Felhasználói eszközök
tudasbazis:private:linux:firewalld
Különbségek
A kiválasztott változat és az aktuális verzió közötti különbségek a következők.
| Előző változat mindkét oldalon Előző változat | |||
|
tudasbazis:private:linux:firewalld [2023.07.28 03:55] tia eltávolítva |
— (aktuális) | ||
|---|---|---|---|
| Sor 1: | Sor 1: | ||
| - | ====== FirewallD ====== | ||
| - | |||
| - | <code> | ||
| - | https://serverfault.com/a/1127636/122703 | ||
| - | |||
| - | firewall-cmd --list-all-zones | ||
| - | firewall-cmd --get-active-zones | ||
| - | firewall-cmd --get-services | ||
| - | firewall-cmd --zone=public --list-all | ||
| - | firewall-cmd --zone=public --list-all | ||
| - | |||
| - | firewall-cmd --change-interface=eth0 --zone=public --permanent | ||
| - | firewall-cmd --zone=public --add-service=ssh --permanent | ||
| - | firewall-cmd --set-default-zone=drop | ||
| - | |||
| - | firewall-cmd --reload | ||
| - | |||
| - | iptables -L | ||
| - | |||
| - | |||
| - | |||
| - | |||
| - | |||
| - | # https://github.com/firewalld/firewalld/issues/869#issuecomment-1246740576 | ||
| - | # https://www.cherryservers.com/blog/how-to-setup-linux-firewall-using-firewalld | ||
| - | # firewall-cmd --get-zones | ||
| - | # firewall-cmd --get-active-zones | ||
| - | |||
| - | # https://serverfault.com/a/1127636/122703 | ||
| - | ## 1. Stop Docker | ||
| - | systemctl stop docker.socket docker.service | ||
| - | |||
| - | # Create clean DOCKER-USER chain | ||
| - | firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER | ||
| - | firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER | ||
| - | firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER | ||
| - | |||
| - | ## 3. Add iptables rules to DOCKER-USER chain - unrestricted outbound, restricted inbound to private IPs | ||
| - | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world' | ||
| - | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 127.0.0.0/8 -m comment --comment 'allow internal docker communication, loopback addresses' | ||
| - | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication, private range' | ||
| - | |||
| - | ## 3.1 optional: for wider internal networks | ||
| - | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 192.168.0.0/16 -m comment --comment 'allow internal docker communication, private range' | ||
| - | |||
| - | ## 4. Block all other IPs. This rule has lowest precedence, so you can add rules before this one later. | ||
| - | firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j DROP -m comment --comment 'reject all other traffic to DOCKER-USER' | ||
| - | |||
| - | ## 5. Activate rules | ||
| - | firewall-cmd --reload | ||
| - | |||
| - | ## 6. Start Docker | ||
| - | systemctl start docker.socket docker.service | ||
| - | </code> | ||
Hacsak máshol nincs egyéb rendelkezés, ezen wiki tartalma a következő licenc alatt érhető el: CC Attribution-Noncommercial-Share Alike 4.0 International
