Linux Firewall Whitelist Zone

Set up a whitelist zone in Linux firewalld with the default target="DROP", allowing only the service ports, protocols, or custom ports you explicitly list (for example ssh, http, https).

Connectivity test

First check that, for example, the ICMP protocol and the http service currently respond.

[root@localhost ~]# ping -c4 <server_domain_or_ip>
PING <server_domain_or_ip> (<server_ip>) 56(84) bytes of data.
64 bytes from <server_domain_or_ip> (<server_ip>): icmp_seq=1 ttl=51 time=23 ms

[root@localhost ~]# curl <your_server_domain_or_ip>
<!DOCTYPE html>

<html>
</html>

Create a custom zone

[root@localhost ~]# firewall-cmd --permanent --new-zone=customdrop
success
[root@localhost ~]# firewall-cmd --permanent --get-zones
block customdrop dmz drop external home internal public trusted work

Edit the zone configuration file

/etc/firewalld/zones/customdrop.xml

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>CustomDrop</short>
<description>Only specific services or ports are allowed. Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<service name="ssh"/>
<service name="http"/>
<service name="https"/>
</zone>

Reload the configuration

[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --permanent --get-zones
block customdrop dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --info-zone=customdrop
customdrop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services: ssh http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Change the default zone

[root@localhost ~]# firewall-cmd --set-default-zone=customdrop
success
[root@localhost ~]# firewall-cmd --get-default-zone
customdrop
[root@localhost ~]# firewall-cmd --info-zone=customdrop
customdrop (active)
target: DROP
icmp-block-inversion: no
interfaces: ens32
sources:
services: ssh http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Make sure the current network interface has actually been assigned to the firewall zone; otherwise the DROP policy is not applied to its traffic.

[root@localhost ~]# firewall-cmd --get-zone-of-interface="ens32"
customdrop
[root@localhost ~]# firewall-cmd --zone=customdrop --change-interface=<interface>

Alternatively, specify the interface's firewall zone directly in its ifcfg file; if none is specified, the interface belongs to the active (default) zone.

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-<interface> | grep "ZONE="
ZONE=customdrop
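The checks above (target is DROP, the interface is bound, only the intended services are open) are worth automating. The following script is an added example and not part of the original post: it parses the text that `firewall-cmd --info-zone=<zone>` prints and fails unless the zone matches an expected allowlist. The allowlist "ssh http https" and the sample outputs embedded below are assumptions, constructed to mirror the post's output.

```shell
#!/bin/sh
# Added example (not from the original post): audit what
# `firewall-cmd --info-zone=<zone>` prints and fail unless the zone has
# target DROP, is bound to at least one interface or source, and allows
# exactly the expected services.

# check_zone_output "<expected services>"  <  info-zone text on stdin
check_zone_output() {
    expected=$1
    target=""; bound=""; services=""
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}        # strip leading indentation
        case "$line" in
            "target:"*)     v=${line#target:};     target=${v# } ;;
            "interfaces:"*) v=${line#interfaces:}; bound="$bound${v# }" ;;
            "sources:"*)    v=${line#sources:};    bound="$bound${v# }" ;;
            "services:"*)   v=${line#services:};   services=${v# } ;;
        esac
    done
    [ "$target" = "DROP" ] || { echo "target is '$target', expected DROP" >&2; return 1; }
    [ -n "$bound" ] || { echo "zone is not bound to any interface or source" >&2; return 1; }
    # compare as sets, so the order firewalld prints them in does not matter
    got=$(printf '%s\n' $services | sort | tr '\n' ' ')
    want=$(printf '%s\n' $expected | sort | tr '\n' ' ')
    [ "$got" = "$want" ] || { echo "services '$services' != '$expected'" >&2; return 1; }
}

# On a real host: check_zone customdrop "ssh http https"
check_zone() { firewall-cmd --info-zone="$1" | check_zone_output "$2"; }

# Constructed sample: the zone after it became default and picked up ens32.
SAMPLE_ACTIVE='customdrop (active)
  target: DROP
  interfaces: ens32
  sources:
  services: ssh http https
  ports:
  rich rules:'

# Constructed sample: the zone right after --reload, not yet bound to anything.
SAMPLE_UNBOUND='customdrop
  target: DROP
  interfaces:
  sources:
  services: ssh http https'

printf '%s\n' "$SAMPLE_ACTIVE" | check_zone_output "ssh http https" && echo "customdrop: OK"
```

The unbound sample is the state shown right after the reload step: the services are right but nothing is attached, so the check fails until the interface is assigned.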

Test

Once the zone rules are in effect, the host can no longer be pinged, because ICMP is not in the allowlist and the zone target drops everything else.
[root@localhost ~]# ping -c4 <server_domain_or_ip>
PING <server_domain_or_ip> (<server_ip>) 56(84) bytes of data.

--- host.velne.win ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms

Check a specific allowed service port; http still answers.
[root@localhost ~]# curl <your_server_domain_or_ip>
<!DOCTYPE html>

<html>
</html>