How to Configure FirewallD in RHEL, CentOS and Fedora


Netfilter, as we all know, is the firewall in Linux. Firewalld is a dynamic daemon for managing firewalls with support for network zones. In the earlier versions, RHEL & CentOS 6, we used iptables as the daemon for the packet filtering framework. In RHEL/CentOS 7/8, Fedora and openSUSE the iptables interface is replaced by firewalld.

It is recommended to start using Firewalld instead of iptables, as iptables may be discontinued in the future. However, iptables is still supported and can be installed with the yum command. We cannot keep both Firewalld and iptables on the same system, as that leads to conflicts.

In iptables we used to configure the INPUT, OUTPUT & FORWARD chains, but here in Firewalld the concept is zones. By default there are several zones available in firewalld, which will be discussed in this article.

The basic zones are like a public zone and a private zone. To make things work with these zones, we need to add the interface to a specified zone, and then we can add services to firewalld.

By default many services are available; one of the best features of firewalld is that it comes with pre-defined services, and we can take these services as a template to add our own services by simply copying them.

Firewalld works well with IPv4, IPv6 and Ethernet bridges too. We can have a separate runtime and permanent configuration in firewalld.

Let's get started on how to work with zones, create our own services and much more exciting usage of firewalld.

Operating System :	CentOS Linux release 7.0.1406 (Core)
IP Address       :	192.168.0.55
Host-name	:	server1.tecmintlocal.com

Step 1: Installing Firewalld in CentOS

1. The Firewalld package is installed by default in RHEL/CentOS 7/8, Fedora and openSUSE. If not, you can install it using the following yum command.

# yum install firewalld -y

2. After the firewalld package is installed, it is time to check whether the iptables service is running or not. If it is running, you need to stop and mask (no longer use) the iptables service with the commands below.

# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables

Step 2: Discussing Firewalld Components

3. Before going ahead with the firewall configuration, I would like to discuss each zone. By default there are a few zones available. We need to assign the interface to a zone. A zone defines the trust level (trusted or denied) of an interface for accepting a connection. A zone can contain services & ports.

Here we describe each zone available in Firewalld.

  • Drop Zone: Any incoming packets are dropped if we use the drop zone. This is the same as adding -j DROP in iptables. If we use the drop rule it means there is no reply; only outgoing network connections will be available.
  • Block Zone: The block zone denies incoming network connections; they are rejected with icmp-host-prohibited. Only connections established from within the server will be allowed.
  • Public Zone: To accept selected connections we can define rules in the public zone. This allows only specific ports to be opened on our server; other connections will be dropped.
  • External Zone: This zone acts as router options with masquerading enabled; other connections will be dropped and not accepted, only the specified connections will be allowed.
  • DMZ Zone: If we need to allow access to some services for the public, we can define it in the DMZ zone. This too has the feature that only selected incoming connections are accepted.
  • Work Zone: In this zone we can define only internal networks, i.e. private network traffic is allowed.
  • Home Zone: This zone is specially used in home environments; we can use this zone to trust the other computers on the network not to harm your computer, as in every zone. This too allows only selected incoming connections.
  • Internal Zone: This is similar to the work zone, with selected connections allowed.
  • Trusted Zone: If we set the trusted zone, all traffic is accepted.

Now that you have a better idea about zones, let's find the available zones, the default zone, and list all zones using the following commands.

# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --list-all-zones

Note: The output of the above command will not fit in a single page, as it lists all the zones: block, dmz, drop, external, home, internal, public, trusted and work. If the zones have any rich rules, enabled services or ports, those will also be listed with each zone's information.

Step 3: Setting the Default Firewalld Zone

4. If you want to set the default zone to internal, external, drop, work or any other zone, you can use the command below to set the default zone. Here we are using the "internal" zone as the default.

# firewall-cmd --set-default-zone=internal

5. After setting the zone, verify the default zone using the command below.

# firewall-cmd --get-default-zone

6. Here our interface is enp0s3. If we need to check the zone to which our interface is bound, we can use the command below.

# firewall-cmd --get-zone-of-interface=enp0s3

7. Another interesting feature of firewalld is 'icmptype', one of the icmp types supported by firewalld. To get the list of supported icmp types we can use the command below.

# firewall-cmd --get-icmptypes
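Steps 4 to 7 query the default zone, the zone of an interface and the rest of the zone set one command at a time. As an added example (not from the original article), the script below collects the same information for every active zone into a one-line-per-zone report, with the default zone marked, so a reviewer can see at a glance which interfaces and source ranges land in which zone and what each zone exposes. FIREWALL_CMD is an assumed hook for this example (it defaults to the real firewall-cmd); the parsing relies on the "  field: value" lines that firewall-cmd --list-all prints.

```shell
#!/bin/sh
# Added example, not from the original article: one-line report per active
# firewalld zone. FIREWALL_CMD is an assumed hook so the functions can be
# pointed at a stand-in; it defaults to the real firewall-cmd binary.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# zone_field ZONE FIELD: value of one "  FIELD: value" line from
# `firewall-cmd --zone=ZONE --list-all`, e.g. zone_field public services
zone_field() {
    zone="$1"; field="$2"
    "$FIREWALL_CMD" --zone="$zone" --list-all 2>/dev/null \
        | sed -n "s/^[[:space:]]*$field:[[:space:]]*//p"
}

# Names of the active zones: the unindented lines of --get-active-zones
# (the indented "interfaces:"/"sources:" lines are details, not names).
active_zones() {
    "$FIREWALL_CMD" --get-active-zones 2>/dev/null | sed -n '/^[^[:space:]]/p'
}

# Which zone an interface is currently bound to (step 6 above).
interface_zone() {
    "$FIREWALL_CMD" --get-zone-of-interface="$1" 2>/dev/null
}

# One line per active zone: "*" marks the default zone, then interfaces,
# sources, target, services and ports as firewalld reports them.
zone_report() {
    default="$("$FIREWALL_CMD" --get-default-zone 2>/dev/null)"
    active_zones | while read -r zone; do
        marker=" "
        [ "$zone" = "$default" ] && marker="*"
        printf '%s %-9s if=[%s] src=[%s] target=%s services=[%s] ports=[%s]\n' \
            "$marker" "$zone" \
            "$(zone_field "$zone" interfaces)" \
            "$(zone_field "$zone" sources)" \
            "$(zone_field "$zone" target)" \
            "$(zone_field "$zone" services)" \
            "$(zone_field "$zone" ports)"
    done
}

# Print the report when run directly with REPORT=1 (e.g. REPORT=1 sh zones.sh).
if [ "${REPORT:-0}" = 1 ]; then
    zone_report
fi
```

Run it as root with REPORT=1 on a live system; a zone whose line shows an interface or source but an empty services and ports list is effectively closed, while a zone with target ACCEPT or the trusted zone passes everything and deserves a second look.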

Step 4: Creating Your Own Services in Firewalld

8. Services are a set of rules with ports and options which Firewalld uses. Services that are enabled are loaded automatically when the Firewalld service is running.

By default many services are available; to get the list of all available services, use the following command.

# firewall-cmd --get-services

9. To see the definitions of all the services available by default, go to the following directory, where you will find one file per service.

# cd /usr/lib/firewalld/services/

10. To create your own service, you need to define it in the following location. For example, here I want to add a service for the RTMP port 1935; first make a copy of any one of the existing services.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

Then navigate to the location where our service file was copied and rename the file 'ssh.xml' to 'rtmp.xml', as shown in the picture below.

# cd /etc/firewalld/services/
# mv ssh.xml rtmp.xml

11. Next, open the file and edit the title, description, protocol and port number to the values we need for the RTMP service, as shown in the picture below.

12. To make these changes active, restart the firewalld service or reload the settings.

# firewall-cmd --reload

13. To confirm whether the service was added or not, run the command below to get the list of available services.

# firewall-cmd --get-services
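The service file edited by hand in steps 10 and 11 can also be generated and checked from a script. The following is an added example, not part of the original article: write_service builds the XML layout firewalld expects (a <short> name, a <description>, and one <port> element per protocol/port pair), and check_service rejects a definition with a protocol firewalld does not know or a port outside 1-65535 before the file is reloaded, since a malformed service is silently ignored and the port you meant to open stays closed. SERVICE_DIR and the function names are assumptions for this example; the real directory is /etc/firewalld/services/ and the rtmp/1935 values are the ones from the steps above.

```shell
#!/bin/sh
# Added example, not from the original article: generate and sanity-check a
# firewalld service definition such as rtmp.xml. SERVICE_DIR is an assumed
# hook so the file can be written to a scratch directory while testing;
# the real location read by firewalld is /etc/firewalld/services/.
SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"

# Escape the three characters that would break the XML if they appeared
# in a short name or description.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_service NAME SHORT DESCRIPTION PROTO/PORT [PROTO/PORT ...]
# Writes $SERVICE_DIR/NAME.xml with one <port> element per PROTO/PORT
# argument and prints the path, e.g.:
#   write_service rtmp "RTMP" "Real-Time Messaging Protocol" tcp/1935
write_service() {
    name="$1"; short="$2"; desc="$3"; shift 3
    file="$SERVICE_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            proto="${spec%%/*}"; port="${spec#*/}"
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# check_service FILE: return 1 unless the file has a <service> root, a
# non-empty <short>, at least one <port>, and every port uses a protocol
# firewalld knows (tcp/udp/sctp/dccp) with a port or a-b range in 1-65535.
check_service() {
    file="$1"
    grep -q '^<service>' "$file" || return 1
    grep -q '<short>..*</short>' "$file" || return 1
    ports=$(sed -n 's|.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)"/>.*|\1 \2|p' "$file")
    [ -n "$ports" ] || return 1
    echo "$ports" | while read -r proto port; do
        case "$proto" in tcp|udp|sctp|dccp) ;; *) exit 1 ;; esac
        case "$port" in *[!0-9-]*|-*|*-|'') exit 1 ;; esac
        low="${port%%-*}"; high="${port#*-}"
        [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || exit 1
    done
}

# Reload firewalld and confirm the new service is listed (needs root and a
# running firewalld; not exercised offline).
load_service() {
    firewall-cmd --reload >/dev/null
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$1"
}
```

A typical run on the server is `f=$(write_service rtmp "RTMP" "Real-Time Messaging Protocol" tcp/1935) && check_service "$f" && load_service rtmp`; the check runs before the reload so a bad file never reaches firewalld.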

Step 5: Assigning Services to Firewalld Zones

14. Here we will see how to manage the firewall using the firewall-cmd command. To know the current state of the firewall and all active zones, type the following commands.

# firewall-cmd --state
# firewall-cmd --get-active-zones

15. The interface enp0s3 gets the public zone; this is the default zone, defined in the /etc/firewalld/firewalld.conf file as DefaultZone=public.

To list all services enabled in the default zone:

# firewall-cmd --list-services

Step 6: Adding Services to Firewalld Zones

16. In the examples above we saw how to create our own service by creating the rtmp service; here we will see how to add the rtmp service to the zone.

# firewall-cmd --add-service=rtmp

17. To remove the added service, type:

# firewall-cmd --zone=public --remove-service=rtmp

The step above changes the runtime configuration only. To make it permanent we need to run the command below with the --permanent option.

# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload

18. Define rules for a source network range and open any one of the ports. For example, if you want to allow a network range, say '192.168.0.0/24', and open port '1935', use the following commands.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

Make sure to reload the firewalld service after adding or removing any services or ports.

# firewall-cmd --reload 
# firewall-cmd --list-all

Step 7: Adding Rich Rules for a Network Range

19. If I want to allow services like http, https, vnc-server and PostgreSQL, I use the following rules. First add the rule, then make it permanent, reload the rules and check the status.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent

Now the network range 192.168.0.0/24 can use the above services on my server. The --permanent option can be used in every rule, but we should define the runtime rule and check it with client access first, and only after that make it permanent.

20. After adding the above rules, don't forget to reload the firewall rules and list them using:

# firewall-cmd --reload
# firewall-cmd --list-all
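Steps 18 and 19 above add a source range, a port and a set of rich rules one command at a time, and each runtime command has to be repeated with --permanent. As an added example (not from the original article), the script below does the same for a list of services through rich rules, with two checks a practitioner wants: the source must be an explicit IPv4 CIDR (a bare address such as 192.168.0.0 is accepted by firewalld but matches a single host, which is rarely what was meant), and a rule that already exists is reported as present rather than added twice. Runtime is written before permanent, in the order the article recommends. FIREWALL_CMD and ZONE are assumed hooks for this example (defaults: the real firewall-cmd and the public zone); the 192.168.0.0/24 range and the http, https, vnc-server and postgresql services are the ones used in step 19.

```shell
#!/bin/sh
# Added example, not from the original article: allow services for one
# source range via rich rules, idempotently and runtime-then-permanent.
# FIREWALL_CMD and ZONE are assumed hooks (defaults: firewall-cmd, public).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Rich rule text for one service from one IPv4 source range.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# valid_cidr A.B.C.D/N: succeed only for an explicit IPv4 prefix with
# octets <= 255 and 0 <= N <= 32.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/|/*|'') return 1 ;;
    esac
    ip="${1%/*}"; mask="${1#*/}"
    [ "$ip" != "$1" ] || return 1                      # no "/N" given
    [ "$mask" -ge 0 ] && [ "$mask" -le 32 ] || return 1
    n=0
    for octet in $(printf '%s' "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# allow_service_from RANGE SERVICE: add the rule to the runtime and then
# the permanent configuration unless it is already present.
# Prints "added SERVICE" or "present SERVICE".
allow_service_from() {
    src="$1"; svc="$2"
    valid_cidr "$src" || { echo "bad source range: $src" >&2; return 1; }
    rule="$(rich_rule "$src" "$svc")"
    if "$FIREWALL_CMD" --zone="$ZONE" --query-rich-rule "$rule" >/dev/null 2>&1; then
        echo "present $svc"
    else
        "$FIREWALL_CMD" --zone="$ZONE" --add-rich-rule "$rule" >/dev/null
        "$FIREWALL_CMD" --zone="$ZONE" --permanent --add-rich-rule "$rule" >/dev/null
        echo "added $svc"
    fi
}

# allow_services RANGE SERVICE [SERVICE ...], e.g.
#   allow_services 192.168.0.0/24 http https vnc-server postgresql
allow_services() {
    src="$1"; shift
    for svc in "$@"; do
        allow_service_from "$src" "$svc" || return 1
    done
}

# Show what is currently in effect for the zone (runtime view).
show_rules() {
    "$FIREWALL_CMD" --zone="$ZONE" --list-rich-rules
}
```

After the permanent rules have been checked with a client, `firewall-cmd --reload` brings the runtime back in line with the saved configuration, and show_rules confirms that nothing was lost in the reload.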

To know more about Firewalld:

# man firewalld

That's it; we have seen how to set up a netfilter firewall using Firewalld in RHEL/CentOS and Fedora.

Netfilter is the firewall framework in each and every Linux distribution. In all earlier RHEL and CentOS editions we used iptables, but in the newer versions they have introduced Firewalld. Firewalld is easier to understand and use. I hope you have enjoyed the write-up.