CentOS 7 下的 Firewall

hk8lo

CentOS 7 默认实用的用Firewalld作为防火墙，摒弃了原先的iptables。但是内核还是使用iptable作为管理

参考文档
https://access.redhat.com/docume ... sing_Firewalls.html
http://www.myhome.net.tw/2015_02/p10.htm




firewall的启动和关闭命令

1 2 3 4 5

#systemctl start firewalld #systemctl enable firewalld #systemctl stop firewalld #systemctl disable firewalld #systemctl status firewalld

1Firewalld目录

/usr/lib/firewalld 这个目录是预设的设定资料，就是最原始的配置。可以在其目录下面看到很多的xml文件。
/etc/firewalld 存放现在正在实用的配置文档,如果下面没有就会采用/usr/lib/firewalld 目录中默认的配置文档。

2Friewall的命令
可以通过GUI界面来管理firewalld ,在有视窗的centos中，Applications->sundry->firewall可以来管理和配置
也可以通过命令行的方式来管理 firewall-cmd来具体的配置，可以实用man命令来了解firewalld相关命令的实用方式

1 2 3 4 5 6

# man firewalld.conf # man firewall-cmd # man firewalld.zone # man firewalld.service # man firewalld.icmptype # man firewalld.direct

常用的命令如下
1 添加http和https服务

1 2 3

# firewall-cmd --permanent --zone=public --add-service=http # firewall-cmd --permanent --zone=public --add-service=https #  firewall-cmd --reload（不中断连接加载）

其中 --permanent（翻译：永久）是永久修改

2 修改SSH的端口22到23456

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

[iyunv@localhost ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ [iyunv@localhost ~]# vi /etc/firewalld/services/ssh.xml <?xml version="1.0" encoding="utf-8"?> <service>   <short>SSH</short>   <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>   <port protocol="tcp" port="23456"/> </service> [iyunv@localhost ~]# firewall-cmd --complete-reload （中断连接加载） [iyunv@localhost ~]# vi /etc/ssh/sshd_config #       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file.  See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented.  Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Port 23456 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: [iyunv@localhost ~]# systemctl restart sshd [iyunv@localhost ~]# systemctl status sshd sshd.service - OpenSSH server daemon    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)    Active: active (running) since Mon 2015-08-31 17:47:22 CST; 25s ago Main PID: 12302 (sshd)    CGroup: /system.slice/sshd.service            ?..12302 /usr/sbin/sshd -D Aug 31 17:47:22 localhost.localdomain systemd[1]: Started OpenSSH server daemon. Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on 0.0.0.0 port 23456. Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on :: port 23456. Aug 31 17:47:23 localhost.localdomain python[12304]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 23456.                                                      *****  Plugin bind_ports (92.2 confidence) suggests   ************************... Hint: Some lines were ellipsized, use -l to show in full. [iyunv@localhost ~]#