Up to Rocky Linux 8 you can leave firewalld out and keep using the older iptables
# Stop firewalld
systemctl stop firewalld
# disable firewalld
systemctl disable firewalld
# hide firewalld
systemctl mask firewalld
Install iptables
dnf -y install iptables iptables-services
systemctl enable iptables
systemctl start iptables
systemctl status --no-pager iptables
From Rocky Linux 9 on, firewalld is the default firewall.
firewalld supports network/firewall zones, which define the trust level of network connections.
It supports IPv4 and IPv6 at the same time.
It lets services/applications create firewall rules directly.
If a graphical interface is available, the firewall can be configured through firewall-config.
Enable firewalld
systemctl enable --now firewalld
systemctl restart firewalld
systemctl status --no-pager firewalld
Basic commands
The following are a few basic, commonly used firewalld commands
# check the firewalld state
firewall-cmd --state
# after changing the permanent configuration, reload so the change takes effect (note: a reload discards runtime-only changes)
firewall-cmd --reload
# show the configuration
firewall-cmd --list-all
# show the detailed configuration (rich rules)
firewall-cmd --list-rich-rules
# save the current runtime configuration permanently
firewall-cmd --runtime-to-permanent
# while configuring, add a rule and save it permanently in one step
firewall-cmd --permanent [the rest of your command]
zone
The most important addition in firewalld is the concept of zones. The built-in zones are:
zone | description | example use
---|---|---
drop | does not answer any packet; all incoming connections are dropped and only packets going out from the inside are allowed | drop incoming connections without reply - only outgoing packets are allowed
block | incoming connections are rejected with icmp-host-prohibited / icmp6-adm-prohibited | incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6
public | all incoming connections are allowed | all incoming connections are allowed
external | for use on external networks when IP masquerading is enabled | for use on external networks with masquerading enabled
dmz | for machines in the DMZ | for computers on your demilitarized zone that are publicly-accessible with limited access to your internal network
work | for computers in work areas (nope, I don't get this one either) | 
home | for use in home areas (nope, I don't get this one either) | 
internal | for the internal network | for your internal network device access
trusted | all network connections are accepted | all network connections are accepted
A zone is active if either of the following two conditions is met:
the zone is bound to a network interface
the zone is bound to source IPs or network ranges
Most users will mainly use the trusted, home and public zones.
Zone-related commands
# show the default zone
firewall-cmd --get-default-zone
# show the active zones
firewall-cmd --get-active-zones
# change the default zone
firewall-cmd --set-default-zone [your-zone]
# bind a zone to a network interface
firewall-cmd --zone=[your-zone] --add-interface=[your-network-device]
# move a network interface to a zone
firewall-cmd --zone=[your-zone] --change-interface=[your-network-device]
# remove a network interface from a zone
firewall-cmd --zone=[your-zone] --remove-interface=[your-network-device]
# create a new zone (only possible in the permanent configuration, so reload afterwards)
firewall-cmd --permanent --new-zone=[your-new-zone]
firewall-cmd --reload
firewall-cmd --get-zones
rule
port
# list
firewall-cmd --list-ports
# add / remove
firewall-cmd --zone=public --add-port=9001/tcp
firewall-cmd --zone=public --add-port=20000-20100/tcp
firewall-cmd --zone=public --remove-port=9001/tcp
service
# list the available services
firewall-cmd --get-services
# list the currently active services
firewall-cmd --list-services
# add / remove
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --remove-service=http
ip
firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24
firewall-cmd --permanent --zone=trusted --remove-source=192.168.1.0/24
rich rule
# a single IP
firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
# besides a single IP, also restrict the rule to a specific port
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
# an IP range
firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.77.100/32" accept'
Allowing a specific IP to use ssh, in iptables and in firewalld
# iptables
iptables -A INPUT -p tcp -m tcp -s 192.168.1.122 --dport 22 -j ACCEPT
# firewalld
firewall-cmd --zone=trusted --add-source=192.168.1.122 --permanent
firewall-cmd --zone=trusted --add-service=ssh --permanent
# remove
firewall-cmd --zone=trusted --remove-source=192.168.1.122
firewall-cmd --zone=trusted --remove-service=ssh
# save the settings
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
ICMP rule
# iptables
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 192.168.1.136 -j ACCEPT
# ICMP is allowed by default in the "public" zone
# block ICMP in "public" "trusted" zone
firewall-cmd --zone=public --add-icmp-block={echo-request,echo-reply} --permanent
firewall-cmd --zone=trusted --add-icmp-block={echo-request,echo-reply} --permanent
web server ports
# iptables
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# add service
firewall-cmd --zone=public --add-service=http --add-service=https --permanent
# remove
firewall-cmd --zone=public --remove-service=http --remove-service=https --permanent
DNS
# iptables
iptables -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
# firewalld
firewall-cmd --zone=trusted --add-service=dns
firewall-cmd --zone=public --add-service=dns
TCP state
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# firewalld does not need this rule: it accepts established/related traffic by default
mysql
# iptables
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# firewalld
firewall-cmd --zone=public --add-service=mysql --permanent
postgresql
# iptables
iptables -A INPUT -p tcp -m tcp --dport 5432 -s 192.168.1.0/24 -j ACCEPT
# firewalld
firewall-cmd --zone=trusted --add-service=postgresql
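As an added example (not code from the original page or from the firewalld project), the shell helper below takes the arguments of one of the iptables INPUT rules above and prints the firewall-cmd rich rule that says the same thing, so the two formats can be compared before anything is applied. The helper name `ipt_to_rich` and the option subset it understands are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: translate the simple iptables INPUT rules shown on this page
# into the equivalent firewall-cmd rich rule. ipt_to_rich is a hypothetical
# helper; it prints the command instead of running it, so the result can be
# reviewed first. Usage: ipt_to_rich <zone> <arguments given to iptables>
# Supported: -A INPUT, -s, -p tcp|udp|icmp, -m tcp|udp|icmp, --dport N[:M]
# (also --dport=N), --icmp-type 0|8, -j ACCEPT|DROP|REJECT.
ipt_to_rich() {
  local zone=$1; shift
  local src="" proto="" port="" icmp="" target="" rule=""
  while [ $# -gt 0 ]; do
    case $1 in
      -A) [ "$2" = INPUT ] || { echo "only the INPUT chain is supported" >&2; return 1; }; shift 2 ;;
      -s) src=$2; shift 2 ;;
      -p) proto=$2; shift 2 ;;
      -m) [ "$2" != state ] || { echo "firewalld tracks connection state itself; no rule needed" >&2; return 2; }; shift 2 ;;
      --dport) port=$(printf %s "$2" | sed 's/:/-/'); shift 2 ;;   # 20000:20100 -> 20000-20100
      --dport=*) port=$(printf %s "${1#--dport=}" | sed 's/:/-/'); shift ;;
      --icmp-type) icmp=$2; shift 2 ;;
      -j) target=$2; shift 2 ;;
      *) echo "unsupported option: $1" >&2; return 1 ;;
    esac
  done
  # the address family follows the source address; default to IPv4 like the rules above
  case $src in *:*) rule='rule family="ipv6"' ;; *) rule='rule family="ipv4"' ;; esac
  [ -n "$src" ] && rule="$rule source address=\"$src\""
  if [ "$proto" = icmp ]; then
    # iptables uses numeric ICMP types, firewalld rich rules use names
    case $icmp in
      8) rule="$rule icmp-type name=\"echo-request\"" ;;
      0) rule="$rule icmp-type name=\"echo-reply\"" ;;
      *) echo "unsupported icmp type: $icmp" >&2; return 1 ;;
    esac
  elif [ -n "$port" ]; then
    [ -n "$proto" ] || { echo "--dport needs -p tcp or -p udp" >&2; return 1; }
    rule="$rule port port=\"$port\" protocol=\"$proto\""
  fi
  case $target in
    ACCEPT) rule="$rule accept" ;; DROP) rule="$rule drop" ;; REJECT) rule="$rule reject" ;;
    *) echo "unsupported target: $target" >&2; return 1 ;;
  esac
  printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
}

# usage with the ssh and DNS rules from this page (constructed inputs)
ipt_to_rich trusted -A INPUT -p tcp -m tcp -s 192.168.1.122 --dport 22 -j ACCEPT
ipt_to_rich public  -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
```

Note that the page's zone-based approach (adding a source to the trusted zone) is broader than the printed rich rule, which only opens the one port for that source.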