Fixing firewalld not starting on CubeCloud CentOS 7, plus basic usage


The problem
CubeCloud's CentOS 7 image was changed to use the iptables service as its firewall, and firewalld cannot start on it.
Note that the iptables service and firewalld must not run at the same time: both write to the same netfilter tables and each overwrites the other's rules. Disable and stop the iptables service first:
systemctl disable iptables    # do not start the iptables service at boot
systemctl stop iptables       # stop it now
Problem 1
Restart fails with an error
systemctl restart firewalld
Failed to restart firewalld.service: Unit is masked.
Fix
The unit was masked (its unit file linked to /dev/null), which is how the image switched it off. Unmask it, then run the restart again:
systemctl unmask firewalld.service
Problem 2
No error, but the daemon is not running
firewall-cmd --state
not running
Look at the details:
systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2017-11-08 09:51:17 CST; 36s ago
Docs: man:firewalld(1)
Process: 2061 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 2061 (code=exited, status=0/SUCCESS)
Nov 08 09:51:17 CubeCloud-201763575 systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 08 09:51:17 CubeCloud-201763575 firewalld[2061]: ERROR: Exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.22" is not allowed to own the service "org.fedoraproject.FirewallD1" d...figuration file
Nov 08 09:51:17 CubeCloud-201763575 systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Fix
The line that matters in the status output is the DBusException: the system bus refused to let firewalld own the name org.fedoraproject.FirewallD1, because no loaded D-Bus policy grants that name to root. The grant lives in a .conf file under /etc/dbus-1/system.d/ (the firewalld package installs it as FirewallD.conf; the file name itself does not matter, every .conf in that directory is read). If the file is missing, create it with the bus name taken from the error message; if it is already present, dbus-daemon may not have re-read it since it was written, so reload dbus and then restart firewalld. Only root may own the name. Other users get send rights only, so they can still talk to the daemon through firewall-cmd but nobody can impersonate it on the bus:
vi /etc/dbus-1/system.d/FirewallD.conf
<busconfig>
<policy user="root">
<allow own="org.fedoraproject.FirewallD1"/>
<allow send_destination="org.fedoraproject.FirewallD1"/>
<allow send_interface="org.fedoraproject.FirewallD1"/>
</policy>
<policy context="default">
<allow send_destination="org.fedoraproject.FirewallD1"/>
<allow send_interface="org.fedoraproject.FirewallD1"/>
</policy>
</busconfig>
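The following script is an added example, not part of the original post: it checks whether a D-Bus system policy file actually lets root own the firewalld bus name from the error above, writes a correct policy if none does, and then makes dbus re-read its configuration. The file name FirewallD.conf and the "--apply" switch are this example's own choices.

```shell
#!/bin/sh
# Added example: verify and repair the D-Bus policy that lets firewalld
# own its bus name. The bus name is the one in the AccessDenied error;
# the policy directory is the standard system.d location.

FIREWALLD_BUS_NAME="org.fedoraproject.FirewallD1"
POLICY_DIR="/etc/dbus-1/system.d"

# policy_allows_root_own FILE BUSNAME
# Exit 0 if a <policy user="root"> block in FILE contains
# <allow own="BUSNAME"/>, 1 otherwise. A grant inside a non-root policy
# does not count: that would be a bug, not a fix.
policy_allows_root_own() {
    [ -r "$1" ] || return 1
    awk -v name="$2" '
        BEGIN                      { inroot = 0; found = 0 }
        /<policy[^>]*user="root"/  { inroot = 1 }
        /<\/policy>/               { inroot = 0 }
        inroot && $0 ~ ("<allow own=\"" name "\"") { found = 1 }
        END                        { exit (found ? 0 : 1) }
    ' "$1"
}

# write_firewalld_policy FILE
# Only root may own the name; everyone else may only send to it, so
# firewall-cmd can reach the daemon but no user can impersonate it.
write_firewalld_policy() {
    cat > "$1" <<EOF
<busconfig>
  <policy user="root">
    <allow own="$FIREWALLD_BUS_NAME"/>
    <allow send_destination="$FIREWALLD_BUS_NAME"/>
    <allow send_interface="$FIREWALLD_BUS_NAME"/>
  </policy>
  <policy context="default">
    <allow send_destination="$FIREWALLD_BUS_NAME"/>
    <allow send_interface="$FIREWALLD_BUS_NAME"/>
  </policy>
</busconfig>
EOF
}

# repair: run as root on the affected host. Writes the policy only when the
# expected file does not already grant the name, then reloads dbus so the
# running daemon picks it up, and restarts firewalld.
repair() {
    f="$POLICY_DIR/FirewallD.conf"
    if ! policy_allows_root_own "$f" "$FIREWALLD_BUS_NAME"; then
        write_firewalld_policy "$f"
        chmod 0644 "$f"
    fi
    systemctl reload dbus
    systemctl restart firewalld
    firewall-cmd --state
}

# Usage on the host:  sh fix-firewalld-dbus.sh --apply
if [ "${1:-}" = "--apply" ]; then
    repair
fi
```

Without --apply the script only defines the functions, so it can be sourced to check an existing policy file before touching anything.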
Problem 3
The port is added, but does not show up
firewall-cmd --zone=public --permanent --add-port=80/tcp
success
firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Fix
This is not a failure. --permanent writes only the saved configuration, while --list-all without --permanent shows the runtime rule set, which does not change until the saved configuration is loaded. Either reload firewalld (the reload command is shown in the usage section below) or run the same command once more without --permanent so the port is opened immediately as well, and check the saved side with --permanent --list-all. firewalld also needs the iptables binaries, which come from the iptables package, and the iptables service must stay disabled so it cannot overwrite firewalld's rules at boot:
yum -y install iptables
systemctl disable iptables
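The following is an added example, not code from the original post: it classifies a port rule as active, runtime-only, pending (saved but not reloaded) or absent from the two firewall-cmd listings, which is exactly the distinction Problem 3 trips over. The function names and the zone/port used in the usage comments are this example's own.

```shell
#!/bin/sh
# Added example: distinguish firewalld's runtime and permanent rule sets.
# --permanent edits only the saved configuration; it is not active until
# firewall-cmd --reload, and runtime-only changes vanish on reload/reboot.

# port_state RUNTIME PERMANENT PORT
# RUNTIME and PERMANENT are the space-separated outputs of
#   firewall-cmd --zone=Z --list-ports
#   firewall-cmd --permanent --zone=Z --list-ports
# Prints one of:
#   active  : in both sets (the state you want)
#   runtime : open now, but lost at the next reload or reboot
#   pending : saved, but not open until firewall-cmd --reload
#   absent  : in neither set
port_state() {
    runtime=" $1 "
    permanent=" $2 "
    port="$3"
    # Pad with spaces so 80/tcp does not match inside 8080/tcp.
    case "$runtime" in *" $port "*) r=1 ;; *) r=0 ;; esac
    case "$permanent" in *" $port "*) p=1 ;; *) p=0 ;; esac
    if [ "$r" = 1 ] && [ "$p" = 1 ]; then echo active
    elif [ "$r" = 1 ]; then echo runtime
    elif [ "$p" = 1 ]; then echo pending
    else echo absent
    fi
}

# check_port ZONE PORT: query the live daemon (run as root on the host),
# print the state and the command that completes it. Exit 0 only if active.
check_port() {
    zone="$1"; port="$2"
    rt=$(firewall-cmd --zone="$zone" --list-ports)
    pm=$(firewall-cmd --permanent --zone="$zone" --list-ports)
    state=$(port_state "$rt" "$pm" "$port")
    echo "$port in zone $zone: $state"
    case "$state" in
        pending) echo "next: firewall-cmd --reload" ;;
        runtime) echo "next: firewall-cmd --permanent --zone=$zone --add-port=$port" ;;
        absent)  echo "next: open_port $zone $port" ;;
    esac
    [ "$state" = active ]
}

# open_port ZONE PORT: open a port so it is active now and survives reboots,
# then verify both sets agree. Example:  open_port public 80/tcp
open_port() {
    zone="$1"; port="$2"
    firewall-cmd --permanent --zone="$zone" --add-port="$port"
    firewall-cmd --zone="$zone" --add-port="$port"
    check_port "$zone" "$port"
}
```

Before rebooting a remote host, check_port public 22/tcp (or the ssh service equivalent) is the cheap way to confirm the ssh rule is in the permanent set and not only in runtime.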
Problem 4
status shows a read error
systemctl status firewalld
ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
Fix
That sysctl file only exists once the nf_conntrack kernel module is loaded, and on this image it was not loaded when firewalld started. The error can be left for later; a reboot clears it (loading the module by hand with modprobe and restarting firewalld also works where the VPS allows module loading). Before rebooting, make sure the ssh port is allowed in the permanent configuration, or you will lock yourself out:
reboot
Basic usage
Red Hat's official guide (Chinese edition):
https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls
Block ping (this is a kernel sysctl, not a firewalld rule, and is lost at reboot unless also set under /etc/sysctl.d)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Allow ping again
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Install firewalld
yum install firewalld
Service management
systemctl disable firewalld
systemctl enable firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
firewall-cmd --state
Show the current rules of a zone (add --permanent to see the saved configuration instead of the runtime one)
firewall-cmd --zone=public --list-all
Reload the saved configuration into the runtime (this is what makes --permanent changes take effect)
firewall-cmd --reload
Show which zones are active and the interfaces bound to them
firewall-cmd --get-active-zones
IP masquerading and port forwarding (forwarding to another host requires masquerading on the zone; these are all --permanent, so reload afterwards; note that forwarding port 22 away, as below, makes this host's own sshd unreachable from that zone)
firewall-cmd --permanent --add-masquerade --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=3753 --permanent --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55 --permanent --zone=external
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55 --permanent --zone=external
Add and remove a rate-limited rule for the http service (at most 80 matching new connections per second are accepted by this rule; traffic above the limit falls through to the zone's remaining rules and default target)
firewall-cmd --zone=public --add-rich-rule='rule service name="http" limit value="80/s" accept' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule service name="http" limit value="80/s" accept' --permanent
The same limit expressed on port 80/tcp instead of the service
firewall-cmd --zone=public --add-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept' --permanent
Add and remove a tcp port
firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --remove-port=80/tcp
Blacklist
The simplest form binds the source to the drop zone (runtime only unless --permanent is added):
firewall-cmd --zone=drop --add-source 192.168.1.1
firewall-cmd --zone=drop --remove-source 192.168.1.1
Or use a rich rule in the public zone. The remove command must repeat the rule text exactly as it was added, otherwise firewalld reports that the rule does not exist:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" drop' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" drop' --permanent
Rich rule syntax
rule [family="<rule family>"]
    [ source address="<address>" [invert="True"] ]
    [ destination address="<address>" [invert="True"] ]
    [ <element> ]
    [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
    [ audit ]
    [ accept|reject|drop ]
The port element
The port can be a single port number or a range such as 5060-5062. The protocol is tcp or udp. The element takes this form:
port port=number_or_range protocol=protocol
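The following is an added example, not code from the original post, covering the blacklist commands and the rich rule syntax above: it validates an address or CIDR, picks the right family, and generates the drop rule from one function so that the add and remove commands always carry identical text. The validation is a shape check (octet ranges, prefix length, hex characters for IPv6), not a full address parser, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: build and apply source-blacklist rich rules whose add and
# remove commands use exactly the same rule text.

# ip_family ADDR[/PREFIX]
# Prints ipv4 or ipv6 for a plausible address or CIDR, exits 1 otherwise.
ip_family() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=""; fi
    case "$addr" in
        *:*)
            # IPv6: only hex digits and colons.
            case "$addr" in *[!0-9a-fA-F:]*) return 1 ;; esac
            fam=ipv6; max=128 ;;
        *.*.*.*)
            # IPv4: digits and dots only, no empty octets, exactly four octets
            # each in the range 0-255.
            case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
            IFS=. ; set -- $addr ; unset IFS
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                [ "$o" -le 255 ] || return 1
            done
            fam=ipv4; max=32 ;;
        *) return 1 ;;
    esac
    if [ -n "$prefix" ]; then
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le "$max" ] || return 1
    fi
    echo "$fam"
}

# block_rule ADDR -> the rich rule text that drops everything from ADDR.
block_rule() {
    fam=$(ip_family "$1") || return 1
    printf 'rule family="%s" source address="%s" drop\n' "$fam" "$1"
}

# blacklist add|remove ZONE ADDR...
# Apply (or revert) permanent drop rules for each address, then reload so
# the saved configuration becomes active. Run as root on the host, e.g.:
#   blacklist add public 192.168.0.0/24 2001:db8::/32
#   blacklist remove public 192.168.0.0/24
blacklist() {
    [ $# -ge 3 ] || { echo "usage: blacklist add|remove ZONE ADDR..." >&2; return 2; }
    action="$1"; zone="$2"; shift 2
    case "$action" in add|remove) ;; *) echo "unknown action: $action" >&2; return 2 ;; esac
    for a in "$@"; do
        rule=$(block_rule "$a") || { echo "skipping invalid address: $a" >&2; continue; }
        firewall-cmd --permanent --zone="$zone" "--$action-rich-rule=$rule"
    done
    firewall-cmd --reload
}
```

Because the rule text is generated rather than typed twice, a later "blacklist remove" for the same address is guaranteed to match what "blacklist add" installed; invalid input is reported and skipped instead of being handed to firewall-cmd.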