
RHEL 7 (Systemd) – Firewall

The firewall in Red Hat Enterprise Linux 7 is enabled by default (you can see this with #iptables -L), but how do you turn it off?

First of all, RHEL 7 has switched to booting with systemd, so the old ways (#service, /etc/init.d/, #chkconfig) no longer apply; you have to use the #systemctl command instead (look up #systemctl on your own). Also, the firewall service is no longer named iptables; it is now called firewalld.

  • Firewall status
    [root@localhost ~]# systemctl status firewalld
    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
       Active: active (running) since Wed 2016-03-16 06:02:23 EDT; 15min ago
     Main PID: 550 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─550 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
    
    Mar 16 06:02:19 localhost.localdomain systemd[1]: Starting firewalld - dynami...
    Mar 16 06:02:23 localhost.localdomain systemd[1]: Started firewalld - dynamic...
    Hint: Some lines were ellipsized, use -l to show in full.
    
  • Stop and Start firewall
    You can still use the service command, but the system redirects it to systemctl. systemctl uses start and stop to turn the firewall on and off immediately.

    [root@localhost ~]# service firewalld stop
    Redirecting to /bin/systemctl stop  firewalld.service
    [root@localhost ~]# /bin/systemctl stop firewalld.service
    
    [root@localhost ~]# service firewalld start
    Redirecting to /bin/systemctl start  firewalld.service
    [root@localhost ~]# /bin/systemctl start firewalld.service
    
  • Disable and Enable firewall
    systemctl's enable and disable work like the old chkconfig iptables on / off: they set whether the service is started at boot.

    [root@localhost ~]# systemctl disable firewalld
    rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
    rm '/etc/systemd/system/basic.target.wants/firewalld.service'
    
    [root@localhost ~]# systemctl enable firewalld
    ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
    ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
    

However, iptables -L may still show rules defined:

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

This is because the virbr0 device is created when KVM is installed on RHEL 7 (for KVM networking see http://benjr.tw/8189).

[root@localhost ~]# ifconfig virbr0
virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:46:34:b0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.5254004634b0	yes		virbr0-nic

You can shut down virbr0 as follows (it does no harm to leave it on):

[root@localhost ~]# virsh net-list
[root@localhost ~]# virsh net-destroy default
[root@localhost ~]# virsh net-autostart default --disable
[root@localhost ~]# virsh net-undefine default
[root@localhost ~]# systemctl disable libvirtd.service
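The point above, that a stopped firewalld can leave the host unfiltered while iptables -L still shows libvirt's virbr0 rules, is easy to misread. The following added audit script (not from the original post) parses iptables -L output and the firewalld state into a single verdict; the rule text it runs on is a constructed sample modelled on the output shown above, and on a live host you would feed it `systemctl is-active firewalld` and `iptables -L` output instead.

```shell
#!/bin/sh
# Added example: classify host firewall posture from captured command output.
# Inputs are passed as strings so the logic can be tested offline.

# Print "CHAIN count" for every chain in `iptables -L` output.
# Chain header lines start with "Chain ", column headers with "target ",
# and every other non-blank line is one rule.
count_rules() {
  printf '%s\n' "$1" | awk '
    /^Chain / { chain = $2; n[chain] = 0; next }
    /^target / || NF == 0 { next }
    { n[chain]++ }
    END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# Total number of rules across all chains (0 when the output is empty).
total_rules() {
  count_rules "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Verdict from firewalld state ($1: active|inactive) and `iptables -L` text ($2):
#   enforcing - firewalld running, its rules loaded
#   open      - firewalld stopped and no rules at all (host is unfiltered)
#   residual  - firewalld stopped but rules remain, e.g. libvirt's virbr0
#               DNS/DHCP rules, which do not protect the host itself
fw_verdict() {
  n=$(total_rules "$2")
  case "$1" in
    active) echo enforcing ;;
    *)      [ "$n" -eq 0 ] && echo open || echo residual ;;
  esac
}

# Constructed sample: firewalld stopped, only libvirt's rules left behind.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

count_rules "$SAMPLE_RULES"
fw_verdict inactive "$SAMPLE_RULES"   # residual
```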
