本文主要是介绍防火墙策略之firewall,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
1.关闭iptables并打开firewalld
[root@localhost ~]# systemctl stop iptables ##停止iptables
[root@localhost ~]# systemctl mask iptables ##冻结iptables不再启用ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since 五 2017-06-02 21:03:09 EDT; 15min ago
Main PID: 481 (firewalld)
CGroup: /system.slice/firewalld.service
└─481 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
6月 02 21:03:09 localhost systemd[1]: Started firewalld - dynamic firewall...n.
6月 02 21:18:02 localhost systemd[1]: Started firewalld - dynamic firewall...n.
Hint: Some lines were ellipsized, use -l to show in full.
2.firewalld常用命令
running
[root@localhost ~]# firewall-cmd --get-active-zones ##查看当前活动区域
ROL
sources: 172.25.0.252/32
public
interfaces: eth0
[root@localhost ~]# firewall-cmd --get-default-zone ##查看默认区域
public
[root@localhost ~]# firewall-cmd --get-zones ##查看所有可用区域
ROL block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --zone=public --list-all ##列出指定域的所有设置
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --get-services ##列出所有预设服务
***这样将列出 /usr/lib/firewalld/services/ 中的服务器名称。注意:配置文件是以服务本身命名的service-name. xml***
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@localhost ~]# firewall-cmd --set-default-zone=trusted
success
[root@localhost ~]# firewall-cmd --list-all
trusted (default, active)
interfaces: eth0 eth1
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# vim /etc/yum.repos.d/rhel_dvd.repo
[root@localhost ~]# yum clean all
Loaded plugins: langpacks
Cleaning repos: rhel_dvd
Cleaning up everything
[root@localhost ~]# yum install httpd
[root@localhost ~]# systemctl restart httpd
****测试端用浏览器访问172.25.254.140****
[root@localhost ~]# firewall-cmd --set-default-zone=public
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --zone=public --remove-interface=eth0 ##将eth0网卡从public域移除
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --zone=trusted --add-interface=eth0 ##将eth0网卡添加到trusted域
success
****测试端浏览器不能访问172.25.255.140,但可以访问172.25.40.10****
[root@desktop ~]# firewall-cmd --add-masquerade
[root@desktop ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
[root@desktop ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.40.140 masquerade'
success
[root@desktop ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.40.140" masquerade
这篇关于防火墙策略之firewall的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!