systemctl status firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl enable firewalld
systemctl disable firewalld
systemctl is-enabled firewalld
systemctl is-active firewalld
systemctl is-failed firewalld
systemctl reload firewalld
systemctl restart firewalld


永久保存和其他常用参数

--permanent    永久生效参数(只写入配置文件,不改变当前运行时规则;需要 --reload 后才生效)
--state    查看状态
--reload    重新加载(不中断服务)
--complete-reload    重新加载(中断服务)
--runtime-to-permanent    把运行的全部参数存到永久保存里
--check-config    检查永久保存的配置是否有错误

--help  帮助
--version  版本
--panic-on  开启恐慌模式(即丢弃所有进出的数据包,远程登录连接也会中断)
--panic-off  关闭恐慌模式(即关闭拒绝所有包访问)
--query-panic  查询恐慌模式是否开启(on 开启,off 关闭)

--get-zones    查看所有预定义区域
--get-services    查看所有预定义服务
--get-icmptypes    查看所有预定义ICMP类型
--get-policies    查看所有预定义的策略
--get-ipsets    查看所有预定义ipset(ip集合)集合
--get-helpers    查看所有预定义Helpers


一、firewalld的各种名词介绍和操作

A、zone相关(zone)(区域,或者可以理解为配置模板)

查看所有zone

#firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work

查看默认的zone

# firewall-cmd --get-default-zone
public

设置默认的zone

# firewall-cmd --set-default-zone=<zone>

查看活动的zone

# firewall-cmd --get-active-zones
public
  interfaces: enp0s3

新增zone

# firewall-cmd --new-zone=qq --permanent

删除zone

# firewall-cmd --delete-zone=qq --permanent

查看某个zone的信息

# firewall-cmd --info-zone=work

firewalld防火墙介绍_源地址

zone(区域)和interface(网卡)进行绑定

firewall-cmd --list-interfaces
# firewall-cmd --zone=public --add-interface=eth0



B、service相关(service)(服务,可以理解为指定了端口,协议等信息的组合)

查看firewall所有的service

# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jellyfin jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh 
xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server zerotier

查看指定某个service的信息

# firewall-cmd --info-service=zabbix-server
zabbix-server
  ports: 10051/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers: 

删除一个指定的service信息,一般很少删除吧,一般加上永久

# firewall-cmd --delete-service=zabbix-server --permanent

新建一个service,也一般加上永久保存

# firewall-cmd --new-service=zabbix-server --permanent

查看当前使用中的services

# firewall-cmd --list-services



C、ICMP类型相关(icmptype)(可以理解为网络控制协议的一些预定义处理)

新增一个icmptype

# firewall-cmd --new-icmptype=<icmptype>

删除一个icmptype

# firewall-cmd --delete-icmptype=<icmptype>

查看一个icmptype

# firewall-cmd --info-icmptype=<icmptype>



D、policies策略相关(policies)(可以理解为一个规则的集合)

查看所有的预定义策略

# firewall-cmd --get-policies
allow-host-ipv6

查看所有激活的策略

# firewall-cmd --get-active-policies
allow-host-ipv6
  ingress-zones: ANY
  egress-zones: HOST

查看所有的策略状态

firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv6" icmp-type name="neighbour-advertisement" accept
	rule family="ipv6" icmp-type name="neighbour-solicitation" accept
	rule family="ipv6" icmp-type name="router-advertisement" accept
	rule family="ipv6" icmp-type name="redirect" accept

firewalld防火墙介绍_ci_02

新增一个策略policy

#firewall-cmd --new-policy=<policy>

删除一个策略policy

#firewall-cmd --delete-policy=<policy>

查看一个策略的信息

#firewall-cmd --info-policy=<policy>

设置策略policy

#firewall-cmd --policy=<policy>



E、IPSET相关(ipset)(可以理解为一个IP集合)

