The differences between the selected revision and the current version are shown below.
tudasbazis:linux:firewalld [2023.07.28 03:55] tia removed |
— (current) | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== FirewallD ====== | ||
- | |||
- | <code> | ||
- | https://serverfault.com/a/1127636/122703 | ||
- | |||
- | firewall-cmd --list-all-zones | ||
- | firewall-cmd --get-active-zones | ||
- | firewall-cmd --get-services | ||
- | firewall-cmd --zone=public --list-all | ||
- | firewall-cmd --zone=public --list-all | ||
- | |||
- | firewall-cmd --change-interface=eth0 --zone=public --permanent | ||
- | firewall-cmd --zone=public --add-service=ssh --permanent | ||
- | firewall-cmd --set-default-zone=drop | ||
- | |||
- | firewall-cmd --reload | ||
- | |||
- | iptables -L | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | # https://github.com/firewalld/firewalld/issues/869#issuecomment-1246740576 | ||
- | # https://www.cherryservers.com/blog/how-to-setup-linux-firewall-using-firewalld | ||
- | # firewall-cmd --get-zones | ||
- | # firewall-cmd --get-active-zones | ||
- | |||
- | # https://serverfault.com/a/1127636/122703 | ||
- | ## 1. Stop Docker | ||
- | systemctl stop docker.socket docker.service | ||
- | |||
- | # Create clean DOCKER-USER chain | ||
- | firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER | ||
- | firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER | ||
- | firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER | ||
- | |||
- | ## 3. Add iptables rules to DOCKER-USER chain - unrestricted outbound, restricted inbound to private IPs | ||
- | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world' | ||
- | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 127.0.0.0/8 -m comment --comment 'allow internal docker communication, loopback addresses' | ||
- | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication, private range' | ||
- | |||
- | ## 3.1 optional: for wider internal networks | ||
- | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 192.168.0.0/16 -m comment --comment 'allow internal docker communication, private range' | ||
- | |||
- | ## 4. Block all other IPs. This rule has lowest precedence, so you can add rules before this one later. | ||
- | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j DROP -m comment --comment 'reject all other traffic to DOCKER-USER' | ||
- | |||
- | ## 5. Activate rules | ||
- | firewall-cmd --reload | ||
- | |||
- | ## 6. Start Docker | ||
- | systemctl start docker.socket docker.service | ||
- | </code> | ||
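Review bot: the RETURN rule in step 3, `firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 ...`, only matches the default docker0 bridge subnet; Docker allocates user-defined bridge networks (for example those created by docker compose) from the remaining /16 blocks of 172.16.0.0/12 and from 192.168.0.0/16 by default, so traffic between containers on such networks falls through to the priority-10 DROP in step 4 unless the optional 3.1 rule or an additional RETURN for those subnets is added; the step 4 comment already notes that rules with a lower priority number can be inserted later, and the same applies to any published port that must stay reachable from outside. Smaller points: the step list jumps from "## 1." to "## 3.", so the "Create clean DOCKER-USER chain" block should be labelled "## 2."; the line `firewall-cmd --zone=public --list-all` appears twice in the command list; and the step 4 rule uses `-j DROP` while its comment says "reject all other traffic", which should either say "drop" or use `-j REJECT` if a reject was intended.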