• Firewalld--03 富规则、备份恢复、开启内部上网


    防火墙富规则、备份恢复、开启内部上网

    1. 防火墙富规则策略

    ​ Firewalld中的富规则表示更细致、更详细的防火墙策略配置,它可以针对系统服务、端口号、源地址和目标地址等诸多信息进行更有针对性的策略配置, 优先级在所有的防火墙策略中也是最高的。下面为Firewalld富规则帮助手册.

    [root@web01 ~]# man firewalld                #Firewalld帮助手册
    [root@web01 ~]# man firewalld.richlanguage    #Firewalld富规则手册
    rule
    [source]
    [destination]
    service|port|protocol|icmp-block|masquerade|forward-port
    [log]
    [audit]
    [accept|reject|drop]
    
    
    rule [family="ipv4|ipv6"]
    source address="address[/mask]" [invert="True"]
    destination address="address[/mask]" invert="True"
    service name="service name"
    port port="port value" protocol="tcp|udp"
    protocol value="protocol value"
    forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
    log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
    accept | reject [type="reject type"] | drop
    
    #富规则相关命令
    --add-rich-rule='<RULE>' #在指定的区添加一条富规则
    --remove-rich-rule='<RULE>' #在指定的区删除一条富规则
    --query-rich-rule='<RULE>' #找到规则返回0 ,找不到返回1
    --list-rich-rules #列出指定区里的所有富规则
    
    

    1). 比如允许10.0.0.1主机能够访问http服务,允许172.16.1.0/24能访问11211端口

    [root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
    success
    
    [root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'
    success
    
    [root@firewalld ~]# firewall-cmd --list-all
    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh dhcpv6-client test
    ports: 80/tcp 443/tcp
    protocols:
    masquerade: yes
    forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
    source-ports:
    icmp-blocks:
    rich rules:
        rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
        rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
    
    #验证测试
    [C:~]$ telnet 10.0.0.6 80
    
    Connecting to 10.0.0.6:80...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    [root@web01 ~]# telnet 10.0.0.6 80
    Trying 10.0.0.6...
    telnet: connect to address 10.0.0.6: No route to host
    [C:~]$ telnet 10.0.0.6 11211
    
    Connecting to 10.0.0.6:11211...
    Canceled.
    
    [root@web01 ~]# telnet 172.16.1.6 11211
    Trying 172.16.1.6...
    Connected to 172.16.1.6.
    Escape character is '^]'.
    

    2). 默认public区域对外开放所有人能通过ssh服务连接,但拒绝172.16.1.0/24网段通过ssh连接服务器


    [root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name="ssh" drop'
    success
    
    #验证测试
    [root@web01 ~]# ssh root@10.0.0.6
    root@10.0.0.6's password:
    [root@web01 ~]# ssh root@172.16.1.6
    ^C
    

    3). 使Firewalld允许所有人能访问http,https服务,但只有10.0.0.1主机可以访问ssh服务

    [root@firewalld ~]# firewall-cmd --zone=public --add-service={http,https}
    success
    [root@firewalld ~]# firewall-cmd --list-all
    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh dhcpv6-client http https
    ports: 443/tcp
    protocols:
    masquerade: yes
    forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
    source-ports:
    icmp-blocks:
    rich rules:
        rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
        rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
        rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
    
    
    [root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
    success
    
    [root@firewalld ~]# firewall-cmd --remove-service=ssh
    success
    
    [root@firewalld ~]# firewall-cmd --list-all
    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client http https
    ports: 443/tcp
    protocols:
    masquerade: yes
    forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
    source-ports:
    icmp-blocks:
    rich rules:
        rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
        rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
        rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
        rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
    
    
    #验证测试
    
    
    [root@web01 ~]# telnet 10.0.0.6 80
    Trying 10.0.0.6...
    Connected to 10.0.0.6.
    Escape character is '^]'.
    ^]
    telnet> Connection closed.
    [root@web01 ~]# ssh root@10.0.0.6
    ssh: connect to host 10.0.0.6 port 22: No route to host
    
    
    [C:~]$ ssh root@10.0.0.6
    
    
    Connecting to 10.0.0.6:22...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    

    4). 当用户来源IP地址是10.0.0.1主机,则将用户请求的5555端口转发至后端172.16.1.7的22端口

    [root@firewalld ~]# firewall-cmd --list-all
    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh dhcpv6-client test
    ports: 80/tcp 443/tcp
    protocols:
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    
    
    #开启地址转发
    [root@firewalld ~]# firewall-cmd --add-masquerade
    Warning: ALREADY_ENABLED: masquerade already enabled in 'public'
    success
    
    [root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.7'
    success
    [root@firewalld ~]# firewall-cmd --list-all
    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh dhcpv6-client test
    ports: 80/tcp 443/tcp
    protocols:
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
        rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"
    
