How to switch the firewalld ruleset to the nftables service on RHEL 9

Environment

$cat /etc/redhat-release
Red Hat Enterprise Linux release 9.2 (Plow)

Overview
The nftables framework classifies packets and is the successor to the iptables, ip6tables, arptables, ebtables and ipset utilities. It brings many improvements over the earlier packet-filtering tools in convenience, features and performance.

Procedure
1. Disable nftables

$systemctl disable --now nftables
Removed "/etc/systemd/system/multi-user.target.wants/nftables.service".

2. Enable firewalld

$systemctl enable --now firewalld
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

3. Check the firewalld service

[水 12月 06 19:16:30] ~ $systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: active (running) since Wed 2023-12-06 19:16:30 JST; 29s ago
       Docs: man:firewalld(1)
   Main PID: 2332 (firewalld)
      Tasks: 2 (limit: 22838)
     Memory: 22.8M
        CPU: 499ms
     CGroup: /system.slice/firewalld.service
             └─2332 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

12月 06 19:16:30 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
12月 06 19:16:30 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

4. Check the current firewalld configuration

$firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

5. Display the complete current ruleset of firewalld's nftables backend

$nft list ruleset
table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_POLICIES_pre {
                jump mangle_PRE_policy_allow-host-ipv6
        }

        chain mangle_PREROUTING_ZONES {
                iifname "ens160" goto mangle_PRE_public
                goto mangle_PRE_public
        }
            (omitted)

6. Write the current ruleset out to /etc/sysconfig/nftables.conf
$nft list ruleset > /etc/sysconfig/nftables.conf

7. Stop the firewalld service and start the nftables service

$systemctl disable --now firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
$systemctl enable --now nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.

8. Verify

$nft list chain inet firewalld filter_IN_public_allow
table inet firewalld {
        chain filter_IN_public_allow {
                tcp dport 22 ct state { new, untracked } accept
                ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
                tcp dport 9090 ct state { new, untracked } accept
        }
}
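The eight steps above gathered into one script, as an added example that is not part of the original post. Before cutting over it checks that the exported ruleset still contains the inet firewalld table and an accept rule for tcp/22 (the management port visible in the step 8 output), prepends flush ruleset so that loading the file with nft -f replaces the live ruleset instead of appending duplicate rules on a second load, dry-runs the file with nft -c -f, and only then swaps the services. The check helpers run offline against a constructed sample copied from the step 8 output; the migrate function needs root and assumes nft, systemctl and the RHEL default path /etc/sysconfig/nftables.conf, and only runs when the script is invoked with --run.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks plus the
# firewalld -> nftables.service cutover from steps 6-8.
# Assumptions: nft and systemctl exist on the host and the conf path is the
# RHEL default. Nothing touches the system unless invoked with --run.
CONF=${CONF:-/etc/sysconfig/nftables.conf}

# Constructed sample of an exported firewalld ruleset (shape copied from the
# step 8 output) so the checks below can be exercised offline.
SAMPLE_RULESET='table inet firewalld {
        chain filter_IN_public_allow {
                tcp dport 22 ct state { new, untracked } accept
                ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
                tcp dport 9090 ct state { new, untracked } accept
        }
}'

# ruleset_has_table RULESET FAMILY NAME -> 0 if "table FAMILY NAME {" is present
ruleset_has_table() {
    printf '%s\n' "$1" | grep -q "^table $2 $3 {"
}

# ruleset_accepts_tcp RULESET PORT -> 0 if some rule accepts TCP to PORT.
# Checking the management port before cutover avoids locking yourself out
# once firewalld stops and the exported file is the only ruleset loaded.
ruleset_accepts_tcp() {
    printf '%s\n' "$1" | grep -Eq "tcp dport $2 .*accept\$"
}

# with_flush_header RULESET -> prints "flush ruleset" followed by the ruleset,
# making `nft -f FILE` idempotent (a reload replaces rather than duplicates rules).
with_flush_header() {
    printf 'flush ruleset\n%s\n' "$1"
}

# preflight RULESET -> 0 only if both checks pass; prints the reason otherwise
preflight() {
    ruleset_has_table "$1" inet firewalld || { echo "no 'table inet firewalld' in export" >&2; return 1; }
    ruleset_accepts_tcp "$1" 22 || { echo "export does not accept tcp/22; refusing to switch" >&2; return 1; }
    return 0
}

# migrate: export, back up, validate, then swap services (requires root)
migrate() {
    ruleset=$(nft list ruleset) || return 1
    preflight "$ruleset" || return 1
    if [ -f "$CONF" ]; then
        cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"
    fi
    with_flush_header "$ruleset" > "$CONF"
    # -c parses and checks the file without applying it
    nft -c -f "$CONF" || { echo "nft rejected $CONF; not switching" >&2; return 1; }
    systemctl disable --now firewalld
    systemctl enable --now nftables
    nft list chain inet firewalld filter_IN_public_allow
}

if [ "${1:-}" = "--run" ]; then
    migrate
fi
```

Save it as, for example, migrate-fw.sh and run `sh migrate-fw.sh --run` as root; without --run it only defines the functions. The table keeps the name firewalld after the switch because that is what step 6 exported, which is why step 8 still queries inet firewalld.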

 


Posted by arkgame