1. Description
firewall-cmd is the command-line client of the firewalld daemon. It provides an interface for managing the runtime and the permanent configuration.
In firewalld, the runtime configuration is kept separate from the permanent configuration. This means a change can be made either to the runtime configuration or to the permanent one.
2. Runtime or permanent
Permanent changes need the --permanent option; runtime (temporary) changes do not need it. Temporary changes are not discussed here.
3. Introduction to zones
- List all firewalld zones
[root@test ~]# firewall-cmd --list-all-zones
block   // restrict
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz   // demilitarized zone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop   // drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external   // external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home   // home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal   // internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)   // public
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client http
  ports: 2256/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted   // trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work   // work zone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
- Show the current default zone
[root@test ~]# firewall-cmd --get-default-zone   // public is firewalld's default zone
public
- Show the currently active zones
[root@test ~]# firewall-cmd --get-active-zones   // the active zone is public, bound to interface ens33
public
  interfaces: ens33
4. Configuring firewalld in the public zone
- Goals (common firewalld rule use cases)
- Allow any IP to access port 8080
- Allow a specific IP to access port 27017
- Expose a single service externally
- Close access to a specific port
- Remove a specific IP's access to a port
- Remove a service
- Scheduled task to stop firewalld
Add the following scheduled task to crontab:
*/10 * * * * systemctl stop firewalld.service
- Allow any IP to access port 8080
[root@iZ94ml3rt22Z ~]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
- Allow a specific IP to access port 27017
[root@iZ94ml3rt22Z ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule port port="27017" protocol="tcp" family="ipv4" source address="181.213.102.106/32" accept'
- Expose a single service externally
[root@iZ94ml3rt22Z ~]# firewall-cmd --permanent --zone=public --add-service=nfs
[root@iZ94ml3rt22Z ~]# firewall-cmd --permanent --zone=public --add-service=rpc-bind
[root@iZ94ml3rt22Z ~]# firewall-cmd --permanent --zone=public --add-service=mountd
- Close access to a specific port
[root@iZ94ml3rt22Z ~]# firewall-cmd --permanent --zone=public --remove-rich-rule='rule port port="27017" protocol="tcp" family="ipv4" source address="181.213.102.106/32" accept'
- Remove a service
[root@iZ94ml3rt22Z ~]# firewall-cmd --permanent --zone=public --remove-service=mountd
- Reload firewalld and remove the scheduled task
[root@iZ94ml3rt22Z ~]# firewall-cmd --reload
[root@iZ94ml3rt22Z ~]# firewall-cmd --list-all
[root@test ~]# vim /etc/firewalld/zones/public.xml   // view the public zone's rule list
5. Configuring the trusted zone
- Use case
In some situations the machines inside a network need to trust one another. For example, if firewalld is enabled on the machines of a CDH cluster, mutual trust between them can be set up this way.
- Configuration
[root@iZ94ml3rt22Z ~]# vim /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="ens192"/>
  <source address="192.168.0.97/32"/>
  <source address="192.168.0.98/32"/>
  <source address="192.168.0.99/32"/>
</zone>
Note: fill in the interface name and the permitted IP addresses according to your actual environment.
[root@iZ94ml3rt22Z ~]# firewall-cmd --reload
- Other commands
[root@iZ94ml3rt22Z ~]# firewall-cmd --get-active-zones   // the trusted zone is now active
public
  interfaces: ens33
trusted
  interfaces: ens192
  sources: 192.168.0.97/32 192.168.0.98/32 192.168.0.99/32
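As an added example (not part of the original post), a small Python audit that parses firewalld zone files such as the public.xml and trusted.xml edited above and reports what each zone exposes and to whom: services and ports open to every source, rich-rule ports limited to one source, and, for a zone whose target is ACCEPT, the interfaces and sources that can reach every port. The two zone files are constructed samples mirroring this post's rules; the element names (`service`, `port`, `rule`, `source`, `accept`) follow firewalld's zone file format.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from a real host) mirroring the rules applied in
# this post: public opens ssh/http/nfs and 8080/tcp to everyone and 27017/tcp
# to one source; trusted accepts everything from ens192 and the listed hosts.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <service name="http"/>
  <service name="nfs"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="181.213.102.106/32"/>
    <port protocol="tcp" port="27017"/>
    <accept/>
  </rule>
</zone>"""

TRUSTED_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <interface name="ens192"/>
  <source address="192.168.0.97/32"/>
  <source address="192.168.0.98/32"/>
</zone>"""


def audit_zone(xml_text):
    """Return {target, open_to_any, restricted, accept_all_from} for one zone:
    what every source can reach, what only a named source can reach, and
    (target=ACCEPT) which interfaces/sources may reach every port."""
    zone = ET.fromstring(xml_text)
    rep = {"target": zone.get("target", "default"),
           "open_to_any": [], "restricted": [], "accept_all_from": []}
    rep["open_to_any"] += ["service:" + s.get("name") for s in zone.findall("service")]
    rep["open_to_any"] += [f"{p.get('port')}/{p.get('protocol')}" for p in zone.findall("port")]
    for rule in zone.findall("rule"):
        port, src = rule.find("port"), rule.find("source")
        if port is None or rule.find("accept") is None:
            continue  # only accept rules naming a port widen exposure
        entry = f"{port.get('port')}/{port.get('protocol')}"
        if src is None:  # a rich rule without a source applies to everyone
            rep["open_to_any"].append(entry)
        else:
            rep["restricted"].append((entry, src.get("address")))
    if rep["target"] == "ACCEPT":  # every port open to these interfaces/sources
        rep["accept_all_from"] = [i.get("name") for i in zone.findall("interface")]
        rep["accept_all_from"] += [s.get("address") for s in zone.findall("source")]
    return rep
```

Run it against the real files under /etc/firewalld/zones/ after a `--reload` to confirm that only the intended ports are in `open_to_any` and that the trusted zone's `accept_all_from` holds only cluster hosts.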