防火墙富规则、备份恢复、开启内部上网

1. 防火墙富规则策略

​ Firewalld中的富规则表示更细致、更详细的防火墙策略配置,它可以针对系统服务、端口号、源地址和目标地址等诸多信息进行更有针对性的策略配置, 优先级在所有的防火墙策略中也是最高的。下面为Firewalld富规则帮助手册.

[root@web01 ~]# man firewalld                #Firewalld帮助手册

[root@web01 ~]# man firewalld.richlanguage    #Firewalld富规则手册

rule

[source]

[destination]

service|port|protocol|icmp-block|masquerade|forward-port

[log]

[audit]

[accept|reject|drop]

rule [family="ipv4|ipv6"]

source address="address[/mask]" [invert="True"]

destination address="address[/mask]" invert="True"

service name="service name"

port port="port value" protocol="tcp|udp"

protocol value="protocol value"

forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"

log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]

accept | reject [type="reject type"] | drop

#富规则相关命令

--add-rich-rule='<RULE>' #在指定的区添加一条富规则

--remove-rich-rule='<RULE>' #在指定的区删除一条富规则

--query-rich-rule='<RULE>' #找到规则返回0 ,找不到返回1

--list-rich-rules #列出指定区里的所有富规则

1). 比如允许10.0.0.1主机能够访问http服务,允许172.16.1.0/24能访问11211端口

[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'

success

[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'

success

[root@firewalld ~]# firewall-cmd --list-all

public

target: default

icmp-block-inversion: no

interfaces:

sources:

services: ssh dhcpv6-client test

ports: 80/tcp 443/tcp

protocols:

masquerade: yes

forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7

source-ports:

icmp-blocks:

rich rules:

    rule family="ipv4" source address="10.0.0.1/32" service name="http" accept

    rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept

#验证测试

[C:\~]$ telnet 10.0.0.6 80

Connecting to 10.0.0.6:80...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

[root@web01 ~]# telnet 10.0.0.6 80

Trying 10.0.0.6...

telnet: connect to address 10.0.0.6: No route to host

[C:\~]$ telnet 10.0.0.6 11211

Connecting to 10.0.0.6:11211...

Canceled.

[root@web01 ~]# telnet 172.16.1.6 11211

Trying 172.16.1.6...

Connected to 172.16.1.6.

Escape character is '^]'.

2). 默认public区域对外开放所有人能通过ssh服务连接,但拒绝172.16.1.0/24网段通过ssh连接服务器

[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name="ssh" drop'

success

#验证测试

[root@web01 ~]# ssh root@10.0.0.6

root@10.0.0.6's password:

[root@web01 ~]# ssh root@172.16.1.6

^C

3). 使Firewalld允许所有人能访问http,https服务,但只有10.0.0.1主机可以访问ssh服务

[root@firewalld ~]# firewall-cmd --zone=public --add-service={http,https}

success

[root@firewalld ~]# firewall-cmd --list-all

public

target: default

icmp-block-inversion: no

interfaces:

sources:

services: ssh dhcpv6-client http https

ports: 443/tcp

protocols:

masquerade: yes

forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7

source-ports:

icmp-blocks:

rich rules:

    rule family="ipv4" source address="10.0.0.1/32" service name="http" accept

    rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept

    rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop

[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'

success

[root@firewalld ~]# firewall-cmd --remove-service=ssh

success

[root@firewalld ~]# firewall-cmd --list-all

public

target: default

icmp-block-inversion: no

interfaces:

sources:

services: dhcpv6-client http https

ports: 443/tcp

protocols:

masquerade: yes

forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7

source-ports:

icmp-blocks:

rich rules:

    rule family="ipv4" source address="10.0.0.1/32" service name="http" accept

    rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept

    rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop

    rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept

#验证测试

[root@web01 ~]# telnet 10.0.0.6 80

Trying 10.0.0.6...

Connected to 10.0.0.6.

Escape character is '^]'.

^]

telnet> Connection closed.

[root@web01 ~]# ssh root@10.0.0.6

ssh: connect to host 10.0.0.6 port 22: No route to host

[C:\~]$ ssh root@10.0.0.6

Connecting to 10.0.0.6:22...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

4). 当用户来源IP地址是10.0.0.1主机,则将用户请求的5555端口转发至后端172.16.1.7的22端口

[root@firewalld ~]# firewall-cmd --list-all

public

target: default

icmp-block-inversion: no

interfaces:

sources:

services: ssh dhcpv6-client test

ports: 80/tcp 443/tcp

protocols:

masquerade: yes

forward-ports:

source-ports:

icmp-blocks:

rich rules:

#开启地址转发

[root@firewalld ~]# firewall-cmd --add-masquerade

Warning: ALREADY_ENABLED: masquerade already enabled in 'public'

success

[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.7'

success

[root@firewalld ~]# firewall-cmd --list-all

public

target: default

icmp-block-inversion: no

interfaces:

sources:

services: ssh dhcpv6-client test

ports: 80/tcp 443/tcp

protocols:

masquerade: yes

forward-ports:

source-ports:

icmp-blocks:

rich rules:

    rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"

#验证测试

[C:\~]$ ssh root@10.0.0.6 5555

Connecting to 10.0.0.6:5555...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

Last failed login: Sun Dec 8 20:12:23 CST 2019 from 10.0.0.100 on ssh:notty

There was 1 failed login attempt since the last successful login.

