Firewall policy

ssh

Remote connection control

[root@iptables ~]# which httpd
/usr/sbin/httpd
[root@iptables ~]# vim /etc/hosts.deny 


[root@iptables ~]# vim /etc/hosts.allow 

1: connecting from 211 fails
2: connecting from 11 succeeds
Configure ssh connections to be logged in /var/log/messages

[root@iptables ~]# vim /etc/hosts.allow 
[root@iptables ~]# cat /var/log/messages
Aug 18 22:58:20 mailqq systemd-logind: Removed session 19.
Fri Aug 18 22:58:29 EDT 2017 from 172.25.254.11 to sshd@172.25.254.111
Aug 18 22:58:32 mailqq systemd: Starting Session 20 of user root.
Aug 18 22:58:32 mailqq systemd: Started Session 20 of user root.
Aug 18 22:58:32 mailqq systemd-logind: New session 20 of user root.


Send the connection log to the current shell

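As an added example (not from the original post), the following script re-implements the hosts.allow / hosts.deny lookup order that sshd applies through libwrap, so the effect of an edit like the one above can be checked for a given client before the real files are touched. The sample files are constructed for this example, and the spawn line is an assumption about how the post produced its "from ... to sshd@..." log entry.

```shell
#!/bin/sh
# Added example, not from the original post: a re-implementation of the
# hosts.allow / hosts.deny lookup order used by libwrap (sshd, vsftpd, ...).
# Supported client patterns: ALL, an exact IPv4 address, and a network prefix
# ending in a dot (for example 172.25.254.).

# wrap_line_matches DAEMON CLIENT LINE -> status 0 if LINE applies to the pair
wrap_line_matches() {
    wd=$1; wc_=$2; wl=$3
    daemons=$(printf '%s' "$wl" | cut -d: -f1 | tr ',' ' ')
    clients=$(printf '%s' "$wl" | cut -d: -f2 | tr ',' ' ')
    dmatch=1
    for d in $daemons; do
        if [ "$d" = ALL ] || [ "$d" = "$wd" ]; then dmatch=0; fi
    done
    [ $dmatch -eq 0 ] || return 1
    for c in $clients; do
        case $c in
            ALL) return 0 ;;
            *.)  case $wc_ in "$c"*) return 0 ;; esac ;;
            *)   if [ "$c" = "$wc_" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# wrap_decide DAEMON CLIENT ALLOWFILE DENYFILE -> prints allow or deny.
# libwrap order: the first matching line in hosts.allow grants access;
# otherwise the first matching line in hosts.deny refuses it; otherwise
# access is granted.
wrap_decide() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if wrap_line_matches "$1" "$2" "$line"; then echo allow; return 0; fi
    done < "$3"
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if wrap_line_matches "$1" "$2" "$line"; then echo deny; return 0; fi
    done < "$4"
    echo allow
}

# Constructed sample configuration mirroring the post: deny sshd to everyone
# in hosts.deny, then allow one admin host plus a management prefix in
# hosts.allow and log each accepted connection the way the post's
# /var/log/messages entry suggests (the spawn command is an assumption).
WRAPDEMO=${TMPDIR:-/tmp}/wrapdemo.$$
mkdir -p "$WRAPDEMO"
cat > "$WRAPDEMO/hosts.deny" <<'EOF'
sshd: ALL
EOF
cat > "$WRAPDEMO/hosts.allow" <<'EOF'
# admin host and management prefix
sshd: 172.25.254.11, 172.25.11. : spawn echo "$(date) from %a to %d@%A" >> /var/log/messages
EOF

# check_ssh CLIENT -> decision for sshd using the sample files
check_ssh() { wrap_decide sshd "$1" "$WRAPDEMO/hosts.allow" "$WRAPDEMO/hosts.deny"; }

check_ssh 172.25.254.11     # allow
check_ssh 172.25.254.211    # deny
```

Daemons with no line in either file (vsftpd in the sample) are allowed, which is why the post's hosts.deny entry names sshd explicitly.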

Firewall

The most fundamental difference between firewalld and iptables is where the configuration lives: iptables stores it in /etc/sysconfig/iptables, while firewalld stores it in XML files under /usr/lib/firewalld/ and /etc/firewalld/.

iptables

Configuring iptables

[root@iptables ~]# yum install iptables-services.x86_64 -y   # install iptables
Loaded plugins: langpacks
Package iptables-services-1.4.21-13.el7.x86_64 already installed and latest version
Nothing to do
[root@iptables ~]# systemctl status iptables.service   ## check iptables status
iptables.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)


Warning: Unit file changed on disk, 'systemctl daemon-reload' recommended.
[root@iptables ~]# systemctl status firewalld.service    ## check firewalld status
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: inactive (dead) since Fri 2017-08-18 22:14:54 EDT; 58min ago
  Process: 3281 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 3281 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/firewalld.service

Aug 18 21:48:17 mailqq.qq.example.com systemd[1]: Starting firewalld - dynamic ....
Aug 18 21:48:17 mailqq.qq.example.com systemd[1]: Started firewalld - dynamic f....
Aug 18 21:48:18 mailqq.qq.example.com firewalld[3281]: 2017-08-18 21:48:18 ERROR...
Aug 18 22:14:53 mailqq.qq.example.com systemd[1]: Stopping firewalld - dynamic ....
Aug 18 22:14:54 mailqq.qq.example.com systemd[1]: Stopped firewalld - dynamic f....
Hint: Some lines were ellipsized, use -l to show in full.
[root@iptables ~]# systemctl stop firewalld.service   # stop firewalld
[root@iptables ~]# systemctl disable firewalld.service  # do not start firewalld at boot
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
[root@iptables ~]# systemctl mask firewalld.service    # mask firewalld so it cannot be started
ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
[root@iptables ~]# systemctl start iptables.service    # start iptables
[root@iptables ~]# systemctl status iptables.service   
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
   Active: active (exited) since Fri 2017-08-18 23:18:37 EDT; 9s ago
  Process: 5748 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 5748 (code=exited, status=0/SUCCESS)

Aug 18 23:18:37 iptables.example.com iptables.init[5748]: iptables: Applying fir...
Aug 18 23:18:37 iptables.example.com systemd[1]: Started IPv4 firewall with ipt....
Hint: Some lines were ellipsized, use -l to show in full.
[root@iptables ~]# systemctl enable iptables.service   ## start at boot
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'


1: INPUT

2: OUTPUT

3: FORWARD

4: POSTROUTING: SNAT, source address translation after routing

5: PREROUTING: DNAT, destination address translation before routing (for the traffic coming back)

Three tables, five chains:

filter (INPUT, OUTPUT, FORWARD): traffic passing through the kernel

nat (PREROUTING, INPUT, OUTPUT, POSTROUTING): traffic passing through this host

mangle: an additional table

1 iptables -t filter -nL ## list

2 iptables -F ## flush

Not saved yet: after a flush the rules revert to the initial state.

3 service iptables save ## save

[root@iptables ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@iptables ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@iptables ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination   
[root@iptables ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Aug 17 05:07:20 2017
*filter
:INPUT ACCEPT [136:10844]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:7180]
COMMIT
# Completed on Thu Aug 17 05:07:20 2017

Reject all input outright: after running the command below, ssh no longer works. At that point go to the virtual machine's host console, enter the command shown in the figure, wait a few minutes, and access is restored.

[root@iptables ~]# iptables -P INPUT DROP


[root@iptables ~]# iptables -A INPUT -j REJECT  ## reject all services


iptables -P INPUT ACCEPT|DROP ## set the default policy of the chain
iptables -I INPUT 1 -i lo -j ACCEPT ## insert
iptables -I INPUT 2 -s 172.25.254.x -p tcp --dport 22 -j ACCEPT ## insert
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT
iptables -D INPUT 3 ## delete
cat /etc/sysconfig/iptables

[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.11        0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@iptables ~]# iptables -D INPUT 2    ## delete
[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.11        0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       

Add a chain named WESTOS, rename WESTOS to redhat, then delete redhat

[root@iptables ~]# iptables -N WESTOS
[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.11        0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain WESTOS (0 references)
target     prot opt source               destination         
[root@iptables ~]# iptables -E WESTOS redhat
[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.11        0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain redhat (0 references)
target     prot opt source               destination         
[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  172.25.254.11        0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.11        0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Opening and viewing ports

[root@iptables ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 139 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 445 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p udp --dport 445 -j ACCEPT
[root@iptables ~]# iptables -A INPUT -m state --state NEW -p udp --dport 139 -j ACCEPT
[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:445
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:445
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:139

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@iptables ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
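As an added example (not part of the original post), the script below turns the hand-typed "iptables -A INPUT -m state --state NEW ..." sequence above into a generated iptables-restore file with the loopback and RELATED,ESTABLISHED rules first, ssh limited to an admin network, the requested ports, and a final REJECT under a DROP policy. It also adds a timed rollback for the lockout scenario the post describes for "iptables -P INPUT DROP". ADMIN_NET is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. gen_ruleset writes an
# iptables-restore file; apply_with_rollback loads it with a safety timer.
ADMIN_NET=${ADMIN_NET:-172.25.254.0/24}   # assumed: where ssh logins come from
NL='
'

# gen_ruleset "22/tcp 80/tcp 443/tcp 53/udp" -> iptables-restore text on stdout,
# status 1 on a malformed port spec (a partial ruleset must never be loaded).
gen_ruleset() {
    rules=""
    for spec in $1; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in tcp|udp) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
        if ! [ "$port" -ge 1 ] 2>/dev/null || ! [ "$port" -le 65535 ]; then
            echo "bad port: $spec" >&2; return 1
        fi
        [ "$spec" = 22/tcp ] && continue      # ssh is covered by the admin rule
        rules="$rules-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT$NL"
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        "-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    printf '%s' "$rules"
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable' 'COMMIT'
}

# apply_with_rollback FILE SECONDS: syntax-check and load FILE, then start a
# timer that restores the previous ruleset unless confirm_rules runs in time.
apply_with_rollback() {
    iptables-save > /run/iptables.rollback || return 1
    iptables-restore --test "$1" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    iptables-restore "$1"
    ( sleep "$2"; [ -e /run/iptables.rollback ] && iptables-restore /run/iptables.rollback ) &
    echo "loaded $1; run confirm_rules within $2 s or the old rules come back"
}
# confirm_rules: cancel the rollback and persist the rules the way the post does
confirm_rules() { rm -f /run/iptables.rollback && service iptables save; }

# Example session as root on the post's iptables host:
#   gen_ruleset "22/tcp 80/tcp 443/tcp" > /root/rules.v4
#   apply_with_rollback /root/rules.v4 120
#   ... check that ssh from the admin network still works, then:
#   confirm_rules
gen_ruleset "22/tcp 80/tcp 443/tcp"
```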
[root@iptables ~]# cat /etc/services | grep dns
dnsix           90/tcp                  # DNSIX Securit Attribute Token Map
dnsix           90/udp                  # DNSIX Securit Attribute Token Map
sdnskmp         558/tcp                 # SDNSKMP
sdnskmp         558/udp                 # SDNSKMP
dns2go          1227/tcp                # DNS2Go
dns2go          1227/udp                # DNS2Go
menandmice-dns  1337/tcp                # menandmice DNS
menandmice-dns  1337/udp                # menandmice DNS
sunscalar-dns   1870/tcp                # SunSCALAR DNS Service
sunscalar-dns   1870/udp                # SunSCALAR DNS Service
ddns-v3         2164/tcp                # Dynamic DNS Version 3
ddns-v3         2164/udp                # Dynamic DNS Version 3
spw-dnspreload  3849/tcp                # SPACEWAY DNS Preload
spw-dnspreload  3849/udp                # SPACEWAY DNS Prelaod
dns-llq         5352/tcp                # DNS Long-Lived Queries
dns-llq         5352/udp                # DNS Long-Lived Queries
mdns            5353/tcp                # Multicast DNS
mdns            5353/udp                # Multicast DNS
mdnsresponder   5354/tcp        noclog  # Multicast DNS Responder IPC
mdnsresponder   5354/udp        noclog  # Multicast DNS Responder IPC
ub-dns-control  8953/tcp                # unbound dns nameserver control
odnsp           9966/tcp                # OKI Data Network Setting Protocol
odnsp           9966/udp                # OKI Data Network Setting Protocol
[root@iptables ~]# cat /etc/services | grep name
# service-name  port/protocol  [aliases ...]   [# comment]
nameserver      42/tcp          name            # IEN 116
nameserver      42/udp          name            # IEN 116
nicname         43/tcp          whois
nicname         43/udp          whois
domain          53/tcp                          # name-domain server
hostname        101/tcp         hostnames       # usually from sri-nic
hostname        101/udp         hostnames       # usually from sri-nic
csnet-ns        105/tcp         cso             # also used by CSO name server
at-nbp          202/tcp                         # AppleTalk name binding
#>Ports are used in the TCP [RFC793] to name the ends of logical
# Gracilis Packeten remote config server.  The official name is listed as
# the primary name, with the unregistered name as an alias.
# being registred.  The primary names are the registered names, and the
# unregistered names used by zebra are listed as aliases.
# This port is registered as wnn6, but also used under the unregistered name
swat            901/tcp         smpnameres      # Samba Web Administration Tool
ptcnameservice  597/tcp                 # PTC Name Service
ptcnameservice  597/udp                 # PTC Name Service
smpnameres      901/udp                 # SMPNAMERES
oraclenames     1575/tcp                # oraclenames
oraclenames     1575/udp                # oraclenames
enl-name        1805/tcp                # ENL-Name
enl-name        1805/udp                # ENL-Name
linkname        1903/tcp                # Local Link Name Resolution
linkname        1903/udp                # Local Link Name Resolution
bcinameservice  3415/tcp                # BCI Name Service
bcinameservice  3415/udp                # BCI Name Service
namemunge       3950/tcp                # Name Munging
namemunge       3950/udp                # Name Munging
fmpro-internal  5003/udp                # FileMaker, Inc. - Proprietary name binding
ub-dns-control  8953/tcp                # unbound dns nameserver control
[root@iptables ~]# cat /etc/services | grep bind
sunrpc          111/tcp         portmapper rpcbind      # RPC 4.0 portmapper TCP
sunrpc          111/udp         portmapper rpcbind      # RPC 4.0 portmapper UDP
at-nbp          202/tcp                         # AppleTalk name binding
ocbinder        183/tcp                 # OCBinder
ocbinder        183/udp                 # OCBinder
unbind-cluster  2138/tcp                # UNBIND-CLUSTER
unbind-cluster  2138/udp                # UNBIND-CLUSTER
binderysupport  2302/tcp                # Bindery Support
binderysupport  2302/udp                # Bindery Support
magbind         3194/tcp                # Rockstorm MAG protocol
magbind         3194/udp                # Rockstorm MAG protocol
fmpro-internal  5003/udp                # FileMaker, Inc. - Proprietary name binding
[root@iptables ~]# cat /etc/services | grep domain
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                # domaintime
domaintime      9909/udp                # domaintime
[root@iptables ~]# cat /etc/services | grep nfs
nfs             2049/tcp        nfsd shilp      # Network File System
nfs             2049/udp        nfsd shilp      # Network File System
nfs             2049/sctp       nfsd shilp      # Network File System
netconfsoaphttp 832/tcp                 # NETCONF for SOAP over HTTPS
netconfsoaphttp 832/udp                 # NETCONF for SOAP over HTTPS
netconfsoapbeep 833/tcp                 # NETCONF for SOAP over BEEP
netconfsoapbeep 833/udp                 # NETCONF for SOAP over BEEP
nfsd-keepalive  1110/udp                # Client status info
picknfs         1598/tcp                # picknfs
picknfs         1598/udp                # picknfs
shiva_confsrvr  1651/tcp   shiva-confsrvr   # shiva_confsrvr
shiva_confsrvr  1651/udp   shiva-confsrvr   # shiva_confsrvr
3d-nfsd         2323/tcp                # 3d-nfsd
3d-nfsd         2323/udp                # 3d-nfsd
mediacntrlnfsd  2363/tcp                # Media Central NFSD
mediacntrlnfsd  2363/udp                # Media Central NFSD
winfs           5009/tcp                # Microsoft Windows Filesystem
winfs           5009/udp                # Microsoft Windows Filesystem
enfs            5233/tcp                # Etinnae Network File Service
nfsrdma         20049/tcp               # Network File System (NFS) over RDMA
nfsrdma         20049/udp               # Network File System (NFS) over RDMA
nfsrdma         20049/sctp              # Network File System (NFS) over RDMA
[root@iptables ~]# cat /etc/services | grep squid
squid           3128/tcp        ndl-aas         # squid web proxy

Port settings

[root@iptables ~]# lftp 172.25.254.111
lftp 172.25.254.111:~> ls              
Interrupt                                    
lftp 172.25.254.111:~> quit
[root@iptables ~]# vim /etc/vsftpd/vsftpd.conf 
[root@iptables ~]# systemctl restart vsftpd
[root@iptables ~]# iptables -I INPUT 2 -m state --state NEW
[root@iptables ~]# iptables -I INPUT 2 -m state --state NEW -p tcp --dport 7000 -j ACCEPT
[root@iptables ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:7000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:445
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:445
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:139

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@iptables ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iptables ~]# lftp 172.25.254.111
lftp 172.25.254.111:~> ls
Interrupt                                    
lftp 172.25.254.111:/> quit
[root@iptables ~]# vim /etc/vsftpd/vsftpd.conf 
[root@iptables ~]# systemctl restart iptables.service 
[root@iptables ~]# lftp 172.25.254.111
lftp 172.25.254.111:~> ls
Interrupt                                    
lftp 172.25.254.111:/> quit
[root@iptables ~]# getenforce 
Enforcing
[root@iptables ~]# setenforce 0
[root@iptables ~]# lftp 172.25.254.111
lftp 172.25.254.111:~> ls
drwxr-xr-x    2 0        0               6 Mar 07  2014 pub


Address masquerading (NAT)

[root@iptables ~]# iptables -F     # flush the previous rules
[root@iptables ~]# service iptables save   # save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iptables ~]# iptables -t nat -nL     # list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@iptables ~]# ip addr show       # the host has two NICs
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:0b:0b brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.111/24 brd 172.25.254.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe00:b0b/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:11:b3:12 brd ff:ff:ff:ff:ff:ff
    inet 172.25.11.111/24 brd 172.25.11.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe11:b312/64 scope link 
       valid_lft forever preferred_lft forever
[root@iptables ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.111


[root@iptables ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@iptables ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 172.25.11.211

Test

Not on the same subnet, yet the connection succeeds.

firewalld

Stop iptables and bring firewalld back


[root@firewall ~]# firewall-cmd --list-all   # the zone in use is public
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp ssh             # enabled services 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
[root@firewall ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work


Viewing and changing zones

[root@firewall ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
[root@firewall ~]# firewall-cmd --get-default-zone 
public
[root@firewall ~]# firewall-cmd --set-default-zone=trusted 
success
[root@firewall ~]# firewall-cmd --get-default-zone 
trusted

Adding a service

[root@firewall ~]# firewall-cmd --add-service=
amanda-client        kpasswd              pop3s
bacula               ldap                 postgresql
bacula-client        ldaps                proxy-dhcp
dhcp                 libvirt              radius
dhcpv6               libvirt-tls          rpc-bind
dhcpv6-client        mdns                 samba
dns                  mountd               samba-client
ftp                  ms-wbt               smtp
high-availability    mysql                ssh
http                 nfs                  telnet
https                ntp                  tftp
imaps                openvpn              tftp-client
ipp                  pmcd                 transmission-client
ipp-client           pmproxy              vnc-server
ipsec                pmwebapi             wbem-https
kerberos             pmwebapis            
[root@firewall ~]# firewall-cmd --add-service=http
success
[root@firewall ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp http ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

Editing the configuration files

[root@firewall ~]# cd /etc/firewalld/zones/
[root@firewall zones]# ls
public.xml  public.xml.old  ROL.xml  trusted.xml  trusted.xml.old
[root@firewall zones]# vim public.xml


These XML files are temporary copies: if one is deleted the service cannot run, but after restarting firewalld the file comes back.

[root@firewall zones]# cd /usr/lib/firewalld/services/
[root@firewall services]# ls
amanda-client.xml      ipp-client.xml   mysql.xml       rpc-bind.xml
bacula-client.xml      ipp.xml          nfs.xml         samba-client.xml
bacula.xml             ipsec.xml        ntp.xml         samba.xml
dhcpv6-client.xml      kerberos.xml     openvpn.xml     smtp.xml
dhcpv6.xml             kpasswd.xml      pmcd.xml        ssh.xml
dhcp.xml               ldaps.xml        pmproxy.xml     telnet.xml
dns.xml                ldap.xml         pmwebapis.xml   tftp-client.xml
ftp.xml                libvirt-tls.xml  pmwebapi.xml    tftp.xml
high-availability.xml  libvirt.xml      pop3s.xml       transmission-client.xml
https.xml              mdns.xml         postgresql.xml  vnc-server.xml
http.xml               mountd.xml       proxy-dhcp.xml  wbem-https.xml
imaps.xml              ms-wbt.xml       radius.xml

Viewing the service modules

[root@firewall services]# lsmod | grep nf
nf_conntrack_ftp       18638  0 
nf_conntrack_ipv6      18738  8 
nf_defrag_ipv6         34651  1 nf_conntrack_ipv6
nf_nat_ipv6            13279  1 ip6table_nat
nf_conntrack_ipv4      14862  7 
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
nf_nat_ipv4            13263  1 iptable_nat
nf_nat                 21798  4 nf_nat_ipv4,nf_nat_ipv6,ip6table_nat,iptable_nat
nf_conntrack          101024  9 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,ip6table_nat,nf_conntrack_ftp,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
binfmt_misc            17468  1 
nfsd                  284378  1 
auth_rpcgss            59368  1 nfsd
nfs_acl                12837  1 nfsd
lockd                  93977  1 nfsd
sunrpc                293453  5 nfsd,auth_rpcgss,lockd,nfs_acl
[root@firewall services]# modprobe -r nf_conntrack_ftp   # remove the module
[root@firewall services]# lsmod | grep nf
nf_conntrack_ipv6      18738  8 
nf_defrag_ipv6         34651  1 nf_conntrack_ipv6
nf_nat_ipv6            13279  1 ip6table_nat
nf_conntrack_ipv4      14862  7 
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
nf_nat_ipv4            13263  1 iptable_nat
nf_nat                 21798  4 nf_nat_ipv4,nf_nat_ipv6,ip6table_nat,iptable_nat
nf_conntrack          101024  8 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,ip6table_nat,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
binfmt_misc            17468  1 
nfsd                  284378  1 
auth_rpcgss            59368  1 nfsd
nfs_acl                12837  1 nfsd
lockd                  93977  1 nfsd
sunrpc                293453  5 nfsd,auth_rpcgss,lockd,nfs_acl
[root@firewall services]# systemctl restart firewalld.service 
[root@firewall services]# lsmod | grep nf
nf_conntrack_ftp       18638  0 
nf_conntrack_ipv6      18738  8 
nf_defrag_ipv6         34651  1 nf_conntrack_ipv6
nf_nat_ipv6            13279  1 ip6table_nat
nf_conntrack_ipv4      14862  7 
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
nf_nat_ipv4            13263  1 iptable_nat
nf_nat                 21798  4 nf_nat_ipv4,nf_nat_ipv6,ip6table_nat,iptable_nat
nf_conntrack          101024  9 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,ip6table_nat,nf_conntrack_ftp,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
binfmt_misc            17468  1 
nfsd                  284378  1 
auth_rpcgss            59368  1 nfsd
nfs_acl                12837  1 nfsd
lockd                  93977  1 nfsd
sunrpc                293453  5 nfsd,auth_rpcgss,lockd,nfs_acl

Opening a specified port

[root@firewall services]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@firewall services]# firewall-cmd --reload 
success
[root@firewall services]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
[root@firewall services]# vim /etc/httpd/conf/httpd.conf 
[root@firewall services]# systemctl restart httpd.service 


[root@firewall services]# firewall-cmd --permanent --remove-service=http
success
[root@firewall services]# firewall-cmd --permanent --remove-port=8080/tcp
success
[root@firewall services]# firewall-cmd --reload 
success


Adding a specific host

[root@firewall services]# firewall-cmd --permanent --add-source=172.25.254.11 --zone=trusted
success
[root@firewall services]# firewall-cmd --reload 
success


Adding a subnet as a trusted network

[root@firewall services]# firewall-cmd --permanent --add-source=172.25.254.0/24 --zone=trusted
success
[root@firewall services]# firewall-cmd --reload 
success


Moving a network interface to another zone

[root@firewall services]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@firewall services]# firewall-cmd --permanent --remove-interface=eth1 --zone=public 
success
[root@firewall services]# firewall-cmd --permanent --add-interface=eth1 --zone=trusted 
success
[root@firewall services]# systemctl restart firewalld.service 
[root@firewall services]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

direct rules

[root@firewall services]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.0/24 -p tcp --dport 80 -j REJECT
success
[root@firewall services]# firewall-cmd --reload 
success
[root@firewall services]# firewall-cmd --direct --get-all-rules 
ipv4 filter INPUT 1 -s 172.25.254.0/24 -p tcp --dport 80 -j REJECT

Masquerading

Enable masquerading
[root@firewall services]# firewall-cmd --permanent --add-masquerade 
success
[root@firewall services]# firewall-cmd --reload 
success
[root@firewall services]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 
[root@firewall services]# firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.11.211
success
[root@firewall services]# firewall-cmd --reload 
success
[root@firewall services]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp
  ports: 
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.11.211
  icmp-blocks: 
  rich rules: 
[root@firewall services]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.25.254.111 masquerade'
success
[root@firewall services]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp http
  ports: 
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.11.211
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="172.25.254.111" masquerade
[root@firewall services]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=172.25.254.11 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.11.211"
success
[root@firewall services]# geten
getenforce  getent      
[root@firewall services]# getenforce 
Permissive
[root@firewall services]# setenforce 0
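As an added example (not from the original post), the script below audits the "firewall-cmd --list-all" output format shown throughout this section and flags the settings that widen exposure: a trusted zone holding interfaces or sources (it accepts everything), masquerading, forward-ports, and services outside an expected list. Both samples are constructed from the post's own outputs.

```shell
#!/bin/sh
# Added example, not from the original post: audit of firewall-cmd --list-all
# output. Pipe real output in with: firewall-cmd --list-all | audit_zone "$(cat)" "ssh"

# zone_field OUTPUT KEY -> value of the "  key: value" line (empty if unset)
zone_field() { printf '%s\n' "$1" | sed -n "s/^  $2: *//p"; }

# zone_name OUTPUT -> zone name from the first line, e.g. "public (default, active)"
zone_name() { printf '%s\n' "$1" | sed -n '1s/ .*//p'; }

# audit_zone OUTPUT "expected services" -> one finding per line on stdout
audit_zone() {
    out=$1; expected=$2
    name=$(zone_name "$out")
    if [ "$name" = trusted ]; then
        echo "zone 'trusted' accepts all traffic; interfaces: $(zone_field "$out" interfaces) sources: $(zone_field "$out" sources)"
    fi
    if [ "$(zone_field "$out" masquerade)" = yes ]; then
        echo "masquerade enabled in '$name' (this host NATs for other hosts)"
    fi
    fp=$(zone_field "$out" forward-ports)
    if [ -n "$fp" ]; then
        echo "forward-ports in '$name': $fp"
    fi
    for s in $(zone_field "$out" services); do
        case " $expected " in
            *" $s "*) ;;
            *) echo "unexpected service '$s' in '$name'" ;;
        esac
    done
    return 0
}

# finding_count OUTPUT "expected services" -> number of findings
finding_count() { audit_zone "$1" "$2" | grep -c .; }

# Constructed sample 1: the public zone after the post's masquerade and
# forward-port steps.
PUBLIC_SAMPLE=$(cat <<'EOF'
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp
  ports: 
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.11.211
  icmp-blocks: 
  rich rules: 
EOF
)
# Constructed sample 2: the trusted zone after eth1 and 172.25.254.0/24 were
# moved into it, as the post does.
TRUSTED_SAMPLE=$(cat <<'EOF'
trusted (active)
  interfaces: eth1
  sources: 172.25.254.0/24
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
EOF
)

audit_zone "$PUBLIC_SAMPLE" "ssh dhcpv6-client"    # 3 findings
audit_zone "$TRUSTED_SAMPLE" "ssh dhcpv6-client"   # 1 finding
```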
