SUSE Linux系统firewall防火墙配置

suse12下操作为

关闭防火墙服务:

systemctl stop SuSEfirewall2.service

取消开机启动防火墙服务

systemctl disable SuSEfirewall2.service

开机开启防火墙服务

systemctl enable SuSEfirewall2.service

启动防火墙服务

systemctl start SuSEfirewall2.service

查询防火墙服务状态

systemctl status SuSEfirewall2.service

根据帮助命令查看

SUSE-12:~ # /sbin/SuSEfirewall2 -h

SuSEfirewall2 3.6, Copyright (C) 2005  SUSE LINUX Products GmbH

stateful packet filter rules generator for iptables.

/sbin/SuSEfirewall2 start|test|debug [file FILENAME]

/sbin/SuSEfirewall2 basic|stop|close|status|help

/sbin/SuSEfirewall2 open ZONE TYPE services...

/sbin/SuSEfirewall2 on|off

/sbin/SuSEfirewall2 [-s ] update-rpc

Options:

  start          generate and load the firewall filter rules from

              /etc/sysconfig/SuSEfirewall2

  stop        unload all filter rules

  close       no incoming network traffic except bootp+ping (for boot security)

  basic       set basic filter rules that drop all incoming access

  test        generate and load the filter rules but do not drop any packet but log

              to syslog anything which *would* be denied

  status      print the output of "iptables -nvL"

3. SuSEfirewall2配置文件中FW_SERVICES_EXT_TCP与FW_SERVICES_ACCEPT_EXT的区别：

FW_SERVICES_EXT_TCP 不能做更详细的配置，只有允许和不允许两种配置，不能过滤IP,只能过滤端口;

FW_SERVICES_ACCEPT_EXT 可以做更详细的配置和限制，对IP和端口同时作限制;

但是，如果对同一端口既然配置了FW_SERVICES_EXT_TCP,也配置了FW_SERVICES_ACCEPT_EXT,则系统优先使用

FW_SERVICES_EXT_TCP配置项。

4. 如果有一种场景，既要让指定的IP能访问22端口，又要让所有IP能访问80端口，则这样配置：

FW_SERVICES_EXT_TCP = “80”   #多个端口用空格分开

FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"  #开放ftp，ssh，telnet，512-514这些端口

FW_SERVICES_ACCEPT_EXT="192.168.1.100,tcp,22"

Format: space separated list of net,protocol[,dport[,sport[,flags]]]

# Example: "0/0,tcp,22"

#

# Supported flags are

#   hitcount=NUMBER     : ipt_recent --hitcount parameter

#   blockseconds=NUMBER : ipt_recent --seconds parameter

#   recentname=NAME     : ipt_recent --name parameter

# Example:

#    Allow max three ssh connects per minute from the same IP address:

#      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

每分钟来自相同ip最大3个ssh链接的语法

如果要对同一个source IP开放多个端口，应将相同的IP写两个，中间用空格隔开

FW_SERVICES_ACCEPT_EXT="192.168.1.100 192.168.1.100,tcp,22 8080 80"

如果对多个source ip 开放ssh端口，配置如下，不能开多行

FW_SERVICES_ACCEPT_EXT="10.1.1.1 20.1.1.1 30.1.1.1,tcp,22"

5. /etc/sysconfig/SuSEfirewall2配置文件中也有相应的详细说明。

firewall配置变更后，需要restart防火墙服务

systemctl restart SuSEfirewall2

配置变更完后，可以通过命令/sbin/SuSEfirewall2 status 查看防火墙端口状态。