Firewalld

1.区域

1）总共8个区域，查看区域的命令：

[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

trusted：白名单区域，方通进出的流量
public：默认拒绝进入方向的流量(ssh，dhcp除外)，放通出方向的流量
dmz：默认拒绝进入方向的流量(ssh)，放通出方向的流量
block：默认拒绝流入的流量

2）查看默认区域，接口默认在此区域

[root@localhost ~]# firewall-cmd --get-default-zone 
public
[root@localhost ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth1 eth0

3）查看当前配置的规则

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

4）变更区域

[root@localhost ~]# firewall-cmd --set-default-zone=dmz
success
[root@localhost ~]# firewall-cmd --get-active-zones 
dmz
  interfaces: eth1 eth0

5）指定接口的区域

[root@localhost ~]# firewall-cmd --zone=public --change-interface=eth1 
success
[root@localhost ~]# firewall-cmd --get-active-zones 
dmz
  interfaces: eth0
public
  interfaces: eth1

2.策略

1）指定IP白名单和删除IP白名单

[root@localhost ~]# firewall-cmd --add-source=10.10.10.202/32 --zone=trusted
[root@localhost ~]# firewall-cmd --list-all --zone=trusted 
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 10.10.100.202/32
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
[root@localhost ~]# firewall-cmd --zone=trusted --remove-source=10.10.100.202/32
success
[root@localhost ~]# firewall-cmd --list-all --zone=trusted 
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

2）指定IP黑名单和删除IP黑名单

[root@localhost ~]# firewall-cmd --zone=block --add-source=10.10.100.202/32 
success
[root@localhost ~]# firewall-cmd --zone=block --list-all 
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 10.10.100.202/32
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
 [root@localhost ~]# firewall-cmd --zone=block --remove-source=10.10.100.202/32 
success

3）放通预定义的协议，预定义的协议放在 /usr/lib/firewalld/services/目录下。

[root@localhost ~]# firewall-cmd --zone=dmz --add-service={http,https,mysql}
success
[root@localhost ~]# firewall-cmd --zone=dmz --list-all 
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: http https mysql ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
删除已放通的策略
[root@localhost ~]# firewall-cmd --zone=dmz --remove-service={http,https,mysql}
success
[root@localhost ~]# firewall-cmd --zone=dmz --list-all 
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

4）放通指定的端口。

[root@localhost ~]# firewall-cmd --zone=dmz --add-port={3306,5432,80,443}/tcp
success
[root@localhost ~]# firewall-cmd --zone=dmz --list-all 
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 3306/tcp 5432/tcp 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
删除已放通的端口  
[root@localhost ~]# firewall-cmd --zone=dmz --remove-port=3306/tcp
success
[root@localhost ~]# firewall-cmd --zone=dmz --list-all 
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 5432/tcp 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

3.丰富规则

可以理解为高级的策略，支持源目IP，源目端口，动作

firewall-cmd --zone=dmz --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
firewall-cmd --zone=dmz --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp accept'