Linux firewalld tutorial + RHCE course lab
--timeout=300 keeps a rule active for 300 seconds, after which firewalld removes it by itself.
Use it while debugging, so that a mistaken rule cannot lock you out of your remote session. It only applies to runtime rules and cannot be combined with --permanent; once the rule is confirmed to work, add it again with --permanent.
Lab:
Deploy the httpd service on server0 and, with a rich rule, allow only 172.25.0.10/32 to access it. Log the matches at level notice with the log prefix "NEW HTTP", rate-limit to 3 per second, and make the rule persistent.
1. On server0, run:
yum install httpd -y
systemctl start httpd
systemctl enable httpd
[root@server0 zones]# yum install httpd -y
[root@server0 zones]# systemctl start httpd
[root@server0 zones]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server0 zones]# lsof -i:80 -n
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   8386   root    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
httpd   8387 apache    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
httpd   8388 apache    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
httpd   8389 apache    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
httpd   8390 apache    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
httpd   8391 apache    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
httpd   8392 apache    4u  IPv6  44433      0t0  TCP *:http (LISTEN)
At this point desktop0 cannot reach the page, while server0 itself can:
[root@desktop0 ~]# curl http://server0
curl: (7) Failed connect to server0:80; No route to host
[root@server0 ~]# curl localhost
hello world
That is because firewalld is not letting http connections in: the zones only admit ssh (plus dhcpv6-client in public), and anything else is rejected with an ICMP host-prohibited message, which curl reports as "No route to host".
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

No zone allows http, so access from outside is blocked.

[root@server0 ~]# firewall-cmd --get-default-zone
public
[root@server0 ~]# firewall-cmd --list-all-zones
ROL
  interfaces:
  sources: 172.25.0.252/32
  services: ssh vnc-server
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Now add the firewall rule. The warning about zone 'ROL' can be ignored here: ROL only claims the single source 172.25.0.252/32 and is bound to no interface, so traffic from desktop0 (172.25.0.10) falls through to the default zone, public, and that is where the rule must go.
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule=' rule family=ipv4 source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level=notice limit value="3/s" accept '
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.
success
Reload so the permanent configuration becomes active:
[root@server0 ~]# firewall-cmd --reload
success
List the rules again; the rule just added is now in effect. Note where the limit sits: it directly follows the log element, so it caps logging at 3 entries per second, while the accept itself is not rate-limited. The trailing space in the prefix keeps it separate from the IN= field in the log line.
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept

Looking at the firewalld XML file:
[root@server0 ~]# cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
[root@server0 ~]#

Note that this file under /usr/lib/firewalld/zones/ is the packaged default and, as the output shows, does not contain the new rule. --permanent writes the zone to /etc/firewalld/zones/public.xml, which overrides the packaged copy; that is where the rich rule is stored, and firewall-cmd --permanent --list-all shows the same content.
Retry from desktop0; the page is now reachable:
[root@desktop0 ~]# curl http://172.25.0.11
hello world
[root@desktop0 ~]#
Check the log; the connection has been recorded:
[root@server0 ~]# cat /var/log/messages | tail -n 1
Dec 23 18:22:37 localhost kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8704 DF PROTO=TCP SPT=48464 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[root@server0 ~]#
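The lab applies the rule straight to the permanent configuration. The script below, an added example that is not part of the original post, composes the same rich rule from its parameters and stages it the way the --timeout note at the top recommends: runtime first with a timeout, check, then --permanent and --reload. It assumes firewall-cmd from firewalld 0.3.x (RHEL 7) and that the relevant zone is the default zone, public; firewall-cmd is only invoked when APPLY=1 is set, so the script can be run anywhere to see the rule text.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the rich rule from the
# lab's parameters and applies it runtime-first with --timeout, then
# permanently. Assumes firewall-cmd from firewalld 0.3.x (RHEL 7) and that
# the relevant zone is the default zone, public.

# Compose the rich rule text from source CIDR, log prefix, log level and
# rate. The limit is written right after "log", so it rate-limits the log
# entries; the accept action itself is not limited.
build_http_rich_rule() {
  src="$1"; prefix="$2"; level="$3"; rate="$4"
  case "$level" in
    emerg|alert|crit|error|warning|notice|info|debug) ;;
    *) echo "bad log level: $level" >&2; return 1 ;;
  esac
  n="${rate%/*}"; unit="${rate#*/}"
  case "$n" in ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;; esac
  case "$unit" in s|m|h|d) ;; *) echo "bad rate unit: $rate" >&2; return 1 ;; esac
  printf 'rule family="ipv4" source address="%s" service name="http" log prefix="%s" level="%s" limit value="%s" accept' \
    "$src" "$prefix" "$level" "$rate"
}

# Stage the rule in the runtime configuration for $3 seconds (default 300),
# confirm it is loaded, then commit it permanently and reload. If the
# runtime copy locks you out, it disappears on its own when the timer ends.
stage_and_commit() {
  zone="$1"; rule="$2"; timeout="${3:-300}"
  firewall-cmd --zone="$zone" --add-rich-rule="$rule" --timeout="$timeout" || return 1
  firewall-cmd --zone="$zone" --query-rich-rule="$rule" || return 1
  # Test from the client here (curl http://server0) before continuing.
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
  firewall-cmd --reload
}

RULE=$(build_http_rich_rule 172.25.0.10/32 "NEW HTTP " notice 3/s) || exit 1
echo "$RULE"
# Only touch the firewall when explicitly asked: APPLY=1 sh stage_http_rule.sh
if [ "${APPLY:-0}" = 1 ]; then
  stage_and_commit public "$RULE" 300
fi
```

Run it without APPLY to print the rule and check it against what --list-all shows; with APPLY=1 on server0 it performs the staged rollout, and the --query-rich-rule step exits non-zero if the rule did not load.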
Extra: reject connections from another address, and log them
Add a rule and reload. Note that 172.25.0.1/24 means the whole 172.25.0.0/24 network, which also contains 172.25.0.10. On RHEL 7 firewalld puts rich reject and drop rules in the zone's IN_public_deny chain, which is evaluated before the IN_public_allow chain holding the accept rule, so after this step the first rule no longer lets 172.25.0.10 in. To demonstrate the reject without breaking the first rule, use a source that does not overlap it, for example 172.25.0.1/32.
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule=' rule family=ipv4 source address="172.25.0.1/24" service name=http log level=notice prefix="HARD_LOG " reject '
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="172.25.0.1/24" service name="http" log prefix="HARD_LOG " level="notice" reject
	rule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept
[root@server0 ~]#
Accessing from the other address (172.25.0.1) fails, and the attempt shows up in the log:
[root@server0 ~]# cat /var/log/messages | grep HARD_LOG
Dec 23 18:40:51 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:00:50:56:c0:00:01:08:00 SRC=172.25.0.1 DST=172.25.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27789 DF PROTO=TCP SPT=56158 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
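Two things are worth checking after adding the second rule, and the script below, an added example that is not from the original post, does both: whether the reject rule's source covers the accept rule's source (in which case the deny chain swallows the accept rule's clients), and which log prefix each client actually hit. The log sample embedded in the script is constructed for the example; it contains the two lines shown in this post plus two made-up lines (a second request from 172.25.0.10 and one from 172.25.0.12). Only sh arithmetic, awk and sort are used, so it runs anywhere; on the server the input would be grep kernel: /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two rich rules.
# Assumes firewalld 0.3.x on RHEL 7, where a zone's IN_<zone>_deny chain
# (rich reject/drop rules) is evaluated before IN_<zone>_allow (rich accept
# rules), so a reject whose source covers an accept's source shadows it.

# Dotted quad to integer, using shell arithmetic only.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer.
mask() {
  if [ "$1" -eq 0 ]; then echo 0
  else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# cidr_covers A B: succeeds if every address in B lies inside A.
# A bare address is treated as a /32 host.
cidr_covers() {
  a="$1"; b="$2"
  case "$a" in */*) ;; *) a="$a/32" ;; esac
  case "$b" in */*) ;; *) b="$b/32" ;; esac
  a_len="${a#*/}"; b_len="${b#*/}"
  [ "$b_len" -ge "$a_len" ] || return 1
  m=$(mask "$a_len")
  [ $(( $(ip2int "${a%/*}") & m )) -eq $(( $(ip2int "${b%/*}") & m )) ]
}

# check_shadow REJECT_SRC ACCEPT_SRC: warn (and fail) when the reject rule
# would swallow the accept rule's clients.
check_shadow() {
  if cidr_covers "$1" "$2"; then
    echo "WARNING: reject source $1 covers accept source $2;" \
         "deny is evaluated before allow, so $2 will be rejected too"
    return 1
  fi
  echo "ok: reject source $1 does not cover accept source $2"
}

# Tally firewalld kernel log lines by log prefix and SRC. Reads lines on
# stdin, prints "<prefix><TAB><src><TAB><count>", sorted.
summarize_fw_log() {
  awk '
    /kernel: .* IN=/ {
      line = $0
      sub(/^.*kernel: /, "", line)            # strip timestamp and host
      prefix = line; sub(/ IN=.*$/, "", prefix)
      src = line; sub(/^.*SRC=/, "", src); sub(/ .*$/, "", src)
      n[prefix "\t" src]++
    }
    END { for (k in n) print k "\t" n[k] }
  ' | sort
}

# count_hits PREFIX SRC: number of log lines for that prefix and source
# (0 if none). Reads the log on stdin.
count_hits() {
  summarize_fw_log | awk -v p="$1" -v s="$2" 'BEGIN { FS = "\t" }
    $1 == p && $2 == s { print $3; found = 1 }
    END { if (!found) print 0 }'
}

# Constructed sample: the two lines from the lab plus two made-up ones.
SAMPLE_LOG=$(cat <<'EOF'
Dec 23 18:22:37 localhost kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8704 DF PROTO=TCP SPT=48464 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 23 18:25:02 localhost kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8812 DF PROTO=TCP SPT=48470 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 23 18:40:51 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:00:50:56:c0:00:01:08:00 SRC=172.25.0.1 DST=172.25.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27789 DF PROTO=TCP SPT=56158 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 23 18:41:10 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0c:08:00 SRC=172.25.0.12 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
EOF
)

# The lab's two sources: the /24 reject covers the /32 accept.
check_shadow 172.25.0.1/24 172.25.0.10/32 || :
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

check_shadow exits non-zero on overlap so it can gate a deployment script; for the lab's two rules it warns, and with 172.25.0.1/32 as the reject source it passes. Piping the real log into summarize_fw_log gives a per-prefix, per-client count that makes it obvious when an expected client starts appearing under HARD_LOG instead of NEW HTTP.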