关闭与 firewalld 冲突的服务（iptables、ip6tables、ebtables 与 firewalld 操作同一套内核规则，同时运行会互相覆盖；mask 后它们既不能手动启动，也不会被其它单元依赖拉起）:
[root@foundation0 network-scripts]# for server in iptables ip6tables ebtables;do systemctl mask $server.service;done
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
ln -s '/dev/null' '/etc/systemd/system/ebtables.service'
Firewalld命令:
创建一个新区域:
[root@desktop ~]# firewall-cmd --new-zone="rhce" --permanent
Success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public rhce trusted work
删除一个区域:
[root@desktop ~]# firewall-cmd --delete-zone=rhce --permanent
success
[root@desktop ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public rhce trusted work
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
查看一个接口属于哪个区域:
[root@desktop ~]# firewall-cmd --get-zone-of-interface="eth1"
public
[root@desktop ~]# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
查询当前默认的区域:
[root@desktop ~]# firewall-cmd --get-default-zone
Public
设置默认区域:
[root@desktop ~]# firewall-cmd --set-default-zone=public
Warning: ZONE_ALREADY_SET: public
列出所有可用的区域:
[root@desktop ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
列出当前正在使用的所有区域:
[root@desktop ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0
将来自某个源 IP/网段的所有流量划入指定区域（未加 --permanent 时只是运行时配置，--reload 后失效。注意 trusted 区域默认接受全部流量，下面把 192.168.10.1/16 即整个 192.168.0.0/16 划入 trusted，等于对该网段完全放行；网段建议写成网络地址 192.168.0.0/16）:
[root@desktop ~]# firewall-cmd --add-source=192.168.10.1/16 --zone=trusted
success
[root@desktop ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0
trusted
sources: 192.168.10.1/16
从指定区域中删除一个源 IP/网段:
[root@desktop ~]# firewall-cmd --remove-source=192.168.10.1/16 --zone=trusted
success
[root@desktop ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0
将来自网络接口的所有流量路由到指定区域:
[root@desktop ~]# firewall-cmd --add-interface=eth0 --zone=public
Warning: ZONE_ALREADY_SET
[root@desktop ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0
修改网络接口与区域的关联
[root@server ~]#firewall-cmd --change-interface=eth1 --zone=trusted
[root@server ~]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth2
trusted
interfaces: eth1
将已启动的接口修改成其它的区域:
[root@desktop ~]# firewall-cmd --get-zone-of-interface="eth2"
public
[root@desktop ~]# firewall-cmd --zone="trusted" --change-interface="eth2"   # --zone 为目标区域；注释前必须有空格，否则 #... 会被当作参数的一部分
Success
[root@desktop ~]# firewall-cmd --get-zone-of-interface="eth2"
Trusted
--add-interface 只能用在接口尚未绑定到任何区域时；接口已属于其它区域时要用 --change-interface，或先 --remove-interface 再 --add-interface（见下例）。
[root@desktop ~]# firewall-cmd --remove-interface="eth2" --zone="trusted"   # --zone 为接口当前所在的区域
success
[root@desktop ~]# firewall-cmd --get-zone-of-interface="eth2"
no zone
[root@desktop ~]# firewall-cmd --add-interface="eth2" --zone="public"
success
[root@desktop ~]# firewall-cmd --get-zone-of-interface="eth2"
public
显示所有已配置的接口,源,服务和端口:
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client mountd nfs rpc-bind samba ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
显示所有区域的所有信息(接口,源,端口,服务)
[root@server ~]# firewall-cmd --list-all-zones
ROL
interfaces:
sources: 172.25.0.252/32
services: ssh vnc-server
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
.................
