6
CentOS7:firewall防火墙使用
source link: https://3mile.github.io/archives/102/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
一、Firewalld防火墙
红帽RHEL7系统已经用firewalld服务替代了iptables服务,新的防火墙管理命令firewall-cmd与图形化工具firewall-config。特点是拥有运行时配置与永久配置选项且能够支持动态更新以及”zone”的区域功能概念,使用图形化工具firewall-config或文本管理工具firewall-cmd,下面实验中会讲到~
另外,你可以可以安装iptables-services服务,这样就可以按照之前的操作来操作iptables了。可以使用service save iptables来保存规则,也可以使用service iptables start|stop来开启和关闭iptables了。
$ yum install iptables-services
1)区域概念与作用
防火墙的网络区域定义了网络连接的可信等级,我们可以根据不同场景来调用不同的firewalld区域,区域规则有:
<td width="617">
默认规则策略
</td>
<td width="617">
允许所有的数据包。
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关或是ssh,mdns,ipp-client,samba-client与dhcpv6-client服务则允许。
</td>
<td width="617">
等同于home区域
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关或是ssh,ipp-client与dhcpv6-client服务则允许。
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关或是ssh,dhcpv6-client服务则允许。
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关或是ssh服务则允许。
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关或是ssh服务则允许。
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关。
</td>
<td width="617">
拒绝流入的数据包,除非与输出流量数据包相关。
</td>
简单来讲就是为用户预先准备了几套规则集合,我们可以根据场景的不同选择合适的规矩集合,而默认区域是public。
2)字符管理工具
如果想要更高效的配置妥当防火墙,那么就一定要学习字符管理工具firewall-cmd命令,命令参数有:
<td>
作用
</td>
<td>
查询默认的区域名称。
</td>
<td>
设置默认的区域,永久生效。
</td>
<td>
显示可用的区域。
</td>
<td>
显示预先定义的服务。
</td>
<td>
显示当前正在使用的区域与网卡名称。
</td>
<td>
将来源于此IP或子网的流量导向指定的区域。
</td>
<td>
不再将此IP或子网的流量导向某个指定区域。
</td>
<td>
将来自于该网卡的所有流量都导向某个指定区域。
</td>
<td>
将某个网卡与区域做关联。
</td>
<td>
显示当前区域的网卡配置参数,资源,端口以及服务等信息。
</td>
<td>
显示所有区域的网卡配置参数,资源,端口以及服务等信息。
</td>
<td>
设置默认区域允许该服务的流量。
</td>
<td>
允许默认区域允许该端口的流量。
</td>
<td>
设置默认区域不再允许该服务的流量。
</td>
<td>
允许默认区域不再允许该端口的流量。
</td>
<td>
让“永久生效”的配置规则立即生效,覆盖当前的。
</td>
特别需要注意的是firewalld服务有两份规则策略配置记录,必需要能够区分:
RunTime:当前正在生效的。
Permanent:永久生效的。
当下面实验修改的是永久生效的策略记录时,必须执行”–reload”参数后才能立即生效,否则要重启后再生效。
查看当前的区域:
$ firewall-cmd --get-default-zone public
$ firewall-cmd --get-default-zone public
查询eno16777728网卡的区域:
<div class="crayon-num" data-line="crayon-5abdc6c5d74a0691589426-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74a0691589426-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-r">get</span><span class="crayon-o">–</span><span class="crayon-v">zone</span><span class="crayon-o">–</span><span class="crayon-v">of</span><span class="crayon-o">–</span><span class="crayon-t">interface</span><span class="crayon-o">=</span><span class="crayon-e">eno16777728</span>
</div>
<div id="crayon-5abdc6c5d74a0691589426-2" class="crayon-line">
<span class="crayon-v">public</span>
</div>
</div>
</td>
</tr>
</table>
在public中分别查询ssh与http服务是否被允许:
<div class="crayon-num" data-line="crayon-5abdc6c5d74a4006396407-2">
2
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74a4006396407-3">
3
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74a4006396407-4">
4
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74a4006396407-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">query</span><span class="crayon-o">–</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">ssh</span>
</div>
<div id="crayon-5abdc6c5d74a4006396407-2" class="crayon-line">
<span class="crayon-i">yes</span>
</div>
<div id="crayon-5abdc6c5d74a4006396407-3" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">query</span><span class="crayon-o">–</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">http</span>
</div>
<div id="crayon-5abdc6c5d74a4006396407-4" class="crayon-line">
