Linux Commands (4): firewalld

FirewallD is a wrapper around iptables that makes iptables rules easier to manage; it is not a replacement for iptables.

firewalld does not implement packet filtering itself; like iptables, it relies on the kernel's netfilter framework.

Common commands

Controlling the service

Install firewalld.

$ yum install firewalld firewall-config

Start the service.

$ sudo systemctl start firewalld

Enable it at boot.

$ sudo systemctl enable firewalld

Stop and disable it.

$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld

Check the firewall state; the output is either running or not running.

$ sudo firewall-cmd --state
running

View the daemon status.

$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-07-09 15:35:07 CST; 31s ago
Docs: man:firewalld(1)
Main PID: 1987 (firewalld)
CGroup: /system.slice/firewalld.service
└─1987 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jul 09 15:35:07 bogon systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 09 15:35:07 bogon systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 09 15:35:07 bogon firewalld[1987]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.

Reload the firewalld configuration.

$ sudo firewall-cmd --reload
success

Configuration

firewalld has two configuration sets: runtime and permanent.

The runtime configuration applies only to the currently running firewalld and is lost when the service restarts.

The permanent configuration does not take effect immediately after a change; the configuration has to be reloaded first.

Show the active zone's configuration; here ports 9001 and 6379 are open.

$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 9001/tcp 6379/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

The default zone is public.

Open a port in the default zone.

$ sudo firewall-cmd --permanent --add-port=1000/tcp # open TCP port 1000
$ sudo firewall-cmd --reload # after changing the permanent configuration, reload it

List the ports open in a zone.

$ sudo firewall-cmd --list-ports --zone=public
9001/tcp 6379/tcp

Open the MySQL service in the runtime configuration so it takes effect immediately; the service listing then shows that firewalld allows mysql.

$ sudo firewall-cmd --add-service=mysql
$ sudo firewall-cmd --list-services
dhcpv6-client ssh mysql

Remove the service when it is no longer needed.

$ sudo firewall-cmd --remove-service=mysql

If you are unsure of a service name, list all supported services first.

$ sudo firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

The definitions of all these services are in the /usr/lib/firewalld/services/ directory.

$ ls /usr/lib/firewalld/services/
RH-Satellite-6-capsule.xml bitcoin-rpc.xml dhcpv6.xml freeipa-ldaps.xml imap.xml kerberos.xml llmnr.xml mssql.xml ovirt-storageconsole.xml proxy-dhcp.xml salt-master.xml snmp.xml syslog-tls.xml wbem-http.xml
RH-Satellite-6.xml bitcoin-testnet-rpc.xml distcc.xml freeipa-replication.xml imaps.xml kibana.xml managesieve.xml murmur.xml ovirt-vmconsole.xml ptp.xml samba-client.xml snmptrap.xml syslog.xml wbem-https.xml
amanda-client.xml bitcoin-testnet.xml dns.xml freeipa-trust.xml ipp-client.xml klogin.xml matrix.xml mysql.xml plex.xml pulseaudio.xml samba-dc.xml spideroak-lansync.xml telnet.xml wsman.xml
amanda-k5-client.xml bitcoin.xml docker-registry.xml ftp.xml ipp.xml kpasswd.xml mdns.xml nfs.xml pmcd.xml puppetmaster.xml samba.xml squid.xml tftp-client.xml wsmans.xml
amqp.xml ceph-mon.xml docker-swarm.xml ganglia-client.xml ipsec.xml kprop.xml minidlna.xml nfs3.xml pmproxy.xml quassel.xml sane.xml ssh.xml tftp.xml xdmcp.xml
amqps.xml ceph.xml dropbox-lansync.xml ganglia-master.xml irc.xml kshell.xml mongodb.xml nmea-0183.xml pmwebapi.xml radius.xml sip.xml steam-streaming.xml tinc.xml xmpp-bosh.xml
apcupsd.xml cfengine.xml elasticsearch.xml git.xml ircs.xml ldap.xml mosh.xml nrpe.xml pmwebapis.xml redis.xml sips.xml svdrp.xml tor-socks.xml xmpp-client.xml
audit.xml condor-collector.xml etcd-client.xml gre.xml iscsi-target.xml ldaps.xml mountd.xml ntp.xml pop3.xml rpc-bind.xml slp.xml svn.xml transmission-client.xml xmpp-local.xml
bacula-client.xml ctdb.xml etcd-server.xml high-availability.xml isns.xml libvirt-tls.xml mqtt-tls.xml nut.xml pop3s.xml rsh.xml smtp-submission.xml syncthing-gui.xml upnp-client.xml xmpp-server.xml
bacula.xml dhcp.xml finger.xml http.xml jenkins.xml libvirt.xml mqtt.xml openvpn.xml postgresql.xml rsyncd.xml smtp.xml syncthing.xml vdsm.xml zabbix-agent.xml
bgp.xml dhcpv6-client.xml freeipa-ldap.xml https.xml kadmin.xml lightning-network.xml ms-wbt.xml ovirt-imageio.xml privoxy.xml rtsp.xml smtps.xml synergy.xml vnc-server.xml zabbix-server.xml

Opening one of these files shows the protocol and port the service is configured with; to define your own service, add a similar file.

$ cat mysql.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MySQL</short>
<description>MySQL Database Server</description>
<port protocol="tcp" port="3306"/>
</service>
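As an added example (not code from the original post), the script below writes a custom service definition in the same XML shape as mysql.xml and audits a saved `firewall-cmd --list-all` listing, like the one shown earlier with 9001/tcp and 6379/tcp open, for ports that are not on an allowlist. It assumes site-local service files go in /etc/firewalld/services/ and that the output directory and allowlist are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post: build a custom firewalld
# service definition in the same XML shape as mysql.xml, and audit a saved
# `firewall-cmd --list-all` listing for open ports that are not on an allowlist.
set -eu

# make_service_xml NAME DESCRIPTION OUTDIR PORT/PROTO...
# Writes OUTDIR/NAME.xml and prints its path. Site-local services belong in
# /etc/firewalld/services/ (the /usr/lib/firewalld/services/ tree is owned by
# the package manager); OUTDIR is a parameter so the function runs anywhere.
# NAME and DESCRIPTION are not XML-escaped: keep them to plain words.
make_service_xml() {
  name=$1; desc=$2; outdir=$3; shift 3
  # Validate every PORT/PROTO first so a bad spec never leaves a half-written file.
  for spec in "$@"; do
    port=${spec%/*}; proto=${spec#*/}
    case "$port" in ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad protocol in '$spec'" >&2; return 1;; esac
  done
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec in "$@"; do
      printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
  } > "$outdir/$name.xml"
  echo "$outdir/$name.xml"
}

# audit_ports FILE ALLOWED... : FILE holds saved `firewall-cmd --list-all` output.
# Prints each entry of the zone's "ports:" line that is not in ALLOWED and
# returns 1 if any was found, so a cron or CI drift check can fail on it.
# The anchored pattern does not match the "source-ports:"/"forward-ports:" lines.
audit_ports() {
  file=$1; shift
  found=0
  for p in $(sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' "$file"); do
    ok=0
    for a in "$@"; do if [ "$p" = "$a" ]; then ok=1; fi; done
    if [ "$ok" -eq 0 ]; then echo "unexpected open port: $p"; found=1; fi
  done
  return "$found"
}
# Typical use on a host (needs root):
#   make_service_xml myapp "My App" /etc/firewalld/services 8080/tcp
#   firewall-cmd --reload                       # makes the new service known
#   firewall-cmd --permanent --add-service=myapp && firewall-cmd --reload
#   firewall-cmd --list-all > zone.txt && audit_ports zone.txt 9001/tcp 6379/tcp
```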

Service details can also be read directly from the command line.

$ sudo firewall-cmd --info-service mysql
mysql
ports: 3306/tcp
protocols:
source-ports:
modules:
destination:

Add a port forward: forward local port 12345 to port 22 on 10.20.30.40.

$ sudo firewall-cmd --zone=public --add-forward-port=port=12345:proto=tcp:toport=22:toaddr=10.20.30.40
success
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 9001/tcp 6379/tcp
protocols:
masquerade: no
forward-ports: port=12345:proto=tcp:toport=22:toaddr=10.20.30.40
source-ports:
icmp-blocks:
rich rules:

The port forward can then be removed again.

$ sudo firewall-cmd --zone=public --remove-forward-port=port=12345:proto=tcp:toport=22:toaddr=10.20.30.40
