CentOS 7 巨大变动之 firewalld 取代 iptables

前端之家收集整理的这篇文章主要介绍了CentOS 7 巨大变动之 firewalld 取代 iptables前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

转自http://www.Oracle-base.com/articles/Linux/linux-firewall-firewalld.PHP?utm_source=tuicool

Fedora 18 introducedfirewalldas a replacement for the prevIoUsiptables service. Since RHEL7 and Oracle Linux 7 are based on Fedora 19,the switch fromiptables servicetofirewalldis now part of the Enterprise Linux distributions. This article is a rework of theprevious Linux Firewall article,bringing it up to date.

Note. You need to distinguish between theiptables serviceand theiptablescommand. Althoughfirewalldis a replacement for the firewall management provided byiptables service,it still uses theiptablescommand for dynamic communication with the kernel packet filter (netfilter). So it is only theiptables servicethat is replaced,not theiptablescommand. That can be a confusing distinction at first.

Related articles.

Reverting to the iptables Service

If you are not ready to make the break tofirewalld,you can still use theiptables serviceby issuing the following commands.

#systemctlstopfirewalld
#systemctldisablefirewalld

#iptables-service

#touch/etc/sysconfig/iptables
#systemctlstartiptables
#systemctlenableiptables

#touch/etc/sysconfig/ip6tables
#systemctlstartip6tables
#systemctlenableip6table

From this point forward,firewall administration will be similar to that describedhere.

The rest of this article assumes you are going to usefirewalld.

Installation

Most installations will include the firewall functionality,but if you need to manually install it,do the following.

#yuminstallfirewalldfirewall-config

Make sure the service is started and will auto-start on reboot.

#systemctlstartfirewalld.service
#systemctlenablefirewalld.service

You can check the current status of the service using the following command.

#systemctlstatusfirewalld
firewalld.service-firewalld-dynamicfirewalldaemon
Loaded:loaded(/usr/lib/systemd/system/firewalld.service;enabled)
Active:active(running)sinceSun2014-04-2014:06:46BST;30sago
MainPID:13246(firewalld)
CGroup:/system.slice/firewalld.service
└─13246/usr/bin/python/usr/sbin/firewalld--nofork--nopid

Apr2014:06:44localhost.localdomainsystemd[1]:Startingfirewalld-dynamicfirewalldaemon...
Apr2014:06:46localhost.localdomainsystemd[1]:Startedfirewalld-dynamicfirewalldaemon.
#

To disable the firewall,run the following commands.

#systemctlstopfirewalld.service
#systemctldisablefirewalld.service

firewall-config

The GUI screen to control the firewall is available from the menu.

  • Fedora : System > Administration > Firewall

  • RHEL7/OL7 : Applications > Sundry > Firewall

Alternatively,if can be started from the command line using thefirewall-configcommand. If it is not already present,it can be installed using the following command.

#yuminstallfirewall-config

Once started,the "Configuration:" drop-down allows you to decide if you are modifying currently running settings (Runtime) or those saved for future use (Permanent). You can also configure basic trusted services,such as SSH,FTP and HTTP,by putting a tick in the appropriate checkBox. All changes are applied immediately.

Firewall GUI - Trusted Services

The "Ports" tab allows you to manually open ports that are not covered in the "Trusted Services" section.

Firewall GUI - Other Ports

Remember,changes to the runtime configuration will be lost after the next reboot. If in doubt,make all changes to the permanent configuration and reload the runtime configuration using the "Options > Reload Firewalld" menu option.

firewall-cmd

In addition to the GUI interface,the firewall rules can be amended directly using thefirewall-cmdcommand. The full extent of the firewall configuration is beyond the scope of this article,so instead a few specific examples will be given to allow you to get a feel for it. This article also assumes you have a single network interface and are happy to keep it set to the default zone (public).

Thefirewall-cmdusage notes are displayed when you use the "-h" or "--help" options.

#firewall-cmd--help

Check the current top-level firewall configuration using the following commands.

#Checkfirewallstate.
firewall-cmd--state

#Checkactivezones.
firewall-cmd--get-active-zones

#Checkcurrentactiveservices.
firewall-cmd--get-service

#Checkservicesthatwillbeactiveafternextreload.
firewall-cmd--get-service--permanent

Lock down and unlock the firewall using the following commands.

#firewall-cmd--panic-on
success
#firewall-cmd--query-panic
yes
#firewall-cmd--panic-off
success
#firewall-cmd--query-panic
no
#

Reload the runtime configuration from the permanent files using the following command.

#firewall-cmd--reload

The firewall comes with predefined services,which are XML files is the "/usr/lib/firewalld/services/" directory.

