firewall-config是firewalld防火牆管理工具的GUI(圖形用戶界面)版本,幾乎可以實現所有以命令行來執行的操作(linux就該這么學p164)。
firewall-config的界面如下圖(在終端直接運行firewall-config即彈出),其功能如下:
1:選擇運行時(Runtime)和永久(Permanent)模式的配置
2:可選的策略集合區域的列表
3:常用的系統服務列表
4:當前正在使用的區域
5:管理當前被選中區域中的服務
6:管理當前被選中區域中的端口
7:開啟或關閉SNAT(源地址轉換協議)技術
8:設置端口轉發策略
9:控制請求icmp服務的流量
10:管理防火牆的富規則
11:管理網卡設備
12:被選中區域的服務
13:firewall-config工具的運行狀態
1、查看當前firewalld服務所使用的區域
[root@linuxprobe ~]# firewall-config
2、切換firewalld服務所使用的區域
切換至external:
切換至public:
3、把在firewalld服務中訪問8080和8081端口的流量策略設置為允許,僅當前有效
查看設置前的端口列表:
[root@linuxprobe ~]# firewall-cmd --zone=public --list-ports [root@linuxprobe ~]#
增加端口:
查看效果:
[root@linuxprobe ~]# firewall-cmd --zone=public --list-ports 8080-8081/tcp
4、查詢public區域是否允許請求ssh和https協議的流量,並進行設置:
使用firewall-cmd命令行查詢:
[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=ssh yes [root@linuxprobe ~]# firewall-cmd --zone=public --query-service=https no
使用firewall-config圖形用戶界面查詢:
利用圖形界面工具將https協議的流量在public區域設置為允許並利用命令行測試:
[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=https yes
5、把firewalld服務中請求https協議設置為永久拒絕,並立即生效:
查看當前狀態:
[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=https yes
設置為永久拒絕:
測試:
[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=https yes
立即生效:
測試:
[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=https no
6、利用圖形用戶界面將原本訪問本機888端口的流量轉發到22端口
測試設置前效果:
[root@linuxprobe ~]# ifconfig | head -n 5 ## 查看當前主機IP eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.13 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::20c:29ff:feab:7b00 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ab:7b:00 txqueuelen 1000 (Ethernet) RX packets 553 bytes 52426 (51.1 KiB) [root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一台主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.14 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::d7fe:9dfc:42ec:c255 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ef:86:f2 txqueuelen 1000 (Ethernet) RX packets 2531 bytes 3395800 (3.2 MiB) [root@linuxprobe ~]# ssh -p 888 192.168.3.13 ## 測試遠程連接服務 ssh: connect to host 192.168.3.13 port 888: No route to host
利用圖形用戶界面設置:
測試效果:
[root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一台主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.14 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::d7fe:9dfc:42ec:c255 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ef:86:f2 txqueuelen 1000 (Ethernet) RX packets 2621 bytes 3403906 (3.2 MiB) [root@linuxprobe ~]# ssh -p 888 192.168.3.13 ## 遠程測試,通過 The authenticity of host '[192.168.3.13]:888 ([192.168.3.13]:888)' can't be established.
ECDSA key fingerprint is SHA256:K5A4gXWj7saZdeIJ7CpMozT2rSvDBbcA2iJEoqtCx+c. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[192.168.3.13]:888' (ECDSA) to the list of known hosts. root@192.168.3.13's password:
Last login: Sat Oct 31 18:00:24 2020 from 192.168.3.4
7、利用圖形用戶界面的富規則設置拒絕192.168.3.0/24所有用戶訪問本機22端口(ssh服務)
測試設置前效果:
[root@linuxprobe ~]# ifconfig | head -n 5 ## 查看本機IP eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.13 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::20c:29ff:feab:7b00 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ab:7b:00 txqueuelen 1000 (Ethernet) RX packets 792 bytes 76004 (74.2 KiB) [root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.14 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::d7fe:9dfc:42ec:c255 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ef:86:f2 txqueuelen 1000 (Ethernet) RX packets 3139 bytes 3459666 (3.2 MiB) [root@linuxprobe ~]# ssh 192.168.3.13 ## 測試遠程控制,通過 root@192.168.3.13's password:
Last login: Sat Oct 31 18:44:29 2020 from 192.168.3.4 [root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.8 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::54f8:bbf7:7760:3745 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:8d:79:f8 txqueuelen 1000 (Ethernet) RX packets 73 bytes 12740 (12.4 KiB) [root@linuxprobe ~]# ssh 192.168.3.13 ## 測試遠程控制,通過 root@192.168.3.13's password:
Last login: Sat Oct 31 18:44:40 2020 from 192.168.3.14
使用圖形用戶界面設置:
測試設置效果:
[root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一台主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.14 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::d7fe:9dfc:42ec:c255 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ef:86:f2 txqueuelen 1000 (Ethernet) RX packets 3372 bytes 3485851 (3.3 MiB) [root@linuxprobe ~]# ssh 192.168.3.13 ## 測試遠程連接 ssh: connect to host 192.168.3.13 port 22: No route to host [root@linuxprobe ~]# ifconfig |head -n 5 ## 登錄另一台主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.8 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::54f8:bbf7:7760:3745 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:8d:79:f8 txqueuelen 1000 (Ethernet) RX packets 299 bytes 35971 (35.1 KiB) [root@linuxprobe ~]# ssh 192.168.3.13 ## 測試遠程連接 ssh: connect to host 192.168.3.13 port 22: No route to host
刪除該設置進行測試:
測試:
[root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.14 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::d7fe:9dfc:42ec:c255 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ef:86:f2 txqueuelen 1000 (Ethernet) RX packets 427 bytes 61356 (59.9 KiB) [root@linuxprobe ~]# ssh 192.168.3.13 ## 遠程測試,通過 root@192.168.3.13's password:
Last login: Sat Oct 31 19:13:11 2020 from 192.168.3.14 [root@linuxprobe ~]# ifconfig | head -n 5 ## 登錄另一主機,查看IP ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.8 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::54f8:bbf7:7760:3745 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:8d:79:f8 txqueuelen 1000 (Ethernet) RX packets 594 bytes 68784 (67.1 KiB) [root@linuxprobe ~]# ssh 192.168.3.13 ## 遠程測試,通過 root@192.168.3.13's password:
Last login: Sat Oct 31 19:13:41 2020 from 192.168.3.14