Tags: centos 7 firewalld
CentOS 7 uses firewalld as its firewall by default, replacing the old iptables front end. Under the hood, however, the kernel rules are still managed through iptables.
Reference documents
https://access.redhat.com/documentation/zh-CN/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
http://www.myhome.net.tw/2015_02/p10.htm
[Figure: firewall_stack.png]
Commands for starting and stopping firewalld
# systemctl start firewalld
# systemctl enable firewalld
# systemctl stop firewalld
# systemctl disable firewalld
# systemctl status firewalld
1. Firewalld directories
/usr/lib/firewalld holds the default configuration data, i.e. the original, packaged configuration. You can see many XML files under this directory.
/etc/firewalld holds the configuration files currently in use; if a file is not present here, the default file from /usr/lib/firewalld is used instead.
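The lookup order just described (a file under /etc/firewalld shadows the one with the same name under /usr/lib/firewalld) is easy to check from a script. The following is an added example, not code from the original post: the function names are my own, the two root directories are parameters so the logic can be exercised on temporary directories, and their defaults are the real firewalld paths.

```bash
#!/bin/bash
# Added example (not from the original post): resolve which firewalld
# configuration file is actually in effect for a zone, service or icmptype.
# firewalld reads /etc/firewalld first and falls back to /usr/lib/firewalld.

# Usage: effective_firewalld_file <kind> <name> [etc_root] [lib_root]
#   kind: zones | services | icmptypes
#   name: object name without .xml, e.g. public or ssh
# Prints the path firewalld will use; returns 1 if neither copy exists.
effective_firewalld_file() {
    kind="$1"
    name="$2"
    etc_root="${3:-/etc/firewalld}"
    lib_root="${4:-/usr/lib/firewalld}"
    if [ -f "$etc_root/$kind/$name.xml" ]; then
        # a local copy shadows the packaged default
        printf '%s\n' "$etc_root/$kind/$name.xml"
    elif [ -f "$lib_root/$kind/$name.xml" ]; then
        printf '%s\n' "$lib_root/$kind/$name.xml"
    else
        return 1
    fi
}

# List every service definition that exists locally, marking which ones
# override a packaged default and which are entirely custom. Useful when
# auditing a host for deviations from the vendor configuration.
list_local_overrides() {
    etc_root="${1:-/etc/firewalld}"
    lib_root="${2:-/usr/lib/firewalld}"
    for f in "$etc_root"/services/*.xml; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        if [ -f "$lib_root/services/$base" ]; then
            printf 'override: %s (default: %s)\n' "$f" "$lib_root/services/$base"
        else
            printf 'custom:   %s\n' "$f"
        fi
    done
}
```

Run `effective_firewalld_file services ssh` on a CentOS 7 host to see which ssh.xml is live, and `list_local_overrides` to review everything under /etc/firewalld/services that differs from the packaged set.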
2. Firewall commands
firewalld can be managed through a GUI: on a CentOS system with a desktop, Applications -> Sundry -> Firewall lets you manage and configure it.
It can also be managed from the command line with firewall-cmd. Use the man command to learn how the firewalld-related commands are used:
# man firewalld.conf
# man firewall-cmd
# man firewalld.zone
# man firewalld.service
# man firewalld.icmptype
# man firewalld.direct
Commonly used commands
1. Add the http and https services
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload    (reload without interrupting connections)
Here --permanent means the change is saved permanently rather than applied only to the running firewall.
2. Change the SSH port from 22 to 23456
[root@localhost ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
[root@localhost ~]# vi /etc/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="23456"/>
</service>
[root@localhost ~]# firewall-cmd --complete-reload    (reload, interrupting connections)
[root@localhost ~]# vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#Port 23456
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# systemctl status sshd
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Mon 2015-08-31 17:47:22 CST; 25s ago
 Main PID: 12302 (sshd)
   CGroup: /system.slice/sshd.service
           └─12302 /usr/sbin/sshd -D
Aug 31 17:47:22 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on 0.0.0.0 port 23456.
Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on :: port 23456.
Aug 31 17:47:23 localhost.localdomain python[12304]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 23456. ***** Plugin bind_ports (92.2 confidence) suggests ************************...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]#
This article is from the blog "站在巨人的肩膀上看世界"; please keep this source attribution: http://lixiaotao.blog.51cto.com/985722/1690193
Firewall under CentOS 7