CentOS 7 firewalld operations

systemctl status firewalld

systemctl start firewalld

systemctl stop firewalld

systemctl restart firewalld

 

Earlier, firewalld rules configured on a host did not take effect, and the workaround was to edit the CentOS 7 iptables configuration directly:

vi /etc/sysconfig/iptables      # edit the iptables rule file (read only by iptables.service from the iptables-services package)

iptables -L -n                  # show the rules currently loaded in the kernel, whichever service loaded them

systemctl restart iptables      # restart iptables.service, which reloads /etc/sysconfig/iptables

Before taking that route, check that only one of the two services is active: firewalld and iptables.service both rewrite the kernel ruleset when they start, so running both is a common reason rules appear not to take effect. Keep one and mask the other (systemctl stop firewalld && systemctl mask firewalld, or the same for iptables), and remember that firewall-cmd --permanent changes only reach the running ruleset after firewall-cmd --reload.

 

firewall-cmd commands

firewall-cmd --state                          # firewall status: running / not running

firewall-cmd --list-all                       # policy of the default zone (public unless changed)

firewall-cmd --reload                         # load the permanent configuration into the running ruleset; needed after every --permanent command (existing connections are kept)

firewall-cmd --list-all --zone=trusted        # policy of the trusted zone

[In that output the `services:` line, e.g. `services: ssh dhcpv6-client`, lists the services allowed through the zone; `ports:` lists explicitly opened ports. The two lists are independent, so a port stays open while any listed service still covers it.]

firewall-cmd --get-services                   # names of the predefined services (firewall-cmd --info-service=ssh shows what one of them opens)

firewall-cmd --permanent --remove-service=ssh   # remove the ssh service from the default zone; after the next --reload, remote SSH only works if another rule still allows 22/tcp

firewall-cmd --permanent --zone=trusted --add-source=127.0.0.1   # whitelist: packets from this source are handled by the trusted zone, which accepts everything

firewall-cmd --permanent --remove-source=127.0.0.1 --zone=trusted   # remove the whitelist entry

firewall-cmd --permanent --zone=block --add-source=127.0.0.1   # blacklist: packets from this source go to the block zone, which rejects them with an ICMP host-prohibited error (the drop zone discards them silently)

firewall-cmd --permanent --remove-source=127.0.0.1 --zone=block   # remove the blacklist entry

127.0.0.1 is only a placeholder in the source commands: loopback traffic is accepted before any zone is consulted, so use a remote address or CIDR (e.g. 192.168.128.0/24). Source entries are matched before interface bindings, so for that address the source zone wins over the zone its interface belongs to.

 

firewall-cmd --zone=public --add-port=80/tcp --permanent      # open 80/tcp in the public zone

firewall-cmd --zone=public --add-port=443/tcp --permanent     # open 443/tcp

firewall-cmd --permanent --zone=public --remove-port=22/tcp   # close an explicitly added 22/tcp entry

All three are --permanent and take effect only after firewall-cmd --reload. The last one does not close SSH by itself: port entries and service entries are separate lists, and the default public zone allows SSH through the ssh service, so 22/tcp stays open until that service is removed as well. Check the result with firewall-cmd --zone=public --list-all.

 

Restrict SSH logins on port 22 to specific IPs

Step 1: stop the zone from accepting SSH from everywhere. Deleting /usr/lib/firewalld/services/ssh.xml (the approach originally used here) and reloading does that, but the file is owned by the firewalld package and comes back with the next package update; local service definitions belong in /etc/firewalld/services/. The supported way is to remove the service from the zone:
firewall-cmd --permanent --remove-service=ssh
Reload the firewall rules
firewall-cmd --reload

 

Step 2: add a rule for each permitted address. The rule is a single argument, so wrap it in single quotes to keep the inner double quotes intact (nested double quotes, as in the original, are stripped by the shell before firewalld sees the rule).

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.128.93" port port="22" protocol="tcp" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port port="3306" protocol="tcp" accept'

firewall-cmd --reload

Without --zone these rules land in the default zone; confirm them with firewall-cmd --list-rich-rules and test an SSH login from the permitted address before closing the current session. The 3306 rule is redundant as written: loopback traffic is accepted before any zone rule, so a local MySQL client never needs it; to expose MySQL to a remote client, put that client's address in the rule instead.

Remove the rules (the rule text must match what was added):

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.128.93" port port="22" protocol="tcp" accept'

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="127.0.0.1" port port="3306" protocol="tcp" accept'

firewall-cmd --reload
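The script below is an added example (not code from the original post) that carries the whole SSH lockdown through as one unit, covering both the port/service commands above and the rich-rule steps: it removes the ssh service and any explicit 22/tcp entry from the zone, adds the rich rule for one permitted address, reloads, and then confirms from the zone listing that nothing still opens port 22 to everyone. The zone name, the permitted address and the two `--list-all` dumps used for the dry run are assumptions. Run it as `sh restrict_ssh.sh apply` on a host to change the permanent configuration; with no argument it only exercises the check against the embedded samples.

```shell
#!/bin/sh
# Added example, not from the original post: restrict SSH to one source IP
# with firewalld and verify from the zone listing that port 22 is no longer
# open to everyone. ZONE, ALLOWED_IP and the sample dumps are assumptions.
set -eu

ZONE="${ZONE:-public}"
ALLOWED_IP="${ALLOWED_IP:-192.168.128.93}"

# Build the rich rule as one string. Callers pass it as a single argument
# via "$(...)" so the inner double quotes reach firewalld intact.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="22" protocol="tcp" accept' "$1"
}

# Read a `firewall-cmd --zone=... --list-all` dump on stdin.
# Returns 0 (true) if SSH is still reachable from any source, i.e. either the
# ssh service or an explicit 22/tcp port entry is still in the zone. Both are
# checked because services and ports are independent lists in firewalld:
# removing 22/tcp changes nothing while the ssh service is still listed.
ssh_open_to_all() {
    awk '
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) if ($i == "ssh")    open = 1 }
        /^[[:space:]]*ports:/    { for (i = 2; i <= NF; i++) if ($i == "22/tcp") open = 1 }
        END { if (open) exit 0; exit 1 }
    '
}

# Permanent change, reload, verification. Run this from a console or from a
# session you can afford to lose: the ssh service leaves the zone first.
apply_lockdown() {
    firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
    firewall-cmd --permanent --zone="$ZONE" --remove-port=22/tcp || true   # only present if someone added it explicitly
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule "$ALLOWED_IP")"
    firewall-cmd --reload
    if firewall-cmd --zone="$ZONE" --list-all | ssh_open_to_all; then
        echo "zone $ZONE still allows SSH from everywhere; check services/ports" >&2
        return 1
    fi
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Constructed sample dumps (assumed, not captured from a real host) so the
# check can be exercised on a machine without firewalld.
SAMPLE_BEFORE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'
SAMPLE_AFTER='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.128.93" port port="22" protocol="tcp" accept
'

if [ "${1:-}" = "apply" ]; then
    apply_lockdown
else
    # Dry run: show the rule that would be added and exercise the check.
    echo "rich rule: $(ssh_rich_rule "$ALLOWED_IP")"
    if printf '%s' "$SAMPLE_BEFORE" | ssh_open_to_all; then echo "sample before: ssh open to all"; fi
    if printf '%s' "$SAMPLE_AFTER" | ssh_open_to_all; then echo "sample after: ssh still open"; else echo "sample after: ssh limited to the rich rule"; fi
fi
```

The final `--list-rich-rules` output is the evidence to keep: the only remaining path to port 22 should be the rich rule for the permitted address. Confirm it by logging in from that address, and from any other address expect the connection to be rejected.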

 

References:

https://blog.csdn.net/m0_72838865/article/details/126176718

https://blog.csdn.net/qwefyjwww/article/details/84964797

https://blog.csdn.net/weixin_42326851/article/details/124713022

 

 

ICMP timestamp request/reply vulnerability (scanner finding)

Traceroute probing allowed (scanner finding)

Add rules (firewalld direct rules; rules given for the built-in INPUT chain are placed in the INPUT_direct chain):

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 0 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 3 -m comment --comment "deny traceroute" -j DROP

firewall-cmd --reload

The first two rules do what their comment says: an unsolicited timestamp request dropped in INPUT never reaches the kernel, so no timestamp reply is sent, which is exactly what the scanner tests. The three "deny traceroute" rules are harmless but ineffective. firewalld's INPUT chain accepts ESTABLISHED,RELATED traffic before it reaches INPUT_direct, so replies to this host's own pings and traceroutes (types 0 and 11) and ICMP errors for its own connections (type 3) never meet these rules; and a traceroute aimed at this host is revealed by the host's own reply to the probe (the zone's reject message, ICMP host-prohibited by default, or an echo reply), which an INPUT rule cannot suppress. To hide the last hop, stop answering the probes instead: firewall-cmd --permanent --zone=public --set-target=DROP makes the zone discard unsolicited packets rather than reject them, and firewall-cmd --permanent --zone=public --add-icmp-block=echo-request silences ICMP-based traceroute at the cost of ping. The timestamp types can be blocked the same way (--add-icmp-block=timestamp-request and --add-icmp-block=timestamp-reply) without direct rules at all.

firewall-cmd --direct --get-all-rules   # show the direct rules

Remove the rules (the arguments must match the added rule exactly, comment included):

firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 0 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 3 -m comment --comment "deny traceroute" -j DROP
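As an added example (not code from the original post), here is the same hardening done with firewalld's own zone settings rather than direct rules: the two timestamp types go into the zone's icmp-blocks, the zone target becomes DROP so unsolicited probes are discarded instead of answered, and a check reads the `--list-all` dump to confirm both. The zone name and the sample dumps are assumptions; firewall-cmd is only invoked when the script is called with the `apply` argument.

```shell
#!/bin/sh
# Added example, not from the original post: address the timestamp and
# traceroute findings with firewalld zone settings instead of direct rules,
# then verify from the zone dump. ZONE and the sample dumps are assumptions.
set -eu

ZONE="${ZONE:-public}"

# Read a `firewall-cmd --zone=... --list-all` dump on stdin.
# Returns 0 only when both timestamp types are in icmp-blocks and the zone
# target is DROP; anything else (default target, one type missing) returns 1.
icmp_hardened() {
    awk '
        /^[[:space:]]*target:/      { if ($2 == "DROP") drop = 1 }
        /^[[:space:]]*icmp-blocks:/ { for (i = 2; i <= NF; i++) {
                                          if ($i == "timestamp-request") req = 1
                                          if ($i == "timestamp-reply")   rep = 1
                                      } }
        END { if (drop && req && rep) exit 0; exit 1 }
    '
}

# Permanent changes; only runs when the script is called with "apply".
icmp_harden() {
    # Timestamp finding: with the request type blocked inbound the kernel never
    # sees it and never answers. Blocking replies too keeps unsolicited
    # timestamp replies out; neither touches normal traffic.
    firewall-cmd --permanent --zone="$ZONE" --add-icmp-block=timestamp-request
    firewall-cmd --permanent --zone="$ZONE" --add-icmp-block=timestamp-reply
    # Traceroute finding: a host shows up as the last hop because it answers
    # the probe (the zone's reject message for a UDP/TCP probe). Target DROP
    # makes the zone discard what it does not explicitly allow; established
    # and related traffic is accepted before the zone is consulted, so the
    # services already opened keep working.
    firewall-cmd --permanent --zone="$ZONE" --set-target=DROP
    # ICMP-based traceroute (traceroute -I, Windows tracert) is answered by
    # echo replies; uncomment to hide from it as well, at the cost of ping.
    # firewall-cmd --permanent --zone="$ZONE" --add-icmp-block=echo-request
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-all | icmp_hardened \
        || { echo "zone $ZONE is not hardened as expected" >&2; return 1; }
}

# Constructed sample dumps (assumed, not captured from a real host).
SAMPLE_DEFAULT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'
SAMPLE_HARDENED='public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: timestamp-reply timestamp-request
  rich rules:
'

if [ "${1:-}" = "apply" ]; then
    icmp_harden
else
    # Dry run: exercise the check against the two embedded samples.
    if printf '%s' "$SAMPLE_DEFAULT" | icmp_hardened; then echo "default sample: hardened"; else echo "default sample: not hardened"; fi
    if printf '%s' "$SAMPLE_HARDENED" | icmp_hardened; then echo "hardened sample: ok"; else echo "hardened sample: check failed"; fi
fi
```

Verify from another host as root: `nmap -sn -PP --disable-arp-ping <host>` sends only ICMP timestamp requests and should now report the host as down, and `traceroute -n <host>` should end in `* * *` instead of the host's address (`traceroute -I` still gets echo replies unless echo-request is blocked too).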

 

References

https://www.jianshu.com/p/e22a338361c3

https://www.csdn.net/tags/OtDacg2sNzMzNTktYmxvZwO0O0OO0O0O.html

https://www.cnblogs.com/ybinshi/p/15830306.html

 

posted @ 2021-06-11 10:34  day959