<span class="crayon-v">no</span>
</div>
</div>
</td>
</tr>
</table>
设置默认规则为dmz:
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74a8063854720-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">set</span><span class="crayon-o">–</span><span class="crayon-st">default</span><span class="crayon-o">–</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">dmz</span>
</div>
</div>
</td>
</tr>
</table>
让“永久生效”的配置文件立即生效:
<div class="crayon-num" data-line="crayon-5abdc6c5d74ac168113846-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74ac168113846-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-e">reload</span>
</div>
<div id="crayon-5abdc6c5d74ac168113846-2" class="crayon-line">
<span class="crayon-v">success</span>
</div>
</div>
</td>
</tr>
</table>
启动/关闭应急状况模式,阻断所有网络连接:
应急状况模式启动后会禁止所有的网络连接,一切服务的请求也都会被拒绝,当心,请慎用。
<div class="crayon-num" data-line="crayon-5abdc6c5d74af368243892-2">
2
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74af368243892-3">
3
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74af368243892-4">
4
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74af368243892-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">panic</span><span class="crayon-o">–</span><span class="crayon-e">on</span>
</div>
<div id="crayon-5abdc6c5d74af368243892-2" class="crayon-line">
<span class="crayon-i">success</span>
</div>
<div id="crayon-5abdc6c5d74af368243892-3" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">panic</span><span class="crayon-o">–</span><span class="crayon-e">off</span>
</div>
<div id="crayon-5abdc6c5d74af368243892-4" class="crayon-line">
<span class="crayon-v">success</span>
</div>
</div>
</td>
</tr>
</table>
如果您已经能够完全理解上面练习中firewall-cmd命令的参数作用,不妨来尝试完成下面的模拟训练吧。
4)规则配置实战
模拟训练A:允许https服务流量通过public区域,要求立即生效且永久有效。
方法一:分别设置当前生效与永久有效的规则记录
<div class="crayon-num" data-line="crayon-5abdc6c5d74b3139077929-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74b3139077929-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-i">https</span>
</div>
<div id="crayon-5abdc6c5d74b3139077929-2" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-v">https</span>
</div>
</div>
</td>
</tr>
</table>
方法二:设置永久生效的规则记录后读取记录
<div class="crayon-num" data-line="crayon-5abdc6c5d74b6489520668-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74b6489520668-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-i">https</span>
</div>
<div id="crayon-5abdc6c5d74b6489520668-2" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">reload</span>
</div>
</div>
</td>
</tr>
</table>
模拟训练B:不再允许http服务流量通过public区域,要求立即生效且永久生效。
<div class="crayon-num" data-line="crayon-5abdc6c5d74ba526591798-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74ba526591798-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">remove</span><span class="crayon-o">–</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">http</span>
</div>
<div id="crayon-5abdc6c5d74ba526591798-2" class="crayon-line">
<span class="crayon-v">success</span>
</div>
</div>
</td>
</tr>
</table>
使用参数”–reload”让永久生效的配置文件立即生效:
<div class="crayon-num" data-line="crayon-5abdc6c5d74bd925646740-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74bd925646740-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-e">reload</span>
</div>
<div id="crayon-5abdc6c5d74bd925646740-2" class="crayon-line">
<span class="crayon-v">success</span>
</div>
</div>
</td>
</tr>
</table>
模拟训练C:允许8080与8081端口流量通过public区域,立即生效且永久生效。
