firewalld

firewalld防火墙策略：

Linux系统上的防火墙体系
系统服务:firewalld
管理工具:firewall-cmd
图形管理工具firewall-config

预设安全区域
  根据所在的网络场所区分,预设保护规则集。
  最常用的四个区域：
– public:仅允许访问本机的sshd dhcp ping
  – trusted:允许任何访问
  – block:拒绝任何来访请求(明确拒绝回应)
  – drop:丢弃任何来访的数据包(直接丢弃不给回应,节省服务器资源)

防火墙的判定规则：匹配及停止
1.查看请求数据包中的源IP地址,并与自己所有区域规则依次比较,如果有该源IP地址的规则,则进

入该区域。剩余其它区域不再比对，数据包进入该区域后具体的处理方法依据该区域的具体规则。
2.如果所有区域都没有该源IP地址，则把数据包交给默认区域(public).

firewalld的安装

[root@server1 ~]# rpm  -q  firewalld
package firewalld is not installed
[root@server1 ~]# yum -y install firewalld-0.4.4.4-14.el7.noarch
[root@server1 ~]# systemctl start firewalld
[root@server1 ~]# systemctl enable  firewalld

防火墙默认区域修改

                                           #查看默认区域
[root@server1 ~]# firewall-cmd --get-default-zone                                                                                                     
[root@client1 ~]# ping 192.168.4.100       #客户端client1可以Ping通           
                                           #把默认区别修改为block
[root@server1 ~]# firewall-cmd --set-default-zone=block
[root@server1 ~]# firewall-cmd --get-default-zone
[root@server1 ~]#

[root@client1 ~]# ping 192.168.4.100 #client1不能ping通，但有回应
PING 192.168.4.100 (192.168.4.100) 56(84) bytes of data.
From 192.168.4.100 icmp_seq=1 Destination Host Prohibited
From 192.168.4.100 icmp_seq=2 Destination Host Prohibited

#修改默认区域为drop
[root@server1 ~]# firewall-cmd --set-default-zone=drop
[root@server1 ~]# firewall-cmd --get-default-zone
[root@server1 ~]#

#客户端测试时，不可以通信,没有回应
[root@client1 ~]# ping 192.168.4.100
PING 192.168.4.100 (192.168.4.100) 56(84) bytes of data.

在默认区域添加协议:

                                          #修改默认区域为public
[root@server1 ~]# firewall-cmd --set-default-zone=public
[root@server1 ~]# firewall-cmd --get-default-zone
                                          #查看区域详细规则
[root@server1 ~]# firewall-cmd --zone=public --list-all  
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2 eth3
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@server1 ~]#  

在客户端上访问server1上的ftp,httpd服务
[root@client1 ~]# ftp 192.168.4.100        #ftp服务连接失败
ftp: connect: No route to host
                                           #httpd服务连接失败
[root@client1 ~]#  curl http://192.168.4.100
curl: (7) Failed connect to 192.168.4.100:80; No route to host
                                     
                                           #在server1上添加规则，允许http,ftp
[root@server1 html]# firewall-cmd --zone=public --add-service=http
[root@server1 html]# firewall-cmd --zone=public --add-service=ftp
[root@server1 html]# firewall-cmd --zone=public  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2 eth3
  sources: 
  services: ssh dhcpv6-client http ftp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  
客户端再次测试                                                        
[root@client1 ~]#  curl http://192.168.4.100
hello~                                     #http连接成功
[root@client1 ~]# ftp 192.168.4.100        #ftp连接成功
Connected to 192.168.4.100 (192.168.4.100).

                                           #以上修改策略可以立即生效，但重启系统或服务时会丢失
[root@server1 ~]# firewall-cmd  --reload
[root@server1 ~]# firewall-cmd --zone=public  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2 eth3
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@server1 ~]#

防火墙永久策略 permanent

                                           #通过permanent使用策略写入到配置文件
[root@server1 ~]# firewall-cmd --permanent --zone=public --add-service=http
[root@server1 ~]# firewall-cmd --permanent --zone=public --add-service=ftp                                   
                                           #再次查看规则，因为策略被写于到了配置文件，所以当前策略中看不到
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2 eth3
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

[root@server1 ~]# firewall-cmd --reload   #重新加载防火墙所有配置,使配置文件中的策略生效
[root@server1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2 eth3
  sources: 
  services: ssh dhcpv6-client http ftp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@server1 ~]#

单独拒绝虚拟机client1的访问

[root@server1 ~]# firewall-cmd --zone=block --add-source=192.168.4.1
[root@server1 ~]# firewall-cmd --zone=block --list-all
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 192.168.4.1
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@server1 ~]#
[root@client1 ~]# ftp 192.168.4.100       #客户端再次访问时会被拒绝
ftp: connect: No route to host            #此方法是临时修改,立即生效,如果需要恢复
                                          #firewall-cmd --reload

实现本机的端口映射
本地应用的端口重定向(端口1 --> 端口2)
从客户机访问端口1 的请求,自动映射到本机端口2
比如,访问以下两个地址可以看到相同的页面:
http://192.168.4.100:5423 ---> http://192.168.4.100:80

当client1访问server1的5423,用防火墙把端口重定义为80

[root@server1 ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5423:proto=tcp:toport=80
[root@server1 ~]# firewall-cmd --reload
[root@server1 ~]# firewall-cmd --zone=public  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2 eth3
  sources: 
  services: ssh dhcpv6-client http ftp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: port=5423:proto=tcp:toport=80:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules:     
[root@server1 ~]# 

                                           #在客户端访问5423端口时会被防火墙映射到80
[root@client1 ~]# curl http://192.168.4.100:5423
[root@client1 ~]#