# CentOS 7 firewall and SELinux: the first line of defense

## firewalld basics

### firewalld status

> The firewall is usually not used at all in development environments.
> In production, rules are applied to protect the host against attacks.

1. Check status: `systemctl status firewalld`
2. Start: `systemctl start firewalld`
3. Stop: `systemctl stop firewalld`
4. Restart: `systemctl restart firewalld`
5. Reload rules: `systemctl reload firewalld`
6. Enable at boot: `systemctl enable firewalld`
7. Disable at boot: `systemctl disable firewalld`

### Allowing a service through firewalld

```shell
# for example, add http (the change will be valid at once)
[root@dlp ~]# firewall-cmd --add-service=http
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client http ssh

# for example, remove http
[root@dlp ~]# firewall-cmd --remove-service=http
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client ssh

# for example, add http permanently. (this permanent case, it's necessary to reload the Firewalld to enable the change)
[root@dlp ~]# firewall-cmd --add-service=http --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client http ssh
```

### Opening a port through firewalld

```shell
# for example, add TCP 465
[root@dlp ~]# firewall-cmd --add-port=465/tcp
success
[root@dlp ~]# firewall-cmd --list-port
465/tcp

# for example, remove TCP 465
[root@dlp ~]# firewall-cmd --remove-port=465/tcp
success
[root@dlp ~]# firewall-cmd --list-port

# for example, add TCP 465 permanently
[root@dlp ~]# firewall-cmd --add-port=465/tcp --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# firewall-cmd --list-port
465/tcp
```

### Blocking ICMP (Internet Control Message Protocol) in firewalld

> If you want to know more about what ICMP is, look up the relevant references.
> ICMP messages fall roughly into two classes: query messages and error messages. Query messages serve the following purposes:
> ping (echo) queries, subnet mask queries (used by diskless workstations to obtain their subnet mask during initialization), and timestamp queries (usable for time synchronization).
> Applications of ICMP: ping, traceroute.
> That much is enough for a basic understanding; the echo-request below is what ping uses.

```shell
# for example, add echo-request to prohibit it
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request

# for example, remove echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks

# display ICMP types
[root@dlp ~]# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
```

## Checking whether SELinux is enabled

### 1. Check whether SELinux is enabled

```shell
# display current mode
[root@dlp ~]# getenforce
Enforcing

# enforcing  ⇒ SELinux is enabled (default)
# permissive ⇒ MAC is not enabled, but only records audit logs according to Policies
# disabled   ⇒ SELinux is disabled

# possible to display with the command, too ("Current mode" line)
[root@dlp ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
```

### 2. Temporarily disabling SELinux

```shell
[root@dlp ~]# getenforce
Enforcing

# switch to "Permissive" with "setenforce 0"
[root@dlp ~]# setenforce 0
[root@dlp ~]# getenforce
Permissive

# switch to "Enforcing" with "setenforce 1"
[root@dlp ~]# setenforce 1
[root@dlp ~]# getenforce
Enforcing
```

### 3. Permanently disabling SELinux

```shell
[root@dlp ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

# change value you'd like to set
SELINUX=disabled

# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# restart to apply changing
[root@dlp ~]# reboot
```

### 4. Things to watch out for

> If you switch SELinux from "disabled" back to "enforcing" or "permissive",
> changing the value back in the config file is not enough;
> one more step is required,
> because the filesystem was last used with SELinux disabled and must be relabeled.

```shell
# set re-labeling like follows, then it will be done on next system restarting
[root@dlp ~]# touch /.autorelabel
[root@dlp ~]# reboot
```

Last modification: September 3, 2022
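Two pitfalls run through the sections above: a firewalld rule added without `--permanent` silently disappears on `--reload` or reboot, and a `setenforce 0` or an edited `/etc/selinux/config` leaves the live SELinux mode out of step with the configured one. The checks below are an added example (not code from the original post): they parse constructed samples that assume the usual text layout of `firewall-cmd --list-all`, `firewall-cmd --list-all --permanent`, and `sestatus`, and flag runtime-only rules, mode drift, and the disabled-to-enforcing case that needs `/.autorelabel`.

```python
# Added example, not the post's own code; all sample text below is constructed.
import re

# Constructed: runtime zone after --add-service/--add-port/--add-icmp-block
# were run WITHOUT --permanent; the permanent dump lacks those entries.
RUNTIME = """public (active)
  services: dhcpv6-client http ssh
  ports: 465/tcp 8080/tcp
  icmp-blocks: echo-request
"""
PERMANENT = """public
  services: dhcpv6-client ssh
  ports: 8080/tcp
  icmp-blocks:
"""
# Constructed: `setenforce 0` was used while the config file still says enforcing.
SESTATUS = """SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing
"""

def parse_list_all(text):
    """Map each list-valued zone field to the set of its entries."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s+(services|ports|icmp-blocks):\s*(.*)$", line)
        if m:
            out[m.group(1)] = set(m.group(2).split())
    return out

def runtime_only(runtime_text, permanent_text):
    """Entries that exist only at runtime: lost on --reload or reboot."""
    rt, pm = parse_list_all(runtime_text), parse_list_all(permanent_text)
    return {k: sorted(v - pm.get(k, set())) for k, v in rt.items()}

def selinux_drift(sestatus_text):
    """Live mode vs. /etc/selinux/config, as reported by sestatus."""
    f = dict(re.findall(r"^(Current mode|Mode from config file):\s*(\S+)",
                        sestatus_text, re.M))
    cur, cfg = f.get("Current mode"), f.get("Mode from config file")
    return None if cur == cfg else f"live mode {cur} differs from configured {cfg}"

def needs_autorelabel(sestatus_text, config_text):
    """True when SELinux is disabled now but the config turns it back on:
    touch /.autorelabel before rebooting so the filesystem gets labels."""
    disabled = re.search(r"^SELinux status:\s*disabled", sestatus_text, re.M)
    want = re.search(r"^SELINUX=(\w+)", config_text, re.M)
    return bool(disabled and want and want.group(1) in ("enforcing", "permissive"))
```

On a live host, feed the functions the real command output (for example via `subprocess.run([...], capture_output=True, text=True).stdout`) and treat any non-empty `runtime_only` result as a rule that will not survive the next reload.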