<div class="crayon-num" data-line="crayon-5abdc6c5d74c0476119097-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74c0476119097-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">port</span><span class="crayon-o">=</span><span class="crayon-cn">8080</span><span class="crayon-o">–</span><span class="crayon-cn">8081</span><span class="crayon-o">/</span><span class="crayon-i">tcp</span>
</div>
<div id="crayon-5abdc6c5d74c0476119097-2" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">reload</span>
</div>
</div>
</td>
</tr>
</table>
模拟训练D:查看模拟实验C中要求加入的端口操作是否成功。
<div class="crayon-num" data-line="crayon-5abdc6c5d74c4754666535-2">
2
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74c4754666535-3">
3
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74c4754666535-4">
4
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74c4754666535-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">list</span><span class="crayon-o">–</span><span class="crayon-i">ports</span>
</div>
<div id="crayon-5abdc6c5d74c4754666535-2" class="crayon-line">
<span class="crayon-cn">8080</span><span class="crayon-o">–</span><span class="crayon-cn">8081</span><span class="crayon-o">/</span><span class="crayon-i">tcp</span>
</div>
<div id="crayon-5abdc6c5d74c4754666535-3" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">list</span><span class="crayon-o">–</span><span class="crayon-i">ports</span>
</div>
<div id="crayon-5abdc6c5d74c4754666535-4" class="crayon-line">
<span class="crayon-cn">8080</span><span class="crayon-o">–</span><span class="crayon-cn">8081</span><span class="crayon-o">/</span><span class="crayon-v">tcp</span>
</div>
</div>
</td>
</tr>
</table>
模拟实验E:将eno16777728网卡的区域修改为external,重启后生效。
<div class="crayon-num" data-line="crayon-5abdc6c5d74c7729254600-2">
2
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74c7729254600-3">
3
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74c7729254600-4">
4
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74c7729254600-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">external</span> <span class="crayon-o">—</span><span class="crayon-v">change</span><span class="crayon-o">–</span><span class="crayon-t">interface</span><span class="crayon-o">=</span><span class="crayon-e">eno16777728</span>
</div>
<div id="crayon-5abdc6c5d74c7729254600-2" class="crayon-line">
<span class="crayon-i">success</span>
</div>
<div id="crayon-5abdc6c5d74c7729254600-3" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-r">get</span><span class="crayon-o">–</span><span class="crayon-v">zone</span><span class="crayon-o">–</span><span class="crayon-v">of</span><span class="crayon-o">–</span><span class="crayon-t">interface</span><span class="crayon-o">=</span><span class="crayon-e">eno16777728</span>
</div>
<div id="crayon-5abdc6c5d74c7729254600-4" class="crayon-line">
<span class="crayon-v">public</span>
</div>
</div>
</td>
</tr>
</table>
端口转发功能可以将原本到某端口的数据包转发到其他端口:
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74cb360834370-1" class="crayon-line">
