2023/09/25

firewalld

On Rocky Linux 8 (as on earlier RHEL-family releases) you can still opt out of firewalld and keep using the legacy iptables service. firewalld has to be stopped and masked first, so the two do not fight over the same rule set:

# Stop firewalld
systemctl stop firewalld
# Disable firewalld at boot
systemctl disable firewalld
# Mask firewalld so that no dependency can start it again
systemctl mask firewalld

Install iptables and its service unit

dnf -y install iptables iptables-services

systemctl enable iptables
systemctl start iptables
systemctl status --no-pager iptables

On Rocky Linux 9 firewalld is the default firewall management tool (it has been the RHEL-family default since release 7 and uses the nftables backend on 8 and 9)

  • firewalld supports network/firewall zones, which define the trust level of network connections

  • IPv4 and IPv6 are handled together

  • services/applications can create firewall rules directly through its D-Bus interface

If a graphical desktop is available, the firewall can be configured with firewall-config

Enable firewalld

systemctl enable --now firewalld
systemctl restart firewalld

systemctl status --no-pager firewalld

Basic commands

The commonly used firewall-cmd commands:

# check whether firewalld is running
firewall-cmd --state

# reload the permanent configuration into runtime: this applies changes made
# with --permanent and DISCARDS any runtime-only changes
firewall-cmd --reload

# show the configuration of the default zone (add --zone=NAME for another zone)
firewall-cmd --list-all

# show only the rich rules
firewall-cmd --list-rich-rules

# copy the current runtime configuration into the permanent configuration
firewall-cmd --runtime-to-permanent

# change the permanent configuration directly; the rule is not active until --reload
firewall-cmd --permanent [the rest of your command]
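The runtime/permanent split above is also a safety net: because --reload throws runtime-only changes away, a delayed reload can act as a dead-man switch while you change rules over SSH. The script below is an added example (not from the original post) that applies a change at runtime, arms such a timer, and only commits with --runtime-to-permanent once you confirm you can still reach the host. It assumes firewall-cmd is on PATH; when it is not, or when FW_DRY_RUN=1 is set, the commands are only recorded in FW_LOG so the sequence can be inspected without touching a firewall.

```shell
#!/bin/sh
# Added example, not part of the original post: a lockout-safe way to change
# firewalld rules over an SSH session.
#
# 1. apply the change to the runtime configuration only
# 2. arm a delayed "firewall-cmd --reload" (reload discards runtime-only
#    changes, so if the new rule cuts your session off it reverts itself)
# 3. once you have confirmed access still works, disarm the timer and
#    commit the runtime state with --runtime-to-permanent
#
# Assumption: firewall-cmd is on PATH for a real run.  Otherwise, or with
# FW_DRY_RUN=1, commands are appended to FW_LOG instead of being executed.

FW_DRY_RUN="${FW_DRY_RUN:-0}"
FW_LOG=""
FW_REVERT_PID=""

fw_is_dry() {
    [ "$FW_DRY_RUN" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1
}

# Run firewall-cmd, or record the call in dry-run mode.
fwcmd() {
    if fw_is_dry; then
        FW_LOG="${FW_LOG}firewall-cmd $*
"
        return 0
    fi
    firewall-cmd "$@"
}

# Arm the dead-man switch: reload (= discard runtime changes) after $1 seconds.
fw_schedule_revert() {
    if fw_is_dry; then
        FW_LOG="${FW_LOG}schedule: sleep $1 && firewall-cmd --reload
"
        FW_REVERT_PID="dry"
        return 0
    fi
    ( sleep "$1" && firewall-cmd --reload ) >/dev/null 2>&1 &
    FW_REVERT_PID=$!
}

# Disarm the switch once the change has been verified from another session.
fw_cancel_revert() {
    if [ "$FW_REVERT_PID" = "dry" ]; then
        FW_LOG="${FW_LOG}cancel: revert timer
"
    elif [ -n "$FW_REVERT_PID" ]; then
        kill "$FW_REVERT_PID" 2>/dev/null || true
    fi
    FW_REVERT_PID=""
}

# fw_safe_add_service ZONE SERVICE SECONDS CONFIRM
#   Opens SERVICE in ZONE at runtime with a SECONDS-long revert timer.
#   CONFIRM=yes means "checked, keep it": the timer is cancelled and the
#   runtime state is saved; anything else leaves the timer armed.
fw_safe_add_service() {
    zone="$1"; svc="$2"; secs="$3"; confirm="$4"
    fw_schedule_revert "$secs"
    fwcmd --zone="$zone" --add-service="$svc" || return 1
    fwcmd --zone="$zone" --list-services
    if [ "$confirm" = "yes" ]; then
        fw_cancel_revert
        fwcmd --runtime-to-permanent
    fi
}

# Usage on a real host (open http in public, 120 s to confirm from a second shell):
#   fw_safe_add_service public http 120 no
#   ... test connectivity from elsewhere ...
#   fw_cancel_revert; firewall-cmd --runtime-to-permanent
# Set FW_DRY_RUN=1 to only print the command sequence.
```

If the timer fires, --reload restores the last permanent configuration, which is exactly the state before the change; that is why the change must not be made with --permanent in this workflow.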

zone

The most important addition in firewalld is the zone concept. The built-in zones are:

zone      description
drop      incoming packets are dropped without any reply; only outgoing connections are possible
block     incoming connections are rejected with icmp-host-prohibited (IPv4) / icmp6-adm-prohibited (IPv6); only connections initiated by this host are possible
public    for public places where other hosts are not trusted; only selected incoming connections are accepted (by default ssh, dhcpv6-client and cockpit)
external  for external networks with masquerading enabled, typically routers; only selected incoming connections are accepted
dmz       for hosts in a demilitarized zone that are publicly reachable but have limited access to the internal network; only selected incoming connections are accepted
work      for work areas where other hosts are mostly trusted; only selected incoming connections are accepted
home      for home areas where other hosts are mostly trusted; only selected incoming connections are accepted
internal  for internal networks where other hosts are mostly trusted; only selected incoming connections are accepted
trusted   all network connections are accepted (target ACCEPT)

A zone is active when at least one of the following holds:

  1. the zone is bound to a network interface

  2. the zone is bound to source IPs or network ranges

Interfaces that are not explicitly bound to a zone belong to the default zone (public after installation).

Most users only need the trusted, home and public zones.

Zone commands

# show the default zone
firewall-cmd --get-default-zone

# show the active zones and what is bound to them
firewall-cmd --get-active-zones

# change the default zone (takes effect immediately, runtime and permanent)
firewall-cmd --set-default-zone=[your-zone]

# bind a network interface to a zone
firewall-cmd --zone=[your-zone] --add-interface=[your-network-device]

# move an interface to another zone
firewall-cmd --zone=[your-zone] --change-interface=[your-network-device]

# unbind the interface from the zone
firewall-cmd --zone=[your-zone] --remove-interface=[your-network-device]

# create a zone: new zones exist only in the permanent configuration, so reload afterwards
firewall-cmd --permanent --new-zone=[your-new-zone]
firewall-cmd --reload
firewall-cmd --get-zones

rule

port

# list the ports opened in the default zone
firewall-cmd --list-ports

# add / remove a port or a port range
firewall-cmd --zone=public --add-port=9001/tcp
firewall-cmd --zone=public --add-port=20000-20100/tcp

firewall-cmd --zone=public --remove-port=9001/tcp

service

# list the predefined services firewalld knows about
firewall-cmd --get-services

# list the services currently allowed in the default zone
firewall-cmd --list-services

# add / remove a service
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --remove-service=http

ip

# bind a source network to a zone: everything from 192.168.1.0/24 is then
# evaluated against the trusted zone, whose target is ACCEPT (all traffic allowed).
# These are --permanent changes, so run firewall-cmd --reload afterwards.
firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24

firewall-cmd --permanent --zone=trusted --remove-source=192.168.1.0/24

rich rule

# rich rules go into the default zone unless --zone= is given
# reject a single IP
firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
# a single IP, restricted to one port
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
# an IP range
firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.77.100/32" accept'

Allowing one IP to use ssh, in iptables and in firewalld

# iptables
iptables -A INPUT -p tcp -m tcp -s 192.168.1.122 --dport 22 -j ACCEPT

# firewalld
# Caveat: the trusted zone's target is ACCEPT, so binding a source to it allows
# EVERYTHING from that address, not only ssh; --add-service=ssh is redundant there.
# To allow only ssh, bind the source to a zone whose target is default (or a new
# zone) and add just the ssh service to that zone.
# These are --permanent changes, so they need a reload to become active.
firewall-cmd --zone=trusted --add-source=192.168.1.122 --permanent
firewall-cmd --zone=trusted --add-service=ssh --permanent
firewall-cmd --reload

# remove: these are runtime changes
firewall-cmd --zone=trusted --remove-source=192.168.1.122
firewall-cmd --zone=trusted --remove-service=ssh

# save the runtime state (a bare --reload would restore the permanent
# configuration and undo the runtime-only removals above)
firewall-cmd --runtime-to-permanent
firewall-cmd --reload

ICMP rule

# iptables
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 192.168.1.136 -j ACCEPT

# the public zone does not block ICMP by default
# block ping (echo-request / echo-reply) in the public and trusted zones
# (the braces are bash expansion: they become two --add-icmp-block options)
firewall-cmd --zone=public --add-icmp-block={echo-request,echo-reply} --permanent
firewall-cmd --zone=trusted --add-icmp-block={echo-request,echo-reply} --permanent

web server ports

# iptables
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# add service
firewall-cmd --zone=public --add-service=http --add-service=https --permanent

# remove
firewall-cmd --zone=public --remove-service=http --remove-service=https --permanent

DNS

# iptables
iptables -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j ACCEPT

# firewalld (the dns service is 53/tcp and 53/udp)
firewall-cmd --zone=trusted --add-service=dns
firewall-cmd --zone=public --add-service=dns

TCP state

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# firewalld does not need this rule: established and related traffic is accepted by default

mysql

# iptables (MySQL listens on 3306/tcp)
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

# firewalld (the mysql service is 3306/tcp)
firewall-cmd --zone=public --add-service=mysql --permanent

postgresql

# iptables
iptables -A INPUT -p tcp -m tcp --dport 5432 -s 192.168.1.0/24 -j ACCEPT

# firewalld: the trusted zone accepts all traffic, so adding a service there
# changes nothing. To allow only 5432/tcp from 192.168.1.0/24, bind that source
# to a zone whose target is default and add the postgresql service to that zone.
firewall-cmd --zone=trusted --add-service=postgresql
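The recipes above make two over-exposures easy to create: a source bound to the trusted zone (which accepts everything, not just ssh or postgresql), and a database service opened in the zone an external interface sits in. The script below is an added example, not part of the original post, that audits the text output of firewall-cmd --list-all-zones for exactly those patterns, plus raw ports opened in an interface-bound zone. It assumes POSIX awk and the layout firewalld prints (zone header at column 0, "  key: value" lines below it); the sample output it ships with is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit "firewall-cmd --list-all-zones"
# output and report
#   FULL-ACCESS  a source or interface is bound to a zone whose target is ACCEPT
#                (e.g. trusted): every port is reachable from it
#   DB-EXPOSED   mysql/postgresql allowed in an active zone that has an interface
#                bound, i.e. the database is reachable from the whole network
#   OPEN-PORTS   raw ports opened in such a zone (worth a second look)
# Assumptions: POSIX awk; firewalld's text layout (zone header at column 0,
# "  key: value" below it, rich rules on tab-indented lines).

fw_audit() {
    awk '
    function val(line,   s) {
        s = substr(line, index(line, ":") + 1)
        sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
        return s
    }
    function flush(   n, i, s) {
        if (zone == "") return
        if (target == "ACCEPT" && (sources != "" || ifaces != ""))
            print "FULL-ACCESS zone=" zone " sources=" sources " interfaces=" ifaces
        if (active && ifaces != "") {
            n = split(services, s, " ")
            for (i = 1; i <= n; i++)
                if (s[i] == "mysql" || s[i] == "postgresql")
                    print "DB-EXPOSED zone=" zone " service=" s[i] " interfaces=" ifaces
            if (ports != "")
                print "OPEN-PORTS zone=" zone " ports=" ports
        }
    }
    /^[^ \t]/ {                       # zone header: "name" or "name (active)"
        flush()
        zone = $1; active = ($0 ~ /\(active\)/)
        target = ""; sources = ""; ifaces = ""; services = ""; ports = ""
        next
    }
    /^  target:/     { target   = val($0); next }
    /^  interfaces:/ { ifaces   = val($0); next }
    /^  sources:/    { sources  = val($0); next }
    /^  services:/   { services = val($0); next }
    /^  ports:/      { ports    = val($0); next }
    END { flush() }
    '
}

# Constructed sample of --list-all-zones output (trimmed to the keys the audit
# reads; a real dump has more lines per zone).
fw_sample_zones() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client mysql ssh
  ports: 9001/tcp
  protocols:
  forward: yes
  masquerade: no
  rich rules:
	rule family="ipv4" source address="192.168.1.100" reject

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.122
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: postgresql ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  rich rules:
EOF
}

fw_audit_sample() {
    fw_sample_zones | fw_audit
}

# Live usage:                firewall-cmd --list-all-zones | fw_audit
# What survives a reload:    firewall-cmd --permanent --list-all-zones | fw_audit
if [ "${1:-}" = "--sample" ]; then
    fw_audit_sample
fi
```

On the sample, public is flagged for the mysql service and the 9001/tcp port on eth0, trusted for the source 192.168.1.122 with full access, and the inactive dmz zone (nothing bound) produces no finding. Run it against both the runtime and the --permanent view: a rule that looks fine at runtime may differ from what comes back after the next reload.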

