Firewalld Firewall
Security:
OSI seven-layer model
Physical environment:
Hardware (power cable pulled: UPS; network cable pulled: label the cables) lock the rack
Network (hardware firewall --> anti-DDoS; software firewall Firewalld/Iptables (rule restrictions))
System (SSH hardening, privilege control, patch updates)
Services: mysql, redis, ... none of the hosts has a public IP, which greatly reduces the risk of being attacked
Web: SSL, WAF --> SQL injection, XSS, site trojans, page tampering, worms and other attacks
Data: backups
Cloud environment:
Network: high-defense anti-DDoS, security groups
System: SSH hardening, privilege control, patch updates, Anqishi (Alibaba Cloud Server Guard), bastion host
Web: SSL, WAF, Cloud Security Center
Data: backups, sensitive-data protection
Cloud architecture
Security companies:
https://www.newdefend.com
http://www.safedog.cn/
https://www.zoomeye.org/ ZoomEye
安全狗 (Safedog)
知道创宇 (Knownsec)
牛盾云 (NewDefend Cloud)
1. Firewall security basics
RHEL/CentOS 7 ships several firewall management tools. Firewalld (Dynamic Firewall Manager of Linux systems) is the default firewall configuration tool, and it can be managed through both a CLI (command-line interface) and a GUI (graphical user interface).
Compared with the traditional Iptables firewall, Firewalld supports dynamic updates and introduces the concept of zones. Put simply, a zone is one of several pre-built sets of firewall policies (policy templates) that Firewalld provides; the administrator picks the set that fits the production scenario, so switching between firewall policies becomes quick.
Firewalld rule behaviour: traffic from outside into the server is blocked by default unless a rule allows it; traffic from the server out to the outside is allowed by default.
Underneath, Firewalld uses iptables.
Note the relationship between zones and interfaces in Firewalld:
A network interface can be bound to only one zone. For example: eth0 --> zone A
But one zone can be bound to several interfaces. For example: zone B --> eth0, eth1, eth2
Rules can also be set by source address. For example: everyone may reach port 80, but only the company's IP addresses may reach port 22.
2. Managing the firewall with zones
Different zones are defined, and access-control policies between the zones control the traffic that flows between programs in different zones.
Zone | Default policy
---|---
trusted | Allows all packets in and out
home | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services is allowed
internal | Same as the home zone
work | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh, ipp-client and dhcpv6-client services is allowed
public | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh and dhcpv6-client services is allowed
external | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh service is allowed
dmz | Rejects incoming traffic unless it is related to outgoing traffic; traffic for the ssh service is allowed
block | Rejects incoming traffic unless it is related to outgoing traffic
drop | Rejects incoming traffic unless it is related to outgoing traffic
3. Basic firewall-cmd parameters
Firewall-cmd commands by category
Parameter | Purpose
---|---
Zone-related |
--get-default-zone | Show the name of the default zone
--set-default-zone=<zone> | Set the default zone (takes effect permanently)
--get-active-zones | Show the zones currently in use and the interfaces bound to them
--get-zones | Show all available zones
--new-zone= | Create a zone
--delete-zone= | Delete a zone
Service-related |
--get-services | Show the predefined services
--add-service=<service> | Allow traffic for the service in the default zone
--remove-service=<service> | Stop allowing traffic for the service in the default zone
--list-services | Show the services allowed in the default zone
Port-related |
--add-port=<port/protocol> | Allow traffic to the port in the default zone
--remove-port=<port/protocol> | Stop allowing traffic to the port in the default zone
--list-ports | Show the ports allowed in the default zone
Interface-related |
--get-zone-of-interface=<interface> | Show which zone an interface belongs to
--add-interface=<interface> | Route all traffic from the interface into a given zone
--remove-interface=<interface> | Remove the interface from a zone
--change-interface=<interface> | Move the interface to a zone
Source-address-related |
--add-source= | Add a source address
--remove-source= | Remove a source address
Other |
--list-all | Show the current zone's interfaces, sources, ports, services and other settings
--reload | Activate the "permanent" rules immediately, replacing the current runtime rules
--panic-on | Block all network connections
--panic-off | Restore network connections
4. Zone configuration policies
1. To manage the firewall with the Firewalld service and its tools, Firewalld must be started and the old firewall services must be disabled. Also note that Firewalld rules have two states:
runtime: changes take effect immediately but are temporary [not recommended]
permanent: changes take effect only after a reload [strongly recommended]
# Disable the legacy firewall services
[root@firewalld ~]# systemctl mask iptables
[root@firewalld ~]# systemctl mask ip6tables
# Start firewalld and enable it at boot
[root@firewalld ~]# systemctl start firewalld
[root@firewalld ~]# systemctl enable firewalld
2. Once Firewalld is running, we need to know which zone is in use and what rules that zone contains.
# Show all zones
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# Show the default rules of every zone in detail
[root@web01 ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# The zone in use by default
[root@firewalld ~]# firewall-cmd --get-default-zone
public
# Show the rules of the current zone
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Set the default zone
[root@web01 ~]# firewall-cmd --set-default-zone=trusted
success
# Show the default zone
[root@web01 ~]# firewall-cmd --get-default-zone
trusted
# Show the active zones and their interfaces
[root@web01 ~]# firewall-cmd --get-active-zone
public
interfaces: eth0 eth1
# Add a new zone
[root@web01 ~]# firewall-cmd --new-zone=test --permanent
success
# List all zones
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# Reload the firewalld rules
[root@web01 ~]# firewall-cmd --reload
success
# List all zones
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public test trusted work
# Delete the zone
[root@web01 ~]# firewall-cmd --delete-zone=test --permanent
success
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public test trusted work
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
3. Combine the zone rules: the current default zone rejects all traffic, but sources in the 10.0.0.0/24 network are allowed.
# 1. Temporarily remove the ssh and dhcpv6-client service rules
[root@web01 ~]# firewall-cmd --list-all
services: ssh dhcpv6-client
[root@firewalld ~]# firewall-cmd --remove-service={ssh,dhcpv6-client}
success
[root@web01 ~]# firewall-cmd --list-all
services:
# 2. Add the source network 10.0.0.0/24 to the trusted zone (whitelist)
[root@firewalld ~]# firewall-cmd --add-source=10.0.0.0/24 --zone=trusted
success
# 3. Check the active zones
[root@firewalld ~]# firewall-cmd --get-active-zone
trusted
sources: 10.0.0.0/24
# Drop all traffic from the 10.0.0.0/24 network
[root@web01 ~]# firewall-cmd --add-source=10.0.0.0/24 --zone=drop
success
[root@web01 ~]# firewall-cmd --get-active-zone
drop
sources: 10.0.0.0/24
4. Query whether the public zone allows SSH and HTTPS traffic
[root@firewalld ~]# firewall-cmd --zone=public --query-service=ssh
no
[root@firewalld ~]# firewall-cmd --zone=public --query-service=https
no
5. Allow service traffic in the public zone
[root@firewalld ~]# firewall-cmd --zone=public --add-service=ssh
success
[root@firewalld ~]# firewall-cmd --zone=public --query-service=ssh
yes
[root@firewalld ~]# firewall-cmd --zone=public --remove-service=ssh
success
[root@firewalld ~]# firewall-cmd --zone=public --query-service=ssh
no
6. Change the service restrictions of another zone
[root@firewalld ~]# firewall-cmd --zone=trusted --query-service=ssh
no
[root@firewalld ~]# firewall-cmd --zone=trusted --add-service=ssh
success
[root@firewalld ~]# firewall-cmd --zone=trusted --query-service=ssh
yes
7. Finally restore the default rules; --reload can only undo rules that were added temporarily
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
5. Port access policies
Use Firewalld to allow clients to reach the server's port 80/tcp. The rule is temporary; add --permanent to make it survive a restart.
1. Temporarily allow a single port
# Add a port
[root@firewalld ~]# firewall-cmd --add-port=80/tcp
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Show all allowed ports and protocols
[root@web01 ~]# firewall-cmd --list-ports
80/tcp
2. Temporarily allow several ports
[root@firewalld ~]# firewall-cmd --add-port={443/tcp,3306/tcp}
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
3. Permanently allow several ports: add --permanent, then reload Firewalld
[root@firewalld ~]# firewall-cmd --add-port={80/tcp,443/tcp} --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
4. Check the allowed ports with --list-ports
[root@firewalld ~]# firewall-cmd --list-ports
80/tcp 443/tcp
5. Remove the temporarily added port rules
[root@firewalld ~]# firewall-cmd --remove-port={80/tcp,443/tcp}
success
[root@firewalld ~]# firewall-cmd --list-ports
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@firewalld ~]# firewall-cmd --reload
success
# After the reload the ports are back, because they were also added permanently
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
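The runtime/permanent split in sections 4 and 5 (a rule added without --permanent is gone after --reload; a permanent rule added without a reload is not yet enforced) is easy to get wrong on a busy host. The script below is an added example and not part of this tutorial: it compares the runtime and permanent listings of a zone and reports which single-line entries exist only on one side. The two sample listings embedded in it are constructed to match the outputs shown above, and fw_live_drift is an assumed wrapper that feeds it the real output of firewall-cmd.

```sh
#!/bin/sh
# Added example (not from the tutorial): find rules that differ between the
# runtime and the permanent configuration of a firewalld zone.
# Runtime-only rules vanish at the next --reload or reboot; permanent-only
# rules are not enforced until the next --reload.

# Print the values of one single-line field ("services", "ports", ...) of a
# `firewall-cmd --list-all` listing, one per line, sorted.
# $1 = field name, $2 = listing text
fw_field() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" \
        | tr ' ' '\n' | sed '/^$/d' | sort
}

# Compare two listings. Prints "runtime-only FIELD VALUE" or
# "permanent-only FIELD VALUE" per difference; returns 0 only when they agree.
# Multi-line fields (rich rules) are not compared here.
# $1 = runtime listing, $2 = permanent listing
fw_drift() {
    rc=0
    for field in services ports protocols source-ports; do
        rt=$(fw_field "$field" "$1")
        pm=$(fw_field "$field" "$2")
        for v in $rt; do
            printf '%s\n' "$pm" | grep -qx -- "$v" \
                || { echo "runtime-only $field $v"; rc=1; }
        done
        for v in $pm; do
            printf '%s\n' "$rt" | grep -qx -- "$v" \
                || { echo "permanent-only $field $v"; rc=1; }
        done
    done
    return $rc
}

# Live check against the running daemon (needs root and firewall-cmd).
# Assumed wrapper; the zone defaults to the default zone.
fw_live_drift() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    fw_drift "$(firewall-cmd --zone="$zone" --list-all)" \
             "$(firewall-cmd --zone="$zone" --permanent --list-all)"
}

# Constructed sample listings modelled on the tutorial's output: http and
# 3306/tcp were added at runtime only (no --permanent).
RUNTIME_SAMPLE='public
  target: default
  services: dhcpv6-client ssh http
  ports: 80/tcp 443/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:'
PERMANENT_SAMPLE='public
  target: default
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:'

# Demo on the constructed samples: reports the two runtime-only entries.
fw_demo() { fw_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"; }
```

Run fw_live_drift public (or fw_demo for the built-in samples) after a change window: a non-empty report means somebody relied on a runtime rule that the next reload will silently drop, or queued a permanent rule that is not yet protecting anything.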
6. Service access policies
Use Firewalld to allow clients to reach the server's http and https services. The rule is temporary; add --permanent to make it survive a restart.
1. Temporarily allow a single service
[root@firewalld ~]# firewall-cmd --add-service=http
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
2. Temporarily allow several services
[root@firewalld ~]# firewall-cmd --add-service={http,https,mysql}
Warning: ALREADY_ENABLED: 'http' already in 'public'
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https mysql
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
3. Permanently allow several services: add --permanent, then reload Firewalld
[root@firewalld ~]# firewall-cmd --add-service={http,https} --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
4. Check the allowed services with --list-services
[root@firewalld ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http https
5. Remove the temporarily added http and https services
[root@firewalld ~]# firewall-cmd --remove-service={http,https}
success
[root@firewalld ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@firewalld ~]# firewall-cmd --reload
success
# After the reload the settings are back
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Permanent removal
[root@firewalld ~]# firewall-cmd --remove-service={http,https} --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
6. How to define a custom port as a service
# 1. Copy an existing service xml file
[root@firewalld ~]# cd /usr/lib/firewalld/services/
[root@firewalld /usr/lib/firewalld/services]# cp http.xml test.xml
# 2. Change the port to 11211
[root@firewalld /usr/lib/firewalld/services]# cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (test)</short>
<description>test is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="11211"/>
</service>
# 3. Add the firewall rule
[root@firewalld ~]# firewall-cmd --permanent --add-service=test
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-services
ssh dhcpv6-client test
# 4. Install memcached and make it listen on port 11211
[root@firewalld ~]# systemctl start memcached
[root@firewalld ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 9911/memcached
# 5. Test
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
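The step above hand-edits a copy of http.xml. The functions below are an added example, not part of this tutorial: they generate the same kind of service definition from validated inputs, so a bad service name cannot turn into a stray file and a bad port or protocol is rejected before firewalld ever reads the file. They assume the administrator-owned directory /etc/firewalld/services (definitions there override same-named files in /usr/lib/firewalld/services and are not overwritten by package updates); FW_SERVICE_DIR can be overridden, and fw_enable_service is an assumed wrapper around the firewall-cmd calls shown above.

```sh
#!/bin/sh
# Added example (not from the tutorial): generate a firewalld service
# definition such as the tutorial's test.xml, with input validation.
# Assumption: custom definitions live in /etc/firewalld/services;
# FW_SERVICE_DIR may be overridden, e.g. for tests.

FW_SERVICE_DIR=${FW_SERVICE_DIR:-/etc/firewalld/services}

# Accept a single port (1-65535) or a range LOW-HIGH.
fw_valid_port() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${1%%-*}; hi=${1##*-}
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Write NAME.xml for a service on PORT/PROTO. Refuses bad names (they become
# file names), bad ports or protocols, and overwriting an existing file.
# Usage: fw_make_service NAME PORT PROTO [DESCRIPTION]; prints the file path.
fw_make_service() {
    name=$1; port=$2; proto=$3; desc=${4:-"custom service $1"}
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "invalid protocol: $proto (want tcp or udp)" >&2; return 1 ;;
    esac
    fw_valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    file="$FW_SERVICE_DIR/$name.xml"
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2; return 1
    fi
    mkdir -p "$FW_SERVICE_DIR"
    # The description is free text: escape the XML metacharacters.
    esc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$esc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    chmod 0644 "$file"
    echo "$file"
}

# Enable the new service permanently and reload, as the tutorial does
# (needs root and firewall-cmd; assumed wrapper).
fw_enable_service() {
    firewall-cmd --permanent --add-service="$1" && firewall-cmd --reload
}
```

Typical use on the firewall host: fw_make_service memcached-test 11211 tcp "memcached (test)" followed by fw_enable_service memcached-test; firewall-cmd --list-services then shows the new name just as the tutorial's listing shows test.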
7. Port forwarding policies
Port forwarding is the classic destination address mapping that lets external hosts reach resources on the internal network. The command format is:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP>
Suppose local port 10.0.0.61:5555 should be forwarded to the back-end 172.16.1.9:22
1. Enable masquerade to get address translation
# IP masquerading
[root@firewalld ~]# firewall-cmd --add-masquerade --permanent
success
2. Configure the forwarding rule
[root@firewalld ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
success
[root@firewalld ~]# firewall-cmd --reload
success
3. Test
[C:\~]$ ssh root@10.0.0.6 5555
Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 18:59:01 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 17:21:54 2019 from 10.0.0.1
[root@web01 ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2a:a717/64 scope link
valid_lft forever preferred_lft forever
8. Rich rule policies
Rich rules in Firewalld are finer-grained firewall policies: they can target system services, port numbers, source and destination addresses and more, and they have the highest priority of all firewall policies. The Firewalld rich rule reference:
[root@web01 ~]# man firewalld # Firewalld manual
[root@web01 ~]# man firewalld.richlanguage # Firewalld rich rule manual
rule
[source]
[destination]
service|port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
destination address="address[/mask]" invert="True"
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
accept | reject [type="reject type"] | drop
# Rich rule commands
--add-rich-rule='<RULE>' # Add a rich rule to the given zone
--remove-rich-rule='<RULE>' # Remove a rich rule from the given zone
--query-rich-rule='<RULE>' # Returns 0 if the rule exists, 1 if it does not
--list-rich-rules # List all rich rules of the given zone
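A rich rule is plain text that firewall-cmd only parses when it is applied, so a mistyped address or action is noticed late, and a typo in a drop rule can leave a service open. The shell functions below are an added example, not from this tutorial or from firewalld: they build a rule string in the syntax of the manual excerpt above from validated pieces (an IPv4 source, exactly one service or port/protocol, an action, and an optional log element) and fw_rich_apply is an assumed wrapper that applies the result permanently in the zone named by FW_ZONE. The log rate limit 3/m is a constructed default.

```sh
#!/bin/sh
# Added example (not from the tutorial): build firewalld rich rules from
# validated inputs instead of hand-typed strings.

# Accept an IPv4 address with an optional /prefix (0-32).
fw_valid_cidr4() {
    ip=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32            # bare address, no prefix
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# fw_rich_rule -s SOURCE (-S SERVICE | -p PORT/PROTO) -a accept|drop|reject [-l LOGPREFIX]
# Prints the rule text on success; explains the problem on stderr otherwise.
fw_rich_rule() {
    src=; svc=; port=; action=; logpfx=; OPTIND=1
    while getopts 's:S:p:a:l:' opt; do
        case $opt in
            s) src=$OPTARG ;;
            S) svc=$OPTARG ;;
            p) port=$OPTARG ;;
            a) action=$OPTARG ;;
            l) logpfx=$OPTARG ;;
            *) return 1 ;;
        esac
    done
    case "$src" in */*) ;; *) src="$src/32" ;; esac   # normalise a bare host to /32
    fw_valid_cidr4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    if [ -n "$svc" ] && [ -n "$port" ] || [ -z "$svc$port" ]; then
        echo "give exactly one of -S service or -p port/proto" >&2; return 1
    fi
    if [ -n "$svc" ]; then
        match="service name=\"$svc\""
    else
        num=${port%/*}; proto=${port#*/}
        case "$num" in ''|*[!0-9]*) num=0 ;; esac
        if [ "$num" -lt 1 ] || [ "$num" -gt 65535 ] || { [ "$proto" != tcp ] && [ "$proto" != udp ]; }; then
            echo "bad port spec: $port (want NUMBER/tcp or NUMBER/udp)" >&2; return 1
        fi
        match="port port=\"$num\" protocol=\"$proto\""
    fi
    case "$action" in
        accept|drop|reject) ;;
        *) echo "bad action: $action (want accept, drop or reject)" >&2; return 1 ;;
    esac
    log=
    # Optional log element; the rate limit is a constructed default.
    [ -n "$logpfx" ] && log=" log prefix=\"$logpfx\" limit value=\"3/m\""
    printf 'rule family="ipv4" source address="%s" %s%s %s\n' "$src" "$match" "$log" "$action"
}

# Apply the rule permanently and reload (needs root and firewall-cmd);
# assumed wrapper, zone taken from FW_ZONE, default public.
fw_rich_apply() {
    rule=$(fw_rich_rule "$@") || return 1
    firewall-cmd --permanent --zone="${FW_ZONE:-public}" --add-rich-rule="$rule" \
        && firewall-cmd --reload
}
```

For instance, fw_rich_rule -s 172.16.1.0/24 -S ssh -a drop -l ssh-drop produces the drop rule from step 2 below with a log element in front of the action, so each dropped attempt is recorded in the kernel log with the prefix ssh-drop, which is what a detection pipeline wants to see.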
1. Example: allow host 10.0.0.1 to reach the http service, and allow 172.16.1.0/24 to reach port 11211
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
# Test
[C:\~]$ telnet 10.0.0.6 80
Connecting to 10.0.0.6:80...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
telnet: connect to address 10.0.0.6: No route to host
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Canceled.
[root@web01 ~]# telnet 172.16.1.6 11211
Trying 172.16.1.6...
Connected to 172.16.1.6.
Escape character is '^]'.
2. The default public zone lets everyone connect over ssh; block the 172.16.1.0/24 network from connecting to the server over ssh
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name="ssh" drop'
success
# Test
[root@web01 ~]# ssh root@10.0.0.6
root@10.0.0.6's password:
[root@web01 ~]# ssh root@172.16.1.6
^C
3. Let everyone reach the http and https services, but only host 10.0.0.1 may reach the ssh service
[root@firewalld ~]# firewall-cmd --zone=public --add-service={http,https}
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
success
[root@firewalld ~]# firewall-cmd --remove-service=ssh
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https
ports: 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
# Test
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
Connected to 10.0.0.6.
Escape character is '^]'.
^]
telnet> Connection closed.
[root@web01 ~]# ssh root@10.0.0.6
ssh: connect to host 10.0.0.6 port 22: No route to host
[C:\~]$ ssh root@10.0.0.6
Connecting to 10.0.0.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
4. When the source IP is host 10.0.0.1, forward the requested port 5555 to port 22 on the back-end 172.16.1.8
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Enable address translation
[root@firewalld ~]# firewall-cmd --add-masquerade
Warning: ALREADY_ENABLED: masquerade already enabled in 'public'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.8'
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.8"
# Test
[C:\~]$ ssh root@10.0.0.6 5555
Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:12:23 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 18:59:02 2019 from 10.0.0.100
[root@web01 ~]#
[root@web02 ~]# ssh root@10.0.0.6 5555
root@10.0.0.6's password:
bash: 5555: command not found
5. List the configured rules. Without --permanent they are lost when Firewalld restarts. Rich rules are matched in order; the first matching rule wins
[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"
9. Firewalld backup and restore
# Every permanent rule we added to the public zone (--permanent) is written to its configuration file
[root@firewalld ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="test"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<masquerade/>
</zone>
# To back up, just copy the configuration files; after restoring them, reload to activate.
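Copying the files is the whole backup, but a restore is also the moment an old, too-open zone file can come back unnoticed. The script below is an added example, not part of this tutorial: it archives the configuration directory with a timestamp and summarises what each zone file opens (the <service>, <port> and <masquerade> elements shown in public.xml above) so an archive can be audited before fw_restore puts it back. It assumes FW_CONF_DIR defaults to /etc/firewalld and may be overridden; fw_sample_conf writes a constructed copy of the tutorial's public.xml so the functions can be exercised without root.

```sh
#!/bin/sh
# Added example (not from the tutorial): back up the firewalld configuration
# directory and summarise what each zone file opens.
# Assumption: FW_CONF_DIR defaults to /etc/firewalld and may be overridden.

FW_CONF_DIR=${FW_CONF_DIR:-/etc/firewalld}

# One line per zone file: "ZONE services=a,b ports=80/tcp,443/tcp masquerade=yes"
# read from the <service name=.../>, <port .../> and <masquerade/> elements.
fw_zone_summary() {
    f=$1
    zone=$(basename "$f" .xml)
    svcs=$(sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$f" | paste -sd, -)
    ports=$(sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' "$f" | paste -sd, -)
    masq=no
    grep -q '<masquerade/>' "$f" && masq=yes
    echo "$zone services=$svcs ports=$ports masquerade=$masq"
}

# Summarise every zone under $FW_CONF_DIR/zones.
fw_audit() {
    for f in "$FW_CONF_DIR"/zones/*.xml; do
        [ -f "$f" ] && fw_zone_summary "$f"
    done
}

# Archive the whole configuration directory; prints the archive path.
# $1 = destination directory (default /root/firewalld-backup)
fw_backup() {
    dest=${1:-/root/firewalld-backup}
    mkdir -p "$dest"
    out="$dest/firewalld-$(date +%Y%m%d-%H%M%S).tar"
    tar -cf "$out" -C "$(dirname "$FW_CONF_DIR")" "$(basename "$FW_CONF_DIR")"
    echo "$out"
}

# Restore an archive made by fw_backup and reload so the permanent rules
# become active (needs root and firewall-cmd).
fw_restore() {
    tar -xf "$1" -C "$(dirname "$FW_CONF_DIR")" && firewall-cmd --reload
}

# Write a constructed public.xml (the tutorial's listing, description
# shortened) under DIR/firewalld/zones so the functions can be run as a
# normal user.
fw_sample_conf() {
    mkdir -p "$1/firewalld/zones"
    cat > "$1/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="test"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <masquerade/>
</zone>
EOF
}
```

On the firewall host, fw_backup /root/firewalld-backup before a change and fw_audit afterwards give a before/after view of the zone files; an unexpected service, port or masquerade=yes in the summary is worth explaining before the archive is ever restored.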
10. Internet access for internal hosts through the firewall
Enable Firewalld NAT (address translation) on the instance that has the public IP, so that the internal hosts can reach the internet through it.
1. Enable masquerade on the Firewalld firewall to get address translation
[root@firewalld ~]# firewall-cmd --add-masquerade --permanent
success
[root@web01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.8' --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.8"
2. Point the client's gateway at the Firewalld server so that all its network traffic goes through Firewalld
[root@web02 ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.7
3. The client also needs a DNS server
[root@web02 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.5.5.5
4. Bring eth0 down and restart eth1 so the configuration takes effect
[root@web02 ~]# systemctl restart network && ifdown eth0
5. Test that the back-end web server's network works
[C:\~]$ ssh root@10.0.0.7 5555
Connecting to 10.0.0.7:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:38:58 CST 2019 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 20:12:25 2019 from 10.0.0.100
[root@web02 ~]# ip a
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:21 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.8/24 brd 172.16.1.255 scope global eth1
[root@web02 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=32.6 ms
^C
--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 32.653/32.653/32.653/0.000 ms