<span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-o"><</span>区域<span class="crayon-o">></span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">forward</span><span class="crayon-o">–</span><span class="crayon-v">port</span><span class="crayon-o">=</span><span class="crayon-v">port</span><span class="crayon-o">=</span><span class="crayon-o"><</span>源端口号<span class="crayon-o">></span><span class="crayon-o">:</span><span class="crayon-v">proto</span><span class="crayon-o">=</span><span class="crayon-o"><</span>协议<span class="crayon-o">></span><span class="crayon-o">:</span><span class="crayon-v">toport</span><span class="crayon-o">=</span><span class="crayon-o"><</span>目标端口号<span class="crayon-o">></span><span class="crayon-o">:</span><span class="crayon-v">toaddr</span><span class="crayon-o">=</span><span class="crayon-o"><</span>目标<span class="crayon-i">IP</span>地址<span class="crayon-o">></span>
</div>
</div>
</td>
</tr>
</table>
将访问192.168.10.10主机888端口的请求转发至22端口:
<div class="crayon-num" data-line="crayon-5abdc6c5d74ce086546388-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74ce086546388-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">forward</span><span class="crayon-o">–</span><span class="crayon-v">port</span><span class="crayon-o">=</span><span class="crayon-v">port</span><span class="crayon-o">=</span><span class="crayon-cn">888</span><span class="crayon-o">:</span><span class="crayon-v">proto</span><span class="crayon-o">=</span><span class="crayon-v">tcp</span><span class="crayon-o">:</span><span class="crayon-v">toport</span><span class="crayon-o">=</span><span class="crayon-cn">22</span><span class="crayon-o">:</span><span class="crayon-v">toaddr</span><span class="crayon-o">=</span><span class="crayon-cn">192.168.10.10</span>
</div>
<div id="crayon-5abdc6c5d74ce086546388-2" class="crayon-line">
<span class="crayon-v">success</span>
</div>
</div>
</td>
</tr>
</table>
使用客户机的ssh命令访问192.168.10.10主机的888端口:
<div class="crayon-num" data-line="crayon-5abdc6c5d74d2686144421-2">
2
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74d2686144421-3">
3
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74d2686144421-4">
4
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74d2686144421-5">
5
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74d2686144421-6">
6
</div>
<div class="crayon-num" data-line="crayon-5abdc6c5d74d2686144421-7">
7
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74d2686144421-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">ssh</span> <span class="crayon-o">–</span><span class="crayon-i">p</span> <span class="crayon-cn">888</span> <span class="crayon-cn">192.168.10.10</span>
</div>
<div id="crayon-5abdc6c5d74d2686144421-2" class="crayon-line">
<span class="crayon-e">The </span><span class="crayon-e">authenticity </span><span class="crayon-e">of </span><span class="crayon-i">host</span> <span class="crayon-s">‘[192.168.10.10]:888 ([192.168.10.10]:888)’</span> <span class="crayon-i">can</span>‘<span class="crayon-i">t</span> <span class="crayon-e">be </span><span class="crayon-v">established</span><span class="crayon-sy">.</span>
</div>
<div id="crayon-5abdc6c5d74d2686144421-3" class="crayon-line">
<span class="crayon-e">ECDSA </span><span class="crayon-e">key </span><span class="crayon-e">fingerprint </span><span class="crayon-st">is</span> <span class="crayon-v">b8</span><span class="crayon-o">:</span><span class="crayon-cn">25</span><span class="crayon-o">:</span><span class="crayon-cn">88</span><span class="crayon-o">:</span><span class="crayon-cn">89</span><span class="crayon-o">:</span><span class="crayon-cn">5c</span><span class="crayon-o">:</span><span class="crayon-cn">05</span><span class="crayon-o">:</span><span class="crayon-v">b6</span><span class="crayon-o">:</span><span class="crayon-r">dd</span><span class="crayon-o">:</span><span class="crayon-v">ef</span><span class="crayon-o">:</span><span class="crayon-cn">76</span><span class="crayon-o">:</span><span class="crayon-cn">63</span><span class="crayon-o">:</span><span class="crayon-v">ff</span><span class="crayon-o">:</span><span class="crayon-cn">1a</span><span class="crayon-o">:</span><span class="crayon-cn">54</span><span class="crayon-o">:</span><span class="crayon-cn">02</span><span class="crayon-o">:</span><span class="crayon-cn">1a.</span>
