Firewalld
1. Firewalld introduces the concept of zones. The commonly used zones are drop, public and trusted, as shown in the figure below:
Figure: Firewalld relationship diagram
2. Note how zones and interfaces relate in Firewalld:
1) A network interface can be bound to only one zone. For example: eth0 --> zone A
2) A zone, however, can be bound to several interfaces. For example: zone B --> eth0, eth1
3) Different rules can be set according to the source address. For example: everyone may access port 80, but only the company's addresses may access port 22
3. To manage the firewall with the firewalld service and its tools, the firewalld service must be running and the legacy firewall (iptables) must be disabled at the same time. Note the two states of the firewall configuration:
1) runtime state: takes effect immediately; a changed rule applies at once but is lost on restart.
2) permanent state: persists across restarts; after changing a rule the service must be reloaded for it to take effect.
Disable the legacy firewall services
[root@lb01 ~]# systemctl mask iptables
[root@lb01 ~]# systemctl mask ip6tables
Start the firewalld firewall
[root@lb01 ~]# systemctl start firewalld.service
4拓哺、Firewall 區(qū)域查看
查看默認區(qū)域
root@lb01 ~]# firewall-cmd --get-default-zone
public
[root@lb01 ~]#
View the active zones
[root@lb01 ~]# firewall-cmd --get-active-zones
View the rule details of a zone
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@lb01 ~]#
5. Firewalld exercise
1. Combine the rules of the different zones so that the default public zone rejects all traffic, but all traffic is allowed if the source IP is 10.0.0.8/32
[root@lb01 ~]# firewall-cmd --remove-service=ssh --remove-service=dhcpv6-client
success
[root@lb01 ~]#
[root@lb01 ~]# firewall-cmd --add-source=10.0.0.8/32 --zone=trusted
success
[root@lb01 ~]#
Test: log in to this machine from host 10.0.0.8
6. Firewalld port and service rules
# Allow ports
[root@m01 ~]# firewall-cmd --add-port={80,8080,9090}/tcp # add several ports at once
success
[root@m01 ~]# firewall-cmd --remove-port=80/tcp # remove a port
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 8080/tcp 9090/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Allow services
[root@m01 ~]# firewall-cmd --add-service=http
[root@m01 ~]# firewall-cmd --remove-service=http
* Defining a Firewalld service. Note that the service name is the name used to refer to the service on the command line, and the file name must end in .xml
[root@lb01 /usr/lib/firewalld/services]# cat http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="80"/>
</service>
[root@lb01 /usr/lib/firewalld/services]#
[root@lb01 /usr/lib/firewalld/services]# touch zibbax.xml
[root@lb01 /usr/lib/firewalld/services]# vim zibbax.xml
[root@lb01 /usr/lib/firewalld/services]# systemctl restart firewalld
[root@lb01 /usr/lib/firewalld/services]# firewall-cmd --add-service=zibbax
success
[root@lb01 /usr/lib/firewalld/services]# cat zibbax.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>zibbax (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="10051"/>
</service>
[root@lb01 /usr/lib/firewalld/services]#
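As an added example (not from these notes or from firewalld itself), the following script generates a service definition like the one above from validated arguments and writes it to /etc/firewalld/services, the admin-owned directory that takes precedence over the package-owned /usr/lib/firewalld/services; the service name and ports shown in the comments are hypothetical.

```shell
# Added example, not from the original notes: write a custom service definition
# from validated input instead of hand-editing XML, and place it in
# /etc/firewalld/services (admin-owned, overrides the package-owned
# /usr/lib/firewalld/services used above). Override the directory for testing.
: "${FIREWALLD_SERVICES_DIR:=/etc/firewalld/services}"

# Escape the characters that would otherwise break the XML text nodes.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# make_service NAME "SHORT DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# Prints the path of the written file; returns 1 on invalid input.
make_service() {
    name=$1; short=$2; shift 2
    # The name becomes a file name and a firewall-cmd argument: keep it to a safe set.
    case $name in ''|*[!A-Za-z0-9._-]*|.*) echo "invalid service name: '$name'" >&2; return 1;; esac
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        # PORT may be a single port or a range such as 8000-8100.
        case $spec in
            [0-9]*/tcp|[0-9]*/udp|[0-9]*/sctp|[0-9]*/dccp) ;;
            *) echo "bad port spec: '$spec' (expected PORT/tcp|udp|sctp|dccp)" >&2; return 1;;
        esac
        case ${spec%/*} in *[!0-9-]*) echo "bad port: '$spec'" >&2; return 1;; esac
    done
    file="$FIREWALLD_SERVICES_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>Custom service %s, generated by make_service.</description>\n' "$name"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" && chmod 0644 "$file" && echo "$file"
}

# On a real host, after writing the file (hypothetical name example-agent):
#   make_service example-agent "Example agent" 10050/tcp 10051/tcp
#   firewall-cmd --reload                       # picks up the new definition, no restart needed
#   firewall-cmd --info-service=example-agent   # confirm firewalld parsed it
#   firewall-cmd --permanent --add-service=example-agent && firewall-cmd --reload
```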
7. Firewalld rich rules (in rich rules, reject takes priority)
Rich rules in Firewalld express finer-grained, more detailed firewall policy. They can match on system service, port number, source address, destination address and much more, allowing more targeted policy configuration, and they have the highest priority of all firewall rules.
[root@Firewalld ~]# man firewall-cmd # help manual
[root@Firewalld ~]# man firewalld.richlanguage # rich rule manual
rule
[source]
[destination]
service name |port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
service name="service name"
port port="port value" protocol="tcp|udp"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
accept | reject [type="reject type"] | drop
Example 1. Allow host 10.0.0.1 to access the HTTP service, and allow 172.16.1.0/24 to access port 22
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 port port=80 protocol=tcp accept'
success
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp accept'
success
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" port port="80" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept
# This is a runtime (temporary) configuration; a permanent one needs --permanent
Example 2. The default public zone allows everyone to connect via the ssh service, but deny the 172.16.1.0/24 subnet from connecting to the server via ssh
[root@lb01 ~]# firewall-cmd --add-service=ssh
success
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp drop'
success
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop
[root@lb01 ~]#
# This is a runtime (temporary) configuration; a permanent one needs --permanent
Example 3. With firewalld, allow everyone to access the http and https services, but only host 10.0.0.1 may access the ssh service
[root@lb01 ~]# firewall-cmd --add-service=http --permanent
success
[root@lb01 ~]# firewall-cmd --add-service=https --permanent
success
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 port port=22 protocol=tcp accept' --permanent
success
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" port port="22" protocol="tcp" accept
Permanent configuration is ultimately saved in this file (/etc/firewalld/zones/public.xml). If there are many rules, you can edit the configuration file directly and then reload.
[root@lb01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<rule family="ipv4">
<source address="10.0.0.1/32"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
</zone>
[root@lb01 ~]#
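Section 3 distinguishes runtime from permanent state, and the examples above note that rules added without --permanent are temporary; as an added example (not from these notes), this script flattens two firewall-cmd --list-all listings and reports which items exist only at runtime or only in the permanent configuration. The sample listings are constructed to mirror example 3.

```shell
# Added example, not from the original notes: report drift between a zone's
# runtime and permanent configuration. "runtime only" items were added without
# --permanent and vanish at the next reload or reboot; "permanent only" items
# were added with --permanent and are not enforced until firewall-cmd --reload.

# Flatten one `firewall-cmd --list-all` listing into sorted "key=value" lines
# (one per service, port or rich rule) so two listings can be compared with comm.
normalize_listing() {
    awk '
        NR == 1 { next }                       # zone header, e.g. "public (active)"
        /^[ \t]*[a-z][a-z -]*:/ {              # "  services: ssh http"
            i = index($0, ":"); key = substr($0, 1, i - 1); gsub(/^[ \t]+/, "", key)
            n = split(substr($0, i + 1), v, /[ \t]+/)
            for (j = 1; j <= n; j++) if (v[j] != "") print key "=" v[j]
            next
        }
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)   # indented rich rule line
          if (line != "") print key "=" line }
    ' | sort -u
}

# zone_drift RUNTIME_LISTING PERMANENT_LISTING: prints every difference, returns 1 if any.
zone_drift() {
    r=$(mktemp) && p=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_listing > "$r"
    printf '%s\n' "$2" | normalize_listing > "$p"
    comm -23 "$r" "$p" | sed 's/^/runtime only (lost on reload\/reboot): /'
    comm -13 "$r" "$p" | sed 's/^/permanent only (inactive until --reload): /'
    n=$(comm -3 "$r" "$p" | awk 'END { print NR }')
    rm -f "$r" "$p"
    [ "$n" -eq 0 ]
}

# On a real host compare the live zone, e.g. check_zone public (exit status 1 = drift).
check_zone() {
    zone_drift "$(firewall-cmd --zone="$1" --list-all)" \
               "$(firewall-cmd --permanent --zone="$1" --list-all)"
}
# Constructed listings mirroring example 3: http/https and the 10.0.0.1 rich rule
# were added with --permanent, but the runtime still carries the old policy.
SAMPLE_RUNTIME='public (active)
  interfaces: eth0
  services: ssh dhcpv6-client
  rich rules:
	rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop'
SAMPLE_PERMANENT='public
  interfaces: eth0
  services: http https
  rich rules:
	rule family="ipv4" source address="10.0.0.1/32" port port="22" protocol="tcp" accept'
```

Running zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" lists ssh, dhcpv6-client and the drop rule as runtime only, and http, https and the accept rule as permanent only.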
8. Sharing Internet access for internal hosts with Firewalld
Step 1: enable firewalld's masquerade function
[root@lb01 ~]# firewall-cmd --add-masquerade --permanent
success
[root@lb01 ~]# systemctl reload firewalld
[root@lb01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@lb01 ~]#
Step 2: configure the network interface configuration file on the internal host:
[root@lb02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.5
IPADDR=172.16.1.6
PREFIX=24
DNS1=223.5.5.5
[root@lb02 ~]# systemctl restart network
[root@lb02 ~]# ifdown eth0
[root@lb02 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.149) 56(84) bytes of data.
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=1 ttl=127 time=8.93 ms
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=2 ttl=127 time=8.02 ms
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=3 ttl=127 time=5.95 ms
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.950/7.638/8.935/1.249 ms