镜缘浮影 小人本住在 苏州的城外 家里有屋又有田 生活乐无边

Firewalld 3

2018-07-17
wilmosfang
原文地址 http://soft.dog/2018/07/17/firewalld-03/

前言

Firewalld 是一个本地的网络策略管理软件,与 iptables 启相同的作用

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly

RHEL7/Centos7 开始,系统默认的防火墙软件从 iptables 替换成了 firewalld

这的确是一个不小的变化,从而让很多以前熟悉 iptables 的运维小伙伴一下子变得无所适从

相对于 iptables, firewalld 的确有一些更先进的管理理念,不过也在挑战传统的运维体验

这里就 firewalld 的简单实例进行一个讲解

参考 A service daemon with D-Bus interfaceUSING FIREWALLS

Documentation

Tip: 当前最新的版本为 firewalld 0.6.0 release


操作

系统环境

[root@ds1 ~]# hostnamectl 
   Static hostname: ds1
         Icon name: computer-vm
           Chassis: vm
        Machine ID: fce1d1d9ca0345dca5e300f4ee8f6b0a
           Boot ID: bcec9e257f154e0d9f0191c13ce7c1d9
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.2.3.el7.x86_64
      Architecture: x86-64
[root@ds1 ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:c9:c7:04 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 74709sec preferred_lft 74709sec
    inet6 fe80::5054:ff:fec9:c704/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:fc:bf:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.181/24 brd 192.168.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fefc:bf30/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b3:ae:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.181/24 brd 192.168.56.255 scope global noprefixroute eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:feb3:ae0b/64 scope link 
       valid_lft forever preferred_lft forever
[root@ds1 ~]# 

停止服务

[root@ds1 ~]# systemctl stop firewalld.service 
[root@ds1 ~]# 

启动服务

[root@ds1 ~]# systemctl start firewalld.service 
[root@ds1 ~]# 

查看状态

[root@ds1 ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-07-17 16:00:21 UTC; 22s ago
     Docs: man:firewalld(1)
 Main PID: 4962 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─4962 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jul 17 16:00:21 ds1 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 17 16:00:21 ds1 systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ds1 ~]# 

也可以通过命令看

[root@ds1 ~]# firewall-cmd --state
running
[root@ds1 ~]# 

查看 zone

[root@ds1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@ds1 ~]# 

查看 default zone

[root@ds1 ~]# firewall-cmd --get-default-zone 
public
[root@ds1 ~]# 

查看 active zone

[root@ds1 ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0 eth1 eth2
[root@ds1 ~]# 

设置 default zone

[root@ds1 ~]# firewall-cmd --set-default-zone=trusted 
success
[root@ds1 ~]# firewall-cmd --get-default-zone 
trusted
[root@ds1 ~]# 

获取接口 zone

[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth2
trusted
[root@ds1 ~]# 

查看 zone 配置

[root@ds1 ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

调整接口所在的 zone

[root@ds1 ~]# firewall-cmd --zone=internal --change-interface=eth2
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth2
internal
[root@ds1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
NM_CONTROLLED=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.56.181
NETMASK=255.255.255.0
DEVICE=eth2
PEERDNS=no
#VAGRANT-END
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth2"
UUID=3a73717e-65ab-93e8-b518-24f5af32dc0d
ZONE=internal
[root@ds1 ~]# 

获取 service

[root@ds1 ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@ds1 ~]#

添加 ssh 服务

[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 
[root@ds1 ~]# firewall-cmd --add-service=ssh 
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

删除 ssh 服务

[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --remove-service=ssh 
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

设定规则超时时间

[root@ds1 ~]# firewall-cmd --add-service=ssh --timeout=600
success
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

600s 后这条规则会自动被清除

[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

指定 zone 添加服务

[root@ds1 ~]# firewall-cmd --list-all --zone=internal 
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --add-service=http --zone=internal 
success
[root@ds1 ~]# 
[root@ds1 ~]# firewall-cmd --list-all --zone=internal 
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client http
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

打开端口

[root@ds1 ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
[root@ds1 ~]# firewall-cmd --zone=internal --list-all
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client http
  ports: 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

