linux防火牆實戰

firewall-cmd --reload

firewall-cmd --list-all-zones 查看所有區域信息

firewall-cmd --list-all --zone=external

firewall-cmd --get-active-zones 查看活躍區域

firewall-cmd --zone=dmz --list-ports 查看*區域內開啓的接口

firewall-cmd --permanent --zone=external --add-interface=eth1 在*區域內添加接口

firewall-cmd --zone=external --add-port=12345/tcp --permanent 在*區域添加接口

firewall-cmd --zone=dmz --add-service=https --permanent 在*區域添加服務

firewall-cmd --zone=dmz --add-port=12345/tcp --permanent 在*區域添加端口

firewall-cmd --zone=dmz --remove-service=http --permanent 在*區域移除服務

firewall-cmd --zone=dmz --remove-port=12345/tcp --permanent 在*區域移除端口

firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent

firewall-cmd --zone=dmz --list-icmp-blocks

firewall-cmd --zone=dmz --add-icmp-block=echo-reply --permanent

firewall-cmd --zone=external --add-rich-rule=‘rule family=ipv4 source address=192.168.254.0/24 masquerade’ --permanent 啓用僞裝

firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:to addr=192.168.16.22 --permanent 端口轉換

yum -y install httpd mod_ssl

echo “

www.gsy.com

” > /var/www/html/index.html

防火牆和核心防護默認關閉

echo “net.ipv4.ip_forward=1” >> /etc/sysctl.conf

sysctl -p

[root@ct ~]# hostnamectl set-hostname gate
[root@ct ~]# su
[root@gate network-scripts]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
    inet 192.168.254.20/24 brd 192.168.254.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.247.20/24 brd 192.168.247.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
    inet 192.168.16.20/24 brd 192.168.16.255 scope global eth2

gate 網關服務器(www.gsy.com)

eth1:192.168.247.20 nat

eth0:192.168.254.20 vm1

eth2:192.168.16.20 vm2

網站服務器(web)：192.168.16.22

網關：192.168.16.20

[root@comp2 ~]# hostnamectl set-hostname web
[root@comp2 ~]# su
[root@web ~]# ip addr
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
    inet 192.168.16.22/24 brd 192.168.16.255 scope global eth1

企業內網測試機(ceshi)：192.168.254.21

[root@ceshi ~]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.254.21/24 brd 192.168.254.255 scope global eth0

需求描述

1

網關服務器連接互聯網網卡eth1地址爲192.168.247.20，爲公網IP地址，分配到firewall的external區域；連接內網網卡eth0地址爲192.168.254.20，分配到firewall的trusted區域；連接服務器網卡eth2地址爲192.168.16.20，分配到firewall的dmz區域

–permanent參數 ： 攜帶該參數表示永久配置，否則表示運行時配置

[root@gate ssh]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
You have new mail in /var/spool/mail/root
[root@gate ssh]# sysctl -p
net.ipv4.ip_forward = 1
[root@gate ssh]#  systemctl restart network
[root@gate network-scripts]# firewall-cmd --get-active-zones
FirewallD is not running
You have new mail in /var/spool/mail/root
[root@gate network-scripts]# systemctl start firewalld
[root@gate network-scripts]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@gate network-scripts]# firewall-cmd --get-active-zones
[root@gate network-scripts]# 

[root@gate network-scripts]# firewall-cmd --permanent --zone=external --add-interface=eth1 
success
[root@gate ssh]# firewall-cmd --reload
[root@gate ssh]# systemctl restart firewalld
You have new mail in /var/spool/mail/root
[root@gate network-scripts]# firewall-cmd --get-active-zones
external
  interfaces: eth1
[root@gate network-scripts]# firewall-cmd --zone=trusted --add-interface=eth0 --permanent
success
[root@gate ssh]# firewall-cmd --reload
success
[root@gate network-scripts]# firewall-cmd --get-active-zones
external
  interfaces: eth1
trusted
  interfaces: eth0
[root@gate network-scripts]# firewall-cmd --zone=dmz --add-interface=eth2 --permanent
success
[root@gate ssh]# firewall-cmd --reload
[root@gate network-scripts]# firewall-cmd --get-active-zones
dmz
  interfaces: eth2
external
  interfaces: eth1
trusted
  interfaces: eth0

