FTP firewall configuration

2020-06-12  CloudFlyKing

firewall

Some basic syntax
Adding a port

[root@localhost ~]# firewall-cmd --zone=work --add-port=3306/tcp --permanent 
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20f0u1u6 enp90s0f3
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 3306/tcp 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

Removing a port

[root@localhost ~]# firewall-cmd --zone=work --remove-port=80/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20f0u1u6 enp90s0f3
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

Viewing the firewall policy

[root@localhost ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20f0u1u6 enp90s0f3
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

1. Change the default zone (the default is public):

[root@weixing01 ~]# firewall-cmd --set-default-zone=work
success
[root@weixing01 ~]# firewall-cmd --get-default-zone 
work

2. List the services in the current zone:

[root@localhost upload]# firewall-cmd --list-services 
ssh dhcpv6-client

3. List the services in a specified zone:

[root@localhost upload]# firewall-cmd --zone=public  --list-services 
ssh dhcpv6-client

4. Add services to a specified zone:

[root@localhost upload]# firewall-cmd --zone=public  --add-service=http
success
[root@localhost upload]# firewall-cmd --zone=public  --list-services 
ssh dhcpv6-client http

6. Location of the template files:

[root@localhost upload]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml

[root@localhost upload]# ls /usr/lib/firewalld/services/
amanda-client.xml        ipp-client.xml    pmwebapis.xml       squid.xml
amanda-k5-client.xml     ipp.xml           pmwebapi.xml        ssh.xml
bacula-client.xml        ipsec.xml         pop3s.xml           synergy.xml
bacula.xml               iscsi-target.xml  pop3.xml            syslog-tls.xml
ceph-mon.xml             kadmin.xml        postgresql.xml      syslog.xml
ceph.xml                 kerberos.xml      privoxy.xml         telnet.xml
dhcpv6-client.xml        kpasswd.xml       proxy-dhcp.xml      tftp-client.xml
dhcpv6.xml               ldaps.xml         ptp.xml             tftp.xml
dhcp.xml                 ldap.xml          pulseaudio.xml      tinc.xml
dns.xml                  libvirt-tls.xml   puppetmaster.xml    tor-socks.xml
docker-registry.xml      libvirt.xml       radius.xml          transmission-client.xml
dropbox-lansync.xml      mdns.xml          RH-Satellite-6.xml  vdsm.xml
freeipa-ldaps.xml        mosh.xml          rpc-bind.xml        vnc-server.xml
freeipa-ldap.xml         mountd.xml        rsyncd.xml          wbem-https.xml
freeipa-replication.xml  ms-wbt.xml        samba-client.xml    xmpp-bosh.xml
ftp.xml                  mysql.xml         samba.xml           xmpp-client.xml
high-availability.xml    nfs.xml           sane.xml            xmpp-local.xml
https.xml                ntp.xml           smtps.xml           xmpp-server.xml
http.xml                 openvpn.xml       smtp.xml
imaps.xml                pmcd.xml          snmptrap.xml
imap.xml                 pmproxy.xml       snmp.xml

7. Copy the ftp service template into the configuration directory:

cp  /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>

8. Copy the work zone template into the configuration directory:

cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

9. Edit work.xml to add the ftp service:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>

10. Change the default zone to work:

firewall-cmd --set-default-zone=work

11. Restart the firewall:

service firewalld restart
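
To check what a zone file such as the edited work.xml above actually exposes, here is an added Python audit script (not from the original post) that resolves each `<service name="..."/>` to the ports and kernel helper modules declared in its service XML. The ftp definition is the template quoted above; the ssh and dhcpv6-client definitions are constructed, simplified samples.

```python
import xml.etree.ElementTree as ET

# Service definitions: ftp is the template quoted in the post; the ssh and
# dhcpv6-client entries are constructed, simplified samples for this example.
SERVICE_XML = {
    "ftp": """<service><short>FTP</short>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>""",
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "dhcpv6-client": '<service><port protocol="udp" port="546"/></service>',
}

# The work zone as edited in step 9 of the post.
WORK_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>"""

def parse_service(xml_text):
    """Return (ports, modules) declared by one firewalld service file."""
    root = ET.fromstring(xml_text)
    ports = {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}
    modules = {m.get("name") for m in root.findall("module")}
    return ports, modules

def zone_exposure(zone_xml, service_xml):
    """Resolve a zone into the ports it opens and the conntrack helper modules
    its services need; ports opened directly via <port/> count too, and
    service names with no definition are reported instead of being ignored."""
    root = ET.fromstring(zone_xml)
    ports, modules, unknown = set(), set(), []
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in service_xml:
            unknown.append(name)
            continue
        p, m = parse_service(service_xml[name])
        ports |= p
        modules |= m
    for p in root.findall("port"):
        ports.add(f"{p.get('port')}/{p.get('protocol')}")
    return {"ports": ports, "modules": modules, "unknown": unknown}

if __name__ == "__main__":
    print(zone_exposure(WORK_ZONE_XML, SERVICE_XML))
```

For the work zone this reports 21/tcp, 22/tcp and 546/udp as open and nf_conntrack_ftp as the helper module the ftp service relies on, which is the module step 2 of the iptables section loads by hand.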

iptables configuration

1. Open port 21:

vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

2. Load the extra module ip_conntrack_ftp:

vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"

3. Restart the firewall:

service iptables restart