Last login: Sun Dec 8 18:59:02 2019 from 10.0.0.100

[root@web02 ~]# ssh root@10.0.0.6 5555

root@10.0.0.6's password:

bash: 5555: command not found

5).查看设定的规则,如果没有添加--permanent参数则重启Firewalld会失效。富规则按先后顺序匹配,优先匹配到的规则生效

[root@firewalld ~]# firewall-cmd --list-rich-rules

rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"

2.Firewalld备份恢复

#我们所有针对public区域编写的永久添加的规则都会写入备份文件(--permanent)

[root@firewalld ~]# cat /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>

<zone>

<short>Public</short>

<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

<service name="ssh"/>

<service name="dhcpv6-client"/>

<service name="test"/>

<port protocol="tcp" port="80"/>

<port protocol="tcp" port="443"/>

<masquerade/>

</zone>

备份的时候只需要把配置文件进行拷贝就行了,导入之后,重启生效。

[root@web01 ~]# firewall-cmd   --zone=public   --add-service=http  --permanent

success

[root@web01 ~]# firewall-cmd   --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: ssh dhcpv6-client

  ports:

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules: 

[root@web01 ~]# firewall-cmd   --reload

success

[root@web01 ~]# firewall-cmd   --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: ssh dhcpv6-client http

  ports:

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules: 

[root@web01 ~]# firewall-cmd  --zone=public  --remove-service=http  --permanent

success

[root@web01 ~]# firewall-cmd  --reload

success

[root@web01 ~]# firewall-cmd   --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: ssh dhcpv6-client

  ports:

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules: 

#备份配置文件

#只保存永久添加的规则

[root@web01 ~]# ll  /etc/firewalld/zones/public.xml		#公共区的配置文件

[root@web01 ~]# ll /etc/firewalld/zones/		#区域的配置规则文件都在这个区中

3. 防火墙开启内部上网

在指定的带有公网IP的实例上启动Firewalld防火墙的NAT地址转换,以此达到内部主机上网。

1. Firewalld防火墙开启masquerade,实现地址转换

1. Firewalld防火墙开启masquerade,实现地址转换

[root@firewalld ~]# firewall-cmd --add-masquerade --permanent

success

[root@firewalld ~]# firewall-cmd --list-rich-rules

rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7" --permanent

[root@firewalld ~]# firewall-cmd --reload

success

[root@firewalld ~]# firewall-cmd --list-all

public

target: default

icmp-block-inversion: no

interfaces:

sources:

services: ssh dhcpv6-client test

ports: 80/tcp 443/tcp

protocols:

masquerade: yes

forward-ports:

source-ports:

icmp-blocks:

rich rules:

2. 客户端将网关指向Firewalld服务器,将所有网络请求交给Firewalld

[root@web01 ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1

GATEWAY=172.16.1.6

3. 客户端还需配置dns服务器

[root@web01 ~]# cat /etc/resolv.conf

# Generated by NetworkManager

nameserver 223.5.5.5

4. 关闭eth0网卡,重启eth1,使其配置生效

[root@web01 ~]# systemctl restart network && ifdown eth0

5. 测试后端web的网络是否正常

[C:\~]$ ssh root@10.0.0.7 5555

Connecting to 10.0.0.7:5555...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

Last failed login: Sun Dec 8 20:38:58 CST 2019 from gateway on ssh:notty

There was 1 failed login attempt since the last successful login.

Last login: Sun Dec 8 20:12:25 2019 from 10.0.0.100

[root@web01 ~]# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000

link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

link/ether 00:0c:29:2a:a7:21 brd ff:ff:ff:ff:ff:ff

inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1

valid_lft forever preferred_lft forever

inet6 fe80::20c:29ff:fe2a:a721/64 scope link

valid_lft forever preferred_lft forever

[root@web02 ~]# ping baidu.com

ping: baidu.com: Name or service not known

#重启eth1

[root@web02 ~]# ifdown eth1 && ifup eth1

Device 'eth1' successfully disconnected.

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)

[root@web01 ~]# ping baidu.com

PING baidu.com (220.181.38.148) 56(84) bytes of data.