2

網站服務器和網關服務器均通過SSH來遠程管理，爲了安全，將SSH默認端口改爲12345

[root@gate network-scripts]# cd /etc/ssh
[root@gate ssh]# ls
moduli      sshd_config         ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
ssh_config  ssh_host_ecdsa_key  ssh_host_ed25519_key    ssh_host_rsa_key
[root@gate ssh]# vi sshd_config 
17 Port 12345
19 ListenAddress 0.0.0.0
[root@gate ssh]# systemctl restart sshd
[root@gate ssh]# yum install net-tools -y
[root@gate ssh]# netstat -natp | grep 12345
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      108697/sshd         
tcp6       0      0 :::12345                :::*                    LISTEN      108697/sshd    

[root@web ~]# vim /etc/ssh/sshd_config 
 17 Port 12345
 19 ListenAddress 0.0.0.0
[root@web ~]# systemctl restart sshd
[root@web ~]# netstat -natp | grep 12345
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      105032/sshd         
tcp6       0      0 :::12345                :::*                    LISTEN      105032/sshd    

[root@gate ssh]# ssh -p 12345 [email protected]
Last login: Fri Apr 10 04:24:17 2020 from 192.168.16.20
[root@web ~]# vi ifcfg-eth0

[root@web ~]# ssh -p 12345 [email protected]
ssh: connect to host 192.168.16.20 port 12345: No route to host

[root@gate ssh]# firewall-cmd --zone=dmz --list-ports

[root@gate ssh]# firewall-cmd --zone=external --list-ports

[root@gate ssh]# firewall-cmd --zone=external --add-port=12345/tcp --permanent
success
[root@gate ssh]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success
[root@gate ssh]# firewall-cmd --zone=trusted --add-port=12345/tcp --permanent
[root@gate ssh]# firewall-cmd --reload
[root@gate ssh]# firewall-cmd --zone=dmz --list-ports
12345/tcp
[root@gate ssh]# firewall-cmd --zone=external --list-ports
12345/tcp
[root@gate ssh]# vim ssh_config 
 41  Port 12345

[root@web ~]# ssh -p 12345 [email protected]
Last login: Thu Apr  9 20:25:28 2020 from 192.168.16.22
[root@gate ~]# 

3

網站服務器開啓HTTPS，過濾未加密的HTTP流量

[root@web ~]# yum -y install httpd mod_ssl
[root@web ~]# systemctl start httpd
You have new mail in /var/spool/mail/root
[root@web ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@web ~]# echo  "<h1>www.gsy.com<h1>" > /var/www/html/index.html

本地查看

[root@web ~]# systemctl status firewalld
   Active: inactive (dead)
[root@web ~]# systemctl start firewalld
[root@web ~]# systemctl enable firewalld
[root@web ~]# firewall-cmd --zone=dmz --add-interface=eth1 --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --add-service=https --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --remove-service=http --permanent
Warning: NOT_ENABLED: 'http' not in 'dmz'
success
[root@web ~]# 
[root@web ~]# firewall-cmd --zone=dmz --list-services
https ssh
[root@web ~]# firewall-cmd --zone=dmz --list-ports
[root@web ssh]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --list-all-zones
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  services: https ssh
  ports: 12345/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
[root@web ~]# firewall-cmd --zone=dmz --add-port=443/tcp --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --list-ports
12345/tcp 443/tcp

4

網站務器拒絕ping,網關服務器拒絕來自互聯網上的ping

[root@web ~]# firewall-cmd --get-active-zones
dmz
  interfaces: eth1
[root@web ~]# firewall-cmd --zone=dmz --list-icmp-blocks

[root@web ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent
You have mail in /var/spool/mail/root
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --list-icmp-blocks
echo-request

[外鏈圖片轉存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-ZV27i6LR-1586519015939)(G:\GSY\Documents\typora圖片\1586444573508.png)]

[root@web ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-reply --permanent
[root@web ~]# firewall-cmd --reload
[root@web ~]# firewall-cmd --zone=dmz --list-icmp-blocks
echo-request echo-reply

