转载:https://blog.csdn.net/xlgen157387/article/details/52672988

一、firewall介绍

CentOS 7中防火墙是一个非常的强大的功能,在CentOS 6.5中在iptables防火墙中进行了升级了。

1、官方介绍

The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.

2、什么是区域Zone:

网络区域定义了网络连接的可信等级。这是一个 一对多的关系,这意味着一次连接可以仅仅是一个区域的一部分,而一个区域可以用于很多连接。

3、哪个区域可用?

由firewalld 提供的区域按照从不信任到信任的顺序排序。

4、区域的分类?

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.

The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:

drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block
Any incoming network connections are rejected with an
icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
Only network connections initiated from within the system are possible.

public
For use in public areas. You do not trust the other computers on the
network to not harm your computer. Only selected incoming connections
are accepted.

external
For use on external networks with masquerading enabled especially for
routers. You do not trust the other computers on the network to not harm
your computer. Only selected incoming connections are accepted.

dmz
For computers in your demilitarized zone that are publicly-accessible
with limited access to your internal network. Only selected incoming
connections are accepted.

work
For use in work areas. You mostly trust the other computers on networks
to not harm your computer. Only selected incoming connections are
accepted.

home
For use in home areas. You mostly trust the other computers on networks
to not harm your computer. Only selected incoming connections are
accepted.

internal
For use on internal networks. You mostly trust the other computers on
the networks to not harm your computer. Only selected incoming
connections are accepted.

trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone.
When interface connections are added to NetworkManager, they are
assigned to the default zone. On installation, the default zone in
firewalld is set to be the public zone.

注:具体内容,请参见官方文档介绍!

二、firewall配置

The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/.

This allows a great deal of flexibility as the files can be edited,
written to, backed up, used as templates for other installations and so
on.

注意:以下firewalld 的操作只有重启之后才有效:service firewalld restart 重启

1、系统配置目录

/usr/lib/firewalld/services

目录中存放定义好的网络服务和端口参数,系统参数,不能修改。

2、用户配置目录

/etc/firewalld/

3、如何自定义添加端口

用户可以通过修改配置文件的方式添加端口,也可以通过命令的方式添加端口,注意,修改的内容会在/etc/firewalld/ 目录下的配置文件中还体现。

  • 3.1、命令的方式添加端口
firewall-cmd --permanent --add-port=9527/tcp 

参数介绍:

1、firewall-cmd:是Linux提供的操作firewall的一个工具;
2、--permanent:表示设置为持久;
3、--add-port:标识添加的端口;

另外,firewall中有Zone的概念,可以将具体的端口制定到具体的zone配置文件中。

例如:添加8010端口

firewall-cmd --zone=public --permanent --add-port=8010/tcp

--zone=public:指定的zone为public;

添加结果如下:

如果–zone=dmz 这样设置的话,会在dmz.xml文件中新增一条。

3.2、修改配置文件的方式添加端口

<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas.</description>
<rule family="ipv4">
<source address="122.10.70.234"/>
<port protocol="udp" port="514"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="123.60.255.14"/>
<port protocol="tcp" port="10050-10051"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.249.87.114"/> 放通指定ip,指定端口、协议
<port protocol="tcp" port="80"/>
<accept/>
</rule>
<rule family="ipv4"> 放通任意ip访问服务器的9527端口
<port protocol="tcp" port="9527"/>
<accept/>
</rule>
</zone>
 

上述的一个配置文件可以很好的看出:

1、添加需要的规则,开放通源ip为122.10.70.234,端口514,协议tcp;
2、开放通源ip为123.60.255.14,端口10050-10051,协议tcp;/3、开放通源ip为任意,端口9527,协议tcp;

三、firewall常用命令

1、重启、关闭、开启firewalld.service服务

service firewalld restart 重启
service firewalld start 开启
service firewalld stop 关闭

2、查看firewall服务状态

systemctl status firewall 

3、查看firewall的状态

firewall-cmd --state

4、查看防火墙规则

firewall-cmd --list-all 

四、CentOS切换为iptables防火墙

切换到iptables首先应该关掉默认的firewalld,然后安装iptables服务。

1、关闭firewall:

service firewalld stop
systemctl disable firewalld.service #禁止firewall开机启动

2、安装iptables防火墙

yum install iptables-services #安装

3、编辑iptables防火墙配置

vi /etc/sysconfig/iptables #编辑防火墙配置文件

下边是一个完整的配置文件:

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

:wq! #保存退出

service iptables start #开启
systemctl enable iptables.service #设置防火墙开机启动
 

CentOS 7.4中firewall防火墙详解和配置以及切换为iptables防火墙的更多相关文章

  1. CentOS 7中firewall防火墙详解和配置以及切换为iptables防火墙

    官方文档介绍地址: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Gui ...