查看所有的ipset-types

# firewall-cmd --get-ipset-types

查看所有的ipset

# firewall-cmd --get-ipsets

新增ipset

# firewall-cmd --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..

firewalld防火墙介绍_ci_03

删除ipset

# firewall-cmd --delete-ipset=<ipset>

查看一个指定的ipset

# firewall-cmd --info-ipset=<ipset>



F、Helper相关(helper)(由模块,协议家族,协议,端口等构成一个辅助工具)

module模块名(字符串,使用/lib/modules/$(uname -r)/kernel/net/netfilter/)

This is one of the netfilter conntrack helper modules. The name starts with nf_conntrack_ and has one or several module aliases that start with nfct-helper-. The nf conntrack helpers are located in the /lib/modules/$(uname -r)/kernel/net/netfilter/ directory.

firewalld防火墙介绍_端口转发_04

family协议家族

family="ipv4|ipv6"

ports端口+协议

ports: 10080/udp

firewalld防火墙介绍_ci_05

新增helper

# firewall-cmd --new-helper=<helper-name>

删除helper

# firewall-cmd --delete-helper=<helper-name>

查看helper

# firewall-cmd --info-helper=<helper-name>



二、firewalld防火墙功能配置(允许通过否)

--list-services基于服务的方式

查看当前所有开启的service

# firewall-cmd --list-services

开启一个service服务

# firewall-cmd --add-service=ftp

移除一个service服务

# firewall-cmd --remove-service=ftp

查询某个service服务

# firewall-cmd --query-service=ftp

firewalld防火墙介绍_源地址_06


--list-protocols基于协议的方式(如果是基于tcp,udp这种应该没有人使用这个来配置防火墙,基本等于没有配置)

查看当前所有开启的protocols

# firewall-cmd --list-protocols

开启一个protocol协议

# firewall-cmd --add-protocol=tcp

移除一个protocol协议

# firewall-cmd --remove-protocol=udp

查询某个protocol协议

# firewall-cmd --query-protocol=udp

firewalld防火墙介绍_ci_07


--list-ports基于端口的方式

查看当前所有开启的port端口

# firewall-cmd --list-ports

开启一个port端口

# firewall-cmd --add-port=10086/tcp

移除一个port端口

# firewall-cmd --remove-port=10086/tcp

查询某个port端口

# firewall-cmd --query-port=10086/tcp


firewalld防火墙介绍_源地址_08


--list-source-ports基于源端口的方式

查看当前所有开启的源port端口

# firewall-cmd --list-source-ports

开启一个源port端口

# firewall-cmd --add-source-port=10086/tcp

移除一个源port端口

# firewall-cmd --remove-source-port=10086/tcp

查询某个源port端口

# firewall-cmd --query-source-port=10086/tcp


firewalld防火墙介绍_ci_09


--list-sources基于源地址的方式

查看当前所有开启的源地址source

# firewall-cmd --list-sources

开启一个源地址source

# firewall-cmd --add-source=192.168.5.4
success

移除一个源地址source

# firewall-cmd --remove-source=192.168.5.4
success

查询某个源地址source

# firewall-cmd --query-source=192.168.5.4
yes

firewalld防火墙介绍_端口转发_10

其他:

#firewall-cmd --add-source={192.168.31.230/32,192.168.31.100/32} --permanent  --zone=internal 


--list-icmp-blocks(ICMP协议相关)

  --list-icmp-blocks   List Internet ICMP type blocks added [P] [Z] [O]
  --add-icmp-block=<icmptype>
                       Add an ICMP block [P] [Z] [O] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block [P] [Z] [O]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added [P] [Z] [O]

--add-icmp-block-inversion(ICMP协议相关)

  --list-forward-ports List IPv4 forward ports added [P] [Z] [O]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port [P] [Z] [O] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port [P] [Z] [O]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added [P] [Z] [O]


--list-forward-ports(查看端口转发B)


--list-rich-rules(查看富规则A)


A、富规则相关(rich rules;rule)

富规则列表

#firewall-cmd --list-rich-rules

新增一个富规则

#firewall-cmd --add-rich-rule=<rule>

删除一个富规则

#firewall-cmd --remove-rich-rule=<rule>

查看一个富规则

#firewall-cmd --query-rich-rule=<rule>


B、端口转发

端口转发可以将指定地址访问指定的端口时,将流量转发至指定地址的指定端口。转发的目的如果不指定 ip 的话就默认为本机,如果指定了 ip 却没指定端口,则默认使用来源端口。 如果配置好端口转发之后不能用,可以检查下面两个问题:

  1. 比如我将 80 端口转发至 8080 端口,首先检查本地的 80 端口和目标的 8080 端口是否开放监听了
  2. 其次检查是否允许伪装 IP,没允许的话要开启伪装 IP
#firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080   # 将80端口的流量转发至8080
#firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1 # 将80端口的流量转发至192.168.0.1
#firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080 # 将80端口的流量转发至192.168.0.1的8080端口
  1. 当我们想把某个端口隐藏起来的时候,就可以在防火墙上阻止那个端口访问,然后再开一个不规则的端口,之后配置防火墙的端口转发,将流量转发过去。
  2. 端口转发还可以做流量分发,一个防火墙拖着好多台运行着不同服务的机器,然后用防火墙将不同端口的流量转发至不同机器。

查看所有的端口转发

#firewall-cmd --list-forward-ports

新增端口转发

#firewall-cmd --add-forward-port=port=<portid>

删除端口转发

#firewall-cmd --remove-forward-port=port=<portid>

查看具体的某一个端口转发

#firewall-cmd --query-forward-port=port=<portid>



三、伪装 IP(masquerade)和转发(forward)

开启伪装

# firewall-cmd --add-masquerade

关闭伪装

# firewall-cmd --remove-masquerade

查询是否开启伪装

# firewall-cmd --query-masquerade

注:开启伪装和端口转发,都需要先开启 Linux 系统的 IP 转发功能:

echo "1">/proc/sys/net/ipv4/ip_forward

vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1

sysctl -p

开启防火墙的转发功能

#firewall-cmd --add-forward
#firewall-cmd --remove-forward
#firewall-cmd --query-forward

firewalld防火墙介绍_ci_11



四、直连,直接操作(--direct)

--get-all-chains

--get-all-rules

--get-all-passthroughs

各种例子集合吧(注意:--direct/--passthrough 规则直接写入底层 iptables/nftables,绕过 zone 逻辑,--list-all 不会显示,需用 --direct --get-all-passthroughs 查看)

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.100.0/24
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100





五、ingress和egress(暂时不知道这个功能的作用)

暂时不知道这个功能的作用,感觉像是把策略绑定到对应的流量输入(ingress)区域和输出(egress)区域

https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/proc_using-dnat-to-forward-https-traffic-to-a-different-host_using-and-configuring-firewalld

firewall-cmd --permanent --policy=ExamplePolicy --add-ingress-zone=HOST
firewall-cmd --permanent --policy=ExamplePolicy --add-egress-zone=ANY
  --list-ingress-zones
                       List ingress zones that are bound to a policy [P] [O]
  --add-ingress-zone=<zone>
                       Add the ingress zone to a policy [P] [O]
  --remove-ingress-zone=<zone>
                       Remove the ingress zone from a policy [P] [O]
  --query-ingress-zone=<zone>
                       Query whether the ingress zone has been added to a
                       policy [P] [O]
               
  --list-egress-zones
                       List egress zones that are bound to a policy [P] [O]
  --add-egress-zone=<zone>
                       Add the egress zone to a policy [P] [O]
  --remove-egress-zone=<zone>
                       Remove the egress zone from a policy [P] [O]
  --query-egress-zone=<zone>
                       Query whether the egress zone has been added to a
                       policy [P] [O]


六、其他命令

查看所有zone的配置

#firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:


#firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv6" icmp-type name="neighbour-advertisement" accept
	rule family="ipv6" icmp-type name="neighbour-solicitation" accept
	rule family="ipv6" icmp-type name="router-advertisement" accept
	rule family="ipv6" icmp-type name="redirect" accept


# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: