firewall-cmd --reload
firewall-cmd --list-all-zones 查看所有區域信息
firewall-cmd --list-all --zone=external
firewall-cmd --get-active-zones 查看活躍區域
firewall-cmd --zone=dmz --list-ports 查看*區域內開啓的端口
firewall-cmd --permanent --zone=external --add-interface=eth1 在*區域內添加接口
firewall-cmd --zone=external --add-port=12345/tcp --permanent 在*區域添加端口
firewall-cmd --zone=dmz --add-service=https --permanent 在*區域添加服務
firewall-cmd --zone=dmz --add-port=12345/tcp --permanent 在*區域添加端口
firewall-cmd --zone=dmz --remove-service=http --permanent 在*區域移除服務
firewall-cmd --zone=dmz --remove-port=12345/tcp --permanent 在*區域移除端口
firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent
firewall-cmd --zone=dmz --list-icmp-blocks
firewall-cmd --zone=dmz --add-icmp-block=echo-reply --permanent
firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.254.0/24 masquerade' --permanent 啓用僞裝
firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.16.22 --permanent 端口轉發
yum -y install httpd mod_ssl
echo "
www.gsy.com
" > /var/www/html/index.html
防火牆和核心防護默認關閉
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
[root@ct ~]# hostnamectl set-hostname gate
[root@ct ~]# su
[root@gate network-scripts]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
inet 192.168.254.20/24 brd 192.168.254.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.247.20/24 brd 192.168.247.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
inet 192.168.16.20/24 brd 192.168.16.255 scope global eth2
gate 網關服務器(www.gsy.com)
eth1:192.168.247.20 nat
eth0:192.168.254.20 vm1
eth2:192.168.16.20 vm2
網站服務器(web):192.168.16.22
網關:192.168.16.20
[root@comp2 ~]# hostnamectl set-hostname web
[root@comp2 ~]# su
[root@web ~]# ip addr
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
inet 192.168.16.22/24 brd 192.168.16.255 scope global eth1
企業內網測試機(ceshi):192.168.254.21
[root@ceshi ~]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.254.21/24 brd 192.168.254.255 scope global eth0
需求描述
1
網關服務器連接互聯網網卡eth1地址爲192.168.247.20,爲公網IP地址,分配到firewall的external區域;連接內網網卡eth0地址爲192.168.254.20,分配到firewall的trusted區域;連接服務器網卡eth2地址爲192.168.16.20,分配到firewall的dmz區域
--permanent參數 : 攜帶該參數表示寫入永久配置,需執行 firewall-cmd --reload 後生效;否則僅修改運行時配置
[root@gate ssh]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
You have new mail in /var/spool/mail/root
[root@gate ssh]# sysctl -p
net.ipv4.ip_forward = 1
[root@gate ssh]# systemctl restart network
[root@gate network-scripts]# firewall-cmd --get-active-zones
FirewallD is not running
You have new mail in /var/spool/mail/root
[root@gate network-scripts]# systemctl start firewalld
[root@gate network-scripts]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@gate network-scripts]# firewall-cmd --get-active-zones
[root@gate network-scripts]#
[root@gate network-scripts]# firewall-cmd --permanent --zone=external --add-interface=eth1
success
[root@gate ssh]# firewall-cmd --reload
[root@gate ssh]# systemctl restart firewalld
You have new mail in /var/spool/mail/root
[root@gate network-scripts]# firewall-cmd --get-active-zones
external
interfaces: eth1
[root@gate network-scripts]# firewall-cmd --zone=trusted --add-interface=eth0 --permanent
success
[root@gate ssh]# firewall-cmd --reload
success
[root@gate network-scripts]# firewall-cmd --get-active-zones
external
interfaces: eth1
trusted
interfaces: eth0
[root@gate network-scripts]# firewall-cmd --zone=dmz --add-interface=eth2 --permanent
success
[root@gate ssh]# firewall-cmd --reload
[root@gate network-scripts]# firewall-cmd --get-active-zones
dmz
interfaces: eth2
external
interfaces: eth1
trusted
interfaces: eth0
2
網站服務器和網關服務器均通過SSH來遠程管理,爲了安全,將SSH默認端口改爲12345
[root@gate network-scripts]# cd /etc/ssh
[root@gate ssh]# ls
moduli sshd_config ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
ssh_config ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
[root@gate ssh]# vi sshd_config