</div>
<div id="crayon-5abdc6c5d74d2686144421-4" class="crayon-line">
<span class="crayon-e">Are </span><span class="crayon-e">you </span><span class="crayon-e">sure </span><span class="crayon-e">you </span><span class="crayon-e">want </span><span class="crayon-st">to</span> <span class="crayon-st">continue</span> <span class="crayon-e">connecting</span> <span class="crayon-sy">(</span><span class="crayon-v">yes</span><span class="crayon-o">/</span><span class="crayon-v">no</span><span class="crayon-sy">)</span><span class="crayon-sy">?</span> <span class="crayon-e">yes</span>
</div>
<div id="crayon-5abdc6c5d74d2686144421-5" class="crayon-line">
<span class="crayon-v">Warning</span><span class="crayon-o">:</span> <span class="crayon-e">Permanently </span><span class="crayon-i">added</span> <span class="crayon-s">‘[192.168.10.10]:888’</span> <span class="crayon-sy">(</span><span class="crayon-v">ECDSA</span><span class="crayon-sy">)</span> <span class="crayon-st">to</span> <span class="crayon-e">the </span><span class="crayon-e">list </span><span class="crayon-e">of </span><span class="crayon-e">known </span><span class="crayon-v">hosts</span><span class="crayon-sy">.</span>
</div>
<div id="crayon-5abdc6c5d74d2686144421-6" class="crayon-line">
<span class="crayon-v">root</span><span class="crayon-sy">@</span><span class="crayon-cn">192.168.10.10</span>‘<span class="crayon-i">s</span> <span class="crayon-v">password</span><span class="crayon-o">:</span>
</div>
<div id="crayon-5abdc6c5d74d2686144421-7" class="crayon-line">
<span class="crayon-e">Last </span><span class="crayon-v">login</span><span class="crayon-o">:</span> <span class="crayon-e">Sun </span><span class="crayon-i">Jul</span> <span class="crayon-cn">19</span> <span class="crayon-cn">21</span><span class="crayon-o">:</span><span class="crayon-cn">43</span><span class="crayon-o">:</span><span class="crayon-cn">48</span> <span class="crayon-cn">2015</span> <span class="crayon-i">from</span> <span class="crayon-cn">192.168.10.10</span>
</div>
</div>
</td>
</tr>
</table>
再次提示:请读者们再仔细琢磨下立即生效与重启后依然生效的差别,千万不要修改错了。
模拟实验F:设置富规则,拒绝192.168.10.0/24网段的用户访问ssh服务。
firewalld服务的富规则用于对服务、端口、协议进行更详细的配置,规则的优先级最高。
<div class="crayon-num" data-line="crayon-5abdc6c5d74d6866482606-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74d6866482606-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">cmd</span> <span class="crayon-o">—</span><span class="crayon-v">permanent</span> <span class="crayon-o">—</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">public</span> <span class="crayon-o">—</span><span class="crayon-v">add</span><span class="crayon-o">–</span><span class="crayon-v">rich</span><span class="crayon-o">–</span><span class="crayon-v">rule</span><span class="crayon-o">=</span><span class="crayon-s">“rule family=”</span><span class="crayon-i">ipv4</span><span class="crayon-s">” source address=”</span><span class="crayon-cn">192.168.10.0</span><span class="crayon-o">/</span><span class="crayon-cn">24</span><span class="crayon-s">” service name=”</span><span class="crayon-i">ssh</span><span class="crayon-s">” reject”</span>