64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=32.6 ms

^C

--- baidu.com ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 32.653/32.653/32.653/0.000 ms

Firewalld--03 富规则、备份恢复、开启内部上网的更多相关文章

  1. iptables规则备份和恢复 firewalld的9个zone firewalld关于zone的操作 firewalld关于service的操作

    iptables规则备份和恢复 保存和备份iptables规则Service iptables save //会把规则保存到/etc/sysconfig/iptables把iptables规则备份到m ...

  2. iptables规则备份和恢复、firewalld的9个zone、以及firewalld关于zone和service的操作 使用介绍

    第7周第5次课(5月11日) 课程内容: 10.19 iptables规则备份和恢复10.20 firewalld的9个zone10.21 firewalld关于zone的操作10.22 firewa ...

  3. Linux centosVMware iptables规则备份和恢复、firewalld的9个zone、firewalld关于zone的操作、firewalld关于service的操作

    一.iptables规则备份和恢复 保存和备份iptables规则 service iptables save //会把规则保存到 /etc/sysconfig/iptables 把iptables规 ...

  4. 删库到跑路?还得看这篇Redis数据库持久化与企业容灾备份恢复实战指南

    本章目录 0x00 数据持久化 1.RDB 方式 2.AOF 方式 如何抉择 RDB OR AOF? 0x01 备份容灾 一.备份 1.手动备份redis数据库 2.迁移Redis指定db-数据库 3 ...

  5. mongodb集群配置及备份恢复

    Mongodb安装: 编辑/etc/yum.repos.d/mongodb.repo,添加以下: [MongoDB] name=MongoDB Repository baseurl=https://r ...

  6. (转)解锁MySQL备份恢复的4种正确姿势

    本文根据DBAplus社群第104期线上分享整理而成. 原文:http://dbaplus.cn/news-11-1267-1.html 讲师介绍   冯帅 点融网高级DBA 获有Oracle OCM ...

  7. (转)Db2 备份恢复性能问题诊断与调优

    原文:https://www.ibm.com/developerworks/cn/analytics/library/ba-lo-backup-restore-performance-issue-ju ...

  8. MySQL 备份恢复(导入导出)单个 innodb表

    MySQL 备份恢复单个innodb表呢,对于这种恢复我们我们很多朋友都不怎么了解了,下面一起来看一篇关于MySQL 备份恢复单个innodb表的教程 在实际环境中,时不时需要备份恢复单个或多个表(注 ...

  9. SYSTEM 表空间管理及备份恢复

    标签: systemoraclesqldatabasefile数据库 2010-11-28 18:14 12689人阅读 评论(0) 收藏 举报 分类: -----Oracle备份恢复(16) 版权声 ...

随机推荐

  1. Kohana Minion cli 学习

    1.E:\html\tproject\framebota\platform\bootstrap.php Kohana::modules(array( 'auth' => MODPATH.'aut ...

  2. C. Almost Equal

    C. Almost Equal n个数字全排成一个圈,满足任意相邻n个之和之间最大最小值之差不超过1 n为偶数时 不存在 n为奇数,构造 #include<bits/stdc++.h> u ...

  3. Oracle--创建TRIGGER实现跟踪用户登录信息

    ---创建日志表记录用户登录信息create  table user_log(  user_id         VARCHAR2(30),  session_id      NUMBER(10),  ...

  4. sql server 高版本数据还原到低版本sql server的注意事项

    生成的sql脚本不能大于100m,否则会报错(System.OutOfMemory) 所以要将较大的sql脚本文件进行分割

  5. equals深入理解

    package cn.galc.test; public class TestEquals { public static void main(String[] args) { /** * 这里使用构 ...

  6. COUNT 和 IFNULL函数

    用COUNT函数: mysql> SELECT count(one) FROM tb_test;+------------+| count(http://www.amjmh.com/v/BIBR ...

  7. Tomcat/weblogic session失效时间的几种设置方法

    一.在容器中设置tomcat中配置server.xml中定义context时采用如下定义: <Context path="/livsorder" docBase=" ...

  8. jmeter接口测试初体验

    今天初体验了一把jmeter,把操作的一些经历贴出来,督促自己进步.等逐步掌握后再次回首时,希望是有所思的,欣慰的! jmeter: Apache JMeter是Apache组织开发的基于Java的压 ...

  9. pthon之mock应用

    研发过程中常见分工合作开发接口,但互相之间接口有依赖,这时候便可以使用mock 目录 1.安装 2.使用mock调试自己写的方法 3.使用mock解除依赖关系 1.安装 由于我的是python2.7, ...

  10. 树莓派3b折腾指南

    最近入手了树梅派3b,搭建了宿舍共享的热点和NAS,搭建透明代理科学上网的计划还没实现. 先报个价,一套折腾下来花了500大洋,树梅派3加外壳200,电源加内存卡100,显示器淘宝二手150,有线键鼠 ...