17 Port 12345
19 ListenAddress 0.0.0.0
[root@gate ssh]# systemctl restart sshd
[root@gate ssh]# yum install net-tools -y
[root@gate ssh]# netstat -natp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 108697/sshd
tcp6 0 0 :::12345 :::* LISTEN 108697/sshd
[root@web ~]# vim /etc/ssh/sshd_config
17 Port 12345
19 ListenAddress 0.0.0.0
[root@web ~]# systemctl restart sshd
[root@web ~]# netstat -natp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 105032/sshd
tcp6 0 0 :::12345 :::* LISTEN 105032/sshd
[root@gate ssh]# ssh -p 12345 root@192.168.16.22
Last login: Fri Apr 10 04:24:17 2020 from 192.168.16.20
[root@web ~]# vi ifcfg-eth0
[root@web ~]# ssh -p 12345 root@192.168.16.20
ssh: connect to host 192.168.16.20 port 12345: No route to host
[root@gate ssh]# firewall-cmd --zone=dmz --list-ports
[root@gate ssh]# firewall-cmd --zone=external --list-ports
[root@gate ssh]# firewall-cmd --zone=external --add-port=12345/tcp --permanent
success
[root@gate ssh]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success
[root@gate ssh]# firewall-cmd --zone=trusted --add-port=12345/tcp --permanent
[root@gate ssh]# firewall-cmd --reload
[root@gate ssh]# firewall-cmd --zone=dmz --list-ports
12345/tcp
[root@gate ssh]# firewall-cmd --zone=external --list-ports
12345/tcp
[root@gate ssh]# vim ssh_config
41 Port 12345
[root@web ~]# ssh -p 12345 root@192.168.16.20
Last login: Thu Apr 9 20:25:28 2020 from 192.168.16.22
[root@gate ~]#
3
網站服務器開啓HTTPS,過濾未加密的HTTP流量
[root@web ~]# yum -y install httpd mod_ssl
[root@web ~]# systemctl start httpd
You have new mail in /var/spool/mail/root
[root@web ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@web ~]# echo "<h1>www.gsy.com<h1>" > /var/www/html/index.html
本地查看
[root@web ~]# systemctl status firewalld
Active: inactive (dead)
[root@web ~]# systemctl start firewalld
[root@web ~]# systemctl enable firewalld
[root@web ~]# firewall-cmd --zone=dmz --add-interface=eth1 --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --add-service=https --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --remove-service=http --permanent
Warning: NOT_ENABLED: 'http' not in 'dmz'
success
[root@web ~]#
[root@web ~]# firewall-cmd --zone=dmz --list-services
https ssh
[root@web ~]# firewall-cmd --zone=dmz --list-ports
[root@web ssh]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --list-all-zones
dmz (active)
target: default
icmp-block-inversion: no
interfaces: eth1
services: https ssh
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
[root@web ~]# firewall-cmd --zone=dmz --add-port=443/tcp --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --list-ports
12345/tcp 443/tcp
4
網站服務器拒絕ping,網關服務器拒絕來自互聯網上的ping
[root@web ~]# firewall-cmd --get-active-zones
dmz
interfaces: eth1
[root@web ~]# firewall-cmd --zone=dmz --list-icmp-blocks
[root@web ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent
You have mail in /var/spool/mail/root
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --list-icmp-blocks
echo-request
[root@web ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-reply --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --list-icmp-blocks
echo-request echo-reply
公網192.168.247.0網段的主機ping失敗
網關服務器拒絕來自互聯網上的ping
[root@gate ssh]# firewall-cmd --zone=external --list-icmp-block
[root@gate ssh]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success
[root@gate ssh]# firewall-cmd --reload
[root@gate ssh]# firewall-cmd --zone=external --list-icmp-block
echo-request
[root@gate ssh]# firewall-cmd --zone=external --add-icmp-block=echo-reply --permanent
[root@gate ssh]# firewall-cmd --reload
success
5
公司內網用戶需要通過網關服務器共享上網
[root@kibana ~]# yum install httpd -y
[root@kibana ~]# systemctl start httpd
[root@kibana ~]# systemctl enable httpd
[root@gate ~]# yum install telnet -y
[root@gate ~]# telnet 192.168.247.134 80
Trying 192.168.247.134...
