Installing and configuring the firewalld firewall on Arch Linux

Source: Internet
Author: User
Tags: symlink, ssh, iptables, arch linux


This article describes installing and configuring the firewalld firewall on Arch Linux (on the CentOS 7.x series, firewalld is installed and enabled by default).

[root@centos6 ~]# chkconfig --list | grep iptables    # on the CentOS 6.x series iptables is enabled by default
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
################################################################################
[root@centos7 ~]# systemctl list-unit-files | grep firewalld    # on CentOS 7 firewalld is enabled by default
firewalld.service enabled
[root@centos7 ~]# firewall-cmd -v    # the CentOS 7.x firewalld version is 0.3.9
0.3.9
################################################################################
[root@arch ~]# systemctl list-unit-files | grep firewalld    # not installed on Arch; install it with pacman -S firewalld
firewalld.service disabled
[root@arch ~]# firewall-cmd -v    # firewalld version 0.3.13
0.3.13
[root@arch ~]# systemctl start firewalld    # start the firewalld firewall
[root@arch ~]# firewall-cmd --state    # check the firewalld state
running
[root@arch ~]# systemctl enable firewalld    # start firewalld at boot
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.firewalld1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@arch ~]# systemctl list-unit-files | grep firewalld
firewalld.service enabled
[root@arch zones]# pwd
/usr/lib/firewalld/zones    # firewalld default (vendor) zone files
[root@arch zones]# pwd
/etc/firewalld/zones    # firewalld system (administrator) zone files
[root@arch ~]# firewall-cmd --get-zones    # zones provided by firewalld
block dmz drop external home internal public trusted work
[root@arch ~]# firewall-cmd --get-default-zone    # show the default zone
[root@arch ~]# firewall-cmd --set-default-zone=public    # set the default zone
[root@arch ~]# firewall-cmd --zone=public --list-all    # everything enabled in the public zone
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@arch ~]# firewall-cmd --zone=public --add-interface=eno16777736    # add eno16777736 to the public zone
[root@arch ~]# firewall-cmd --get-zone-of-interface=eno16777736    # show which zone eno16777736 belongs to
[root@arch ~]# firewall-cmd --zone=public --remove-interface=eno16777736    # remove interface eno16777736 from the public zone
[root@arch ~]# firewall-cmd --zone=public --list-services    # list the services enabled in public; the default is dhcpv6-client ssh
[root@arch ~]# firewall-cmd --zone=public --add-port=80/tcp    # open tcp port 80 in the public zone
[root@arch ~]# firewall-cmd --zone=public --remove-port=80/tcp    # close tcp port 80 in the public zone
[root@arch ~]# firewall-cmd --zone=dmz --remove-service=ssh    # remove the ssh service from the dmz zone
[root@arch ~]# firewall-cmd --zone=external --remove-service=ssh    # remove the ssh service from the external zone
[root@arch ~]# firewall-cmd --zone=home --remove-service=dhcpv6-client    # remove the dhcpv6-client service from the home zone
[root@arch ~]# firewall-cmd --zone=work --remove-service=ssh    # remove the ssh service from the work zone

Runtime (temporary) changes versus permanent changes:

[root@arch zones]# firewall-cmd --zone=work --add-service=ssh
success
[root@arch zones]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
</zone>
[root@arch zones]# firewall-cmd --zone=work --remove-service=ssh
success
[root@arch zones]# firewall-cmd --permanent --zone=work --add-service=ssh
success
[root@arch zones]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
</zone>
[root@arch zones]#

Note: without the --permanent parameter a change is applied only to the running configuration and is lost after firewall-cmd --reload (or a restart), so it is recommended to add --permanent to every configuration command. Conversely, a --permanent change is only written to the zone file under /etc/firewalld/zones/ and does not affect the running firewall until firewall-cmd --reload.

Configuration demo:

[root@arch /]# ls /sys/class/net/    # the external interface of my VM is eno16777736; on a real server it may be enp3s1, eth1 or similar
eno16777736  lo
[root@arch /]# firewall-cmd --permanent --new-zone=personal    # create a new zone named personal
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-service=ssh    # add the ssh service to the personal zone
[root@arch ~]# firewall-cmd --permanent --zone=public --remove-interface=eno16777736    # remove the network card from the public zone
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-interface=eno16777736    # add the network card to the personal zone
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-port=443/tcp    # open tcp port 443 in personal
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-service=http    # add the http service to personal
[root@arch ~]# firewall-cmd --set-default-zone=personal    # make personal the default zone
[root@arch /]# firewall-cmd --reload    # load the permanent configuration into the running firewall

iptables vs. firewalld:

[root@centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT    # allow connections to port 22
[root@centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 ! -s 1.1.1.1/32 -j DROP    # drop packets to port 22 whose source IP is not 1.1.1.1
################################################################################
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-port=22/tcp    # or, equivalently: firewall-cmd --permanent --zone=personal --add-service=ssh
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-rich-rule='rule family="ipv4" source address="1.1.1.1/32" service name="ssh" accept'    # takes effect after firewall-cmd --reload (reference: man firewalld.richlanguage)
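The permanent configuration that --permanent writes is exactly the zone XML shown in the work.xml listing above, so it can be audited offline without running firewall-cmd. The following Python script is an added example, not code from the original article or from the firewalld project: it parses zone files in that format (zone-wide service and port entries plus rich rules, as documented in firewalld.zone(5)) and reports which source addresses can reach ssh in each zone. The two XML documents are constructed for the demo; the zone name "personal" and the address 1.1.1.1/32 follow the configuration demo above, everything else is an assumption. The check it performs matters for the iptables comparison: a service or port enabled zone-wide is accepted from every source the zone applies to, so a rich rule carrying a source address only restricts ssh when the zone-wide entry is absent.

```python
# Added example (not from the original article or the firewalld project):
# parse firewalld permanent zone files (/etc/firewalld/zones/*.xml) and
# report who can reach ssh in each zone.  Sample XML is constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample 1: the personal zone as built in the configuration demo,
# with the ssh service enabled zone-wide AND a source-restricted rich rule.
PERSONAL_OPEN = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>personal</short>
  <service name="ssh"/>
  <service name="http"/>
  <port protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="1.1.1.1/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""

# Constructed sample 2: same zone, but ssh is reachable only through the rich
# rule, which mirrors the "! -s 1.1.1.1/32 -j DROP" iptables rule above.
PERSONAL_RESTRICTED = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>personal</short>
  <service name="http"/>
  <port protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="1.1.1.1/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""


@dataclass
class RichRule:
    family: str
    source: Optional[str]   # None means "any source"
    service: Optional[str]
    port: Optional[str]     # "port/protocol"
    action: str             # accept, reject or drop


@dataclass
class Zone:
    name: str
    services: Set[str]
    ports: Set[str]         # {"443/tcp", ...}
    rich_rules: List[RichRule]


def parse_zone(xml_text: str) -> Zone:
    """Read the zone-wide services/ports and the rich rules of one zone file."""
    root = ET.fromstring(xml_text)
    services = {s.get("name") for s in root.findall("service")}
    ports = {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}
    rules = []
    for r in root.findall("rule"):
        src, svc, prt = r.find("source"), r.find("service"), r.find("port")
        # the action is whichever of accept/reject/drop appears as a child element
        action = next((c.tag for c in r if c.tag in ("accept", "reject", "drop")), "accept")
        rules.append(RichRule(
            family=r.get("family", "ipv4"),
            source=src.get("address") if src is not None else None,
            service=svc.get("name") if svc is not None else None,
            port=f"{prt.get('port')}/{prt.get('protocol')}" if prt is not None else None,
            action=action,
        ))
    return Zone(root.findtext("short", default="?"), services, ports, rules)


def ssh_sources(zone: Zone) -> Optional[Set[str]]:
    """Source addresses allowed to reach ssh in this zone.

    None means any source: the ssh service or 22/tcp is enabled zone-wide, so
    every host the zone applies to is accepted regardless of the rich rules.
    An empty set means nothing in the zone accepts ssh.
    """
    if "ssh" in zone.services or "22/tcp" in zone.ports:
        return None
    allowed = set()
    for r in zone.rich_rules:
        if r.action == "accept" and (r.service == "ssh" or r.port == "22/tcp"):
            if r.source is None:
                return None        # an unrestricted rich rule also opens it to all
            allowed.add(r.source)
    return allowed


def audit(xml_text: str) -> List[str]:
    """One finding per zone file, phrased as a configuration-review note."""
    zone = parse_zone(xml_text)
    sources = ssh_sources(zone)
    if sources is None:
        finding = f"{zone.name}: ssh accepted from any source"
        restricted = [r.source for r in zone.rich_rules if r.service == "ssh" and r.source]
        if restricted:
            finding += f" (rich rule limiting ssh to {', '.join(restricted)} is redundant)"
        return [finding]
    if not sources:
        return [f"{zone.name}: ssh not reachable"]
    return [f"{zone.name}: ssh limited to {', '.join(sorted(sources))}"]


if __name__ == "__main__":
    for sample in (PERSONAL_OPEN, PERSONAL_RESTRICTED):
        for line in audit(sample):
            print(line)
```

Run against real files by reading each /etc/firewalld/zones/*.xml into audit(); because it reads the permanent files, it reflects what will be live after firewall-cmd --reload, not necessarily what is live now.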
