Official documentation:
Before editing the firewall configuration files, back up the existing configuration (for example, copy /etc/firewalld).
After restarting or reloading the firewall, confirm that firewalld is running and that the rules were actually loaded. If the restart or the rule load fails, firewalld can end up blocking every request, so keep your current session open until the new state has been verified.
```shell
systemctl status firewalld      # status of the firewalld service (the unit is named firewalld, not firewall)
firewall-cmd --state            # prints "running" when the daemon is up
firewall-cmd --list-all         # runtime rules of the default zone (public unless changed);
                                # once edited, its permanent copy is /etc/firewalld/zones/public.xml
firewall-cmd --list-all-zones   # runtime rules of every zone: all files under /etc/firewalld/zones/
                                # plus the package defaults in /usr/lib/firewalld/zones/
firewall-cmd --reload           # reload the permanent configuration into the runtime
```
Method 1: edit /etc/firewalld/zones/public.xml, then restart firewalld or reload the configuration for the change to take effect.
[root@nginx01 zones]# cat public.xml
```xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <!-- allow UDP 514 from one source address -->
  <rule family="ipv4">
    <source address="122.x.x.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <!-- a port range ("10050-10051") may be given instead of a single port -->
  <rule family="ipv4">
    <source address="123.x.x.14"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
  <!-- allow one source address to one port and protocol -->
  <rule family="ipv4">
    <source address="192.x.x.114"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <!-- no <source>: any address may reach TCP 9527 -->
  <rule family="ipv4">
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>
```
Note that XML has no `#` comment syntax; annotations inside a zone file must use `<!-- -->`, or the file will not parse. After saving the file:
```shell
firewall-cmd --reload        # reload the edited file into the runtime ...
service firewalld restart    # ... or restart the service; either one applies the file
```
Method 2: add rules from the command line with --permanent; the change still needs a firewalld restart or a configuration reload before it is active.
```shell
firewall-cmd --permanent --add-port=9527/tcp    # add a permanent rule opening TCP 9527 in the default zone
success
# On success the rule is also written to /etc/firewalld/zones/public.xml:
#   <zone>
#     <short>xx.</short>
#     <description>xxx.</description>
#     <port protocol="tcp" port="9527"/>
#   </zone>
service firewalld restart                       # restart, or ...
firewall-cmd --reload                           # ... reload, to move the permanent rule into the runtime
firewall-cmd --list-all                         # the port now appears under "ports:"
firewall-cmd --query-port=9527/tcp              # "yes" if the rule is active in the runtime configuration
firewall-cmd --permanent --query-port=9527/tcp  # "yes" if it is in the saved configuration; this alone
                                                # does not prove the rule has been loaded
```
firewall-cmd --zone=public --add-port=80/tcp --permanent    add a permanent rule to the public zone;
firewall-cmd --reload    reload the firewall;
firewall-cmd --permanent --zone=public --add-masquerade    enable masquerading (NAT) on the zone so hosts routed through this machine can reach the outside;
Rich rules, the standard form of per-source rules in /etc/firewalld/zones/public.xml, can also be added from the command line:
```shell
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=122.x.x.234 port port=5234 protocol=tcp drop'
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=122.x.x.234 port port=80 protocol=tcp accept'
firewall-cmd --reload
[root@nginx02 ~]# firewall-cmd --list-all
public (default, active)
  interfaces: em1
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="122.x.x.234" port port="5234" protocol="tcp" drop
        rule family="ipv4" source address="122.x.x.234" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="123.x.x.14" port port="10050-10051" protocol="tcp" accept
```
II. Adding firewall rules as a zone file that references a service (e.g. ssh.xml, http.xml)
In firewalld terms the file below is a zone: it carries the source addresses and the services allowed for them. The service itself (its protocol and ports) is defined separately under /usr/lib/firewalld/services/.
```shell
cat /etc/firewalld/zones/ssh.xml
```
```xml
<?xml version='1.0' encoding='utf-8'?>
<zone>
  <short>ssh</short>
  <description>ssh.</description>
  <!-- fortress-new -->
  <source address='122.x.x.2/29'/>
  <service name='ssh'/>
</zone>
```
```shell
firewall-cmd --list-all-zones
...
ssh
  interfaces:
  sources: 122.x.x.2/29
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
```
This works because /usr/lib/firewalld/services/ssh.xml already defines what the ssh service consists of:
```shell
cat /usr/lib/firewalld/services/ssh.xml
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
```
The service file defines the protocol and port(s) the service uses; the zone file only references it by name.
Custom service definition (mongo.xml). The file is shown here under /usr/lib/firewalld/services/, but that directory belongs to the firewalld package and is replaced on upgrade; custom services are better kept in /etc/firewalld/services/, which firewalld reads first and which overrides a same-named file in /usr/lib.
```shell
cat /usr/lib/firewalld/services/mongo.xml
```
```xml
<service>
  <short>mongo</short>
  <description>The service of mongo.</description>
  <port protocol="tcp" port="27017"/>
</service>
```
Zone file binding a source network to that service:
```shell
cat /etc/firewalld/zones/mongo.xml
```
```xml
<zone>
  <short>mongo</short>
  <description>mongo service</description>
  <source address="2.2.2.2/24"/>
  <service name="mongo"/>
</zone>
```
Check that the mongo zone is active:
```shell
firewall-cmd --list-all-zones
...
mongo
  interfaces:
  sources: 2.2.2.2/24
  services: mongo
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
```
Note: firewalld binds each source address to exactly one zone. If the same IP appears as a source in several zone files, only the first zone loaded gets it and the later zones do not match that IP at all; firewall-cmd likewise refuses to add a source that is already bound elsewhere (ZONE_CONFLICT). To give one IP access to several services, create a single zone for that IP and list every service it needs in that zone.
Example: 10.10.86.44 needs ssh, http and mysql at the same time:
```shell
cat multi.xml
```
```xml
<zone>
  <short>multi services</short>
  <description>IP 10.10.86.44 applies to multiple services.</description>
  <source address="10.10.86.44"/>
  <!-- several services in one zone -->
  <service name="ssh"/>
  <service name="mysql"/>
  <service name="http"/>
</zone>
```
```shell
firewall-cmd --list-all-zones
...
multi
  interfaces:
  sources: 10.10.86.44
  services: http mysql ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
```
Summary:
(1) Neither editing the zone files nor adding rules with firewall-cmd --permanent takes effect immediately; restart firewalld or reload the configuration so the new rules are applied. Conversely, a rule added without --permanent is active at once but is discarded by the next reload or restart (firewall-cmd --runtime-to-permanent saves it).
service firewalld restart
firewall-cmd --reload
(2) After changing the firewall, always check firewalld's state and that the rules loaded; a failed load may block every request.
(3) Expressing rules as services referenced from a zone file (as with ssh.xml) keeps them easy to manage. First check whether the service is already defined in /usr/lib/firewalld/services (or /etc/firewalld/services).
(4) A source IP is bound to only one zone: if it appears in several zone files, only the first match applies and the later zones ignore it. To give one IP several services, create a dedicated zone (multi.xml) that lists all of them (ssh/http/mysql, etc.).
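The backup, conflict check, reload and verification steps from points (1), (2) and (4), put together as one guarded procedure. This is an added example, not code from the original post; the backup location /root/firewalld-backups, restoring the tarball on failure, and treating a source bound to two zones as a reason to abort are the example's own assumptions. The helper functions take their directories as parameters so the backup and the conflict check can be run against a scratch copy, and nothing touches the live firewall unless the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): a guarded firewalld change.
# 1. back up /etc/firewalld, 2. refuse if a source address is bound to more than one zone
# (firewalld honours only the first binding), 3. add the port permanently and reload,
# 4. verify the daemon is running and the port is in the runtime config, restoring the
# backup if anything fails. /root/firewalld-backups and the rollback are assumptions.

# Tar SRC (e.g. /etc/firewalld) into DEST/firewalld-<timestamp>.tar.gz and print the path.
backup_firewalld() {
    src=$1 dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    tar -czf "$dest/firewalld-$stamp.tar.gz" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    printf '%s\n' "$dest/firewalld-$stamp.tar.gz"
}

# Print "ADDRESS ZONE" for every <source address=.../> in a zones directory (either quote style).
zone_sources() {
    for f in "$1"/*.xml; do
        [ -f "$f" ] || continue
        zone=$(basename "$f" .xml)
        grep -o "<source[^>]*address=[\"'][^\"']*" "$f" \
            | sed "s/.*address=[\"']//" \
            | while IFS= read -r addr; do printf '%s %s\n' "$addr" "$zone"; done
    done
}

# Return 1 and report on stderr if any address appears in more than one zone file.
check_source_conflicts() {
    dups=$(zone_sources "$1" | sort | awk '
        { zones[$1] = zones[$1] " " $2; n[$1]++ }
        END { for (a in n) if (n[a] > 1) print a ":" zones[a] }')
    if [ -n "$dups" ]; then
        printf 'source bound to more than one zone (only the first is honoured):\n%s\n' "$dups" >&2
        return 1
    fi
}

# Confirm firewalld is running and PORT/PROTO (e.g. 9527/tcp) is open in the runtime default zone.
verify_runtime() {
    state=$(firewall-cmd --state 2>/dev/null) || state="not running"
    [ "$state" = running ] || { echo "firewalld is $state" >&2; return 1; }
    firewall-cmd --query-port="$1" >/dev/null 2>&1 \
        || { echo "$1 is not open in the runtime configuration" >&2; return 1; }
}

# Open PORT/PROTO permanently, with backup, conflict check, reload and post-check.
apply_port() {
    port=$1
    backup=$(backup_firewalld /etc/firewalld /root/firewalld-backups) || return 1
    check_source_conflicts /etc/firewalld/zones || return 1
    firewall-cmd --permanent --add-port="$port" || return 1
    if firewall-cmd --reload && verify_runtime "$port"; then
        echo "applied $port; backup kept at $backup"
    else
        echo "reload or verification failed; restoring $backup" >&2
        # Restores the files that existed at backup time; a zone file created since must be removed by hand.
        tar -xzf "$backup" -C /etc && firewall-cmd --reload
        return 1
    fi
}

# Usage on the host: sh firewalld-safe-change.sh apply 9527/tcp
if [ "${1:-}" = apply ]; then
    apply_port "$2"
fi
```

The conflict check runs before the reload on purpose: firewalld does not fail a reload over a duplicate source, it silently leaves the IP in whichever zone it met first, so the only place to catch the mistake is the files themselves.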
Further reading:
1. CentOS 7 firewall configuration and usage in detail
http://www.centoscn.com/CentOS/Intermediate/2015/0313/4879.html
2. How to use the default firewall "firewall" in CentOS 7.0
http://f.dataguru.cn/thread-473492-1-1.html
3. The big change in CentOS 7: firewalld replaces iptables
http://blog.csdn.net/smstong/article/details/39317277 (translation of the official documentation)
4. The firewall-cmd command in CentOS 7
http://blog.sina.com.cn/s/blog_43b39e250102v4zt.html
5. CentOS 7 firewall configuration and usage in detail
http://www.111cn.net/sys/linux/75503.htm