Firewalld--02 Port access/forwarding, service access, source address management
Contents
Firewall port access/forwarding, service access, source address management
1. Firewall port access policy
Use Firewalld to allow client requests to the server's port 80/tcp. This takes effect at runtime only; if --permanent is added, it persists after a restart.
1). Temporarily allow a single port
[ ~]# firewall-cmd --add-port=80/tcp
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
2). Temporarily allow multiple ports
[ ~]# firewall-cmd --add-port={443/tcp,3306/tcp}
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
3). Permanently add multiple ports: --permanent is required, and Firewalld must be reloaded afterwards
[ ~]# firewall-cmd --add-port={80/tcp,443/tcp} --permanent
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4). Check which ports are allowed with --list-ports
[ ~]# firewall-cmd --list-ports
80/tcp 443/tcp
5). Remove the temporarily added port rules
[ ~]# firewall-cmd --remove-port={80/tcp,443/tcp}
success
[ ~]# firewall-cmd --list-ports
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[ ~]# firewall-cmd --reload
success
# After the reload the ports are back, because they were added permanently earlier
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
2. Firewall service access policy
Use Firewalld to allow client requests for the server's http and https services. This takes effect at runtime only; if --permanent is added, it persists after a restart.
1). Temporarily allow a single service
[ ~]# firewall-cmd --add-service=http
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
2). Temporarily allow multiple services
[ ~]# firewall-cmd --add-service={http,https,mysql}
Warning: ALREADY_ENABLED: 'http' already in 'public'
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https mysql
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
3). Permanently add multiple services: --permanent is required, and Firewalld must be reloaded afterwards
[ ~]# firewall-cmd --add-service={http,https} --permanent
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4). Check which services are allowed with --list-services
[ ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http https
5). Remove the temporarily added http and https services
[ ~]# firewall-cmd --remove-service={http,https}
success
[ ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[ ~]# firewall-cmd --reload
success
# After the reload the services are back again
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# Permanent removal
[ ~]# firewall-cmd --remove-service={http,https} --permanent
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
6). How to add a custom port and turn it into a corresponding service
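Sections 1 and 2 both end with the same surprise: a rule removed at runtime comes back after --reload because it was also added with --permanent, and the reverse (a runtime-only rule silently disappearing on reload or reboot) is just as easy to miss. The script below is an added example, not code from the original post: it reports such drift for one zone. Only diff_items runs offline on the constructed sample; audit_zone assumes root and a running firewalld.

```shell
# Added example (not from the original post): report drift between the
# runtime and the permanent configuration of a firewalld zone.

# diff_items RUNTIME PERMANENT
# Both arguments are whitespace-separated lists as printed by
# "firewall-cmd --list-ports" and "firewall-cmd --permanent --list-ports".
# Prints one line per difference:
#   runtime-only: X    -> will vanish on the next --reload or reboot
#   permanent-only: X  -> will (re)appear on the next --reload or reboot
diff_items() {
    local runtime="$1" permanent="$2" item
    for item in $runtime; do
        case " $permanent " in
            *" $item "*) ;;
            *) echo "runtime-only: $item" ;;
        esac
    done
    for item in $permanent; do
        case " $runtime " in
            *" $item "*) ;;
            *) echo "permanent-only: $item" ;;
        esac
    done
}

# audit_zone ZONE: compare every rule type of one zone on a live host.
# Needs root and a running firewalld. Uses the --list-ports/--list-services
# options shown in this post plus --list-sources and --list-forward-ports.
audit_zone() {
    local zone="$1" kind
    for kind in ports services sources forward-ports; do
        diff_items "$(firewall-cmd --zone="$zone" --list-"$kind")" \
                   "$(firewall-cmd --permanent --zone="$zone" --list-"$kind")" \
            | sed "s/^/$zone $kind: /"
    done
}

# Constructed sample (not a captured session): 80 and 443 were added with
# --permanent, 3306 only at runtime, as in section 1 above.
demo() {
    diff_items "80/tcp 443/tcp 3306/tcp" "80/tcp 443/tcp"
}
```

Run audit_zone public before every planned reload or reboot; an empty report means the live rules and the saved rules agree.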
# 1. Copy an existing service xml file
[ ~]# cd /usr/lib/firewalld/services/
[ /usr/lib/firewalld/services]# cp http.xml test.xml
# 2. Change the port to 11211
[ /usr/lib/firewalld/services]# cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (test)</short>
  <description>test is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="11211"/>
</service>
# 3. Add the firewall rule
[ ~]# firewall-cmd --permanent --add-service=test
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --list-services
ssh dhcpv6-client test
# 4. Install memcached and have it listen on port 11211
[ ~]# systemctl start memcached
[ ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      9911/memcached
# 5. Test and verify
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
3. Firewall interface management
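Hand-editing a copy of http.xml, as in step 6 above, leaves the description text of another service behind and puts the file under /usr/lib/firewalld/services/, which belongs to the firewalld package and is overwritten on update; local definitions belong in /etc/firewalld/services/. The script below is an added example, not the original post's code: service_xml generates the definition and rejects malformed port specs, and install_service (which assumes root and a running firewalld) writes it to the local directory and enables it in the public zone.

```shell
# Added example (not from the original post): generate and install a
# firewalld service definition for custom ports.

# service_xml NAME DESCRIPTION PORT/PROTO... : print the service definition.
# Each spec must look like 11211/tcp (plain port number, tcp or udp); port
# ranges are not handled. Anything else is rejected with status 1, so a typo
# cannot silently produce a definition that opens the wrong thing.
service_xml() {
    local name="$1" desc="$2" spec port proto
    shift 2
    [ "$#" -gt 0 ] || { echo "service_xml: at least one PORT/PROTO required" >&2; return 1; }
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec in "$@"; do
        port="${spec%/*}" proto="${spec#*/}"
        case "$proto" in tcp|udp) ;; *) echo "service_xml: bad spec '$spec'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "service_xml: bad spec '$spec'" >&2; return 1 ;; esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# install_service NAME DESCRIPTION PORT/PROTO... : write the file to the local
# definition directory, check that firewalld picked it up, then enable it
# permanently in the public zone. Requires root and a running firewalld.
install_service() {
    local name="$1" file="/etc/firewalld/services/$1.xml"
    service_xml "$@" > "$file" || { rm -f "$file"; return 1; }
    firewall-cmd --reload >/dev/null
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$name" || {
        echo "install_service: firewalld did not load $name" >&2; return 1; }
    firewall-cmd --permanent --zone=public --add-service="$name" &&
    firewall-cmd --reload
}

# Constructed call matching step 6: memcached's 11211/tcp under the name "test".
# demo only prints the XML; install_service would write and enable it.
demo() { service_xml test "memcached on 11211" 11211/tcp; }
```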
# Check which zone an interface belongs to
[ ~]# firewall-cmd --get-zone-of-interface=eth0
public
[ ~]# firewall-cmd --get-zone-of-interface=eth1
public
# Remove interface eth1
[ ~]# firewall-cmd --remove-interface=eth1
success
[ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# Add an interface
[ ~]# firewall-cmd --add-interface=eth0
success
[ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[ ~]# firewall-cmd --get-zone-of-interface=eth1
no zone
# Associate an interface with a zone
[ ~]# firewall-cmd --change-interface=eth0 --zone=public
success
[ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4. Firewall source address management
# Block all access from one IP address
[ ~]# firewall-cmd --add-source=10.0.0.8/32 --zone=drop
success
[ ~]# firewall-cmd --get-active-zone
drop
  sources: 10.0.0.8/32
public
  interfaces: eth0
# Block a whole subnet
[ ~]# firewall-cmd --add-source=10.0.0.0/24 --zone=drop
success
[ ~]# firewall-cmd --get-active-zone
drop
  sources: 10.0.0.8/32 10.0.0.0/24
public
  interfaces: eth0
# Allow one IP address to access everything
[ ~]# firewall-cmd --add-source=10.0.0.8/32 --zone=trusted
success
[ ~]# firewall-cmd --get-active-zone
public
  interfaces: eth0
trusted
  sources: 10.0.0.8/32
# Remove the IP address
[ ~]# firewall-cmd --remove-source=10.0.0.8/32 --zone=trusted
success
[ ~]# firewall-cmd --get-active-zone
public
  interfaces: eth0
5. Firewall port forwarding policy
Port forwarding here means destination address mapping (DNAT): an external client reaches an internal resource through a port on the firewall host. The forwarding command has the format:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP address>
To forward the local port 10.0.0.61:5555 to port 22 on the backend host 172.16.1.9:
1. Enable masquerade so that address translation takes place
[ ~]# firewall-cmd --add-masquerade --permanent
success
2. Configure the forwarding rule
[ ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
success
[ ~]# firewall-cmd --reload
success
3. Verify
[C:\~]$ ssh 5555
Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 18:59:01 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 17:21:54 2019 from 10.0.0.1
[ ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.7/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe2a:a717/64 scope link
       valid_lft forever preferred_lft forever