
  • Back up and test rules regularly

2.3 Security Recommendations

Firewall security recommendations:

  • Principle of least privilege: open only the ports that are needed
  • Restrict source IPs: allow access only from trusted IPs
  • Configure logging: record firewall logs for auditing
  • Update regularly: keep the firewall tools and the system up to date
  • Monitoring and alerting: configure firewall alerts to detect anomalies promptly

Part03 - Production Environment Implementation Plan

3.1 firewalld Basic Configuration

firewalld basic configuration:

# Step 1: check the firewalld status
$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2026-04-02 10:00:00 CST; 10s ago
Docs: man:firewalld(1)
Main PID: 1234 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 5.2M
CGroup: /system.slice/firewalld.service
└─1234 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

# Step 2: show the active zones
$ sudo firewall-cmd --get-active-zones
public
interfaces: eth0

# Step 3: list the rules of the current zone
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

# Step 4: add the HTTP service
$ sudo firewall-cmd --permanent --add-service=http
success

# Step 5: add the HTTPS service
$ sudo firewall-cmd --permanent --add-service=https
success

# Step 6: add a custom port
$ sudo firewall-cmd --permanent --add-port=8080/tcp
success

# Step 7: reload the firewall rules (--permanent changes only take effect after a reload)
$ sudo firewall-cmd --reload
success

# Step 8: list the updated rules
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http https
ports: 8080/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3.2 firewalld Rich Rule Configuration

firewalld rich rule configuration:

# Step 1: add a rule allowing a specific IP to reach port 3306
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
success

# Step 2: add a rule rejecting a specific IP
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.200" reject'
success

# Step 3: add a rule rate-limiting SSH connections
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" limit value="5/m" accept'
success

# Step 4: add a logging rule
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH-ACCESS: " level="info"'
success

# Step 5: reload the firewall rules
$ sudo firewall-cmd --reload
success

# Step 6: list the rich rules
$ sudo firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept
rule family="ipv4" source address="192.168.1.200" reject
rule family="ipv4" service name="ssh" limit value="5/m" accept
rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH-ACCESS: " level="info"
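The logging rule in step 4 writes to the kernel log with the prefix SSH-ACCESS:, which is what the monitoring and alerting advice in 2.3 relies on. The Python script below is an added example, not part of the original tutorial: it parses such lines from `journalctl -k` and flags SSH sources outside the trusted 192.168.1.0/24 network used throughout this page. The log lines, hostnames and addresses are constructed, and DPT=22 because the rule matches the ssh service (port 22).

```python
"""Parse kernel log lines written by the SSH-ACCESS rich rule and flag SSH sources
outside the trusted management network (this tutorial's 192.168.1.0/24)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed `journalctl -k` sample (no real traffic): netfilter LOG format with the
# prefixes set by the rich rules; the last line is an unrelated kernel message.
SAMPLE_LOG = """\
Apr 02 10:01:12 web01 kernel: SSH-ACCESS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.1.50 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 02 10:01:15 web01 kernel: SSH-ACCESS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9911 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 02 10:01:16 web01 kernel: SSH-ACCESS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9912 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 02 10:01:20 db01 kernel: DB-ACCESS: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.1.10 DST=192.168.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7001 DF PROTO=TCP SPT=33000 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 02 10:01:21 web01 kernel: audit: type=1130 audit(1775095281.123:45): pid=1 uid=0 msg='unit=firewalld'
"""

# prefix, source address, protocol and destination port are all we need for triage
LOG_RE = re.compile(r"kernel: (?P<prefix>[A-Z-]+): .*?SRC=(?P<src>[0-9.]+) "
                    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """One dict per netfilter log line; kernel lines without a LOG prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"prefix": m["prefix"], "src": m["src"],
                           "proto": m["proto"], "dport": int(m["dpt"])})
    return events


def untrusted_sources(events, prefix, trusted_nets):
    """Hit count per source address that lies outside every trusted network."""
    nets = [ip_network(n) for n in trusted_nets]
    hits = Counter()
    for e in events:
        if e["prefix"] == prefix and not any(ip_address(e["src"]) in n for n in nets):
            hits[e["src"]] += 1
    return hits


def alert(events, prefix, trusted_nets, threshold):
    """Untrusted sources at or above the threshold: what an alerting rule would raise."""
    hits = untrusted_sources(events, prefix, trusted_nets)
    return sorted(src for src, n in hits.items() if n >= threshold)
```

Feed it the output of `journalctl -k` (or the file your log level routes the messages to) and raise the threshold to match the limit value you configured in step 3.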

3.3 nftables Basic Configuration

nftables basic configuration:

# Step 1: list the current nftables ruleset
$ sudo nft list ruleset
table inet firewalld {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}

# Step 2: create a new table
$ sudo nft add table inet fgedu_firewall

# Step 3: create the input chain
# (the drop policy applies as soon as the chain exists; on a remote host add the accept
#  rules from a console session, or load the whole ruleset at once with nft -f)
$ sudo nft add chain inet fgedu_firewall input '{ type filter hook input priority 0; policy drop; }'

# Step 4: create the output chain
$ sudo nft add chain inet fgedu_firewall output '{ type filter hook output priority 0; policy accept; }'

# Step 5: allow loopback traffic
$ sudo nft add rule inet fgedu_firewall input iif lo accept

# Step 6: allow established and related connections
$ sudo nft add rule inet fgedu_firewall input ct state established,related accept

# Step 7: allow SSH (running on port 2222)
$ sudo nft add rule inet fgedu_firewall input tcp dport 2222 accept

# Step 8: allow HTTP
$ sudo nft add rule inet fgedu_firewall input tcp dport 80 accept

# Step 9: allow HTTPS
$ sudo nft add rule inet fgedu_firewall input tcp dport 443 accept

# Step 10: list the rules
$ sudo nft list ruleset
table inet fgedu_firewall {
chain input {
type filter hook input priority 0; policy drop;
iif lo accept
ct state established,related accept
tcp dport 2222 accept
tcp dport 80 accept
tcp dport 443 accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
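Because nftables evaluates the rules of a chain in order (the point made in 2.2), the position of the established,related rule relative to the port rules matters. The Python checker below is an added example, not part of the original tutorial: it parses the `nft list ruleset` output shown in step 10 and reports any deviation from the intended layout (drop policy, loopback and conntrack accepts ahead of the port rules). The ruleset text is embedded as constructed sample input.

```python
"""Check the nftables input chain built above from `nft list ruleset` output: drop
policy, and loopback / established,related accepts placed ahead of the port rules."""
import re
# Constructed sample: the ruleset printed in step 10, indented as nft prints it.
SAMPLE_RULESET = """\
table inet fgedu_firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 2222 accept
        tcp dport 80 accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

def parse_chains(text):
    """Return {chain name: {"policy": str | None, "rules": [rule, ...]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = chains[m.group(1)] = {"policy": None, "rules": []}
        elif line == "}":                       # closes a chain (or the table)
            current = None
        elif current is not None and line.startswith("type "):
            pm = re.search(r"policy (\w+);", line)
            current["policy"] = pm.group(1) if pm else None
        elif current is not None and line:      # ordinary rule, in evaluation order
            current["rules"].append(line)
    return chains

def check_input_chain(chains):
    """Return findings; an empty list means the chain has the intended layout."""
    chain = chains.get("input") or {"policy": None, "rules": []}
    rules = chain["rules"]
    ct = next((i for i, r in enumerate(rules) if r.startswith("ct state established,related accept")), None)
    first_port = next((i for i, r in enumerate(rules) if " dport " in r), len(rules))
    checks = [
        (chain["policy"] != "drop", f"input policy is {chain['policy']}, expected drop"),
        (not any(r.startswith("iif lo accept") for r in rules), "no loopback accept rule"),
        (ct is None, "no established,related accept rule"),
        (ct is not None and ct > first_port, "established,related accept is placed after the port rules"),
    ]
    return [msg for bad, msg in checks if bad]
```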

Part04 - Production Cases and Hands-on Explanation

4.1 Enterprise Firewall Configuration Case

A firewall configuration case from an enterprise:

  • Configuration: open the SSH, HTTP and HTTPS ports, restrict database access
  • Security measures: rich rules restricting source IPs, log monitoring
  • Result: system security improved significantly, with unauthorized access reduced by 95%

4.2 Web Server Firewall Configuration

Web server firewall configuration:

#!/bin/bash
# web_firewall.sh

# Enable and start firewalld
sudo systemctl enable --now firewalld

# Set the default zone to public
sudo firewall-cmd --set-default-zone=public

# Add the HTTP service
sudo firewall-cmd --permanent --add-service=http

# Add the HTTPS service
sudo firewall-cmd --permanent --add-service=https

# Add the SSH port (SSH moved to port 2222)
# Note: the firewalld "ssh" service referenced by the rich rules below still means port 22/tcp
sudo firewall-cmd --permanent --add-port=2222/tcp

# Allow access from the management network
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'

# Rate-limit SSH access
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" limit value="5/m" accept'

# Log SSH access
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" log prefix="SSH-ACCESS: " level="info"'

# Reload the firewall
sudo firewall-cmd --reload

# List the rules
sudo firewall-cmd --list-all

# Run the script
$ chmod +x web_firewall.sh
$ ./web_firewall.sh
success
success
success
success
success
success
success
success
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http https
ports: 2222/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" accept
rule family="ipv4" service name="ssh" limit value="5/m" accept
rule family="ipv4" service name="ssh" log prefix="SSH-ACCESS: " level="info"

4.3 Database Server Firewall Configuration

Database server firewall configuration:

#!/bin/bash
# db_firewall.sh

# Enable and start firewalld
sudo systemctl enable --now firewalld

# Set the default zone to dmz
sudo firewall-cmd --set-default-zone=dmz

# Add the SSH port (SSH moved to port 2222)
# Note: the firewalld "ssh" service referenced by the rich rules below still means port 22/tcp
sudo firewall-cmd --permanent --add-port=2222/tcp

# Allow the application servers to reach the database
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.10" port protocol="tcp" port="3306" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.11" port protocol="tcp" port="3306" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.12" port protocol="tcp" port="3306" accept'

# Rate-limit SSH access
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" limit value="3/m" accept'

# Log SSH access
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" log prefix="SSH-ACCESS: " level="warning"'

# Log database access
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="3306" log prefix="DB-ACCESS: " level="info"'

# Reload the firewall
sudo firewall-cmd --reload

# List the rules
sudo firewall-cmd --list-all

# Run the script
$ chmod +x db_firewall.sh
$ ./db_firewall.sh
success
success
success
success
success
success
success
success
success
dmz (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh
ports: 2222/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.10" port protocol="tcp" port="3306" accept
rule family="ipv4" source address="192.168.1.11" port protocol="tcp" port="3306" accept
rule family="ipv4" source address="192.168.1.12" port protocol="tcp" port="3306" accept
rule family="ipv4" service name="ssh" limit value="3/m" accept
rule family="ipv4" service name="ssh" log prefix="SSH-ACCESS: " level="warning"
rule family="ipv4" port protocol="tcp" port="3306" log prefix="DB-ACCESS: " level="info"

Part05 - Fengge's Experience Summary and Sharing

5.1 Firewall Configuration Recommendations

Fengge's tips: recommendations for firewall configuration:

  • Least privilege: open only the necessary ports and services
  • Restrict access: limit source IPs and allow only trusted IPs
  • Logging: configure firewall logging for auditing and monitoring
  • Regular review: check firewall rules regularly and clean up stale rules
  • Back up rules: back up firewall rules regularly so they can be restored

5.2 Common Problems and Solutions

Common firewall configuration problems and their solutions:

  • Service unreachable: check the firewall rules and confirm the port is open
  • Rule not taking effect: check the rule order and confirm the firewall was reloaded
  • Performance problems: optimize rule order and reduce the number of rules
  • Too many logs: adjust the log level and filter out unnecessary log entries
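Two of the checks above (confirm the port is open; confirm the firewall was reloaded) can be automated from `firewall-cmd --list-all` output. The Python below is an added example, not part of the original tutorial: it parses a zone listing, audits it against an allowlist, and compares the runtime listing with `--list-all --permanent` to detect changes that have not been reloaded yet. The listing is the public-zone output from section 4.2, embedded as constructed input with one permanent-only port added; run against that listing, the audit also reports that the ssh service (port 22) and dhcpv6-client remain open beside port 2222.

```python
"""Parse `firewall-cmd --list-all` output and automate two checks from this tutorial:
audit the zone against an allowlist, and detect permanent changes not yet reloaded."""

# Constructed samples: RUNTIME is the public zone listing from section 4.2;
# PERMANENT is the same zone after `--permanent --add-port=8080/tcp` without `--reload`.
RUNTIME = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports: 2222/tcp
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" accept
        rule family="ipv4" service name="ssh" limit value="5/m" accept
        rule family="ipv4" service name="ssh" log prefix="SSH-ACCESS: " level="info"
"""
PERMANENT = RUNTIME.replace("ports: 2222/tcp", "ports: 2222/tcp 8080/tcp")

def parse_list_all(text):
    """Return {'zone': name, 'rich rules': [...], <field>: [values]} for one zone."""
    lines = text.strip().splitlines()
    zone = {"zone": lines[0].split()[0], "rich rules": []}
    for line in lines[1:]:
        s = line.strip()
        if s.startswith("rule "):           # indented rich-rule lines
            zone["rich rules"].append(s)
        elif s != "rich rules:":            # every other line is "field: values"
            key, _, val = s.partition(":")
            zone[key] = val.split()
    return zone

def audit(zone, allowed_services, allowed_ports):
    """Least-privilege check: anything open that is not on the allowlist is a finding."""
    services, ports = zone.get("services", []), zone.get("ports", [])
    findings = [f"unexpected service: {s}" for s in services if s not in allowed_services]
    findings += [f"unexpected port: {p}" for p in ports if p not in allowed_ports]
    findings += [f"missing port: {p}" for p in allowed_ports if p not in ports]
    # an accept rich rule with no source restriction applies to every source
    findings += [f"accept without source restriction: {r}" for r in zone["rich rules"]
                 if r.endswith(" accept") and "source address=" not in r]
    return findings

def pending_changes(runtime_text, permanent_text):
    """Fields where the permanent config differs from runtime: a --reload is still needed."""
    rt, pm = parse_list_all(runtime_text), parse_list_all(permanent_text)
    return {k: (rt.get(k), pm.get(k)) for k in rt.keys() | pm.keys() if rt.get(k) != pm.get(k)}
```

Capture `firewall-cmd --list-all` and `firewall-cmd --list-all --permanent` and pass both texts to pending_changes(); a non-empty result means a --reload is still outstanding.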

5.3 Best Practices

Firewall configuration best practices:

  • Automate firewall configuration with scripts
  • Maintain documentation of the firewall rules
  • Audit firewall rules regularly
  • Configure firewall monitoring and alerting
  • Test firewall rules regularly

Production recommendation: in production, establish a complete firewall management process covering rule configuration, log monitoring, auditing and testing to ensure system security.

This article should have given readers a fuller understanding of basic Linux firewall configuration. Mastering these settings helps protect systems from unauthorized access.


This article was compiled and published by Fengge Tutorials for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
