Summary: this Feng Ge tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes the configuration and use of the relevant technologies in detail.
Feng Ge's note:
This document describes advanced firewalld configuration in detail.
Part01-Zone Management
1.1 Custom zones
# List all zones
$ sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# View the default zone
$ sudo firewall-cmd --get-default-zone
public
# Set the default zone
$ sudo firewall-cmd --set-default-zone=internal
# View zone details
$ sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Create a new zone
$ sudo firewall-cmd --permanent --new-zone=custom
$ sudo firewall-cmd --reload
# Delete a zone
$ sudo firewall-cmd --permanent --delete-zone=custom
$ sudo firewall-cmd --reload
# Bind an interface to a zone
$ sudo firewall-cmd --zone=internal --change-interface=eth1
$ sudo firewall-cmd --zone=internal --add-interface=eth1
# Bind source addresses to a zone
$ sudo firewall-cmd --zone=trusted --add-source=192.168.1.0/24
$ sudo firewall-cmd --zone=trusted --add-source=10.0.0.100
Part02-Service Management
2.1 Custom services
# List the predefined services
$ sudo firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
# View a service definition
$ sudo firewall-cmd --info-service=ssh
ssh
ports: 22/tcp
protocols:
source-ports:
modules:
destination:
# Create a custom service
$ sudo firewall-cmd --permanent --new-service=myservice
$ sudo firewall-cmd --permanent --service=myservice --set-description="My Custom Service"
$ sudo firewall-cmd --permanent --service=myservice --add-port=8080/tcp
$ sudo firewall-cmd --permanent --service=myservice --add-port=8443/tcp
$ sudo firewall-cmd --reload
# Add the service to a zone, and remove it again
$ sudo firewall-cmd --zone=public --add-service=myservice
$ sudo firewall-cmd --zone=public --remove-service=myservice
# View the generated service file
$ cat /etc/firewalld/services/myservice.xml
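The service file that the commands above produce can also be written directly and reviewed or shipped through configuration management. The following is an added example, not code from the original tutorial: it renders the same /etc/firewalld/services/<name>.xml layout (short, description, port elements) into a directory you choose; the demo writes to a temporary directory, never to /etc.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render the service definition that
# "firewall-cmd --permanent --new-service" keeps under /etc/firewalld/services/<name>.xml.
# Usage: write_service_xml <dir> <name> <description> <port/proto>...

# Escape the characters that are special in XML element content
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

write_service_xml() {
    dir="$1"; name="$2"; desc="$3"; shift 3
    # Validate every port spec before touching the file system
    for spec in "$@"; do
        case "${spec#*/}" in
            tcp|udp|sctp|dccp) ;;
            *) echo "unsupported port spec: $spec" >&2; return 1 ;;
        esac
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            # "${spec%/*}" is the port part, "${spec#*/}" the protocol part
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# Demo: the myservice definition from this section, written to a temporary directory
demo_dir="$(mktemp -d)"
cat "$(write_service_xml "$demo_dir" myservice "My Custom Service" 8080/tcp 8443/tcp)"
```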
Part03-Rich Rules
3.1 Configuring rich rules
Rich rule syntax:
rule [family="ipv4|ipv6"]
source [not] address="address[/mask]" [mac="mac-address"]
destination [not] address="address[/mask]"
service name="service-name"
port port="port-number" protocol="tcp|udp"
protocol value="protocol-name"
icmp-block name="icmp-type-name"
masquerade
forward-port port="port-number" protocol="tcp|udp" to-port="port-number" to-addr="address"
log [prefix="prefix"] [level="level"] [limit value="rate"]
audit [limit value="rate"]
accept [limit value="rate"] | reject [type="type"] [limit value="rate"] | drop [limit value="rate"]
# Allow SSH from one subnet (without --zone, rich rules are added to the default zone)
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Reject all traffic from one host
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.100" reject'
# Allow a specific port
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="8080" protocol="tcp" accept'
# Port forwarding
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080"'
# Rate-limit new SSH connections (the limit follows the action it applies to)
$ sudo firewall-cmd --permanent --add-rich-rule='rule service name="ssh" accept limit value="3/m"'
# Log matching connections
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="ssh-access" level="notice" accept'
# View rich rules (runtime view; run --reload after --permanent changes so they appear)
$ sudo firewall-cmd --list-rich-rules
# Remove a rich rule
$ sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
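Permanent rich rules end up as <rule> elements in the zone file under /etc/firewalld/zones/ (the same file that --new-zone from Part01 creates), which is the form you audit or diff when reviewing a host. The following is an added example, not code from the original tutorial: a helper that renders one <rule> element from the fields of the grammar above, with the limit nested under the action as firewalld stores it, followed by the three rules from this section assembled into a zone file (the <short> value is a constructed placeholder).

```shell
#!/bin/sh
# Added example, not from the original tutorial: render a rich rule in the form that
# firewall-cmd --permanent writes into /etc/firewalld/zones/<zone>.xml.
# Usage: rich_rule_xml <family|-> <source-address|-> <service|-> <accept|reject|drop> [limit] [log-prefix]
rich_rule_xml() {
    family="$1"; src="$2"; svc="$3"; action="$4"; limit="${5:-}"; logprefix="${6:-}"
    case "$action" in
        accept|reject|drop) ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    # family is mandatory as soon as a source or destination address is used
    if [ "$src" != "-" ] && [ "$family" = "-" ]; then
        echo "family is required when an address is given" >&2; return 1
    fi
    if [ "$family" = "-" ]; then printf '  <rule>\n'; else printf '  <rule family="%s">\n' "$family"; fi
    [ "$src" = "-" ] || printf '    <source address="%s"/>\n' "$src"
    [ "$svc" = "-" ] || printf '    <service name="%s"/>\n' "$svc"
    [ -z "$logprefix" ] || printf '    <log prefix="%s" level="notice"/>\n' "$logprefix"
    # The limit is a child of the action element, not a sibling placed before it
    if [ -z "$limit" ]; then
        printf '    <%s/>\n' "$action"
    else
        printf '    <%s>\n      <limit value="%s"/>\n    </%s>\n' "$action" "$limit" "$action"
    fi
    printf '  </rule>\n'
}

# The three rules from this section, as they would appear in a zone file
zone_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>Custom</short>\n'
    rich_rule_xml ipv4 192.168.1.0/24 ssh accept "" ssh-access   # allow and log SSH from the LAN
    rich_rule_xml ipv4 10.0.0.100 - reject                        # reject one host outright
    rich_rule_xml - - ssh accept 3/m                              # rate-limited SSH accept
    printf '</zone>\n'
}

zone_xml
```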
Part04-Direct Rules
4.1 Configuring direct rules
# Rate-limit new SSH connections: the first rule (priority 0) records each source in the
# xt_recent table, the second (priority 1) drops a source that has reached 4 new connections within 60 seconds
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# View direct rules (runtime view; run --reload after the --permanent changes above so they appear)
$ sudo firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
ipv4 filter INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# Remove a direct rule
$ sudo firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
# View direct chains
$ sudo firewall-cmd --direct --get-chains ipv4 filter
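Once the two direct rules are active, the kernel keeps the per-source hit list for the -m recent match in /proc/net/xt_recent/DEFAULT (DEFAULT is the table name used when no --name is given). The following is an added defender-side check, not code from the original tutorial: it parses that table and reports sources whose recorded hits reach the --hitcount threshold, which is useful when verifying that the rate limit is actually tripping. Timestamps in the table are kernel jiffies, so the --seconds window is deliberately not evaluated here, and the sample table is constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Each line of /proc/net/xt_recent/DEFAULT
# describes one source, e.g. (constructed):
#   src=192.168.1.10 ttl: 64 last_seen: 4295089231 oldest_pkt: 0 4295085120, 4295087345
# Everything after "oldest_pkt: N" is the list of recorded hits in kernel jiffies.
# Usage: recent_over_threshold <table-file> <hitcount>   (prints "source hits" per line)
recent_over_threshold() {
    awk -v hc="$2" '
        /^src=/ {
            src = substr($1, 5)                      # drop the "src=" prefix
            for (i = 2; i <= NF; i++) if ($i == "oldest_pkt:") break
            rest = ""
            for (j = i + 2; j <= NF; j++) rest = rest $j   # join the timestamp tokens
            n = split(rest, stamps, ",")             # one entry per recorded hit
            if (n >= hc) print src, n
        }' "$1"
}

# Constructed sample table (not a capture from a real host); on a live system pass
# /proc/net/xt_recent/DEFAULT instead.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
src=192.168.1.10 ttl: 64 last_seen: 4295089231 oldest_pkt: 0 4295089231
src=10.0.0.100 ttl: 64 last_seen: 4295090700 oldest_pkt: 1 4295089100, 4295089500, 4295090100, 4295090700
src=172.16.5.5 ttl: 63 last_seen: 4295091000 oldest_pkt: 2 4295090000, 4295090400, 4295091000
EOF
echo "sources at or above hitcount 4:"
recent_over_threshold "$sample" 4
rm -f "$sample"
```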
Part05-ICMP Configuration
5.1 Managing ICMP types
# List ICMP types
$ sudo firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
# Block an ICMP type
$ sudo firewall-cmd --zone=public --add-icmp-block=echo-request
# Allow the ICMP type again
$ sudo firewall-cmd --zone=public --remove-icmp-block=echo-request
# Block all ICMP (block inversion: only the types listed under icmp-blocks are then allowed, so with none listed all ICMP is blocked)
$ sudo firewall-cmd --zone=public --add-icmp-block-inversion
# Allow all ICMP again (turn block inversion off)
$ sudo firewall-cmd --zone=public --remove-icmp-block-inversion
# View blocked ICMP types
$ sudo firewall-cmd --zone=public --list-icmp-blocks
1. Use zones to manage networks
2. Create custom services
3. Use rich rules for complex logic
4. Review rules regularly
5. Persist all configuration (--permanent followed by --reload)
This document was compiled and published by Feng Ge Tutorials for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