允许到 <service> 的流量（本节的 --add-service/--add-port 都未加 --permanent，只修改运行时配置，--reload 或重启后丢失；要持久化需加 --permanent 后再 --reload）:
[root@server ~]# firewall-cmd --add-service=http
Success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client http mountd nfs rpc-bind samba ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
允许到<port/protocol>的端口的流量
[root@server ~]# firewall-cmd --add-port=8000/tcp
Success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client http mountd nfs rpc-bind samba ssh
ports: 8000/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
从区域列表中删除<service>的项目:
[root@server ~]# firewall-cmd --remove-service=http
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client mountd nfs rpc-bind samba ssh
ports: 8000/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
从区域列表中删除<port/protocol>的项目:
[root@server ~]# firewall-cmd --remove-port=8000/tcp
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client mountd nfs rpc-bind samba ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
查看防火墙支持的服务类型:
[root@desktop ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
Service 列表:
[root@desktop ~]# ll /usr/lib/firewalld/services/
amanda-client.xml kpasswd.xml pop3s.xml
bacula-client.xml ldaps.xml postgresql.xml
bacula.xml ldap.xml proxy-dhcp.xml
dhcpv6-client.xml libvirt-tls.xml radius.xml
dhcpv6.xml libvirt.xml rpc-bind.xml
如果没有需要的服务,可以通过配置文件手动添加:
[root@desktop services]# cat amanda-client.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Amanda Backup Client</short>
<description>The Amanda backup client option allows you to connect to a Amanda backup and archiving server. You need the amanda-client package installed for this option to be useful.</description>
<port protocol="udp" port="10080"/>
<port protocol="tcp" port="10080"/>
<module name="nf_conntrack_amanda"/>
</service>
丢弃运行时配置，重新加载持久配置（所有未加 --permanent 的改动会丢失；已建立的连接状态保留）:
[root@server ~]# firewall-cmd --reload
success
Firewall-cmd 富规则配置:
语法:
Rule
[source]
[destination]
service|port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]
同一区域内规则的匹配顺序（先匹配先生效：同时命中允许规则和拒绝规则时，允许规则先被评估而生效；firewalld 0.7 及以上可在富规则中用 priority= 显式指定顺序）:
1. 为该区域设置的任何端口转发和伪装规则
2. 为该区域设置的任何记录规则
3. 为该区域设置的任何允许的规则
4. 为该区域设置的任何拒绝规则
富规则的添加,删除和查询
--add-rich-rule='<RULE>' --zone=<ZONE>
--remove-rich-rule='<RULE>' --zone=<ZONE>
--query-rich-rule='<RULE>' --zone=<ZONE>
--list-rich-rules [--zone=<ZONE>]
firewall-cmd --list-all
firewall-cmd --list-all-zones
添加富规则:
拒绝来自rhce区域中IP地址为192.168.10.1的所有流量
[root@desktop ~]# firewall-cmd --permanent --zone=rhce --add-rich-rule='rule family=ipv4 source address=192.168.10.1/32 reject'
success
[root@desktop ~]# firewall-cmd --reload
Success
[root@desktop ~]# firewall-cmd --zone=rhce --list-rich-rules
rule family="ipv4" source address="192.168.10.1/32" reject
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.10.1/32" reject
删除富规则:
[root@desktop ~]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.10.1/32" reject' --zone=rhce --permanent   # 删除时规则文本要与 --list-rich-rules 的输出一致；选项的 = 号前后不能有空格
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
允许每分钟最多两次到 FTP 的新连接（limit 只限制本条规则的匹配次数，超出部分不会被本条规则拒绝，而是继续由后续规则和区域默认策略处理；若要明确拒绝超限连接，需再加一条 reject/drop 规则）:
[root@desktop ~]# firewall-cmd --add-rich-rule="rule service name=ftp limit value=2/m accept" --permanent --zone=rhce
success
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule service name="ftp" accept limit value="2/m"
