CentOS 7 firewalld and SELinux: the first line of defense

Firewalld basics

Firewalld service status

Firewalld is usually left off in development environments.
In production it is used with rules that limit exposure to attack.
  1. Check status: systemctl status firewalld
  2. Start: systemctl start firewalld
  3. Stop: systemctl stop firewalld
  4. Restart: systemctl restart firewalld
  5. Reload: systemctl reload firewalld
  6. Enable at boot: systemctl enable firewalld
  7. Disable at boot: systemctl disable firewalld

Allowing a service through firewalld

# for example, add http (the change will be valid at once)
[root@dlp ~]# firewall-cmd --add-service=http 
success
[root@dlp ~]# firewall-cmd --list-service 
dhcpv6-client http ssh
# for example, remove http
[root@dlp ~]# firewall-cmd --remove-service=http 
success
[root@dlp ~]# firewall-cmd --list-service 
dhcpv6-client ssh
# for example, add http permanently (for a permanent change, firewalld must be reloaded before it takes effect)
[root@dlp ~]# firewall-cmd --add-service=http --permanent 
success
[root@dlp ~]# firewall-cmd --reload 
success
[root@dlp ~]# firewall-cmd --list-service 
dhcpv6-client http ssh

Allowing a port through firewalld

# for example, add TCP 465
[root@dlp ~]# firewall-cmd --add-port=465/tcp 
success
[root@dlp ~]# firewall-cmd --list-port 
465/tcp
# for example, remove TCP 465
[root@dlp ~]# firewall-cmd --remove-port=465/tcp 
success
[root@dlp ~]# firewall-cmd --list-port 
 
# for example, add TCP 465 permanently
[root@dlp ~]# firewall-cmd --add-port=465/tcp --permanent 
success
[root@dlp ~]# firewall-cmd --reload 
success
[root@dlp ~]# firewall-cmd --list-port 
465/tcp
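The sessions above show the difference between a runtime change (active at once, but gone after the next reload or reboot) and a --permanent change (saved on disk, but inactive until firewall-cmd --reload). The script below is an added example, not code from the original post: it diffs the two views so that this kind of drift is visible, and it validates a PORT/PROTO spec before it is handed to firewall-cmd. The function names (validate_port_spec, rule_diff, audit_firewalld) and the sample service lists are my own constructions; the firewall-cmd options are real, but the calls are only made when the tool is present, so the script also runs on a host without firewalld.

```shell
#!/bin/sh
# Added example, not code from the original post: compare firewalld's runtime
# view with its permanent (on-disk) view. A rule added without --permanent is
# active now but vanishes at the next reload/reboot; a rule added with
# --permanent is saved but inactive until --reload. The functions work on plain
# text so they can be exercised on sample data.

# validate_port_spec PORT/PROTO -> exit 0 if well formed (e.g. 465/tcp), 1 otherwise.
validate_port_spec() {
    spec=$1
    case "$spec" in
        */*) ;;
        *) return 1 ;;
    esac
    port=${spec%%/*}
    proto=${spec#*/}
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# rule_diff "RUNTIME LIST" "PERMANENT LIST" -> one line per difference:
#   runtime-only X    active now, lost at the next firewall-cmd --reload / reboot
#   permanent-only X  saved on disk, not active until firewall-cmd --reload
rule_diff() {
    runtime=$1
    permanent=$2
    for item in $runtime; do
        case " $permanent " in
            *" $item "*) ;;
            *) printf 'runtime-only %s\n' "$item" ;;
        esac
    done
    for item in $permanent; do
        case " $runtime " in
            *" $item "*) ;;
            *) printf 'permanent-only %s\n' "$item" ;;
        esac
    done
}

# audit_firewalld service|port -> real diff on a host where firewalld is running (assumption).
audit_firewalld() {
    kind=$1
    rule_diff "$(firewall-cmd --list-${kind}s)" "$(firewall-cmd --permanent --list-${kind}s)"
}

# Constructed sample lists (not captured from a real host).
RUNTIME_SERVICES="dhcpv6-client http ssh"
PERMANENT_SERVICES="dhcpv6-client ssh https"
echo "service drift:"
rule_diff "$RUNTIME_SERVICES" "$PERMANENT_SERVICES"
# prints:
#   runtime-only http
#   permanent-only https

for spec in 465/tcp 70000/tcp 22/icmp; do
    if validate_port_spec "$spec"; then echo "$spec: ok"; else echo "$spec: rejected"; fi
done

# Only talk to firewalld when it is actually installed.
if command -v firewall-cmd >/dev/null 2>&1; then
    audit_firewalld service
    audit_firewalld port
fi
```

A "runtime-only" line is the one to worry about on a production host: the rule works today and silently disappears at the next reload, so open ports with --permanent followed by --reload, or add both forms.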

Firewalld and ICMP (Internet Control Message Protocol)

If you want to know what ICMP is in detail, look up the relevant references.
ICMP messages fall roughly into two categories: query messages and error messages. Query messages have the following uses:
ping queries, subnet mask queries (used by diskless workstations to initialize their subnet mask at startup), and timestamp queries (which can be used to synchronize time)
Applications of ICMP: ping, traceroute
Knowing this much is enough here; the echo-request below is what ping sends.
# for example, add an ICMP block for echo-request (incoming ping is then dropped)
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request 
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
echo-request
# for example, remove echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request 
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
 
# display ICMP types
[root@dlp ~]# firewall-cmd --get-icmptypes 
destination-unreachable echo-reply echo-request parameter-problem redirect 
router-advertisement router-solicitation source-quench time-exceeded

Checking whether SELinux is enabled

1. Check whether SELinux is enabled:

# display current mode
[root@dlp ~]# getenforce 
Enforcing
# enforcing   ⇒ SELinux is enabled and the policy is enforced (default)
# permissive  ⇒ the policy is not enforced; violations are only recorded in the audit log
# disabled    ⇒ SELinux is disabled
# the mode can also be displayed with sestatus (see the "Current mode" line)
[root@dlp ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

2. Temporarily disabling SELinux

[root@dlp ~]# getenforce 
Enforcing
# switch to "Permissive" with "setenforce 0"
[root@dlp ~]# setenforce 0 
[root@dlp ~]# getenforce 
Permissive
# switch to "Enforcing" with "setenforce 1"
[root@dlp ~]# setenforce 1 
[root@dlp ~]# getenforce 
Enforcing

3. Permanently disabling SELinux

[root@dlp ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# change value you'd like to set
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# reboot to apply the change
[root@dlp ~]# reboot

4. Things to note

If you change SELinux from "disabled" back to "enforcing" or "permissive",
it is not enough to change the value back in the config file;
one more step is needed,
because files created while SELinux was disabled carry no security labels.
# request a filesystem relabel as follows; it is performed on the next boot
[root@dlp ~]# touch /.autorelabel 
[root@dlp ~]# reboot
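Sections 1 and 4 above are really one check: the mode running now (after setenforce, or "disabled") and the mode in /etc/selinux/config can differ, and the disabled-to-enabled transition additionally needs a relabel. The script below is an added example, not code from the original post: it parses sestatus-style output and the config file contents and classifies the host as consistent, drifting, or in need of touch /.autorelabel. The function names (sestatus_field, selinux_state, check_host) and the sample texts are my own constructions; sestatus and the config file format are the real ones shown on this page.

```shell
#!/bin/sh
# Added example, not code from the original post: detect SELinux mode drift
# from sestatus output and /etc/selinux/config. The mode in effect now and the
# mode that applies after a reboot can differ; going from disabled back to
# enforcing/permissive also needs a relabel, because files written while SELinux
# was disabled have no labels.

# sestatus_field NAME TEXT -> prints the value of the "NAME:" line in sestatus output.
sestatus_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# selinux_state SESTATUS_TEXT CONFIG_TEXT -> prints one of:
#   consistent      running mode equals the configured mode
#   drift           they differ (e.g. setenforce 0 on an enforcing config);
#                   a reboot will silently switch the mode
#   relabel-needed  running disabled, config enforcing/permissive:
#                   run "touch /.autorelabel" before rebooting
selinux_state() {
    status_text=$1
    config_text=$2
    if [ "$(sestatus_field 'SELinux status' "$status_text")" = disabled ]; then
        current=disabled
    else
        current=$(sestatus_field 'Current mode' "$status_text")
    fi
    # "SELINUX=" does not match the "SELINUXTYPE=" line or the "#" comments.
    configured=$(printf '%s\n' "$config_text" | sed -n 's/^SELINUX=//p')
    if [ "$current" = "$configured" ]; then
        echo consistent
    elif [ "$current" = disabled ]; then
        echo relabel-needed
    else
        echo drift
    fi
}

# Constructed sample inputs (not captured from a real host); the enforcing one
# mirrors the sestatus output shown earlier on this page.
STATUS_ENFORCING='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'
STATUS_PERMISSIVE='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
STATUS_DISABLED='SELinux status:                 disabled'
CONFIG_ENFORCING='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
CONFIG_DISABLED='SELINUX=disabled
SELINUXTYPE=targeted'

selinux_state "$STATUS_ENFORCING"  "$CONFIG_ENFORCING"   # consistent
selinux_state "$STATUS_PERMISSIVE" "$CONFIG_ENFORCING"   # drift
selinux_state "$STATUS_DISABLED"   "$CONFIG_ENFORCING"   # relabel-needed
selinux_state "$STATUS_DISABLED"   "$CONFIG_DISABLED"    # consistent

# check_host -> same classification for the host this runs on (assumes sestatus is installed).
check_host() {
    selinux_state "$(sestatus 2>/dev/null)" "$(cat /etc/selinux/config 2>/dev/null)"
}
if command -v sestatus >/dev/null 2>&1; then check_host; fi
```

"drift" is the state a setenforce 0 left behind for debugging and never reverted: nothing looks wrong until the next reboot flips the mode back, which is why the check compares both values rather than just reading getenforce.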
Last modification:February 9th, 2020 at 08:48 pm
The author put real effort into this article; please show some support.