公網192.168.247.0網段的主機ping失敗

網關服務器拒絕來自互聯網上的ping

[root@gate ssh]# firewall-cmd --zone=external --list-icmp-block

[root@gate ssh]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success
[root@gate ssh]# firewall-cmd --reload
[root@gate ssh]# firewall-cmd --zone=external --list-icmp-block
echo-request
[root@gate ssh]# firewall-cmd --zone=external --add-icmp-block=echo-reply --permanent
[root@gate ssh]# firewall-cmd --reload
success

5

公司內網用戶需要通過網關服務器共享上網

[root@kibana ~]# yum install httpd -y
[root@kibana ~]# systemctl start httpd
[root@kibana ~]# systemctl enable httpd

[root@gate ~]# yum install telnet -y
[root@gate ~]# telnet 192.168.247.134 80
Trying 192.168.247.134...
Connected to 192.168.247.134.
Escape character is '^]'.

在網關服務器上查看是否開啓僞裝

[root@gate ~]#  firewall-cmd --list-all --zone=external 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh
  ports: 12345/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 

命令啓動僞裝 192.168.254.0/24

[root@gate ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.254.0/24 masquerade' --permanent
success
[root@gate ~]# firewall-cmd --reload
[root@gate ~]#  firewall-cmd --list-all --zone=external 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh
  ports: 12345/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 
        rule family="ipv4" source address="192.168.254.0/24" masquerade

[root@gate ssh]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
You have new mail in /var/spool/mail/root
[root@gate ssh]# sysctl -p
net.ipv4.ip_forward = 1
[root@gate ssh]#  systemctl restart network 

指定網關，

6

互聯網用戶需要訪問網站服務器

[root@gate ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:to addr=192.168.16.22 --permanent
success
放通443端口

[root@gate ~]# firewall-cmd --reload
success

firewalld支持兩種類型的網絡地址轉換

• ip地址僞裝（masquerade）
• 可以實現局域網多個地址共享單一公網地址上網
• ip地址僞裝僅支持IPv4
• 默認external區域啓用僞裝
• 端口轉發（forward-port）
• 也成爲目的地址轉換或端口映射
• 通過端口轉發，指定IP地址及端口的流量將被轉發到相同計算機上的不同端口；或者轉發到不同計算機上的端口

地址僞裝配置

• 爲指定區域增加地址僞裝功能
  firewall-cmd --permanent --zone=dmz --add-masquerade --timeout=86400
  –timeout=86400,在86400秒後自動刪除該功能
• 爲指定區域刪除地址僞裝功能
  firewall-cmd --permanent --zone=dmz --remove-masquerade
• 查詢指定區域是否開啓地址僞裝功能
  firewall-cmd --permanent --zone=dmz --query-masquerade

端口轉發配置

• 列出端口轉發配置
  firewall-cmd --permanent --zone=external --list-forward-ports
• 添加端口轉發規則
  firewall-cmd --permanent --zone=external --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]][–timeout=seconds]
• 刪除端口轉發規則
  firewall-cmd --permanent --zone=external --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
• 查詢端口轉發規則
  firewall-cmd --permanent --zone=external --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

firewalld直接規則

• 直接規則(direct interface)
  允許管理員手動編寫的iptables、ip6tables和ebtables規則插入到firewalld管理的區域中
  通過firewall-cmd命令中的–direct選項實現
  除顯示插入方式之外，優先匹配直接規則
• 自定義規則鏈
  firewalld自動爲配置了規則的區域創建自定義規則鏈
  IN_區域名_deny:存放拒絕語句，優先於"IN_區域名_allow"的規則
  IN_區域_allow：存放允許語句

問題排障方法

1.出現問題：A服務器鏈接B服務器，鏈接某個功能模塊連接不上
2.解決思路：
檢查B服務器的功能模塊有沒有開啓
檢查環境
檢查配置文件
重啓服務、或者重載服務
本地驗證ssh -p 端口號 ip地址（迴環口、接口IP）
檢查B服務器的防火牆
檢查接口配置信息，查看功能服務是否正常
檢查A服務器的防火牆
檢查接口配置信息
telnet IP地址 端口