The relationship between firewalld and iptables

firewalld does not implement packet filtering itself; like iptables, it relies on the kernel's netfilter. In other words, firewalld and iptables both only maintain rule sets, and it is netfilter in the kernel that actually enforces them; the two differ only in how the rules are structured and in how you work with them.

firewalld configuration layout

firewalld configuration files are mostly XML (the main configuration file firewalld.conf is the exception). They live in two locations:

1. /etc/firewalld/   user configuration files

2. /usr/lib/firewalld/   system configuration files, the shipped defaults

A zone is a set of rules. With so many zones, which zone (which rule set) handles a given request? This question is essential: without an answer, everything else is built on sand, because however well the rules are written, it does no good if you do not know how and where they are applied.

For an incoming request, firewalld selects the zone by three criteria:

1. source, the source address: highest priority

2. interface, the NIC the request arrived on: second priority

3. the default zone configured in firewalld.conf: lowest priority

Priority decreases in that order: if a zone is found by source, the interface is not consulted, and the default zone from firewalld.conf (covered earlier) is used only when neither of the first two matches.
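As an added illustration of that precedence (example code, not from the original post): the bindings below are constructed for the example, and resolve_zone applies the same three-step lookup the text describes, source first, then interface, then the default zone. The longest-prefix tie-break between overlapping source bindings is this example's own choice, not a documented firewalld rule. binding_commands lists the firewall-cmd invocations that would create the same bindings on a real host; it only builds the strings and runs nothing.

```python
import ipaddress

# Constructed bindings for this example (not taken from any real host):
# what you would create with --add-source, --add-interface and --set-default-zone.
SOURCE_BINDINGS = {          # zone bound per source (--zone=Z --add-source=S)
    "10.0.0.0/8": "trusted",
    "10.0.5.0/24": "drop",
    "192.168.1.50": "work",
}
INTERFACE_BINDINGS = {       # zone bound per NIC (--zone=Z --add-interface=I)
    "eth0": "public",
    "eth1": "internal",
}
DEFAULT_ZONE = "public"      # DefaultZone in firewalld.conf


def resolve_zone(src_ip, ifname, sources=SOURCE_BINDINGS,
                 interfaces=INTERFACE_BINDINGS, default=DEFAULT_ZONE):
    """Return (zone, reason) for a packet from src_ip arriving on ifname.

    Precedence follows the text: source binding first, then interface,
    then the default zone.  Among several matching source bindings the
    longest prefix wins; that tie-break is this example's assumption,
    not a documented firewalld guarantee.
    """
    ip = ipaddress.ip_address(src_ip)
    best = None
    for cidr, zone in sources.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, zone)
    if best is not None:
        return best[1], f"source {best[0]}"
    if ifname in interfaces:
        return interfaces[ifname], f"interface {ifname}"
    return default, "default zone"


def binding_commands(sources=SOURCE_BINDINGS, interfaces=INTERFACE_BINDINGS,
                     default=DEFAULT_ZONE):
    """firewall-cmd lines that would reproduce the bindings above (permanent, then reload)."""
    cmds = [f"firewall-cmd --permanent --zone={z} --add-source={s}"
            for s, z in sources.items()]
    cmds += [f"firewall-cmd --permanent --zone={z} --add-interface={i}"
             for i, z in interfaces.items()]
    cmds.append(f"firewall-cmd --set-default-zone={default}")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    for ip, iface in [("10.0.5.7", "eth1"), ("10.9.9.9", "eth1"),
                      ("172.16.0.1", "eth1"), ("172.16.0.1", "wlan0")]:
        print(ip, iface, "->", resolve_zone(ip, iface))
    print("\n".join(binding_commands()))
```

The practical lesson is the one the text makes: a source binding silently overrides whatever zone the interface is in, so when a host behaves differently from the rest of its NIC's zone, check --list-sources (and --get-zone-of-source) before debugging the interface zone.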

Installing, starting, stopping and disabling firewalld

As root: # yum install firewalld

Start:   # systemctl start firewalld
Status:  # systemctl status firewalld   or   firewall-cmd --state
Stop:    # systemctl stop firewalld
Disable: # systemctl disable firewalld

Configuring firewalld
Show version:   $ firewall-cmd --version
Show help:      $ firewall-cmd --help
Query settings:
Show state:                       $ firewall-cmd --state
Show active zones:                $ firewall-cmd --get-active-zones
Show the zone of an interface:    $ firewall-cmd --get-zone-of-interface=eth0
Drop all packets (panic mode):    # firewall-cmd --panic-on
Leave panic mode:                 # firewall-cmd --panic-off
Query panic mode:                 $ firewall-cmd --query-panic

Reload firewall rules: # firewall-cmd --reload
                       # firewall-cmd --complete-reload
The difference: the first does not break existing connections (dynamic rule updates are one of firewalld's features); the second drops connection state, much like restarting the service.

Add an interface to a zone (interfaces are in public by default):
# firewall-cmd --zone=public --add-interface=eth0
To make it permanent, add --permanent and then reload the firewall.

Set the default zone:
# firewall-cmd --set-default-zone=public
Takes effect immediately; no restart needed.

Opening ports (probably the most common operation)
List the ports opened in a zone:
# firewall-cmd --zone=dmz --list-ports
Add a port to a zone:
# firewall-cmd --zone=dmz --add-port=8080/tcp
To make it permanent, same as above.

Opening a service is like giving a port a readable name. Services are defined in configuration files: the services directory under /etc/firewalld holds them. Not covered in detail here; see the documentation.
# firewall-cmd --zone=work --add-service=smtp

Remove a service:
# firewall-cmd --zone=work --remove-service=smtp

Test: [root@iotApp&iagri-44 ~]# echo "hello felix" |nc -l 6666

From a remote host: telnet iotApp&iagri-44 6666   returns:

Connected to iotApp&iagri-44
Escape character is '^]'.
hello felix
Connection closed by foreign host.

The format or structure of the rich rule commands is as follows:

rule [family="rule family"]
[ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
[ destination [NOT] address="address" ]
[ element ]
[ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
[ audit ]
[ action ]

Elements:

The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block, forward-port, and source-port.

service name=service_name
port port=number_or_range protocol=protocol
protocol value=protocol_name_or_ID
icmp-block name=icmptype_name
forward-port port=number_or_range protocol=protocol /
to-port=number_or_range to-addr=address
source-port port=number_or_range protocol=protocol
log [prefix=prefix text] [level=log level] limit value=rate/duration

action:
accept | reject [type=reject type] | drop | mark set="mark[/mask]"

Using the Rich Rule Log Command, Example 3:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

Using the Rich Rule Log Command, Example 4:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept

[root@iotApp&iagri-44 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/16 accept' --permanent
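Added example, not part of the original page: a small parser and checker for the rich rule grammar quoted above, run on the page's own Example 3 and Example 4 strings and on the source address=0.0.0.0/16 rule. Nothing here calls firewalld; it inspects the string before it is handed to --add-rich-rule. The structural checks (one element per rule, an action is required, a source or destination address needs a family and must match it, log limit written as rate/duration with s, m, h or d) follow the grammar; the dict layout, LIMIT_RE and the function names are this example's own.

```python
import ipaddress
import re
import shlex

# Keywords from the rich rule grammar quoted above.
ELEMENT_TYPES = {"service", "port", "protocol", "masquerade",
                 "icmp-block", "forward-port", "source-port"}
ACTIONS = {"accept", "reject", "drop", "mark"}
LIMIT_RE = re.compile(r"^\d+/[smhd]$")   # rate/duration, e.g. 1/m (example's own check)


def _kv(tok):
    key, sep, val = tok.partition("=")
    if not sep or not key:
        raise ValueError(f"expected key=value, got {tok!r}")
    return key, val


def parse_rich_rule(text):
    """Parse one rich rule string into a dict; raise ValueError on malformed input."""
    toks = shlex.split(text)          # strips the quotes around values
    if not toks or toks[0] != "rule":
        raise ValueError("a rich rule must start with the keyword 'rule'")
    rule = {"family": None, "source": None, "destination": None,
            "element": None, "log": None, "audit": False, "action": None}
    i, n = 1, len(toks)

    def attrs():                      # consume the key=value tokens after a keyword
        nonlocal i
        out = {}
        while i < n and "=" in toks[i]:
            k, v = _kv(toks[i])
            out[k] = v
            i += 1
        return out

    while i < n:
        tok = toks[i]
        if tok.startswith("family="):
            rule["family"] = _kv(tok)[1]
            i += 1
        elif tok in ("source", "destination"):
            i += 1
            invert = i < n and toks[i] == "NOT"
            if invert:
                i += 1
            rule[tok] = {"invert": invert, **attrs()}
        elif tok in ELEMENT_TYPES:
            if rule["element"] is not None:
                raise ValueError("a rich rule may contain only one element")
            i += 1
            rule["element"] = {"type": tok, **attrs()}
        elif tok == "log":
            i += 1
            log = attrs()
            if i < n and toks[i] == "limit":   # 'limit value=rate/duration' belongs to log
                i += 1
                log["limit"] = attrs().get("value")
            rule["log"] = log
        elif tok == "audit":
            rule["audit"] = True
            i += 1
        elif tok in ACTIONS:
            i += 1
            rule["action"] = {"type": tok, **attrs()}
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if rule["action"] is None:
        raise ValueError("a rich rule needs an action (accept, reject, drop or mark)")
    return rule


def check_rich_rule(rule):
    """Return a list of problems to fix before loading the parsed rule."""
    problems = []
    for side in ("source", "destination"):
        addr = (rule[side] or {}).get("address")
        if addr is None:
            continue
        try:
            version = ipaddress.ip_network(addr, strict=False).version
        except ValueError:
            problems.append(f"{side} address {addr!r} is not a valid IP address or network")
            continue
        if rule["family"] is None:
            problems.append(f"{side} address given but no family: use family=ipv{version}")
        elif rule["family"] != f"ipv{version}":
            problems.append(f"{side} address {addr} is IPv{version} but family is {rule['family']}")
    log = rule["log"]
    if log and log.get("limit") is not None and not LIMIT_RE.match(log["limit"]):
        problems.append(f"log limit {log['limit']!r} is not rate/duration with s, m, h or d")
    return problems


if __name__ == "__main__":
    for text in ['rule family="ipv4" source address="192.168.0.0/24" service name="tftp" '
                 'log prefix="tftp" level="info" limit value="1/m" accept',
                 'rule family=ipv4 source address=0.0.0.0/16 accept']:
        parsed = parse_rich_rule(text)
        print(parsed, check_rich_rule(parsed) or "ok")
```

Running the parser over the rules you are about to add (or over --list-rich-rules output) catches the quiet mistakes that firewalld would otherwise reject at load time, or worse, accept with a different meaning than intended, such as an IPv6 source under family="ipv4".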



[root@iotApp&iagri-44 ~]# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and loose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Permanent Options
  --permanent          Set an option permanently
                       Usable for options maked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]
                       Print name of the zone the source[/mask] is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options maked with [Z]
  --get-target         Get the zone target [P] [Z]
  --set-target=<target>
                       Set the zone target [P] [Z]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --delete-icmptype=<icmptype>
                       Delete and existing icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --delete-service=<service>
                       Delete and existing service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options maked with [T]
  --add-service=<service>
                       Add a service for a zone [P] [Z] [T]
  --remove-service=<service>
                       Remove a service from a zone [P] [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone
                       [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for
                       a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                       zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been
                       added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]
                       Bind <source>[/<mask>] to a zone [P] [Z]
  --change-source=<source>[/<mask>]
                       Change zone the <source>[/<mask>] is bound to [Z]
  --query-source=<source>[/<mask>]
                       Query whether <source>[/<mask>] is bound to a zone
                       [P] [Z]
  --remove-source=<source>[/<mask>]
                       Remove binding of <source>[/<mask>] from a zone [P] [Z]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to
                       chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the tracked passthrough rule has been
                       added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled
