Firewalld
1. Firewalld introduces the concept of zones. The commonly used zones are drop, public and trusted, as shown in the figure below:
2. Note the relationship between zones and interfaces in Firewalld:
1) A NIC can be bound to only one zone. For example: eth0 --> zone A
2) But one zone can be bound to several NICs. For example: zone B --> eth0, eth1
3) Different rules can be applied according to the source address. For example: everyone may reach port 80, but only the company network may reach port 22
3. To manage the firewall with the firewalld service and its tools, the firewalld service must be started and the old firewall (iptables) shut down at the same time. Note that firewalld has two states:
1) runtime state: takes effect immediately; rule changes apply at once but are lost on restart.
2) permanent state: persistent; rule changes take effect only after the service is reloaded
Disable the old firewall services
[root@lb01 ~]# systemctl mask iptables
[root@lb01 ~]# systemctl mask ip6tables
Start the firewalld firewall
[root@lb01 ~]# systemctl start firewalld.service
4. Viewing Firewalld zones
View the default zone
[root@lb01 ~]# firewall-cmd --get-default-zone
public
[root@lb01 ~]#
View the active zones
[root@lb01 ~]# firewall-cmd --get-active-zones
View the rule details of a zone
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@lb01 ~]#
5. Firewalld exercise
1. Using a combination of firewalld zone rules, make the default public zone reject all traffic, but allow all traffic when the source IP is 10.0.0.8/32
[root@lb01 ~]# firewall-cmd --remove-service=ssh --remove-service=dhcpv6-client
success
[root@lb01 ~]#
[root@lb01 ~]# firewall-cmd --add-source=10.0.0.8/32 --zone=trusted
success
[root@lb01 ~]#
Test: log in to this machine from host 10.0.0.8
6. Firewalld port and service rule configuration
# Allow ports
[root@m01 ~]# firewall-cmd --add-port={80,8080,9090}/tcp # add several ports at once
success
[root@m01 ~]# firewall-cmd --remove-port=80/tcp # remove a port
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 8080/tcp 9090/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Allow services
[root@m01 ~]# firewall-cmd --add-service=http
[root@m01 ~]# firewall-cmd --remove-service=http
* Defining a Firewalld service. Note that the service name is the name used when the service is referenced (--add-service=NAME), and the file name must end in .xml
[root@lb01 /usr/lib/firewalld/services]# cat http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="80"/>
</service>
[root@lb01 /usr/lib/firewalld/services]#
[root@lb01 /usr/lib/firewalld/services]# touch zibbax.xml
[root@lb01 /usr/lib/firewalld/services]# vim zibbax.xml
[root@lb01 /usr/lib/firewalld/services]# systemctl restart firewalld
[root@lb01 /usr/lib/firewalld/services]# firewall-cmd --add-service=zibbax
success
[root@lb01 /usr/lib/firewalld/services]# cat zibbax.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>zibbax (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="10051"/>
</service>
[root@lb01 /usr/lib/firewalld/services]#
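The page creates zibbax.xml by hand with vim; the following added helper (not code from the page or from firewalld) generates such a service definition, rejecting names and ports firewalld would not accept, and parses it back to show which ports a service opens. It writes to a directory you choose; local definitions normally belong in /etc/firewalld/services, which overrides the packaged ones in /usr/lib/firewalld/services, and need a reload before --add-service can see them.

```python
import re
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed helper; service names must be usable both as file names and
# in firewall-cmd --add-service=NAME, so the accepted name is kept strict.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

def build_service_xml(name, ports, short, description=""):
    """Return the text of NAME.xml; ports is a list of (port, protocol) pairs,
    where a port is "10051" or a range such as "10050-10051"."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid service name: {name!r}")
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol: {proto!r}")
        lo, _, hi = port.partition("-")          # single port or lo-hi range
        for p in (lo, hi or lo):
            if not (p.isdigit() and 1 <= int(p) <= 65535):
                raise ValueError(f"port out of range: {port!r}")
        ET.SubElement(root, "port", protocol=proto, port=port)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

def write_service(directory, name, ports, short, description=""):
    """Write NAME.xml under directory (normally /etc/firewalld/services); return its path."""
    path = Path(directory) / f"{name}.xml"
    path.write_text(build_service_xml(name, ports, short, description), encoding="utf-8")
    return path

def read_service_ports(path):
    """Parse a built-in or custom service file and return its (port, protocol) pairs."""
    root = ET.parse(path).getroot()
    if root.tag != "service":
        raise ValueError(f"{path}: root element is <{root.tag}>, expected <service>")
    return [(e.get("port"), e.get("protocol")) for e in root.findall("port")]

def demo():
    """Round trip of the zibbax-style service from the page, in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        path = write_service(d, "zibbax", [("10051", "tcp")], "zibbax (HTTP)")
        return read_service_ports(path)
```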
7. Firewalld rich rules (deny rules take precedence)
Rich rules in Firewalld express finer-grained, more detailed firewall policy. They can target system services, port numbers, source addresses, destination addresses and much more to build targeted policy,
and they also have the highest priority of all firewall rules.
[root@Firewalld ~]# man firewall-cmd # help manual
[root@Firewalld ~]# man firewalld.richlanguage # rich rule manual
rule
[source]
[destination]
service name |port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
service name="service name"
port port="port value" protocol="tcp|udp"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
accept | reject [type="reject type"] | drop
Example 1. Allow host 10.0.0.1 to access the HTTP service, and allow 172.16.1.0/24 to access port 22
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 port port=80 protocol=tcp accept'
success
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp accept'
success
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" port port="80" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept
# This is a runtime configuration; a permanent one needs --permanent
Example 2. Let everyone connect to the default public zone through the ssh service, but refuse ssh connections from the 172.16.1.0/24 network
[root@lb01 ~]# firewall-cmd --add-service=ssh
success
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp drop'
success
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop
[root@lb01 ~]#
# This is a runtime configuration; a permanent one needs --permanent
Example 3. Using firewalld, allow everyone to access the http and https services, but let only host 10.0.0.1 access the ssh service
[root@lb01 ~]# firewall-cmd --add-service=http --permanent
success
[root@lb01 ~]# firewall-cmd --add-service=https --permanent
success
[root@lb01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 port port=22 protocol=tcp accept' --permanent
success
[root@lb01 ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" port port="22" protocol="tcp" accept
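To make the ordering behind the exercise in section 5 and the rich-rule examples above concrete, here is an added Python model of how firewalld picks a zone and reaches a verdict (constructed for this page, not code from firewalld). It assumes the documented order: a source-bound zone is consulted before the default zone; inside a zone, drop/reject rich rules beat accept rich rules, those beat services and ports, and the zone target decides everything else.

```python
import ipaddress
from dataclasses import dataclass, field
# Port sets of the built-in services used on this page (from their XML definitions).
SERVICE_PORTS = {"ssh": {(22, "tcp")}, "http": {(80, "tcp")},
                 "https": {(443, "tcp")}, "dhcpv6-client": {(546, "udp")}}
@dataclass
class RichRule:
    source: str   # CIDR such as "172.16.1.0/24"
    port: int
    proto: str
    action: str   # "accept", "reject" or "drop"
@dataclass
class Zone:
    target: str = "default"  # "default" rejects unmatched traffic; "ACCEPT" lets it through
    sources: list = field(default_factory=list)   # CIDRs bound with --add-source
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)       # {(8080, "tcp"), ...}
    rich_rules: list = field(default_factory=list)

def select_zone(zones, default_zone, src_ip):
    """Source-bound zones are consulted before the interface/default zone."""
    ip = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        if any(ip in ipaddress.ip_network(s) for s in zone.sources):
            return zone
    return zones[default_zone]

def verdict(zones, default_zone, src_ip, port, proto="tcp"):
    """Return "accept", "reject" or "drop" for a packet from src_ip to port/proto."""
    zone = select_zone(zones, default_zone, src_ip)
    ip = ipaddress.ip_address(src_ip)
    matching = [r for r in zone.rich_rules
                if ip in ipaddress.ip_network(r.source) and (r.port, r.proto) == (port, proto)]
    for rule in matching:                 # deny rich rules are evaluated before any accept
        if rule.action in ("reject", "drop"):
            return rule.action
    if any(r.action == "accept" for r in matching):
        return "accept"
    allowed = set(zone.ports)             # services are just named port sets
    for name in zone.services:
        allowed |= SERVICE_PORTS.get(name, set())
    if (port, proto) in allowed:
        return "accept"
    return "accept" if zone.target == "ACCEPT" else "reject"

def page_zones():
    """Constructed state: section 5's trusted source plus section 7 example 2's public zone."""
    public = Zone(services={"ssh"}, rich_rules=[RichRule("172.16.1.0/24", 22, "tcp", "drop")])
    trusted = Zone(target="ACCEPT", sources=["10.0.0.8/32"])
    return {"public": public, "trusted": trusted}
```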
All permanent configuration is ultimately stored in this file (/etc/firewalld/zones/public.xml). When there are many rules you can edit the configuration file directly and then reload
[root@lb01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<rule family="ipv4">
<source address="10.0.0.1/32"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
</zone>
[root@lb01 ~]#
8. Using Firewalld to let internal hosts share Internet access
Step 1: enable firewalld's masquerade function
[root@lb01 ~]# firewall-cmd --add-masquerade --permanent
success
[root@lb01 ~]# systemctl reload firewalld
[root@lb01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@lb01 ~]#
Step 2: configure the NIC configuration file on the internal host:
[root@lb02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.5
IPADDR=172.16.1.6
PREFIX=24
DNS1=223.5.5.5
[root@lb02 ~]# systemctl restart network
[root@lb02 ~]# ifdown eth0
[root@lb02 ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.38.149) 56(84) bytes of data.
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=1 ttl=127 time=8.93 ms
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=2 ttl=127 time=8.02 ms
64 bytes from 220.181.38.149 (220.181.38.149): icmp_seq=3 ttl=127 time=5.95 ms
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.950/7.638/8.935/1.249 ms