Linux Firewall Operations
I. Introduction
1. firewalld
The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network "zones", which assign a level of trust to a network and its associated connections and interfaces. It supports both IPv4 and IPv6 firewall settings, supports Ethernet bridges, and keeps runtime and permanent configuration separate. It also offers an interface through which services or applications can add firewall rules directly.
As the firewall software built into CentOS, firewalld can restrict network traffic access, but its performance cannot meet high-defense (DDoS mitigation) requirements.
2. ufw
ufw (Uncomplicated Firewall) is a host-based configuration front end for an iptables-style firewall.
II. firewalld operations
1. Install firewalld (usually already installed, so this step can be skipped)
# yum install -y firewalld
# firewall-cmd --version # check the version (0.9.3 here)
2. Start | stop the service
# systemctl start firewalld # start
# systemctl stop firewalld # stop
3. Enable | disable start at boot
# systemctl enable firewalld # start at boot
# systemctl disable firewalld # do not start at boot
4. Check the running status
# systemctl status firewalld
Active: active (running)
# firewall-cmd --state
running
5. List the supported services
# firewall-cmd --get-services
6. Turn panic mode on | off
# firewall-cmd --query-panic # query panic mode status
# firewall-cmd --panic-on # turn on; drops all incoming and outgoing packets
# firewall-cmd --panic-off # turn off
7. Open | close ports
# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success
# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
# Note: --permanent writes the rule to the saved configuration, which only takes effect after a reload; without it the rule applies immediately but is lost on reload or reboot
# firewall-cmd --reload # reload the configuration
success
# firewall-cmd --zone=public --add-port=8080-8088/tcp --permanent # open a port range
success
# firewall-cmd --remove-port=80/tcp --permanent # close a port
success
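The note above on --permanent is the most common source of surprises with firewalld: rules added without it are enforced now but vanish on reload, and rules added with it are saved but inactive until the next reload. The script below is an added example, not part of the original post, that compares the two port sets and reports the drift. It works on constructed sample strings in the same format that `firewall-cmd --zone=public --list-ports` and `firewall-cmd --zone=public --permanent --list-ports` print; the function names and the sample values are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between firewalld's
# runtime configuration (what is enforced now) and its permanent configuration
# (what survives `firewall-cmd --reload` and a reboot).
# Ports present only at runtime were added without --permanent and vanish on
# reload; ports present only in the permanent set were added with --permanent
# and are not enforced until the next reload.

# Constructed sample output, in the one-line space-separated format that
# `firewall-cmd --zone=public --list-ports` and
# `firewall-cmd --zone=public --permanent --list-ports` print.
RUNTIME_PORTS='8080/tcp 8080-8088/tcp 9000/tcp'
PERMANENT_PORTS='8080/tcp 8080-8088/tcp 443/tcp'

# Turn a space-separated list into sorted lines (comm needs sorted input).
# Word splitting of $1 is intended; an empty list yields no lines at all.
to_sorted_lines() {
    for entry in $1; do
        printf '%s\n' "$entry"
    done | LC_ALL=C sort
}

# only_in_first "LIST_A" "LIST_B": entries of A that are missing from B.
only_in_first() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    to_sorted_lines "$1" > "$a"
    to_sorted_lines "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Ports enforced now that will be lost on the next reload (added without --permanent).
lost_on_reload()        { only_in_first "$1" "$2"; }
# Ports saved with --permanent that are not enforced until the next reload.
inactive_until_reload() { only_in_first "$2" "$1"; }

# firewalld_port_drift RUNTIME_LIST PERMANENT_LIST
# Prints a one-line verdict; exit status 0 when both sets agree, 1 otherwise.
firewalld_port_drift() {
    lost=$(lost_on_reload "$1" "$2" | tr '\n' ' ')
    inactive=$(inactive_until_reload "$1" "$2" | tr '\n' ' ')
    if [ -z "$lost" ] && [ -z "$inactive" ]; then
        echo "OK: runtime and permanent port sets agree"
        return 0
    fi
    # ${var% } drops the single trailing space left by tr
    echo "DRIFT: runtime-only=[${lost% }] permanent-only=[${inactive% }]"
    return 1
}

# On a real host (as root) the two arguments would come from:
#   "$(firewall-cmd --zone=public --list-ports)"
#   "$(firewall-cmd --zone=public --permanent --list-ports)"
# Here the constructed sample is used so the script runs anywhere.
firewalld_port_drift "$RUNTIME_PORTS" "$PERMANENT_PORTS" \
    || echo "(exit status 1: re-add runtime-only ports with --permanent, then run firewall-cmd --reload)"
```

On the sample data the verdict is `DRIFT: runtime-only=[9000/tcp] permanent-only=[443/tcp]`: 9000/tcp would disappear at the next reload, and 443/tcp is saved but not yet enforced. Running the check after every change, and before any reload, catches both mistakes while they are still cheap to fix.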
8. Open | close services
# firewall-cmd --add-service=http --permanent # add a service
success
# firewall-cmd --remove-service=http --permanent # remove a service
success
# firewall-cmd --reload # reload the configuration
success
9. Port forwarding
# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.11.32 --permanent
success
# firewall-cmd --add-masquerade --permanent # enable masquerading, required when forwarding to another address
success
# firewall-cmd --reload # reload the configuration
success
10. List the open services and ports
# firewall-cmd --zone=public --list-services
# firewall-cmd --zone=public --list-ports
11. Allow | remove access to a specific service from a specific network (rich rules; the rule is wrapped in single quotes so the inner double quotes reach firewalld intact)
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.32/24" service name="http" accept'
success
# firewall-cmd --reload # reload
success
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.11.32/24" service name="http" accept'
success
# firewall-cmd --reload # reload
III. ufw operations
1. Install ufw (usually already installed, so this step can be skipped)
$ sudo apt-get install -y ufw
2. Enable | disable
$ sudo ufw enable # enable ufw and start it at boot
$ sudo ufw disable # disable ufw and stop starting it at boot (the default)
3. Check the ufw version
$ sudo ufw version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.
4. Quick look at the configuration file (comment and blank lines filtered out)
$ grep -v '^#\|^$' /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES=""
5. Check the running status (compare the plain listing here with the numbered listing in the next step)
$ sudo ufw status
Status: active
To Action From
-- ------ ----
111 ALLOW Anywhere
80 ALLOW Anywhere
6. List the open ports
$ sudo ufw status numbered # show rules with their numbers
Status: active
To Action From
-- ------ ----
[ 1] 111 ALLOW IN Anywhere
[ 3] 111 (v6) ALLOW IN Anywhere (v6)
7. Open | close service ports
$ sudo ufw allow 443/tcp # allow external access to port 443 (tcp)
Rules updated
Rules updated (v6)
$ sudo ufw allow http # allow the http service
Rules updated
Rules updated (v6)
$ sudo ufw allow 80 # allow port 80 (tcp and udp)
Skipping adding existing rule
Skipping adding existing rule (v6)
$ sudo ufw delete allow 80 # remove external access to port 80
Rule deleted
Rule deleted (v6)
$ sudo ufw delete allow 80/tcp # remove external access to port 80 (tcp)
Rule deleted
Rule deleted (v6)
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 111 ALLOW IN Anywhere
[ 2] 443/tcp ALLOW IN Anywhere
[ 3] 111 (v6) ALLOW IN Anywhere (v6)
[ 4] 443/tcp (v6) ALLOW IN Anywhere (v6)
$ sudo ufw delete 2 # delete the rule numbered 2; the remaining rules are renumbered afterwards
Deleting:
allow 443/tcp
Proceed with operation (y|n)? y
Rule deleted
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 111 ALLOW IN Anywhere
[ 2] 111 (v6) ALLOW IN Anywhere (v6)
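Deleting by number is convenient, but the listing above shows the catch: after `ufw delete 2` the rules are renumbered, so a second deletion planned from the old listing would hit the wrong rule. The script below is an added example, not part of the original post, that parses the text of `ufw status numbered`, finds every rule (IPv4 and v6) whose "To" column matches a target, and prints the delete commands highest number first so that each deletion leaves the lower numbers unchanged. The sample listing is constructed to mirror the one in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): plan numbered deletions in ufw
# so that renumbering after each `ufw delete N` cannot shift the next target.

# Constructed sample of `ufw status numbered` output, mirroring the post.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 111                        ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 111 (v6)                   ALLOW IN    Anywhere (v6)
[ 4] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# ufw_rule_numbers STATUS_TEXT TARGET
# Prints the number of every rule whose "To" column starts with TARGET
# (e.g. "443/tcp" matches both the v4 and the "(v6)" rule), one per line,
# highest number first.
ufw_rule_numbers() {
    printf '%s\n' "$1" | awk -v target="$2" '
        /^\[/ {
            close_idx = index($0, "]")
            num = substr($0, 2, close_idx - 2) + 0   # digits between "[" and "]"
            rest = substr($0, close_idx + 1)
            split(rest, f, " ")                       # f[1] is the "To" column
            if (f[1] == target) print num
        }' | sort -rn
}

# ufw_delete_plan STATUS_TEXT TARGET
# Prints the commands to run, in an order that keeps the numbers valid.
# The confirmation prompt of `ufw delete N` is deliberately kept.
ufw_delete_plan() {
    ufw_rule_numbers "$1" "$2" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# On a real host the first argument would be "$(sudo ufw status numbered)";
# the constructed sample is used here so the script runs anywhere.
echo "Rules matching 443/tcp, in safe deletion order:"
ufw_delete_plan "$SAMPLE_STATUS" "443/tcp"
```

For the sample listing the plan is `sudo ufw delete 4` followed by `sudo ufw delete 2`; running them in that order removes both the v6 and the v4 rule for 443/tcp. Running the plan in ascending order instead would delete rule 2, turn the old rule 4 into rule 3, and then remove whatever rule 4 had become. Re-running `ufw status numbered` between deletions is the manual equivalent of this check.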
8. Open a port on a specific network interface
$ sudo ufw allow in on ens33 to any port 80
Rule added
Rule added (v6)
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 111 ALLOW IN Anywhere
[ 2] 80 on ens33 ALLOW IN Anywhere
[ 3] 111 (v6) ALLOW IN Anywhere (v6)
[ 4] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 5] 80 (v6) on ens33 ALLOW IN Anywhere (v6)
9. Open a port range
$ sudo ufw allow 40000:41000/tcp
Rule added
Rule added (v6)
10. Allow specific IPs
# allow a specific IP to reach all ports
$ sudo ufw allow from 172.127.1.101
Rule added
# allow a specific IP to connect to a specific port
$ sudo ufw allow from 172.127.1.101 to any port 111
Rule added
# allow hosts from a subnet to reach a port
$ sudo ufw allow from 192.168.1.1/24 to any port 11111
# allow tcp from a specific source host and port to a specific destination host and port (a filter rule, not address translation)
$ sudo ufw allow proto tcp from 192.168.11.20 port 80 to 192.168.11.21 port 80
Rule added
11. Deny specific connections
# block a specific IP
$ sudo ufw deny from 172.127.1.101
Rule updated
# deny access to port 443
$ sudo ufw deny 443/tcp
Rule added
Rule updated (v6)
# delete the deny rule
$ sudo ufw delete deny 443/tcp
12. Reset the firewall (drops every rule, including the ones that allow your own SSH session, and restores the installed defaults)
$ sudo ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y