    #验证测试
    [C:~]$ ssh root@10.0.0.6 5555
    
    Connecting to 10.0.0.6:5555...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    Last failed login: Sun Dec 8 20:12:23 CST 2019 from 10.0.0.100 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Sun Dec 8 18:59:02 2019 from 10.0.0.100
    
    [root@web02 ~]# ssh root@10.0.0.6 5555
    root@10.0.0.6's password:
    bash: 5555: command not found
    

    5).查看设定的规则,如果没有添加--permanent参数则重启Firewalld会失效。富规则按先后顺序匹配,优先匹配到的规则生效

    [root@firewalld ~]# firewall-cmd --list-rich-rules
    rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"
    

    2.Firewalld备份恢复

    #我们所有针对public区域编写的永久添加的规则都会写入备份文件(--permanent)
    
    [root@firewalld ~]# cat /etc/firewalld/zones/public.xml
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
    <short>Public</short>
    <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
    <service name="ssh"/>
    <service name="dhcpv6-client"/>
    <service name="test"/>
    <port protocol="tcp" port="80"/>
    <port protocol="tcp" port="443"/>
    <masquerade/>
    </zone>
    

    备份的时候只需要把配置文件进行拷贝就行了,导入之后,重启生效。

    [root@web01 ~]# firewall-cmd   --zone=public   --add-service=http  --permanent
    success
    [root@web01 ~]# firewall-cmd   --list-all
    
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: ssh dhcpv6-client
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    	
    [root@web01 ~]# firewall-cmd   --reload
    success
    [root@web01 ~]# firewall-cmd   --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: ssh dhcpv6-client http
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    [root@web01 ~]# firewall-cmd  --zone=public  --remove-service=http  --permanent
    success
    [root@web01 ~]# firewall-cmd  --reload
    success
    [root@web01 ~]# firewall-cmd   --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: ssh dhcpv6-client
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    #备份配置文件
    #只保存永久添加的规则
    [root@web01 ~]# ll  /etc/firewalld/zones/public.xml		#公共区的配置文件
    [root@web01 ~]# ll /etc/firewalld/zones/		#区域的配置规则文件都在这个区中
    
    

    3. 防火墙开启内部上网

    在指定的带有公网IP的实例上启动Firewalld防火墙的NAT地址转换,以此达到内部主机上网。

    1. Firewalld防火墙开启masquerade,实现地址转换

    1. Firewalld防火墙开启masquerade,实现地址转换
    [root@firewalld ~]# firewall-cmd --add-masquerade --permanent
    success
    [root@firewalld ~]# firewall-cmd --list-rich-rules
    rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7" --permanent
    [root@firewalld ~]# firewall-cmd --reload
    success
    
    [root@firewalld ~]# firewall-cmd --list-all
    public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh dhcpv6-client test
    ports: 80/tcp 443/tcp
    protocols:
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    
    2. 客户端将网关指向Firewalld服务器,将所有网络请求交给Firewalld
    [root@web01 ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1
    GATEWAY=172.16.1.6
    
    3. 客户端还需配置dns服务器
    [root@web01 ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 223.5.5.5
    
    4. 关闭eth0网卡,重启eth1,使其配置生效
    [root@web01 ~]# systemctl restart network && ifdown eth0
    
    5. 测试后端web的网络是否正常
    
    [C:~]$ ssh root@10.0.0.7 5555
    
    
    Connecting to 10.0.0.7:5555...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    
    Last failed login: Sun Dec 8 20:38:58 CST 2019 from gateway on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Sun Dec 8 20:12:25 2019 from 10.0.0.100
    [root@web01 ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2a:a7:21 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
    valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe2a:a721/64 scope link
    valid_lft forever preferred_lft forever
    
    [root@web02 ~]# ping baidu.com
    ping: baidu.com: Name or service not known
    #重启eth1
    [root@web02 ~]# ifdown eth1 && ifup eth1
    Device 'eth1' successfully disconnected.
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
    [root@web01 ~]# ping baidu.com
    PING baidu.com (220.181.38.148) 56(84) bytes of data.
    64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=32.6 ms
    ^C
    --- baidu.com ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 32.653/32.653/32.653/0.000 ms
    
    
  • 相关阅读:
    as3 return语句中的运算符
    AIR custom ApplicationUpdaterUI
    Flash Builder 无法连接到应用程序以访存概要分析数据
    Android的所有权限说明
    Tomcat数据源配置
    hibernate 延迟加载(懒加载)
    Android SQLite数据库操作
    Android下载文本文件和mp3文件
    JPA注解
    Android Intent传值且实现窗体跳转
  • 原文地址:https://www.cnblogs.com/gongjingyun123--/p/12018442.html
Copyright © 2020-2023  润新知