This article describes installing and configuring the firewalld firewall on Arch Linux (on the CentOS 7.x series firewalld is enabled by default, so it can be used directly).
[root@centos6 ~]# chkconfig --list | grep iptables   # on the CentOS 6.x series iptables is on by default
iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off
################################################################################
[root@centos7 ~]# systemctl list-unit-files | grep firewalld   # firewalld is enabled by default on CentOS 7
firewalld.service enabled
[root@centos7 ~]# firewall-cmd -V   # the firewalld version on the CentOS 7.x system is 0.3.9
0.3.9
################################################################################
[root@arch ~]# systemctl list-unit-files | grep firewalld   # not installed on Arch by default; install it with pacman -S firewalld
firewalld.service disabled
[root@arch ~]# firewall-cmd -V   # firewalld version 0.3.13
0.3.13
[root@arch ~]# systemctl start firewalld   # start the firewalld firewall
[root@arch ~]# firewall-cmd --state   # check the firewalld state
running
[root@arch ~]# systemctl enable firewalld   # start firewalld at boot
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@arch ~]# systemctl list-unit-files | grep firewalld
firewalld.service enabled
[root@arch zones]# pwd
/usr/lib/firewalld/zones   # firewalld default zone files (shipped with the package)
[root@arch zones]# pwd
/etc/firewalld/zones   # firewalld system zone files (local configuration; overrides the defaults)
[root@arch ~]# firewall-cmd --get-zones   # zones supported by firewalld
block dmz drop external home internal public trusted work
[root@arch ~]# firewall-cmd --get-default-zone   # get the default zone
[root@arch ~]# firewall-cmd --set-default-zone=public   # set the default zone
[root@arch ~]# firewall-cmd --zone=public --list-all   # everything enabled in the public zone
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@arch ~]# firewall-cmd --zone=public --add-interface=eno16777736   # add eno16777736 to the public zone
[root@arch ~]# firewall-cmd --get-zone-of-interface=eno16777736   # show which zone eno16777736 is in
[root@arch ~]# firewall-cmd --zone=public --remove-interface=eno16777736   # remove the eno16777736 interface from the public zone
[root@arch ~]# firewall-cmd --zone=public --list-services   # show which services public enables; the default is dhcpv6-client ssh
[root@arch ~]# firewall-cmd --zone=public --add-port=80/tcp   # open tcp port 80 in the public zone
[root@arch ~]# firewall-cmd --zone=public --remove-port=80/tcp   # remove tcp port 80 from the public zone
[root@arch ~]# firewall-cmd --zone=dmz --remove-service=ssh   # remove the ssh service from the dmz zone
[root@arch ~]# firewall-cmd --zone=external --remove-service=ssh   # remove the ssh service from the external zone
[root@arch ~]# firewall-cmd --zone=home --remove-service=dhcpv6-client   # remove the dhcpv6-client service from the home zone
[root@arch ~]# firewall-cmd --zone=work --remove-service=ssh   # remove the ssh service from the work zone
Runtime (temporary) changes versus permanent changes:
[root@arch zones]# firewall-cmd --zone=work --add-service=ssh   # runtime only: the zone file on disk does not change
success
[root@arch zones]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
</zone>
[root@arch zones]# firewall-cmd --zone=work --remove-service=ssh
success
[root@arch zones]# firewall-cmd --permanent --zone=work --add-service=ssh   # permanent: written to the zone file
success
[root@arch zones]# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
</zone>
[root@arch zones]#
Note: without the --permanent parameter, the configuration is lost after firewall-cmd --reload (it only lives in the running firewalld), so it is recommended that every configuration command include --permanent. Conversely, a --permanent change is only written to /etc/firewalld/zones and becomes active after firewall-cmd --reload.
Configuration demo:
[root@arch /]# ls /sys/class/net/   # my VM's external interface is eno16777736; on a real server it may be something like enp3s1 or eth1
eno16777736  lo
[root@arch /]# firewall-cmd --permanent --new-zone=personal   # add a new zone named personal
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-service=ssh   # add the ssh service to the personal zone
[root@arch ~]# firewall-cmd --permanent --zone=public --remove-interface=eno16777736   # remove the network card from the public zone
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-interface=eno16777736   # add the network card to the personal zone
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-port=443/tcp   # open tcp port 443 in personal
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-service=http   # add http service support to personal
[root@arch ~]# firewall-cmd --set-default-zone=personal   # make personal the default zone
[root@arch /]# firewall-cmd --reload   # activate the permanent configuration
iptables vs firewalld:
[root@centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT   # open port 22 (allow it through)
[root@centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 ! -s 1.1.1.1/32 -j DROP   # drop packets to port 22 whose source IP is not 1.1.1.1
################################################################################
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-port=22/tcp   # or: firewall-cmd --permanent --zone=personal --add-service=ssh
[root@arch ~]# firewall-cmd --permanent --zone=personal --add-rich-rule='rule family="ipv4" source address="1.1.1.1/32" service name="ssh" accept'   # takes effect after firewall-cmd --reload (reference: man firewalld.richlanguage)
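The configuration demo and the ssh source restriction above combined into one script, as an added example that is not part of the original post: it builds the personal zone with --permanent, reloads, then checks both the runtime zone and the zone file on disk. It assumes firewalld and root, takes the interface name as an argument, and swaps the demo's unrestricted --add-service=ssh for the rich rule (1.1.1.1/32 is the post's sample address); note that the iptables pair above only behaves the same way if the DROP is inserted before the ACCEPT, because -A appends and the first matching rule wins.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the "personal" zone from the
# configuration demo with --permanent, reloads, and verifies that the runtime zone
# and the zone file on disk agree. Assumes firewalld, root, and the interface as $2.
set -eu

ZONE_DIR=/etc/firewalld/zones   # permanent zone files (the post's second pwd)

# Does a zone XML file declare <service name="NAME"/>? Same check the post makes
# by cat-ing work.xml after --permanent --add-service.
zone_xml_has_service() {
    grep -q "<service name=\"$2\"/>" "$1"
}

# Does a zone XML file open PORT/PROTO (e.g. 443/tcp)? Attribute order is not assumed.
zone_xml_has_port() {
    grep "<port " "$1" | grep "port=\"${2%/*}\"" | grep -q "protocol=\"${2#*/}\""
}

apply_personal_zone() {
    iface=$1
    # --permanent only writes $ZONE_DIR/personal.xml; nothing is live until --reload
    firewall-cmd --permanent --new-zone=personal
    firewall-cmd --permanent --zone=personal --add-service=http
    firewall-cmd --permanent --zone=personal --add-port=443/tcp
    # Instead of opening ssh to everyone, accept it only from the post's sample
    # source 1.1.1.1/32; other sources fall through to the zone's default (reject).
    firewall-cmd --permanent --zone=personal \
        --add-rich-rule='rule family="ipv4" source address="1.1.1.1/32" service name="ssh" accept'
    # The interface may not be bound through public.xml at all, so do not abort here
    firewall-cmd --permanent --zone=public --remove-interface="$iface" || true
    firewall-cmd --permanent --zone=personal --add-interface="$iface"
    firewall-cmd --reload                      # personal now exists at runtime ...
    firewall-cmd --set-default-zone=personal   # ... so it can be made the default
    firewall-cmd --zone=personal --list-all    # runtime view
    zone_xml_has_service "$ZONE_DIR/personal.xml" http && echo "http persisted"
    zone_xml_has_port "$ZONE_DIR/personal.xml" 443/tcp && echo "443/tcp persisted"
}

# This changes live firewall state, so run it only when asked:
#   sh personal-zone.sh apply eno16777736
if [ "${1:-}" = apply ]; then
    apply_personal_zone "${2:?usage: $0 apply <interface>}"
fi
```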