IT之道-艾锑知道

您当前位置: 主页 > 资讯动态 > 艾锑分享 >

服务器维护CentOS 7.0防火墙Firewalld和服务相关配置


2020-06-25 11:16 作者:admin

服务器维护CentOS 7.0防火墙Firewalld和服务相关配置

服务器维护小知识CentOS 7.0版本之后相对于以前的版本更改行还是很大的,原先在6.5版本之前命令和配置文件大致都差不多,自7.0版本之后一些功能都有较大的改变,接下来会从防火墙和服务的相关配置来进行剖析。
服务器维护小知识(一)防火墙firewall的相关介绍及配置
CentOS 7中防火墙是一个非常的强大的功能,在CentOS 6.5中在iptables防火墙中进行了升级了。(he dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly-----官方文档)
服务器维护小知识firewall--区域zone
网络区域定义了网络连接的可信等级。这是一个 一对多的关系,这意味着一次连接可以仅仅是一个区域的一部分,而一个区域可以用于很多连接。那个区域是否可用室友firewall提供的区域按照从不信任到信任的顺序排序。
服务器维护小知识firewall 分类
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
服务器维护小知识firewall相关的配置:
1,系统配置目录:/usr/lib/firewalld
[root@linuxidc firewalld]# cd /usr/lib/firewalld
[root@linuxidc firewalld]# ls
icmptypes  services  xmlschema  zones
[root@linuxidc firewalld]# cd services/
[root@linuxidc services]# ls
amanda-client.xml        high-availability.xml  ldap.xml        pmproxy.xml        samba.xml
bacula-client.xml        https.xml              libvirt-tls.xml  pmwebapis.xml      smtp.xml
bacula.xml              http.xml              libvirt.xml      pmwebapi.xml        ssh.xml
dhcpv6-client.xml        imaps.xml              mdns.xml        pop3s.xml          telnet.xml
dhcpv6.xml              ipp-client.xml        mountd.xml      postgresql.xml      tftp-client.xml
dhcp.xml                ipp.xml                ms-wbt.xml      proxy-dhcp.xml      tftp.xml
dns.xml                  ipsec.xml              mysql.xml        radius.xml          transmission-client.xml
freeipa-ldaps.xml        iscsi-target.xml      nfs.xml          RH-Satellite-6.xml  vdsm.xml
freeipa-ldap.xml        kerberos.xml          ntp.xml          rpc-bind.xml        vnc-server.xml
freeipa-replication.xml  kpasswd.xml            openvpn.xml      rsyncd.xml          wbem-https.xml
ftp.xml                  ldaps.xml              pmcd.xml        samba-client.xml
[root@linuxidc services]#
注意:目录中存放定义好的网络服务和端口参数,系统参数,不能修改。
2,用户配置目录:/etc/firewalld/
[root@linuxidc firewalld]# cd /etc/firewalld/
[root@linuxidc firewalld]# ls
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones
3,用户如何自定义添加端口,分为使用命令行添加和修改相关的配置文件。
3.1,使用命令的方式添加
[root@linuxidc services]# firewall-cmd --zone=public --permanent --add-port=8080/tcp 
success
[root@linuxidc services]# firewall-cmd --reload
CentOS 7防火墙服务FirewallD指南  http://www.linuxidc.com/Linux/2016-10/136431.htm
firewalld和iptables 详解  http://www.linuxidc.com/Linux/2017-03/141434.htm
CentOS7下Firewalld防火墙使用实例  http://www.linuxidc.com/Linux/2017-01/139637.htm
服务器维护小知识CentOS 7下FirewallD使用简介  http://www.linuxidc.com/Linux/2016-11/137093.htm
服务器维护小知识参数介绍:
1、firewall-cmd:是Linux提供的操作firewall的一个工具;
2、--permanent:表示设置为持久;
3、--add-port:标识添加的端口
4、--zone:指定某个区域
5、firewall-cmd --reload :重启生效
 
3.2修改配置文件方式添加端口
[root@linuxidc zones]# vim /usr/lib/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. O
nly selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
</zone>
服务器维护小知识firewall常用命令:
1,重启,关闭开启firewall.service服务
[root@linuxidc zones]# service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
[root@linuxidc zones]# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service
[root@linuxidc zones]# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
2,查看firewalld服务状态:
[root@linuxidc zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: active (running) since Wed 2017-04-19 11:10:50 CST; 43s ago
 Main PID: 4290 (firewalld)
  CGroup: /system.slice/firewalld.service
          └─4290 /usr/bin/Python -Es /usr/sbin/firewalld --nofork --nopid
Apr 19 11:10:50 linuxidc systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 19 11:10:50 linuxidc systemd[1]: Started firewalld - dynamic firewall daemon.
3,查看firewall的状态
[root@linuxidc zones]# firewall-cmd --state 
running
4,查看防火墙firewall规则
[root@linuxidc ~]# firewall-cmd --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 10050/tcp 8080/tcp 10051/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
后注:如果感觉firewall防火墙玩不好,可以关闭firewall而安装iptables,具体步骤如下
[root@linuxidc ~]# service firewalld stop                    ####停止firewalld服务
Redirecting to /bin/systemctl stop  firewalld.service                         
[root@linuxidc ~]# systemctl disable firewalld.service  ####禁止firewalld开机启动
[root@linuxidc ~]# yum install iptables-services    #####安装iptables
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                                                          | 3.6 kB  00:00:00     
epel                                                                                          | 4.3 kB  00:00:00     
extras                                                                                        | 3.4 kB  00:00:00     
updates                                                                                      | 3.4 kB  00:00:00 
[root@linuxidc ~]# vim /etc/sysconfig/iptables        ########编辑iptables配置文件
[root@linuxidc ~]#service iptables start                  #开启
[root@linuxidc ~]#systemctl enable iptables.service      #设置防火墙开机启动
IT运维  我们选择北京艾锑无限
以上文章由北京艾锑无限科技发展有限公司整理

相关文章

IT外包服务
二维码 关闭