Linux Admin Concise Tutorial

Linux Admin - Firewall Setup

firewalld is the default front-end controller for iptables on CentOS. The firewalld front-end has two main advantages over raw iptables −

  1. Uses easy-to-configure and implement zones abstracting chains and rules.

  2. Rulesets are dynamic, meaning stateful connections are uninterrupted when the settings are changed and/or modified.

Remember, firewalld is a wrapper for iptables - not a replacement. While custom iptables commands can be used alongside firewalld, it is recommended to use firewalld so as not to break the firewall functionality.

First, let’s make sure firewalld is both started and enabled.

[root@CentOS rdc]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-01-26 21:42:05 MST; 3h 46min ago
 Docs: man:firewalld(1)
Main PID: 712 (firewalld)
  Memory: 34.7M
 CGroup: /system.slice/firewalld.service
       └─712 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

We can see that firewalld is both enabled (to start on boot) and active (currently running). If it is inactive or not started, we can use −

systemctl start firewalld && systemctl enable firewalld

Now that we have our firewalld service configured, let’s make sure it is operational.

[root@CentOS]# firewall-cmd --state
running
[root@CentOS]#

We can see that the firewalld service is fully functional.

Firewalld works on the concept of zones. A zone is applied to network interfaces through the Network Manager. We will discuss this when configuring networking. For now, note that changing the default zone changes the zone of any network adapter that has been left in the default state, i.e. not explicitly assigned a zone.

Let’s take a quick look at each zone that comes out-of-the-box with firewalld.

  1. drop − Low trust level. All incoming connections and packets are dropped; only outgoing connections are possible via statefulness.

  2. block − Incoming connections are replied to with an ICMP message letting the initiator know the request is prohibited.

  3. public − All networks are restricted. However, selected incoming connections can be explicitly allowed.

  4. external − Configures firewalld for NAT. The internal network remains private but reachable.

  5. dmz − Only certain incoming connections are allowed. Used for systems in DMZ isolation.

  6. work − By default, trusts more computers on the network, assuming the system is in a secured work environment.

  7. home − By default, more services are unfiltered, assuming the system is on a home network where services such as NFS, SAMBA and SSDP will be used.

  8. trusted − All machines on the network are trusted. Most incoming connections are allowed unfettered. This is not meant for interfaces exposed to the Internet.

The most common zones to use are: public, drop, work, and home.

Some scenarios where each common zone would be used are −

  1. public − This is the most common zone used by an administrator. It lets you apply custom settings while abiding by RFC specifications for operations on a LAN.

  2. drop − A good example of when to use drop is at a security conference, on public WiFi, or on an interface connected directly to the Internet. drop assumes all unsolicited requests are malicious, including ICMP probes, so any request that is out of state will not receive a reply. The downside of drop is that it can break the functionality of applications in situations requiring strict RFC compliance.

  3. work − You are on a semi-secure corporate LAN where all traffic can be assumed moderately safe. This means it is not WiFi, and there are possibly IDS, IPS, physical security or 802.1x in place. You should also be familiar with the people using the LAN.

  4. home − You are on a home LAN. You are personally accountable for every system and user on the LAN. You know every machine on the LAN and that none has been compromised. Often new services are brought up for media sharing amongst trusted individuals, and you don’t need to take extra time for the sake of security.

Zones and network interfaces work on a one-to-many basis. One network interface can only have a single zone applied to it at a time, while a zone can be applied to many interfaces simultaneously.

Let’s see what zones are available and which zone is currently the default.

[root@CentOS]# firewall-cmd --get-zones
 work drop internal external trusted home dmz public block
[root@CentOS]# firewall-cmd --get-default-zone
public
[root@CentOS]#
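The one-zone-per-interface rule above can be checked directly from firewalld’s own output. The following POSIX sh script is an added example, not part of the original tutorial: it parses the output of `firewall-cmd --get-active-zones` (a zone name on an unindented line followed by an indented `interfaces:` line), maps each interface to its zone, and flags any interface that appears under more than one zone. The `SAMPLE_ACTIVE_ZONES` text is constructed for offline use and was not captured from the tutorial’s host; the function names are this example’s own.

```shell
#!/bin/sh
# Added example: map interfaces to zones from `firewall-cmd --get-active-zones`.
# Output format assumed: an unindented zone name, then indented
# "interfaces: ..." (and possibly "sources: ...") lines beneath it.

# Constructed sample of --get-active-zones output (not from a real host).
SAMPLE_ACTIVE_ZONES='public
  interfaces: enp0s5
work
  interfaces: enp0s8 enp0s9
'

# interface_zones TEXT -> prints "iface zone" pairs, one per line
interface_zones() {
  printf '%s\n' "$1" | awk '
    /^[^[:space:]]/ { zone = $1; next }                     # unindented line: zone name
    $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }
  '
}

# zone_of TEXT IFACE -> prints the zone holding IFACE; returns 1 if IFACE is unassigned
zone_of() {
  z=$(interface_zones "$1" | awk -v want="$2" '$1 == want { print $2 }')
  [ -n "$z" ] || return 1
  printf '%s\n' "$z"
}

# check_unique TEXT -> succeeds only when no interface is listed under two zones
check_unique() {
  dups=$(interface_zones "$1" | awk '{ print $1 }' | sort | uniq -d)
  [ -z "$dups" ]
}

# Live usage on a firewalld host (hypothetical interface name enp0s5):
#   zone_of "$(firewall-cmd --get-active-zones)" enp0s5
#   check_unique "$(firewall-cmd --get-active-zones)" || echo "interface in two zones"
```

An interface missing from the active-zone listing is simply using the default zone, which is why `zone_of` returning failure should be read as "default zone applies", not as an error.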

Ready to add some customized rules in firewalld?

First, let’s see what our box looks like to a port scanner from outside.

bash-3.2# nmap -sS -p 1-1024 -T 5  10.211.55.1

Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:36 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00046s latency).
Not shown: 1023 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh


Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
bash-3.2#

Let’s allow the incoming requests to port 80.

First, check to see what zone is applied as default.

[root@CentOs]# firewall-cmd --get-default-zone
public
[root@CentOS]#

Then, add the rule allowing port 80 to the current default zone.

[root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@CentOS]#

Now, let’s check our box after allowing port 80 connections.

bash-3.2# nmap -sS -p 1-1024 -T 5  10.211.55.1

Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:42 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00053s latency).
Not shown: 1022 filtered ports
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
bash-3.2#

It now allows unsolicited traffic to port 80. Note that nmap reports the port as closed rather than filtered: the probe was passed by the firewall and reached the host, which answered with a TCP reset because no service is listening on port 80 yet.

Let’s set the default zone to drop and see what happens to the port scan.

[root@CentOS]# firewall-cmd --set-default-zone=drop
success

[root@CentOS]# firewall-cmd --get-default-zone
drop

[root@CentOs]#

Now let’s scan the host with the network interface in a more secure zone.

bash-3.2# nmap -sS -p 1-1024 -T 5  10.211.55.1
Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:50 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00094s latency).
All 1024 scanned ports on centos.shared (10.211.55.1) are filtered

Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
bash-3.2#

Now, everything is filtered from outside.

As demonstrated below, the host will not even respond to ICMP ping requests when in drop.

bash-3.2# ping 10.211.55.1
PING 10.211.55.1 (10.211.55.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

Let’s set the default zone to public again.

[root@CentOs]# firewall-cmd --set-default-zone=public
success

[root@CentOS]# firewall-cmd --get-default-zone
public

[root@CentOS]#

Now let’s check our current filtering ruleset in public.

[root@CentOS]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s5
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@CentOS rdc]#

As configured, our port 80 filter rule exists only in the running (runtime) configuration. This means that once the system is rebooted or the firewalld service is restarted, our rule will be discarded.

We will be configuring an httpd daemon soon, so let’s make our changes persistent −

[root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success

[root@CentOS]# systemctl restart firewalld

[root@CentOS]#

Now our port 80 rule in the public zone persists across reboots and service restarts.
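The runtime/permanent split described above is a common source of surprises: a rule added without `--permanent` silently disappears on restart, and a rule added only with `--permanent` is not active until the next reload or restart (the tutorial uses `systemctl restart firewalld`; `firewall-cmd --reload` achieves the same without dropping state). The following POSIX sh script is an added example, not part of the original tutorial: it compares a zone’s runtime port list with its permanent port list and reports drift in either direction. The `RUNTIME_PORTS` and `PERMANENT_PORTS` values are constructed to mirror the tutorial’s state before `--permanent` was used; `set_diff` and `report_drift` are this example’s own names.

```shell
#!/bin/sh
# Added example: detect drift between a zone's runtime and permanent port rules.
# Runtime-only ports are lost on restart; permanent-only ports are not yet active.

# set_diff "A" "B": prints the whitespace-separated words of A that are absent from B
set_diff() {
  for a in $1; do
    found=0
    for b in $2; do
      [ "$a" = "$b" ] && found=1 && break
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$a"
  done
  return 0
}

# report_drift RUNTIME PERMANENT: prints one line per drift kind; returns 1 if any drift
report_drift() {
  rt_only=$(set_diff "$1" "$2")
  pm_only=$(set_diff "$2" "$1")
  # $(echo $var) collapses the newline-separated list back to one line
  [ -n "$rt_only" ] && printf 'runtime-only (lost on restart): %s\n' "$(echo $rt_only)"
  [ -n "$pm_only" ] && printf 'permanent-only (not yet active): %s\n' "$(echo $pm_only)"
  [ -z "$rt_only" ] && [ -z "$pm_only" ]
}

# Constructed sample mirroring the tutorial before --permanent: 80/tcp only at runtime
RUNTIME_PORTS='80/tcp'
PERMANENT_PORTS=''

# Live usage on a firewalld host, checking the public zone:
#   report_drift "$(firewall-cmd --zone=public --list-ports)" \
#                "$(firewall-cmd --zone=public --list-ports --permanent)" \
#     || echo "public zone: runtime and permanent port rules differ"
```

The same comparison works for services (`--list-services` with and without `--permanent`), since both commands print a whitespace-separated list; running it from a periodic job is an easy way to catch a rule that was opened "temporarily" and either forgotten or never saved.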

Following are the common firewalld operations, applied with firewall-cmd.

  1. firewall-cmd --get-zones − Lists all zones that can be applied to an interface.

  2. firewall-cmd --state − Returns the current status of the firewalld service.

  3. firewall-cmd --get-default-zone − Gets the current default zone.

  4. firewall-cmd --set-default-zone=<zone> − Sets the default zone in the current context.

  5. firewall-cmd --get-active-zones − Gets the zones currently in context as applied to an interface.

  6. firewall-cmd --zone=<zone> --list-all − Lists the configuration of the supplied zone.

  7. firewall-cmd --zone=<zone> --add-port=<port/transport protocol> − Applies a port rule to the zone filter.

  8. --permanent − Makes changes to the zone persistent. The flag is used inline with modification commands.

These are the basic concepts of administering and configuring firewalld.

Configuring host-based firewall services in CentOS can be a complex task in more sophisticated networking scenarios. Advanced usage and configuration of firewalld and iptables in CentOS could fill an entire tutorial. However, we have presented the basics, which should be enough to complete the majority of daily tasks.