Note: this guide has two parts. Part one is the regular configuration method; part two is the set (ipset) configuration method.
The regular method covers restrictions by port, by service, and by source address.
The ipset method restricts by a combination of source address and port, where the source is a set of IP addresses; individual addresses and whole networks can be added to the set at will.
I. Regular configuration method:
1. Port restrictions
1) Open UDP ports 161/162
firewall-cmd --permanent --zone=public --add-port=161/udp
firewall-cmd --permanent --zone=public --add-port=162/udp
--permanent writes the rule to the saved configuration under /etc/firewalld/ so it survives a reload and a reboot; it does not change the running rules until --reload. Without --permanent the change applies immediately but is lost at the next reload.
firewall-cmd --reload //reload the firewall rules: the saved configuration becomes the running configuration
2) Close UDP ports 161/162
firewall-cmd --permanent --zone=public --remove-port=161/udp
firewall-cmd --permanent --zone=public --remove-port=162/udp
firewall-cmd --reload
3) Open a contiguous port range (1000-2000)
firewall-cmd --permanent --zone=public --add-port=1000-2000/tcp
firewall-cmd --reload
4) Open non-contiguous ports (9000, 9001)
firewall-cmd --permanent --zone=public --add-port=9000/tcp --add-port=9001/tcp
firewall-cmd --reload
2. Service restrictions, e.g. the ssh service (a service entry opens the service's ports to every source in the zone)
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --reload
3. Source address and port restrictions (rich rules; the rule text must be single-quoted for the shell because it contains double quotes, and a removal must use the same text, in the same zone, as the addition)
1) Allow one IP address on one port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="111.13.124.226/32" port port="4505" protocol="tcp" accept'
firewall-cmd --reload
2) Remove the allow rule for that IP address and port
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="111.13.124.226/32" port port="4505" protocol="tcp" accept'
firewall-cmd --reload
3) Allow one IP address on a contiguous port range
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.81.190/32" port port="8080-8081" protocol="tcp" accept'
firewall-cmd --reload
4) Remove the allow rule for that IP address and port range
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.81.190/32" port port="8080-8081" protocol="tcp" accept'
firewall-cmd --reload
4. Viewing open ports and services (with --permanent these commands show the saved configuration; drop --permanent to see the running configuration)
1) List services (sample output: dhcpv6-client https ssh)
firewall-cmd --permanent --zone=public --list-services
2) List ports (sample output: 8080-8081/tcp 8388/tcp 80/tcp)
firewall-cmd --permanent --zone=public --list-ports
3) Check whether a port is open in the running rules (e.g. the port 8080 added above); prints yes or no
firewall-cmd --zone=public --query-port=8080/tcp
4) List all rich rules
firewall-cmd --list-rich-rules
5) List everything in the default zone
firewall-cmd --list-all
6) Apply the saved configuration
firewall-cmd --reload
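A source-restricted rich rule (section 3) only restricts anything if the zone does not also open the same port to every source through its ports: or services: line; if it does, the zone-wide entry accepts the traffic from any address and the rich rule is dead weight. The script below, an added example that is not part of the original guide, audits a --list-all dump for that mistake. The zone text is a constructed sample, not captured from a real host, and the service-to-port map covers only the three services in that sample, using the standard firewalld service definitions.

```sh
#!/bin/sh
# Audit a zone dump for source-restricted rich rules whose port is also
# opened to every source by the zone's "ports:" or "services:" line.
# Such a rich rule adds nothing: the zone-wide opening already accepts
# the traffic from any address.

# Constructed sample (not captured from a real host): what
# `firewall-cmd --zone=public --list-all` prints after following the
# regular steps above and adding three rich rules.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports: 8080-8081/tcp 8388/tcp 80/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source ipset="permit_22_input" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="192.168.81.190/32" port port="8080-8081" protocol="tcp" accept
        rule family="ipv4" source address="10.0.0.0/8" port port="4505" protocol="tcp" accept'

# service_port: port/proto behind a service name. Only the services in the
# sample are mapped, from the standard firewalld service definitions;
# unknown services print nothing and are skipped.
service_port() {
  case "$1" in
    ssh)   echo 22/tcp ;;
    http)  echo 80/tcp ;;
    https) echo 443/tcp ;;
    *)     echo "" ;;
  esac
}

# zone_open_ports: every port/proto the zone accepts from all sources,
# collected from the "ports:" line and from the "services:" line.
zone_open_ports() {
  printf '%s\n' "$1" | awk '/^  ports:/ { for (i = 2; i <= NF; i++) print $i }'
  for svc in $(printf '%s\n' "$1" | awk '/^  services:/ { for (i = 2; i <= NF; i++) print $i }'); do
    p=$(service_port "$svc")
    [ -n "$p" ] && echo "$p"
  done
  return 0
}

# shadowed_rules: port/proto of each rich rule that restricts the source
# (source address= or source ipset=) but whose port is open zone-wide anyway.
shadowed_rules() {
  open=$(zone_open_ports "$1")
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]+rule .*source .* port port=' \
    | sed -E 's/.*port port="([^"]+)" protocol="([^"]+)".*/\1\/\2/' \
    | while read -r pp; do
        for o in $open; do
          [ "$o" = "$pp" ] && echo "$pp"
        done
      done
  return 0
}

# Stand-alone run: report the shadowed rules in the constructed sample.
shadowed_rules "$SAMPLE_ZONE" | while read -r pp; do
  echo "WARNING: source restriction on $pp is ineffective: $pp is open to all sources in the zone"
done
```

On a real host replace SAMPLE_ZONE with the output of firewall-cmd --zone=public --list-all (and extend service_port for any other service the zone lists). In the sample, the ipset rule for 22/tcp is shadowed by the ssh service and the 192.168.81.190 rule by the 8080-8081/tcp port entry; only the 4505 rule actually restricts anything.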
II. ipset set configuration method:
Configuration logic:
1) Create the ipset configuration file by hand
2) Fill in the addresses following the template
3) Apply the ipset in a rule
4) Add or remove IP addresses
1. Create the ipset configuration file by hand
Note: naming convention for sets: permit_<port>_input
The system ships with no ipset configuration files, so create the directory and the file yourself:
mkdir -p /etc/firewalld/ipsets
Then create /etc/firewalld/ipsets/permit_22_input.xml with the content below (permit_22_input is the ipset name; the file name must match it, and firewalld only picks up a hand-written file after --reload). The same file can also be created with firewall-cmd --permanent --new-ipset=permit_22_input --type=hash:net and filled with the --add-entry commands from step 3.
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>white-list</short>
  <entry>192.168.1.1</entry>
  <entry>192.168.1.2</entry>
</ipset>
2. Apply the ipset in a rule (this goes into the default zone; add --zone=public to target a specific zone)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="permit_22_input" port port="22" protocol="tcp" accept'
firewall-cmd --reload
Caveat: this rule accepts 22/tcp only from the set, but if the zone also lists the ssh service (section I, 2) or the port 22/tcp, those entries accept 22/tcp from every source and the whitelist restricts nothing. Remove them (firewall-cmd --permanent --zone=public --remove-service=ssh) so the rich rule is the only accept path for port 22; with the public zone's default target, traffic matched by no rule is rejected. Make sure your own address is in the set, or have console access, before the --reload.
3. Add or remove an IP address
firewall-cmd --permanent --ipset=permit_22_input --add-entry="192.168.81.190"
firewall-cmd --permanent --ipset=permit_22_input --remove-entry="192.168.81.190"
firewall-cmd --reload
Note: with --permanent these commands edit the entries in the ipset's configuration file and take effect at --reload; without --permanent the running set changes immediately but the change is lost at the next reload.
List the addresses in the set
firewall-cmd --permanent --ipset=permit_22_input --get-entries
4. Clearing or deleting an ipset
Delete the ipset's XML configuration file (remove any rich rule that references the set first, then --reload):
firewall-cmd --permanent --delete-ipset=permit_22_input
Clear the kernel-side set. This only applies with the iptables backend, where firewalld creates a real ipset; with the nftables backend (the default since firewalld 0.6, i.e. RHEL 8 and later) the set is an nftables set, ipset destroy will not find it, and --reload removes it. ipset destroy also fails while an iptables rule still references the set.
ipset destroy permit_22_input
5. Viewing ipset information
1) List ipset names
firewall-cmd --get-ipsets
2) Show the details of one ipset (type, options, entries)
firewall-cmd --info-ipset permit_22_input
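Steps 1 to 3 above are one procedure: build the set, fill it, and make the rich rule the only accept path for the port. The script below, an added example that is not part of the original guide, carries that procedure through for one TCP port. Offline (the default) it validates the entries and prints the XML that belongs in /etc/firewalld/ipsets/<name>.xml; with APPLY_TO_FIREWALLD=1 it runs the firewall-cmd sequence instead, which needs root and a running firewalld. The entry addresses are a constructed sample, the APPLY_TO_FIREWALLD switch and the function names are this example's own, and the zone is assumed to be public.

```sh
#!/bin/sh
# Build and (optionally) apply an ipset whitelist for one TCP port.
# Offline by default: prints the XML for /etc/firewalld/ipsets/<name>.xml.
# With APPLY_TO_FIREWALLD=1 it runs the firewall-cmd sequence from the
# steps above instead (needs root and a running firewalld).

# valid_ipv4_net: accept "a.b.c.d" or "a.b.c.d/n" (octets 0-255, n 0-32),
# reject anything else. Returns 0 when valid, 1 otherwise.
valid_ipv4_net() {
  addr=${1%/*}
  if [ "$addr" != "$1" ]; then
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  # only digits and dots may remain (this also keeps glob characters out
  # of the unquoted expansion below)
  case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS
  IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    case "$oct" in ''|*[!0-9]*) return 1 ;; esac
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# ipset_xml: the firewalld ipset file for NAME with the given entries, in the
# same shape as the template above (hash:net, so hosts and networks both fit).
ipset_xml() {
  name=$1
  shift
  printf '<?xml version="1.0" encoding="utf-8"?>\n'
  printf '<ipset type="hash:net">\n'
  printf '  <short>%s</short>\n' "$name"
  for e in "$@"; do
    printf '  <entry>%s</entry>\n' "$e"
  done
  printf '</ipset>\n'
}

# build_whitelist_xml: validate every entry first and emit nothing if one is
# bad. Silently dropping an entry from an SSH whitelist would lock that admin
# out, so the whole file is refused instead (fail closed).
build_whitelist_xml() {
  name=$1
  shift
  for e in "$@"; do
    valid_ipv4_net "$e" || { echo "refusing to build $name: '$e' is not an IPv4 address or network" >&2; return 1; }
  done
  ipset_xml "$name" "$@"
}

# apply_whitelist: the permanent-config sequence for NAME on tcp/PORT.
# Every change is made with --permanent and lands at once on --reload, so a
# session from a whitelisted address is never cut off midway.
# --new-ipset fails with NAME_CONFLICT if the set already exists.
apply_whitelist() {
  name=$1
  port=$2
  shift 2
  firewall-cmd --permanent --new-ipset="$name" --type=hash:net
  for e in "$@"; do
    firewall-cmd --permanent --ipset="$name" --add-entry="$e"
  done
  # The whitelist only restricts anything if the zone no longer opens the
  # same port to every source; for 22 that means the ssh service as well.
  if firewall-cmd --permanent --zone=public --query-port="$port/tcp"; then
    firewall-cmd --permanent --zone=public --remove-port="$port/tcp"
  fi
  if [ "$port" = 22 ] && firewall-cmd --permanent --zone=public --query-service=ssh; then
    firewall-cmd --permanent --zone=public --remove-service=ssh
  fi
  firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source ipset=\"$name\" port port=\"$port\" protocol=\"tcp\" accept"
  firewall-cmd --reload
}

WHITELIST_NAME=permit_22_input
WHITELIST_PORT=22
# Constructed sample entries (not from the guide): two admin hosts and one
# management network.
if [ "${APPLY_TO_FIREWALLD:-0}" = 1 ]; then
  apply_whitelist "$WHITELIST_NAME" "$WHITELIST_PORT" 192.168.1.1 192.168.1.2 10.20.0.0/24
else
  build_whitelist_xml "$WHITELIST_NAME" 192.168.1.1 192.168.1.2 10.20.0.0/24
fi
```

Run it once offline and compare the printed XML with the template in step 1; then, from a console or from an address that is in the set, run APPLY_TO_FIREWALLD=1 sh whitelist.sh and confirm with firewall-cmd --info-ipset permit_22_input and firewall-cmd --zone=public --list-all that the ssh service is gone and the rich rule is present.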