限制limit的单位:
s秒
m :分钟
h小时
d天
丢弃任何位置所有传入的IPSEC ESP协议包:
firewall-cmd --add-rich-rule="rule protocol value=esp drop" --zone=rhce --permanent
firewall-cmd --list-all
firewall-cmd --zone=rhce --remove-rich-rule='rule protocol value="esp" drop' --permanent   # 规则内部含双引号时整体用单引号包裹，避免 shell 提前结束引号
firewall-cmd --zone=rhce --list-all
firewall-cmd --reload
接受来自子网 192.168.1.0/24、目标端口为 7900-7905 的所有 TCP 包:
[root@desktop ~]# firewall-cmd --zone=rhce --permanent --add-rich-rule="rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept"
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" port port="7900-7905" protocol="tcp" accept
使用富规则进行记录:
将允许和拒绝信息记录到syslog或audit子系统
记录到syslog语法:
log [prefix="<PREFIX TEXT>"] [level=<LOGLEVEL>] [limit value="<RATE/DURATION>"]
Level: emerg, alert, crit, error, warning, notice, info, debug
DURATION:s秒,m分钟,h小时,d天
记录到audit审计系统语法:
audit [limit value="<RATE/DURATION>"]
示例:
接受从rhce区域到SSH的新连接,以notice级别且每分钟最多三条消息的方式将新连接记录到syslog
[root@desktop ~]# firewall-cmd --zone=rhce --permanent --add-rich-rule="rule service name="ssh" log prefix="ssh" level="notice" limit value="3/m" accept"
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule service name="ssh" log prefix="ssh" level="notice" limit value="3/m" accept
rule family="ipv4" source address="192.168.1.0/24" port port="7900-7905" protocol="tcp" accept
在接下来的五分钟内,将拒绝从rhce区域中子网2001:db8::/64到DNS的新IPV6连接,并且拒绝的连接将记录到audit系统,且每小时最多一条记录
[root@desktop ~]# firewall-cmd --zone=rhce --permanent --add-rich-rule="rule family=ipv6 source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject" --timeout=300
usage: see firewall-cmd man page
Can't specify timeout for permanent action.
[root@desktop ~]# firewall-cmd --zone=rhce --add-rich-rule="rule family=ipv6 source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject" --timeout=300
success
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv6" source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject
查看富规则（未指定 --zone 时只列出默认区域即 public 的富规则，所以这里只看到 172.24.0.0/16 那条；要看 rhce 区域需加 --zone=rhce）:
[root@desktop ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="172.24.0.0/16" service name="ssh" reject
实验:
通过配置自定义富规则来查看由防火墙过滤的http访问日志
在server端配置httpd和富规则:
[root@server ~]# yum install httpd -y
[root@server ~]# systemctl start httpd
[root@server ~]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address="172.25.0.10/32" service name="http" log level=notice limit value="3/s" accept"
在desktop客户端上访问server上的httpd服务
[root@desktop ~]# curl http://server.example.com
在 server 端可以看到 desktop 的访问记录（日志由内核写入 /var/log/messages，每个新连接的 SYN 包记一条；log 上的 limit 3/s 只限制日志条数，超限的连接仍按 accept 放行）:
[root@server ~]# tail -f /var/log/messages
Dec 14 14:36:01 server systemd: Started The Apache HTTP Server.
Dec 14 14:37:00 server kernel: IN=eth0 OUT= MAC=52:54:00:f2:1a:23:52:54:00:b3:20:55:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33149 DF PROTO=TCP SPT=36389 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 14 14:37:12 server kernel: IN=eth0 OUT= MAC=52:54:00:f2:1a:23:52:54:00:b3:20:55:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33509 DF PROTO=TCP SPT=36390 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
端口转发:
在本地服务器上做端口转发:
语法:
firewall-cmd --permanent --zone=<ZONE>
--add-forward-port=port=<PORTNUMBER>:proto=<PROTOCOL>:[toport=<PORTNUMBER>][:toaddr=<IPADDR>]
把到达本机 80 端口的流量转发到本机 12345 端口（转发规则只对从该区域进入的流量生效，本机自身通过 lo 发起的访问通常不会命中，测试应从其它主机发起）:
