服務器維護CentOS 7.0防火墻Firewalld和服務相關配置

2020-06-25 11:16 作者：admin

服務器維護CentOS 7.0防火墻Firewalld和服務相關配置

服務器維護小知識CentOS 7.0版本之后相對于以前的版本更改行還是很大的，原先在6.5版本之前命令和配置文件大致都差不多，自7.0版本之后一些功能都有較大的改變，接下來會從防火墻和服務的相關配置來進行剖析。
服務器維護小知識（一）防火墻firewall的相關介紹及配置
CentOS 7中防火墻是一個非常的強大的功能，在CentOS 6.5中在iptables防火墻中進行了升級了。(he dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly-----官方文檔)
服務器維護小知識firewall--區域zone
網絡區域定義了網絡連接的可信等級。這是一個 一對多的關系，這意味著一次連接可以僅僅是一個區域的一部分，而一個區域可以用于很多連接。那個區域是否可用室友firewall提供的區域按照從不信任到信任的順序排序。
服務器維護小知識firewall 分類
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
服務器維護小知識firewall相關的配置:
1，系統配置目錄：/usr/lib/firewalld
[root@linuxidc firewalld]# cd /usr/lib/firewalld
[root@linuxidc firewalld]# ls
icmptypes  services  xmlschema  zones
[root@linuxidc firewalld]# cd services/
[root@linuxidc services]# ls
amanda-client.xml        high-availability.xml  ldap.xml        pmproxy.xml        samba.xml
bacula-client.xml        https.xml              libvirt-tls.xml  pmwebapis.xml      smtp.xml
bacula.xml              http.xml              libvirt.xml      pmwebapi.xml        ssh.xml
dhcpv6-client.xml        imaps.xml              mdns.xml        pop3s.xml          telnet.xml
dhcpv6.xml              ipp-client.xml        mountd.xml      postgresql.xml      tftp-client.xml
dhcp.xml                ipp.xml                ms-wbt.xml      proxy-dhcp.xml      tftp.xml
dns.xml                  ipsec.xml              mysql.xml        radius.xml          transmission-client.xml
freeipa-ldaps.xml        iscsi-target.xml      nfs.xml          RH-Satellite-6.xml  vdsm.xml
freeipa-ldap.xml        kerberos.xml          ntp.xml          rpc-bind.xml        vnc-server.xml
freeipa-replication.xml  kpasswd.xml            openvpn.xml      rsyncd.xml          wbem-https.xml
ftp.xml                  ldaps.xml              pmcd.xml        samba-client.xml
[root@linuxidc services]#
注意：目錄中存放定義好的網絡服務和端口參數，系統參數，不能修改。
2，用戶配置目錄：/etc/firewalld/
[root@linuxidc firewalld]# cd /etc/firewalld/
[root@linuxidc firewalld]# ls
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones
3,用戶如何自定義添加端口，分為使用命令行添加和修改相關的配置文件。
3.1，使用命令的方式添加
[root@linuxidc services]# firewall-cmd --zone=public --permanent --add-port=8080/tcp 
success
[root@linuxidc services]# firewall-cmd --reload
CentOS 7防火墻服務FirewallD指南  http://www.linuxidc.com/Linux/2016-10/136431.htm
firewalld和iptables 詳解  http://www.linuxidc.com/Linux/2017-03/141434.htm
CentOS7下Firewalld防火墻使用實例  http://www.linuxidc.com/Linux/2017-01/139637.htm
服務器維護小知識CentOS 7下FirewallD使用簡介  http://www.linuxidc.com/Linux/2016-11/137093.htm
服務器維護小知識參數介紹：
1、firewall-cmd：是Linux提供的操作firewall的一個工具；
2、--permanent：表示設置為持久；
3、--add-port：標識添加的端口
4、--zone:指定某個區域
5、firewall-cmd --reload ：重啟生效
 
3.2修改配置文件方式添加端口
[root@linuxidc zones]# vim /usr/lib/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. O
nly selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
</zone>
服務器維護小知識firewall常用命令：
1，重啟，關閉開啟firewall.service服務
[root@linuxidc zones]# service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
[root@linuxidc zones]# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service
[root@linuxidc zones]# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
2，查看firewalld服務狀態：
[root@linuxidc zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: active (running) since Wed 2017-04-19 11:10:50 CST; 43s ago
 Main PID: 4290 (firewalld)
  CGroup: /system.slice/firewalld.service
          └─4290 /usr/bin/Python -Es /usr/sbin/firewalld --nofork --nopid
Apr 19 11:10:50 linuxidc systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 19 11:10:50 linuxidc systemd[1]: Started firewalld - dynamic firewall daemon.
3，查看firewall的狀態
[root@linuxidc zones]# firewall-cmd --state 
running
4,查看防火墻firewall規則
[root@linuxidc ~]# firewall-cmd --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 10050/tcp 8080/tcp 10051/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
后注：如果感覺firewall防火墻玩不好，可以關閉firewall而安裝iptables,具體步驟如下
[root@linuxidc ~]# service firewalld stop                    ####停止firewalld服務
Redirecting to /bin/systemctl stop  firewalld.service                         
[root@linuxidc ~]# systemctl disable firewalld.service  ####禁止firewalld開機啟動
[root@linuxidc ~]# yum install iptables-services    #####安裝iptables
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                                                          | 3.6 kB  00:00:00     
epel                                                                                          | 4.3 kB  00:00:00     
extras                                                                                        | 3.4 kB  00:00:00     
updates                                                                                      | 3.4 kB  00:00:00 
[root@linuxidc ~]# vim /etc/sysconfig/iptables        ########編輯iptables配置文件
[root@linuxidc ~]#service iptables start                  #開啟
[root@linuxidc ~]#systemctl enable iptables.service      #設置防火墻開機啟動
IT運維  我們選擇北京艾銻無限
以上文章由北京艾銻無限科技發展有限公司整理