--timeout=300 makes a runtime rule valid for 300 seconds only; when the timer expires firewalld removes it again.

Use this while debugging, so that a mistaken rule cannot lock you out of the remote session for good.

Lab:
Deploy the httpd service on server0 and add a rich rule so that only 172.25.0.10/32 may reach it. Log matching connections at level notice with the log prefix "NEW HTTP", limit the rule to 3 matches per second (limit value="3/s" is a rate limit on new connections that match the rule, not a cap on concurrent connections), and make the rule persistent.

1. Run on server0:
yum install httpd -y
systemctl start httpd
systemctl enable httpd

[root@server0 zones]# yum install httpd -y
[root@server0 zones]# systemctl start httpd
[root@server0 zones]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server0 zones]# lsof -i:80 -n
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 8386 root 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8387 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8388 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8389 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8390 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8391 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8392 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)


At this point desktop0 cannot reach the page, while server0 itself can. The "No route to host" is the ICMP host-prohibited reject that firewalld sends for packets no zone rule accepts:

[root@desktop0 ~]# curl http://server0
curl: (7) Failed connect to server0:80; No route to host
[root@server0 ~]# curl localhost
hello world


because firewalld does not yet allow the http service in any zone. Read the warning firewall-cmd prints: without --zone= it operates on the default zone (public), while another zone, ROL, is also active.

[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

No zone allows http, so access from outside is blocked. Check the default zone and then list every zone:
[root@server0 ~]# firewall-cmd --get-default-zone
public
[root@server0 ~]# firewall-cmd --list-all-zones
ROL
  interfaces:
  sources: 172.25.0.252/32
  services: ssh vnc-server
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:


Now set the firewall rule. firewall-cmd again warns that it is operating on the default zone (public) rather than ROL. That is acceptable here: ROL binds only the source 172.25.0.252/32 and no interface, so connections from 172.25.0.10 are evaluated in public, and a rule placed in public is the one that applies. If the rule had been meant for ROL it would have to be added with --zone=ROL; run firewall-cmd --get-active-zones before adding rules so you know which zone a client actually lands in.

[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level=notice limit value="3/s" accept'
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.
success

--permanent only writes the configuration to disk; the running firewall does not change until it is reloaded:
[root@server0 ~]# firewall-cmd --reload
success
List the zone again; the rule added above is now in effect:
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept
Look at the zone XML, but note which file this is: /usr/lib/firewalld/zones/public.xml is the packaged default and is never modified. --permanent writes the rich rule to /etc/firewalld/zones/public.xml, which overrides the packaged file, so the persisted rule must be looked for (and backed up) there. That is why the file below still lists only ssh and dhcpv6-client:
[root@server0 ~]# cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
[root@server0 ~]#
Fetch the page from desktop0 again; it now works:
[root@desktop0 ~]# curl http://172.25.0.11
hello world
[root@desktop0 ~]#


Check the log. The kernel LOG target has written the entry with our prefix. Only the SYN of the new connection appears, because firewalld accepts packets of established connections before the zone chains are reached, so a rich rule (and its log action) only ever sees new connections:

[root@server0 ~]# cat /var/log/messages  | tail -n 1
Dec 23 18:22:37 localhost kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8704 DF PROTO=TCP SPT=48464 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[root@server0 ~]#


Extra: reject connections from another address and log them

Add a rule and reload:

[root@server0 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="172.25.0.1/24" service name=http log level=notice prefix="HARD_LOG " reject'
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option. public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.0.1/24" service name="http" log prefix="HARD_LOG " level="notice" reject
rule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept
[root@server0 ~]#
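To reason about both decisions offline, here is an added Python example (not code from the original post or from firewalld) that parses the text form of firewall-cmd --list-all-zones shown earlier, resolves which zone a source address lands in, and then evaluates that zone's rich rules in firewalld's deny-before-allow order. The sample text is constructed from the lab's ROL and public zones with both rich rules present. The assumption that the longest matching source prefix wins among overlapping zone bindings, and all function names, are this example's own.

```python
"""Zone lookup and rich-rule evaluation for firewall-cmd --list-all-zones text.

Added example for this lab (not from the original post or firewalld).
Assumptions: IPv4 only; actions accept/reject/drop; for overlapping source
bindings the longest prefix wins (firewalld promises no order, so avoid them).
"""
import ipaddress
import re

# Constructed sample in the layout firewall-cmd prints. The empty
# "interfaces:" under public matches the lab: eth0 is bound nowhere,
# so traffic on it falls to the default zone.
SAMPLE = """\
ROL
  interfaces:
  sources: 172.25.0.252/32
  services: ssh vnc-server
  rich rules:

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  rich rules:
\trule family="ipv4" source address="172.25.0.1/24" service name="http" log prefix="HARD_LOG " level="notice" reject
\trule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept
"""

RICH_SRC = re.compile(r'source address="([^"]+)"')
RICH_SVC = re.compile(r'service name="([^"]+)"')
RICH_ACTION = re.compile(r"\b(accept|reject|drop)\b")


def parse_zones(text):
    """Return {zone: {default, interfaces, sources, services, rich rules}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and ":" not in line:      # zone header line
            current = line.replace(" (default)", "")
            zones[current] = {"default": line.endswith("(default)"),
                              "interfaces": [], "sources": [],
                              "services": [], "rich rules": []}
            continue
        item = line.strip()
        if item.startswith("rule "):                        # one rich rule per line
            zones[current]["rich rules"].append(item)
            continue
        key, _, value = item.partition(":")
        if key in zones[current]:                           # keys we model
            zones[current][key] = value.split()
    return zones


def resolve_zone(zones, src_ip, in_iface):
    """firewalld lookup order: source binding, then interface binding, then default."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for name, z in zones.items():
        for src in z["sources"]:
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                continue                                    # MAC/ipset sources not modelled
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)                # assumption: longest prefix wins
    if best:
        return best[1]
    for name, z in zones.items():
        if in_iface in z["interfaces"]:
            return name
    return next(n for n, z in zones.items() if z["default"])


def http_verdict(zones, src_ip, in_iface="eth0"):
    """(zone, allowed) for a new TCP/80 connection from src_ip.

    Rich rules are not sorted by specificity: the zone's deny chain
    (reject/drop rules) runs before its allow chain, and the plain
    service list counts only if no rich rule matched.
    """
    zone = resolve_zone(zones, src_ip, in_iface)
    z = zones[zone]
    ip = ipaddress.ip_address(src_ip)
    matched = []
    for rule in z["rich rules"]:
        svc = RICH_SVC.search(rule)
        if not svc or svc.group(1) != "http":
            continue
        src = RICH_SRC.search(rule)
        if src and ip not in ipaddress.ip_network(src.group(1), strict=False):
            continue
        action = RICH_ACTION.search(rule)
        if action:
            matched.append(action.group(1))
    if any(a in ("reject", "drop") for a in matched):
        return zone, False
    if "accept" in matched:
        return zone, True
    return zone, "http" in z["services"]


if __name__ == "__main__":
    zones = parse_zones(SAMPLE)
    for ip in ("172.25.0.10", "172.25.0.1", "172.25.0.252", "10.0.0.5"):
        print(ip, http_verdict(zones, ip))
```

With both rules present the script reports ("public", False) for 172.25.0.10, because the 172.25.0.0/24 reject is evaluated before the /32 accept; dropping the HARD_LOG rule from the sample gives ("public", True) again. 172.25.0.252 resolves to ROL, which has no http at all.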


A caveat before testing: firewalld does not order rich rules by source specificity. A zone is evaluated as IN_public_log, then IN_public_deny (reject/drop rich rules), then IN_public_allow (accept rich rules), which is also the order --list-all prints them in above. 172.25.0.1/24 is the whole 172.25.0.0/24 network and therefore includes 172.25.0.10, so with both rules loaded the reject applies to 172.25.0.10 as well. Verify with curl from 172.25.0.10 and with iptables -S IN_public_deny; if the goal is "allow only .10 and log everyone else", either keep .10 out of the reject source or use a log-only rich rule for the /24 and let the zone's default behaviour (http not in services) do the rejecting.

Connecting from the other address (172.25.0.1) fails, and the attempt is recorded in the log with the HARD_LOG prefix:

[root@server0 ~]# cat /var/log/messages  | grep HARD_LOG
Dec 23 18:40:51 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:00:50:56:c0:00:01:08:00 SRC=172.25.0.1 DST=172.25.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27789 DF PROTO=TCP SPT=56158 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
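As an added example (not code from the original post), the following Python parses these kernel LOG lines as they appear in /var/log/messages and audits them against the lab's policy: HTTP SYNs logged with the accept prefix must come from 172.25.0.10, and no record from 172.25.0.10 should carry the reject prefix (that would show the /24 reject shadowing the /32 accept). The log text is a constructed copy of the two entries above plus one more rejected attempt and an unrelated sshd line; the prefix names and the allow-list are the lab's, the function names are the example's own.

```python
"""Parse netfilter LOG records from /var/log/messages and audit the lab policy.

Added example for this lab, not code from the original post. The kernel LOG
target writes "<prefix> KEY=VALUE ..." with bare flags (DF, SYN) in between.
"""
import re
from collections import Counter

# Constructed sample: the two entries shown in the lab, one more rejected
# attempt, and a non-firewall line that the parser must ignore.
SAMPLE_MESSAGES = """\
Dec 23 18:22:37 localhost kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8704 DF PROTO=TCP SPT=48464 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 23 18:40:51 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:00:50:56:c0:00:01:08:00 SRC=172.25.0.1 DST=172.25.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27789 DF PROTO=TCP SPT=56158 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 23 18:41:02 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:00:50:56:c0:00:01:08:00 SRC=172.25.0.1 DST=172.25.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27790 DF PROTO=TCP SPT=56159 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 23 18:41:10 localhost sshd[1234]: Accepted publickey for root from 172.25.0.10 port 40000 ssh2
"""

# syslog timestamp, host, "kernel:", free-text prefix up to the first IN= field.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>\bIN=.*)$"
)


def parse_log_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val          # IN=eth0, SRC=..., DPT=80, OUT= (empty)
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK ...
    return rec


def parse_messages(text):
    """All netfilter LOG records in a syslog text, in file order."""
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def audit_http(records, allowed_src, accept_prefix="NEW HTTP", reject_prefix="HARD_LOG"):
    """Count HTTP SYNs per (prefix, SRC) and return records that contradict the policy.

    A violation is an accept-prefixed record from outside allowed_src, or a
    reject-prefixed record from inside it (the /24 reject shadowing the /32 accept).
    """
    counts = Counter()
    violations = []
    for r in records:
        if r.get("PROTO") != "TCP" or r.get("DPT") != "80" or "SYN" not in r["flags"]:
            continue
        counts[(r["prefix"], r["SRC"])] += 1
        if r["prefix"] == accept_prefix and r["SRC"] not in allowed_src:
            violations.append(r)
        if r["prefix"] == reject_prefix and r["SRC"] in allowed_src:
            violations.append(r)
    return counts, violations


if __name__ == "__main__":
    recs = parse_messages(SAMPLE_MESSAGES)
    counts, bad = audit_http(recs, {"172.25.0.10"})
    for (prefix, src), n in sorted(counts.items()):
        print(f"{prefix:<9} {src:<15} {n}")
    print("policy violations:", len(bad))
```

On a live host the same functions can be fed the output of grep 'kernel:' /var/log/messages; a non-empty violation list after adding the /24 reject rule is the quickest way to spot that 172.25.0.10 is being rejected too.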