端口转发

[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth1
trusted
[root@ds1 ~]# firewall-cmd --zone=public --change-interface=eth1
The interface is under control of NetworkManager, setting zone to 'public'.
success
[root@ds1 ~]# firewall-cmd --get-zone-of-interface=eth1
public
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 
[root@ds1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
NM_CONTROLLED=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.181
NETMASK=255.255.255.0
DEVICE=eth1
PEERDNS=no
#VAGRANT-END
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth1"
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
ZONE=public
[root@ds1 ~]# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80
success
[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# curl localhost:80
ds1
[root@ds1 ~]# curl localhost:8888
curl: (7) Failed connect to localhost:8888; Connection refused
[root@ds1 ~]# 

这个时候,从外面访问

wilmos@Nothing:~$ curl 192.168.1.181:8888
ds1
wilmos@Nothing:~$ 
wilmos@Nothing:~$ curl 192.168.1.181:80
curl: (7) Failed to connect to 192.168.1.181 port 80: No route to host
wilmos@Nothing:~$ 

发现可以成功的进行端口转发

DNAT 加上端口映射

这个可以模拟 LVS 的效果

[root@ds1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@ds1 ~]# firewall-cmd --zone=public --add-masquerade
success
[root@ds1 ~]# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
success
[root@ds1 ~]# cat  /proc/sys/net/ipv4/ip_forward
1
[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# 

在 rs 上加上默认路由

[root@rs1 ~]# ip route add default via 192.168.56.181 dev eth1
[root@rs1 ~]# 

进行访问

wilmos@Nothing:~$ curl 192.168.1.181:80
curl: (7) Failed to connect to 192.168.1.181 port 80: No route to host
wilmos@Nothing:~$ curl 192.168.1.181:8888
rs1
wilmos@Nothing:~$ 

查看 icmptypes

[root@ds1 ~]#  firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@ds1 ~]# 

拒绝 icmp

[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks

[root@ds1 ~]# firewall-cmd --zone=public --add-icmp-block=echo-request 
success
[root@ds1 ~]#  firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
echo-request
[root@ds1 ~]# 

客户端验证

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.395 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.426 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.395/0.410/0.426/0.025 ms
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1006ms

wilmos@Nothing:~$

解封 icmp

[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks
echo-request
[root@ds1 ~]# firewall-cmd --zone=public --remove-icmp-block=echo-request
success
[root@ds1 ~]# firewall-cmd --zone=public --list-icmp-blocks

[root@ds1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=8888:proto=tcp:toport=80:toaddr=192.168.56.183
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

客户端验证

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1006ms

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.394 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.430 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 0.394/0.412/0.430/0.018 ms
wilmos@Nothing:~$

封 IP

[root@ds1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --zone=public  --add-rich-rule="rule family='ipv4' source address='192.168.1.6' reject"
success
[root@ds1 ~]# firewall-cmd --list-all --zone=publicpublic (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.6" reject
[root@ds1 ~]# firewall-cmd  --list-rich-rules --zone=publicrule family="ipv4" source address="192.168.1.6" reject
[root@ds1 ~]# 

客户端校验

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.472 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.397/0.434/0.472/0.042 ms
wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^C^]
telnet> quit
Connection closed.
wilmos@Nothing:~$ 
wilmos@Nothing:~$ 
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Port Unreachable
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: Connection refused
wilmos@Nothing:~$ 

放开特定端口与源

[root@ds1 ~]# firewall-cmd --zone=block --change-interface=eth1
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@ds1 ~]# firewall-cmd --list-all --zone=block 
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

此时是无法访问的

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 192.168.1.181: icmp_seq=2 ttl=64 time=0.472 ms
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.397/0.434/0.472/0.042 ms
wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^C^]
telnet> quit
Connection closed.
wilmos@Nothing:~$ 
wilmos@Nothing:~$ 
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Port Unreachable
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: Connection refused
wilmos@Nothing:~$ 

添加规则

[root@ds1 ~]# firewall-cmd --zone=block  --add-rich-rule="rule family='ipv4' source address='192.168.1.6' port port=80  protocol=tcp accept"
success
[root@ds1 ~]# firewall-cmd --list-all --zone=block
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.6" port port="80" protocol="tcp" accept
[root@ds1 ~]# firewall-cmd  --list-rich-rules --zone=block
rule family="ipv4" source address="192.168.1.6" port port="80" protocol="tcp" accept
[root@ds1 ~]#

此时客户端已经可以访问 80 端口

wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
From 192.168.1.181 icmp_seq=1 Destination Host Prohibited
From 192.168.1.181 icmp_seq=2 Destination Host Prohibited
^C
--- 192.168.1.181 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1016ms

wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...
telnet: Unable to connect to remote host: No route to host
wilmos@Nothing:~$ curl 192.168.1.181:80
ds1
wilmos@Nothing:~$ 

