CentOS 7 big change: firewalld replaces iptables

2014-09-16 17:13  34063 reads, 1 comment


Reposted from http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php?utm_source=tuicool

Fedora 18 introduced firewalld as a replacement for the previous iptables service. Since RHEL7 and Oracle Linux 7 are based on Fedora 19, the switch from the iptables service to firewalld is now part of the Enterprise Linux distributions. This article is a rework of the previous Linux Firewall article, bringing it up to date.

Note. You need to distinguish between the iptables service and the iptables command. Although firewalld is a replacement for the firewall management provided by the iptables service, it still uses the iptables command for dynamic communication with the kernel packet filter (netfilter). So it is only the iptables service that is replaced, not the iptables command. That can be a confusing distinction at first.


Reverting to the iptables Service

If you are not ready to make the break to firewalld, you can still use the iptables service by issuing the following commands.

# systemctl stop firewalld
# systemctl disable firewalld

# yum install iptables-services

# touch /etc/sysconfig/iptables
# systemctl start iptables
# systemctl enable iptables

# touch /etc/sysconfig/ip6tables
# systemctl start ip6tables
# systemctl enable ip6tables

From this point forward, firewall administration will be similar to that described here.

The rest of this article assumes you are going to use firewalld.

Installation

Most installations will include the firewall functionality, but if you need to manually install it, do the following.

# yum install firewalld firewall-config

Make sure the service is started and will auto-start on reboot.

# systemctl start firewalld.service
# systemctl enable firewalld.service

You can check the current status of the service using the following command.

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
 Main PID: 13246 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13246 /usr/bin/python /usr/sbin/firewalld --nofork --nopid

Apr 20 14:06:44 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 20 14:06:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
#

To disable the firewall, run the following commands.

# systemctl stop firewalld.service
# systemctl disable firewalld.service

firewall-config

The GUI screen to control the firewall is available from the menu.

  • Fedora : System > Administration > Firewall
  • RHEL7/OL7 : Applications > Sundry > Firewall

Alternatively, it can be started from the command line using the firewall-config command. If it is not already present, it can be installed using the following command.

# yum install firewall-config

Once started, the "Configuration:" drop-down allows you to decide if you are modifying currently running settings (Runtime) or those saved for future use (Permanent). You can also configure basic trusted services, such as SSH, FTP and HTTP, by putting a tick in the appropriate checkbox. All changes are applied immediately.

Firewall GUI - Trusted Services

The "Ports" tab allows you to manually open ports that are not covered in the "Trusted Services" section.

Firewall GUI - Other Ports

Remember, changes to the runtime configuration will be lost after the next reboot. If in doubt, make all changes to the permanent configuration and reload the runtime configuration using the "Options > Reload Firewalld" menu option.

firewall-cmd

In addition to the GUI interface, the firewall rules can be amended directly using the firewall-cmd command. The full extent of the firewall configuration is beyond the scope of this article, so instead a few specific examples will be given to allow you to get a feel for it. This article also assumes you have a single network interface and are happy to keep it set to the default zone (public).

The firewall-cmd usage notes are displayed when you use the "-h" or "--help" options.

# firewall-cmd --help

Check the current top-level firewall configuration using the following commands.

# Check firewall state.
firewall-cmd --state

# Check active zones.
firewall-cmd --get-active-zones

# List the predefined services (all definitions, not only those enabled in a zone).
firewall-cmd --get-services

# List the services known to the permanent configuration.
firewall-cmd --get-services --permanent

Lock down and unlock the firewall using the following commands.

# firewall-cmd --panic-on
success
# firewall-cmd --query-panic
yes
# firewall-cmd --panic-off
success
# firewall-cmd --query-panic
no
#

Reload the runtime configuration from the permanent files using the following command.

# firewall-cmd --reload

The firewall comes with predefined services, which are XML files in the "/usr/lib/firewalld/services/" directory.

# ls /usr/lib/firewalld/services/
amanda-client.xml      http.xml         libvirt.xml  pmwebapis.xml     ssh.xml
bacula-client.xml      imaps.xml        mdns.xml     pmwebapi.xml      telnet.xml
bacula.xml             ipp-client.xml   mountd.xml   pop3s.xml         tftp-client.xml
dhcpv6-client.xml      ipp.xml          ms-wbt.xml   postgresql.xml    tftp.xml
dhcpv6.xml             ipsec.xml        mysql.xml    proxy-dhcp.xml    transmission-client.xml
dhcp.xml               kerberos.xml     nfs.xml      radius.xml        vnc-server.xml
dns.xml                kpasswd.xml      ntp.xml      rpc-bind.xml      wbem-https.xml
ftp.xml                ldaps.xml        open***.xml  samba-client.xml
high-availability.xml  ldap.xml         pmcd.xml     samba.xml
https.xml              libvirt-tls.xml  pmproxy.xml  smtp.xml
#

You shouldn't edit these. Instead, copy a specific service file to the "/etc/firewalld/services/" directory and edit it there. The firewalld service always uses files in the "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory. Remember to reload the config after making any changes.

# firewall-cmd --reload
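Rather than opening raw ports in a zone, a practitioner usually records the intent as a custom service file in "/etc/firewalld/services/", laid out like the predefined ones. The following shell function is an added example, not code from the original article: it writes such a file, validates each port/protocol spec first, and prints the path. The FIREWALLD_SERVICES_DIR override is an assumption introduced here so the function can be tried in a scratch directory; on a real host leave it unset.

```shell
#!/bin/sh
# Added example (not from the original article): write a custom firewalld
# service definition instead of opening raw ports in a zone, so the intent
# ("this is the app's API port") lives in /etc/firewalld/services/.
# FIREWALLD_SERVICES_DIR is an assumed override for testing in a scratch
# directory; in production it stays unset and the real directory is used.

# make_service_xml NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Writes NAME.xml in the same layout as the predefined service files and
# prints its path. Returns 1 without writing anything if a spec is malformed.
make_service_xml() {
    name=$1; desc=$2; shift 2
    dir=${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}
    out="$dir/$name.xml"

    # Validate every spec before touching the filesystem: "8443/tcp" or "9000-9001/udp".
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in $spec (want PORT/tcp or PORT/udp)" >&2; return 1 ;;
        esac
        case $port in
            ""|*[!0-9-]*) echo "bad port in $spec" >&2; return 1 ;;
        esac
    done

    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<service>'
        echo "  <short>$name</short>"
        echo "  <description>$desc</description>"
        for spec in "$@"; do
            echo "  <port protocol=\"${spec#*/}\" port=\"${spec%/*}\"/>"
        done
        echo '</service>'
    } > "$out"
    echo "$out"
}

# Demo in a scratch directory (constructed sample). On a real host the new
# service is then enabled with:
#   firewall-cmd --permanent --zone=public --add-service=myapp && firewall-cmd --reload
FIREWALLD_SERVICES_DIR=$(mktemp -d)
make_service_xml myapp "Example application API (constructed)" 8443/tcp 9000-9001/udp
```

Because firewalld prefers "/etc/firewalld/services/" over "/usr/lib/firewalld/services/", a file written this way with the same name as a predefined service overrides it; pick a distinct name unless that is what you want.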

As with the GUI interface, you need to decide if you want to make changes to the runtime configuration, the permanent configuration, or both. If you want to set both the runtime and permanent configuration you have two choices: set them both independently, or set the permanent configuration and reload the firewall.

Add an existing service to a zone.

# # Set runtime and permanent independently.
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --permanent --zone=public --add-service=https

or

# # Set permanent and reload the runtime config.
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload

All subsequent examples will assume you want to amend both the runtime and permanent configuration and will only set the permanent configuration and then reload the runtime configuration.

Once you've amended the default configuration, the "/etc/firewalld/zones/public.xml" file will be created. You can manually amend this file, but you will need to issue a reload for the changes to take effect.
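The runtime/permanent split is where configuration quietly drifts: a service added without --permanent vanishes at the next reboot, and a permanent change not followed by a reload is not enforced yet. The script below is an added example, not part of the original article; the function names and the sample service lists are constructed here. It takes the two space-separated lists that "firewall-cmd --zone=public --list-services" and "firewall-cmd --permanent --zone=public --list-services" print and reports entries present on only one side (the same works for --list-ports output).

```shell
#!/bin/sh
# Added example (not from the original article): report drift between a
# zone's runtime and permanent configuration. Runtime-only entries disappear
# at the next reload or reboot; permanent-only entries are saved but not yet
# enforced. Inputs are the space-separated lists printed by
#   firewall-cmd --zone=public --list-services
#   firewall-cmd --permanent --zone=public --list-services
# The sample lists at the bottom are constructed.

# only_in_first "LIST_A" "LIST_B" -> items of LIST_A that are absent from LIST_B
only_in_first() {
    out=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;            # present on both sides, nothing to report
            *) out="$out $item" ;;
        esac
    done
    printf '%s' "${out# }"
}

# fw_drift "RUNTIME_LIST" "PERMANENT_LIST"
# Prints "in-sync" and returns 0, or prints one line per direction of drift
# and returns 1 so it can drive an alert from cron.
fw_drift() {
    r_only=$(only_in_first "$1" "$2")
    p_only=$(only_in_first "$2" "$1")
    if [ -z "$r_only" ] && [ -z "$p_only" ]; then
        echo "in-sync"
        return 0
    fi
    if [ -n "$r_only" ]; then echo "runtime-only (lost at reboot): $r_only"; fi
    if [ -n "$p_only" ]; then echo "permanent-only (not active until reload): $p_only"; fi
    return 1
}

# Constructed sample: https was added with --add-service but without --permanent.
RUNTIME_SERVICES="dhcpv6-client https ssh"
PERMANENT_SERVICES="dhcpv6-client ssh"
if ! fw_drift "$RUNTIME_SERVICES" "$PERMANENT_SERVICES"; then
    echo "fix: firewall-cmd --permanent --zone=public --add-service=https && firewall-cmd --reload"
fi
```

On a live host the call is simply `fw_drift "$(firewall-cmd --zone=public --list-services)" "$(firewall-cmd --permanent --zone=public --list-services)"`; a non-zero exit from a scheduled run is the signal that someone changed the firewall without making it permanent, or staged a change that is not yet loaded.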

Check the services in a zone.

# firewall-cmd --zone=public --list-services
dhcpv6-client https ssh
# firewall-cmd --permanent --zone=public --list-services
dhcpv6-client https ssh
#

Remove a service from a zone.

# firewall-cmd --permanent --zone=public --remove-service=https
# firewall-cmd --reload

Open a specific port or range in a zone, check its runtime and permanent configuration, then remove it.

# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp
# firewall-cmd --reload

# firewall-cmd --zone=public --list-ports
8080-8081/tcp
# firewall-cmd --permanent --zone=public --list-ports
8080-8081/tcp
#

# firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp
# firewall-cmd --reload

Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address.

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'

The "/etc/firewalld/zones/public.xml" file now contains the rich rule.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks
               to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>

The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option.

# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'

The following example opens and closes port 8080 for a specific source IP address using a rich rule.

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port protocol="tcp" port="8080" accept'

# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks
               to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
#

# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port protocol="tcp" port="8080" accept'
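One check worth running before a rich rule goes in: the rules above describe "a specific IP address" but carry a /24 prefix, and with that mask the packet filter admits the entire 192.168.0.0/24 network, not one host. The script below is an added example, not code from the original article; the helper names (ip_to_int, int_to_ip, network_of, has_host_bits, rich_rule_for_source) are introduced here. It computes the network a source address actually covers, warns when host bits are set, and prints the firewall-cmd line with the rule single-quoted so the inner double quotes reach firewalld unchanged. Nothing here executes firewall-cmd; it only prints the command.

```shell
#!/bin/sh
# Added example (not from the original article): check what a rich rule's
# source address really covers before applying it. The article's rule uses
# source address="192.168.0.4/24" while describing "a specific IP address";
# with a /24 mask the kernel matches the whole 192.168.0.0/24 network.
# All helpers are local to this example and nothing here runs firewall-cmd.

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR[/PREFIX] -> canonical NETWORK/PREFIX (a bare address is /32)
network_of() {
    addr=${1%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$net")/$prefix"
}

# has_host_bits ADDR[/PREFIX] -> true when ADDR is not its network address,
# i.e. the prefix silently widens the match beyond the host that was typed.
has_host_bits() {
    case $1 in */*) canon=$1 ;; *) canon="$1/32" ;; esac
    [ "$(network_of "$1")" != "$canon" ]
}

# rich_rule_for_source ZONE SOURCE SERVICE -> prints the firewall-cmd line.
# The rule is single-quoted so the inner double quotes survive the shell.
rich_rule_for_source() {
    if has_host_bits "$2"; then
        echo "warning: $2 has host bits set; the rule admits all of $(network_of "$2")" >&2
    fi
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" service name=\"%s\" accept'\n" "$1" "$2" "$3"
}

rich_rule_for_source public 192.168.0.4/24 http   # warns: covers 192.168.0.0/24
rich_rule_for_source public 192.168.0.4/32 http   # exactly one host, no warning
```

If the intent really is one host, write the source as 192.168.0.4/32 (or just 192.168.0.4); if the whole subnet is intended, write 192.168.0.0/24 so the zone file says what it does.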

Backups and Transfers of Firewall Configuration

As all non-default configuration is placed under the "/etc/firewalld/" directory, taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.

Not surprisingly, transferring the contents of this directory will allow you to duplicate the firewall configuration on other servers.


Hope this helps. Regards Tim...