  2. CentOS 7中firewall防火墙详解和配置以及切换为iptables防火墙--转载

    最近在linux(这里用到的是Centos7的64位版本)安装nginx时,在开放80端口时用iptables设置端口 和重启服务发现提示未找到文件,在网络上收集查找后发现在Centos7中iptab ...

  3. CentOS7中firewall防火墙详解和配置,.xml服务配置详解

    修改防火墙配置文件之前,需要对之前防火墙做好备份 重启防火墙后,需要确认防火墙状态和防火墙规则是否加载,若重启失败或规则加载失败,则所有请求都会被防火墙 1. firewall-cmd --state ...

  4. Linux(centos)系统各个目录的作用详解

    Linux(centos)系统各个目录的作用详解 文件系统的类型 LINUX有四种基本文件系统类型:普通文件.目录文件.连接文件和特殊文件,可用file命令来识别. 普通文件:如文本文件.C语言元代码 ...

  5. virtualbox centos安装增强工具和问题详解

    virtualbox centos安装增强工具和问题详解 VirtualBox 大家都习惯性把它简称为 Vbox ,比 VM 的体积小.开源.速 度快.不过在使用 VirtualBox 在虚拟机中安装 ...

  6. php中关于引用(&)详解

    php中关于引用(&)详解 php的引用(就是在变量或者函数.对象等前面加上&符号) 在PHP 中引用的意思是:不同的变量名访问同一个变量内容. 与C语言中的指针是有差别的.C语言中的 ...

  7. JavaScript正则表达式详解(二)JavaScript中正则表达式函数详解

    二.JavaScript中正则表达式函数详解(exec, test, match, replace, search, split) 1.使用正则表达式的方法去匹配查找字符串 1.1. exec方法详解 ...

  8. AngularJS select中ngOptions用法详解

    AngularJS select中ngOptions用法详解   一.用法 ngOption针对不同类型的数据源有不同的用法,主要体现在数组和对象上. 数组: label for value in a ...

  9. 【转载】C/C++中extern关键字详解

    1 基本解释:extern可以置于变量或者函数前,以标示变量或者函数的定义在别的文件中,提示编译器遇到此变量和函数时在其他模块中寻找其定义.此外extern也可用来进行链接指定. 也就是说extern ...

随机推荐

  1. Codeforces Round #357 (Div. 2) 优先队列+模拟

    C. Heap Operations time limit per test 1 second memory limit per test 256 megabytes input standard i ...

  2. web.config文件配置解决网站上传大文件限制

    Asp.Net网站对上传文件的大小,请求执行的时间都做了限制,上传的文件如果超过限制或者执行上传时间超出, 文件上传都将失败. 因此,需要配置web.config来增加最大文件上传的大小和执行超时时间 ...

  3. gulp+es6构建页面

    遇到的问题: 1.es6如何使用,定义一个demo.js //demo.js export default class demo { // 构造函数 constructor(){ //在构造函数中调用 ...

  4. mongodb安装、运行

    1.下载安装: 切换到:/usr/local/ mkdir -p mongodb groupadd -g 800 mongodb useradd -u 801 -g mongodb mongodb c ...

  5. 搭建selenium + Python环境的总结:

    安装Python+Selenium 写博客是一个不错的选择,首先,是担心自己忘掉,其次,可以供大家做一个参考: 其实,这是自己第一次搭建Python环境(之前用了一周的Idle),还是比较容易的吧: ...

  6. How to find per-process I/O statistics on Linux

    以下转自http://www.xaprb.com/blog/2009/08/23/how-to-find-per-process-io-statistics-on-linux/ Newer Linux ...

  7. (新)自己动手写ORM框架(1)-增删查改的使用

    之前写过一个系列文章自己动手写ORM框架,经过在多个项目的中的使用,对这套代码进行了许多改进,下面是使用方法: 新增学员信息代码预览: DBHelper db = DBHelper.getInstan ...

  8. Git 的origin和master分析(转)

    转:http://lishicongli.blog.163.com/blog/static/1468259020132125247302/ 首先要明确一点,对git的操作是围绕3个大的步骤来展开的(其 ...

  9. BOM-event事件

    添加事件监听 <button id="btnShoot">shoot</button><br> <button id="btnA ...

  10. Nginx+keepalived 脚本安装主从双机热备自动切换解决方案

    Nginx+keepalived 脚本安装主从双机热备自动切换解决方案 2013-07-02 19:24:13 标签:filesnginx keepalived 原创作品,允许转载,转载时请务必以超链 ...