| 区域 | 默认策略规则 |
|---|---|
| trusted | 允许所有的数据包 |
| home | 拒绝流入的流量,除非与流出的流量相关;而如果流量与ssh、mdns、ipp-client、amba-client与dhcpv6-client服务相关,则允许流量 |
| internal | 等同于home区域 |
| work | 拒绝流入的流量,除非与流出的流量数相关;而如果流量与ssh、ipp-client与dhcpv6-client服务相关,则允许流量 |
| public | 拒绝流入的流量,除非与流出的流量相关;而如果流量与ssh、dhcpv6-client服务相关,则允许流量 |
| external | 拒绝流入的流量,除非与流出的流量相关;而如果流量与ssh服务相关,则允许流量 |
| dmz | 拒绝流入的流量,除非与流出的流量相关;而如果流量与ssh服务相关,则允许流量 |
| block | 拒绝流入的流量,除非与流出的流量相关 |
| drop | 拒绝流入的流量,除非与流出的流量相关 |
| 参数 | 作用 |
|---|---|
| --get-default-zone | 查询默认的区域名称 |
| --set-default-zone=<区域名称> | 设置默认的区域,使其永久生效 |
| --get-zones | 显示可用的区域 |
| --get-services | 显示预先定义的服务 |
| --get-active-zones | 显示当前正在使用的区域与网卡名称 |
| --add-source= | 将源自此IP或子网的流量导向指定的区域 |
| --remove-source= | 不再将源自此IP或子网的流量导向某个指定区域 |
| --add-interface=<网卡名称> | 将源自该网卡的所有流量都导向某个指定区域 |
| --change-interface=<网卡名称> | 将某个网卡与区域进行关联 |
| --list-all | 显示当前区域的网卡配置参数、资源、端口以及服务等信息 |
| --list-all-zones | 显示所有区域的网卡配置参数、资源、端口以及服务等信息 |
| --add-service=<服务名> | 设置默认区域允许该服务的流量 |
| --add-port=<端口号/协议> | 设置默认区域允许该端口的流量 |
| --remove-service=<服务名> | 设置默认区域不再允许该服务的流量 |
| --remove-port=<端口号/协议> | 设置默认区域不再允许该端口的流量 |
| --reload | 让“永久生效”的配置规则立即生效,并覆盖当前的配置规则 |
| --panic-on | 开启应急状况模式 |
| --panic-off | 关闭应急状况模式 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82firewall-cmd --get-default-zone public firewall-cmd --get-zone-of-interface=eno16777728 public firewall-cmd --permanent --zone=external --change-interface= eno16777728 success firewall-cmd --get-zone-of-interface=eno16777728 public firewall-cmd --permanent --get-zone-of-interface=eno16777728 external firewall-cmd --set-default-zone=public success firewall-cmd --get-default-zone public firewall-cmd --panic-on success firewall-cmd --panic-off success firewall-cmd --zone=public --query-service=ssh yes firewall-cmd --zone=public --query-service=https no firewall-cmd --zone=public --add-service=https success firewall-cmd --permanent --zone=public --add-service=https success firewall-cmd --reload success firewall-cmd --permanent --zone=public --remove-service=http success firewall-cmd --reload success firewall-cmd --zone=public --add-port=8080-8081/tcp success firewall-cmd --zone=public --list-ports 8080-8081/tcp #流量转发命令格式 #firewall-cmd --permanent --zone=<区域> --add-forward-port=port= <源端口号>:proto=<协议>:toport=<目标端口号>:toaddr=<目标IP地址> firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10 success firewall-cmd --reload success ssh -p 888 192.168.10.10 The authenticity of host '[192.168.10.10]:888 ([192.168.10.10]:888)' can't be established. ECDSA key fingerprint is b8:25:88:89:5c:05:b6:dd:ef:76:63:ff:1a:54:02:1a. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[192.168.10.10]:888' (ECDSA) to the list of known hosts. root@192.168.10.10's password:此处输入远程root管理员的密码 Last login: Sun Jul 19 21:43:48 2017 from 192.168.10.10 firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject" success firewall-cmd --reload success ssh 192.168.10.10 Connecting to 192.168.10.10:22... Could not connect to '192.168.10.10' (port 22): Connection failed.
允许控制列表文件(/etc/hosts.allow)
拒绝控制列表文件(/etc/hosts.deny)
| 客户端类型 | 示例 | 满足示例的客户端列表 |
|---|---|---|
| 单一主机 | 192.168.10.10 | IP地址为192.168.10.10的主机 |
| 指定网段 | 192.168.10. | IP段为192.168.10.0/24的主机 |
| 指定网段 | 192.168.10.0/255.255.255.0 | IP段为192.168.10.0/24的主机 |
| 指定DNS后缀 | .linuxprobe.com | 所有DNS后缀为.linuxprobe.com的主机 |
| 指定主机名称 | www.linuxprobe.com | 主机名称为www.linuxprobe.com的主机 |
| 指定所有客户端 | ALL | 所有主机全部包括在内 |
编写拒绝策略规则时,填写的是服务名称,而非协议名称
先编写拒绝策略规则,再编写允许策略规则
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37vim /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers sshd:* ssh 192.168.10.10 ssh_exchange_identification: read: Connection reset by peer vim /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers sshd:192.168.10. ssh 192.168.10.10 The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established. ECDSA key fingerprint is 70:3b:5d:37:96:7b:2e:a5:28:0d:7e:dc:47:6a:fe:5c. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts. root@192.168.10.10's password: Last login: Wed May 4 07:56:29 2017
Copyright ©2010-2022 比特日记 All Rights Reserved.