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=12345
firewall-cmd --reload
firewall-cmd --zone=public --list-forward-ports
删除:
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --zone=public --remove-forward-port=port=80:proto=tcp:toport=12345
通过富规则在本地进行端口转发配置语法:
forward-port port=<PORTNUM> protocol=tcp|udp [to-port=<PORTNUM>] [to-addr=<ADDRESS>]
firewall-cmd --permanent --zone=rhce --add-rich-rule='rule family=ipv4 source address=192.168.0.0/26 forward-port port=80 protocol=tcp to-port=8080'
将指定端口的流量转发到与防火墙相连的其它主机上的指定端口（端口映射；转发到其它主机必须开启 masquerade，否则回包不会经过防火墙。开启后目标主机看到的源地址是防火墙的地址，原始客户端 IP 不会出现在目标主机的日志里，且该区域转发出去的所有流量都会被 SNAT）:
firewall-cmd --zone=public --permanent --add-masquerade   # 在 public 区域开启 masquerade
firewall-cmd --zone=public --permanent --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.3.34.2
firewall-cmd --reload
查看:
[root@desktop ~]# firewall-cmd --list-all --zone=rhce
rhce
interfaces:
sources:
services:
ports:
masquerade: yes   # 已开启 SNAT
forward-ports: port=789:proto=tcp:toport=22:toaddr=172.25.0.11   # 转发到另一台主机的 SSH；经 SNAT 后 172.25.0.11 上看到的来源是防火墙地址
icmp-blocks:
rich rules:
删除:
[root@desktop ~]# firewall-cmd --remove-masquerade --zone=rhce --permanent
[root@desktop ~]# firewall-cmd --remove-forward-port=port=789:proto=tcp:toport=22:toaddr=172.25.0.11 --permanent --zone=rhce
开启服务器上的 SNAT 功能（masquerade: yes；注意下面 public 区域还放行了 telnet、ftp、tftp 等明文服务，仅适合实验环境）:
[root@foundation0 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno33554960 eno50332200 eno67109424 eno83886648
sources:
services: dhcp dns ftp http mysql nfs ntp samba samba-client smtp ssh telnet tftp tftp-client vnc-server
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
通过富规则按源地址开启 masquerade（只对匹配的源网段做 SNAT，比区域级的 --add-masquerade 更精确），使防火墙后端的服务器可以访问外网
只对精确匹配源 IP 的流量做 SNAT 转换（下面的规则同时写了 masquerade 和 accept，较新版本的 firewalld 可能拒绝 masquerade 元素与动作同时出现，添加后用 --query-rich-rule 确认规则确实生效）:
[root@foundation0 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno33554960 eno50332200 eno67109424 eno83886648
sources:
services: dhcp dns ftp http mysql nfs ntp samba samba-client smtp ssh telnet tftp tftp-client vnc-server
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.0.0/24" masquerade log level="notice" limit value="3/s" accept
管理SELinux端口标记:
SELinux 不仅给文件和进程打标签，也给网络端口打标签；服务进程只能绑定到与其类型匹配的端口，所以防火墙放行了端口之后还需要端口标签正确
22 端口的标签：ssh_port_t
80、443 等端口的标签：http_port_t（从下文 semanage port -l 的输出可见 http_port_t 默认包含 80, 81, 443, 488, 8008, 8009, 8443, 9000，并不包含 8080；8080 在 RHEL 7 默认策略中通常是 http_cache_port_t，用 semanage port -l | grep 8080 核实）
查看系统与端口标记相对应的标签:
[root@server ~]# semanage port -l
SELinux Port Type Proto Port Number
afs3_callback_port_t tcp 7001
afs3_callback_port_t udp 7001
afs_bos_port_t udp 7007
afs_fs_port_t tcp 2040
afs_fs_port_t udp 7000, 7005
afs_ka_port_t udp 7004
afs_pt_port_t udp 7002
afs_vl_port_t udp 7003
agentx_port_t tcp 705
查看在本地更改的端口:
-C, --locallist List port local customizations
[root@server ~]# semanage port -l -C
向现有端口类型中添加端口号（-a 只能用于尚未被任何类型标记的端口，若端口已有标签会报 already defined，需改用 -m 修改；改完后用 -l -C 核对）:
semanage port -a -t port_label -p tcp|udp PORTNUMBER
[root@server ~]# semanage port -a -t http_port_t -p tcp 9002
[root@server ~]# semanage port -l -C
SELinux Port Type Proto Port Number
http_port_t tcp 9002
[root@server ~]# semanage port -l | grep http_port_t
http_port_t tcp 9002, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988