Firewall configuration

firewall

In CentOS 7 the firewall is managed by firewalld, which is installed by default.

Differences from iptables

  1. iptables can only be configured from the command line; firewalld also provides a graphical interface, similar to operating the Windows firewall;
  2. Every single change to iptables means flushing all old rules and re-reading all new rules from /etc/sysconfig/iptables; firewalld applies only the differences after a rule change, so settings can be changed while firewalld is running without losing existing connections;
  3. The iptables configuration file is /etc/sysconfig/iptables; firewalld's configuration lives in various XML files under /usr/lib/firewalld/ and /etc/firewalld/;
  4. iptables has no daemon and cannot be regarded as a real service; firewalld has a daemon;
  5. iptables controls services by controlling ports, while firewalld controls ports by controlling protocols;
  6. firewalld denies by default; iptables allows by default.

firewall service

# check service status
service firewalld status
systemctl status firewalld
firewall-cmd --state

# start
service firewalld start
systemctl start firewalld

# restart
service firewalld restart
systemctl restart firewalld

# stop
service firewalld stop

# reload
firewall-cmd --reload    # after every change to rules or configuration, reload so it takes effect!
# note: --reload makes the --permanent configuration the new runtime configuration;
# runtime-only changes (made without --permanent) are lost on reload

Start at boot

# enable start at boot
systemctl enable firewalld
# disable start at boot (does not stop the running service; use "systemctl stop firewalld" for that)
systemctl disable firewalld

firewalld zones and configuration rules

Loose mode: use trusted as the zone and write individually rejected source IP addresses into block; suitable for scenarios where few sources are rejected and many are allowed.
Strict mode: use block as the zone and write individually allowed source IP addresses into trusted; suitable for scenarios where few sources are allowed and many are rejected.

# default is public
-public:    only allows access to a few services on this host: sshd, dhcp, ping
-trusted:   allows any access
-block:     rejects any incoming request (explicit reject)
-drop:      drops any incoming packet (silently discarded, no response to the client, saves resources)

Firewalld provides nine zone configuration files by default: block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml and work.xml, all stored in the **/usr/lib/firewalld/zones/** directory.
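As an added example (not part of the original post), the following shell script turns the loose/strict policy described above into a repeatable procedure: it validates each source address, sets the default zone, and binds the listed sources to the exception zone with --change-source, which moves a source that is already bound to another zone (a source may belong to one zone only). The addresses are constructed, and the FIREWALL_CMD variable is an assumption of this script: it defaults to printing the commands and must be set to firewall-cmd to apply them as root.

```sh
#!/bin/sh
# Added example (not from the original post): apply the "strict" or "loose"
# zone policy.  Commands are only printed by default; set
# FIREWALL_CMD=firewall-cmd to apply them for real (requires root).
FIREWALL_CMD="${FIREWALL_CMD:-echo firewall-cmd}"

# is_cidr4 ADDR: accept a.b.c.d or a.b.c.d/NN (octets 0-255, prefix 0-32).
is_cidr4() {
    ip="${1%/*}"
    if [ "$ip" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_policy DEFAULT_ZONE EXCEPTION_ZONE SOURCE...: make DEFAULT_ZONE the
# default zone and bind each SOURCE to EXCEPTION_ZONE.  --change-source moves
# a source that is already bound to another zone, since a source can be in
# one zone only.  Nothing is applied if any SOURCE is malformed.
set_policy() {
    default_zone="$1"; exception_zone="$2"; shift 2
    for src in "$@"; do
        is_cidr4 "$src" || { echo "invalid IPv4 source: $src" >&2; return 1; }
    done
    $FIREWALL_CMD --set-default-zone="$default_zone"
    for src in "$@"; do
        $FIREWALL_CMD --permanent --zone="$exception_zone" --change-source="$src"
    done
    $FIREWALL_CMD --reload
}

# strict mode: block everything, allow only the listed sources
strict_mode() { set_policy block trusted "$@"; }
# loose mode: trust everything, reject only the listed sources
loose_mode()  { set_policy trusted block "$@"; }

# demo with constructed addresses: prints the commands it would run
strict_mode 10.10.67.40 192.168.127.0/24
```

Run it as-is to preview the commands; run it with FIREWALL_CMD=firewall-cmd as root to apply them. Validation happens before the first firewall-cmd call so a typo in one address never leaves the zones half-changed.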

View the default zone
firewall-cmd --get-default-zone    # the default is public
Change the default zone
# change the default zone to trusted
firewall-cmd --set-default-zone=trusted
Add a service to a zone
# show all configuration of the public zone; the ping service is not listed
firewall-cmd --zone=public --list-all

# runtime: add http to the public zone; http can now be accessed
firewall-cmd --zone=public --add-service=http

# runtime: add ftp to the public zone; ftp can now be accessed
firewall-cmd --zone=public --add-service=ftp

# permanent add: written to the corresponding configuration file
firewall-cmd --zone=public --add-service=http --permanent

# permanently remove the dhcpv6-client service from public
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
Deny source IP

A source IP can be in only one zone: if it is in the block zone, it cannot also be in the trusted zone.

# firewall-cmd --zone=block --add-source=10.10.67.40 --permanent

firewall-cmd rule configuration

View rules
firewall-cmd --list-all

ports: open and exposed ports (including IPv4 and IPv6)
rich rules: custom firewall rules; flexible and very practical (can restrict by IPv4/IPv6 family, source address, etc.)

Port policy
# list ports (permanent configuration)
firewall-cmd --permanent --list-ports
# list all currently open ports (runtime)
firewall-cmd --list-ports

# check whether port 8080 is open
firewall-cmd --query-port=8080/tcp
# open port 80
firewall-cmd --permanent --add-port=80/tcp
# open port 3306 (--permanent: persists; without it the rule is lost when the firewall restarts)
firewall-cmd --zone=public --add-port=3306/tcp --permanent
# close the opened port 3306
firewall-cmd --zone=public --remove-port=3306/tcp --permanent

# remove a port
firewall-cmd --permanent --remove-port=8080/tcp

firewall-cmd: the tool Linux provides to operate the firewall;
permanent: indicates that the setting is persistent;
add-port: identifies the port to add;

Separate restrictions for the IPv4 and IPv6 families
# ipv4
# the default zone is public
# add a port
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="3306" accept'
# remove the port
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" port protocol="tcp" port="3306" accept'

# ipv6
# add a port
firewall-cmd --permanent --add-rich-rule='rule family="ipv6" port protocol="tcp" port="3306" accept'
# remove the port
firewall-cmd --permanent --remove-rich-rule='rule family="ipv6" port protocol="tcp" port="3306" accept'

# show the rules that have been set
firewall-cmd --zone=public --list-rich-rules
Open all ports for an IP range
# add
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.127.0/24" accept'
# remove
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.127.0/24" accept'

firewall-cmd --reload
Restrict access sources and access ports
# restrict a specific IP
# (the rule is wrapped in single quotes so the inner double quotes reach firewalld intact;
#  nesting double quotes inside double quotes lets the shell strip them)
# add
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.21.4" port protocol="tcp" port="3005-3007" accept'
# remove
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.21.4" port protocol="tcp" port="3005-3007" accept'

# restrict an IP range
# add
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.254.0.0/16" accept'
# remove
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.254.0.0/16" accept'
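Added example (not from the original post) for the rich rules above: this script builds the rule text in one place with its double quotes intact, validates family, protocol, port range and action before anything is applied, and treats an empty source as "any source" so that case stands out in review. The addresses are constructed, and FIREWALL_CMD is an assumption of the script: it defaults to printing the commands and must be set to firewall-cmd to apply them as root.

```sh
#!/bin/sh
# Added example (not from the original post): build firewalld rich rules with
# correct quoting and validated input, then add or remove them.  Commands are
# printed by default; set FIREWALL_CMD=firewall-cmd to apply them (root).
FIREWALL_CMD="${FIREWALL_CMD:-echo firewall-cmd}"

# valid_port SPEC: a single port 1-65535 or an ascending range LOW-HIGH.
valid_port() {
    low="${1%-*}"; high="${1#*-}"
    for p in "$low" "$high"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# rich_rule FAMILY SOURCE PROTO PORTSPEC ACTION: print the rule text.
# SOURCE may be "" to match any source; the ports are then open to the
# whole zone, which is worth flagging when reviewing the generated rules.
rich_rule() {
    family="$1"; source="$2"; proto="$3"; ports="$4"; action="$5"
    case "$family" in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$action" in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    valid_port "$ports" || { echo "bad port spec: $ports" >&2; return 1; }
    rule="rule family=\"$family\""
    [ -n "$source" ] && rule="$rule source address=\"$source\""
    printf '%s port port="%s" protocol="%s" %s\n' "$rule" "$ports" "$proto" "$action"
}

# add_rich_rule / remove_rich_rule: same arguments as rich_rule.  The rule is
# passed to firewall-cmd as one argument ("$rule"), so the shell never sees
# the inner double quotes as its own quoting.
add_rich_rule() {
    rule=$(rich_rule "$@") || return 1
    $FIREWALL_CMD --permanent --add-rich-rule="$rule"
}
remove_rich_rule() {
    rule=$(rich_rule "$@") || return 1
    $FIREWALL_CMD --permanent --remove-rich-rule="$rule"
}

# demo with constructed addresses: allow 192.168.21.4 to reach tcp 3005-3007,
# and open tcp 3306 over IPv6 to any source (printed, not applied)
add_rich_rule ipv4 192.168.21.4 tcp 3005-3007 accept
add_rich_rule ipv6 "" tcp 3306 accept
```

In preview mode the printed line shows the rule text with its double quotes; when FIREWALL_CMD is the real binary the same text is delivered as a single argument, which is exactly what wrapping the rule in single quotes achieves on the command line. Remember that --permanent changes need firewall-cmd --reload to take effect.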
Trust the docker, tunl0 and calico interfaces (common on k8s)
# note: if several zones are in use (for example trusted and public), pass the zone explicitly when adding a rule, otherwise firewall-cmd prints a warning
# for example: --zone=public
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=trusted --change-interface=tunl0
firewall-cmd --permanent --zone=trusted --change-interface=calixxx
firewall-cmd --reload

# list the trusted interfaces
firewall-cmd --zone=trusted --list-interfaces
Local port mapping

Port redirection for a local application (8080 -> 80). Scenario: client requests to port 8080 are automatically mapped to local port 80.

# map 8080 to 80
firewall-cmd --permanent --zone=public --add-forward-port=port=8080:proto=tcp:toport=80

firewall-cmd --reload
Clear all rules
# run as root
# takes the "ports:" line of --list-all (head -n 1 skips "forward-ports:" and "source-ports:"),
# splits it into one port per line, drops the empty token left by the leading space,
# and removes each port; forward-ports, rich rules and services are not touched
firewall-cmd --permanent --list-all | grep ports | head -n 1 | \
    cut -d: -f2 | tr ' ' '\n' | grep -v '^$' | \
    xargs -I {} firewall-cmd --permanent --remove-port={}

firewall-cmd --reload
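Added example (not from the original post): the one-liner above removes the entries of the ports: line only, so forward-ports, rich rules and services stay in place. The script below parses firewall-cmd --list-all output read from stdin (a constructed sample is embedded so it runs offline), prints the removal commands for review instead of executing them, and reports what a port sweep would leave behind. The function names and the sample are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): parse `firewall-cmd --list-all`
# output and generate the port-removal commands the one-liner above builds,
# reporting the forward-ports and rich rules that such a sweep leaves in place.
# Every function reads the --list-all text on stdin.

# ports_of: print each entry of the "ports:" line, one per line.
# Matching on the first field skips "forward-ports:" and "source-ports:".
ports_of() {
    awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
}

# forward_ports_of: entries of the "forward-ports:" line
forward_ports_of() {
    awk '$1 == "forward-ports:" { for (i = 2; i <= NF; i++) print $i }'
}

# rich_rules_of: the indented "rule ..." lines printed under "rich rules:"
rich_rules_of() {
    awk '$1 == "rule" { print substr($0, index($0, "rule")) }'
}

# remove_port_cmds: one firewall-cmd invocation per open port (printed, not run)
remove_port_cmds() {
    ports_of | while read -r port; do
        printf 'firewall-cmd --permanent --remove-port=%s\n' "$port"
    done
}

# leftover_rules: print the rules a port sweep does not remove;
# returns 1 when any exist so a caller can stop and review them
leftover_rules() {
    input=$(cat)
    left=$( { printf '%s\n' "$input" | forward_ports_of
              printf '%s\n' "$input" | rich_rules_of; } )
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# constructed sample of `firewall-cmd --permanent --list-all` for a public
# zone (firewalld indents rich rules with a tab; spaces work the same here)
SAMPLE_LIST_ALL='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 80/tcp 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: port=8080:proto=tcp:toport=80:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.127.0/24" accept'

# demo on the sample: the removal commands, then anything a sweep would miss
printf '%s\n' "$SAMPLE_LIST_ALL" | remove_port_cmds
printf '%s\n' "$SAMPLE_LIST_ALL" | leftover_rules || echo "a port sweep would leave the rules above in place"
```

On a live host, feed the real output: firewall-cmd --permanent --list-all | remove_port_cmds prints the commands for review, and piping that output into sh as root applies them, followed by firewall-cmd --reload. Run leftover_rules on the same output first so forward-ports and rich rules are removed deliberately rather than forgotten.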

Origin blog.csdn.net/qq_41210783/article/details/133089034