Check the firewall
[root@devops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since 一 2023-01-16 13:47:59 CST; 16min ago
     Docs: man:firewalld(1)
 Main PID: 714 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─714 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

1月 16 13:47:58 devops systemd[1]: Starting firewalld - dynamic firewall d.....
1月 16 13:47:59 devops systemd[1]: Started firewalld - dynamic firewall daemon.
1月 16 13:47:59 devops firewalld[714]: WARNING: AllowZoneDrifting is enable....
Hint: Some lines were ellipsized, use -l to show in full.
Start the firewall
[root@devops ~]# systemctl start firewalld
Stop the firewall
[root@devops ~]# systemctl stop firewalld
SELinux
Disable temporarily (switches SELinux to permissive mode until the next reboot)
[root@devops ~]# setenforce 0
Disable permanently (takes effect after a reboot)
[root@devops ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
Common port configuration
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --permanent --zone=public --add-port=33060/tcp
firewall-cmd --permanent --zone=public --add-port=33061/tcp
firewall-cmd --reload
View the SELinux configuration file
[root@devops ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Check the SELinux status
[root@devops ~]# getenforce
Disabled
Configure SSH access
- Start by configuring the access policy: first remove the ssh service, which firewalld enables by default with no source restriction, so that the ssh service refuses connections by default. Both this removal and the allow rules below are --permanent, so nothing changes until the reload at the end; that is why the allow rules are added before reloading.
Remove the default unrestricted access
[root@devops ~]# firewall-cmd --permanent --remove-service=ssh
success
Configure the control policy that allows access to the ssh service
- Allow an IP or IP range to reach the ssh service on port 22
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.12.0/24" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="39.98.81.166" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="114.64.234.104" port protocol="tcp" port="22" accept'
success
Reload the firewall configuration so it takes effect
[root@devops ~]# firewall-cmd --reload
success
View the firewall policies currently in effect
[root@devops ~]# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="39.98.81.166" port port="22" protocol="tcp" accept
rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept
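An added example, not part of the original page or its firewall.sh: it builds the same SSH rich rules from an allowlist file and validates every entry before running the --remove-service / --add-rich-rule / --reload sequence above, so a typo cannot leave the host half-configured. ALLOWLIST_FILE, SSH_PORT, the function names and the allowlist format are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the page's own script: turn an SSH source allowlist into
# the same firewalld rich rules the page uses, rejecting malformed entries before
# anything permanent is written. ALLOWLIST_FILE and SSH_PORT are assumed names.
ALLOWLIST_FILE="${ALLOWLIST_FILE:-/etc/firewalld/ssh-allowlist.txt}"
SSH_PORT="${SSH_PORT:-22}"
# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_cidr() {
    local ip="${1%/*}" o IFS=.
    case "$1" in
        */*) case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
             [ "${1#*/}" -le 32 ] || return 1 ;;
    esac
    case "$ip" in *.) return 1 ;; esac   # a trailing dot would vanish in the split
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}
# One rule per source, quoted once so the attribute quotes reach firewalld intact.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept\n' "$1" "$SSH_PORT"
}
# Allowlist format (constructed): one source per line, '#' comments, blank lines.
allowlist_entries() { sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"; }
# Print one rich rule per entry; print nothing and fail if any entry is bad, so a
# typo cannot leave the host with a half-applied allowlist.
build_rules() {
    allowlist_entries "$1" | while read -r src; do
        valid_ipv4_cidr "$src" || { printf 'invalid allowlist entry: %s\n' "$src" >&2; exit 1; }
    done || return 1
    allowlist_entries "$1" | while read -r src; do rich_rule "$src"; done
}
# Same sequence as the page: remove the unrestricted ssh service, add the
# per-source rules, then reload so the permanent configuration takes effect.
apply_rules() {
    local rules rule
    rules="$(build_rules "$ALLOWLIST_FILE")" || return 1
    firewall-cmd --permanent --remove-service=ssh
    printf '%s\n' "$rules" | while read -r rule; do
        firewall-cmd --permanent --add-rich-rule="$rule"
    done
    firewall-cmd --reload
}
if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run without arguments it only defines the functions; `./ssh-allowlist.sh --apply` performs the page's sequence, and `build_rules <file>` alone is a dry run that prints the rules it would add.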
Remove a previously added rich rule
[root@devops ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="39.98.81.166" port protocol="tcp" port="22" accept'
success
[root@devops ~]# firewall-cmd --reload
success
[root@devops ~]# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept
Manually open a specified port
[root@devops ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@devops ~]# firewall-cmd --reload
success
Remove a specified open port
[root@devops ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@devops ~]# firewall-cmd --reload
success
Restrict access to a specified port to a single IP (the rule only restricts access if the port is not also opened zone-wide with --add-port)
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.134" port protocol="tcp" port="80" accept'
success
[root@devops ~]# firewall-cmd --reload
success
Restrict access to a specified port to an IP range
[root@devops ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="80" accept'
success
Add ports with a script
[root@devops ~]# cat firewall.sh
#!/bin/bash
########devops.centoscn.vip#############
# ports to open zone-wide in the public zone
port=( 80 443 8080 9090 9091 9093 3306 6379 4444 5900 7600 15672 5672)
for p in ${port[*]};do
    # write to the permanent configuration; report per port
    firewall-cmd --zone=public --add-port=$p/tcp --permanent > /dev/null 2>&1
    if [[ $? == 0 ]];then
        echo "$p Add successfully!"
    else
        echo "$p Add failed!"
    fi
done
# one reload at the end makes all of the permanent changes effective
firewall-cmd --reload
Check firewall rules and status
Check the firewall state (shows not running when stopped and running when started)
[root@devops ~]# firewall-cmd --state
running
View the firewall rules (shows only the default zone, here public, whose policy lives in /etc/firewalld/zones/public.xml)
[root@devops ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client
  ports: 443/tcp 8080/tcp 9090/tcp 9091/tcp 9093/tcp 3306/tcp 6379/tcp 4444/tcp 5900/tcp 7600/tcp 15672/tcp 5672/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept
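An added example, not from the page: an audit of a saved --list-all dump like the one above. It reports which ports are open to every source, because a zone-wide --add-port (as done here for 3306/tcp, 6379/tcp and others) is not limited by the source-restricted rich rules. The SENSITIVE list, the function names and the embedded sample dump are assumptions or constructed data of this example.

```shell
#!/bin/bash
# Added example, not from the page: audit a saved `firewall-cmd --list-all` dump.
# Entries on the "ports:" line are open to every source; only rich rules carry a
# source restriction. SENSITIVE is an assumed list of ports that should not be
# opened zone-wide in a public-facing zone.
SENSITIVE="3306/tcp 6379/tcp 5900/tcp 4444/tcp 5672/tcp 15672/tcp"
# Ports opened zone-wide, one per line, from the "ports:" line of the dump.
open_ports() { awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }' "$1"; }
# "<source> <port>" for every rich rule, so source-restricted access is visible.
rich_rule_sources() {
    awk '$1 == "rule" && $2 ~ /^family=/ {
            a = ""; p = ""
            for (i = 1; i <= NF; i++) { if ($i ~ /^address=/) a = $i; if ($i ~ /^port=/) p = $i }
            gsub(/"/, "", a); gsub(/"/, "", p)
            sub(/^address=/, "", a); sub(/^port=/, "", p)
            print a, p }' "$1"
}
# Print each sensitive port the zone exposes to all sources; return 1 if any.
flag_exposed() {
    local found=0 p
    for p in $(open_ports "$1"); do
        case " $SENSITIVE " in
            *" $p "*) printf 'EXPOSED to all sources: %s\n' "$p"; found=1 ;;
        esac
    done
    return "$found"
}
# Constructed dump in the shape of the page's output, so the audit runs offline.
sample_dump() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client
  ports: 443/tcp 8080/tcp 3306/tcp 6379/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
EOF
}
if [ -n "${1:-}" ]; then flag_exposed "$1"; fi   # usage: ./audit.sh <dump-file>
```

On a live host, `firewall-cmd --list-all > /tmp/zone.txt` followed by `./audit.sh /tmp/zone.txt` gives a non-zero exit whenever one of the listed services is reachable from any source.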
View all firewall policies (i.e. every zone under /etc/firewalld/zones/)
[root@devops ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client
  ports: 443/tcp 8080/tcp 9090/tcp 9091/tcp 9093/tcp 3306/tcp 6379/tcp 4444/tcp 5900/tcp 7600/tcp 15672/tcp 5672/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="192.168.12.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="114.64.234.104" port port="22" protocol="tcp" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@devops ~]#