利用 ipset 管理多个 IP

[root@ds1 ~]# firewall-cmd --permanent --new-ipset=iplist --type=hash:ip
success
[root@ds1 ~]# firewall-cmd --permanent --get-ipsets
iplist
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 
[root@ds1 ~]#
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --add-entry=192.168.1.6
success
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 192.168.1.6
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --add-entry=192.168.1.5
success
[root@ds1 ~]# firewall-cmd --permanent --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 192.168.1.6 192.168.1.5
[root@ds1 ~]# firewall-cmd --permanent --ipset=iplist --get-entries
192.168.1.6
192.168.1.5
[root@ds1 ~]#

ipset 的创建要加 --permanent 参数

否则会报错

[root@ds1 ~]# firewall-cmd --list-all --zone=drop drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]#

访问不通

wilmos@Nothing:~$ telnet  192.168.1.181 
Trying 192.168.1.181...



^C
wilmos@Nothing:~$ telnet  192.168.1.181 22
Trying 192.168.1.181...



^C
wilmos@Nothing:~$ 
wilmos@Nothing:~$ curl 192.168.1.181:80



^C
wilmos@Nothing:~$ 

添加规则

[root@ds1 ~]# firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source ipset="iplist" accept'
success
[root@ds1 ~]# firewall-cmd --list-all --zone=drop drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source ipset="iplist" accept
[root@ds1 ~]#

于是可以访问了

wilmos@Nothing:~$ curl 192.168.1.181:80
ds1
wilmos@Nothing:~$ ping  192.168.1.181
PING 192.168.1.181 (192.168.1.181) 56(84) bytes of data.
64 bytes from 192.168.1.181: icmp_seq=1 ttl=64 time=0.403 ms
^C
--- 192.168.1.181 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.403/0.403/0.403/0.000 ms
wilmos@Nothing:~$ telnet 192.168.1.181 22
Trying 192.168.1.181...
Connected to 192.168.1.181.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
^]
telnet> quit
Connection closed.
wilmos@Nothing:~$

ipset 有很多种组合形式

[root@ds1 ~]# firewall-cmd --get-ipset-types 
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
[root@ds1 ~]# 

查看 zone 详情

[root@ds1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@ds1 ~]# firewall-cmd --info-zone=public
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@ds1 ~]# firewall-cmd --info-zone=drop
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source ipset="iplist" accept
[root@ds1 ~]# 

查看 service 详情

[root@ds1 ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@ds1 ~]# firewall-cmd --info-service=http
http
  ports: 80/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
[root@ds1 ~]# 

查看 ipset 详情

[root@ds1 ~]# firewall-cmd --get-ipset-types 
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
[root@ds1 ~]# firewall-cmd --info-ipset=iplist
iplist
  type: hash:ip
  options: 
  entries: 192.168.1.6 192.168.1.5
[root@ds1 ~]# 

查看 helpers 详情

[root@ds1 ~]# firewall-cmd --get-helpers 
Q.931 RAS amanda ftp h323 irc netbios-ns pptp sane sip snmp tftp
[root@ds1 ~]# firewall-cmd --info-helper=ftp
ftp
  family: 
  module: nf_conntrack_ftp
  ports: 21/tcp
[root@ds1 ~]# 

查看 icmptypes 详情

[root@ds1 ~]# firewall-cmd --get-icmptypes 
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@ds1 ~]# firewall-cmd --info-icmptype=destination-unreachable
destination-unreachable
  destination: ipv4 ipv6
[root@ds1 ~]# firewall-cmd --info-icmptype=echo-reply 
echo-reply
  destination: ipv4 ipv6
[root@ds1 ~]# firewall-cmd --info-icmptype=echo-request
echo-request
  destination: ipv4 ipv6
[root@ds1 ~]#

总结

firewalld 毕竟是一个更为先进的 firewall 配置软件

对于防火墙的管理有一套更为强大和灵活的管理方法 

但是有一定的学习成本,影响简单直接的 iptables 运维体验

但是走出舒适区,进行技能的更新和迭代也是一个合格运维的基础素质

后面有空再讲讲其它的 firewalld 实例,和其它相关知识


原文地址 http://soft.dog/2018/07/17/firewalld-03/

类似博客

评论