firewalld的富规则可以定义更复杂强大的防火墙规则
语法:
fiewall-cmd [--permanent] --add-rich-rule="rich rule"其中富规则的结构如下:
1,一般规则结构
rule
[source]
[destination]
service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
[log]
[audit]
[accept|reject|drop|mark]其中[]中的关键词称为元素,每个元素都有自己的选项,如下:
Rule:
rule [family="ipv4|ipv6"]
Source:
source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"
Destination:
destination [not] address="address[/mask]"
Service:
service name="service name"
Port:
port port="port value" protocol="tcp|udp"
Protocol:
protocol value="protocol value"
ICMP-Block:
icmp-block name="icmptype name"
ICMP-Type:
icmp-type name="icmptype name"
Forward-Port:
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
Source-Port:
source-port port="port value" protocol="tcp|udp"
Log:
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
Audit:
audit [limit value="rate/duration"]
Action:
accept, reject, drop,mark.
Limit:
limit value="rate/duration"例1:放行ipv4和ipv6的ah协议:
rule protocol value="ah" accept例2:使用审核允许ftp服务每分钟1个新的IPv4和IPv6连接,并且记录日志
rule service name="ftp" log limit value="1/m" audit accept例3:允许来自 192.168.0.0/24 的ip使用tftp服务,并且用syslog每分钟记录一次日志
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept例4:拒绝来自1:2:3:4:6:: 的ipv6连接 radius 服务,但允许其它ipv6的ip连接,并且每三分钟记录一次日志,日志级别为info,前缀为dns
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept例5:转发1:2:3:4:6::的tcp 4012端口访问到1::2:3:4:7的4011端口
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"2,基于源的黑白名单结构
rule
source
[log]
[audit]
accept|reject|drop|mark例6:把192.168.2.2加入白名单
rule family="ipv4" source address="192.168.2.2" accept例7:把192.168.2.3加入黑名单
rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"例8:把192.168.2.4加入黑名单
rule family="ipv4" source address="192.168.2.4" drop3,使用ipset
当使用防火墙需要配置的黑白名单有些庞大或者复杂,可以使用ipset来统一进行配置
第一步,创建ipset
使用方法:firewall-cmd --permanent --new-ipset=ipset_name --type=ipset_type
即,ipset有一个名字,一个类别
支持的类别有:
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net第二步,给ipset增加入口,即增设具体ip项目
使用方法:firewall-cmd --permanent --ipset=ipset_name --add-entry=ip
第三步,基于ipset创建防火墙规则
firewall-cmd --permanent --add-rich-rule="rule family="<ipv4|ipv6>" source ipset=ipset_name [log] <reject|drop|accept...>"第四步,重载防火墙规则firewall-cmd --reload
比如:
firewall-cmd --permanent --new-ipset=deny-ip type=hash:ip
firewall-cmd --permanent --ipset=deny-ip --add-entry=1.1.1.1
firewall-cmd --permanent --ipset=deny-ip --add-entry=2.2.2.2/24
firewall-cmd --permanent --ipset=deny-ip --add-entry=3.3.3.10-3.3.3.20
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source ipset=deny-ip log drop"
firewall-cmd --reload以上规则创建完成后,即为阻止1.1.1.1,2.2.2.2/24,3.3.3.10-3.3.3.20对服务器的访问.
若要从某个ipset移除某个ip或者ip段firewall-cmd --permanent --ipset=deny-ip --remove-entry=ip
其它具体参数及用法可以--help,或者查看man文档.
来源:oschina
链接:https://my.oschina.net/u/4416282/blog/4732338