CentOS 7 Firewall Configuration


Check the firewall

[root@devops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2023-01-16 13:47:59 CST; 16min ago
     Docs: man:firewalld(1)
 Main PID: 714 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─714 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jan 16 13:47:58 devops systemd[1]: Starting firewalld - dynamic firewall d.....
Jan 16 13:47:59 devops systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 16 13:47:59 devops firewalld[714]: WARNING: AllowZoneDrifting is enable....
Hint: Some lines were ellipsized, use -l to show in full.

The AllowZoneDrifting warning is worth acting on: with that compatibility option left at yes in /etc/firewalld/firewalld.conf, a packet that is not accepted by the zone it first matched can fall through to another zone, which is why firewalld itself flags the setting as insecure. Set AllowZoneDrifting=no and restart firewalld once the zone layout below is in place.

Start the firewall

[root@devops ~]# systemctl start firewalld

Stop the firewall (the host has no packet filtering at all until it is started again; on an exposed server prefer opening only the ports shown below)

[root@devops ~]# systemctl stop firewalld

SELinux

Temporarily disable (permissive mode until the next reboot). setenforce 0 keeps the policy loaded and keeps logging denials to /var/log/audit/audit.log; it only stops blocking.

[root@devops ~]# setenforce 0

Permanently disable (takes effect after the next reboot). Note that this sed pattern only matches when the saved value is enforcing; if the file already reads permissive, nothing changes. Disabling SELinux outright drops a mandatory access control layer; for troubleshooting, permissive mode gives the same "nothing is blocked" behaviour while still recording what would have been denied.

[root@devops ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
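The sed above silently does nothing when the saved mode is not enforcing. As an added example (not from the original page), the function below rewrites whatever the current SELINUX= line holds, refuses invalid modes, and verifies the result; the file path and mode are arguments, and the test file used in the usage comment is constructed for the example.

```shell
#!/bin/sh
# Added example: set the saved SELinux mode no matter which of the three
# values /etc/selinux/config currently holds, then verify the edit.
# Usage: set_selinux_mode /etc/selinux/config permissive

set_selinux_mode() {
    cfg=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    # Refuse to edit a file with no active SELINUX= line: sed would silently do nothing.
    grep -q '^SELINUX=' "$cfg" || { echo "no SELINUX= line in $cfg" >&2; return 1; }
    # Anchor on the line start so the commented "#     disabled - ..." help text is untouched.
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" || return 1
    # Verify: exactly one active line, holding the requested value.
    [ "$(grep -c '^SELINUX=' "$cfg")" -eq 1 ] && grep -q "^SELINUX=$mode\$" "$cfg"
}

# Print the saved mode, i.e. the value the next boot will use
# (getenforce reports the running mode, which may differ until reboot).
saved_selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1"
}
```

Run getenforce afterwards to confirm the running mode still differs from the saved one until the reboot; that gap is the usual reason a "permanently disabled" host is still enforcing.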

Common port configuration (--permanent only edits the saved configuration; nothing changes in the running firewall until --reload)

firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --permanent --zone=public --add-port=33060/tcp
firewall-cmd --permanent --zone=public --add-port=33061/tcp
firewall-cmd --reload

View the SELinux configuration file

[root@devops ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Check SELinux status

[root@devops ~]# getenforce
Disabled

Configure SSH access

  • Start by removing the ssh service that is enabled by default with no source restriction, so that ssh connections are refused unless a rule explicitly allows them.

Remove the default, unrestricted ssh service entry. This only touches the saved configuration; the running firewall still accepts ssh until --reload, so add the allow rules below before reloading or the remote session is lost.

[root@devops ~]#  firewall-cmd --permanent --remove-service=ssh
success

Configure the rules that allow access to the ssh service

  • Allow an IP address or IP range to reach the ssh service on port 22
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.12.0/24" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="39.98.81.166" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="114.64.234.104" port protocol="tcp" port="22" accept'
success

Reload the firewalld configuration so it takes effect

[root@devops ~]# firewall-cmd --reload 
success

Check the rules currently in effect

[root@devops ~]# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="39.98.81.166" port port="22" protocol="tcp" accept
rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept
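The four steps above (add the source-restricted accept rules, remove the open ssh service, reload, list) are easy to run in the wrong order and lock yourself out. As an added example that is not part of the original page, the script below applies the same rich rules in a lock-out-safe order and, when run over SSH, refuses to proceed unless the current client address (taken from SSH_CONNECTION) is covered by one of the sources. FIREWALL_CMD is an assumption introduced here: it defaults to firewall-cmd and can be set to echo for a dry run.

```shell
#!/bin/sh
# Added example: apply an SSH allow-list to the public zone without locking yourself out.
# FIREWALL_CMD is a knob for this example: FIREWALL_CMD=echo prints what would run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print a dotted-quad IPv4 address as an integer; fail on anything malformed.
ipv4_to_int() {
    case $1 in
        *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) return 1 ;;   # junk, too many dots, empty octet
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=$1 n=0
    for i in 1 2 3 4; do
        octet=${rest%%.*}; rest=${rest#*.}
        case $octet in 0[0-9]*) return 1 ;; esac      # no leading zeros (octal ambiguity)
        [ "$octet" -le 255 ] || return 1
        n=$(( n * 256 + octet ))
    done
    echo "$n"
}

# Split ADDR[/PREFIX] into $net, $prefix and $net_int; fail if either part is invalid.
parse_source() {
    net=${1%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    net_int=$(ipv4_to_int "$net")
}

# Succeed when ADDR (first argument) lies inside NETWORK/PREFIX (second argument).
in_cidr() {
    addr_int=$(ipv4_to_int "$1") || return 1
    parse_source "$2" || return 1
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

# The rich rule used on this page, for one source and one TCP port (default 22).
ssh_allow_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$1" "${2:-22}"
}

# Add one accept rule per SOURCE, then remove the zone-wide ssh service, then reload.
# Over SSH, refuse unless the client address is inside one of the SOURCEs
# (FORCE=1 overrides, e.g. when working from the console).
apply_ssh_allowlist() {
    [ $# -ge 1 ] || { echo "usage: apply_ssh_allowlist SOURCE..." >&2; return 2; }
    for src in "$@"; do
        parse_source "$src" || { echo "invalid source: $src" >&2; return 2; }
    done
    client=${SSH_CONNECTION%% *}
    if [ -n "$client" ] && [ "${FORCE:-0}" != 1 ]; then
        covered=0
        for src in "$@"; do
            in_cidr "$client" "$src" && covered=1
        done
        [ "$covered" -eq 1 ] || { echo "refusing: $client is not in any allowed source" >&2; return 1; }
    fi
    for src in "$@"; do
        $FIREWALL_CMD --permanent --zone=public --add-rich-rule="$(ssh_allow_rule "$src" 22)" || return 1
    done
    $FIREWALL_CMD --permanent --zone=public --remove-service=ssh || return 1
    $FIREWALL_CMD --reload
}
```

Usage: FIREWALL_CMD=echo apply_ssh_allowlist 192.168.1.0/24 114.64.234.104 shows the exact firewall-cmd invocations; drop the FIREWALL_CMD override to apply them. The rules are added before the service is removed so that a reload at any point leaves at least the listed sources able to reach port 22.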

Remove one of the rich rules added earlier (the rule string must match exactly)

[root@devops ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="39.98.81.166" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --reload 
success
[root@devops ~]# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept

Manually open a specified port

[root@devops ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@devops ~]# firewall-cmd --reload
success

Remove a specified open port

[root@devops ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@devops ~]# firewall-cmd --reload
success

Allow only a specified IP to reach a specified port

[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.134" port protocol="tcp" port="80" accept'
success

Put single quotes around the rule: with double quotes on the outside, the shell strips the inner double quotes before firewall-cmd sees the rule (firewalld still parsed it here, but the rich language expects the quoted form). Also note that this rule only restricts port 80 if the port is not opened zone-wide as well; a plain --add-port=80/tcp entry accepts from any source and makes the source-specific rule moot.
[root@devops ~]# firewall-cmd --reload
success

Allow only a specified IP range to reach a specified port (reload afterwards, as above)

[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="80" accept'
success

Adding ports with a script

[root@devops ~]# cat firewall.sh 
#!/bin/bash
########devops.centoscn.vip#############
# Open each listed TCP port in the public zone (saved configuration), then reload once.
port=(80 443 8080 9090 9091 9093 3306 6379 4444 5900 7600 15672 5672)
for p in "${port[@]}"; do
    if firewall-cmd --zone=public --add-port="$p/tcp" --permanent > /dev/null 2>&1; then
        echo "$p Add successfully!"
    else
        echo "$p Add failed!"
    fi
done
firewall-cmd --reload

Be aware of what this list does: every port is opened to any source in the public zone, including 3306 (MySQL), 6379 (Redis), 5672/15672 (RabbitMQ) and 5900 (VNC). Services like these are better reached through source-restricted rich rules of the kind shown for ssh above, or bound to an internal interface, than exposed zone-wide.

Check firewalld rules and status

Check the firewall state (prints "not running" when stopped, "running" when started)

[root@devops ~]# firewall-cmd --state     
running

Show the firewall rules of the default zone only (public here, whose saved copy lives in /etc/firewalld/zones/public.xml). This lists the runtime rules; compare with firewall-cmd --permanent --list-all if a --reload may have been skipped.

[root@devops ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client
  ports: 443/tcp 8080/tcp 9090/tcp 9091/tcp 9093/tcp 3306/tcp 6379/tcp 4444/tcp 5900/tcp 7600/tcp 15672/tcp 5672/tcp 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept
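The listing above mixes two very different kinds of entry: "ports:" and "services:" accept from any source, while the rich rules accept only from the named sources. As an added example (not from the original page), the function below reads --list-all output on stdin and reports each zone-wide opening, tagging the ones that fall in a constructed list of services that should not face arbitrary clients; the sample input is a copy of the public zone shown above, embedded for the example.

```shell
#!/bin/sh
# Added example: audit `firewall-cmd --list-all` output for zone-wide exposure.
# Ports and services that should never accept from arbitrary sources
# (constructed list for this example; extend it to suit your environment).
RISKY_PORTS=" 22 3306 6379 5672 15672 5900 4444 "
RISKY_SERVICES=" ssh mysql redis samba "

# Read --list-all text on stdin and print one line per opening:
#   open-to-all port PORT/PROTO RISKY|ok       (zone-wide, any source)
#   open-to-all service NAME RISKY|ok          (zone-wide, any source)
#   source-restricted rule ...                 (rich rule with a source)
audit_zone() {
    awk -v risky_ports="$RISKY_PORTS" -v risky_services="$RISKY_SERVICES" '
        /^[ \t]*ports:/ {
            sub(/^[ \t]*ports:[ \t]*/, "")
            n = split($0, arr)
            for (i = 1; i <= n; i++) {
                port = arr[i]; sub(/\/.*/, "", port)
                tag = index(risky_ports, " " port " ") ? "RISKY" : "ok"
                print "open-to-all port", arr[i], tag
            }
        }
        /^[ \t]*services:/ {
            sub(/^[ \t]*services:[ \t]*/, "")
            n = split($0, arr)
            for (i = 1; i <= n; i++) {
                tag = index(risky_services, " " arr[i] " ") ? "RISKY" : "ok"
                print "open-to-all service", arr[i], tag
            }
        }
        /^[ \t]*rule / { sub(/^[ \t]*/, ""); print "source-restricted", $0 }
    '
}

# Constructed sample: the public zone listed on this page.
sample_list_all() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client
  ports: 443/tcp 8080/tcp 9090/tcp 9091/tcp 9093/tcp 3306/tcp 6379/tcp 4444/tcp 5900/tcp 7600/tcp 15672/tcp 5672/tcp 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept
EOF
}
```

On a live host run firewall-cmd --list-all | audit_zone; the sample_list_all function only exists so the example runs offline. Anything tagged RISKY in an open-to-all line is a candidate for a source-restricted rich rule or for removal from the zone.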

Show the rules of every zone (the built-in zone definitions come from /usr/lib/firewalld/zones/; /etc/firewalld/zones/ holds only the zones that have been modified)

[root@devops ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client
  ports: 443/tcp 8080/tcp 9090/tcp 9091/tcp 9093/tcp 3306/tcp 6379/tcp 4444/tcp 5900/tcp 7600/tcp 15672/tcp 5672/tcp 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	


Last updated: 2023-2-24
Published 2023-01-16 14:05:03