Linux 防火墙管理

复制代码
 [root@client ~ 14:08:36]# systemctl status firewalld.service 
 ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
    Active: inactive (dead)
      Docs: man:firewalld(1)
 [root@client ~ 14:18:09]# systemctl enable firewalld.service  --now
 Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
 Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
 ​

查看zone配置

复制代码
 #etc优先级高
 [root@client ~ 14:18:29]# ls /etc/firewalld/
 firewalld.conf  icmptypes  lockdown-whitelist.xml  zones
 helpers         ipsets     services
 [root@client ~ 14:37:38]# ls /usr/lib/firewalld/
 helpers  icmptypes  ipsets  services  zones
 ​
 [root@client ~ 14:38:46]# cd /usr/lib/firewalld/
 [root@client firewalld 14:46:10]# ls
 helpers  icmptypes  ipsets  services  zones
 [root@client firewalld 14:46:12]# ls zones/
 block.xml  drop.xml      home.xml      public.xml   work.xml
 dmz.xml    external.xml  internal.xml  trusted.xml
 [root@client firewalld 14:46:34]# cat zones/trusted.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="ACCEPT">
   <short>Trusted</short>
   <description>All network connections are accepted.</description>
 </zone>
 [root@client firewalld 14:48:05]# cat zones/block.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="%%REJECT%%">
   <short>Block</short>
   <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
 </zone>
 [root@client firewalld 14:48:19]# cat zones/drop.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="DROP">
   <short>Drop</short>
   <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
 </zone>
 ​

查看服务配置

复制代码
 [root@client firewalld 14:49:22]# ls -1 services
 [root@client firewalld 14:49:22]# cat services/http.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <service>
   <short>WWW (HTTP)</short>
   <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
   <port protocol="tcp" port="80"/>
 </service>
 ​
 [root@client firewalld 14:49:40]# cat services/https.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <service>
   <short>Secure WWW (HTTPS)</short>
   <description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
   <port protocol="tcp" port="443"/>
 </service>
 ​
复制代码
 [root@client firewalld 14:49:51]# firewall-cmd --get-zones 
 block dmz drop external home internal public trusted work
 [root@client firewalld 14:50:09]# firewall-cmd --get-active-zones 
 public
   interfaces: ens33
 [root@client firewalld 14:50:20]# firewall-cmd --get-default-zone 
 public
 ​

source管理

复制代码
 # 来源于特定source的数据包交给特定zone处理
 [root@server firewalld 14:59:55]# firewall-cmd --add-source=192.168.1.0/24 --zone=home 
 success
 ​
 # 查看source清单
 [root@server firewalld 15:01:44]# firewall-cmd --list-sources --zone=home
 192.168.1.0/24
 ​
 # 查看source属于哪个zone
 [root@server firewalld 15:02:20]# firewall-cmd --get-zone-of-source=192.168.1.0/24
 home
 ​
 # 查看source是否添加
 [root@server firewalld 15:02:40]# firewall-cmd --query-source=192.168.1.0/24 --zone=home 
 yes
 ​
 # 变更source到其他zone
 [root@server firewalld 15:03:39]# firewall-cmd --change-source=192.168.1.0/24 --zone=public
 success
 ​
 # 删除zone中source
 [root@server firewalld 15:03:59]#  firewall-cmd --remove-source=192.168.1.0/24 --zone=public
 success
 ​

interface管理

复制代码
 # 查看zone中interface
 [root@server firewalld 15:04:06]# firewall-cmd --list-interfaces
 ens33 ens36
 # 查看interface属于哪个zone
 [root@server firewalld 15:04:53]# firewall-cmd --get-zone-of-interface=ens33
 public
 # 查看interface是否添加
 [root@server firewalld 15:05:32]# firewall-cmd --query-interface=ens33
 yes
 # 将interface变更到其他zone
 [root@server firewalld 15:06:05]#  firewall-cmd --change-interface=ens33 --zone=home
 success
 ​
 # 删除zone中interface
 [root@server firewalld 15:06:24]#  firewall-cmd --remove-interface=ens33 --zone=home
 success
 ​
 # 如果interface不属于任何zone,使用以下命令将interface绑定到特定zone
 [root@server firewalld 15:06:46]# firewall-cmd --add-interface=ens33 --zone=public
 success
 ​

service 管理

复制代码
 [root@server ~ 15:29:31]# yum install -y httpd
 [root@server ~ 15:29:31]# systemctl start httpd
 ​
 # 查看系统中预定义了哪些服务
 [root@server ~ 15:30:02]# firewall-cmd --get-services
 ​
 # 查看放行服务列表
 [root@server ~ 15:30:22]# firewall-cmd --list-services 
 dhcpv6-client ssh
 ​
 # 查看服务是否放行
 [root@server ~ 15:30:52]# firewall-cmd --query-service=http
 no
 ​
 # 删除服务
 [root@server ~ 15:31:18]# firewall-cmd --remove-service=http
 ​

port管理

复制代码
 # 添加放行端口
 [root@server ~ 15:31:37]# firewall-cmd --add-port=80/tcp
 success
 ​
 # 查看端口放行列表
 [root@server ~ 15:32:35]# firewall-cmd --list-ports 
 80/tcp
 ​
 # 查看端口是否放行
 [root@server ~ 15:32:55]# firewall-cmd --query-port=80/tcp
 yes
 ​
 # 删除端口
 [root@server ~ 15:33:26]# firewall-cmd --remove-port=80/tcp
 success
 ​