</div>
<div id="crayon-5abdc6c5d74d6866482606-2" class="crayon-line">
<span class="crayon-v">success</span>
</div>
</div>
</td>
</tr>
</table>
二、图形管理工具
执行firewall-config命令即可看到firewalld的防火墙图形化管理工具,真的很强大,可以完成很多复杂的工作。
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74d9516570893-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-e">yum </span><span class="crayon-e">install </span><span class="crayon-v">firewall</span><span class="crayon-o">–</span><span class="crayon-v">config</span>
</div>
</div>
</td>
</tr>
</table>
firewalld防火墙图形化管理工具界面详解:
①:选择”立即生效”或”重启后依然生效”配置。
②:区域列表。
③:服务列表。
④:当前选中的区域。
⑤:被选中区域的服务。
⑥:被选中区域的端口。
⑦:被选中区域的伪装。
⑧:被选中区域的端口转发。
⑨:被选中区域的ICMP包。
⑩:被选中区域的富规则。
⑪:被选中区域的网卡设备。
⑫:被选中区域的服务,前面有√的表示允许。
⑬:firewalld防火墙的状态。
请注意:firewall-config图形化管理工具中没有保存/完成按钮,只要修改就会生效。
允许其他主机访问http服务,仅当前生效:
允许其他主机访问8080-8088端口且重启后依然生效:
开启伪装功能,重启后依然生效:
firewalld防火墙的伪装功能实际就是SNAT技术,即让内网用户不必在公网中暴露自己的真实IP地址。
将向本机888端口的请求转发至本机的22端口且重启后依然生效:
过滤所有”echo-reply”的ICMP协议报文数据包,仅当前生效:
ICMP即互联网控制报文协议”Internet Control Message Protocol“,归属于TCP/IP协议族,主要用于检测网络间是否可通信、主机是否可达、路由是否可用等网络状态,并不用于传输用户数据。
仅允许192.168.10.20主机访问本机的1234端口,仅当前生效:
富规则代表着更细致、更详细的规则策略,针对某个服务、主机地址、端口号等选项的规则策略,优先级最高。
查看网卡设备信息:
firewall-config图形管理工具真的非常实用,很多原本复杂的长命令被用图形化按钮替代,设置规则也变得简单了,日常工作中真的非常实用。所以有必要跟读者们讲清配置防火墙的原则——只要能实现需求的功能,无论用文本管理工具还是图形管理工具都是可以的。
三、服务的访问控制列表
在Linux中不光可以使用iptables来做安全控制,其实简单的控制也可以使用tcp_wrappers来进行。
Tcp_wrappers(即Transmission Control Protocol(TCP)Wrappers)是一款基于IP层的ACL访问控制列表流量监控程序,它能够根据来访主机地址与本机目标服务程序做允许或拒绝规则,控制列表修改后会立即生效,系统将会先检查允许规则,如果匹配允许则直接放行流量,若拒绝规则中匹配则直接拒绝,都不匹配默认也会放行。
允许名单:/etc/hosts.allow
拒绝名单:/etc/hosts.deny
指定客户端的规则如下:
<td>
示例
</td>
<td>
满足示例的客户端列表
</td>
<td>
192.168.10.10
</td>
<td>
IP地址为192.168.10.10的主机。
</td>
<td>
192.168.10.
</td>
<td>
IP段为192.168.10.0/24的主机。
</td>
<td>
192.168.10.0/255.255.255.0
</td>
<td>
IP段为192.168.10.0/24的主机。
</td>
<td>
.linuxprobe.com
</td>
<td>
所有DNS后缀为.linuxprobe.com的主机
</td>
<td>
boss.linuxprobe.com
</td>
<td>
主机名称为boss.linuxprobe.com的主机。
</td>
<td>
ALL
</td>
<td>
所有主机全部包括在内。
</td>
限制只有192.168.10.0/24网段的主机可以访问本机的sshd服务:
编辑允许规则:
<div class="crayon-num" data-line="crayon-5abdc6c5d74e6452947309-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74e6452947309-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-r">cat</span> <span class="crayon-o">/</span><span class="crayon-v">etc</span><span class="crayon-o">/</span><span class="crayon-v">hosts</span><span class="crayon-e">.allow</span>
</div>
<div id="crayon-5abdc6c5d74e6452947309-2" class="crayon-line">
<span class="crayon-v">sshd</span><span class="crayon-o">:</span><span class="crayon-cn">192.168.10.</span>
</div>
</div>
</td>
</tr>
</table>
拒绝其他所有的主机:
<div class="crayon-num" data-line="crayon-5abdc6c5d74fa012080458-2">
2
</div>
</div>
</td>
<td class="crayon-code">
<div class="crayon-pre">
<div id="crayon-5abdc6c5d74fa012080458-1" class="crayon-line">
<span class="crayon-sy">$</span> <span class="crayon-r">cat</span> <span class="crayon-o">/</span><span class="crayon-v">etc</span><span class="crayon-o">/</span><span class="crayon-v">hosts</span><span class="crayon-e">.deny</span>
</div>
<div id="crayon-5abdc6c5d74fa012080458-2" class="crayon-line">
<span class="crayon-v">sshd</span><span class="crayon-o">:</span><span class="crayon-o">*</span>
</div>
</div>
</td>
</tr>
</table>
PS:对于Firewall防火墙,后面持续增加内容……..
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK