firewalld

我只是一个虾纸丫 Submitted on 2019-11-30 13:34:31

firewalld:

Disable iptables:

[root@linux ~]# systemctl stop iptables.service 


[root@linux ~]# systemctl disable iptables.service 
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.

Enable firewalld and set it to start at boot:

[root@linux ~]# systemctl start firewalld.service 

[root@linux ~]# systemctl enable firewalld.service 
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

firewalld has 9 zones. Each zone can be thought of as a rule set, and each rule set has different contents; the default zone is public.

List all zones:

[root@linux ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Show the default zone:

[root@linux ~]# firewall-cmd --get-default-zone 
public

Set the default zone:

[root@linux ~]# firewall-cmd --set-default-zone=work
success
[root@linux ~]# firewall-cmd --get-default-zone 
work

Show the zone of a given interface:

[root@linux ~]# firewall-cmd --get-zone-of-interface=ens33
public

An interface that has no zone can be assigned one manually:

[root@linux ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@linux ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@linux ~]# firewall-cmd --get-zone-of-interface=lo
public

Change the zone of a given interface:

[root@linux ~]# firewall-cmd --zone=work --change-interface=lo
success
[root@linux ~]# firewall-cmd --get-zone-of-interface=lo
work

Remove a given interface from its zone:

[root@linux ~]# firewall-cmd --zone=work --remove-interface=lo
success
[root@linux ~]# firewall-cmd --get-zone-of-interface=lo
no zone

Show the zones that all interfaces belong to (the active zones):

[root@linux ~]# firewall-cmd --get-active-zones 
public
  interfaces: ens33

List all services known to firewalld (the predefined services a zone can use):

[root@linux ~]# firewall-cmd --get-services

List the services in the current (default) zone:

[root@linux ~]# firewall-cmd --list-services 
ssh dhcpv6-client

List the services in a given zone:

[root@linux ~]# firewall-cmd --zone=work --list-services 

Add a service to the current zone:

[root@linux ~]# firewall-cmd --add-service=http --permanent 
[root@linux ~]# firewall-cmd --list-services 
ssh dhcpv6-client http

Add a service to a given zone:

[root@linux ~]# firewall-cmd --zone=work --add-service=http --permanent 
success
[root@linux ~]# firewall-cmd --zone=work --list-services 
ssh dhcpv6-client

View a zone's configuration file:

[root@linux ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>   # the http service just added is now shown
</zone>

# When adding a service to a zone, a service added without --permanent lives only in memory and is lost when the firewalld service restarts. For the change to persist, add --permanent; only then is the new service written to the configuration file (and it becomes active after a reload).

Path of the zone configuration templates:

[root@linux zones]# ls /usr/lib/firewalld/zones
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml

Path of the service configuration templates:

cd /usr/lib/firewalld/services/

# Each file in this directory holds the name, protocol and port number of the corresponding service

Case study:

Requirement: define a custom ftp service on port 2121 and allow ftp in the work zone

1. Copy the service template into /etc/firewalld/services/:

[root@linux ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

2. Change the port in the template to 2121:

[root@linux ~]# cat /etc/firewalld/services/ftp.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="2121"/>
  <module name="nf_conntrack_ftp"/>
</service>

3. Copy the work zone template into /etc/firewalld/zones/:

[root@linux ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

4. Add the ftp service to the zone file:

[root@linux ~]# vi /etc/firewalld/zones/work.xml 
[root@linux ~]# cat !$
cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>

5. Reload:

[root@linux ~]# firewall-cmd --reload 
success

6. List the services in the work zone:

[root@linux ~]# firewall-cmd --zone=work --list-services 
ssh dhcpv6-client ftp    
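The case study above works because a service or zone file copied to /etc/firewalld shadows the shipped template of the same name under /usr/lib/firewalld, and the earlier note on --permanent works because the permanent configuration on disk can differ from the runtime state that `firewall-cmd --list-services` reports. The following script is an added example, not code from the original post or from the firewalld project: it resolves a zone's permanent service list to concrete ports using that same /etc-over-/usr/lib precedence, and compares a captured `--list-services` line against the permanent zone file to show what will be lost or will appear at the next reload. All XML is constructed inline (descriptions shortened) in a temporary directory so it runs offline; the directory names, fixture contents and function names are the example's own assumptions.

```python
"""Resolve a firewalld zone's services to ports, honouring the /etc override.

Added example; not code from the original post or from firewalld itself.
The XML fixture below is constructed for the example (descriptions shortened).
Pass the real DEFAULT_DIR / OVERRIDE_DIR to resolve_zone() to inspect a live host.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Shipped templates and the admin's overriding copies (the two paths the post uses).
DEFAULT_DIR = "/usr/lib/firewalld"
OVERRIDE_DIR = "/etc/firewalld"


def load_services(default_dir, override_dir):
    """Map service name -> [(protocol, port), ...]; a file in override_dir wins."""
    services = {}
    for base in (default_dir, override_dir):          # later directory overwrites
        sdir = os.path.join(base, "services")
        if not os.path.isdir(sdir):
            continue
        for fname in sorted(os.listdir(sdir)):
            if fname.endswith(".xml"):
                root = ET.parse(os.path.join(sdir, fname)).getroot()
                services[fname[:-4]] = [
                    (p.get("protocol"), p.get("port")) for p in root.findall("port")
                ]
    return services


def zone_services(default_dir, override_dir, zone):
    """Service names the permanent zone file allows (the /etc copy if present, else the template)."""
    for base in (override_dir, default_dir):
        path = os.path.join(base, "zones", zone + ".xml")
        if os.path.isfile(path):
            root = ET.parse(path).getroot()
            return [s.get("name") for s in root.findall("service")]
    raise FileNotFoundError("no zone file for %r" % zone)


def resolve_zone(default_dir, override_dir, zone):
    """Service name -> ports the zone will open once `firewall-cmd --reload` has run."""
    services = load_services(default_dir, override_dir)
    # A name with no service definition resolves to []; firewalld rejects such a zone on reload.
    return {name: services.get(name, []) for name in zone_services(default_dir, override_dir, zone)}


def runtime_drift(list_services_output, permanent_names):
    """Compare `firewall-cmd --list-services` output with the permanent zone file.

    Returns (only_runtime, only_permanent): the first set disappears at the next
    reload (added without --permanent); the second is not active until a reload
    (added with --permanent but not yet loaded).
    """
    runtime = set(list_services_output.split())
    permanent = set(permanent_names)
    return runtime - permanent, permanent - runtime


def build_fixture():
    """Constructed stand-in for /usr/lib/firewalld and /etc/firewalld (not real system files)."""
    base = tempfile.mkdtemp(prefix="firewalld-example-")
    default_dir = os.path.join(base, "usr-lib")
    override_dir = os.path.join(base, "etc")
    files = {
        # shipped service templates
        (default_dir, "services", "ssh.xml"): '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
        (default_dir, "services", "dhcpv6-client.xml"): '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>',
        (default_dir, "services", "ftp.xml"): '<service><short>FTP</short><port protocol="tcp" port="21"/><module name="nf_conntrack_ftp"/></service>',
        # shipped work zone: ssh and dhcpv6-client only
        (default_dir, "zones", "work.xml"): '<zone><short>Work</short><service name="ssh"/><service name="dhcpv6-client"/></zone>',
        # the admin's copies from the case study: ftp moved to 2121, and work allowing ftp
        (override_dir, "services", "ftp.xml"): '<service><short>FTP</short><port protocol="tcp" port="2121"/><module name="nf_conntrack_ftp"/></service>',
        (override_dir, "zones", "work.xml"): '<zone><short>Work</short><service name="ssh"/><service name="dhcpv6-client"/><service name="ftp"/></zone>',
    }
    for (root, sub, name), xml in files.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + xml + "\n")
    return default_dir, override_dir


if __name__ == "__main__":
    d, o = build_fixture()
    for name, ports in resolve_zone(d, o, "work").items():
        print(name, ports)                      # ftp resolves to tcp/2121, not the shipped 21
    # Before step 5's reload, a live host would still report "ssh dhcpv6-client" for work.
    lost, pending = runtime_drift("ssh dhcpv6-client", zone_services(d, o, "work"))
    print("lost at reload:", lost, "| pending reload:", pending)
```

On a real host, replace the fixture directories with DEFAULT_DIR and OVERRIDE_DIR and feed runtime_drift() the actual output of `firewall-cmd --zone=work --list-services`; a non-empty first set is exactly the situation the --permanent note warns about, and a non-empty second set means a `--reload` is still outstanding.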