Connected to 192.168.247.134.
Escape character is '^]'.
在網關服務器上查看是否開啓僞裝
[root@gate ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh
ports: 12345/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks: echo-request
rich rules:
用命令爲 192.168.254.0/24 網段啓用僞裝
[root@gate ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.254.0/24 masquerade' --permanent
success
[root@gate ~]# firewall-cmd --reload
[root@gate ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh
ports: 12345/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks: echo-request
rich rules:
rule family="ipv4" source address="192.168.254.0/24" masquerade
[root@gate ssh]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
You have new mail in /var/spool/mail/root
[root@gate ssh]# sysctl -p
net.ipv4.ip_forward = 1
[root@gate ssh]# systemctl restart network
在內網測試機上指定網關,指向網關服務器的內網接口(eth0)。
6
互聯網用戶需要訪問網站服務器
[root@gate ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.16.22 --permanent
success
放通443端口
[root@gate ~]# firewall-cmd --reload
success
firewalld支持兩種類型的網絡地址轉換
- ip地址僞裝(masquerade)
- 可以實現局域網多個地址共享單一公網地址上網
- ip地址僞裝僅支持IPv4
- 默認external區域啓用僞裝
- 端口轉發(forward-port)
- 也稱爲目的地址轉換或端口映射
- 通過端口轉發,指定IP地址及端口的流量將被轉發到相同計算機上的不同端口;或者轉發到不同計算機上的端口
地址僞裝配置
- 爲指定區域增加地址僞裝功能
firewall-cmd --permanent --zone=dmz --add-masquerade --timeout=86400
--timeout=86400,表示在86400秒後自動刪除該功能
- 爲指定區域刪除地址僞裝功能
firewall-cmd --permanent --zone=dmz --remove-masquerade
- 查詢指定區域是否開啓地址僞裝功能
firewall-cmd --permanent --zone=dmz --query-masquerade
端口轉發配置
- 列出端口轉發配置
firewall-cmd --permanent --zone=external --list-forward-ports
- 添加端口轉發規則
firewall-cmd --permanent --zone=external --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]
- 刪除端口轉發規則
firewall-cmd --permanent --zone=external --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
- 查詢端口轉發規則
firewall-cmd --permanent --zone=external --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
firewalld直接規則
- 直接規則(direct interface)
允許管理員手動編寫的iptables、ip6tables和ebtables規則插入到firewalld管理的區域中
通過firewall-cmd命令中的--direct選項實現
除顯式指定插入位置之外,直接規則優先於區域規則匹配
- 自定義規則鏈
firewalld自動爲配置了規則的區域創建自定義規則鏈
IN_區域名_deny:存放拒絕語句,優先於"IN_區域名_allow"的規則
IN_區域名_allow:存放允許語句
問題排障方法
1.出現問題:A服務器連接B服務器,某個功能模塊連接不上
2.解決思路:
檢查B服務器的功能模塊有沒有開啓
檢查環境
檢查配置文件
重啓服務、或者重載服務
本地驗證ssh -p 端口號 ip地址(迴環口、接口IP)
檢查B服務器的防火牆
檢查接口配置信息,查看功能服務是否正常
檢查A服務器的防火牆
檢查接口配置信息
telnet IP地址 端口