#ls/usr/lib/firewalld/services/
amanda-client.xmlhttp.xmllibvirt.xmlpmwebapis.xmlssh.xml
bacula-client.xmlimaps.xmlmdns.xmlpmwebapi.xmltelnet.xml
bacula.xmlipp-client.xmlmountd.xmlpop3s.xmltftp-client.xml
dhcpv6-client.xmlipp.xmlms-wbt.xmlpostgresql.xmltftp.xml
dhcpv6.xmlipsec.xmlMysqL.xmlproxy-dhcp.xmltransmission-client.xml
dhcp.xmlkerberos.xmlnfs.xmlradius.xmlvnc-server.xml
dns.xmlkpasswd.xmlntp.xmlrpc-bind.xmlwbem-https.xml
ftp.xmlldaps.xmlopenvpn.xmlsamba-client.xml
high-availability.xmlldap.xmlpmcd.xmlsamba.xml
https.xmllibvirt-tls.xmlpmproxy.xmlsmtp.xml
#

You shouldn't edit these. Instead,copy a specific service file to the "/etc/firewalld/services/" directory and editing it there. Thefirewalldservice always uses files in "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory. Remember to reload the config after making any changes.

As with the GUI interface,you need to decide if you want to make changes to either the runtime configuration,permanent configuration or both. If you want to set both the runtime and permanent configuration you have two choices. Set them both independently,or set the permanent configuration and reload the firewall.

Add an existing service to a zone.

##Setruntimeandpermanentindependently.
#firewall-cmd--zone=public--add-service=https
#firewall-cmd--permanent--zone=public--add-service=https

or

##Setpermanentandreloadtheruntimeconfig.
#firewall-cmd--permanent--zone=public--add-service=https
#firewall-cmd--reload

All subsequent examples will assume you want to amend both the runtime and permanent configuration and will only set the permanent configuration and then reload the runtime configuration.

Once you've amended the default configuration,the "/etc/firewalld/zones/public.xml" file will be created. You can manually amend this file,but you will need to issue a reload for the changes to take effect.

Check the services in a zone.

#firewall-cmd--zone=public--list-services
dhcpv6-clienthttpsss
#firewall-cmd--permanent--zone=public--list-services
dhcpv6-clienthttpsss
#

Remove a service from a zone.

#firewall-cmd--permanent--zone=public--remove-service=https
#firewall-cmd--reload

Open a specific port or range in a zone,check its runtime and permanent configuration,then remove it.

#firewall-cmd--permanent--zone=public--add-port=8080-8081/tcp
#firewall-cmd--reload

#firewall-cmd--zone=public--list-ports
8080-8081/tcp
#firewall-cmd--permanent--zone=public--list-ports
8080-8081/tcp
#

#firewall-cmd--permanent--zone=public--remove-port=8080-8081/tcp
#firewall-cmd--reload

Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address.

#firewall-cmd--permanent--zone=public--add-rich-rule="rulefamily="ipv4"\
sourceaddress="192.168.0.4/24"servicename="http"accept"

The "/etc/firewalld/zones/public.xml" file now contains the rich rule.

<?xmlversion="1.0"encoding="utf-8"?>
<zone>
<short>Public</short>
<description>Foruseinpublicareas.Youdonottrusttheothercomputersonnetworks
tonotharmyourcomputer.Onlyselectedincomingconnectionsareaccepted.</description>
<servicename="dhcpv6-client"/>
<servicename="ssh"/>
<rulefamily="ipv4">
<sourceaddress="192.168.0.4/24"/>
<servicename="http"/>
<accept/>
</rule>
</zone>

The rule can be removed directly from the XML file,or removed using the "--remove-rich-rule" option.

#firewall-cmd--permanent--zone=public--remove-rich-rule="rulefamily="ipv4"\
sourceaddress="192.168.0.4/24"servicename="http"accept"

The following example opens and closes port 8080 for a specific source IP address using a rich rule.

#firewall-cmd--permanent--zone=public--add-rich-rule="rulefamily="ipv4"\
sourceaddress="192.168.0.4/24"\
portprotocol="tcp"port="8080"accept"

#cat/etc/firewalld/zones/public.xml
<?xmlversion="1.0"encoding="utf-8"?>
<zone>
<short>Public</short>
<description>Foruseinpublicareas.Youdonottrusttheothercomputersonnetworks
tonotharmyourcomputer.Onlyselectedincomingconnectionsareaccepted.</description>
<servicename="dhcpv6-client"/>
<servicename="ssh"/>
<rulefamily="ipv4">
<sourceaddress="192.168.0.4/24"/>
<portprotocol="tcp"port="8080"/>
<accept/>
</rule>
</zone>
#

#firewall-cmd--permanent--zone=public--remove-rich-rule="rulefamily="ipv4"\
sourceaddress="192.168.0.4/24"\
portprotocol="tcp"port="8080"accept"

Backups and Transfers of Firewall Configuration

As all non-default configuration is placed under the "/etc/firewalld/" directory,taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.

Not surprisingly,transferring the contents of this directory will allow you to duplicate the firewall configuration in other servers.

For more information see:

Hope this helps. Regards Tim...

猜你在找的CentOS相关文章