Red Hat Linux firewall (firewalld): Chinese documentation and my notes

王忘杰
2023-03-01

Documentation URL
https://access.redhat.com/documentation/zh-CN/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

Disable replies to ping (takes effect immediately; a write to /proc does not survive a reboot)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Re-enable replies to ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Install firewalld

yum install firewalld

Service management

systemctl disable firewalld
systemctl enable firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
firewall-cmd --state

View the current firewall rules (default zone)

firewall-cmd --list-all
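Reading `--list-all` by eye is error-prone: ports opened zone-wide sit on the `ports:` line, while ports granted to a single source only appear under `rich rules:`. The script below is an added example for these notes, not part of firewalld; the function names (zone_field, zone_rich_rules, port_open, rich_accept_sources) are its own, and SAMPLE_ZONE is constructed output modelled on the `--list-all` transcript in the worked examples further down this page. On a live host, pipe the real `firewall-cmd --list-all` output into the same functions.

```shell
#!/bin/sh
# Audit one zone from `firewall-cmd --list-all` output without touching the host.
# Example code added to these notes; the functions are not part of firewalld.
# SAMPLE_ZONE is constructed, modelled on the `--list-all` output shown in the
# worked examples further down; on a live host pipe the real command in instead.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 10050-10051/tcp 61222/tcp 80/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.21.118" port port="61234" protocol="tcp" accept'

# zone_field NAME: print the value of the "  NAME: value" line read from stdin.
zone_field() {
    awk -v key="$1" '
        $0 ~ ("^  " key ":") { sub("^  " key ":[ ]*", ""); print; exit }'
}

# zone_rich_rules: print each rich rule, i.e. the indented lines after "rich rules:".
zone_rich_rules() {
    awk '
        /^  rich rules:/        { inrules = 1; next }
        inrules && /^        /  { sub(/^ +/, ""); print; next }
        inrules                 { exit }'
}

# port_open PORT PROTO: exit 0 if PORT/PROTO is opened zone-wide by a "ports:"
# entry, expanding ranges such as 10050-10051/tcp. With an empty "sources:" list
# the zone is bound to the interface, so these ports are reachable from anywhere.
port_open() {
    zone_field ports | awk -v want="$1" -v proto="$2" '
        {
            for (i = 1; i <= NF; i++) {
                split($i, pp, "/")
                if (pp[2] != proto) continue
                n = split(pp[1], r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (want + 0 >= lo && want + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# rich_accept_sources: for every "accept" rich rule that carries a port, print
# "SOURCE PORT/PROTO". These ports never appear on the "ports:" line, so a
# review that only reads that line would miss them.
rich_accept_sources() {
    zone_rich_rules | awk '
        / accept$/ {
            src = ""; port = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "address")                   src = kv[2]
                else if (kv[1] == "port" && kv[2] != "")  port = kv[2]
                else if (kv[1] == "protocol")             proto = kv[2]
            }
            if (src != "" && port != "") print src, port "/" proto
        }'
}

# Stand-alone run: summarise the constructed sample.
printf 'zone-wide ports: %s\n' "$(printf '%s\n' "$SAMPLE_ZONE" | zone_field ports)"
printf 'source-restricted: %s\n' "$(printf '%s\n' "$SAMPLE_ZONE" | rich_accept_sources)"
if printf '%s\n' "$SAMPLE_ZONE" | port_open 80 tcp; then echo '80/tcp is open to all sources'; fi
```

The split between `port_open` and `rich_accept_sources` is the point: in the sample, 80/tcp and 10050-10051/tcp are reachable from any address on ens192, while 61234/tcp is reachable only from 172.16.21.118 and would be invisible to a check that parses `ports:` alone.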

Reload the firewall (applies --permanent changes to the running ruleset)

firewall-cmd --reload

View active zones and the interfaces bound to them

firewall-cmd --get-active-zones

IP masquerading and port forwarding

firewall-cmd --permanent --add-masquerade  --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=3753 --permanent  --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55 --permanent  --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55 --permanent  --zone=external

Add/remove a rate-limit rule (80/s) for the http service

firewall-cmd --zone=public --add-rich-rule='rule service name="http" limit value="80/s" accept' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule service name="http" limit value="80/s" accept' --permanent

Add/remove a rate-limit rule (80/s) for port 80/tcp

firewall-cmd --zone=public --add-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept' --permanent

Add/remove a TCP port

firewall-cmd  --permanent --add-port=80/tcp
firewall-cmd  --permanent --remove-port=80/tcp

Blacklist (drop all traffic from a source)

firewall-cmd --zone=drop --add-source 192.168.1.1
firewall-cmd --zone=drop --remove-source 192.168.1.1

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" drop' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" drop' --permanent

Rich rule syntax

 rule [family="<rule family>"]
      [ source address="<address>" [invert="True"] ]
      [ destination address="<address>" [invert="True"] ]
      [ <element> ]
      [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
      [ audit ]
      [ accept|reject|drop ]

`port`
The port can be a single port number or a port range such as 5060-5062. The protocol is tcp or udp. The element takes the form:

    port port=number_or_range protocol=protocol

Worked examples

Allow a specific IP to reach a port
[root@ADmanagement ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.16.21.118" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success
[root@ADmanagement ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 10050-10051/tcp 61222/tcp 80/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.21.118" port port="61234" protocol="tcp" accept

Remove the rule
[root@ADmanagement ~]# firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="172.16.21.118" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success

Allow a specific subnet to reach a port
[root@ADmanagement ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success

Remove the rule
[root@ADmanagement ~]# firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success
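The rich rules above were typed by hand, and the nested double quotes only work because the shell strips the inner pair. The script below is an added example for these notes, not firewalld's own tooling: it builds the source-plus-port rules from the rich rule syntax section and the worked examples, rejects malformed addresses, prefixes, ports and ranges before anything reaches firewall-cmd, and prints the exact command so it can be reviewed first. The helper names (valid_ipv4, valid_port, rich_rule, apply_rule) and the DRY_RUN variable are this script's own assumptions.

```shell
#!/bin/sh
# Build and validate firewalld rich rules before handing them to firewall-cmd.
# Example code added to these notes; helper names and DRY_RUN are this script's own.

# fail MSG: report a validation error on stderr.
fail() { printf 'error: %s\n' "$*" >&2; }

# valid_ipv4 ADDR[/PREFIX]: a dotted quad, optionally with a /0-32 prefix.
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no slash: a single host
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1                    # exactly four octets
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port SPEC: a single port or a low-high range, all within 1-65535.
valid_port() {
    lo=${1%-*}; hi=${1#*-}
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# rich_rule ACTION SOURCE PORT PROTO: print a validated rich rule in the same
# form firewall-cmd --list-all shows it, or fail without printing anything.
rich_rule() {
    action=$1 source=$2 port=$3 proto=$4
    case $action in
        accept|drop|reject) ;;
        *) fail "action must be accept, drop or reject: $action"; return 1 ;;
    esac
    valid_ipv4 "$source" || { fail "bad IPv4 source: $source"; return 1; }
    valid_port "$port"   || { fail "bad port or range: $port"; return 1; }
    case $proto in
        tcp|udp) ;;
        *) fail "protocol must be tcp or udp: $proto"; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s\n' \
        "$source" "$port" "$proto" "$action"
}

# apply_rule ZONE RULE: print the exact firewall-cmd invocation; run it (and the
# reload that makes a --permanent rule live) only when DRY_RUN=0.
apply_rule() {
    zone=$1 rule=$2
    printf 'firewall-cmd --permanent --zone=%s --add-rich-rule=%s\n' "$zone" "'$rule'"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" && firewall-cmd --reload
    fi
}

# Stand-alone run: the rule from the worked example above, shown but not applied
# (DRY_RUN defaults to 1).
if rule=$(rich_rule accept 172.16.21.118 61234 tcp); then
    apply_rule public "$rule"
fi
```

Passing the rule to firewall-cmd as a single quoted argument, as apply_rule does, avoids the nested-quote form seen in the transcript; the validators give a clear error instead of a rejected or, worse, unexpectedly broad rule.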

Allow: accept
Block: drop
