本章主要介绍RHEL8中的firewalld的配置。注意:下文所有firewall-cmd命令均未加--permanent,修改的是运行时配置,firewalld重载或系统重启后即失效。
[root@node01 ~]# firewall-cmd --get-default-zone
public
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --get-zones
block dmz drop external home internal libvirt nm-shared public trusted work
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --get-default-zone
public
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --set-default-zone=trusted
success
[root@node01 ~]# firewall-cmd --get-default-zone
trusted
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --set-default-zone=public
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --get-zone-of-interface=ens160
public
[root@node01 ~]#
firewall-cmd --add-interface=网卡名称 --zone=zone名
[root@node01 ~]# firewall-cmd --add-interface=ens160 --zone=home
Error: ZONE_CONFLICT: 'ens160' already bound to a zone
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --remove-interface=ens160 --zone=public
success
[root@node01 ~]# firewall-cmd --get-zone-of-interface=ens160
no zone
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-interface=ens160 --zone=home
success
[root@node01 ~]# firewall-cmd --get-zone-of-interface=ens160
home
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --change-interface=ens160 --zone=public
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --get-zone-of-interface=ens160
public
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client mountd nfs rpc-bind ssh
ports: 123/udp 323/udp 20-21/tcp 10010-10020/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@node01 ~]#
一共有多少种类型的icmp包,可以通过“firewall-cmd --get-icmptypes”来查看。
[root@node01 ~]# tcpdump -i ens160 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
[root@node03 ~]# ping 192.168.182.200
PING 192.168.182.200 (192.168.182.200) 56(84) bytes of data.
64 bytes from 192.168.182.200: icmp_seq=1 ttl=64 time=0.321 ms
64 bytes from 192.168.182.200: icmp_seq=2 ttl=64 time=0.611 ms
64 bytes from 192.168.182.200: icmp_seq=3 ttl=64 time=0.488 ms
[root@node01 ~]# tcpdump -i ens160 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
11:58:33.122650 IP 192.168.182.193 > node01: ICMP echo request, id 2179, seq 1, length 64
11:58:33.122758 IP node01 > 192.168.182.193: ICMP echo reply, id 2179, seq 1, length 64
11:58:34.141822 IP 192.168.182.193 > node01: ICMP echo request, id 2179, seq 2, length 64
11:58:34.141877 IP node01 > 192.168.182.193: ICMP echo reply, id 2179, seq 2, length 64
^C
58 packets captured
68 packets received by filter
8 packets dropped by kernel
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-icmp-block=echo-request //拒绝请求
success
[root@node01 ~]# firewall-cmd --list-all //查看是否添加成功
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client mountd nfs rpc-bind ssh
ports: 123/udp 323/udp 20-21/tcp 10010-10020/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-request //已经添加
rich rules:
[root@node01 ~]#
[root@node03 ~]# ping 192.168.182.200 -c2
PING 192.168.182.200 (192.168.182.200) 56(84) bytes of data.
From 192.168.182.200 icmp_seq=1 Packet filtered
From 192.168.182.200 icmp_seq=2 Packet filtered
--- 192.168.182.200 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1061ms
[root@node03 ~]#
[root@node01 ~]# firewall-cmd --remove-icmp-block=echo-request
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@node01 ~]#
firewall-cmd --query-service=服务名称
[root@node01 ~]# firewall-cmd --get-services
[root@node01 ~]# firewall-cmd --query-service=http
no
[root@node01 ~]#
[root@node01 ~]# systemctl start httpd //启动http服务
[root@node01 ~]# echo "hello ls" > /var/www/html/index.html //把hello ls重定向导入网页文件内
[root@node01 ~]# cat /var/www/html/index.html //查看文件内容
hello ls
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-service=http
success
[root@node01 ~]# firewall-cmd --query-service=http
yes
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --remove-service=http
success
[root@node01 ~]# firewall-cmd --query-service=http
no
[root@node01 ~]#
[root@node01 ~]# setenforce 0 //临时将SELinux切换为宽容模式(仅对当前运行生效,重启后恢复),后面用setenforce 1改回强制模式
[root@node01 ~]# getenforce
Permissive
[root@node01 ~]#
[root@node01 ~]# sed -i '/^Listen/cListen 8080' /etc/httpd/conf/httpd.conf
[root@node01 ~]# firewall-cmd --add-service=http
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --remove-service=http
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-port=1000-2000/tcp
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-port=8080/tcp
success
[root@node01 ~]# firewall-cmd --query-port=8080/tcp
yes
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --remove-port=8080/tcp
success
[root@node01 ~]# firewall-cmd --query-port=8080/tcp
no
[root@node01 ~]#
[root@node01 ~]# setenforce 1
[root@node01 ~]# getenforce
Enforcing
[root@node01 ~]#
[root@node01 ~]# sed -i '/^Listen/cListen 80' /etc/httpd/conf/httpd.conf
[root@node01 ~]# systemctl restart httpd
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=源网段 service name=服务名 accept'
这里用单引号或双引号均可,先查看现在是否有富规则。
[root@node01 ~]# firewall-cmd --list-rich-rules
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --query-service=http
no
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=192.168.182.1 service name=http accept"
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.182.1" service name="http" accept
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --remove-rich-rule="rule family=ipv4 source address=192.168.182.1 service name=http accept"
success
[root@node01 ~]#
[root@node01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=源网段 port port=M-N protocol=协议 accept'