放行服务文件示例

  • /usr/lib/firewalld/services/http.xml ~
复制代码
#把 "HTTP 服务规则手册" 从系统的规则库(/usr/lib/firewalld/services/)移动到自己的家目录(~,相当于 "个人抽屉"),移动出去
[root@server ~ 15:33:40]# mv /usr/lib/firewalld/services/http.xml ~

#让保安系统重新 "读一遍所有规则手册",刷新配置,发现没找到
[root@server ~ 15:36:27]# systemctl reload firewalld.service

#告诉保安:"请允许 HTTP 服务的流量通过",没有手册不能执行
[root@server ~ 15:36:35]# firewall-cmd --add-service=http
Error: INVALID_SERVICE: http

#移动回来
[root@server ~ 15:36:43]# mv http.xml /usr/lib/firewalld/services/http.xml

#重启刷新
[root@server ~ 15:36:55]# systemctl reload firewalld.service
#再次执行
[root@server ~ 15:37:38]# firewall-cmd --add-service=http
success

SNAT实验

复制代码
[root@client ~ 19:44:53]# nmcli connection modify ens33 ipv4.gateway 10.1.8.10
[root@client ~ 19:44:58]# nmcli connection up ens33 
[root@client ~ 19:45:06]# ip route
#发现没有显示启动
[root@client ~ 19:45:12]# mtr 1.1.1.1

#进入server端
[root@server ~ 19:46:26]# systemctl start firewalld
[root@server ~ 19:48:53]# systemctl status firewalld
[root@server ~ 19:49:01]# firewall-cmd --add-masquerade 
success
[root@server ~ 19:49:02]# firewall-cmd --query-masquerade 
yes
#client端执行成功
[root@client ~ 19:50:19]# mtr 1.1.1.1

DNAT实验

复制代码
[root@server ~ 19:49:08]# firewall-cmd --add-forward-port=port=1022:proto=tcp:toport=22:toaddr=10.1.8.11
success

#+添加新选项卡
输入  root@10.1.8.10:1022 #10.1.8.10地址显示client端成功

补充实验

复制代码
[root@server ~ 19:52:49]# firewall-cmd --add-forward-port=port=1080:proto=tcp:toport=80:toaddr=10.1.8.11
success
[root@client ~ 19:50:48]# yum install -y httpd
[root@client ~ 19:55:48]# systemctl start httpd
[root@client ~ 19:55:56]# echo Hello World From Client > /var/www/html/index.html
[root@client ~ 19:55:57]# curl localhost
Hello World From Client

# 回到server端
[root@server ~ 19:52:49]# firewall-cmd --add-forward-port=port=1080:proto=tcp:toport=80:toaddr=10.1.8.11
success

# 此时打开浏览器访问10.1.8.10:1080 就可以访问到网页,显示Hello World From Client
相关推荐
༒࿈༙྇洞察༙༙྇྇࿈༒2 小时前
PostgreSQL快速入门
数据库·postgresql
携欢2 小时前
Portswigger靶场之Visible error-based SQL injection通关秘籍
数据库·sql
-XWB-2 小时前
PostgreSQL诊断系列(4/6):表空间与膨胀分析——解决“越用越大”的存储难题
数据库·postgresql
幸福清风2 小时前
【SQL】深入理解MySQL存储过程:MySQL流程控制语句详解
数据库·sql·mysql
她说人狗殊途3 小时前
DDL DML DQL DCL 语句
数据库·oracle
**AE86**5 小时前
sed截取慢SQL大文件并导出指定时间范围内容
数据库·sql·sed
花小璇学linux5 小时前
imx6ull-驱动开发篇42——Linux I2C 驱动框架简介
linux·驱动开发·嵌入式软件
凌肖战5 小时前
编写Linux下设备驱动时两种方案:内核态驱动开发和用户态驱动开发
linux·驱动开发
小清兔5 小时前
c#基础知识
开发语言·数据库·学习·unity·c#·游戏引擎·.net
天上掉下来个程小白6 小时前
微服务-25.网关登录校验-网关传递用户到微服务
java·数据库·微服务