How to allow only specific IPs to access a Linux (CentOS 7) server using the firewall (firewalld)
When a Linux server is run for internal company use, you often need to make sure that only specific users can reach it. There are several ways to do this, but the simplest is to use the firewall to block everything except specific IPs
Since RHEL 7, the daemon that manages the firewall has changed to 'firewalld'.
# Install firewalld
[root@localhost ~]# yum install firewalld
# Start firewalld
[root@localhost ~]# systemctl start firewalld
# Stop firewalld
[root@localhost ~]# systemctl stop firewalld
# Check the firewalld status (stopped state)
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2023-05-17 13:15:44 KST; 8s ago
Docs: man:firewalld(1)
Process: 800 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 800 (code=exited, status=0/SUCCESS)
# "Active" shows the service as dead. In the "Loaded" line, "service; enabled" means firewalld is configured to start automatically when the system reboots.
May 16 09:13:50 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 16 09:13:51 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 16 09:13:52 localhost.localdomain firewalld[800]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. I... it now.
May 17 13:15:43 localhost.localdomain systemd[1]: Stopping firewalld - dynamic firewall daemon...
May 17 13:15:44 localhost.localdomain systemd[1]: Stopped firewalld - dynamic firewall daemon.
# The "Stopping" / "Stopped" log lines confirm that firewalld is currently stopped.
# Check the firewalld status (running state)
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-05-17 13:16:08 KST; 3s ago
Docs: man:firewalld(1)
Main PID: 6354 (firewalld)
CGroup: /system.slice/firewalld.service
└─6354 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
# "Active" shows firewalld running
May 17 13:16:08 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 17 13:16:08 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 17 13:16:08 localhost.localdomain firewalld[6354]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. ... it now.
Hint: Some lines were ellipsized, use -l to show in full.
# stop
What if you do not want firewalld to start when the server reboots?
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-05-17 13:16:08 KST; 7min ago
Docs: man:firewalld(1)
Main PID: 6354 (firewalld)
CGroup: /system.slice/firewalld.service
└─6354 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
May 17 13:16:08 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 17 13:16:08 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 17 13:16:08 localhost.localdomain firewalld[6354]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. ... it now.
Hint: Some lines were ellipsized, use -l to show in full.
# Turn off automatic start-up with disable
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
# The server has not been rebooted yet, so firewalld is still running, but it is now marked "disabled" and will not start automatically on the next reboot.
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2023-05-17 13:16:08 KST; 8min ago
Docs: man:firewalld(1)
Main PID: 6354 (firewalld)
CGroup: /system.slice/firewalld.service
└─6354 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
May 17 13:16:08 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 17 13:16:08 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 17 13:16:08 localhost.localdomain firewalld[6354]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. ... it now.
Hint: Some lines were ellipsized, use -l to show in full.
# After leaving the session with exit and checking again, firewalld was still running.
# After a full reboot, checking the current state of firewalld shows that it is inactive.
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
## Without starting firewalld, enable it so that it starts automatically after a reboot
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
# Automatic start-up is now enabled, but the firewall is not running yet
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
# After the reboot, firewalld has started automatically as expected
Last login: Wed May 17 13:27:20 2023 from gateway
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-05-17 13:30:49 KST; 37s ago
Docs: man:firewalld(1)
Main PID: 800 (firewalld)
CGroup: /system.slice/firewalld.service
└─800 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
May 17 13:30:48 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 17 13:30:49 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 17 13:30:49 localhost.localdomain firewalld[800]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. I... it now.
Hint: Some lines were ellipsized, use -l to show in full.
# Reload the firewall (required after any change to the firewall configuration)
[root@localhost ~]# firewall-cmd --reload
success
# Check the firewall state
[root@localhost ~]# firewall-cmd --state
# If firewalld is running = running
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# firewall-cmd --state
running
# If firewalld is stopped = not running
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# firewall-cmd --state
not running
Checking the zone configuration files (a zone is a trust level for a network, defined to match the server's role; if no zone has been configured, the public zone is used by default.)
[root@localhost ~]# cd /usr/lib/firewalld/zones
[root@localhost zones]# ls -l
total 36
-rw-r--r--. 1 root root 299 Apr 28 2021 block.xml
-rw-r--r--. 1 root root 293 Apr 28 2021 dmz.xml
-rw-r--r--. 1 root root 291 Apr 28 2021 drop.xml
-rw-r--r--. 1 root root 304 Apr 28 2021 external.xml
-rw-r--r--. 1 root root 369 Apr 28 2021 home.xml
-rw-r--r--. 1 root root 384 Apr 28 2021 internal.xml
-rw-r--r--. 1 root root 315 Apr 28 2021 public.xml
-rw-r--r--. 1 root root 162 Apr 28 2021 trusted.xml
-rw-r--r--. 1 root root 311 Apr 28 2021 work.xml
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# Active zones
[root@localhost ~]# firewall-cmd --get-active-zones
public
interfaces: ens33
# Print the zone configured as the default
[root@localhost ~]# firewall-cmd --get-default-zone
public
# List of firewall rules currently 'registered' (in the default zone)
[root@localhost ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 1251/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Print the settings of a specific zone (using the drop zone as an example)
[root@localhost ~]# firewall-cmd --zone=drop --list-all
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Print all zones in detail
[root@localhost ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 1251/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Adding/removing firewall ports (the reload command must be used for a port change to take effect; otherwise it is not applied after a reboot.)
# Ports currently in the default zone
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 1251/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# If no zone is specified, the port is registered in the default zone, which is public.
[root@localhost ~]# firewall-cmd --add-port=21/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 1251/tcp 21/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Adding a port to a specific zone
[root@localhost ~]# firewall-cmd --zone=public --add-port=22/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 1251/tcp 21/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# If the zone you are registering into already contains the same port, you get
# a warning that it is already registered.
[root@localhost ~]# firewall-cmd --add-port=21/tcp
Warning: ALREADY_ENABLED: '21:tcp' already in 'public'
success
# With port 21 already registered in the public zone, registering port 21 in the drop zone
# works without any problem: port 21 is then registered in both the public zone and the drop zone.
[root@localhost ~]# firewall-cmd --zone=drop --add-port=21/tcp
success
[root@localhost ~]# firewall-cmd --zone=drop --list-all
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports: 21/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 1251/tcp 21/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --add-port=21/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 1251/tcp 21/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Removing port 21 with the remove command
[root@localhost ~]# firewall-cmd --remove-port=21/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 1251/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --permanent --add-port=21/tcp : adds port 21 to the current default zone so that it is automatically present again after a reboot
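The title's goal, allowing only specific IPs, can be reached with the zones listed above: the allow-listed sources go into a zone that accepts ssh, and the interface is moved into the drop zone. The following script is an added example, not code from the original post; it assumes the interface ens33 from the post, constructed allow-list addresses 192.0.2.10 and 192.0.2.11, and a FWCMD variable that lets a stand-in replace firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original post): restrict a CentOS 7 host so that
# only an allow-list of admin source IPs can reach it, using the zones shown in
# the post (drop = target DROP, work = ships with the ssh service).
# Assumed values: interface ens33 (from the post), constructed sources
# 192.0.2.10/11, and FWCMD, which lets a stand-in replace firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"
IFACE="${IFACE:-ens33}"
ALLOWED_SOURCES="${ALLOWED_SOURCES:-192.0.2.10/32 192.0.2.11/32}"  # constructed
ADMIN_ZONE="work"    # zone that receives the allow-listed sources
DEFAULT_ZONE="drop"  # traffic not matched by a source rule is silently dropped

# Add a source to the admin zone unless it is already there (avoids the
# ALREADY_ENABLED warning the post shows for duplicate entries).
allow_source() {
    if "$FWCMD" --zone="$ADMIN_ZONE" --query-source="$1" >/dev/null 2>&1; then
        echo "source $1 already in zone $ADMIN_ZONE"
    else
        "$FWCMD" --zone="$ADMIN_ZONE" --add-source="$1"
    fi
}

# Apply to the running firewall first so the result can be verified from an
# allowed IP before it is persisted. Sources are admitted BEFORE the interface
# is moved into the drop zone: firewalld matches a packet's source zone before
# its interface zone, so the allow-listed hosts keep their access.
restrict_to_allowed_sources() {
    for src in $ALLOWED_SOURCES; do
        allow_source "$src"
    done
    "$FWCMD" --zone="$ADMIN_ZONE" --add-service=ssh
    "$FWCMD" --zone="$DEFAULT_ZONE" --change-interface="$IFACE"
}

# Persist the runtime state once it has been verified. Note the direction:
# --runtime-to-permanent saves runtime into permanent, whereas --reload (used
# in the post) replaces runtime with permanent and would discard an unsaved
# allow-list.
persist_rules() {
    "$FWCMD" --runtime-to-permanent
}

case "${1:-}" in
    apply)   restrict_to_allowed_sources ;;
    persist) persist_rules ;;
esac
```

Run it as `sh restrict.sh apply`, confirm with `firewall-cmd --list-all-zones` and a login from an allowed address, then `sh restrict.sh persist`.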